pptpd and Lancom 1811

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

Björn
Posts: 65
Registered: 14 Sep 2010, 12:32

Post by Björn »

Hello everyone,

this time I have a small problem with the Lancom at home.

A long time ago I got a lifetime account from a VPN provider (to the UK and US). So why not route the networks of Channel4, ABC and YouTube through it.

Unfortunately the provider only offers unencrypted PPTP.
(For ABC's media library I don't care about the missing encryption)

But now the Lancom (1811 / FW 8.00) refuses to dial in via PPTP.

To rule out the provider, I set up a pptpd server on Debian as a test,
which should work similarly to the provider's pptpd.

My config on the Lancom: (I deliberately selected no CHAP / PAP / etc. to leave it up to the router)

Code:

> l /Setup/WAN/PPTP-Peers

Peer              IP-Address                                                       Rtg-tag  Port          SH-Time
----------------------------------------------------------------------------------------------------------------------
KBHPPTP           k******p.org                                                   0        1723          0
VPNUK              u*******.com                                                  0        1723          0

> l /Setup/WAN/PPP

Peer              Authent.request             Authent-response            Key       Time  Try   Conf  Fail  Term
----------------------------------------------------------------------------------------------------------------------
KBHPPTP           none                        none                        *         0     5     10    5     2   test
VPNUK             none                        none                        *         0     5     10    5     2     test


> l /Setup/IP-Router/IP-Routing-Table

IP-Address       IP-Netmask       Rtg-tag  Peer-or-IP        Distance  Masquerade  Active   Comment
--------------------------------------------------------------------------------------------------------------------
173.194.35.0     255.255.255.0    0        KBHPPTP           0         on          Semi     Testroute auf Google

The Lancom trace:

Code:

> ping -c 1 173.194.35.4

[PPP] 2012/11/22 23:08:14,390
PPTP control channel: connecting to KBHPPTP (77.8.12.49)
PPTP control channel: waiting for TCP connect for KBHPPTP (77.8.12.49)
PPTP control channel: use local port: 13366 for KBHPPTP


[PPP] 2012/11/22 23:08:14,470
PPTP control channel: TCP connection to 77.8.12.49 established
PPTP control channel: StartControlConnectionRequest sent to 77.8.12.49


[PPP] 2012/11/22 23:08:14,540
PPTP control channel: received StartControlConnectionReply from 77.8.12.49
PPTP call control: OutgoingCallRequest sent for call id 2588 to 77.8.12.49



 ---173.194.35.4 ping statistic---
 56 Bytes Data, 1 Packets transmitted, 0 Packets received, 100% loss

>
[PPP] 2012/11/22 23:08:22,720
Change phase to ESTABLISH for KBHPPTP
Lower-Layer-Up event for LCP
Initializing LCP restart timer to 3000 milliseconds
Waiting up to 200ms for connection
Starting LCP restart timer with 200 milliseconds


[PPP] 2012/11/22 23:08:22,720
PPTP call control: received OutgoingCallReply from 77.8.12.49 for call id 2588: peer call id 64700
PPTP call control: SetLinkInfo sent for call id 2588 to 77.8.12.49 with SendACCM=0x00000000 and ReceiveACCM=0x00000000
PPTP call control: set remote window to 32 for KBHPPTP
PPTP call control: connect request for PPP sent


[PPP] 2012/11/22 23:08:22,750

Received LCP frame from peer KBHPPTP (channel 0)
Stop waiting for connection
Stopping LCP restart timer
Initializing LCP restart timer to 3000 milliseconds
Generating LCP configure-request for peer KBHPPTP
Inserting local MRU 1452
Inserting local magic number cc27c8a2
Sending LCP configure-request with ID 00 and length 14 to peer KBHPPTP (channel 0)
Starting LCP restart timer with 3000 milliseconds
Evaluate configure-request with ID 01 and size 25
Peer ACCM 00000000000000000000000000000000, accepted
Peer requests authentication protocol CHAP with DES encryption (MS-CHAPv2), no protocol available
Peer magic number a3a55283 accepted
Peer requests protocol field compression, rejected
Peer requests address- and controlfield compression, rejected
Negative Configure-Request-Received event for LCP
Sending LCP configure-reject with ID 01 and length 13 to peer KBHPPTP (channel 0)


[PPP] 2012/11/22 23:08:22,860

Received LCP frame from peer KBHPPTP (channel 0)
Evaluate configure-ack with ID 00 and size 14
Configure-Ack-Received event for LCP
Initializing LCP restart timer to 3000 milliseconds


[PPP] 2012/11/22 23:08:22,960

Received LCP frame from peer KBHPPTP (channel 0)
Evaluate configure-request with ID 02 and size 16
Peer ACCM 00000000000000000000000000000000, accepted
Peer magic number a3a55283 accepted
Positive Configure-Request-Received event for LCP
Sending LCP configure-ack with ID 02 and length 16 to peer KBHPPTP (channel 0)
Stopping LCP restart timer
This-Layer-Up action for LCP
Change phase to AUTHENTICATE for KBHPPTP
This-Layer-Up action for LCP
Change phase to CALLBACK for KBHPPTP
This-Layer-Up action for LCP
Change phase to NETWORK for KBHPPTP
Lower-Layer-Up event for IPCP
Initializing IPCP restart timer to 3000 milliseconds
Generating IPCP configure-request for peer KBHPPTP
Inserting IP address 0.0.0.0
Inserting primary DNS address 0.0.0.0
Inserting secondary DNS address 0.0.0.0
Sending IPCP configure-request with ID 00 and length 22 to peer KBHPPTP (channel 0)
Starting IPCP restart timer with 3000 milliseconds


[PPP] 2012/11/22 23:08:23,100

Received LCP frame from peer KBHPPTP (channel 0)
Terminate-Request-Received event for LCP


[PPP] 2012/11/22 23:08:23,100
This-Layer-Down action for LCP
Lower-Layer-Down event for BACP
Stopping BACP restart timer
Lower-Layer-Down event for CCP
Stopping CCP restart timer
Lower-Layer-Down event for IPCP
Stopping IPCP restart timer
Lower-Layer-Down event for IPXCP
Stopping IPXCP restart timer
Resetting LCP restart timer with 3000 milliseconds
Change phase to TERMINATE for KBHPPTP
Sending LCP terminate-request with ID 03 and length 4 to peer KBHPPTP (channel 0)
Starting LCP restart timer with 3000 milliseconds
Sending LCP terminate-ack with ID 00 and length 4 to peer KBHPPTP (channel 0)


[PPP] 2012/11/22 23:08:23,110
Change phase to DEAD for KBHPPTP
Stopping LCP restart timer
Stopping IPXCP restart timer
Stopping IPCP restart timer
Stopping CCP restart timer
Stopping BACP restart timer


[PPP] 2012/11/22 23:08:23,130
selecting first remote gateway using strategy eFirst for KBHPPTP
     => CurrIdx=0, IpStr=>kbh.selfip.org<, IpAddr=77.8.12.49, IpTtl=60s

[PPP] 2012/11/22 23:08:23,110
PPTP call control: closing call for KBHPPTP


[PPP] 2012/11/22 23:08:23,130
PPTP: Error: Auth.-Error (0x8001) for KBHPPTP (77.8.12.49)

[PPP] 2012/11/22 23:08:23,150
PPTP call control: call destroyed for KBHPPTP


[PPP] 2012/11/22 23:08:23,150
PPTP control channel: closing TCP connection to 77.8.12.49


[PPP] 2012/11/22 23:08:23,150
PPTP control channel: TCP connection to 77.8.12.49 closed


[PPP] 2012/11/22 23:08:23,200
PPTP dispatcher: received GRE packet for unknown call id 2588 from 77.8.12.49 - packet dropped

Log on the Linux side:

Code:

Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Client 178.11.218.95 control connection started
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Received PPTP Control Message (type: 1)
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Made a START CTRL CONN RPLY packet
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: I wrote 156 bytes to the client.
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Sent packet to client
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Received PPTP Control Message (type: 7)
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Set parameters to 2097152 maxbps, 64 window size
Nov 23 03:03:35 ipcop pptpd[30942]: CTRL: Made a OUT CALL RPLY packet
Nov 23 03:03:39 ipcop pptpd[30942]: CTRL: Starting call (launching pppd, opening GRE)
Nov 23 03:03:42 ipcop pptpd[30942]: CTRL: pty_fd = 6
Nov 23 03:03:43 ipcop pptpd[30942]: CTRL: tty_fd = 7
Nov 23 03:03:43 ipcop pptpd[30943]: CTRL (PPPD Launcher): program binary = /opt/pptp/sbin/pppd
Nov 23 03:03:43 ipcop pptpd[30943]: CTRL (PPPD Launcher): local address = 10.10.0.1
Nov 23 03:03:43 ipcop pptpd[30943]: CTRL (PPPD Launcher): remote address = 10.10.0.160
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: Plugin /opt/pptp/lib/pptpd/pptpd-logwtmp.so loaded.
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: pptpd-logwtmp: $Version$
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: pppd options in effect:
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: debug^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: nologfd^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: dump^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: plugin /opt/pptp/lib/pptpd/pptpd-logwtmp.so^I^I# (from command line)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: auth^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: refuse-pap^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: refuse-chap^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: refuse-mschap^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: name pptpd^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: pptpd-original-ip 178.11.218.95^I^I# (from command line)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: 115200^I^I# (from command line)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: lock^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: local^I^I# (from command line)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: mtu 1400^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: novj^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: novjccomp^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: ipparam 178.11.218.95^I^I# (from command line)
Nov 23 03:03:43 ipcop pppd-pptpd[30943]: proxyarp^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: 10.10.0.1:10.10.0.160^I^I# (from command line)
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: nobsdcomp^I^I# (from /opt/pptp/etc/options.pptpd)
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: pppd 2.4.3 started by root, uid 0
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: using channel 23
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: Using interface ppp0
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: Connect: ppp0 <--> /dev/pts/1
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa3a55283> <pcomp> <accomp>]
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: I wrote 32 bytes to the client.
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Sent packet to client
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Received PPTP Control Message (type: 15)
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #0
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [LCP ConfReq id=0x0 <mru 1452> <magic 0xcc27c8a2>]
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: sent [LCP ConfAck id=0x0 <mru 1452> <magic 0xcc27c8a2>]
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #1
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [LCP ConfRej id=0x1 <auth chap MS-v2> <pcomp> <accomp>]
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0xa3a55283>]
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #2
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0xa3a55283>]
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: peer refused to authenticate: terminating link
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: sent [LCP TermReq id=0x3 "peer refused to authenticate"]
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #3
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [IPCP ConfReq id=0x0 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: Discarded non-LCP packet when LCP not open
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #4
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [LCP TermReq id=0x3]
Nov 23 03:03:44 ipcop pptpd[30942]: GRE: accepting packet #5
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: sent [LCP TermAck id=0x3]
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: rcvd [LCP TermAck id=0x0]
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: EOF or bad error reading ctrl packet length.
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: Connection terminated.
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: couldn't read packet header (exit)
Nov 23 03:03:44 ipcop pppd-pptpd[30943]: Exit.
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: CTRL read failed
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Reaping child PPP[30943]
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Client 178.11.218.95 control connection finished
Nov 23 03:03:44 ipcop pptpd[30942]: CTRL: Exiting now

Does any of you have an idea what could be going wrong here?

(I am 100% sure that I entered the credentials correctly :)
Nevertheless the remote end apparently disconnects because of the credentials -> sent [LCP TermReq id=0x3 "peer refused to authenticate"])

Regards, Björn

backslash
Moderator
Posts: 7132
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi Björn

your mistake is here:
Peer Authent.request Authent-response Key Time Try Conf Fail Term Username Rights
----------------------------------------------------------------------------------------------------------------------
KBHPPTP none none * 0 5 10 5 2 test
VPNUK none none * 0 5 10 5 2 test

you have to allow at least one protocol for "Authent-response" - sensibly you allow everything, i.e. MS-CHAPv2, MS-CHAP, CHAP, PAP - and under the rights at least IP has to be active

then it will work...

Regards
Backslash

Björn

Post by Björn »

All right, that already works with my test remote end.

With the VPN provider I get a bit further but am still not at the goal.

In the trace the router then bails out with
"Sending LCP protocol-reject for protocol 80fd with ID 03 and length 16 to peer".
But I can't find any way to switch compression on / off for a PPTP connection, since IMHO the layer list doesn't apply.

Regards, Björn

backslash

Post by backslash »

Hi Björn

> But I can't find any way to switch compression on / off for a PPTP connection, since IMHO the layer list doesn't apply.

80fd is indeed CCP, but in this case it refers to the encryption - Microsoft negotiates compression (MPPC) and encryption (MPPE) together via CCP...

However, the 1811 cannot do encryption, which is why CCP is rejected. Switch off PPTP encryption on your Linux server and it will work...

Regards
Backslash

Björn

Post by Björn »

I see,

only unfortunately I have no access to the remote end and cannot change anything in its configuration.

Pity. I guess nothing can be done then :/

Regards
Björn

backslash

Post by backslash »

Hi Björn,

> only unfortunately I have no access to the remote end and cannot change anything in its configuration.

you could still try restricting the authentication protocols to CHAP and PAP; then no encryption is done either, if the provider allows unencrypted connections. PPTP encryption requires at least MSCHAP...

but somehow that surprises me, because in the first post you explicitly said:

> Unfortunately the provider only offers unencrypted PPTP.
> (For ABC's media library I don't care about the missing encryption)

Regards
Backslash

backslash

Post by backslash »

Hi Björn,

by the way: does the connection stay up after the "Sending LCP protocol-reject for protocol 80fd ..." or is it torn down? If it stays up, then that is not a problem, because then you can use it too - just without compression...

It is only a problem if the remote side tears the connection down in response, because then it expects encryption - which isn't possible with a 1811...

Regards
Backslash
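
Added example (not part of the thread, and not LANCOM or pppd code): a small Python triage script for the two log formats shown in the posts above. It flags an LCP authentication option that the peer rejected, and a protocol-reject for 80fd (CCP), which means MPPE was not negotiated; the sample lines are constructed from those formats and the finding names are invented for this example.

```python
import re

# PPP protocol numbers that can appear in protocol-reject traces.
PPP_PROTOCOLS = {"c021": "LCP", "c023": "PAP", "c223": "CHAP",
                 "8021": "IPCP", "80fd": "CCP"}

# pppd debug format: sent|rcvd [LCP ConfXxx id=0xN <opt> <opt> ...]
PKT = re.compile(r"(sent|rcvd) \[LCP (Conf\w+) id=(0x[0-9a-f]+)((?: <[^>]*>)*)\]")
# Router trace format as quoted in the thread.
PROTREJ = re.compile(r"LCP protocol-reject for protocol ([0-9a-f]{4})")

def analyze(log):
    """Return (finding, detail) tuples for auth and CCP negotiation failures."""
    findings, offered = [], {}
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            direction, kind, pkt_id, raw = m.groups()
            opts = re.findall(r"<([^>]*)>", raw)
            if direction == "sent" and kind == "ConfReq":
                offered[pkt_id] = opts          # what this side asked for
            elif direction == "rcvd" and kind == "ConfRej":
                # Peer refused options from our ConfReq with the same id.
                for o in opts:
                    if o.startswith("auth ") and o in offered.get(pkt_id, []):
                        findings.append(("auth-option-rejected", o[5:]))
        if "peer refused to authenticate: terminating link" in line:
            findings.append(("link-terminated-no-auth", None))
        m = PROTREJ.search(line)
        if m:
            name = PPP_PROTOCOLS.get(m.group(1), "unknown")
            findings.append(("protocol-rejected", name))
            if name == "CCP":
                # MPPC and MPPE are both negotiated inside CCP.
                findings.append(("no-mppe-if-link-stays-up", None))
    return findings

# Constructed samples in the two log formats shown in the thread.
PPPD_SAMPLE = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa3a55283> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <auth chap MS-v2> <pcomp> <accomp>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0xa3a55283>]
peer refused to authenticate: terminating link
"""
LANCOM_SAMPLE = "Sending LCP protocol-reject for protocol 80fd with ID 03 and length 16 to peer\n"

if __name__ == "__main__":
    for finding in analyze(PPPD_SAMPLE) + analyze(LANCOM_SAMPLE):
        print(finding)
```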