VPN/PPP Problem

I have an interesting problem and I’m really sure it’s a misconfigured Windows 2003 server. Now, let me explain :)

The Mikrotik uses the RADIUS authentication from a Windows 2003 server. PPTP connections worked well until a configuration change was made. Here’s the log:

may/06/2006 19:10:19 pptp,info TCP connection established from x.x.x.x
may/06/2006 19:10:19 pptp,ppp,info <pptp-0>: waiting for call...
may/06/2006 19:10:21 pptp,ppp,info <pptp-userX>: authenticated
may/06/2006 19:10:21 pptp,ppp,info <pptp-userX>: terminating... - call cleared
may/06/2006 19:10:21 pptp,ppp,info <pptp-userX>: disconnected

Has anyone run into this before? The Windows VPN client (from my laptop) gives “Error 778: It was not possible to verify the identity of the server”

I can provide more information upon request…

Thanks!

PPTP connections worked well until a configuration change was made

Back out the configuration change; does it work again?

Need to see the IAS logs from the 2003 box.

Regards

Andrew

I was trapped in the same problem, and my Windows XP gave out the error "619…". At last I figured out that it was because our campus network has been dropping any data through port 1723.

Logs as follows:

172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,32,MikroTik,4,172.26.10.254,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4155,0,4154,Use Windows authentication for all users,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,4136,1,4142,0
172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,4154,Use Windows authentication for all users,4155,0,4128,Mikrotik,4116,0,4108,172.26.10.254,4136,2,4142,0
172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,44,81a00000,8,172.26.10.191,45,1,40,1,32,MikroTik,4,172.26.10.254,41,0,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4154,Use Windows authentication for all users,4136,4,4142,0
172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,44,81a00000,8,172.26.10.191,45,1,46,0,42,0,52,0,47,0,43,10,53,0,48,1,40,2,49,1,32,MikroTik,4,172.26.10.254,41,0,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4154,Use Windows authentication for all users,4136,4,4142,0

I realize that something got messed up in the configuration (W3K side) but maybe these logs will tell you something I’m now seeing. Thanks!
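
What the four IAS-format records above contain, decoded with a small parser. This is an added example, not part of any poster's message: ids 1-63 are the standard RADIUS attribute numbers (RFC 2865/2866), 4136 (Packet-Type) and 4142 (Reason-Code) are IAS-specific ids, and the function names are made up for the example.

```python
import csv

# Fixed leading columns of an IAS-format record; attribute id/value pairs follow.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "4": "Accounting-Request"}   # attribute 4136
ACCT_STATUS = {"1": "Start", "2": "Stop"}                         # attribute 40
TERMINATE_CAUSE = {"1": "User-Request", "2": "Lost-Carrier"}      # attribute 49

# The four records posted in the thread, copied as they appear there.
SAMPLE = [
    "172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,32,MikroTik,4,172.26.10.254,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4155,0,4154,Use Windows authentication for all users,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,4136,1,4142,0",
    "172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,4154,Use Windows authentication for all users,4155,0,4128,Mikrotik,4116,0,4108,172.26.10.254,4136,2,4142,0",
    "172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,44,81a00000,8,172.26.10.191,45,1,40,1,32,MikroTik,4,172.26.10.254,41,0,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4154,Use Windows authentication for all users,4136,4,4142,0",
    "172.26.10.254,bmenking,05/08/2006,21:24:32,IAS,VPI,6,2,7,1,5,58,61,5,31,66.191.238.9,30,64.89.90.7,25,311 1 172.26.10.1 05/06/2006 03:59:54 29,44,81a00000,8,172.26.10.191,45,1,46,0,42,0,52,0,47,0,43,10,53,0,48,1,40,2,49,1,32,MikroTik,4,172.26.10.254,41,0,26,0x00003A8C09087670696E6574,4108,172.26.10.254,4116,0,4128,Mikrotik,4120,vpinet,4154,Use Windows authentication for all users,4136,4,4142,0",
]


def parse_ias_line(line):
    """Split one record into its header fields plus an {attribute id: value} dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError("not an IAS-format record")
    record = dict(zip(HEADER, fields))
    pairs = fields[len(HEADER):]
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record


def trace(lines):
    """Decode each record to (packet type, reason code, accounting detail)."""
    out = []
    for line in lines:
        a = parse_ias_line(line)["attrs"]
        kind = PACKET_TYPE.get(a.get("4136"), "unknown")
        detail = {}
        if kind == "Accounting-Request":
            kind += " " + ACCT_STATUS.get(a.get("40"), "?")
            if "46" in a:  # Acct-Session-Time is only present on Stop records
                detail = {"session_seconds": int(a["46"]),
                          "terminate_cause": TERMINATE_CAUSE.get(a.get("49"), a.get("49"))}
        out.append((kind, int(a.get("4142", -1)), detail))
    return out


if __name__ == "__main__":
    for row in trace(SAMPLE):
        print(row)
```

On these records the sequence is Access-Request, Access-Accept, Accounting Start, then Accounting Stop with a session time of 0 and terminate cause User-Request, every one with reason code 0.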

Well, unless you tell me (and I’m sure others) what goes on in those logs (I love Microsoft -grin-), we’re not going to get any wiser there.

However, -rant- pasting your exact error message, copied & pasted into google: http://www.pcreview.co.uk/forums/thread-1574610.php

It would seem that you are using certificates for authentication, and that the CA Root has problems authenticating the certificates - this is a W3K issue, not Mikrotik.

Spend some time on google, I doubt you’re going to get much help here on the MS side of things…


C

I already checked on Google before I posted (I hate forums, I want instant results) and attempted several solutions, one being that exact link. If that had worked, I wouldn’t be posting here :)

Anyway, as in my previous post, I realize that this is a W3K problem, not Mikrotik. My interest is whether or not someone has already dealt with this…

Well, this is definitely a CA issue. Have you perhaps tried PAP authentication instead? Yes, it’s more insecure, but eliminate things until you can pinpoint exactly what’s wrong… :)

Other than that, if you can tell me what is what in those log files so that I understand it, I’d be happy to toss my brain at it again..


C

The IAS logs show an IAS_SUCCESS return code (researching that, it’s M$; could mean the function failed successfully). Since Mikrotik is logging a “call cleared” when terminating, is there a way to increase the verbosity of ppp logs on Mikrotik? Maybe I can get a more detailed idea of what is happening.

Thanks!

Your comments about the log just put a smirk on my face, no phun intended :D

/system logging add topics=ppp,debug action=echo

Something like that… Just play around in /system logging… It’s relatively easy to beef up the logging.


C

EDIT: Just a thought, but if you are using certificates for authentication, should these not be installed on MT ?? Just a thought I had…

I don’t recall using certs or installing them on MT. It originally worked out of the box… until the W3K server got (re)configured. Then it broke.

Thanks for the logging help!

You know what? I should be looking at the RADIUS interaction between W3K radius and MT.

VPN Client <--> MT <--(radius)--> W3K

Would I be safe in saying that pptp has nothing to do with the interaction between MT and W3K RADIUS? MT should be handling all the nasty ppp stuff… right?

Yes. Provided, the NAS (ie. MT) is configured correctly to accommodate what Radius tells it to do… Now, if nothing changed on MT (your update? was only on Windows?), I’d definitely focus on the Windows side of things…