On Mon, Nov 30, 2009 at 1:10 AM, James Carlson <carlsonj@xxxxxxxxxxxxxxx> wrote:
> Diederik Hattingh wrote:
>> Nov 29 14:29:35 [pppd] sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic
>> 0x15190f75> <accomp>]
>
> It looks like you've trimmed away the beginning of the negotiation in
> the debug information you posted. That's unfortunate, as this likely
> includes important details that will be needed to resolve the problem.
>
> In the future, don't do that.

Oops, sorry.

>
>> I read online that the NT Domain part must be left blank, but the
>> domain added as prefix, as described above, to the username. Is this
>> still valid?
>
> It depends on how the NT server is configured. There's no way to know
> without asking the administrator of that system.

Our system administrator informed me, and from what I have read online,
it must always be "myworkdomain\username". I specified the domain
separately, and also the username as mentioned before.

>
>> # Secrets for authentication using CHAP
>> # client server secret IP addresses
>> myworkdomain\\djh myworkdomain *****
>> myworkdomain myworkdomain\\djh *****
>
> The second of those looks bogus; you would never identify yourself to
> the peer as though your name were just "myworkdomain". I would have had
> this for the first entry:
>
> myworkdomain\\djh * "my secret here"
>
> It shouldn't be necessary (or helpful) to specify the server's name in
> the second column, particularly as Microsoft systems tend to refuse to
> identify themselves.
>
> As for the double line seen in your configuration file, it looks to me
> like whoever (or whatever) added it this way was confused about how that
> file actually works.

pptp-command made that file. Not sure why it wrote both lines?
My password has a "#" in it. So to wrap it in quotes was essential.

>
>> Notice that the connection server is called server.myworkdomain.co.za,
>> but the domain I specified as myworkdomain (without .co.za)
>
> I don't believe that NT authentication domains have anything to do with
> DNS domain names. They're wholly unrelated concepts. You can't just
> lop off the trailing ".co.za" and expect it to work, unless the NT
> authentication domain (part of Kerberos, I think) just happens to be the
> same as that portion of the DNS name by coincidence. You need to have
> proper NT authentication credentials if you're going to use MS-CHAPv2.
>

The domain was just called myworkdomain.

Another factor that really threw me off track was that the server I was
trying to connect to had an open port 1723, but no VPN service was
running on the server. The real address was server2.myworkdomain.co.za.
Our IT guys helped in this regard.

In retrospect, I would have saved lots of time by following
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#fault_tree
to the letter.

Thanks for the help James

Diederik
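
The chap-secrets quoting discussed in this thread (the doubled backslash in the client name, a secret containing "#"), as an added example that is not part of the original messages and is not pppd code. It is a simplified Python model of the word splitting, assuming the rules described in pppd(8): whitespace separates words, double quotes group, a backslash quotes the next character, and an unquoted "#" at the start of a word begins a comment. The function names and the sample secrets are constructed for illustration.

```python
def split_words(line):
    """Split one secrets-file line into words under the assumed rules above."""
    words, cur, in_quotes, started = [], [], False, False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):    # backslash quotes the next character
            cur.append(line[i + 1]); started = True; i += 2
            continue
        if c == '"':                           # quotes group, and may form an empty word
            in_quotes = not in_quotes; started = True
        elif in_quotes:
            cur.append(c)                      # '#' and spaces are literal inside quotes
        elif c.isspace():
            if started:
                words.append("".join(cur)); cur, started = [], False
        elif c == "#" and not started:         # comment: rest of the line is dropped
            break
        else:
            cur.append(c); started = True
        i += 1
    if started:
        words.append("".join(cur))
    return words

def encode_word(word):
    """Escape backslashes and quotes; add quotes only where the word needs them."""
    escaped = word.replace("\\", "\\\\").replace('"', '\\"')
    needs_quotes = word == "" or any(ch.isspace() or ch in '#"' for ch in word)
    return f'"{escaped}"' if needs_quotes else escaped

def format_entry(client, server, secret):
    """Build a 'client server secret' line that splits back into the same values."""
    return " ".join(encode_word(w) for w in (client, server, secret))

def roundtrip_ok(client, server, secret):
    return split_words(format_entry(client, server, secret)) == [client, server, secret]

if __name__ == "__main__":
    client = "myworkdomain\\djh"               # one real backslash, as sent to the peer
    print(format_entry(client, "*", "my secret here"))
    # Constructed secret starting with '#': unquoted, the secret column vanishes.
    print(split_words(r"myworkdomain\\djh * #example secret"))
    print(split_words(format_entry(client, "*", "#example secret")))
```

An entry that splits into fewer than three words has lost its secret column, which is the case to check for after hand-editing the file.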