I use m0n0wall on my network. I've been running into this issue documented
My question is how would I go about implementing their recommendation for
extending the time-out value in m0n0wall?
Samuel D. Harris
From: Pete Klein [mailto:petek1827 at yahoo dot com]
Sent: Friday, March 16, 2007 10:38 PM
To: Holmes, Robert; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Radius & PPTP - Problem solved (for me anyway)
I finally solved my problem. It was a bad setting on
my Radius Server. Since I am using a different Radius
server than you are, this solution won't directly
solve your problem. However by understanding my
solution, it may point you in the right direction to
I am using the Multitech Radius Server. I was going
through the logs and noticed that the error messages
started to appear after all the stuff related to
setting up MPPE (Microsoft Point to Point Encryption).
I started to look at how MPPE worked and ran across
the following note in an old version of the MPD manual
When enabled, MPPE types (40, 56 or 128 bit) and MPPE
policies (whether encryption is required or optional)
are controlled by the RADIUS server.
As a result I went back to the manual for the
Multitech Radius Server and started looking for
anything related to MPPE. Nothing. Then I looked at
the readme file and found the following line under a
section marked "About "users" file:"
MPPE (Microsoft Point to Point Encryption) can be
enabled by adding a line
Vendor-Specific = MPPE_ALLOWED
to the user file (no explanation of course).
Bingo, suddenly everything works.
Here is a link to my log after I did this:
For those who want to use the Multitech Radius Server
with Monowall's PPTP you need to edit each username in
the "user" file to look something like the following
(make sure you stop and then restart the Server after
you edit the file):
Username Auth-Type = Local, Password = "password"
Vendor-Specific = MPPE_ALLOWED
Needless to say I think you need to look at your
Radius Server settings specifically as they relate to
MPPE. It appears that there is nothing wrong with
Hope this helps. Please post if you get your system
--- "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
> I have tried both 40bit and 128bit and it doesn't
> seem to matter. The
> m0n0wall supports 128-bit just fine with local
> users, so it's something
> funky with Radius that makes it have this issue.
> You may be right that
> m0n0wall is creating a rule in the background we are
> not aware of. I
> have a firewall rule that allows PPTP users to go
> anywhere, which also
> works great with local users. I've dumbed down the
> client on XP to use
> PAP and no encryption, but it doesn't seem to help.
> Lee, I am not using Captive Portal. When I tried it
> with pfSense too, I
> made a very vanilla configuration and it didn't work
> there either.
> Now, for what it's worth, at work I once had a
> Watchguard Firebox which
> is another m0n0wall/Sonicwall/Netscreen type of
> appliance. I believe it
> ran a very old version of Linux under the hood. It
> too had problems
> working with my Cisco ACS Radius server. When I
> pointed it to a
> Microsoft Radius server on Win2003, it worked fine.
> Unfortunately, I no
> longer have this Firebox to test with. However, I
> suppose I could
> attempt to point my m0n0wall at that Win2003 Radius
> server and see if it
> works. I'll try that next.
> -----Original Message-----
> From: Pete Klein [mailto:petek1827 at yahoo dot com]
> Sent: Friday, March 16, 2007 2:24 PM
> To: Holmes, Robert; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Radius & PPTP
> Hi Robert,
> I found the following old post of someone having a
> similar problem
> This post doesn't solve our problem but I notice
> that the writer had one
> type of error message (rec'd unexpected protocol...)
> when his client was
> set to 40 bit encryption and a different one when
> the client was set to
> 128 bit.
> I'm using the 98se client for testing which is only
> 40 bit. I am
> assuming since you are using XP that it is set by
> default to 128 bits,
> however could you confirm this? Also could you
> experiment with
> different settings to see if there is any change?
> I'm wondering if the
> "Require 128-bit encryption" setting is being enabled
> on monowall even if
> it is not set.
> I also found this post on the pfsense site:
> I don't think this is the same problem but they
> might be related.
> I also checked the MPD documentation
> and they say the following in their troubleshooting
> Packets won't flow.
> Make sure you have set gateway_enable="YES" in
> otherwise your FreeBSD box will not route packets.
> Alternately, invoke
> sysctl -w
> net.inet.ip.forwarding=1 for immediate effect.
> Also, check your firewall settings. Mpd will
> create new interfaces
> which may need to be incorporated into your firewall
> rules. If you're
> doing PPTP, you need to allow TCP port 1723 and IP
> 47 (GRE).
> Since everything seems to work if Radius is disabled
> I don't think any of
> this applies. However it is possible that m0n0wall
> is changing
> something behind the scenes.
> For the record I have the following set in the
> WAN TCP 1723 192.168.81.1 1723
> Has anyone on this mailing list ever successfully
> set up pptp to use a
> Radius Server???
> --- "Holmes, Robert" <Robert dot Holmes at agilysys dot com>
> > My settings, platform and problems are the same as
> yours Pete. I have
> > a WRAP, but I also tried it on a CDROM image under
> Vmware. I won't
> > post the log because it's identical. Yes, I can
> ping myself, but no
> > one else.
> > I'll just confirm the same issue as you.
> > I tried pfSense thinking that maybe FreeBSD 6
> would fix it, but the
> > devs over there said they just sync the code from
> m0n0wall. I am
> > using a Windows PPTP client under XP. The same
> settings work to a
> > Microsoft PPTP server as well as m0n0wall with a
> local user list, so
> > it is something inherent in the Radius settings
> preventing it from
> > working.
> > Can anyone else also confirm this problem?
> > -Robert
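The MPD note quoted above says the MPPE key length and policy are dictated by the RADIUS server, and Pete's fix was making the Multitech server actually send that information. The following is an added example, not code from m0n0wall, MPD or the Multitech server: it decodes the two Microsoft vendor-specific attributes defined in RFC 2548 out of a hand-constructed Access-Accept and checks whether a client offering 40- or 128-bit MPPE would be permitted, reporting a reply with no MPPE attributes (the situation in this thread) as such. Function and sample names are my own.

```python
"""Decode Microsoft MPPE vendor-specific attributes (VSAs) from a RADIUS
Access-Accept and compare them with the client's offered key length.
Attribute numbers per RFC 2548, vendor 311: MS-MPPE-Encryption-Policy (7),
MS-MPPE-Encryption-Types (8). Sample packets below are constructed by hand."""
import struct

MS_VENDOR, VSA_TYPE, MPPE_POLICY, MPPE_TYPES = 311, 26, 7, 8
POLICY_NAMES = {1: "Encryption-Allowed", 2: "Encryption-Required"}
TYPE_BIT = {40: 2, 128: 4, 56: 8}   # bit values in MS-MPPE-Encryption-Types

def iter_tlv(buf: bytes, start: int = 0):
    """Walk RADIUS-style (type, length, value) triples; length counts itself."""
    i = start
    while i + 2 <= len(buf):
        t, ln = buf[i], buf[i + 1]
        if ln < 2 or i + ln > len(buf):
            raise ValueError("malformed attribute length at offset %d" % i)
        yield t, buf[i + 2:i + ln]
        i += ln

def microsoft_mppe_vsas(attrs: bytes) -> dict:
    """Return {vendor_type: int} for the two MPPE VSAs; other attributes are skipped."""
    found = {}
    for t, v in iter_tlv(attrs):
        if t != VSA_TYPE or len(v) < 6 or struct.unpack("!I", v[:4])[0] != MS_VENDOR:
            continue
        for vt, vv in iter_tlv(v, 4):          # skip the 4-byte vendor id
            if vt in (MPPE_POLICY, MPPE_TYPES) and len(vv) == 4:
                found[vt] = struct.unpack("!I", vv)[0]
    return found

def mppe_permitted(attrs: bytes, client_bits: int) -> tuple:
    """(allowed, reason) for a client offering 40-, 56- or 128-bit MPPE.
    An Access-Accept with no MPPE VSAs leaves encryption unnegotiated."""
    vsas = microsoft_mppe_vsas(attrs)
    if MPPE_POLICY not in vsas:
        return False, "no MS-MPPE-Encryption-Policy in Access-Accept"
    policy = POLICY_NAMES.get(vsas[MPPE_POLICY], "unknown-policy")
    types = vsas.get(MPPE_TYPES, 0)
    if not types & TYPE_BIT.get(client_bits, 0):
        return False, "%s; %d-bit not in allowed types 0x%x" % (policy, client_bits, types)
    return True, "%s; %d-bit allowed" % (policy, client_bits)

# Constructed attribute section: Framed-Protocol=PPP, then Policy=Required (2)
# and Types=128-bit only (4). SAMPLE_NO_MPPE is what a server with no MPPE
# setting for the user returns.
SAMPLE_ACCEPT = bytes.fromhex(
    "070600000001"                # Framed-Protocol (7), len 6, PPP (1): skipped
    "1a0c00000137070600000002"    # VSA 26, len 12, vendor 311, type 7, len 6, value 2
    "1a0c00000137080600000004")   # VSA 26, len 12, vendor 311, type 8, len 6, value 4
SAMPLE_NO_MPPE = bytes.fromhex("070600000001")
```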