827H as a PPTP end point and MS-CHAP failure

maurice.walsh
Level 1

Hi all,

I'm hoping that someone can help with a strange PPTP / MS-CHAP problem that I have. We are installing a number of Cisco 827H (now 837s) in our customer sites for Internet access and VPNs (using IPsec).

As an extra feature I would like to set up the 827H as a PPTP end point so that our support personnel can use the Windows VPN client to attach to the IP network (a mixture of MS W2K server and W2K peer-to-peer).

I'm using IOS 12.2(8)YM. When I try to connect, the W2K client never gets past the username and password section. I've done a debug and I can see an MS-CHAP success packet being returned, but it never gets to the W2K machine. I've used MS Network Monitor to look at the packets coming from the 827H and there is no PPPCHAP success; I can see the PPPCHAP challenge and response. Is it possible that the 827 is sending the PPPCHAP success as an encrypted GRE packet?

827H Debug PPP AUTH

*Mar 1 08:59:08.469: ppp4 PPP: Using set call direction
*Mar 1 08:59:08.469: ppp4 PPP: Treating connection as a callin
*Mar 1 08:59:08.469: ppp4 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 08:59:08.469: ppp4 PPP: Authorization required
*Mar 1 08:59:08.473: ppp4 LCP: O CONFREQ [Closed] id 1 len 15
*Mar 1 08:59:08.473: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:08.473: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.461: ppp4 LCP: TIMEout: State REQsent
*Mar 1 08:59:10.461: ppp4 LCP: O CONFREQ [REQsent] id 2 len 15
*Mar 1 08:59:10.461: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:10.465: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.545: ppp4 LCP: I CONFACK [REQsent] id 2 len 15
*Mar 1 08:59:10.545: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:10.545: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.589: ppp4 LCP: I CONFREQ [ACKrcvd] id 1 len 21
*Mar 1 08:59:10.593: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.593: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.593: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.593: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.597: ppp4 LCP: Callback 6 (0x0D0306)
*Mar 1 08:59:10.597: ppp4 LCP: O CONFREJ [ACKrcvd] id 1 len 7
*Mar 1 08:59:10.597: ppp4 LCP: Callback 6 (0x0D0306)
*Mar 1 08:59:10.673: ppp4 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Mar 1 08:59:10.673: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.673: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.677: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.677: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.677: ppp4 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Mar 1 08:59:10.681: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.753: ppp4 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Mar 1 08:59:10.753: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.753: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.757: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.757: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.757: ppp4 LCP: O CONFNAK [ACKrcvd] id 3 len 8
*Mar 1 08:59:10.757: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.833: ppp4 LCP: I CONFREQ [ACKrcvd] id 4 len 18
*Mar 1 08:59:10.837: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.837: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.837: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.837: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.841: ppp4 LCP: O CONFACK [ACKrcvd] id 4 len 18
*Mar 1 08:59:10.841: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.841: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.841: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.845: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.845: ppp4 LCP: State is Open
*Mar 1 08:59:10.845: ppp4 PPP: Phase is AUTHENTICATING, by this end
*Mar 1 08:59:10.849: ppp4 MS-CHAP: O CHALLENGE id 1 len 22 from "Cisco827H"
*Mar 1 08:59:10.933: ppp4 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x360D64B6 MSRASV5.10
*Mar 1 08:59:10.941: ppp4 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x360D64B6 MSRAS-0-MOZ-LPXP
*Mar 1 08:59:10.957: ppp4 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:10.961: ppp4 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 08:59:10.961: ppp4 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 08:59:10.965: ppp4 PPP: Sent MSCHAP LOGIN Request
*Mar 1 08:59:11.133: ppp4 PPP: Received LOGIN Response PASS
*Mar 1 08:59:11.133: ppp4 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 08:59:11.285: Vi5.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 08:59:11.285: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:11.289: Vi5.1 PPP: Phase is UP
*Mar 1 08:59:11.289: Vi5.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 08:59:11.289: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:11.293: Vi5.1 PPP: Process pending packets
*Mar 1 08:59:13.277: Vi5.1 IPCP: TIMEout: State REQsent
*Mar 1 08:59:13.277: Vi5.1 IPCP: O CONFREQ [REQsent] id 2 len 10
*Mar 1 08:59:13.277: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:15.293: Vi5.1 IPCP: TIMEout: State REQsent
*Mar 1 08:59:15.293: Vi5.1 IPCP: O CONFREQ [REQsent] id 3 len 10
*Mar 1 08:59:15.293: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4

827H IOS

Using 2789 out of 131072 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco827H
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authentication ppp local local
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
enable secret xxxxx
!
username xxxx password xxxxx
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
interface Loopback0
 ip address 10.10.11.50 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.50 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mroute-cache
 no keepalive
 peer default ip address pool 801-Group-2
 ppp max-bad-auth 3
 ppp encrypt mppe auto
 ppp authentication ms-chap
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address x.x.x.x
 ip access-group 112 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password xxxx
 ppp pap sent-username xxxxx password xxxx
 hold-queue 224 in
!
ip local pool vpnclient-pool 10.10.11.180 10.10.11.199
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source static tcp 10.10.10.1 3389 interface Dialer1 3389
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.50 23 interface Dialer1 23
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
logging trap debugging
logging 10.10.10.1
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
radius-server retransmit 3
radius-server authorization permit missing Service-Type
!
line con 0
 password xxxx
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password xxxx
 length 0
!
scheduler max-task-time 5000
end
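As an added example (not from the thread or from Cisco), a small Python check over a constructed excerpt of the debug above that flags the pattern the post describes: the router answering the same MS-CHAP RESPONSE id with SUCCESS again and again while its IPCP CONFREQs go unanswered, which is the signature of a success packet that never reaches the client.

```python
import re
from collections import Counter

# Constructed excerpt of the router's "debug ppp authentication" output from the post.
DEBUG_LOG = """\
*Mar 1 08:59:10.849: ppp4 MS-CHAP: O CHALLENGE id 1 len 22 from "Cisco827H"
*Mar 1 08:59:10.957: ppp4 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:11.133: ppp4 PPP: Received LOGIN Response PASS
*Mar 1 08:59:11.285: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:11.289: Vi5.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 08:59:13.277: Vi5.1 IPCP: TIMEout: State REQsent
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
"""

# Matches only packet lines ("I"/"O" direction + message + id); state and timeout lines are skipped.
PKT_RE = re.compile(r"^\*\w+ \d+ [\d:.]+: \S+ (?P<proto>[\w-]+): (?P<dir>[IO]) "
                    r"(?P<msg>[A-Z]+) .*?\bid (?P<id>\d+)")


def parse_events(log):
    """Return (protocol, direction, message, id) for every packet line in the debug."""
    return [(m["proto"], m["dir"], m["msg"], int(m["id"]))
            for m in map(PKT_RE.match, log.splitlines()) if m]


def diagnose(log):
    """Report auth outcomes the router sent that the peer evidently never received."""
    findings = []
    success_ids, resent = set(), Counter()
    ipcp_out = ipcp_in = 0
    for proto, direction, msg, pid in parse_events(log):
        if proto == "MS-CHAP":
            if direction == "O" and msg == "SUCCESS":
                success_ids.add(pid)
            elif direction == "I" and msg == "RESPONSE" and pid in success_ids:
                # A RESPONSE with an id we already acknowledged means the SUCCESS was lost.
                resent[pid] += 1
        elif proto == "IPCP":
            ipcp_out += direction == "O"
            ipcp_in += direction == "I"
    for pid, n in sorted(resent.items()):
        findings.append(f"MS-CHAP id {pid}: peer re-sent RESPONSE {n}x after SUCCESS; "
                        "the SUCCESS is not reaching the client")
    if ipcp_out and not ipcp_in:
        findings.append(f"IPCP: {ipcp_out} CONFREQ sent, nothing received; "
                        "peer never left the authentication phase")
    return findings
```

Running `diagnose(DEBUG_LOG)` returns two findings for the excerpt; on a healthy session it returns an empty list.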

3 Replies

artherrera
Level 1

Hi

A couple of things I am seeing in your configuration: the virtual template is using the loopback interface, and access-group 112 is applied to the dialer interface, but no access-list 112 is defined.

You might want to point your virtual template to the dialer interface, and add access-list 112; you will need to allow TCP port 1723 and GRE. GRE is part of PPTP, and the encryption is MPPE.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008009436a.shtml#router

Hope it helps

I did start with an access-list 112 as below, but it didn't work, so I removed the access-list. I've now removed the "access-group 112 in" command from Dialer1.

I've tried it with the virtual template unnumbered to Dialer1, but it's still the same. I've also noticed that I'm getting a memory error.

*Mar 1 00:03:05.459: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x804D89E8 reading 0x21C

access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any unreachable
access-list 112 permit udp any eq bootps any eq bootpc
access-list 112 permit udp any eq bootps any eq bootps
access-list 112 permit udp any eq domain any
access-list 112 permit esp any any
access-list 112 permit udp any any eq isakmp
access-list 112 permit udp any any eq 10000
access-list 112 permit tcp any any eq 1723
access-list 112 permit gre any any
access-list 112 deny ip any any

I've upgraded the 827H to 12.2(11) and it works fine.