Can't connect to VPN; works from Windows
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-01-12, 15:39

10.5, PPTP (not L2TP/IPSec).

I have verbose logging on, so here's the log of a session that supposedly fails at authentication:
Code:
Sat Jan 12 21:26:06 2008 : PPTP connecting to server [..]
Sat Jan 12 21:26:07 2008 : PPTP connection established.
Sat Jan 12 21:26:07 2008 : using link 0
Sat Jan 12 21:26:07 2008 : Using interface ppp0
Sat Jan 12 21:26:07 2008 : Connect: ppp0 <--> socket[34:17]
Sat Jan 12 21:26:07 2008 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x353d85fb> <pcomp> <accomp>]
Sat Jan 12 21:26:07 2008 : rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2> <magic 0x61122bde> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint 13 17 01 ae d9 02 c1 91 94 4d 63 a8 0c e0 be f5 69 5c 55 00 00 00 00> < 17 04 00 0e>]
Sat Jan 12 21:26:07 2008 : lcp_reqci: rcvd unknown option 13
Sat Jan 12 21:26:07 2008 : lcp_reqci: rcvd unknown option 23
Sat Jan 12 21:26:07 2008 : lcp_reqci: returning CONFREJ.
Sat Jan 12 21:26:07 2008 : sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614> < 17 04 00 0e>]
Sat Jan 12 21:26:07 2008 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x353d85fb> <pcomp> <accomp>]
Sat Jan 12 21:26:07 2008 : rcvd [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x61122bde> <pcomp> <accomp> <endpoint 13 17 01 ae d9 02 c1 91 94 4d 63 a8 0c e0 be f5 69 5c 55 00 00 00 00>]
Sat Jan 12 21:26:07 2008 : lcp_reqci: returning CONFACK.
Sat Jan 12 21:26:07 2008 : sent [LCP ConfAck id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x61122bde> <pcomp> <accomp> <endpoint 13 17 01 ae d9 02 c1 91 94 4d 63 a8 0c e0 be f5 69 5c 55 00 00 00 00>]
Sat Jan 12 21:26:07 2008 : sent [LCP EchoReq id=0x0 magic=0x353d85fb]
Sat Jan 12 21:26:07 2008 : rcvd [CHAP Challenge id=0x0 <805ffcb88a699a213f7b918b3511a2e5>, name = "FIREWALL"]
Sat Jan 12 21:26:07 2008 : sent [CHAP Response id=0x0 <f90b7cf154829c41faa860bf81325bcf0000000000000000fd64a5581250f44846b8310709f4634c22d91ffec8e3642500>, name = "S\37777777703\37777777666ren"]
Sat Jan 12 21:26:07 2008 : rcvd [LCP EchoRep id=0x0 magic=0x61122bde]
Sat Jan 12 21:26:08 2008 : rcvd [CHAP Failure id=0x0 "E=691 R=1 C=EFBEDD81C41AC69CBC390B36E2342534 V=3"]
Sat Jan 12 21:26:08 2008 : MS-CHAP authentication failed: E=691 Authentication failure
Sat Jan 12 21:26:09 2008 : rcvd [CHAP Failure id=0x0 "E=691 R=1 C=EFBEDD81C41AC69CBC390B36E2342534 V=3"]
Sat Jan 12 21:26:09 2008 : MS-CHAP authentication failed: E=691 Authentication failure
Sat Jan 12 21:26:11 2008 : rcvd [CHAP Failure id=0x0 "E=691 R=1 C=EFBEDD81C41AC69CBC390B36E2342534 V=3"]
Sat Jan 12 21:26:11 2008 : MS-CHAP authentication failed: E=691 Authentication failure
Sat Jan 12 21:26:12 2008 : sent [CHAP Response id=0x1 <15583d346d73fedac7c1473afb2feab80000000000000000644a8c1097688284a6ef02ff66f673c3d6c82e62397508dc00>, name = "S\37777777703\37777777666ren"]
Sat Jan 12 21:26:12 2008 : rcvd [CHAP Failure id=0x1 "E=691 R=1 C=E1B89E3BC154B8FB4F401356DFECC0BD V=3"]
Sat Jan 12 21:26:12 2008 : MS-CHAP authentication failed: E=691 Authentication failure
Sat Jan 12 21:26:13 2008 : sent [LCP TermReq id=0x2 "User cancelled authentication"]
Sat Jan 12 21:26:13 2008 : rcvd [LCP TermAck id=0x2 "User cancelled authentication"]
Sat Jan 12 21:26:13 2008 : Connection terminated.
Sat Jan 12 21:26:13 2008 : PPTP disconnecting...
Sat Jan 12 21:26:13 2008 : PPTP disconnected
Points of interest:
  • My account name is Sören (with the umlaut), so that might be throwing it off. The verbose logging says it's escaping this as "S\37777777703\37777777666ren", which may very well be completely wrong (but how am I to know?).
  • Authentication is supposed to be MS-CHAPv2. In the log, this does appear:
    Code:
    Sat Jan 12 21:26:07 2008 : rcvd [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2>
    However, pppd then tries MS-CHAP (v1?):
    Code:
    Sat Jan 12 21:26:08 2008 : MS-CHAP authentication failed: E=691 Authentication failure
  • Some info on the Web claims Leopard enforces MPPE encryption. The server may not support this properly.

I cannot force MS-CHAPv2 because I cannot edit pppd's options: Leopard passes those directly using launchd with some weird undocumented trick.

Now, it would be nice if I got this to work on Leopard, but not prudent. It does work in Windows. But! Windows's VPN client doesn't appear to have an on-demand feature. I don't mind connecting to the VPN once a day, but I do mind having to reconnect every now and then because it lost its connection, and I certainly get aggravated when Outlook and Visual SourceSafe and IDontCareWhatElse tell me they can't connect. As I understand it, OS X's VPN client has an on-demand feature where you define a domain (say, applenova.com) and then whenever a connection attempt is made by any app to something.applenova.com, the VPN connection gets opened automatically.

So, does anyone know a third-party app that accomplishes just that in Windows, so I can have some peace & quiet?
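Added example, not part of any post in this thread: a short Python script that reads three lines of the log above to check the two things the first post wonders about, namely which bytes the escaped name "S\37777777703\37777777666ren" stands for and whether the exchange is MS-CHAP v1 or v2. The function names are made up for this example; the field layouts are those of RFC 2759 (MS-CHAPv2) and RFC 2433 (MS-CHAPv1).

```python
import re

# Three lines copied from the session log in the first post.
LOG = r'''
Sat Jan 12 21:26:07 2008 : rcvd [CHAP Challenge id=0x0 <805ffcb88a699a213f7b918b3511a2e5>, name = "FIREWALL"]
Sat Jan 12 21:26:07 2008 : sent [CHAP Response id=0x0 <f90b7cf154829c41faa860bf81325bcf0000000000000000fd64a5581250f44846b8310709f4634c22d91ffec8e3642500>, name = "S\37777777703\37777777666ren"]
Sat Jan 12 21:26:08 2008 : rcvd [CHAP Failure id=0x0 "E=691 R=1 C=EFBEDD81C41AC69CBC390B36E2342534 V=3"]
'''

# \NNN is an octal byte value. The 11-digit form (0xFFFFFFxx in octal) is what
# a byte >= 0x80 looks like after being sign-extended to 32 bits.
ESCAPE = re.compile(r'\\(37777777[0-7]{3}|[0-7]{1,3})')

def decode_name(escaped: str) -> bytes:
    """Recover the raw name bytes from the escaped form printed in the log."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(escaped):
        out += escaped[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 8) & 0xFF)  # keep only the low 8 bits
        pos = m.end()
    return bytes(out + escaped[pos:].encode('latin-1'))

def analyse(log: str) -> dict:
    """Summarise what the CHAP exchange in the log says about itself."""
    chal = bytes.fromhex(re.search(r'CHAP Challenge id=\S+ <([0-9a-f]+)>', log).group(1))
    resp = re.search(r'CHAP Response id=\S+ <([0-9a-f]+)>, name = "([^"]*)"', log)
    value, name = bytes.fromhex(resp.group(1)), decode_name(resp.group(2))
    fail = dict(kv.split('=') for kv in
                re.search(r'CHAP Failure id=\S+ "([^"]*)"', log).group(1).split())
    # MS-CHAPv2 (RFC 2759): 16-byte challenge; 49-byte response laid out as
    # 16 peer challenge + 8 reserved zero bytes + 24 NT-Response + 1 flags.
    # MS-CHAPv1 (RFC 2433) uses an 8-byte challenge.
    is_v2 = (len(chal) == 16 and len(value) == 49
             and value[16:24] == bytes(8) and len(fail['C']) == 32)
    return {
        'protocol': 'MS-CHAPv2' if is_v2 else 'MS-CHAPv1 or unknown',
        'name_bytes': name.hex(),
        'name_utf8': name.decode('utf-8', errors='replace'),
        'error': int(fail['E']),          # 691 = authentication failure
        'retry_allowed': fail['R'] == '1',
        'version_field': int(fail['V']),  # RFC 2759 says this should be 3
    }

if __name__ == '__main__':
    for key, val in analyse(LOG).items():
        print(f'{key}: {val}')
```

On these lines it reports MS-CHAPv2 and the name bytes 53 c3 b6 72 65 6e, which is "Sören" in UTF-8, so the escaped form is only a sign-extended octal rendering of the two UTF-8 bytes of "ö". Whether the server expects the name in that encoding is not something the log shows.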
Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2008-01-12, 18:05

I connect to a Windows VPN fine! Have you checked the settings on your server? I think there is an encrypted password option somewhere....

Hang on, I'll see if I can dig it out...

Quote:
From Administrative Tools, open Domain Controller Security Settings.
Go to Local Policies then Security Options.

Scroll down to find the entry Microsoft network server: Digitally sign communications (always). Set this to Disabled.

The only thing left to do is to reload the security policy, as changes don’t otherwise take effect for some time. Open up a command window and type:

gpupdate

OK, I have given up keeping this sig up to date. Let's just say I'm the guy that installs every latest version as soon as it's available!
mattf
Member
 
Join Date: Feb 2005
Location: Devonshire - nearly twinned with Narnia
 
2008-01-13, 06:18

Quote:
Originally Posted by chucker View Post

Now, it would be nice if I got this to work on Leopard, but not prudent. It does work in Windows. But! Windows's VPN client doesn't appear to have an on-demand feature. I don't mind connecting to the VPN once a day, but I do mind having to reconnect every now and then because it lost its connection, and I certainly get aggravated when Outlook and Visual SourceSafe and IDontCareWhatElse tell me they can't connect. As I understand it, OS X's VPN client has an on-demand feature where you define a domain (say, applenova.com) and then whenever a connection attempt is made by any app to something.applenova.com, the VPN connection gets opened automatically.

So, does anyone know a third-party app that accomplishes just that in Windows, so I can have some peace & quiet?
Assuming you mean Windows XP, the best (although far from perfect) way of keeping a persistent VPN connection (not on-demand) that I've seen is documented here. I've done that in the distant past, checking the VPN connection every minute rather than the 6 minutes they are using in the example.

If you have access to a Windows Server version on the remote side of the VPN, then just install RRAS and set up a static route to the IP range you need.

Last edited by mattf : 2008-01-13 at 06:20. Reason: Edited for clarity
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-01-13, 06:29

Quote:
Originally Posted by Gargoyle View Post
I connect to a Windows VPN fine! Have you checked the settings on your server? I think there is an encrypted password option somewhere....

Hang on, I'll see if I can dig it out...
I'd rather leave the server-side settings alone so I don't break things for the coworkers. As far as I'm concerned, this is an OS X problem, and it's OS X's job to fix it, since it works fine in Windows.
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-01-13, 06:31

Quote:
Originally Posted by mattf View Post
Assuming you mean Windows XP, the best (although far from perfect) way of keeping a persistent VPN connection (not on-demand) that I've seen is documented here. I've done that in the distant past, checking the VPN connection every minute rather than the 6 minutes they are using in the example.

If you have access to a Windows Server version on the remote side of the VPN, then just install RRAS and set up a static route to the IP range you need.
Both of those would keep the VPN connected even while I'm at work. I want it only while I'm at home. And Windows has no (easy) concept of network locations.
mattf
Member
 
Join Date: Feb 2005
Location: Devonshire - nearly twinned with Narnia
 
2008-01-13, 06:48

Quote:
Originally Posted by chucker View Post
I want it only while I'm at home. And Windows has no (easy) concept of network locations.
Ah, yes, that is a pain in the arse. Feasibly, you could run their vpndial.bat as a standalone executable, rather than installing it as a service - only employing it when you're at home?
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-01-13, 06:55

Quote:
Originally Posted by mattf View Post
Feasibly, you could run their vpndial.bat as a standalone executable, rather than installing it as a service - only employing it when you're at home?
Yup, thinking about just that…
Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2008-01-13, 07:00

Quote:
Originally Posted by chucker View Post
I'd rather leave the server-side settings alone so I don't break things for the coworkers. As far as I'm concerned, this is an OS X problem, and it's OS X's job to fix it, since it works fine in Windows.
It's not really an OS X problem - there isn't anything to fix!

It's a setting that is incompatible with the VPN client in OS X. Indeed, future versions of the VPN client might support digitally signed connections, but what difference does it make? The link is still encrypted.

I have made the change on our server and it has had no side effects.

OK, I have given up keeping this sig up to date. Let's just say I'm the guy that installs every latest version as soon as it's available!