PPTP VPN Not Working - Peer failed CHAP authentication, PTY read or GRE write failed
- by armani
Brand-new install of CentOS 6.3. Followed this guide: http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm
And I got PPTPd running [v1.3.4]. I got the VPN to authenticate users against our Active Directory using winbind, smb, etc. All my tests to see if I'm still authenticated to the AD server pass ["kinit -V [email protected]", "smbclient", "wbinfo -t"].
VPN users were able to connect for like . . . an hour. I tried connecting from my Android phone using domain credentials and saw that I got an IP allocated for internal VPN users [which I've since changed the range, but even setting it back to the initial doesn't work]. Ever since then, no matter what settings I try, I pretty much consistently get this in my /var/log/messages [and the VPN client fails]:
[root@vpn2 ~]# tail /var/log/messages
Aug 31 15:57:22 vpn2 pppd[18386]: pppd 2.4.5 started by root, uid 0
Aug 31 15:57:22 vpn2 pppd[18386]: Using interface ppp0
Aug 31 15:57:22 vpn2 pppd[18386]: Connect: ppp0 <--> /dev/pts/1
Aug 31 15:57:22 vpn2 pptpd[18385]: GRE: Bad checksum from pppd.
Aug 31 15:57:24 vpn2 pppd[18386]: Peer armaniadm failed CHAP authentication
Aug 31 15:57:24 vpn2 pppd[18386]: Connection terminated.
Aug 31 15:57:24 vpn2 pppd[18386]: Exit.
Aug 31 15:57:24 vpn2 pptpd[18385]: GRE: read(fd=6,buffer=8059660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Aug 31 15:57:24 vpn2 pptpd[18385]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Aug 31 15:57:24 vpn2 pptpd[18385]: CTRL: Client 208.54.86.242 control connection finished
Now before you go blaming the firewall [all other forum posts I find seem to go there], this VPN server is on our DMZ network. We're using a Juniper SSG-5 Gateway, and I've assigned a WAN IP to the VPN box itself, zoned into the DMZ zone. Then, I have full "Any IP / Any Protocol" open traffic rules between DMZ<--Untrust Zone, and DMZ<--Trust Zone. I'll limit this later to just the authenticating traffic it needs, but for now I think we can rule out the firewall blocking anything.
Here's my /etc/pptpd.conf [omitting comments]:
option /etc/ppp/options.pptpd
logwtmp
localip [EXTERNAL_IP_ADDRESS]
remoteip [ANOTHER_EXTERNAL_IP_ADDRESS, AND HAVE TRIED AN ARBITRARY GROUP LIKE 5.5.0.0-100]
Here's my /etc/ppp/options.pptpd.conf [omitting comments]:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.200.42 # This is our internal domain controller
ms-wins 192.168.200.42
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Any help is GREATLY appreciated. I can give you any more info you need to know, and it's a new test server, so I can perform any tests/reboots required to get it up and going. Thanks a ton.
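One way to read a log like the one above is to ask which daemon gave up first: in the excerpt, pppd logs "failed CHAP authentication" and exits two seconds before pptpd reports the PTY read / GRE write error, and pptpd's own message says that error is usually a consequence of pppd terminating. The script below is an added example, not code from the post or from the pptpd/pppd projects. It parses syslog lines from pppd and pptpd, splits them into sessions (assumed to start at a pppd "started by" line and end at a pptpd "control connection finished" line), and labels each session as an authentication failure or a transport failure. The first session in the embedded sample is the log from the post; the second session is constructed to show the other case, where pppd dies with an LCP timeout and no authentication verdict, and the client address 198.51.100.7 in it is a documentation-range placeholder.

```python
import re
from typing import Dict, Iterator, List

# Session 1: the /var/log/messages excerpt from the post.
# Session 2: constructed, showing a GRE/LCP transport failure with no CHAP verdict.
SAMPLE_LOG = """\
Aug 31 15:57:22 vpn2 pppd[18386]: pppd 2.4.5 started by root, uid 0
Aug 31 15:57:22 vpn2 pppd[18386]: Using interface ppp0
Aug 31 15:57:22 vpn2 pppd[18386]: Connect: ppp0 <--> /dev/pts/1
Aug 31 15:57:22 vpn2 pptpd[18385]: GRE: Bad checksum from pppd.
Aug 31 15:57:24 vpn2 pppd[18386]: Peer armaniadm failed CHAP authentication
Aug 31 15:57:24 vpn2 pppd[18386]: Connection terminated.
Aug 31 15:57:24 vpn2 pppd[18386]: Exit.
Aug 31 15:57:24 vpn2 pptpd[18385]: GRE: read(fd=6,buffer=8059660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Aug 31 15:57:24 vpn2 pptpd[18385]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Aug 31 15:57:24 vpn2 pptpd[18385]: CTRL: Client 208.54.86.242 control connection finished
Aug 31 16:02:10 vpn2 pppd[18402]: pppd 2.4.5 started by root, uid 0
Aug 31 16:02:10 vpn2 pppd[18402]: Using interface ppp0
Aug 31 16:02:10 vpn2 pppd[18402]: Connect: ppp0 <--> /dev/pts/1
Aug 31 16:02:40 vpn2 pppd[18402]: LCP: timeout sending Config-Requests
Aug 31 16:02:40 vpn2 pppd[18402]: Connection terminated.
Aug 31 16:02:40 vpn2 pppd[18402]: Exit.
Aug 31 16:02:40 vpn2 pptpd[18401]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Aug 31 16:02:40 vpn2 pptpd[18401]: CTRL: Client 198.51.100.7 control connection finished
"""

# Generic syslog line shape: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>pppd|pptpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
CHAP_FAIL_RE = re.compile(r'^Peer (?P<user>\S+) failed CHAP authentication$')
CLIENT_DONE_RE = re.compile(r'^CTRL: Client (?P<ip>\S+) control connection finished$')
PTY_GRE_RE = re.compile(r'^CTRL: PTY read or GRE write failed')


def parse_lines(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per pppd/pptpd syslog line; other lines are ignored."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def split_sessions(events: Iterator[Dict[str, str]]) -> List[List[Dict[str, str]]]:
    """Group events into sessions (assumption: pppd start opens, pptpd client-finished closes)."""
    sessions: List[List[Dict[str, str]]] = []
    current: List[Dict[str, str]] = []
    for e in events:
        if e['prog'] == 'pppd' and ' started by ' in e['msg'] and current:
            sessions.append(current)  # previous session never saw a clean close
            current = []
        current.append(e)
        if CLIENT_DONE_RE.match(e['msg']):
            sessions.append(current)
            current = []
    if current:
        sessions.append(current)
    return sessions


def triage_session(session: List[Dict[str, str]]) -> Dict[str, object]:
    """Decide whether a session died on authentication or on the GRE/PTY transport."""
    info: Dict[str, object] = {
        'client': None, 'user': None, 'chap_failed': False,
        'pty_gre_failed': False, 'bad_checksum': False, 'verdict': 'ok',
    }
    for e in session:
        msg = e['msg']
        chap = CHAP_FAIL_RE.match(msg)
        done = CLIENT_DONE_RE.match(msg)
        if chap:
            info['user'] = chap.group('user')
            info['chap_failed'] = True
        elif PTY_GRE_RE.match(msg):
            info['pty_gre_failed'] = True
        elif msg.startswith('GRE: Bad checksum'):
            info['bad_checksum'] = True
        elif done:
            info['client'] = done.group('ip')
    # pppd explicitly rejected the peer: the later PTY/GRE error is a consequence, not the cause.
    if info['chap_failed']:
        info['verdict'] = 'authentication'
    # pppd died without an auth verdict: look at the GRE path / LCP negotiation instead.
    elif info['pty_gre_failed']:
        info['verdict'] = 'transport'
    return info


def triage(text: str) -> List[Dict[str, object]]:
    """Run the triage over a whole log text and return one summary per session."""
    return [triage_session(s) for s in split_sessions(parse_lines(text))]


if __name__ == '__main__':
    for i, s in enumerate(triage(SAMPLE_LOG), 1):
        print(f"session {i}: client={s['client']} user={s['user']} verdict={s['verdict']}")
```

Run it against a real /var/log/messages with `triage(open('/var/log/messages').read())`; a run of sessions all labelled "authentication" points at the ntlm_auth/winbind side (the account, the helper command, or the MS-CHAPv2 requirement), while "transport" sessions point at GRE not reaching pppd, which is where the firewall question belongs.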