PPTP "MPPE required, but keys are not available"

Question

Level 1

0 points

PPTP "MPPE required, but keys are not available"

Dear all

Since last reboot of my server I got following errormessage in VPN Logfile when user tries to connect to the server trough PPTP:

MPPE required, but keys are not available. Possible plugin problem?

Anyone have an idea, what could be wrong ?

May as another information: After restart of the server I had problem, that VPN Server was not started, because the L2TP definitions where not correct... Logfile told me. So I have redefined the PPTP and L2TP setting, but disabled the L2TP login, because I have definied this "only" for test purposes. All definitions where made with Server Administrator.

Before restart of Server Login trough PPTP was working quite well... 😟

I forgott to say, that the Server (Leopard 10.5.1) is an OD Master, which is working quite well (until now). The authentication type for PPTP is set to MS-CHAP (Kerberos is grayed out, I don't know why)

Cheers Daniel

Message was edited by: Daniel Lang

MacPro, Mac OS X (10.5)

Posted on Dec 11, 2007 5:03 AM

Reply

Answer 1

Daniel Lang Author

Level 1

0 points

Dec 11, 2007 5:40 PM in response to Daniel Lang

Here I have now some logfiles from vpnd... may this helps to see the problem I have overseen:

Wed Dec 12 02:21:21 2007 : Directory Services Authentication plugin initialized
Wed Dec 12 02:21:21 2007 : Directory Services Authorization plugin initialized
Wed Dec 12 02:21:21 2007 : PPTP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Dec 12 02:21:21 2007 : PPTP connection established.
Wed Dec 12 02:21:21 2007 : using link 0
Wed Dec 12 02:21:21 2007 : Using interface ppp0
Wed Dec 12 02:21:21 2007 : Connect: ppp0 <--> socket[34:17]
Wed Dec 12 02:21:21 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp> <callback CBCP>]
Wed Dec 12 02:21:21 2007 : lcp_reqci: rcvd unknown option 13
Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFREJ.
Wed Dec 12 02:21:21 2007 : sent [LCP ConfRej id=0x0 <callback CBCP>]
Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFACK.
Wed Dec 12 02:21:21 2007 : sent [LCP ConfAck id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : sent [LCP EchoReq id=0x0 magic=0x5045e9f1]
Wed Dec 12 02:21:24 2007 : sent [CHAP Challenge id=0x82 <ea8c6372a227309685ab6c0a36d64aec>, name = "server.anywhere.com"]
Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x2 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x2 0c 02 00 12 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x3 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x3 0c 03 00 15 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
Wed Dec 12 02:21:24 2007 : rcvd [LCP EchoRep id=0x0 magic=0xfb9005f]
Wed Dec 12 02:21:24 2007 : rcvd [CHAP Response id=0x82 <41....0>, name = "testuser"]
Wed Dec 12 02:21:24 2007 : DSAuth plugin: Could not retrieve key agent account information.
Wed Dec 12 02:21:24 2007 : sent [CHAP Success id=0x82 "S=4020C83B....A M=Access granted"]
Wed Dec 12 02:21:24 2007 : CHAP peer authentication succeeded for testuser
Wed Dec 12 02:21:24 2007 : DSAccessControl plugin: User 'testuser' authorized for access
Wed Dec 12 02:21:24 2007 : MPPE required, but keys are not available. Possible plugin problem?
Wed Dec 12 02:21:24 2007 : sent [LCP TermReq id=0x4 "MPPE required but not available"]
Wed Dec 12 02:21:24 2007 : rcvd [CCP ConfReq id=0x4 <mppe +H +M +S +L -D +C>]
Wed Dec 12 02:21:24 2007 : rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins1 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins3 0.0.0.0>]
Wed Dec 12 02:21:24 2007 : rcvd [LCP TermAck id=0x4 "MPPE required but not available"]
Wed Dec 12 02:21:24 2007 : Connection terminated.
Wed Dec 12 02:21:24 2007 : Connect time 0.1 minutes.
Wed Dec 12 02:21:24 2007 : Sent 0 bytes, received 0 bytes.
Wed Dec 12 02:21:25 2007 : PPTP disconnecting...
Wed Dec 12 02:21:25 2007 : PPTP disconnected
2007-12-12 02:21:25 CET --> Client with address = 192.168.yyy.yyy has hungup

Reply

Answer 2

Daniel Lang Author

Level 1

0 points

Dec 11, 2007 7:03 PM in response to Daniel Lang

ok folks... seems to be up and running again (until now ... 😉 )

first tried to fix vpn access user with following command

mkpassdb -setkeyagent xxxxx (where xxxxx is the UID of the existing vpn_yyyyyy user)

but no go... still not working.

so I added new vpn keyagent user with following command

vpnaddkeyagentuser /LDAPv3/127.0.0.1

and YEAH!! here the music plays again. the command added a second vpn_yyyyyyy user to the OD, which is working again well.

Now I had to get rid of the old corrupted vpn_yyyyyyy user in the OD with User Admin and all are happy again...

Why the **** the old vpn_yyyy user has lost this rights.... only apple knows (I hope so)! And I hope the folks in cupertino will give that big cat more stability in 10.5.2

However... thanks anyway and cheers for now
Daniel

null

Message was edited by: Daniel Lang

Reply

Answer 3

Jan 7, 2008 4:00 PM in response to Daniel Lang

Upgraded to 10.5.1 Server from 10.4.11. Had the same errors generated with attempted VPN access.

This solution worked for me as well (vpnaddkeyagentuser /LDAPv3/127.0.0.1)

I have not deleted the original VPN MPEE Key Agent User using Workgroup Manager. VPN access is now available, however.

Reply

Answer 4

Feb 7, 2008 7:13 AM in response to Daniel Lang

Had the same MPPE problem with some of the 10.5 clients when connectiong over l2tp, windows clients are not affected.

i changed the MPPE settings in the following plist.
/Library/Preferences/SystemConfiguration/preferences.plist

disabled these siblings (changing 1 to 0):
CCPMPPE128Enabled
CCPMPPE40Enabled

Reply

Answer 5

Feb 12, 2008 5:28 AM in response to Daniel Lang

Daniel Lang wrote:
so I added new vpn keyagent user with following command

vpnaddkeyagentuser /LDAPv3/127.0.0.1

and YEAH!! here the music plays again. the command added a second vpn_yyyyyyy user to the OD, which is working again well.

For the benefit of everyone

*vpnaddkeyagentuser /LDAPv3/127.0.0.1*

is only correct if your VPN server is also your OD master. If like me you use different servers to run your VPN and OD master then you need to substitute the IP address of your OD master server, e.g.

*vpnaddkeyagentuser /LDAPv3/192.168.123.11*

Note: this command should be run on the VPN server not the OD master.

I currently (thanks to this command) have a Mac OS X 10.4.11 VPN server connected to a Mac OS X 10.5.1 OD master, and both L2TP and PPTP are working fine.

Reply

Answer 6

Feb 13, 2008 6:49 AM in response to Daniel Lang

Daniel a BIG thanx!

tried your initial suggestion of "mkpassdb -setkeyagent xxxxx", however it gave me an error about 'not found', or similar.

then tried "vpnaddkeyagentuser /LDAPv3/127.0.0.1" and BINGO!

My PPTP VPN is back up and running thanx to you!

Reply

Answer 7

Feb 25, 2008 4:34 PM in response to John Lockwood

This worked for me to get PPTP going, but I still can't get L2TP going...

Reply

Answer 8

Mar 21, 2008 10:58 AM in response to Jean-Paul Scholten

Fwiw, I got the same results by changing this setting in Networking Preferences.

* Open System Preferences.
* Select "Network"
* Select your VPN network connection.
* Set the "Encryption" setting to "None".

Changing the setting above fixed my VPN connection problem.

hth.

Reply

Answer 9

Unifex

Level 1

0 points

May 17, 2008 7:33 AM in response to Jeff Ramnani

If you do this, doesn't it defeat the purpose of having a VPN in the first place?

Reply