xebd / accel-ppp

High performance PPTP/L2TP/PPPoE/IPoE server for Linux
GNU General Public License v2.0
299 stars 107 forks

Linux's SSTP-Client fails to connect #91

Open david-hoze opened 5 years ago

david-hoze commented 5 years ago

Hi, I'm using SSTP-Client on Ubuntu 18.04, and it fails to connect to an accel-ppp server I made.

I'm getting "invalid Compound MAC" in the syslog. This is the full log:

Jul 23 09:21:18 accel-ppp-fixer accel-pppd: sstp: new connection from 79.177.68.246:36020
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: sstp: starting
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: sstp: started
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: sstp: recv [SSL <SNI mydomain.com>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [HTTP <Host: mydomain.com>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [HTTP <Content-Length: 18446744073709551615>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [HTTP <SSTPCORRELATIONID: 0c38434f-aa00-4c52-b666-ad665d1844b2>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [HTTP <HTTP/1.1 200 OK>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [HTTP <Date: Tue, 23 Jul 2019 09:21:18 GMT>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [HTTP <Content-Length: 18446744073709551615>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: lcp_layer_init
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: auth_layer_init
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: ccp_layer_init
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: ipcp_layer_init
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: ipv6cp_layer_init
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: ppp establishing
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: lcp_layer_start
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1400> <magic 5fd32ae2>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: recv [LCP ConfReq id=1 < 2 6 0 0 0 0 > <magic 059482c9> <pcomp> <accomp>]
Jul 23 09:21:18 accel-ppp-fixer accel-pppd: :: send [LCP ConfRej id=1  < 2 6 0 0 0 0 > <pcomp> <accomp>]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1400> <magic 5fd32ae2>]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: recv [LCP ConfReq id=2 <magic 059482c9>]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: send [LCP ConfAck id=2 ]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: lcp_layer_started
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: auth_layer_start
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: send [MSCHAP-v2 Challenge id=1 <b28cd7946ad323bc82deb04248f3b51d>]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: recv [SSTP SSTP_MSG_CALL_CONNECTED]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: sstp: invalid Compound MACsend [SSTP SSTP_MSG_CALL_ABORT]
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: sstp: disconnect by peer
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: disconnecting
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: terminate
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: sstp: ppp: finished
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: lcp_layer_free
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: auth_layer_free
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: ccp_layer_free
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: ipcp_layer_free
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: :: ipv6cp_layer_free
Jul 23 09:21:19 accel-ppp-fixer accel-pppd: sstp: disconnected

This is my accel-ppp.conf:

[modules]
log_file
log_syslog
auth_mschap_v2
radius
ippool
sstp
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
[ppp]
verbose=3
min-mtu=1280
mtu=1400
mru=1400
mppe=prefer
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-timeout=120
[sstp]
verbose=1
ssl=1
ssl-ciphers=DEFAULT
ssl-prefer-server-ciphers=0
ssl-ca-file=/usr/local/etc/ca.crt
ssl-pemfile=/usr/local/etc/ca.pem
ssl-keyfile=/usr/local/etc/ca.key
host-name=mydomain.com
timeout=60
hello-interval=60
ip-pool=pool1
ifname=sstp%d
proxy-arp=0
[client-ip-range]
0.0.0.0/0
[dns]
dns1=8.8.8.8
dns2=8.8.4.4
[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
nas-ip-address=127.0.0.1
server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0,weight=1000
acct-interim-interval=500
acct-on=1
verbose=1
interim-verbose=1
[ip-pool]
gw-ip-address=10.0.0.1
10.31.3.3-254,pool1
10.31.4.3-254,pool2
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
level=5

I'm using SSTP-Client with the network manager. I just created a new VPN connection, entered the host and username (the password is prompted for), and checked "Use TLS hostname extensions".

themiron commented 5 years ago

Hi, it seems that for some reason the client sends SSTP_MSG_CALL_CONNECTED too early, before getting authenticated with the MSCHAPv2 messages. I'll take a look.

inste commented 5 years ago

@david-hoze there's a bug in sstp-client in CMAC validation. Right now you can use PAP-only auth to connect, but if you want crypto binding to be working, file a bug with Eivind Naess, the author of sstp-client.
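
To make the "invalid Compound MAC" failure in the log above concrete, here is an added reference computation of the SSTP crypto binding as described in MS-SSTP. It is example code written for this page, not code from accel-ppp or sstp-client. It assumes the SSTP_MSG_CALL_CONNECTED layout (8-byte control header plus a 104-byte Crypto Binding attribute: nonce, certificate hash, Compound MAC), the CMK derivation HMAC(HLAK, "SSTP inner method derived CMK" | LEN | 0x01) with LEN as a 2-byte little-endian digest length, and the Compound MAC as the HMAC over the message with the MAC field zeroed. The all-zero HLAK for PAP is from the spec and matches why PAP-only auth still connects; the 32-byte MS-CHAPv2 HLAK value used here is a constructed placeholder for the key material that the real peers derive from the MPPE master keys, so the example shows the ordering dependency rather than a real key derivation:

```python
import hashlib
import hmac
import struct

# Constants per MS-SSTP (assumed from the spec, not taken from the original page).
SEED = b"SSTP inner method derived CMK"
HASH_SHA1, HASH_SHA256 = 0x01, 0x02
MSG_CALL_CONNECTED = 0x0004
ATTR_CRYPTO_BINDING = 0x03
ATTR_LEN = 104          # 4 attr header + 3 reserved + 1 hash bitmask + 32 nonce + 32 cert hash + 32 CMAC
MSG_LEN = 112           # 4 SSTP header + 4 control header + ATTR_LEN


def _digest_name(hash_proto: int) -> str:
    if hash_proto == HASH_SHA256:
        return "sha256"
    if hash_proto == HASH_SHA1:
        return "sha1"
    raise ValueError("unsupported hash protocol bitmask")


def derive_cmk(hlak: bytes, hash_proto: int) -> bytes:
    """Compound MAC Key: T1 = HMAC(HLAK, SEED | LEN | 0x01).
    LEN is the digest length (20 or 32) as 2 bytes little-endian (assumption)."""
    digest = _digest_name(hash_proto)
    dlen = hashlib.new(digest).digest_size
    return hmac.new(hlak, SEED + struct.pack("<H", dlen) + b"\x01", digest).digest()


def build_call_connected(hash_proto: int, nonce: bytes, cert_hash: bytes,
                         cmac: bytes = bytes(32)) -> bytes:
    """Serialise SSTP_MSG_CALL_CONNECTED with one Crypto Binding attribute."""
    assert len(nonce) == 32 and len(cert_hash) == 32 and len(cmac) == 32
    attr = (struct.pack(">BBH", 0, ATTR_CRYPTO_BINDING, ATTR_LEN)
            + b"\x00\x00\x00" + bytes([hash_proto]) + nonce + cert_hash + cmac)
    body = struct.pack(">HH", MSG_CALL_CONNECTED, 1) + attr
    # SSTP header: version 1.0, C bit set (control message), total length.
    return struct.pack(">BBH", 0x10, 0x01, 4 + len(body)) + body


def compute_cmac(hlak: bytes, hash_proto: int, nonce: bytes, cert_hash: bytes) -> bytes:
    """Compound MAC = HMAC(CMK, message with the Compound MAC field zeroed), zero-padded to 32."""
    cmk = derive_cmk(hlak, hash_proto)
    zeroed = build_call_connected(hash_proto, nonce, cert_hash)
    return hmac.new(cmk, zeroed, _digest_name(hash_proto)).digest().ljust(32, b"\x00")


def verify_call_connected(msg: bytes, hlak: bytes, expected_nonce: bytes,
                          expected_cert_hash: bytes) -> bool:
    """Server-side check: structure, nonce and cert hash echo, then the Compound MAC.
    Returns False (the 'invalid Compound MAC' case) rather than raising."""
    if len(msg) != MSG_LEN:
        return False
    ver, ctl, length = struct.unpack(">BBH", msg[:4])
    mtype, nattr = struct.unpack(">HH", msg[4:8])
    if ver != 0x10 or not (ctl & 1) or (length & 0x0FFF) != MSG_LEN:
        return False
    if mtype != MSG_CALL_CONNECTED or nattr != 1:
        return False
    attr = msg[8:]
    _, aid, alen = struct.unpack(">BBH", attr[:4])
    if aid != ATTR_CRYPTO_BINDING or alen != ATTR_LEN:
        return False
    hash_proto = attr[7]
    if hash_proto not in (HASH_SHA1, HASH_SHA256):
        return False
    nonce, cert_hash, cmac = attr[8:40], attr[40:72], attr[72:104]
    if not hmac.compare_digest(nonce, expected_nonce):
        return False
    if not hmac.compare_digest(cert_hash, expected_cert_hash):
        return False
    return hmac.compare_digest(cmac, compute_cmac(hlak, hash_proto, nonce, cert_hash))


def demo():
    """Constructed inputs: a nonce, a cert hash and two HLAK values."""
    nonce = bytes(range(32))                                   # server nonce from CALL_CONNECT_ACK
    cert_hash = hashlib.sha256(b"constructed server cert DER").digest()
    hlak_pap = bytes(32)                                       # PAP: HLAK is all zeros
    hlak_mschap = hashlib.sha256(b"constructed MPPE key material").digest()  # placeholder

    good = build_call_connected(HASH_SHA256, nonce, cert_hash,
                                compute_cmac(hlak_mschap, HASH_SHA256, nonce, cert_hash))
    ok = verify_call_connected(good, hlak_mschap, nonce, cert_hash)
    # Peers disagreeing on HLAK (e.g. one side still on the PAP zero key because
    # PPP auth has not completed) yields the CMAC mismatch seen in the log.
    mismatch = verify_call_connected(good, hlak_pap, nonce, cert_hash)
    tampered = bytearray(good)
    tampered[8 + 8] ^= 0x01                                    # flip a bit in the echoed nonce
    tamper = verify_call_connected(bytes(tampered), hlak_mschap, nonce, cert_hash)
    return ok, mismatch, tamper


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check is deliberately ordered so the cheap structural and echo comparisons run before the HMAC, and every comparison is constant-time; a server that logs which of the three stages failed would have told the reporter immediately whether the keys disagreed or the message itself was malformed.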

themiron commented 4 years ago

@david-hoze the issue should be fixed in https://github.com/accel-ppp/accel-ppp/