I have a Cisco 2801 Router with the SEC/K9 modules loaded.
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
System image file is "flash:c2801-advsecurityk9
I am trying to run a PPTP VPN authenticated through Windows 2000 IAS RADIUS.
The client end is a Windows XP connecting using the standard windows DUN PPTP VPN.
Everything works flawlessly until I attempt to use encryption. Users can authenticate, connect, use network resources, etc. etc.
The working configuration on the Cisco is:
interface virtual-template 1 ppp encrypt mppe auto
The following also work:
interface virtual-template 1 ppp encrypt mppe 40
interface virtual-template 1 ppp encrypt mppe 128
I am using ms-chap / ms-chap-v2:
interface virtual-template 1 ppp authentication ms-chap ms-chap-v2
Everything works, but encryption is not...
When I tell the Windows client to require the use of encryption, some very odd things happen... The first time I try to connect, I will get an error 742: "The remote computer does not support the required encryption type." Oddly, if I try to connect within a few seconds of receiving the error, the connection then goes through, and everything again works as expected. Even looking at the "Status" of the connection shows MPPE 128-bit encryption. BUT THE LINK IS NOT ACTUALLY ENCRYPTED!!! Packet captures on the wire show all the data going clear through in non-encrypted GRE packets.
I see the following lines in the debug log of the Cisco that may be relevant:
026544: *Jun 23 04:31:33.973 UTC: RADIUS: MS-CHAP-MPPE-Keys  34 *
026548: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Policy  6
026549: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 02 [????]
026551: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Type  6
026552: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 0C [????]
026643: *Jun 23 04:31:34.057 UTC: Vi4 MPPE: RADIUS keying material missing
If I force the router to do the encryption, with:
interface virtual-template 1 ppp encrypt mppe auto required
Then the link will drop just after the connection is made, every time.
I see the following relevant line in the debug logs of the Cisco:
028180: *Jun 23 04:43:33.905 UTC: RADIUS: MS-CHAP-MPPE-Keys  34 *
028184: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Policy  6
028185: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 02 [????]
028187: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Type  6
028188: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 0C [????]
028279: *Jun 23 04:43:33.973 UTC: Vi4 MPPE: RADIUS keying material missing
028297: *Jun 23 04:43:34.009 UTC: Vi4 MPPE: Required encryption not negotiated
I am convinced this is not a general RADIUS / connection / authentication, etc. problem, because everything works fine when not using mppe.
I thought perhaps it might be this problem: CSCdv50861—MPPE does not negotiate with Windows 2000.
But that problem was supposedly fixed in IOS release 12.3, which I am running.
I remember reading somewhere that MPPE 128 bit encryption does not work with hardware VPN boards, but I'm not sure if it was true, and regardless, my setup doesn't even seem to work with 40 bit mppe.
I've spent a good deal of time poring over the following pages, as they claim to have working solutions, but I still have no luck.
I have spent the last 3 days trying to find a solution, and I'm at my wit's end...
The 100 points will be awarded to those who tell me it's not possible, either because of an IOS bug, hardware incompatibility, etc., or it just plain can't be done.
But I will increase the points to 500, and award them accordingly if anyone can help me to a working solution. Thanks in advance!
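The debug lines in the question show the three Microsoft vendor-specific RADIUS attributes that decide MPPE on the NAS: MS-CHAP-MPPE-Keys (34 octets), MS-MPPE-Enc-Policy (00 00 00 02) and MS-MPPE-Enc-Type (00 00 00 0C), followed by "RADIUS keying material missing". The example below is added here and is not code from the question or from Cisco; it decodes those attributes from a RADIUS attribute list as RFC 2548 defines them (Microsoft vendor id 311; MS-MPPE-Encryption-Policy 2 = Encryption-Required; Encryption-Types bits 0x02 = RC4-40 and 0x04 = RC4-128, with 0x08 = RC4-56 taken from Microsoft's later documentation), implements the RFC 2548 salted key encryption so it can recover MS-MPPE-Send-Key/Recv-Key, and reports whether an Access-Accept actually carries the MS-CHAPv2 keying material (Send-Key and Recv-Key) or only the MS-CHAPv1 MS-CHAP-MPPE-Keys blob. The shared secret, the Access-Request authenticator, the sample keys and both sample Access-Accept attribute lists are constructed for the demonstration; the first list has the shape of the debug output above (v1 keys only, policy Required, types 0x0C), the second is what a v2 session needs.

```python
"""Decode the Microsoft MPPE RADIUS attributes seen in Cisco 'debug radius' output (RFC 2548)."""
import hashlib
import struct

MS_VENDOR_ID = 311          # Microsoft SMI vendor id (RFC 2548)
VENDOR_SPECIFIC = 26        # RADIUS attribute type that carries vendor-specific attributes
# Microsoft vendor-type codes from RFC 2548
MS_CHAP_MPPE_KEYS = 12      # MS-CHAP v1 keys: the "MS-CHAP-MPPE-Keys 34" line (2-byte header + 32 octets)
MS_MPPE_ENC_POLICY = 7      # "MS-MPPE-Enc-Policy"
MS_MPPE_ENC_TYPES = 8       # "MS-MPPE-Enc-Type"
MS_MPPE_SEND_KEY = 16       # MS-CHAP v2 send key
MS_MPPE_RECV_KEY = 17       # MS-CHAP v2 receive key

POLICY_NAMES = {1: "Encryption-Allowed", 2: "Encryption-Required"}
# 0x02 and 0x04 are RFC 2548; 0x08 (56-bit) is Microsoft's extension (assumption: taken from MS docs)
TYPE_BITS = {0x02: "RC4-40", 0x04: "RC4-128", 0x08: "RC4-56"}


def ms_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Microsoft sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), MS_VENDOR_ID) + sub


def parse_ms_vsas(attrs):
    """Walk a RADIUS attribute list; return {vendor_type: [raw values]} for Microsoft VSAs only."""
    found = {}
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != MS_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("malformed Microsoft sub-attribute")
            found.setdefault(vtype, []).append(body[j + 2:j + vlen])
            j += vlen
    return found


def mppe_key_encrypt(key, secret, authenticator, salt):
    """RFC 2548 2.4.2: P = len || key || zero pad; c(1) = p(1) ^ MD5(S+R+A), c(i) = p(i) ^ MD5(S+c(i-1))."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    cipher = b""
    prev = authenticator + salt
    for off in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[off:off + 16], mask))
        cipher += block
        prev = block
    return salt + cipher


def mppe_key_decrypt(value, secret, authenticator):
    """Inverse of mppe_key_encrypt; strips the length byte and padding. Salt MSB must be set."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("bad MS-MPPE key encoding")
    plain = b""
    prev = authenticator + salt
    for off in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = cipher[off:off + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain[1:1 + plain[0]]


def check_mppe(attrs, secret, authenticator):
    """Summarise what an Access-Accept tells the NAS about MPPE and whether v2 keying material is present."""
    ms = parse_ms_vsas(attrs)
    report = {"policy": None, "types": [], "has_v1_keys": MS_CHAP_MPPE_KEYS in ms,
              "keying_material_missing": True, "send_key": None, "recv_key": None}
    if MS_MPPE_ENC_POLICY in ms:
        code = struct.unpack("!I", ms[MS_MPPE_ENC_POLICY][0])[0]
        report["policy"] = POLICY_NAMES.get(code, "unknown(%d)" % code)
    if MS_MPPE_ENC_TYPES in ms:
        bits = struct.unpack("!I", ms[MS_MPPE_ENC_TYPES][0])[0]
        report["types"] = [name for bit, name in sorted(TYPE_BITS.items()) if bits & bit]
    if MS_MPPE_SEND_KEY in ms and MS_MPPE_RECV_KEY in ms:
        report["send_key"] = mppe_key_decrypt(ms[MS_MPPE_SEND_KEY][0], secret, authenticator)
        report["recv_key"] = mppe_key_decrypt(ms[MS_MPPE_RECV_KEY][0], secret, authenticator)
        report["keying_material_missing"] = False
    return report


# Constructed sample values (not from the question): shared secret, Access-Request authenticator, keys.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SEND_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
RECV_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")

COMMON = (ms_vsa(MS_MPPE_ENC_POLICY, struct.pack("!I", 2))        # 00 00 00 02 = Encryption-Required
          + ms_vsa(MS_MPPE_ENC_TYPES, struct.pack("!I", 0x0C)))   # 00 00 00 0C = RC4-128 | RC4-56
# Shape of the debug output in the question: a 32-octet MS-CHAP-MPPE-Keys value and no Send/Recv keys.
ACCEPT_V1_ONLY = ms_vsa(MS_CHAP_MPPE_KEYS, bytes(32)) + COMMON
# What an MS-CHAP v2 session needs: MS-MPPE-Send-Key and MS-MPPE-Recv-Key (salt MSB set per RFC 2548).
ACCEPT_V2 = (COMMON
             + ms_vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(SEND_KEY, SECRET, AUTHENTICATOR, b"\x80\x01"))
             + ms_vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(RECV_KEY, SECRET, AUTHENTICATOR, b"\x80\x02")))

if __name__ == "__main__":
    for label, pkt in (("v1-keys-only", ACCEPT_V1_ONLY), ("v2-send-recv", ACCEPT_V2)):
        print(label, check_mppe(pkt, SECRET, AUTHENTICATOR))
```

Run against the first sample, `check_mppe` reports policy Encryption-Required, types RC4-128 and RC4-56, and `keying_material_missing` set, because the only key attribute present is the MS-CHAPv1 MS-CHAP-MPPE-Keys blob; the second sample decrypts both v2 keys and clears the flag. Feeding the function a capture of the real Access-Accept (with the router's shared secret and the matching Access-Request authenticator) is a quick way to see which of the two cases a RADIUS server is producing.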