Closed lprobsth closed 4 months ago
That behavior is a consequence of commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340 in version 1.20.12, which doesn't disable the Compression Control Protocol (CCP) when MPPE is enabled (as MPPE protocol negotiation happens within CCP).
MPPE protocol negotiation had been broken since 2013 with commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5fe98f70344e842faa28014be7ba259c2db7ae8b which disabled CCP:
When MPPE is successfully negotiated, the following should appear in the logs (or similar for MPPE 40 or 64-bit):
MPPE 128-bit stateless compression enabled
MPPE encryption is very weak and is typically only used with L2TP VPN connections, not L2TP/IPsec, which uses much stronger IPsec encryption.
Ok then I'll disable MPPE for now and check the safety of the IPsec encryption in case of SoftEther VPN.
Thank you!
I can't connect without noccp in my VPN environment.
Is there any way to insert noccp into the auto-generated file (/var/run/nm-l2tp-xxx/ppp-options)?
Is there any way to insert noccp into the auto-generated file(/var/run/nm-l2tp-xxx/ppp-options)?
Untick the MPPE box and the noccp option is restored.
I thought the MPPE setting was required in my environment, but I was able to connect to the VPN even with it unchecked. (I don't know why.)
Thanks.
Previous versions could give the false impression that MPPE was enabled and being used; with the new version it now fails when MPPE negotiations fail. Someone who was actually using MPPE reported last year that MPPE was broken. Apparently it has been broken for the past 10 years, and there have been a number of Linux L2TP/IPsec docs that encouraged users to enable MPPE.
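An added example, not part of the thread or of the NetworkManager-l2tp code: a small checker for the situation described in the replies above, where MPPE is required while noccp disables the CCP layer it is negotiated in, plus a classifier for a pppd log based on the two messages quoted in this issue. The require-mppe* names are standard pppd options assumed to be present in the options file; the sample options and log text are constructed.

```python
import re

# pppd options that demand MPPE. MPPE is negotiated inside CCP, so `noccp`
# next to any of these means an MPPE-protected link can never come up.
REQUIRE_MPPE = {"require-mppe", "require-mppe-40", "require-mppe-128"}
# Success line quoted in the issue, generalised to other key lengths/modes.
MPPE_OK = re.compile(r"MPPE (\d+)-bit (\w+) compression enabled")
# Failure line quoted in the original report.
MPPE_FAIL = "MPPE required but peer negotiation failed"

def parse_options(text):
    """Return the set of option keywords in a pppd options file."""
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            opts.add(line.split()[0])
    return opts

def audit(options_text, log_text):
    """Classify a connection from its ppp options and its pppd log."""
    opts = parse_options(options_text)
    wants_mppe = bool(opts & REQUIRE_MPPE)
    if wants_mppe and "noccp" in opts:
        return "conflict: MPPE required but CCP disabled"
    ok = MPPE_OK.search(log_text)
    if ok:
        return f"mppe-active: {ok.group(1)}-bit {ok.group(2)}"
    if MPPE_FAIL in log_text:
        return "mppe-failed: peer did not negotiate MPPE"
    if wants_mppe:
        return "unverified: MPPE required, no confirmation in log"
    state = "set" if "noccp" in opts else "unset"
    return f"no-mppe: MPPE not requested (noccp {state})"

# Constructed samples (not taken from a real system).
SAMPLE_CONFLICT = "nobsdcomp\nnodeflate\nnoccp\nrequire-mppe-128\n"
SAMPLE_REQUIRED = "nobsdcomp\nnodeflate\nrequire-mppe-128  # MPPE box ticked\n"
SAMPLE_LOG_OK = "pppd[4242]: MPPE 128-bit stateless compression enabled\n"
SAMPLE_LOG_FAIL = "pppd[4242]: MPPE required but peer negotiation failed\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFLICT, ""))
    print(audit(SAMPLE_REQUIRED, SAMPLE_LOG_OK))
    print(audit(SAMPLE_REQUIRED, SAMPLE_LOG_FAIL))
    print(audit("noccp\n", ""))
```

On a real system the options text would come from the auto-generated ppp-options file and the log text from the pppd entries in the system journal.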
On Manjaro I'm using L2TP/IPsec for connecting to a SoftEther VPN server. Until a month ago everything worked as intended. After a recent update the connection stopped working with the error "MPPE required but peer negotiation failed".
I looked into recent updates and tested some downgrades.
This is the combination that did not work: NetworkManager: 1.46.0, NetworkManager-l2tp: 1.20.12, PPP: 2.5.0
This is the combination that works: NetworkManager: 1.46.0, NetworkManager-l2tp: 1.20.10, PPP: 2.5.0
It seems that the update of the l2tp plugin broke the functionality. I looked into the changes between the versions but couldn't find the reason without further knowledge.
Do you need more details (configuration files, logs)?