I'm using an Arch Linux router to connect to my ISP's VPN, but for some reason CHAP authentication is being refused:
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1436> <magic 0x5e9f9414>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MD5>]
How do I fix this?
Details
Logs
root@Chiruno:~# pon wan debug dump logfd 2 nodetach
pppd options in effect:
debug # (from command line)
nodetach # (from command line)
logfd 2 # (from command line)
ifname wan # (from /etc/ppp/peers/wan)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
refuse-pap # (from /etc/ppp/options.pptp)
# (from /etc/ppp/options)
# (from /etc/ppp/options.pptp)
refuse-mschap-v2 # (from /etc/ppp/options.pptp)
refuse-eap # (from /etc/ppp/options.pptp)
name username # (from /etc/ppp/peers/wan)
remotename PPTP # (from /etc/ppp/options.pptp)
# (from /etc/ppp/options.pptp)
pty /usr/sbin/pptp pptp.isp --nolaunchpppd # (from /etc/ppp/peers/wan)
ipparam $TUNNEL # (from /etc/ppp/peers/wan)
defaultroute # (from /etc/ppp/peers/wan)
replacedefaultroute # (from /etc/ppp/peers/wan)
nobsdcomp # (from /etc/ppp/options)
nodeflate # (from /etc/ppp/options)
using channel 672
Using interface wan
Connect: wan <--> /dev/pts/6
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x6fec8267> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1436> <magic 0x5e9f9414>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MD5>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
sent [LCP ConfReq id=0x2 <magic 0x6fec8267>]
rcvd [LCP ConfReq id=0x2 <auth chap MD5> <mru 1436> <magic 0x5e9f9414>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth chap MD5>]
Modem hangup
Connection terminated.
Script /usr/sbin/pptp pptp.isp --nolaunchpppd finished (pid 40392), status = 0x0
Configuration
/etc/ppp/options.pptp
###############################################################################
# $Id: options.pptp,v 1.4 2012/08/30 21:34:13 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###############################################################################
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do PAP, EAP, MSCHAP or MSCHAP-V2 but we will accept CHAP
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-mschap
refuse-mschap-v2
remotename PPTP
# Compression
# Turn off compression protocols we know won't be used
#nobsdcomp
#nodeflate
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
#
# Note that using PPTP with MPPE and MSCHAP-V2 should be considered
# insecure:
# http://marc.info/?l=pptpclient-devel&m=134372640219039&w=2
# https://github.com/moxie0/chapcrack/blob/master/README.md
# http://technet.microsoft.com/en-us/security/advisory/2743314
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# If the kernel is booted in FIPS mode (fips=1), the ppp_mppe.ko module
# is not allowed and PPTP-MPPE is not available.
# {{{
# Require MPPE 128-bit encryption
#require-mppe-128
# }}}
# http://mppe-mppc.alphacron.de/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
#mppe required,stateless
# }}}
/etc/ppp/peers/wan
pty "/usr/sbin/pptp pptp.isp --nolaunchpppd"
name username
remotename PPTP
require-chap
file /etc/ppp/options.pptp
ifname wan
ipparam $TUNNEL
defaultroute
replacedefaultroute
/etc/ppp/chap-secrets
# user remote secret IP addresses
"username" PPTP "P4ssw0rd!1!" *
It turned out I had forgotten that /etc/ppp/options (which in my case contained a nasty little refuse-chap) is still checked. Don't repeat my mistake!
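The check described in the answer, as an added example that is not part of the original post: it reads the output of `pon <peer> debug dump logfd 2 nodetach`, finds the authentication method the peer asks for in its LCP ConfReq, and reports which option file set the matching `refuse-*` option. The sample log is constructed from the lines in the question with a `refuse-chap` entry added, and the function names and the mapping table are assumptions of this example.

```python
import re

# Peer's LCP auth request as pppd prints it -> local option that refuses it
# (mapping assumed from pppd's debug output format).
REFUSE_FOR = {
    "pap": "refuse-pap",
    "eap": "refuse-eap",
    "chap MD5": "refuse-chap",
    "chap MS": "refuse-mschap",
    "chap MS-v2": "refuse-mschap-v2",
}
OPTION_RE = re.compile(r"^(\S+)(?:\s+(.*?))?\s+# \(from (.+)\)$")
AUTH_RE = re.compile(r"^rcvd \[LCP ConfReq [^\]]*<auth ([^>]+)>")

def effective_options(log_text):
    """Map each option in pppd's 'dump' listing to the source that set it."""
    opts = {}
    for line in log_text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(3)
    return opts

def diagnose(log_text):
    """Return (requested auth, refusing option, source) per blocked request."""
    opts = effective_options(log_text)
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        option = REFUSE_FOR.get(m.group(1))
        hit = (m.group(1), option, opts.get(option))
        if option in opts and hit not in findings:
            findings.append(hit)
    return findings

# Constructed sample: lines from the question plus an explicit refuse-chap entry.
SAMPLE = """\
pppd options in effect:
noauth # (from /etc/ppp/options.pptp)
refuse-pap # (from /etc/ppp/options.pptp)
refuse-chap # (from /etc/ppp/options)
name username # (from /etc/ppp/peers/wan)
rcvd [LCP ConfReq id=0x1 <auth chap MD5> <mru 1436> <magic 0x5e9f9414>]
No auth is possible
rcvd [LCP ConfReq id=0x2 <auth chap MD5> <mru 1436> <magic 0x5e9f9414>]
"""

if __name__ == "__main__":
    for auth, option, source in diagnose(SAMPLE):
        print(f"peer requests '{auth}' but {option} is set in {source}")
```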