L2TP VPN Error: "MPPE required but peer negotiation failed"

Question

Level 1

24 points

L2TP VPN Error: "MPPE required but peer negotiation failed"

Clean Leopard Server install. Fairly clean Leopard client, too. Tried to setup an L2TP VPN service, and connect to it from the client machine, and I get this in the client's log:

11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.

As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I setup a PPTP VPN on the same pair of machines all is well.

I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?

regards,

Bill.

Mac OS X (10.5)

Posted on Nov 6, 2007 8:35 PM

Reply

Answer 1

Guriboy

Level 1

15 points

Nov 8, 2007 5:15 PM in response to W. McHargue

I'm having this same problem as well. I'm trying to connect from 10.5 client to 10.3.9 server...

Reply

Answer 2

Noam

Level 1

4 points

Nov 10, 2007 2:18 PM in response to W. McHargue

Same problem here, but via PPTP:

Sat Nov 10 14:14:08 2007 : PPTP connection established.
Sat Nov 10 14:14:08 2007 : Using interface ppp0
Sat Nov 10 14:14:08 2007 : Connect: ppp0 <--> socket[34:17]
Sat Nov 10 14:14:11 2007 : LCP terminated by peer (MPPE required but not available)
Sat Nov 10 14:14:11 2007 : Connection terminated.
Sat Nov 10 14:14:11 2007 : PPTP disconnecting...
Sat Nov 10 14:14:11 2007 : PPTP disconnected

Reply

Answer 3

Noam

Level 1

4 points

Nov 10, 2007 2:25 PM in response to W. McHargue

The log excerpt I posted above was from a 10.4.10 client. Here's one from a 10.5 client:

Sat Nov 10 14:21:17 2007 : PPTP connection established.
Sat Nov 10 14:21:17 2007 : using link 0
Sat Nov 10 14:21:17 2007 : Using interface ppp0
Sat Nov 10 14:21:17 2007 : Connect: ppp0 <--> socket[34:17]
Sat Nov 10 14:21:17 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xfac2d9f7> <pcomp> <accomp>]
Sat Nov 10 14:21:17 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xfac2d9f7> <pcomp> <accomp>]
Sat Nov 10 14:21:20 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xfac2d9f7> <pcomp> <accomp>]
Sat Nov 10 14:21:20 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd1dbe09d> <pcomp> <accomp>]
Sat Nov 10 14:21:20 2007 : lcp_reqci: returning CONFACK.
Sat Nov 10 14:21:20 2007 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xd1dbe09d> <pcomp> <accomp>]
Sat Nov 10 14:21:20 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xfac2d9f7> <pcomp> <accomp>]
Sat Nov 10 14:21:20 2007 : sent [LCP EchoReq id=0x0 magic=0xfac2d9f7]
Sat Nov 10 14:21:21 2007 : rcvd [CHAP Challenge id=0xf9 <5d9afe09cb408337b32ea83cc0efa39d>, name = "server address"]
Sat Nov 10 14:21:21 2007 : sent [CHAP Response id=0xf9 <d1f28b1e24b1202e4579d56216cf418f00000000000000002c862b990f218657281399f9638a5e f50b36ff394eeeb68c00>, name = "name"]
Sat Nov 10 14:21:21 2007 : rcvd [LCP EchoRep id=0x0 magic=0xd1dbe09d]
Sat Nov 10 14:21:21 2007 : rcvd [CHAP Success id=0xf9 "S=1247DA51914932A4510EE99CF2CA17362DDA0AB4 M=Access granted"]
Sat Nov 10 14:21:21 2007 : sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Sat Nov 10 14:21:24 2007 : sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Sat Nov 10 14:21:25 2007 : rcvd [LCP TermReq id=0x3 "MPPE required but not available"]
Sat Nov 10 14:21:25 2007 : LCP terminated by peer (MPPE required but not available)

Reply

Answer 4

jalb

Level 1

0 points

Nov 12, 2007 8:19 AM in response to W. McHargue

Same error here, this is the log excerpt from a 10.5 Server, the 10.4 clients can connect flawlessly but the 10.5 clients get "Could not negociate a conection with the remote PPP server".

2007-11-12 11:05:54 EST Incoming call... Address given to client = 192.168.0.183
Mon Nov 12 11:05:54 2007 : Directory Services Authentication plugin initialized
Mon Nov 12 11:05:54 2007 : Directory Services Authorization plugin initialized
Mon Nov 12 11:05:54 2007 : L2TP incoming call in progress from '74.56.208.75'...
Mon Nov 12 11:05:54 2007 : L2TP received SCCRQ
Mon Nov 12 11:05:54 2007 : L2TP sent SCCRP
Mon Nov 12 11:05:54 2007 : L2TP received SCCCN
Mon Nov 12 11:05:54 2007 : L2TP received ICRQ
Mon Nov 12 11:05:54 2007 : L2TP sent ICRP
Mon Nov 12 11:05:54 2007 : L2TP received ICCN
Mon Nov 12 11:05:54 2007 : L2TP connection established.
Mon Nov 12 11:05:54 2007 : using link 1
Mon Nov 12 11:05:54 2007 : Using interface ppp1
Mon Nov 12 11:05:54 2007 : Connect: ppp1 <--> socket[34:18]
Mon Nov 12 11:05:54 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1351a441> <pcomp> <accomp>]
Mon Nov 12 11:05:54 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb1bff63f> <pcomp> <accomp>]
Mon Nov 12 11:05:54 2007 : lcp_reqci: returning CONFACK.
Mon Nov 12 11:05:54 2007 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xb1bff63f> <pcomp> <accomp>]
Mon Nov 12 11:05:54 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1351a441> <pcomp> <accomp>]
Mon Nov 12 11:05:54 2007 : sent [LCP EchoReq id=0x0 magic=0x1351a441]
Mon Nov 12 11:05:54 2007 : sent [CHAP Challenge id=0x39 <7dc5e7b04fe03be6bb998ac58c0d5347>, name = "matix.private"]
Mon Nov 12 11:05:54 2007 : rcvd [LCP EchoReq id=0x0 magic=0xb1bff63f]
Mon Nov 12 11:05:54 2007 : sent [LCP EchoRep id=0x0 magic=0x1351a441]
Mon Nov 12 11:05:54 2007 : rcvd [LCP EchoRep id=0x0 magic=0xb1bff63f]
Mon Nov 12 11:05:54 2007 : rcvd [CHAP Response id=0x39 <a41ff886f553abc7e312a7fe50548fd00000000000000000d6a1d20794d48ab9afe33cb3460f0f 43c9e806066848f19d00>, name = "jalb"]
Mon Nov 12 11:05:54 2007 : sent [CHAP Success id=0x39 "S=271F84561DD67FE6962A3787F16F2587F174FDC1 M=Access granted"]
Mon Nov 12 11:05:54 2007 : CHAP peer authentication succeeded for jalb
Mon Nov 12 11:05:54 2007 : DSAccessControl plugin: User 'jalb' authorized for access
Mon Nov 12 11:05:54 2007 : sent [IPCP ConfReq id=0x1 <addr 192.168.0.110>]
Mon Nov 12 11:05:54 2007 : sent [ACSCP] 01 01 00 04
Mon Nov 12 11:05:54 2007 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Mon Nov 12 11:05:54 2007 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Mon Nov 12 11:05:54 2007 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
Mon Nov 12 11:05:54 2007 : rcvd [IPCP TermAck id=0x1]
Mon Nov 12 11:05:54 2007 : rcvd [ACSCP] 06 01 00 04
Mon Nov 12 11:05:54 2007 : rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Mon Nov 12 11:05:54 2007 : LCP terminated by peer (MPPE required but peer negotiation failed)
Mon Nov 12 11:05:54 2007 : sent [LCP TermAck id=0x2]
Mon Nov 12 11:05:54 2007 : L2TP received CDN
Mon Nov 12 11:05:54 2007 : Connection terminated.
Mon Nov 12 11:05:54 2007 : Connect time 0.0 minutes.
Mon Nov 12 11:05:54 2007 : Sent 0 bytes, received 0 bytes.
Mon Nov 12 11:05:54 2007 : L2TP disconnecting...
Mon Nov 12 11:05:54 2007 : L2TP sent CDN
Mon Nov 12 11:05:54 2007 : L2TP sent StopCCN
Mon Nov 12 11:05:54 2007 : L2TP disconnected
2007-11-12 11:05:54 EST --> Client with address = 192.168.0.183 has hungup
Mon Nov 12 11:10:19 2007 : rcvd [LCP TermReq id=0x2 "Peer not responding"]
Mon Nov 12 11:10:19 2007 : LCP terminated by peer (Peer not responding)
Mon Nov 12 11:10:19 2007 : ipcp: down
Mon Nov 12 11:10:19 2007 : sent [LCP TermAck id=0x2]
Mon Nov 12 11:10:22 2007 : rcvd [LCP TermReq id=0x3 "Peer not responding"]
Mon Nov 12 11:10:22 2007 : sent [LCP TermAck id=0x3]
Mon Nov 12 11:10:22 2007 : Connection terminated.
Mon Nov 12 11:10:22 2007 : Connect time 9.4 minutes.
Mon Nov 12 11:10:22 2007 : Sent 13988109 bytes, received 169539 bytes.
Mon Nov 12 11:10:22 2007 : L2TP disconnecting...
Mon Nov 12 11:10:22 2007 : L2TP disconnected
2007-11-12 11:10:22 EST --> Client with address = 192.168.0.181 has hungup

Reply

Answer 5

Komakino

Level 1

5 points

Nov 26, 2007 8:53 PM in response to W. McHargue

Same problem here, Mac OS X 10.5.1 attempting to connect to Mac OS X 10.4.11 Server using L2TP over IPSec. Mac OS X 10.4.x clients continue to connect normally. Here is the client log:

Nov 26 20:21:01 pppd[27503]: L2TP connecting to server '<hostname of server>' (<IP Address of server>)...
Nov 26 20:21:04 pppd[27503]: IPSec connection started
Nov 26 20:21:05 MBP pppd[27503]: IPSec connection established
Nov 26 20:21:07 MBP pppd[27503]: L2TP connection established.
Nov 26 20:21:07 MBP pppd[27503]: Connect: ppp0 <--> socket[34:18]
Nov 26 20:21:07 MBP pppd[27503]: MPPE required, but kernel has no support.
Nov 26 20:21:08 MBP pppd[27503]: Connection terminated.
Nov 26 20:21:08 MBP pppd[27503]: L2TP disconnecting...

Reply

Answer 6

aanon4

Level 1

18 points

Nov 26, 2007 10:56 PM in response to jalb

While I've not tried L2TP, I have managed to fix the MPPE problems I had with PPTP using the various steps discussed in this thread:

http://discussions.apple.com/thread.jspa?threadID=1229769

Hope that helps.

Reply

Answer 7

mriedel

Level 1

0 points

Dec 2, 2007 2:53 PM in response to W. McHargue

I have the exact same problem. Hopefully Apple will fix this soon. I'm trying to connect to a Linux Box with OpenSwan and L2tpd.

My Logs:

Leopard:
Dec 2 14:43:44 MRiedel-PB-G4 pppd[18603]: L2TP connecting to server XXXXXXXX...
Dec 2 14:43:47 MRiedel-PB-G4 pppd[18603]: IPSec connection started
Dec 2 14:43:48 MRiedel-PB-G4 pppd[18603]: IPSec connection established
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: L2TP connection established.
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: Connect: ppp0 <--> socket[34:18]
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: MPPE required but peer negotiation failed
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: Connection terminated.
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnecting...
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnected

And on the Linux Box:
Dec 2 23:43:47 bt-server pluto[2941]: "L2TP-PSK"[9] 63.231.xxx.xxx #16: STATE QUICKR2: IPsec SA established {ESP=>0x09c22235 <0x8522bdef xfrm=AES 128-HMACSHA1 NATD=63.231.52.188:4500 DPD=none}
Dec 2 23:43:49 bt-server l2tpd[6376]: control_finish: Peer requested tunnel 8 twice, ignoring second one.
Dec 2 23:43:49 bt-server l2tpd[6376]: Connection established to 63.231.xxx.xxx, 56177. Local: 51805, Remote: 8. LNS session is 'default'
Dec 2 23:43:49 bt-server l2tpd[6376]: Call established with 63.231.xxx.xxx, Local: 56732, Remote: 18603, Serial: 1
Dec 2 23:43:49 bt-server pppd[7541]: pppd 2.4.3 started by root, uid 0
Dec 2 23:43:49 bt-server pppd[7541]: using channel 2105
Dec 2 23:43:49 bt-server pppd[7541]: Using interface ppp2
Dec 2 23:43:49 bt-server pppd[7541]: Connect: ppp2 <--> /dev/pts/4
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP EchoReq id=0x0 magic=0x6d3895f7]
Dec 2 23:43:49 bt-server pppd[7541]: sent [CHAP Challenge id=0x12 <4885f2c708e0dbd85a3cf7cf60ed6b24>, name = "IPsecVPN"]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoReq id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP EchoRep id=0x0 magic=0x6d3895f7]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoRep id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CHAP Response id=0x12 <c574d7703411572a98de35e99f3d81ad00000000000000000b4906c55495f2727310659600c5c1 405145b06079ad9fbe00>, name = "xxx"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=2C78FC23BCE0D753988BB8A6AA9EB3EB22326318 M=Access granted"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.184.2>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP TermAck id=0x2]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: Discarded non-LCP packet when LCP not open
Dec 2 23:43:50 bt-server l2tpd[6376]: control_finish: Connection closed to 63.231.xxx.xxx, serial 1 ()
Dec 2 23:43:50 bt-server pppd[7541]: Terminating on signal 15
Dec 2 23:43:50 bt-server pppd[7541]: Modem hangup
Dec 2 23:43:50 bt-server pppd[7541]: Connection terminated.
Dec 2 23:43:50 bt-server pppd[7541]: Connect time 0.1 minutes.
Dec 2 23:43:50 bt-server pppd[7541]: Sent 41 bytes, received 10 bytes.
Dec 2 23:43:50 bt-server pppd[7541]: Exit.

Even if I force MPPE on the linux side, I get the same error. Please fix!

Regards

Reply

Answer 8

Dec 2, 2007 11:12 PM in response to mriedel

I don't know if this will help:

http://www.jacco2.dds.nl/networking/openswan-macosx.html

If the VPN server is behind NAT I don't know if you can get it working, you do seem to have some stuff "established"

Reply

Answer 9

mriedel

Level 1

0 points

Dec 2, 2007 11:56 PM in response to Leif Carlsson

Thanks for the URL! I did use this website a lot while setting up the server last year. I didn't have any problems with Tiger, so I don't think that my Linux Server is the problem. And to cite:

+Oct 30, 2007: First tests with Mac OS X 10.5 (Leopard) are inconclusive: some users report success, others had problems.+

Apparently I am one of those having problems... The problem can be described pretty straightforward. Ipsec connection gets established fine. L2tpd envokes pppd fine. Authentication succeeds. But no matter what encryption or compression the server proposes (tried some..), Leopard always replies with the same error...

Martin

Reply

Answer 10

Dec 10, 2007 10:33 AM in response to W. McHargue

i'm having the same problem, pptp works fine, l2tp is broken terribly.

my vpn hardware is an astaro security gateway v7.100

Message was edited by: nickatbarbarian

Reply

Answer 11

akutz

Level 1

0 points

Dec 10, 2007 3:48 PM in response to nickatbarbarian

I have performed thorough testing on this issue. The issue is that the L2TP VPN client connection does NOT load the MPPE module. The PPTP VPN client connection WILL load the module. I wrote an extensive blog on the matter and how to fix the problem at http://www.lostcreations.com/blog/20071209-9.

Hope this helps!

Reply

Answer 12

mriedel

Level 1

0 points

Dec 20, 2007 12:39 AM in response to akutz

Hm establishing a successful PPTP connection first, does NOT solve the problem for me. Could you please post how you configured the ppp connection on the server side...

Thanks...

Reply

Answer 13

mriedel

Level 1

0 points

Dec 20, 2007 1:15 AM in response to akutz

Oh, the last security update fixed my issue! Thank you, Apple!

Reply

Answer 14

Dec 20, 2007 7:51 AM in response to W. McHargue

So i followed the different steps in the discussions but still VPN no longer work through the network.

Can make a VPN connection (as welle PPTP as L2TP) form:
10.4.11 client -> 10.4.11 server OK
10.4.11 client -> 10.5.1 server NO
10.5.1 client -> 10.4.11 server NO
10.5.1 client -> 10.4.11 server OK on local network with no router
10.5.1 client -> 10.5.1 server NO

this is the log I have on the 10.5.1 server

Thu Dec 20 16:29:33 2007 : CHAP peer authentication succeeded for TestUser
Thu Dec 20 16:29:33 2007 : DSAccessControl plugin: User 'TestUser' authorized for access
Thu Dec 20 16:29:33 2007 : MPPE required, but keys are not available. Possible plugin problem?
Thu Dec 20 16:29:33 2007 : sent [LCP TermReq id=0x2 "MPPE required but not available"]

Reply

Answer 15

SpaceBass

Level 2

420 points

Dec 26, 2007 6:23 PM in response to W. McHargue

Just adding to the list of frustrated people...
I cannot say that my MPPE error coincided with any updates (perhaps it did) but I've spent a VERY frustrating 2 days fighting this thing.

I have two 10.5.1 clients with my, trying to connected to a 10.4 OS X Server l2tp endpoint.

One works perfectly (my wife's, predictably), mine has connected a few times, but 95% of the time it fails with the MPPE error. Its clearly a client thing as the VPNd logs show that the client is requesting it.

I would think there has to be a way to disable the requirement.

What I cannot understand is why two identical macbooks have different results

Reply

Shop

Quick Links

Shop Special Stores

Explore Mac

Shop Mac

More from Mac

Explore iPad

Shop iPad

More from iPad

Explore iPhone

Shop iPhone

More from iPhone

Explore Watch

Shop Watch

More from Watch

Explore Vision

Shop Vision

More from Vision

Explore AirPods

Shop AirPods

More from AirPods

Explore TV & Home

Shop TV & Home

More from TV & Home

Explore Entertainment

Support

Shop Accessories

Explore Accessories

Explore Support

Get Help

Helpful Topics

Quick Links

L2TP VPN Error: "MPPE required but peer negotiation failed"