nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Failed to connect to MSCHAPv2 IPSec/L2TP VPN from Linux #198

Closed tukusejssirs closed 1 year ago

tukusejssirs commented 1 year ago

I need to connect to VPN_1, which has a similar configuration to another VPN, VPN_2. I can successfully connect to VPN_2 (although I need to remove a route), but it fails to connect to VPN_1. I can connect to both on MS Windows 10. Both require using MSCHAPv2.

This is what works for VPN_2:

nmcli c add con-name "$con_name" type vpn vpn-type l2tp vpn.data "gateway=$vpn_ip, ipsec-enabled=yes, ipsec-psk=$psk, password-flags=0, user=$user" vpn.secrets "password=$pass"

nmcli c up "$con_name"; sudo ip r del "$vpn_ip"

But it does not work for VPN_1. I also tried to create the connection using:

nmcli c add con-name "$con_name" type vpn vpn-type l2tp vpn.data "gateway=$vpn_ip, ipsec-enabled=yes, ipsec-psk=$psk, password-flags=0, user=$user" vpn.secrets "password=$pass refuse-chap=yes refuse-eap=yes refuse-mschap=yes refuse-pap=yes"

which fails too.

I’ve found these logs in journalctl -b:

Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Using l2tp kernel support.
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: xl2tpd version xl2tpd-1.3.18 started on $hostname PID:196098
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Inherited by Jeff McAdams, (C) 2002
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Listening on IP address 0.0.0.0, port 1701
Dec 13 17:19:29 $hostname NetworkManager[196098]: xl2tpd[196098]: Connecting to host $vpn_ip, port 1701
Dec 13 17:19:29 $hostname kernel: l2tp_ppp: PPPoL2TP kernel driver, V2.0
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: Connection established to $vpn_ip, 1701.  Local: 53073, Remote: 42483 (ref=0/0).
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: Calling on tunnel 53073
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: check_control: Received out of order control packet on tunnel 42483 (got 0, expected 1)
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: handle_control: bad control packet!
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: Call established with $vpn_ip, Local: 34555, Remote: 5652, Serial: 1 (ref=0/0)
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: start_pppd: I'm running:
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "/usr/sbin/pppd"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "plugin"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "pppol2tp.so"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "pppol2tp"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "7"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "passive"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "nodetach"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: ":"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "file"
Dec 13 17:19:32 $hostname NetworkManager[196098]: xl2tpd[196098]: "/var/run/nm-l2tp-5b494393-7666-490a-b673-3643c7037095/ppp-options"
Dec 13 17:19:32 $hostname pppd[196175]: Plugin pppol2tp.so loaded.
Dec 13 17:19:32 $hostname pppd[196175]: Plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so loaded.
Dec 13 17:19:32 $hostname pppd[196175]: pppd 2.4.9 started by root, uid 0
Dec 13 17:19:32 $hostname pppd[196175]: Using interface ppp0
Dec 13 17:19:32 $hostname pppd[196175]: Connect: ppp0 <-->
Dec 13 17:19:32 $hostname pppd[196175]: Overriding mtu 1500 to 1400
Dec 13 17:19:32 $hostname pppd[196175]: Overriding mru 1500 to mtu value 1400
Dec 13 17:19:32 $hostname NetworkManager[799]: <info>  [1670948372.6108] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/86)
Dec 13 17:19:35 $hostname pppd[196175]: Overriding mtu 1500 to 1400
Dec 13 17:19:35 $hostname pppd[196175]: EAP: Identity prompt "Name"
Dec 13 17:19:36 $hostname pppd[196175]: EAP: peer reports authentication failure
Dec 13 17:19:36 $hostname pppd[196175]: Overriding mtu 1500 to 1400
Dec 13 17:19:36 $hostname pppd[196175]: Overriding mru 1500 to mtu value 1400
Dec 13 17:19:36 $hostname pppd[196175]: Connection terminated.
Dec 13 17:19:36 $hostname charon[195882]: 14[KNL] interface ppp0 deleted
Dec 13 17:19:36 $hostname NetworkManager[196098]: xl2tpd[196098]: death_handler: Fatal signal 15 received
Dec 13 17:19:36 $hostname NetworkManager[196098]: xl2tpd[196098]: Terminating pppd: sending TERM signal to pid 196175
Dec 13 17:19:36 $hostname NetworkManager[196098]: xl2tpd[196098]: Connection 42483 closed to $vpn_ip, port 1701 (Server closing)
Dec 13 17:19:36 $hostname NetworkManager[799]: <warn>  [1670948376.8671] vpn[0x558f494e80b0,5b494393-7666-490a-b673-3643c7037095,"vpn_mriiot_cct"]: dbus: failure: connect-failed (1)

I use Arch Linux.

Versions:


Thanks for the help! :pray:

tukusejssirs commented 1 year ago

Aaargh, it seems like I misplaced the protocol config (which protocols should be disabled).

It actually works using:

nmcli c add con-name "$con_name" type vpn vpn-type l2tp vpn.data "gateway=$vpn_ip, ipsec-enabled=yes, ipsec-psk=$psk, password-flags=0, user=$user, refuse-chap=yes, refuse-eap=yes, refuse-mschap=yes, refuse-pap=yes" vpn.secrets "password=$pass"

Sorry for the noise! :pray:

A bit OT: is there a list of all config options? :pray:
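
Added example (not part of the original thread or the NetworkManager-l2tp project): a shell check for the mistake resolved above, where the refuse-* options were appended to vpn.secrets instead of being listed in vpn.data. The helper names, the required-key list and all sample values are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint nmcli vpn.data / vpn.secrets strings for the mistake
# in this thread. All sample values below are constructed placeholders.

# Options the working command in this thread sets in vpn.data.
REFUSE_KEYS="refuse-chap refuse-eap refuse-mschap refuse-pap"

# Print the key of each comma-separated "key=value" entry, one per line.
list_keys() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/=.*$//' -e '/^$/d'
}

# lint_l2tp_auth DATA SECRETS  (hypothetical helper name)
# Prints "ok" and returns 0 when every REFUSE_KEYS entry is in DATA and none
# appears in SECRETS; otherwise prints the findings and returns 1.
lint_l2tp_auth() {
    data_keys=$(list_keys "$1")
    # Flatten commas so space-separated and comma-separated forms both match.
    flat_secrets=" $(printf '%s' "$2" | tr ',' ' ') "
    findings=""
    for key in $REFUSE_KEYS; do
        case "$flat_secrets" in
            *" $key="*) findings="$findings misplaced:$key" ;;
        esac
        printf '%s\n' "$data_keys" | grep -qxF -- "$key" ||
            findings="$findings missing:$key"
    done
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
        return 1
    fi
    echo ok
}

base="gateway=192.0.2.10, ipsec-enabled=yes, ipsec-psk=EXAMPLE-PSK, password-flags=0, user=alice"
refuse="refuse-chap=yes refuse-eap=yes refuse-mschap=yes refuse-pap=yes"

# Failing form: options appended to vpn.secrets.
lint_l2tp_auth "$base" "password=EXAMPLE-PASS $refuse" || true
# Working form: options as comma-separated vpn.data entries.
lint_l2tp_auth "$base, $(printf '%s' "$refuse" | sed 's/ /, /g')" "password=EXAMPLE-PASS"
```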

dkosovic commented 1 year ago

> A bit OT: is there a list of all config options? :pray:

See: