4

If you're trying to connect from a Mac to a Windows Server's VPN (PPTP), accepting only MS-CHAPv2, the client fails with the following error:

18/6/13 9:06:08.672 AM pppd[10247]: MS-CHAP authentication failed: E=691 Authentication failure

Proposed solutions (Post from Macworld, Post from Apple forum) are to disable the Digitally sign communications (always) and enable it only if client agrees (not tested, since we cannot change the settings on the server).

Often, you don't want to or can't change any setting on the server and thus look for a solution on the client side.

Has anyone found a command line to force the usage of MS-CHAPv2, or, in other words, to preclude the usage of any other authentication method?

1 Answer

6

MacOSX has pppd embedded and you can connect via the Terminal. To connect via pppd and have only a subset network routed through the VPN, I use the following command line (multiline for readability):

sudo pppd \
   remoteaddress *vpn_server_address* \
   pty "*vpn_server_address* --nolaunchpppd" \
   lock \
   user *DOMAIN\\username* \
   password *password* \
   nomppe \
   require-mschap-v2 \
   noauth \
   nobsdcomp \
   nodeflate \
   nodetach \
   plugin pptp.ppp \
   noipdefault \
   refuse-pap \
   refuse-eap \
   refuse-chap \
   refuse-mschap \
   plugin /System/Library/SystemConfiguration/PPPController.bundle/Contents/PlugIns/PPPDialogs.ppp \
   logfile /path/to/your/log.log

Then, I declare in another terminal the needed route, for example

sudo route add -net *distant_local_network* *gateway_ip* *mask*

for example

sudo route add -net 192.192.0.0 192.192.0.1 255.255.255.0

Then all the traffic to the distant network uses the VPN and the rest of Internet is still accessible.

2
  • 1
    Thanks!! Just what I needed. I had to change this a little bit to make it work. I added the following options: require-mppe require-mppe-40 require-mppe-128 mppe-stateful
    – delkant
    Commented Dec 14, 2014 at 23:53
  • macos hasn't pppd anymore
    – Gargo
    Commented Jan 14, 2023 at 11:49
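
The option list in the answer restricts the client to MS-CHAPv2 through its `refuse-*` options. The following is an added example, not part of the original answer or comments: a small shell check that audits a pppd option list for that restriction and for two weak settings (`password` on the command line, `nomppe`). The function name `audit_pppd_opts` is hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example: audit a pppd option list before using it.
# Prints one finding per line; return status is the number of findings.
audit_pppd_opts() {
    findings=0
    seen=" "
    # Record option words, skipping the value of options that take one.
    while [ $# -gt 0 ]; do
        opt=$1; shift
        seen="$seen$opt "
        case $opt in
            password)
                echo "password: secret on the command line is visible in the process list"
                findings=$((findings + 1))
                [ $# -gt 0 ] && shift ;;
            user|remoteaddress|pty|plugin|logfile)
                [ $# -gt 0 ] && shift ;;
        esac
    done
    # Every weaker method must be refused, or the client may agree to it.
    for opt in refuse-pap refuse-chap refuse-mschap refuse-eap; do
        case $seen in
            *" $opt "*) ;;
            *) echo "$opt missing: client may still answer with ${opt#refuse-}"
               findings=$((findings + 1)) ;;
        esac
    done
    case $seen in
        *" refuse-mschap-v2 "*)
            echo "refuse-mschap-v2: MS-CHAPv2 itself is refused"
            findings=$((findings + 1)) ;;
    esac
    case $seen in
        *" nomppe "*)
            echo "nomppe: MPPE disabled, PPP payload is not encrypted"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: the answer's option list with placeholder values.
audit_pppd_opts remoteaddress vpn.example.test user 'DOMAIN\user' \
    password placeholder nomppe require-mschap-v2 noauth \
    refuse-pap refuse-eap refuse-chap refuse-mschap || true
```

On the sample it reports the `password` and `nomppe` findings; the options added in the first comment (`require-mppe` and related) address the second.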
