The current ifup-ipppd (version 6.67-1) script seems to consider +pap (+chap) 
as the opposite of -pap (-chap), leading to the incorrect setting of 
authentication options for ipppd. In fact, those ipppd options are completely 
unrelated.
+pap (+chap) means that the local side of the PPP connection requires the 
remote side to authenticate using pap (chap).
-pap (-chap) means that the local side of the PPP connection refuses to 
authenticate itself with the remote side using pap (chap).
Another way to say it is: "+" options refer to the authentication of the remote 
side by the local side whereas "-" options refer to the authentication of the 
local side by the remote side. This is a bit misleading, which is why newer 
versions of pppd have replaced those options by require-pap and refuse-pap.

Following is a patch which correct that issue.
Changes:
- AUTH is replaced by AUTHLOCAL and AUTHREMOTE
- AUTHLOCAL indicates which authentication schemes can be used for the 
authentication of the local side by the remote side. Authentication schemes are 
entered without leading "+" or "-". Possible values: "pap", "chap", "pap 
chap", "chap pap", "none", "noauth", "all"
- AUTHREMOTE indicates which authentication schemes will be used for the 
authentication of the remote side by the local side. Authentication schemes are 
entered without leading "+" or "-". Possible values: "pap", "chap", "pap 
chap", "chap pap", "none", "noauth"
- USER is replaced by NAMELOCAL and NAMEREMOTE
- NAMELOCAL is the username (of the local side) which will be used to 
authenticate the local side with the remote side.
- NAMEREMOTE is the username (of the remote side) which will be used to 
authenticate the remote side with the local side.
- DIALIN is removed as the trick is not required anymore