nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Problem to connect L2TP Server with MPPE-128 Cryptographic #217

Closed isdn-network closed 8 months ago

isdn-network commented 8 months ago

Good Day.

I want to report a bug in the L2TP plugin for network-manager-l2tp-gnome.

OS: Debian 12. NetworkManager v1.30.0

The bug: I can't connect to my L2TP server with MPPE-128 security.

I can successfully connect from the NM GUI only without MPPE-128.

However, I manually set MPPE-128 to ENABLE in the NetworkManager GUI on my L2TP VPN connection.

As a result, MPPE-128 never works. The connection succeeds only without MPPE-128.

If I create the L2TP VPN manually in the system files /etc/xl2tpd/xl2tpd.conf and /etc/ppp/options.l2tp, I can successfully connect over L2TP with MPPE-128 via the terminal command xl2tpd.

I manually added the parameter require-mppe-128 to the file options.l2tp.

If I start it from the terminal with the command xl2tpd -D, I see that L2TP started successfully and MPPE-128 works fully.

MPPE-128 doesn't work only with NetworkManager.

Also, MPPE-128 doesn't work in NM on all other Linux OSes: Ubuntu, Mint, Fedora, and others.

From studying the syslog from xl2tpd, we can conclude that NM does not pass the required connection parameter to xl2tpd, namely require-mppe-128.

At the same time, in the config of my L2TP VPN connection at /etc/networkmanager/system-connection/myl2tp.nmconnection, the parameter "require-mppe-128 = yes" is present.

However, NetworkManager apparently does not pass this parameter to the xl2tpd/pppd daemons. Therefore, L2TP connects without MPPE-128 encryption.

Could this problem be in the libraries nm-l2tp-pppd-plugin.so and pppol2tp.so, or in other NM libraries?

Maybe you can help me with this problem?

dkosovic commented 8 months ago

Is require-mppe-128 in the /var/run/nm-l2tp-*/ppp-options file that gets generated and is passed to xl2tpd/pppd?

If the ppp-options file is missing, run the following and try reconnecting the VPN; the generated files won't get deleted:

```
sudo killall -TERM nm-l2tp-service
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
```

isdn-network commented 8 months ago

The file /var/run/nm-l2tp-*/ppp-options exists and looks like this:

```
ipparam nm-l2tp-service-4e250d8f-1d86-4e6c-bfb2-12c70f143729
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-pap
refuse-chap
require-mppe-128
mppe-stateful
nobsdcomp
nodeflate
novj
nopcomp
noaccomp
lcp-echo-failure 0
lcp-echo-interval 0
plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so
mru 1452
mtu 1452
```

require-mppe-128 is there, but maybe it isn't passed on to xl2tpd?

dkosovic commented 8 months ago

There is a pppoptfile option in /var/run/nm-l2tp-*/xl2tpd.conf pointing at the ppp-options file, and that xl2tpd.conf file is passed as an argument to xl2tpd, e.g.:

```
/usr/bin/xl2tpd -D -c .../xl2tpd.conf -C .../xl2tpd-control -p .../xl2tpd.pid
```

(note: .../ was just used for brevity, it would actually be a /var/run/nm-l2tp-*/ directory)

xl2tpd has been known to swallow ppp options and not pass them all along to xl2tpd's pppd child process, e.g. https://github.com/xelerance/xl2tpd/issues/108

I suspect you'll get the same issue if you modify /etc/ppp/options.l2tp to have the same options as the ppp-options file you provided in the last message (although don't use the plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so line which won't work without the rest of nm-l2tp).

nm-l2tp has switched to kl2tpd which is less buggy and only falls back to xl2tpd if kl2tpd isn't installed.

Debian doesn't have the go-l2tp package which includes kl2tpd yet, but the upstream authors are making one. But kl2tpd can readily be installed and run as /usr/local/sbin/kl2tpd by doing:

```
sudo apt install golang

go install "github.com/katalix/go-l2tp/...@latest"
sudo mkdir /usr/local/sbin
sudo cp go/bin/kl2tpd /usr/local/sbin
```

isdn-network commented 8 months ago

Thanks. How to switch NM to work with kl2tpd daemon?

dkosovic commented 8 months ago

If it detects a /usr/local/sbin/kl2tpd or /usr/sbin/kl2tpd file, it automatically uses kl2tpd.

Just follow the previous go install instructions to install kl2tpd to /usr/local/sbin/

isdn-network commented 8 months ago

Thanks. I successfully installed kl2tpd, but my L2TP connection does not work with MPPE-128. Without MPPE-128 everything works well. Why? Do you have any ideas? I can upload the log from the /usr/lib/NetworkManager/nm-l2tp-service --debug command.

dkosovic commented 8 months ago

Sorry to hear kl2tpd didn't help. I have no idea what could be happening with mppe-128.

Unfortunately, pppd debugging continues to go to the journal even with nm-l2tp-service --debug, which adds a debug option to the options file; the following might show the MPPE negotiation when nm-l2tp-service --debug is used:

```
sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
```

If you want to upload log that's fine.

The same /var/run/nm-l2tp-*/ppp-options file is used for both kl2tpd and xl2tpd with nm-l2tp, so it looks like the same issue with both.

isdn-network commented 8 months ago

I assume that the problem is only with NetworkManager and the NM libraries, not in the kl2tpd/xl2tpd daemons.

Because from the terminal, if you give the command directly to xl2tpd/kl2tpd, then everything works correctly.

dkosovic commented 8 months ago

If I enable mppe-128 and start with the aforementioned nm-l2tp-service --debug, which increases pppd debugging, and use the following to see the pppd journal logs:

```
journalctl --no-hostname SYSLOG_IDENTIFIER=pppd
```

I see the following in there:

```
Nov 03 20:16:24 pppd[4644]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
```

I suspect because I enabled MPPE and MPPE is negotiated through the Compression Control Protocol (CCP) I get that error message.

Do you see any errors or otherwise about CCP or MPPE negotiations in the journal logs?

I suspect most L2TP/IPsec users don't use MPPE as there is no need when a much stronger IPsec encryption is used.

isdn-network commented 8 months ago

Good Morning. Yes, I reproduced this situation, enabled the pppd debug log and also see the "error with CCP".

I know IPsec would be better, but I need exactly MPPE-128 :) It's a matter of principle))

I think this problem is not in the pppd/xl2tpd/kl2tpd daemons; this problem is in the MikroTik L2TP server implementation or in the NetworkManager L2TP libraries.

If I use a PPTP connection to the MikroTik, MPPE works well, and I do not see the CCP error in the debug log.

Also, if I manually start L2TP in the terminal with manual config files, MPPE also works well in the L2TP connection.

I think the NM and nm-l2tp library developers need to reproduce this against an L2TP server on a MikroTik and look for how to fix this bug.

Neither you nor I can fix this bug manually.

Also, I created a bug report for the MikroTik RouterOS developers about this bug.

dkosovic commented 8 months ago

Your /var/run/nm-l2tp-*/ppp-options file has noccp which disables Compression Control Protocol, are you sure the manual config files you used had the same PPP options?

Commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5fe98f70344e842faa28014be7ba259c2db7ae8b back in 2013 (long before I maintained the code) was when the noccp option was added:

```c
/* pppd and xl2tpd on Linux require this option to support Android and iOS clients,
    and pppd on Linux clients won't work without the same option */
write_config_option (pppopt_fd, "noccp\n");
```

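
The two diagnostics used in this thread, the generated ppp-options file and the CCP rejection in the pppd journal, can be checked mechanically. The following is an added example and not code from nm-l2tp, NetworkManager or pppd: a POSIX shell script that flags a noccp (or -ccp) option sitting next to require-mppe* in a pppd options file, and scans pppd journal lines for the "Unsupported protocol 'Compression Control Protocol'" message. The function names and exit codes are this example's own; the sample options file and log line in the demo functions are constructed from what was posted above. The point worth catching: MPPE is negotiated inside CCP, so noccp silently makes require-mppe-128 unsatisfiable, and on plain L2TP without IPsec MPPE is the only encryption the tunnel has.

```shell
#!/bin/sh
# Added example (not nm-l2tp/NetworkManager/pppd code): sanity-check the pppd options
# that nm-l2tp generates in /var/run/nm-l2tp-*/ppp-options. MPPE is negotiated inside
# CCP, so "noccp" next to "require-mppe*" can never succeed, and pppd then rejects CCP
# with the "Unsupported protocol" message seen in this thread.

# Print an options file one option per line, with comments, blank lines and
# surrounding whitespace removed.
ppp_tokens() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_ppp_options FILE
#   returns 0: MPPE required and CCP left enabled (consistent)
#   returns 1: MPPE required but CCP disabled by noccp / -ccp (MPPE cannot be negotiated)
#   returns 2: no require-mppe option at all (over plain L2TP the PPP payload is then
#              unencrypted unless IPsec wraps the tunnel)
check_ppp_options() {
    f="$1"
    mppe=$(ppp_tokens "$f" | grep -cxE 'require-mppe(-40|-128)?' || true)
    noccp=$(ppp_tokens "$f" | grep -cxE 'noccp|-ccp' || true)
    if [ "$mppe" -eq 0 ]; then
        echo "$f: no require-mppe option: MPPE not required"
        return 2
    fi
    if [ "$noccp" -gt 0 ]; then
        echo "$f: require-mppe together with noccp: MPPE is negotiated via CCP, so pppd cannot honour it"
        return 1
    fi
    echo "$f: require-mppe present and CCP enabled"
    return 0
}

# scan_pppd_log < journal-lines
#   Reads pppd journal output on stdin (journalctl --no-hostname SYSLOG_IDENTIFIER=pppd).
#   Prints "ccp-rejected" and returns 1 if pppd refused CCP; otherwise "no-ccp-rejection", 0.
scan_pppd_log() {
    if grep -q "Unsupported protocol 'Compression Control Protocol' (0x80fd) received"; then
        echo "ccp-rejected"
        return 1
    fi
    echo "no-ccp-rejection"
    return 0
}

# Demo helpers on constructed input. The options file is the one posted in this thread
# minus the ipparam/plugin lines; the log line is the pppd message quoted in the thread.
write_sample_options() {
    t=$(mktemp)
    printf '%s\n' nodetach usepeerdns noauth noccp refuse-eap refuse-pap refuse-chap \
        require-mppe-128 mppe-stateful nobsdcomp nodeflate novj 'mru 1452' 'mtu 1452' > "$t"
    echo "$t"
}

# The generated file as posted: require-mppe-128 together with noccp -> returns 1.
demo_conflict() {
    t=$(write_sample_options); rc=0
    check_ppp_options "$t" || rc=$?
    rm -f "$t"; return $rc
}

# The same file with noccp dropped -> returns 0.
demo_fixed() {
    t=$(write_sample_options); rc=0
    grep -vx noccp "$t" > "$t.fixed"
    check_ppp_options "$t.fixed" || rc=$?
    rm -f "$t" "$t.fixed"; return $rc
}

# The file with MPPE not requested at all -> returns 2.
demo_no_mppe() {
    t=$(write_sample_options); rc=0
    grep -vxE 'require-mppe(-40|-128)?|mppe-stateful' "$t" > "$t.plain"
    check_ppp_options "$t.plain" || rc=$?
    rm -f "$t" "$t.plain"; return $rc
}

# The CCP rejection from the thread, as a constructed journal line -> prints ccp-rejected.
demo_log() {
    printf '%s\n' "Nov 03 20:16:24 pppd[4644]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received" | scan_pppd_log
}

# Stand-alone use: check the real generated files given as arguments.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_ppp_options "$f" || true; done
fi
```

Saved as check_mppe.sh, `sudo sh check_mppe.sh /var/run/nm-l2tp-*/ppp-options` reports the noccp conflict on the file posted above, and `journalctl --no-hostname SYSLOG_IDENTIFIER=pppd | sh -c '. ./check_mppe.sh; scan_pppd_log'` tells you whether the last attempt hit the CCP rejection. The three-way exit code is deliberate: "MPPE not required" is not an error for L2TP/IPsec users, but on a plain L2TP connection it means the PPP payload crosses the network in clear.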
isdn-network commented 8 months ago

Thank you for pointing out the direction to look for the problem. Indeed, in my manual config file this option "noccp" does not exist.

If I add this option manually to my config file, the same error occurs: it cannot connect with MPPE encryption.

How can I configure NetworkManager so that it does not add this option to the auto-generated config file /var/run/nm-l2tp-*/ppp-options?

Now this option (noccp) is added automatically. How to disable this?

dkosovic commented 8 months ago

This issue has been fixed with commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340

You'll need to rebuild from source code to use the bug fix, see the README.md file on how to build for Debian. Although the instructions in that README.md file are for Debian 11, it should be the same for Debian 12.

isdn-network commented 8 months ago

Good Day. I manually built the project from the new commit.

After make and install, I started debugging: /usr/lib/NetworkManager/nm-l2tp-service --debug

But when I start the L2TP connection, I see this in the debug log:

```
root@linux:~# /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[2104] <debug> nm-l2tp-service (version 1.20.10) starting...
nm-l2tp[2104] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[2104] <info>  ipsec enable flag: (null)
```

The L2TP connection is not established.

I don't understand why ipsec is here. This is plain L2TP, not L2TP/IPsec. I did not enable or set IPsec in my L2TP connection settings.

dkosovic commented 8 months ago

A null in the C language corresponds to false, so IPsec is not enabled.

isdn-network commented 8 months ago

The L2TP connection is not established. Why? Before installing the commit it was established without MPPE; after installing, nothing works :(

dkosovic commented 8 months ago

Without seeing the log, it's difficult to say.

dkosovic commented 8 months ago

You might like to try restarting NetworkManager or restarting the machine and then give it another go.

isdn-network commented 8 months ago

After the restart, I see the same error.

No more errors appear in the log when the connection is turned on. The log from

```
journalctl --no-hostname SYSLOG_IDENTIFIER=pppd
```

is also empty.

How and where can I view a more detailed log?

dkosovic commented 8 months ago

Looks like it is failing very early; you could try:

```
journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
```

You definitely built it with the following ./configure switches when you are on x86-64 Debian?

```
./configure \
  --disable-static --prefix=/usr \
  --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
  --libexecdir=/usr/lib/NetworkManager \
  --runstatedir=/run \
  --with-pppd-plugin-dir=/usr/lib/pppd/2.4.9
```

isdn-network commented 8 months ago

Yes, I did everything like that. I see an error in the log:

```
<warn> [1699241950.2455] vpn[0x565061e7a350,7dbb6065-7193-4eea-b42f-10cfefda42d8,"muvpn"]: failed to connect: 'Cannot create run-dir /usr/local/var/run/nm-l2tp-7dbb6065- 7193->
```

For some reason the path changed from var/run to usr/local/var/run :(

dkosovic commented 8 months ago

Newer Linux distros now use /run instead of /var/run, but have a symlink between the two for backwards compatibility. Newer versions of the autoconf tools allow using --runstatedir=/run instead of needing to use --localstatedir=/var with configure. I can't explain why it is using /usr/local/var/run as you would only get that if you didn't specify any configure arguments.

You could try using --localstatedir=/var with configure:

```
make clean

./configure \
  --disable-static --prefix=/usr \
  --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
  --libexecdir=/usr/lib/NetworkManager \
  --localstatedir=/var \
  --with-pppd-plugin-dir=/usr/lib/pppd/2.4.9

make

sudo make install
```

dkosovic commented 8 months ago

Forgot to mention, the shell line continuation character \ can be copied and pasted directly into a shell command line without issue.

isdn-network commented 8 months ago

Thanks! Everything works well! L2TP connected successfully with MPPE-128.

Can I copy the files "nm-l2tp-service" and "nm-l2tp-auth-dialog" to a backup, so that next time, if I reinstall my Linux, I can simply copy these files manually to /usr/lib/NetworkManager, to avoid rebuilding from source in future?

dkosovic commented 8 months ago

It would only be nm-l2tp-service that you would need to copy (assuming you are not installing the upcoming Debian 13, which will have the fix, or some other Linux distro, which would require a rebuild from source).

Glad to hear you got it going.

isdn-network commented 8 months ago

Thanks. Next time, if I see any problems, I'll write a new bug report.

And a final question:

Will this last commit be added to the Linux distribution repositories, or does it need to be built manually every time by all users who need it?

dkosovic commented 8 months ago

The upcoming network-manager-l2tp-1.20.12 Debian package will have the fix (Debian 13 and Ubuntu 24.04).

The latest two versions of Fedora will have the fix as soon as I have a new NetworkManager-l2tp 1.20.12 package, which might be after I add IPv6 support or it might be sooner.

isdn-network commented 8 months ago

Sorry, you say "NetworkManager-l2tp 1.20.12 package", but I see version 1.30.0 in the "About" dialog in NetworkManager. How is that possible? Or am I misunderstanding something?

dkosovic commented 8 months ago

NetworkManager-l2tp is just a VPN plugin for NetworkManager, they are two separate packages with their own version numbers.

But having said that, the NetworkManager-l2tp 1.20.x version number means the code is compatible with NetworkManager 1.20 or later.

isdn-network commented 8 months ago

Thanks!