Closed isdn-network closed 8 months ago
Is require-mppe-128 in the /var/run/nm-l2tp-*/ppp-options file that gets generated and is passed to xl2tpd/pppd?
If the ppp-options file is missing, run the following and try reconnecting the VPN; the generated files won't get deleted:
sudo killall -TERM nm-l2tp-service
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
File /var/run/nm-l2tp-*/ppp-options exists and looks like this:
ipparam nm-l2tp-service-4e250d8f-1d86-4e6c-bfb2-12c70f143729
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-pap
refuse-chap
require-mppe-128
mppe-stateful
nobsdcomp
nodeflate
novj
nopcomp
noaccomp
lcp-echo-failure 0
lcp-echo-interval 0
plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so
mru 1452
mtu 1452
require-mppe-128 exists; however, maybe it is not sent to xl2tpd?
There is a pppoptfile option in /var/run/nm-l2tp-*/xl2tpd.conf for the ppp-options file, and that xl2tpd.conf file is passed as an argument to xl2tpd, e.g.:
/usr/bin/xl2tpd -D -c .../xl2tpd.conf -C .../xl2tpd-control -p .../xl2tpd.pid
(note: .../ was just used for brevity, it would actually be a /var/run/nm-l2tp-*/ directory)
xl2tpd has been known to swallow ppp options and not pass them all along to xl2tpd's pppd child process, e.g. https://github.com/xelerance/xl2tpd/issues/108
I suspect you'll get the same issue if you modify /etc/ppp/options.l2tp to have the same options as the ppp-options file you provided in the last message (although don't use the plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so line, which won't work without the rest of nm-l2tp).
nm-l2tp has switched to kl2tpd which is less buggy and only falls back to xl2tpd if kl2tpd isn't installed.
Debian doesn't have the go-l2tp package which includes kl2tpd yet, but the upstream authors are making one. But kl2tpd can readily be installed and run as /usr/local/sbin/kl2tpd by doing:
sudo apt install golang
go install "github.com/katalix/go-l2tp/...@latest"
sudo mkdir /usr/local/sbin
sudo cp go/bin/kl2tpd /usr/local/sbin
Thanks. How to switch NM to work with kl2tpd daemon?
If it detects a /usr/local/sbin/kl2tpd or /usr/sbin/kl2tpd file, it automatically uses kl2tpd.
Just follow the previous go install instructions to install kl2tpd to /usr/local/sbin/
Thanks. I successfully installed kl2tpd, but my L2TP connection does not work with mppe-128. Without mppe-128 everything works. Why? Do you have any ideas? I can upload the log from the /usr/lib/NetworkManager/nm-l2tp-service --debug command.
Sorry to hear kl2tpd didn't help. I have no idea what could be happening with mppe-128.
Unfortunately, pppd debugging continues to go to the journal even with nm-l2tp-service --debug, which adds a debug option to the options file. The following might show the MPPE negotiation when nm-l2tp-service --debug is used:
sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
If you want to upload log that's fine.
The same /var/run/nm-l2tp-*/ppp-options file is used for both kl2tpd and xl2tpd with nm-l2tp, so it looks like the same issue with both.
I assume that the problem is only in NetworkManager and the NM libraries, not in the kl2tpd/xl2tpd daemons.
Because from the terminal, if you give the command directly to xl2tp/kl2tp, then everything works correctly.
If I enable mppe-128 and start with the aforementioned nm-l2tp-service --debug, which increases pppd debugging, and use the following to see the pppd journal logs:
journalctl --no-hostname SYSLOG_IDENTIFIER=pppd
I see the following in there:
Nov 03 20:16:24 pppd[4644]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
I suspect because I enabled MPPE and MPPE is negotiated through the Compression Control Protocol (CCP) I get that error message.
Do you see any errors or otherwise about CCP or MPPE negotiations in the journal logs?
I suspect most L2TP/IPsec users don't use MPPE as there is no need when a much stronger IPsec encryption is used.
Good Morning. Yes, I reproduced this situation, enabled the pppd debug log and also see "error with CCP".
I know IPsec would be better, but I have exactly mppe-128 :) This is a matter of principle))
I think this problem is not in the pppd/xl2tpd/kl2tpd daemons; this problem is in the implementation of the Mikrotik L2TP server or the NetworkManager L2TP libraries.
If I use a PPTP connection to Mikrotik, MPPE works well, and I do not see the CCP error in the debug log.
Also, if I manually start L2TP in a terminal with manual config files, MPPE also works well in the L2TP connection.
I think the NM and nm-l2tp library developers need to reproduce this against an L2TP server on Mikrotik and search for how to fix this bug.
Neither you nor I can fix this bug manually.
Also, I created a bug report for the Mikrotik RouterOS developers with this bug.
Your /var/run/nm-l2tp-*/ppp-options file has noccp, which disables Compression Control Protocol. Are you sure the manual config files you used had the same PPP options?
Commit# https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5fe98f70344e842faa28014be7ba259c2db7ae8b back in 2013 (long before I maintained the code) was when the noccp option was added:
/* pppd and xl2tpd on Linux require this option to support Android and iOS clients,
and pppd on Linux clients won't work without the same option */
write_config_option (pppopt_fd, "noccp\n");
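The conflict discussed above (MPPE is negotiated over CCP, so a pppd options file that carries both noccp and require-mppe-128 can never negotiate MPPE) can be checked automatically before debugging the daemons. The following is an added example, not code from the nm-l2tp project; the file contents are constructed to mirror the generated ppp-options file quoted earlier in this thread.

```shell
#!/bin/sh
# Added example: flag a pppd options file that requires MPPE while disabling
# CCP, the combination nm-l2tp used to generate (noccp + require-mppe-128).
# Returns 0 when the file is consistent and 1 when it contains the conflict.
check_mppe_ccp() {
    file="$1"
    # Drop comments and blank lines, keep the first word (the option name).
    opts=$(sed -e 's/#.*//' "$file" | awk 'NF { print $1 }')
    has_noccp=0
    has_mppe=0
    for o in $opts; do
        case "$o" in
            noccp) has_noccp=1 ;;
            require-mppe|require-mppe-40|require-mppe-128) has_mppe=1 ;;
        esac
    done
    if [ "$has_noccp" -eq 1 ] && [ "$has_mppe" -eq 1 ]; then
        echo "CONFLICT: $file requires MPPE but also has noccp (MPPE needs CCP)"
        return 1
    fi
    echo "OK: $file has no MPPE/CCP conflict"
    return 0
}

# Constructed sample reproducing the relevant lines of the generated file.
sample=$(mktemp)
printf 'noauth\nnoccp\nrefuse-pap\nrequire-mppe-128\nmppe-stateful\n' > "$sample"
check_mppe_ccp "$sample" || echo "(exit status $?)"
rm -f "$sample"
```

Point it at /var/run/nm-l2tp-*/ppp-options or /etc/ppp/options.l2tp to compare the generated and the hand-written option sets.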
Thank you for pointing out the direction to look for the problem. Indeed, in my manual config file this option "noccp" does not exist.
If I add this option manually to my config file, the same error occurs: it cannot connect with MPPE encryption.
How can you configure NetworkManager so that it does not add this option to the auto-generated config file /var/run/nm-l2tp-*/ppp-options?
Now this option (noccp) is added automatically. How do I disable this?
This issue has been fixed with commit# https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340
You'll need to rebuild from source code to use the bug fix, see the README.md file on how to build for Debian. Although the instructions in that README.md file are for Debian 11, it should be the same for Debian 12.
Good Day. I manually built the project from the new commit.
After make and install, I started debugging: /usr/lib/NetworkManager/nm-l2tp-service --debug
But when I start the L2TP connection, I see an error in the debug log:
root@linux:~# /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[2104] <debug> nm-l2tp-service (version 1.20.10) starting...
nm-l2tp[2104] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[2104] <info> ipsec enable flag: (null)
Connection L2TP not established.
I don't understand why ipsec is here. This is plain L2TP, not L2TP/IPsec. I did not enable or set IPsec in my L2TP connection settings.
A null in the C language corresponds to false, so IPsec is not enabled.
The L2TP connection is not established. Why? Before installing the commit it was established without mppe; after installing, nothing works :(
Without seeing the log, it's difficult to say.
You might like to try restarting NetworkManager or restarting the machine and then give it another go.
After restarting, I see this error too.
No more errors appear in the log when the connection is turned on. The output of
journalctl --no-hostname SYSLOG_IDENTIFIER=pppd
is also empty.
How and where can I view a more detailed log?
Looks like it is failing very early, you could try :
journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
You definitely built it with the following ./configure switches when you are on x86-64 Debian?
./configure \
--disable-static --prefix=/usr \
--sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
--libexecdir=/usr/lib/NetworkManager \
--runstatedir=/run \
--with-pppd-plugin-dir=/usr/lib/pppd/2.4.9
Yes, I did everything like that. I see an error in the log:
<warn> [1699241950.2455] vpn[0x565061e7a350,7dbb6065-7193-4eea-b42f-10cfefda42d8,"muvpn"]: failed to connect: 'Cannot create run-dir /usr/local/var/run/nm-l2tp-7dbb6065- 7193->
For some reason the path changed from /var/run to /usr/local/var/run :(
Newer Linux distros now use /run instead of /var/run, but have a symlink between the two for backwards compatibility. Newer versions of the autoconf tools allow using --runstatedir=/run instead of needing to use --localstatedir=/var with configure. I can't explain why it is using /usr/local/var/run, as you would only get that if you didn't specify any configure arguments.
You could try the following, using --localstatedir=/var with configure:
make clean
./configure \
--disable-static --prefix=/usr \
--sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
--libexecdir=/usr/lib/NetworkManager \
--localstatedir=/var \
--with-pppd-plugin-dir=/usr/lib/pppd/2.4.9
make
sudo make install
Forgot to mention, the shell line continuation character \ can be copied and pasted directly into a shell command line without issue.
Thanks! Everything works well! L2TP connected successfully with MPPE-128.
Can I back up the files "nm-l2tp-service" and "nm-l2tp-auth-dialog" so that next time, if I reinstall my Linux, I can simply copy these files manually to /usr/lib/NetworkManager? To avoid rebuilding from sources in the future?
It would only be nm-l2tp-service that you would need to copy (assuming it is not installing the upcoming Debian 13 which will have the fix, or some other Linux distro which would require a rebuild of the source).
Glad to hear you got it going.
Thanks, next time if I see any problems, I'll write a new bug report.
And finally a question:
Will this last commit be added to the Linux repositories, or does it need to be built manually every time by all users who need it?
The upcoming network-manager-l2tp-1.20.12 Debian package will have the fix (Debian 13 and Ubuntu 24.04).
The latest two versions of Fedora will have the fix as soon as I have a new NetworkManager-l2tp 1.20.12 package, which might be after I add IPv6 support or it might be sooner.
Sorry, you say "NetworkManager-l2tp 1.20.12 package", but I see version 1.30.0 in the "About" dialog in Network Manager. How is that possible? Or did I misunderstand something?
NetworkManager-l2tp is just a VPN plugin for NetworkManager, they are two separate packages with their own version numbers.
But having said that, the NetworkManager-l2tp 1.20.x version number means the code is compatible with NetworkManager 1.20 or later.
Thanks!
Good Day.
I want to report a bug in the L2TP plugin for network-manager-l2tp-gnome.
OS: Debian 12. Network Manager v1.30.0
The bug: I can't connect to my L2TP server with MPPE-128 security.
I can successfully connect from the NM GUI only without mppe-128.
However, I manually set MPPE-128 as ENABLED in the Network Manager GUI on my VPN L2TP connection.
As a result, mppe-128 never works. It connects successfully only without mppe-128.
If I create the L2TP VPN manually in the system files, at /etc/xl2tpd/xl2tpd.conf and /etc/ppp/options.l2tp, I successfully connect over L2TP with MPPE-128 via the terminal command xl2tpd.
I manually added the parameter require-mppe-128 to the file options.l2tp.
If I start it in the terminal with the command xl2tpd -D, I see that l2tp started successfully and mppe-128 fully works.
MPPE-128 doesn't work only with Network Manager.
Also, mppe-128 doesn't work in NM on all other Linux OSes: Ubuntu, Mint, Fedora, and others.
As a result of studying the syslog from xl2tpd, we can conclude that NM does not pass the required connection parameter to xl2tpd, namely: require-mppe-128.
At the same time, in the config of my L2TP VPN connection at /etc/networkmanager/system-connection/myl2tp.nmconnection, the parameter “require-mppe-128 = yes” is present.
However, Network Manager apparently does not pass this parameter to the xl2tpd/pppd daemons. Therefore, l2tp connects without MPPE-128 encryption.
Could this problem be in the libraries nm-l2tp-pppd-plugin.so and pppol2tp.so, or in other NM libraries?
Maybe you can help me with this problem?