Jul
9
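[Original] Fixing "Refusing MPPE stateful mode offered by peer" in PPTP
In one project, a Red Flag DC Server 5.0 host had to connect to a remote hardware VPN appliance over PPTP (Point-to-Point Tunneling Protocol). I first configured it following the article "[Original] Deploying PPTP VPN on Linux -- Client" and added MPPE module support. On connecting, however, the system log reported this error: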
Quote
Jul 9 02:55:35 qktest pppd[17038]: Refusing MPPE stateful mode offered by peer
Jul 9 02:55:35 qktest pppd[17038]: MPPE required but peer negotiation failed
Jul 9 02:55:35 qktest pppd[17038]: Connection terminated.
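I. Symptoms
In testing, the same configuration connects without problems from Windows 7, and a connection between two Linux hosts also works. The detailed failure log is:
Quote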
Jul 9 02:55:35 qktest pppd[17038]: CHAP authentication succeeded
Jul 9 02:55:35 qktest kernel: PPP MPPE Compression module registered
Jul 9 02:55:35 qktest pppd[17038]: Refusing MPPE stateful mode offered by peer
Jul 9 02:55:35 qktest pppd[17038]: MPPE required but peer negotiation failed
Jul 9 02:55:35 qktest pppd[17038]: Connection terminated.
Jul 9 02:55:35 qktest pptp[17039]: anon warn[decaps_hdlc:pptp_gre.c:204]: short read (-1): Input/output error
Jul 9 02:55:35 qktest pptp[17039]: anon warn[decaps_hdlc:pptp_gre.c:216]: pppd may have shutdown, see pppd log
Jul 9 02:55:35 qktest pptp[17058]: anon log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
Jul 9 02:55:35 qktest pptp[17058]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Jul 9 02:55:35 qktest pptp[17058]: anon log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
Jul 9 02:55:35 qktest pppd[17038]: Exit.
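The log shows that username and password authentication succeeds and that MPPE encryption is required, so the problem should lie in MPPE stateful mode.
II. Analysis
A search suggests this is related to the key change modes used by the MPPE protocol:
Quote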
Stateless Mode Key Changes
Stateful Mode Key Changes
And man pppd shows that stateless mode is the default:
Quote
nomppe-stateful
Disable MPPE stateful mode. This is the default.
III. Solution
That being the case, simply use stateful mode:
Quote
mppe-stateful
Allow MPPE to use stateful mode. Stateless mode is still attempted first.
The default is to disallow stateful mode.
The modified configuration file is:
Quote
[root@qktest ~]# cat /etc/ppp/peers/vpn
# written by pptpsetup
pty "pptp 124.248.205.115 --nolaunchpppd"
lock
noauth
debug
nobsdcomp
nodeflate
name test
remotename vpn
ipparam vpn
require-mppe-128
mppe-stateful
defaultroute
Running pon vpn connects successfully; the log shows:
Quote
Jul 9 03:38:11 qktest pppd[17436]: CHAP authentication succeeded
Jul 9 03:38:11 qktest pppd[17436]: MPPE 128-bit stateful compression enabled
Jul 9 03:38:11 qktest pppd[17436]: local IP address 10.230.0.95
Jul 9 03:38:11 qktest pppd[17436]: remote IP address 10.230.0.254
Problem solved.
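The diagnosis above can be automated. The following is an added example, not part of the original post: it groups pppd syslog messages by PID and checks a peers file for the mppe-stateful option. The function names and sample inputs are constructed for illustration, and it assumes that when both mppe-stateful and nomppe-stateful appear, the one listed last takes effect.

```python
import re

# Constructed sample in the syslog format shown in this post.
SAMPLE_LOG = """\
Jul 9 02:55:35 qktest pppd[17038]: CHAP authentication succeeded
Jul 9 02:55:35 qktest pppd[17038]: Refusing MPPE stateful mode offered by peer
Jul 9 02:55:35 qktest pppd[17038]: MPPE required but peer negotiation failed
Jul 9 03:38:11 qktest pppd[17436]: CHAP authentication succeeded
Jul 9 03:38:11 qktest pppd[17436]: MPPE 128-bit stateful compression enabled
"""
# Constructed peers file without the fix (option names from man pppd).
PEERS_BEFORE = "require-mppe-128\nnobsdcomp\nnodeflate\n"

LINE = re.compile(r"pppd\[(\d+)\]: (.*)$")
ENABLED = re.compile(r"MPPE (\d+)-bit (stateful|stateless) compression enabled")

def sessions(log_text):
    """Group pppd messages by PID (one pppd process per connection attempt)."""
    out = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out

def stateful_allowed(peers_text):
    """True if the peers file allows stateful MPPE.
    Assumption: when both options appear, the last one listed wins."""
    allowed = False  # man pppd: stateful mode is disallowed by default
    for raw in peers_text.splitlines():
        word = raw.split("#", 1)[0].strip()  # drop trailing comments
        if word in ("mppe-stateful", "nomppe-stateful"):
            allowed = word == "mppe-stateful"
    return allowed

def diagnose(msgs, peers_text):
    """Classify one connection attempt from its pppd messages."""
    text = "\n".join(msgs)
    if "Refusing MPPE stateful mode offered by peer" in text:
        if stateful_allowed(peers_text):
            return "stateful-refused-despite-option"
        return "peer-wants-stateful: add mppe-stateful"
    m = ENABLED.search(text)
    if m:
        return f"ok: {m.group(1)}-bit {m.group(2)}"
    if "MPPE required but peer negotiation failed" in text:
        return "mppe-failed-other"
    return "no-mppe-result"

def report(log_text, peers_text):
    return {pid: diagnose(m, peers_text) for pid, m in sessions(log_text).items()}
```

Calling report(SAMPLE_LOG, PEERS_BEFORE) flags the first attempt as needing mppe-stateful and the second as a working 128-bit stateful session.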