SLES 12 SP1 VPN connection from AWS EC2 to Company network fails (PPTP)

wenneker_tv
22-Mar-2016, 15:57
Hi, I'm fairly new to Linux and have some difficulties setting up a VPN connection. I normally work with Windows, so please have some patience...
For some reason the authentication fails when I try to connect. I'm running SUSE Linux Enterprise Server 12 SP1 on an AWS EC2 C4XL instance.
I know the credentials are correct since they do work on my windows laptop.

The message when I try to connect:


>pppd call wenvpn debug

using channel 7
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x10d31399> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <auth chap MS-v2> <magic 0x1>]
sent [LCP ConfAck id=0x0 <auth chap MS-v2> <magic 0x1>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
sent [LCP ConfReq id=0x2 <magic 0x10d31399>]
rcvd [LCP ConfAck id=0x2 <magic 0x10d31399>]
sent [LCP EchoReq id=0x0 magic=0x10d31399]
rcvd [CHAP Challenge id=0x1 <32974a249148a4532b170e8ac868b8e1>, name = "WENNEKER"]
added response cache entry 0
sent [CHAP Response id=0x1 <d36ffb0a4c9277ac19ab85b839bbf0d70000000000000000cf d60c60f25dbaf7557810075ac3db682c514a4eeca2d69400>, name = "UserName"]
rcvd [LCP EchoRep id=0x0 magic=0x1]
rcvd [CHAP Failure id=0x1 "E=691 R=1 C=32974A249148A4532B170E8AC868B8E1 V=0 M=Good luck!"]
MS-CHAP authentication failed: Good luck!
CHAP authentication failed
sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
rcvd [LCP TermReq id=0x1]
sent [LCP TermAck id=0x1]
rcvd [LCP TermAck id=0x3]
Connection terminated.
Waiting for 1 child processes...
script pptp XX.XX.XX.XX --nolaunchpppd, pid 20548
Script pptp XX.XX.XX.XX --nolaunchpppd finished (pid 20548), status = 0x0
These are the settings in PPP/Peers/wenvpn:


>cat wenvpn

pty "pptp XX.XX.XX.XX --nolaunchpppd"
# Lock the port
lock
# We don't need the tunnel server to authenticate itself
noauth
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
name UserName
remotename PPTP
ipparam wenvpn
require-mppe-128
#only allow MSChap-V2
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
> cat chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses

# OUTBOUND CONNECTIONS
# Here you should add your PPP Login and PPP password to connect to your
# provider via pap. The * means that the entry (login and password) may be
# used for ANY host you connect to.
# Thus you do not have to worry about the foreign machine name. Just
# replace password with your password.
#hostname * password

# PREDEFINED CONNECTIONS
# These are user and password entries for publicly accessible call-by-call
# Internet providers in Germany. If they conflict with your config, remove them.
# READ_IN_CALLBYCALL_SECRETS

# INBOUND CONNECTIONS
#client hostname <password> 192.168.1.1

# added by pptpsetup for wenvpn
UserName PPTP "Password" *


Thanks!

jmozdzen
22-Mar-2016, 16:27
Hi wenneker_tv,

do you see the connection attempt at the dial-in server side? Does the server log details on why it refused the CHAP response (E=691 is an authentication failure)? If this is a MS Windows server, then maybe you're lacking the domain part of the user name, like "ourdomain\UserName".

Regards,
Jens

wenneker_tv
22-Mar-2016, 16:59
Hi Jens,

Thanks for your response. I'm trying to connect to a Draytek Vigor 2925 router. I don't think it supports domains. When I try to connect from my laptop (Windows 8.1) I get a few lines in the router's system log.
When I try to connect from the Linux instance nothing is logged.

wenneker_tv
22-Mar-2016, 17:40
The logging feature in the web interface doesn't seem like it's much use. When I deliberately enter an incorrect password on the laptop nothing is logged either.
Just downloaded a separate syslog program. Can't make much sense of that log.


141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPP Start ()
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x01 ACCM: 0x0 Magic Number: 0x66b8046b Protocol Field Compression Address/Control Field Compression ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) ConfRej Identifier:0x01 ACCM: 0x0 Protocol Field Compression Address/Control Field Compression ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) ConfAck Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x02 Magic Number: 0x66b8046b ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) ConfAck Identifier:0x02 Magic Number: 0x66b8046b ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:CHAP(c223) Challenge Identifier:0x01 10 91 c9 e5 74 bc 60 b3 dd 72 3d a3 d7 f1 7f c6 6a 57 45 4e 4e 45 4b 45 52 ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) EchoReq Identifier:0x00Magic Number: 0x66b8 04 6b ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) EchoRep Identifier:0x00Magic Number: 0x0 00 01 ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:CHAP(c223) Response Identifier:0x01 31 34 92 71 b5 6c 41 d0 2d 28 c2 b1 cb e8 c4 50 50 00 00 00 00 00 00 00 00 15 21 cb a4 a2 2c d5 6b 8b 22 f2 9f 37 39 7c 05 b7 8c 33 09 e5 97 50 cc 00 57 65 6e 6e 65 6b 65 72 ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0, Wenneker) ==> Protocol:CHAP(c223) Failure Identifier:0x01E=691 R=1 C=91C9E574BC60B3DD723DA3D7F17FC66A V=0 M=Good luck! ##
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  CHAP Login Failed () -
141  2016-03-22 17:33:22  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) TermReq Identifier:0x01 ##
141  2016-03-22 17:33:23  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) TermReq Identifier:0x03 46 61 69 6c 65 64 20 74 6f 20 61 75 74 68 65 6e 74 69 63 61 74 65 20 6f 75 72 73 65 6c 76 65 73 20 74 6f 20 70 65 65 72 ##
141  2016-03-22 17:33:23  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) ==> Protocol:LCP(c021) TermAck Identifier:0x03 ##
141  2016-03-22 17:33:23  Mar 22 16:33:12  WENNEKER  PPTP (VPN-0) <== Protocol:LCP(c021) TermAck Identifier:0x01 ##

jmozdzen
22-Mar-2016, 17:46
Hi wenneker_tv,

When I try to connect from my laptop (Windows 8.1) I get a few lines in the router's system log.
When I try to connect from the Linux instance nothing is logged.

now that sounds a bit strange... I would have thought that failed accesses would at least get some form of logging message. Can you somehow confirm the request is reaching the router you're looking at? If there's some authentication back-end, maybe you can see some query there? Or try to increase the logging verbosity of the router?

The trace you posted does show proper responses from the PPTP server, and it shows E=691 - this typically points to a missing or wrong domain part or to a wrong password, possibly because special characters in the password needed to be quoted/escaped.

Regards,
Jens

wenneker_tv
22-Mar-2016, 17:46
Solved!

According to:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml
E=691 indicates a wrong password.

I had special characters in the password. Removing those solved it.

Thanks for pointing me in the right direction.
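The two things this thread turned on were reading the MS-CHAPv2 Failure message that pppd echoes (E=691 is the generic "authentication failure" code from RFC 2759, which a server deliberately returns for any wrong credential so the client learns nothing more) and getting a secret with special characters into chap-secrets intact. The following is an added example, not code from the thread or from the pppd project: it parses the "rcvd [CHAP Failure ...]" line from a pppd debug run into its fields, and builds a chap-secrets entry with the secret double-quoted and backslash/quote characters escaped. The error-code table is taken from RFC 2759 section 6; the quoting rules assume pppd's secrets files use the same word syntax as its options files (whitespace separates words, `#` starts a comment, double quotes group a word and backslash escapes inside it), which is an assumption to confirm against pppd(8) on your system. The sample log lines are the ones posted above.

```python
import re

# MS-CHAPv2 failure codes as defined in RFC 2759, section 6 ("Failure Packet").
# Constructed lookup table for this example; pppd only echoes the raw "E=" string.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# The line pppd prints in debug mode when the peer rejects the CHAP response.
FAILURE_RE = re.compile(r'\[CHAP Failure id=0x[0-9a-fA-F]+ "(?P<body>[^"]*)"\]')


def parse_chap_failure(line):
    """Return the fields of an MS-CHAPv2 Failure message found in `line`, or None.

    The failure body has the form  E=<code> R=<0|1> C=<hex challenge> V=<version> M=<text>.
    M= is always last and its text may contain spaces, so it is split off first.
    """
    match = FAILURE_RE.search(line)
    if match is None:
        return None
    body = match.group("body")
    message = None
    if " M=" in body:
        body, message = body.split(" M=", 1)
    fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
    code = int(fields["E"]) if fields.get("E", "").isdigit() else None
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(fields["V"]) if fields.get("V", "").isdigit() else None,
        "message": message,
    }


def summarize_pppd_log(lines):
    """Collect every CHAP failure from a pppd debug transcript."""
    return [f for f in map(parse_chap_failure, lines) if f is not None]


# Characters pppd's word parser treats specially (assumption: secrets files
# share the options-file word syntax): whitespace ends a word, '#' starts a
# comment, '"' groups a word and '\' escapes the next character.
SPECIAL = set(' \t"\\#')


def needs_quoting(secret):
    """True if the secret would be cut short or altered when written unquoted."""
    return any(ch in SPECIAL for ch in secret)


def quote_chap_secret(secret):
    """Wrap a secret in double quotes, escaping backslash and double quote."""
    escaped = secret.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def chap_secrets_line(client, server, secret, addresses="*"):
    """Build one chap-secrets entry: client server secret addresses."""
    return f"{client} {server} {quote_chap_secret(secret)} {addresses}"


if __name__ == "__main__":
    # Constructed sample: the two relevant lines from the pppd debug run above.
    sample_log = [
        'rcvd [CHAP Challenge id=0x1 <32974a249148a4532b170e8ac868b8e1>, name = "WENNEKER"]',
        'rcvd [CHAP Failure id=0x1 "E=691 R=1 C=32974A249148A4532B170E8AC868B8E1 V=0 M=Good luck!"]',
    ]
    for failure in summarize_pppd_log(sample_log):
        print(f"MS-CHAPv2 failure {failure['code']} ({failure['name']}), "
              f"retry allowed: {failure['retry_allowed']}, server text: {failure['message']!r}")
    # Constructed secret containing characters that need escaping.
    print(chap_secrets_line("UserName", "PPTP", 'p@ss"w\\rd #1'))
```

Whatever the quoting, chap-secrets holds the password in clear text, so it should stay mode 600 and owned by root; and since MS-CHAPv2 over PPTP offers no meaningful protection against an attacker who captures the exchange, the fix here gets the tunnel up but does not make it a strong one.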

jmozdzen
22-Mar-2016, 17:58
Hi wenneker_tv,

great you got it running, and thank you for reporting back!

Regards,
Jens