# VPN - MS-CHAPv2 mutual authentication failed

## mathew

I'm struggling to get a VPN connection to work. I have emerged gentoo-dev-sources-2.6.4-r1, ppp-2.4.2 and pptpclient-1.3.1. I followed the Gentoo howto, but emerging php-gtk-1.0.0.tar.gz failed. Tried editing the /etc/ppp files manually, but no success.

When this didn't work, I applied the patches available from http://www.polbox.com/h/hs001/ to the kernel and ppp. You can find a description of the steps I followed to patch in my Gentoo blog in the section "issue connecting to vpn provided by watchguard firebox". The annoying thing is that I did have this working before upgrading my kernel.

This is the output when I try to connect:

```
bash-2.05b# pppd call ca debug dump logfd 2 nodetach
pppd options in effect:
debug           # (from command line)
nodetach                # (from command line)
logfd 2         # (from command line)
dump            # (from command line)
noauth          # (from /etc/ppp/options.pptp)
name xxxxxxxx              # (from /etc/ppp/peers/ca)
remotename PPTP         # (from /etc/ppp/peers/ca)
                # (from /etc/ppp/options.pptp)
pty pptp xxx.xxx.xxx.xxx --nolaunchpppd          # (from /etc/ppp/peers/ca)
mru 1420                # (from /etc/ppp/options.pptp)
mtu 1420                # (from /etc/ppp/options.pptp)
lcp-echo-failure 1000           # (from /etc/ppp/options.pptp)
lcp-echo-interval 1000          # (from /etc/ppp/options.pptp)
ipparam ca              # (from /etc/ppp/peers/ca)
nobsdcomp               # (from /etc/ppp/options.pptp)
nodeflate               # (from /etc/ppp/options.pptp)
require-mppe-128                # (from /etc/ppp/peers/ca)
using channel 18
Using interface ppp0
Connect: ppp0 <--> /dev/pts/21
sent [LCP ConfReq id=0x1 <mru 1420> <asyncmap 0x0> <magic 0x62742540> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <mru 1420> <asyncmap 0x0> <magic 0x62742540> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0x7f5fc9b6> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 338> <auth chap MS-v2> <magic 0x7f5fc9b6> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <mru 1420> <magic 0x62742540> <pcomp> <accomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <mru 1420> <magic 0x62742540> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0x7025da54> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0x7025da54> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <mru 1420> <magic 0x62742540> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x62742540]
rcvd [CHAP Challenge id=0x2 <c87b46a5721eb2de6528cb7cb74d031c>, name = "watchguard"]
sent [CHAP Response id=0x2 <634000e41cf4db8258c3949b5cc81b7300000000000000003115da0a51f222a90db9a59f3f519f3ca21514c6394892f900>, name = "xxxxxxxx"]
rcvd [LCP EchoRep id=0x0 magic=0x7025da54]
rcvd [CHAP Success id=0x2 "S=49131d654d7e700d6850caf2f799f3f024fec38a"]
MS-CHAPv2 mutual authentication failed.
sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
rcvd [IPCP ConfReq id=0x1 <addr 10.176.190.250>]
Discarded non-LCP packet when LCP not open
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x3]
Connection terminated.
Waiting for 1 child processes...
  script pptp xxx.xxx.xxx.xxx --nolaunchpppd, pid 5997
Script pptp xxx.xxx.xxx.xxx --nolaunchpppd finished (pid 5997), status = 0x0
```

It appears that the key line is "MS-CHAPv2 mutual authentication failed.", but I don't know why!

What's more frustrating is that this all works seamlessly if I boot into Windows.

----------
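
An added example, not part of the original posts: pppd prints "MS-CHAPv2 mutual authentication failed." when the `S=` value in the server's CHAP Success does not match the authenticator response the client computed for itself, so the server accepted the client but the client did not accept the server. The script below pulls that sequence out of the failing log above and splits the Response value using the RFC 2759 field layout; the function names are this example's own.

```python
import re

# Lines copied from the failing pppd debug log in the first post.
FAILED_LOG = '''\
rcvd [CHAP Challenge id=0x2 <c87b46a5721eb2de6528cb7cb74d031c>, name = "watchguard"]
sent [CHAP Response id=0x2 <634000e41cf4db8258c3949b5cc81b7300000000000000003115da0a51f222a90db9a59f3f519f3ca21514c6394892f900>, name = "xxxxxxxx"]
rcvd [CHAP Success id=0x2 "S=49131d654d7e700d6850caf2f799f3f024fec38a"]
MS-CHAPv2 mutual authentication failed.
sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
'''

CHAP_RE = re.compile(r'^(?:sent|rcvd) \[CHAP (\w+) id=0x[0-9a-f]+ (?:<([0-9a-f]+)>|"(.*)")')

def split_response(hex_value):
    """Split the 49-octet MS-CHAPv2 Response value into its RFC 2759 fields."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 49:
        raise ValueError("not an MS-CHAPv2 response: %d octets" % len(raw))
    return {"peer_challenge": raw[:16], "reserved": raw[16:24],
            "nt_response": raw[24:48], "flags": raw[48]}

def analyse(log):
    """Report what each side decided during the CHAP phase of a pppd debug log."""
    out = {"challenge": None, "response": None, "authenticator": None,
           "server_accepted": False, "client_verified": None}
    for line in log.splitlines():
        line = line.strip()
        m = CHAP_RE.match(line)
        if m:
            kind, hexval, msg = m.groups()
            if kind == "Challenge" and hexval:
                out["challenge"] = bytes.fromhex(hexval)
            elif kind == "Response" and hexval:
                out["response"] = split_response(hexval)
            elif kind == "Success":
                # The server accepted our NT-Response and sent its own proof (S=...).
                out["server_accepted"] = True
                s = re.search(r"S=([0-9A-Fa-f]{40})", msg or "")
                out["authenticator"] = bytes.fromhex(s.group(1)) if s else None
                # Assumed verified unless pppd logs the failure line afterwards.
                out["client_verified"] = s is not None
        elif "mutual authentication failed" in line:
            out["client_verified"] = False
    return out

if __name__ == "__main__":
    for key, value in analyse(FAILED_LOG).items():
        print(key, value)
```
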

## mathew

Turned on the computer that I was previously running gentoo on and was able to successfully connect.

This is the output for a successful connection:

```
pppd pty 'pptp 203.38.176.146 --nolaunchpppd' call ca debug dump logfd 2 nodetach
pppd options in effect:
debug           # (from command line)
nodetach                # (from command line)
logfd 2         # (from command line)
dump            # (from command line)
noauth          # (from /etc/ppp/options.pptp)
name xxxxxxxx              # (from /etc/ppp/peers/ca)
remotename PPTP         # (from /etc/ppp/peers/ca)
                # (from /etc/ppp/options.pptp)
pty pptp xxx.xxx.xxx.xxx --nolaunchpppd          # (from command line)
mru 1000                # (from /etc/ppp/options.pptp)
mtu 1000                # (from /etc/ppp/options.pptp)
nopcomp         # (from /etc/ppp/options.pptp)
lcp-echo-failure 10             # (from /etc/ppp/options.pptp)
lcp-echo-interval 10            # (from /etc/ppp/options.pptp)
nobsdcomp               # (from /etc/ppp/options.pptp)
nodeflate               # (from /etc/ppp/options.pptp)
mppe-40         # (from /etc/ppp/options.pptp)
mppe-128                # (from /etc/ppp/options.pptp)
mppe-stateless          # (from /etc/ppp/options.pptp)
using channel 8
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0xa7c76fe5> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap 81> <magic 0xcd7fb146> <pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <mru 1000> <magic 0xa7c76fe5> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap 81> <magic 0xcd7fb146> <accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap 81> <magic 0xcd7fb146> <accomp>]
rcvd [LCP ConfAck id=0x2 <mru 1000> <magic 0xa7c76fe5> <accomp>]
sent [LCP EchoReq id=0x0 magic=0xa7c76fe5]
cbcp_lowerup
want: 2
rcvd [CHAP Challenge id=0x1 <340cdbea2c3a43d18b45e6885b4ac3bb>, name = "watchguard"]
sent [CHAP Response id=0x1 <a8f3b5eadbb0d1105b59163bec7fb6c200000000000000002b923aad3cb48d6535c6c0f3184d2216788299a3d7db2dbe00>, name = "xxxxxxxx"]
rcvd [LCP EchoRep id=0x0 magic=0xcd7fb146]
rcvd [CHAP Success id=0x1 "S=238138e1c728b14b77db7c13dd8d7e6b2a3c4b2d"]
Remote message: S=238138e1c728b14b77db7c13dd8d7e6b2a3c4b2d
sent [IPCP ConfReq id=0x1 <addr xxx.xxx.xxx.xxx> <compress VJ 0f 01>]
sent [CCP ConfReq id=0x1 <mppe 1 0 0 60>]
rcvd [IPCP ConfReq id=0x1 <addr xxx.xxx.xxx.xxx>]
sent [IPCP ConfAck id=0x1 <addr xxx.xxx.xxx.xxx>]
rcvd [CCP ConfReq id=0x1 <mppe 1 0 0 40>]
sent [CCP ConfAck id=0x1 <mppe 1 0 0 40>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr xxx.xxx.xxx.xxx>]
rcvd [CCP ConfNak id=0x1 <mppe 1 0 0 40>]
sent [CCP ConfReq id=0x2 <mppe 1 0 0 40>]
rcvd [IPCP ConfNak id=0x2 <addr 172.18.0.35>]
sent [IPCP ConfReq id=0x3 <addr 172.18.0.35>]
rcvd [CCP ConfAck id=0x2 <mppe 1 0 0 40>]
MPPE 128 bit, stateless compression enabled
rcvd [IPCP ConfAck id=0x3 <addr xxx.xxx.xxx.xxx>]
local  IP address xxx.xxx.xxx.xxx
remote IP address xxx.xxx.xxx.xxx
Script /etc/ppp/ip-up started (pid 20184)
Script /etc/ppp/ip-up finished (pid 20184), status = 0x0
sent [LCP EchoReq id=0x1 magic=0xa7c76fe5]
```

Does the line "MPPE 128 bit, stateless compression enabled" mean that I need MPPC?

----------

## mathew

Found an email titled "watchguard..pptp-1.3.1" which suggests it might be an issue with the WatchGuard Firebox server. Doesn't surprise me, but doesn't help either.

----------

## froke

Check out this thread: https://forums.gentoo.org/viewtopic.php?t=139828

For the authentication problem, make sure your password in /etc/ppp/chap-secrets is in quotes if it contains special characters.

If you are getting the "Unsupported protocol 0x2145 received" error, then the latest patches on this site have exactly what you need: http://www.polbox.com/h/hs001/

----------

