
#1 2019-09-23 13:43:04

jlumme
Member
Registered: 2019-04-06
Posts: 9

[SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Trying to get my arch connected to our company VPN using NetworkManager and Libreswan. I can get connected if I just configure the ipsec and xl2tpd from the command line, but somehow with the NetworkManager I never manage to get further than the ipsec part.

My steps are similar to the wiki, but the configuration is slightly different. The command line configuration is as follows.
ipsec:

conn VPN
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
     left=192.168.10.10
     leftprotoport=17/1701
     right=*SERVER IP*
     rightid=192.168.1.1          # Had to add this, otherwise the ipsec would keep complaining about expected and actual IP on the server side
     rightprotoport=17/1701
     ikev2=never
     ike=aes128-sha1;modp1024
     esp=aes128-sha1

xl2tpd:

[lac VPN]
lns = *SERVER IP*
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.VPN
length bit = yes

ppp options:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name *hidden*
password *hidden*

And with the above I have no issues, the ipsec and xl2tpd play nice and I can access the VPN connection.

Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: initiating Main Mode
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: WARNING: connection VPN PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: Peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP1024}
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #8: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#8 msgid:412b7fb5 proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=no-pfs}
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: our client peer returned protocol id does not match my proposal - us: 17 vs them: 0
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: our client peer returned port doesn't match my proposal - us: 1701 vs them: 0
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: peer client peer returned protocol id does not match my proposal - us: 17 vs them: 0
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: peer client peer returned port doesn't match my proposal - us: 1701 vs them: 0
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
Sep 23 22:24:30 simppa pluto[33534]: "VPN" #9: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x22c4502d <0x939b93c2 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=*SERVER_IP*:4500 DPD=unsupported}
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: Connecting to host *SERVER_IP*, port 1701
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: Connection established to *SERVER_IP*, 1701.  Local: 60080, Remote: 10204 (ref=0/0).
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: Calling on tunnel 60080
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: Call established with *SERVER_IP*, Local: 19710, Remote: 30767, Serial: 5 (ref=0/0)
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: start_pppd: I'm running:
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "/usr/sbin/pppd"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "plugin"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "pppol2tp.so"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "pppol2tp"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "7"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "passive"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "nodetach"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: ":"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "debug"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "file"
Sep 23 22:24:41 simppa xl2tpd[26827]: xl2tpd[26827]: "/etc/ppp/options.l2tpd.VPN"
Sep 23 22:24:41 simppa pppd[34444]: Plugin pppol2tp.so loaded.
Sep 23 22:24:41 simppa pppd[34444]: pppd 2.4.7 started by root, uid 0
Sep 23 22:24:41 simppa pppd[34444]: using channel 36
Sep 23 22:24:41 simppa pppd[34444]: Using interface ppp0
Sep 23 22:24:41 simppa pppd[34444]: Connect: ppp0 <-->
Sep 23 22:24:41 simppa pppd[34444]: Overriding mtu 1500 to 1410
Sep 23 22:24:41 simppa pppd[34444]: PPPoL2TP options: debugmask 0
Sep 23 22:24:41 simppa pppd[34444]: Overriding mru 1500 to mtu value 1410
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0xd5ccd03c>]
Sep 23 22:24:41 simppa NetworkManager[463]: <info>  [1569245081.7932] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/36)
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfReq id=0x1 <mru 1792> <auth chap MS-v2> <magic 0xfb1ab8b8>]
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ConfAck id=0x1 <mru 1792> <auth chap MS-v2> <magic 0xfb1ab8b8>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ConfReq id=0x2 <mru 1410> <magic 0xd5ccd03c>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfAck id=0x2 <mru 1410> <magic 0xd5ccd03c>]
Sep 23 22:24:41 simppa pppd[34444]: Overriding mtu 1792 to 1410
Sep 23 22:24:41 simppa pppd[34444]: PPPoL2TP options: debugmask 0
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP EchoReq id=0x0 magic=0xd5ccd03c]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [CHAP Challenge id=0x1 <1a26ae6fdc7b3f1b667f7ec7c0a7d5d6>, name = "192.168.1.1"]
Sep 23 22:24:41 simppa pppd[34444]: added response cache entry 0
Sep 23 22:24:41 simppa pppd[34444]: sent [CHAP Response id=0x1 <52542afb77e2d6add688be42af1fc168000000000000000087e5e75f091dfdb4169ab5adc1620e5543a4af0e27772c2c00>, name = "vpnuser02"]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP EchoRep id=0x0 magic=0xfb1ab8b8]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [CHAP Success id=0x1 "S=ED4D5DB2E5658A48BB3032BBD401969595668373"]
Sep 23 22:24:41 simppa pppd[34444]: response found in cache (entry 0)
Sep 23 22:24:41 simppa pppd[34444]: CHAP authentication succeeded
Sep 23 22:24:41 simppa pppd[34444]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [CCP ConfReq id=0x1 < 11 05 00 01 03>]
Sep 23 22:24:41 simppa pppd[34444]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ProtRej id=0x3 80 fd 01 01 00 09 11 05 00 01 03]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 23 22:24:41 simppa pppd[34444]: sent [IPCP ConfRej id=0x1 <addr 0.0.0.0>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::ae44:f2ff:fe64:aa54>]
Sep 23 22:24:41 simppa pppd[34444]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ProtRej id=0x4 80 57 01 01 00 0e 01 0a ae 44 f2 ff fe 64 aa 54]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPCP ConfRej id=0x1 <ms-dns2 0.0.0.0>]
Sep 23 22:24:41 simppa pppd[34444]: sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPCP ConfReq id=0x2 <addr 192.168.1.1>]
Sep 23 22:24:41 simppa pppd[34444]: sent [IPCP ConfAck id=0x2 <addr 192.168.1.1>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPCP ConfNak id=0x2 <addr 172.16.101.100> <ms-dns1 192.168.1.1>]
Sep 23 22:24:41 simppa pppd[34444]: sent [IPCP ConfReq id=0x3 <addr 172.16.101.100> <ms-dns1 192.168.1.1>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [IPCP ConfAck id=0x3 <addr 172.16.101.100> <ms-dns1 192.168.1.1>]
Sep 23 22:24:41 simppa pppd[34444]: not replacing existing default route via 192.168.10.1
Sep 23 22:24:41 simppa pppd[34444]: Cannot determine ethernet address for proxy ARP
Sep 23 22:24:41 simppa pppd[34444]: local  IP address 172.16.101.100
Sep 23 22:24:41 simppa pppd[34444]: remote IP address 192.168.1.1
Sep 23 22:24:41 simppa pppd[34444]: primary   DNS address 192.168.1.1

---

With NetworkManager, when creating the L2TP type connection I feed it basically the server IP, the shared key and my username and password. When I try to connect to the VPN, the ipsec connection actually gets established same as with the command line as I see this:

Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: initiating Main Mode
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: WARNING: connection 1d8fabed-2748-443e-a050-cc206af8162d PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP1024}
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:ccfd98ba proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=no-pfs}
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: peer client peer returned protocol id does not match my proposal - us: 17 vs them: 0
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: peer client peer returned port doesn't match my proposal - us: 1701 vs them: 0
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
Sep 23 21:52:57 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x490d7710 <0xd8795135 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=202.213.133.11:4500 DPD=unsupported}

But 2 seconds after that the connection is torn down:

Sep 23 21:52:59 simppa pluto[32834]: "1d8fabed-2748-443e-a050-cc206af8162d" #1: received Delete SA payload: replace IPsec State #2 now

Now, as ppp is the one that kicks off after the ipsec connection, I started looking at those logs, and indeed I see the following:

Sep 23 21:52:57 simppa nm-l2tp-service[32645]: xl2tpd started with pid 32862
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Not looking for kernel SAref support.
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Using l2tp kernel support.
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: xl2tpd version xl2tpd-1.3.14 started on simppa PID:32862
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Inherited by Jeff McAdams, (C) 2002
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Listening on IP address 0.0.0.0, port 49125
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Connecting to host *SERVER_IP*, port 1701
Sep 23 21:52:57 simppa NetworkManager[463]: <info>  [1569243177.8007] vpn-connection[0x561872e0c350,1d8fabed-2748-443e-a050-cc206af8162d,"Office",0]: VPN plugin: state changed: starting (3)
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Connection established to *SERVER_IP*, 1701.  Local: 25557, Remote: 35334 (ref=0/0).
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Calling on tunnel 25557
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: Call established with *SERVER_IP*, Local: 21398, Remote: 62647, Serial: 1 (ref=0/0)
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: start_pppd: I'm running:
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "/usr/sbin/pppd"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "plugin"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "pppol2tp.so"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "pppol2tp"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "7"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "passive"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "nodetach"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: ":"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "file"
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: "/var/run/nm-l2tp-1d8fabed-2748-443e-a050-cc206af8162d/ppp-options"
Sep 23 21:52:57 simppa pppd[32863]: Plugin pppol2tp.so loaded.
Sep 23 21:52:57 simppa pppd[32863]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Sep 23 21:52:57 simppa pppd[32863]: pppd 2.4.7 started by root, uid 0
Sep 23 21:52:57 simppa pppd[32863]: Using interface ppp0
Sep 23 21:52:57 simppa pppd[32863]: Connect: ppp0 <-->
Sep 23 21:52:57 simppa pppd[32863]: Overriding mtu 1500 to 1410
Sep 23 21:52:57 simppa pppd[32863]: Overriding mru 1500 to mtu value 1410
Sep 23 21:52:57 simppa NetworkManager[463]: <info>  [1569243177.8469] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/33)
Sep 23 21:52:57 simppa pppd[32863]: Overriding mtu 1792 to 1410
Sep 23 21:52:57 simppa pppd[32863]: LCP terminated by peer
Sep 23 21:52:57 simppa pppd[32863]: Overriding mtu 1500 to 1410
Sep 23 21:52:57 simppa pppd[32863]: Overriding mru 1500 to mtu value 1410
Sep 23 21:52:57 simppa NetworkManager[463]: xl2tpd[32862]: control_finish: Connection closed to *SERVER_IP*, serial 1 ()

I can see the message which presumably kills the connection, but I'm not really sure what to make of it.

Sep 23 21:52:57 simppa pppd[32863]: LCP terminated by peer

I tried each of the authentication options in the "PPP settings" window, but none of these seem any good. Also I looked inside the /var/run/nm-l2tp-1d8fabed-2748-443e-a050-cc206af8162d/ppp-options file (which gets created and deleted on the fly, quite annoying); the content that NetworkManager generates looks like this:

ipparam nm-l2tp-service-1d8fabed-2748-443e-a050-cc206af8162d
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-pap
refuse-mschap
refuse-mschap-v2
novj
nopcomp
noaccomp
lcp-echo-failure 5
lcp-echo-interval 30
plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so
mru 1410
mtu 1410

The file seems to be missing the name and password fields that would enable it to authenticate. Could this be the problem?
How does NetworkManager generate this file? Any help would be greatly appreciated!

Last edited by jlumme (2019-09-30 13:19:46)

Offline

#2 2019-09-23 22:40:44

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

In the good connection I see this..

Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfReq id=0x1 <mru 1792> <auth chap MS-v2> <magic 0xfb1ab8b8>]
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ConfAck id=0x1 <mru 1792> <auth chap MS-v2> <magic 0xfb1ab8b8>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Sep 23 22:24:41 simppa pppd[34444]: sent [LCP ConfReq id=0x2 <mru 1410> <magic 0xd5ccd03c>]
Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfAck id=0x2 <mru 1410> <magic 0xd5ccd03c>]

Which I don't see in the networkmanager connection attempt.

Also this, in what I presume to be NetworkManager's running config:

refuse-mschap-v2

Is there a config item for mppe?

Edit:  https://en.wikipedia.org/wiki/Microsoft … Encryption

Last edited by Zod (2019-09-23 22:53:09)

Offline

#3 2019-09-23 23:01:14

jlumme
Member
Registered: 2019-04-06
Posts: 9

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Thanks for your reply!

I tried multiple authentication methods, including the mschap. Here is the ppp file which gets generated by NetworkManager with that authentication enabled:

nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-pap
refuse-chap
require-mppe
novj
nopcomp
noaccomp
lcp-echo-failure 5
lcp-echo-interval 30
plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so
mru 1410
mtu 1410

The authentication information for ppp is still somewhere else (or nowhere) in the config file, as you can see.

The log from that connection attempt says that authentication fails:

Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Using l2tp kernel support.
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: xl2tpd version xl2tpd-1.3.14 started on simppa PID:6344
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Inherited by Jeff McAdams, (C) 2002
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Listening on IP address 0.0.0.0, port 1701
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Connecting to host *SERVER_IP*, port 1701
Sep 24 07:55:21 simppa NetworkManager[447]: <info>  [1569279321.0682] vpn-connection[0x558ed92ac0d0,1d8fabed-2748-443e-a050-cc206af8162d,"VPN",0]: VPN plugin: state changed: starting (3)
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Connection established to *SERVER_IP*, 1701.  Local: 15551, Remote: 4783 (ref=0/0).
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Calling on tunnel 15551
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: Call established with *SERVER_IP*, Local: 6131, Remote: 15569, Serial: 1 (ref=0/0)
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: start_pppd: I'm running:
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "/usr/sbin/pppd"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "plugin"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "pppol2tp.so"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "pppol2tp"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "7"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "passive"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "nodetach"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: ":"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "file"
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: "/var/run/nm-l2tp-1d8fabed-2748-443e-a050-cc206af8162d/ppp-options"
Sep 24 07:55:21 simppa pppd[6345]: Plugin pppol2tp.so loaded.
Sep 24 07:55:21 simppa pppd[6345]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Sep 24 07:55:21 simppa pppd[6345]: pppd 2.4.7 started by root, uid 0
Sep 24 07:55:21 simppa pppd[6345]: Using interface ppp0
Sep 24 07:55:21 simppa pppd[6345]: Connect: ppp0 <-->
Sep 24 07:55:21 simppa pppd[6345]: Overriding mtu 1500 to 1410
Sep 24 07:55:21 simppa pppd[6345]: Overriding mru 1500 to mtu value 1410
Sep 24 07:55:21 simppa NetworkManager[447]: <info>  [1569279321.1101] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
Sep 24 07:55:21 simppa pppd[6345]: Overriding mtu 1792 to 1410
Sep 24 07:55:21 simppa pppd[6345]: MS-CHAP authentication failed: Authentication failed.
Sep 24 07:55:21 simppa pppd[6345]: CHAP authentication failed
Sep 24 07:55:21 simppa pppd[6345]: Overriding mtu 1500 to 1410
Sep 24 07:55:21 simppa pppd[6345]: Overriding mru 1500 to mtu value 1410
Sep 24 07:55:21 simppa pppd[6345]: Connection terminated.
Sep 24 07:55:21 simppa NetworkManager[447]: xl2tpd[6344]: control_finish: Connection closed to *SERVER_IP*, serial 1 ()

I presume by your question "is there a config option for mppe", you mean the "Use Point-To-Point encryption" option in the PPP options:
Screenshot-from-2019-09-24-07-56-17.png

Offline

#4 2019-09-24 01:04:09

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Try unselecting mschap and leaving mschapv2 selected.

In that last log it failed on authenticating with mschap when we know from the good log that it wants mschapv2.


Edit: Check that the shared key is correct

Couldn't you connect using the command line (nmcli?) and export/import into networkmanager?

Last edited by Zod (2019-09-24 02:56:31)

Offline

#5 2019-09-30 11:15:18

dkosovic
Member
Registered: 2017-12-16
Posts: 21

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Have a look at NetworkManager-l2tp's README.md file on how to enable debugging which also stops the run-time generated files from being deleted:

It'll then enable proper pppd debugging which should hopefully give a hint as to what is going wrong.

The following line in /var/run/nm-l2tp-UUID/ppp-options handles the username and password with a plugin that uses the Gnome or KDE Secret Service :

plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so

You shouldn't need to enable MPPE, which uses weak encryption; it's only really needed for L2TP users not using IPsec.

For the time being, I would stick with CHAP authentication as it seems to have succeeded for you, untick the other authentication methods.

You could also try stopping the xl2tpd service before starting NetworkManager-l2tp, see "Issue with not stopping system xl2tpd service" in the README.md file.

Offline

#6 2019-09-30 13:18:36

jlumme
Member
Registered: 2019-04-06
Posts: 9

Re: [SOLVED]Failing to establish L2TP/ipsec connection with NetworkManager

Zod, dkosovic - thank you for your replies.

It was indeed helpful to see the debug messages from the pppd debugging. And I got it working when comparing the outputs of the console and GUI connections more carefully with the debug options on.

In the end it was just the case of selecting the right authentication (and not enabling MPPE). Leaving only MSCHAPv2 selected was the right choice, it seems. In the IPsec settings, I had to enter the "Remote ID", the same as the manually set "rightid" in the config files.
The other end HW is RTX830 from Yamaha, for future reference just in case anyone else runs into this.

Offline
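
Added example, not part of any post in this thread: a small checker that compares the authentication method the peer demands in its LCP ConfReq (from a pppd debug log) with the methods a ppp-options file still allows, and flags MPPE being required. It assumes each pppd `refuse-*` option switches off exactly one method, as the per-method checkboxes discussed above suggest; the function names and the "MSCHAPv2 only" options file are constructed for illustration, while the other samples are copied from the posts.

```python
import re

# pppd refuse-* option -> the one authentication method it switches off
# (assumption: one-to-one, matching the per-method checkboxes in the thread).
# Values use the spelling pppd prints inside <auth ...> in its debug log.
REFUSE = {
    "refuse-pap": "pap",
    "refuse-chap": "chap MD5",
    "refuse-mschap": "chap MS",
    "refuse-mschap-v2": "chap MS-v2",
    "refuse-eap": "eap",
}
LCP_AUTH = re.compile(r"rcvd \[LCP ConfReq [^\]]*<auth ([^>]+)>")


def option_names(options_text):
    """Return the first word of every non-empty, non-comment option line."""
    names = []
    for line in options_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])
    return names


def diagnose(options_text, pppd_log):
    """Compare what the peer asks for with what the options file permits."""
    names = option_names(options_text)
    refused = {REFUSE[n] for n in names if n in REFUSE}
    accepts = sorted(set(REFUSE.values()) - refused)
    match = LCP_AUTH.search(pppd_log)
    wants = match.group(1) if match else None
    return {
        "peer_wants": wants,
        "client_accepts": accepts,
        "mismatch": wants is not None and wants not in accepts,
        # MPPE is described in the thread as weak and unnecessary under IPsec
        "weak": [n for n in names if n.startswith("require-mppe")],
    }


# Copied from the thread: LCP request seen in the working command-line session.
GOOD_LOG = ('Sep 23 22:24:41 simppa pppd[34444]: rcvd [LCP ConfReq id=0x1 '
            '<mru 1792> <auth chap MS-v2> <magic 0xfb1ab8b8>]')

# Copied from the thread (auth-related lines only): first NetworkManager file.
NM_FIRST = "noauth\nnoccp\nrefuse-eap\nrefuse-pap\nrefuse-mschap\nrefuse-mschap-v2\n"

# Copied from the thread (auth-related lines only): second NetworkManager file.
NM_SECOND = "noauth\nnoccp\nrefuse-eap\nrefuse-pap\nrefuse-chap\nrequire-mppe\n"

# Constructed sample: what "only MSCHAPv2 selected, MPPE off" would look like.
MSCHAPV2_ONLY = "noauth\nnoccp\nrefuse-eap\nrefuse-pap\nrefuse-chap\nrefuse-mschap\n"

if __name__ == "__main__":
    for label, text in (("first", NM_FIRST), ("second", NM_SECOND),
                        ("mschapv2-only", MSCHAPV2_ONLY)):
        print(label, diagnose(text, GOOD_LOG))
```

The peer's `<auth ...>` line only appears once pppd debugging is enabled, which is why the NetworkManager logs earlier in the thread show "LCP terminated by peer" without it.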
