nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Connection problem: pppd[36241]: LCP terminated by peer #153

Closed xqqy closed 3 years ago

xqqy commented 3 years ago

Dear developer:

Thanks for your project. But for me there is a problem that stops me from using it to connect to my university's VPN, and I have no idea how to solve it at all. Hope you could help me.

Starting from the server: I think our school uses Huawei's L2TP VPN gateway (I guess that because we get the "SecoClient" software for Windows and Mac from the Network Centre website). It works well on Windows, both with the default VPN client and with Huawei's SecoClient, and on Android with the "L2TP/IPSEC PSK" VPN type.

Back to Linux (I'm using Debian buster now): I added my connection in KDE settings and set the "Phase1 Algorithms" and "Phase2 Algorithms". Further, I have tried 'systemctl stop xl2tpd', which did not work for me either. What happens is that after I click "connect", it shows "connected OK" for a while and then disconnects by itself. During this period, no network is available at all.

Following is the log and my system information. For privacy reasons I have replaced my student number, user name and secrets with '☺️', including in the log. Hope you could help me.

Log and information

connection
  id : 'BTBU-VPN'
  permissions : ['user:☺️☺️☺️☺️:']
  type : 'vpn'
  uuid : '65db84d1-01dc-45bc-9bf0-8af65de45759'

vpn
  data : {'gateway': 'lvpn.btbu.edu.cn', 'ipsec-enabled': 'yes', 'ipsec-esp': 'aes256-sha1,aes128-sha1,3des-sha1!', 'ipsec-forceencaps': 'yes', 'ipsec-ike': 'aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!', 'ipsec-psk': '☺️☺️☺️☺️', 'password-flags': '0', 'user': '☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️'}
  secrets : {'password': '☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️☺️'}
  service-type : 'org.freedesktop.NetworkManager.l2tp'

ipv4
  dns : []
  dns-search : []
  method : 'auto'

ipv6
  dns : []
  dns-search : []
  method : 'auto'

nm-l2tp[37547] starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.7.2 IPsec [starter]...
Loading config setup
Loading conn '65db84d1-01dc-45bc-9bf0-8af65de45759'
found netkey IPsec stack
nm-l2tp[37547] Spawned ipsec up script with PID 37623.
initiating Main Mode IKE_SA 65db84d1-01dc-45bc-9bf0-8af65de45759[1] to 203.93.30.78
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.247[500] to 203.93.30.78[500] (532 bytes)
received packet: from 203.93.30.78[500] to 192.168.1.247[500] (164 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 48:55:41:57:45:49:2d:49:4b:45:76:31:44:53:43:50
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.247[500] to 203.93.30.78[500] (372 bytes)
received packet: from 203.93.30.78[500] to 192.168.1.247[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.1.247[4500] to 203.93.30.78[4500] (76 bytes)
received packet: from 203.93.30.78[4500] to 192.168.1.247[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 65db84d1-01dc-45bc-9bf0-8af65de45759[1] established between 192.168.1.247[192.168.1.247]...203.93.30.78[203.93.30.78]
scheduling reauthentication in 9816s
maximum IKE_SA lifetime 10356s
generating QUICK_MODE request 367104570 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.1.247[4500] to 203.93.30.78[4500] (252 bytes)
received packet: from 203.93.30.78[4500] to 192.168.1.247[4500] (188 bytes)
parsed QUICK_MODE response 367104570 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA 65db84d1-01dc-45bc-9bf0-8af65de45759{1} established with SPIs c34cbc72_i 0b2df6f6_o and TS 192.168.1.247/32[udp/l2f] === 203.93.30.78/32[udp/l2f]
connection '65db84d1-01dc-45bc-9bf0-8af65de45759' established successfully
nm-l2tp[37547] strongSwan IPsec tunnel is up.
Message: 22:55:52.670: xl2tpd started with pid 37633
xl2tpd[37633]: Not looking for kernel SAref support.
xl2tpd[37633]: Using l2tp kernel support.
xl2tpd[37633]: xl2tpd version xl2tpd-1.3.12 started on XQQY-debian PID:37633
xl2tpd[37633]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[37633]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[37633]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[37633]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[37633]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[37633]: get_call: allocating new tunnel for host 203.93.30.78, port 1701.
xl2tpd[37633]: Connecting to host 203.93.30.78, port 1701
xl2tpd[37633]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[37633]: control_finish: sending SCCRQ
xl2tpd[37633]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[37633]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[37633]: framing_caps_avp: supported peer frames: async sync
xl2tpd[37633]: hostname_avp: peer reports hostname 'L_USG6650'
xl2tpd[37633]: assigned_tunnel_avp: using peer's tunnel 35
xl2tpd[37633]: bearer_caps_avp: supported peer bearers: analog digital
xl2tpd[37633]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
xl2tpd[37633]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 35, call is 0.
xl2tpd[37633]: control_finish: sending SCCCN
xl2tpd[37633]: Connection established to 203.93.30.78, 1701. Local: 42373, Remote: 35 (ref=0/0).
xl2tpd[37633]: Calling on tunnel 42373
xl2tpd[37633]: control_finish: message type is (null)(0). Tunnel is 35, call is 0.
xl2tpd[37633]: control_finish: sending ICRQ
xl2tpd[37633]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[37633]: assigned_call_avp: using peer's call 1227
xl2tpd[37633]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 35, call is 1227.
xl2tpd[37633]: control_finish: Sending ICCN
xl2tpd[37633]: Call established with 203.93.30.78, Local: 19741, Remote: 1227, Serial: 1 (ref=0/0)
xl2tpd[37633]: start_pppd: I'm running:
xl2tpd[37633]: "/usr/sbin/pppd"
xl2tpd[37633]: "plugin"
xl2tpd[37633]: "pppol2tp.so"
xl2tpd[37633]: "pppol2tp"
xl2tpd[37633]: "7"
xl2tpd[37633]: "passive"
xl2tpd[37633]: "nodetach"
xl2tpd[37633]: ":"
xl2tpd[37633]: "debug"
xl2tpd[37633]: "file"
xl2tpd[37633]: "/run/nm-l2tp-ppp-options-65db84d1-01dc-45bc-9bf0-8af65de45759"
xl2tpd[37633]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[37633]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
xl2tpd[37633]: assigned_call_avp: using peer's call 1227
xl2tpd[37633]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 35, call is 1227.
xl2tpd[37633]: control_finish: Connection closed to 203.93.30.78, serial 1 ()
xl2tpd[37633]: Terminating pppd: sending TERM signal to pid 37634
nm-l2tp[37547] Terminated xl2tpd daemon with PID 37633.
xl2tpd[37633]: death_handler: Fatal signal 15 received
xl2tpd[37633]: Connection 35 closed to 203.93.30.78, port 1701 (Server closing)
Stopping strongSwan IPsec...
Message: 22:56:48.903: ipsec shut down
nm-l2tp[37547] xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 22:56:48.907: ipsec shut down

- sudo tail -f /var/log/messages

Jan 23 22:53:41 XQQY-debian NetworkManager[928]: [1611413621.7707] settings-connection[0x563dcd57b530,65db84d1-01dc-45bc-9bf0-8af65de45759]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/BTBU-VPN.nmconnection (65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN"))
Jan 23 22:55:49 XQQY-debian NetworkManager[928]: [1611413749.3669] audit: op="connection-activate" uuid="65db84d1-01dc-45bc-9bf0-8af65de45759" name="BTBU-VPN" pid=37478 uid=1000 result="success"
Jan 23 22:55:49 XQQY-debian NetworkManager[928]: [1611413749.3707] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",0]: Saw the service appear; activating connection
Jan 23 22:55:52 XQQY-debian NetworkManager[928]: [1611413752.6715] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",0]: VPN plugin: state changed: starting (3)
Jan 23 22:55:52 XQQY-debian pppd[37634]: Plugin pppol2tp.so loaded.
Jan 23 22:55:52 XQQY-debian pppd[37634]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Jan 23 22:55:52 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] initializing
Jan 23 22:55:52 XQQY-debian pppd[37634]: pppd 2.4.7 started by xqqy, uid 0
Jan 23 22:55:52 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 3 / phase 'serial connection'
Jan 23 22:55:52 XQQY-debian NetworkManager[928]: [1611413752.6884] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
Jan 23 22:55:52 XQQY-debian pppd[37634]: Using interface ppp0
Jan 23 22:55:52 XQQY-debian pppd[37634]: Connect: ppp0 <-->
Jan 23 22:55:52 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 5 / phase 'establish'
Jan 23 22:55:52 XQQY-debian pppd[37634]: Overriding mtu 1500 to 1400
Jan 23 22:55:52 XQQY-debian pppd[37634]: Overriding mru 1500 to mtu value 1400
Jan 23 22:55:55 XQQY-debian pppd[37634]: Overriding mtu 1500 to 1400
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 6 / phase 'authenticate'
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] passwd-hook: requesting credentials...
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] passwd-hook: got credentials from NetworkManager-l2tp
Jan 23 22:55:55 XQQY-debian pppd[37634]: CHAP authentication succeeded: Welcome to .
Jan 23 22:55:55 XQQY-debian pppd[37634]: CHAP authentication succeeded
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 8 / phase 'network'
Jan 23 22:55:55 XQQY-debian pppd[37634]: local IP address 10.140.217.118
Jan 23 22:55:55 XQQY-debian pppd[37634]: remote IP address 203.93.30.78
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7020] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jan 23 22:55:55 XQQY-debian pppd[37634]: primary DNS address 59.64.80.111
Jan 23 22:55:55 XQQY-debian pppd[37634]: secondary DNS address 211.82.112.111
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 9 / phase 'running'
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7028] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] ip-up: event
Jan 23 22:55:55 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] ip-up: sending Ip4Config to NetworkManager-l2tp...
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7114] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: VPN Gateway: 203.93.30.78
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Tunnel Device: "ppp0"
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: IPv4 configuration:
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Internal Address: 10.140.217.118
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Internal Prefix: 32
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Internal Point-to-Point Address: 203.93.30.78
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Static Route: 0.0.0.0/0 Next Hop: 0.0.0.0
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7119] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Static Route: 203.93.30.78/32 Next Hop: 0.0.0.0
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7120] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Internal DNS: 59.64.80.111
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7120] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: Internal DNS: 211.82.112.111
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7120] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: DNS Domain: '(none)'
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7120] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: Data: No IPv6 configuration
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7120] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: VPN plugin: state changed: started (4)
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7126] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: VPN connection: (IP Config Get) complete
Jan 23 22:55:55 XQQY-debian NetworkManager[928]: [1611413755.7163] policy: set 'BTBU-VPN' (ppp0) as default for IPv4 routing and DNS
Jan 23 22:56:45 XQQY-debian pppd[37634]: LCP terminated by peer
Jan 23 22:56:45 XQQY-debian NetworkManager[928]: [1611413805.7966] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Jan 23 22:56:45 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 8 / phase 'network'
Jan 23 22:56:45 XQQY-debian pppd[37634]: Connect time 0.9 minutes.
Jan 23 22:56:45 XQQY-debian pppd[37634]: Sent 1154292029 bytes, received 0 bytes.
Jan 23 22:56:45 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 5 / phase 'establish'
Jan 23 22:56:45 XQQY-debian pppd[37634]: Overriding mtu 1500 to 1400
Jan 23 22:56:45 XQQY-debian pppd[37634]: Overriding mru 1500 to mtu value 1400
Jan 23 22:56:45 XQQY-debian pppd[37634]: Terminating on signal 15
Jan 23 22:56:45 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 10 / phase 'terminate'
Jan 23 22:56:48 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 11 / phase 'disconnect'
Jan 23 22:56:48 XQQY-debian pppd[37634]: Connection terminated.
Jan 23 22:56:48 XQQY-debian NetworkManager[928]: [1611413808.7990] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: VPN plugin: state changed: stopping (5)
Jan 23 22:56:48 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] phasechange: status 1 / phase 'dead'
Jan 23 22:56:48 XQQY-debian pppd[37634]: Modem hangup
Jan 23 22:56:48 XQQY-debian pppd[37634]: nm-l2tp[37547] [helper-37634] exit: cleaning up
Jan 23 22:56:48 XQQY-debian pppd[37634]: Exit.
Jan 23 22:56:48 XQQY-debian NetworkManager[928]: [1611413808.9039] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",11:(ppp0)]: VPN plugin: state changed: stopped (6)
Jan 23 22:56:48 XQQY-debian NetworkManager[928]: [1611413808.9085] policy: set '有线网络' (enp5s0) as default for IPv4 routing and DNS
Jan 23 22:56:48 XQQY-debian NetworkManager[928]: [1611413808.9126] vpn-connection[0x563dcd62e150,65db84d1-01dc-45bc-9bf0-8af65de45759,"BTBU-VPN",0]: VPN plugin: failed: connect-failed (1)


- system information:

System: Debian GNU/Linux 10
KDE Plasma version: 5.14.5
Qt version: 5.11.3
KDE Frameworks version: 5.54.0
Kernel version: 4.19.0-13-amd64
OS type: 64-bit
Processor: 12 × AMD Ryzen 5 3600 6-Core Processor
Memory: 15.6 GiB

- network-manager-l2tp information:

Package: network-manager-l2tp
Version: 1.2.10-1
Installed-Size: 580
Maintainer: Douglas Kosovic doug@uq.edu.au
Architecture: amd64
Depends: libc6 (>= 2.4), libglib2.0-0 (>= 2.41.1), libnm0 (>= 1.1.90), ppp (<< 2.4.7-3~), ppp (>= 2.4.7-2+~), network-manager (>= 1.2.0), xl2tpd, strongswan | libreswan
Description-en: network management framework (L2TP plugin core)
 NetworkManager is a system network service that manages your network devices and connections, attempting to keep active network connectivity when available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different VPN services.
 .
 This package provides a VPN plugin for L2TP with optional IPsec support.
Description-md5: b8d9d1900636d73d8e74c8b4bff1cf02
Homepage: https://github.com/nm-l2tp/network-manager-l2tp
Section: net
Priority: optional
Filename: pool/main/n/network-manager-l2tp/network-manager-l2tp_1.2.10-1_amd64.deb
Size: 96380
MD5sum: c9fe9e480c3e6bc928431da95f785d1b
SHA256: e94bd9c649dd43ed19974586887fc5d8d811b1d325ab8f3e0ea2005fc6272d14

dkosovic commented 3 years ago

It is a great bug report, but I'm at a loss as to what is wrong.

You could try blacklisting the l2tp_netlink and l2tp_ppp kernel modules and see if you have more luck with userspace.

Create a /etc/modprobe.d/blacklist-l2tp_netlink.conf file which contains:

blacklist l2tp_netlink

Create a /etc/modprobe.d/blacklist.conf-l2tp_ppp file that contains :

blacklist l2tp_ppp

then reboot.

xqqy commented 3 years ago

Thanks for your reply. However, in short, it seems I don't have enough luck with userspace and these methods did not work for me.

I tried both creating /etc/modprobe.d/blacklist-l2tp_netlink.conf together with /etc/modprobe.d/blacklist.conf-l2tp_ppp, and together with /etc/modprobe.d/blacklist-l2tp_ppp.conf (I think the latter is the right filename for it to work, otherwise lsmod would still show l2tp_ppp and l2tp_netlink as loaded).

What I could do is attach a log file...

dkosovic commented 3 years ago

I'm not really sure what is going on. According to the LCP terminated by peer message, it is the VPN server terminating the connection for some reason, perhaps the server logs might give some insight.

In the PPP Options dialog box, you could try ticking "Send PPP echo packets". Although it doesn't appear to be an authentication issue, you could try unticking all the authentication methods in the PPP Options except for MSCHAPv2. The logs say CHAP authentication succeeded, so it isn't clear which version of CHAP succeeded; sometimes selecting only MSCHAPv2 fixes issues.

dkosovic commented 3 years ago

I notice Huawei has a somewhat dated CentOS 7 openswan + xl2tpd example for connecting to their L2TP VPN server:

I would ignore the openswan instructions and use the NetworkManager-l2tp generated ipsec.conf file instead, and continue to use strongswan as you have been able to establish an IPsec connection with strongswan. To establish an IPsec connection on the command line, issue:

sudo ipsec restart --conf /var/run/nm-l2tp-65db84d1-01dc-45bc-9bf0-8af65de45759/ipsec.conf --debug
sleep 2
sudo ipsec up 65db84d1-01dc-45bc-9bf0-8af65de45759

sudo ipsec status

Follow the Huawei instructions for /etc/ppp/peers/testvpn.l2tpd , /etc/xl2tpd/xl2tpd.conf and /etc/ppp/chap-secrets along with enabling services (IP forwarding) and the routing.

To perform the xl2tpd connection, issue:

sudo systemctl restart xl2tpd
echo "c testvpn" > /var/run/xl2tpd/l2tp-control

If you are able to establish a connection with xl2tpd using the Huawei instructions, then there is something we need to add or remove from the NetworkManager-l2tp generated xl2tpd.conf and/or ppp-options files to make it compatible with the Huawei VPN server.

xqqy commented 3 years ago

Sorry for taking so long to reply. I spent some time on how to set up an L2TP VPN with the xl2tpd CLI interface. And I found that even when I set the VPN up manually, it behaved the same way as nm-l2tp did. So maybe it is Huawei's fault? Following is my simple reasoning.

What's more, I managed to find Huawei's GUI VPN application 'SecoClient' on a website, which does work. Following Huawei's instructions, the last step is 'Add a route to the intranet.' In that step, 10.1.1.0 is set on Huawei's router.

route add -net 10.1.1.0 netmask 255.255.255.0 dev ppp0    # ppp0 indicates the PPP interface generated after L2TP negotiation

Therefore, I looked at the output of sudo route, where I found these differences:

enp5s0 is my network card. I have no idea what 'XiaoQiang' means, but it seems to be a Chinese-related word.

dkosovic commented 3 years ago

I think XiaoQiang is what systemd usually labels _gateway.

L2TP/IPsec is a PPP based VPN, so it is no surprise to notice ppp0 in the routing table's interface column. The IPsec used with L2TP/IPsec is IKEv1.

The newer IPsec IKEv2 does not use L2TP (and therefore PPP). I suspect the Huawei SecoClient is using IPsec IKEv2. NetworkManager-strongswan and later versions of NetworkManager-libreswan are IPsec IKEv2 GUI clients. You might have more luck with those clients. But I don't think NetworkManager-libreswan has been packaged for Debian.

There is an IPsec IKEv1 mode that doesn't use L2TP and uses XAUTH instead, which is what older Cisco and some other VPN servers use, but I suspect that is not the case here. NetworkManager-libreswan supports this case.

sudo apt install resolvconf might help with your DNS issue.

dkosovic commented 3 years ago

I think the following NetworkManager-l2tp route might be causing issues:

203.93.30.78    0.0.0.0         255.255.255.255 UH    50     0        0 ppp0

See https://github.com/nm-l2tp/NetworkManager-l2tp/issues/132, it was fixed with NetworkManager-l2tp 1.8.6.

As a temp workaround, you could issue:

sudo route del -net 203.93.30.78 gw 0.0.0.0 netmask 255.255.255.255 dev ppp0
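
The route dkosovic points at above (a metric-50 host route to the VPN gateway 203.93.30.78 leaving via ppp0) and the "Sent 1154292029 bytes, received 0 bytes." line in the pppd log of the first post fit together: if the kernel's selected route for the gateway goes through the tunnel, the encapsulated IPsec/L2TP packets addressed to the gateway are pushed back into the tunnel instead of out over the physical uplink, so traffic leaves ppp0 but nothing ever returns. The following is an added example, not code from the NetworkManager-l2tp project: it parses `route -n` output and pppd syslog lines, reports when the VPN gateway is routed via the tunnel device, and prints the `route del` workaround in the same form dkosovic gave. The embedded route table is constructed: the ppp0 host route is the line quoted above, while the enp5s0 entries and the 192.168.1.1 uplink gateway are assumptions; the two pppd lines are copied from the syslog excerpt in the first post.

```python
"""Route-table and pppd-log sanity check for an L2TP/IPsec client.

Added example for this thread; not code from NetworkManager-l2tp.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    metric: int
    iface: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # `route -n` prints a dotted mask; ipaddress accepts "addr/dotted-mask".
        return ipaddress.IPv4Network(f"{self.dest}/{self.genmask}", strict=False)


def parse_route_n(text: str) -> List[Route]:
    """Parse the output of `route -n` (the format quoted in the thread)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] in ("Kernel", "Destination"):
            continue  # header lines
        dest, gw, mask, flags, metric, _ref, _use, iface = cols
        routes.append(Route(dest, gw, mask, flags, int(metric), iface))
    return routes


def best_route(routes: List[Route], addr: str) -> Optional[Route]:
    """Route the kernel selects: longest prefix first, then lowest metric."""
    a = ipaddress.IPv4Address(addr)
    candidates = [r for r in routes if a in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def gateway_route_via_tunnel(routes: List[Route], gateway: str, tunnel_dev: str) -> Optional[Route]:
    """The VPN gateway must be reached over the physical uplink; if the
    selected route leaves via the tunnel, encapsulated packets for the
    gateway are fed back into the tunnel and never reach it."""
    r = best_route(routes, gateway)
    return r if r is not None and r.iface == tunnel_dev else None


def workaround_command(r: Route) -> str:
    """Same shape as the temporary workaround suggested in the thread."""
    return f"sudo route del -net {r.dest} gw {r.gateway} netmask {r.genmask} dev {r.iface}"


def ppp_byte_counts(log: str) -> Optional[Tuple[int, int]]:
    """(sent, received) from pppd's 'Sent N bytes, received M bytes.' line."""
    m = re.search(r"Sent (\d+) bytes, received (\d+) bytes", log)
    return (int(m.group(1)), int(m.group(2))) if m else None


def diagnose(route_text: str, log_text: str, gateway: str, tunnel_dev: str) -> List[str]:
    findings = []
    loop = gateway_route_via_tunnel(parse_route_n(route_text), gateway, tunnel_dev)
    if loop is not None:
        findings.append(f"gateway {gateway} is routed via {loop.iface} (metric {loop.metric}); "
                        f"workaround: {workaround_command(loop)}")
    counts = ppp_byte_counts(log_text)
    if counts is not None and counts[0] > 0 and counts[1] == 0:
        findings.append(f"pppd sent {counts[0]} bytes and received 0: nothing comes back over {tunnel_dev}")
    return findings


# Constructed `route -n` table: the ppp0 host route is the line quoted in the
# thread; the enp5s0 entries and the 192.168.1.1 uplink gateway are assumed.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp5s0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp5s0
203.93.30.78    0.0.0.0         255.255.255.255 UH    50     0        0 ppp0
203.93.30.78    192.168.1.1     255.255.255.255 UGH   100    0        0 enp5s0
"""

# Two pppd lines copied from the syslog excerpt in the first post.
SAMPLE_PPPD_LOG = """\
Jan 23 22:56:45 XQQY-debian pppd[37634]: LCP terminated by peer
Jan 23 22:56:45 XQQY-debian pppd[37634]: Sent 1154292029 bytes, received 0 bytes.
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ROUTE_N, SAMPLE_PPPD_LOG, "203.93.30.78", "ppp0"):
        print(finding)
```

Run it against `route -n` and the pppd lines from `/var/log/messages` of a failing connection; once the ppp0 host route is deleted, `best_route` selects the enp5s0 entry and the check is silent. The reading of the byte counts as a symptom of the route loop is this editor's, not something the thread states.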

xqqy commented 3 years ago

> I think the following NetworkManager-l2tp route might be causing issues:
>
> 203.93.30.78    0.0.0.0         255.255.255.255 UH    50     0        0 ppp0
>
> See #132, it was fixed with NetworkManager-l2tp 1.8.6.
>
> As a temp workaround, you could issue:
>
> sudo route del -net 203.93.30.78 gw 0.0.0.0 netmask 255.255.255.255 dev ppp0

Thanks a lot, this does solve the whole problem.