vpn fails to connect when server requires only 128 bit encryption

Bug #371402 reported by Andrew Brzezinski
34
This bug affects 6 people
Affects Status Importance Assigned to Milestone
network-manager-pptp (Ubuntu)
Fix Released
Medium
Unassigned
Declined for Jaunty by Jean-Baptiste Lallement
Karmic
Fix Released
Medium
Unassigned
Lucid
Won't Fix
Medium
Unassigned

Bug Description

Binary package hint: network-manager-pptp

Everything worked fine in 8.10 and before. In 9.04 it fails. The server (U of Illinois) I connect to wants you to set 128 bit encryption and disable the 40 bit. I worked around the problem by replacing the gconf file, ~/.gconf/system/networking/connections/1/connection/%gconf.xml with a similar one from another machine (This other machine worked fine after the upgrade from 8.10 to 9.04). It seems the problem appears only when you edit the vpn-connection using 9.04. The difference between the two files is an extra line that seems partially redundant.

configured in 9.04 (does not work):
... <entry name="require-mppe-128" mtime="1241379158" type="string"> ...
... <entry name="require-mppe" mtime="1241379158" type="string"> ...

configured in 8.10 (works in 9.04):
... <entry name="require-mppe-128" mtime="1241379158" type="string"> ...

Regarrds.

== Regression details ==
Discovered in version: 9.04
Last known good version: 8.10

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: nvidia
Package: network-manager-pptp 0.7.1~rc4.20090316+bzr23-0ubuntu3
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager-pptp
Uname: Linux 2.6.28-11-generic x86_64

Revision history for this message
Andrew Brzezinski (abrzezi2) wrote :
Revision history for this message
Alexander Sack (asac) wrote :

isnt there an option for mppe in the UI?

Revision history for this message
Andrew Brzezinski (abrzezi2) wrote : Re: [Bug 371402] Re: vpn fails to connect when server requires only 128 bit encryption

There is an option and that is how I configured it prior to the latest
version. But now it makes a different %gconf.xml file that does not work
for making a vpn connection.

Best Regards,
Andrew

On Mon, 2009-05-04 at 20:03 +0000, Alexander Sack wrote:
> isnt there an option for mppe in the UI?
>

Revision history for this message
Andrew Brzezinski (abrzezi2) wrote :

Just to clarify, I tried to set-up the VPN via the UI, but it wouldn't
connect. I worked around the problem by using an older %gconf.xml file.
Hope this helps.
-Andrew

On Mon, 2009-05-04 at 20:03 +0000, Alexander Sack wrote:
> isnt there an option for mppe in the UI?
>

Revision history for this message
Alexander Sack (asac) wrote :

this regression was introduced by commit 5d2b36b9c4b8da6532f2548e828e653f1c42a0f4

git diff 5d2b36b9c4b8da6532f2548e828e653f1c42a0f4^ 5d2b36b9c4b8da6532f2548e828e653f1c42a0f4
diff --git a/ChangeLog b/ChangeLog
index f8bc56e..b36b916 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-02-06 Dan Williams <email address hidden>
+
+ Patch from Russell Suter <email address hidden>
+
+ * properties/advanced-dialog.c
+ - (advanced_dialog_new_hash_from_dialog): fix saving MPPE values
+
 2008-12-13 Przemysław Grzegorczyk <email address hidden>

        * src/nm-pptp-pppd-plugin.c:
diff --git a/properties/advanced-dialog.c b/properties/advanced-dialog.c
index dfd43df..0e1368b 100644
--- a/properties/advanced-dialog.c
+++ b/properties/advanced-dialog.c
@@ -385,10 +385,11 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog, GError **error)
                        g_hash_table_insert (hash, g_strdup (NM_PPTP_KEY_REQUIRE_MPPE_40), g_strdup ("yes"));
                        break;
                default:
- g_hash_table_insert (hash, g_strdup (NM_PPTP_KEY_REQUIRE_MPPE), g_strdup ("yes"));
                        break;
                }

+ g_hash_table_insert (hash, g_strdup (NM_PPTP_KEY_REQUIRE_MPPE), g_strdup ("yes"));
+
                widget = glade_xml_get_widget (xml, "ppp_allow_stateful_mppe");
                if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget)))
                        g_hash_table_insert (hash, g_strdup (NM_PPTP_KEY_MPPE_STATEFUL), g_strdup ("yes"));

backing that out of network-manager-pptp would fix it for you. Have to check why that was accepted as a bugfix.

Changed in network-manager-pptp (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Andrew Fister (andrewfister) wrote :

I confirm the OP's report and workaround. I'm also connecting to the University of Illinois VPN. Just thought I'd give some corroboration :-)

Revision history for this message
eliot_rosewater (mbutala2004) wrote :

I can also confirm the report and the workaround. I can now connect to CITES VPN at the U of I from Jaunty.

Revision history for this message
David Jordan (dmj726) wrote :

I can confirm that this affects Jaunty and now Karmic too. I could not connect to the U of I VPN until I removed "require-mppe" via opening gconf and going to system->networking->connections->1->vpn. I right clicked "require-mppe" and selected "Unset Key". After this the VPN worked. I would suggest modifying network manager to not set "require-mppe" if there is "require-mppe-128" selected.

Revision history for this message
David Jordan (dmj726) wrote :

After looking over the patch Alexander Sack pointed out, that looks like it fixes the issue where leaving and reentering the advanced menu would reset the mppe settings. This meant that one had to set the mppe settings if they ever went into that menu again. This was a known issue in 8.10 with the UIUC CITES VPN, but could be worked around by not reentering the menu.

Revision history for this message
Nils-Werner Claesson (nwclaesson) wrote : Re: [Bug 371402] Re: vpn fails to connect when server requires only 128 bit encryption

This error only occurs to me when I use UMTS and WLAN. I have made all the
correct settings.

On Sun, Oct 11, 2009 at 12:39 PM, dmj726 <email address hidden> wrote:

> I can confirm that this affects Jaunty and now Karmic too. I could not
> connect to the U of I VPN until I removed "require-mppe" via opening
> gconf and going to system->networking->connections->1->vpn. I right
> clicked "require-mppe" and selected "Unset Key". After this the VPN
> worked. I would suggest modifying network manager to not set "require-
> mppe" if there is "require-mppe-128" selected.
>
> --
> vpn fails to connect when server requires only 128 bit encryption
> https://bugs.launchpad.net/bugs/371402
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “network-manager-pptp” package in Ubuntu: Triaged
>
> Bug description:
> Binary package hint: network-manager-pptp
>
> Everything worked fine in 8.10 and before. In 9.04 it fails. The server (U
> of Illinois) I connect to wants you to set 128 bit encryption and disable
> the 40 bit. I worked around the problem by replacing the gconf file,
> ~/.gconf/system/networking/connections/1/connection/%gconf.xml with a
> similar one from another machine (This other machine worked fine after the
> upgrade from 8.10 to 9.04). It seems the problem appears only when you edit
> the vpn-connection using 9.04. The difference between the two files is an
> extra line that seems partially redundant.
>
> configured in 9.04 (does not work):
> ... <entry name="require-mppe-128" mtime="1241379158" type="string"> ...
> ... <entry name="require-mppe" mtime="1241379158" type="string"> ...
>
> configured in 8.10 (works in 9.04):
> ... <entry name="require-mppe-128" mtime="1241379158" type="string"> ...
>
> Regarrds.
>
> ProblemType: Bug
> Architecture: amd64
> DistroRelease: Ubuntu 9.04
> NonfreeKernelModules: nvidia
> Package: network-manager-pptp 0.7.1~rc4.20090316+bzr23-0ubuntu3
> ProcEnviron:
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: network-manager-pptp
> Uname: Linux 2.6.28-11-generic x86_64
>

--
Med vänliga hälsningar / Mit freundlichen Grüssen

Nils-Werner Claesson
+46 (0) 76 040 51 39 | <email address hidden>

Life is not days passed, but times remembered

Revision history for this message
David Jordan (dmj726) wrote :

I made a fix for this bug:

 0c39c37fe4a395529bb7025027f60931152fd6ac on 'master' and 814bccb6d7d103b1e0ec3338c3140cb43a39b91d on 0.7.x branch

properties: really fix saving MPPE settings (lp:371402)NETWORKMANAGER_0_7
Found by David Jordan and others Fixed for some, but broken for others by commit 22d8b96a294673431a94c4976870cfbd2746d469. REQUIRE_MPPE will pass --require-mppe to pppd, which will let pppd accept both 128 and 64 bit connections. Some servers have policy that will reject clients that accept lower-security encryption, so setting REQUIRE_MPPE only when neither 128 or 64 are set is the right fix.

This fix should be incorporated into Karmic before the final, and backported to Jaunty if possible.

tags: added: regression-potential
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-pptp - 0.8~a~git.20091013t190309.0c39c37-0ubuntu1

---------------
network-manager-pptp (0.8~a~git.20091013t190309.0c39c37-0ubuntu1) karmic; urgency=low

  * upstream snapshot 2009-10-13 19:03:09 (GMT)
    + 0c39c37fe4a395529bb7025027f60931152fd6ac
    - properties: really fix saving MPPE settings (LP: #371402)
    - ppp: add minimal debugging output to the ppp plugin

 -- Alexander Sack <email address hidden> Thu, 15 Oct 2009 00:19:09 +0200

Changed in network-manager-pptp (Ubuntu Karmic):
status: Triaged → Fix Released
danerben (danerben)
Changed in network-manager-pptp (Ubuntu Karmic):
status: Fix Released → Invalid
Revision history for this message
danerben (danerben) wrote :

Confirm this bug on Ubuntu 9.10. Got the latest network-manager and it still can't save settings for 128-bit encoding... Nothing helps so far.

Revision history for this message
Andrew Fister (andrewfister) wrote :

I don't think you didn't want to set Invalid, which indicates a bug report that is not really describing a bug. I've reset it as Confirmed for now.

Changed in network-manager-pptp (Ubuntu Karmic):
status: Invalid → Confirmed
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Are you guys still able to reproduce this issue in Lucid? There has been some additional changes in 0.8 which may have corrected the problem.

Changed in network-manager-pptp (Ubuntu Karmic):
status: Confirmed → Incomplete
description: updated
tags: added: regression-release
removed: regression-potential
Changed in network-manager-pptp (Ubuntu Karmic):
status: Incomplete → Fix Released
Changed in network-manager-pptp (Ubuntu Lucid):
status: New → Incomplete
importance: Undecided → Medium
Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Closing karmic task because of comment #12
Opening lucid task due to Mathieu's comment.

Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in network-manager-pptp (Ubuntu Lucid):
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.