I have upgraded from a VyOS 1.2 rolling build from April, when VyOS was using xl2tpd. I am now using VyOS 1.2-rolling-201910180117.
Unfortunately the L2TP (over IPsec) VPN connections do not seem to work anymore.
The clients do establish the IPsec tunnel, and I can see the IPsec associations with show vpn ipsec sa. I also see the ppp* devices with ip link show. Even running show vpn remote-access I briefly see those connections, but with an empty ip column.
Looking into the logs with journalctl I see (retaining only the ppp-related lines, and anonymizing them):
    ppp2:client-z: connect: ppp2 <--> l2tp(<IP>:<PORT> session <...>, <...>)
    ppp2:client-z: ppp connected
    ppp2:client-z: send [MSCHAP-v2 Success id=1 "S=<...> M=Authentication succeeded"]
    ppp2:client-z: auth_layer_started
    ppp2:client-z: ccp_layer_start
    ppp2:client-z: send [CCP ConfReq id=c7 <mppe +H -M +S -L -D -C>]
    ppp2:client-z: ipcp_layer_start
    ppp2:client-z: ipv6cp_layer_start
    ppp2:client-z: client-z: authentication succeeded
    ppp2:client-z: recv [IPCP ConfReq id=4f <addr 0.0.0.0>]
    ppp2:client-z: ppp: no free IPv4 address
    ppp2:client-z: send [LCP ProtoRej id=179 <8021>]
    ppp2:client-z: recv [LCP ProtoRej id=e0 <80fd>]
    ppp2:client-z: ccp_layer_finished
    ppp2:client-z: recv [LCP EchoReq id=0 <magic 0ad2be63>]
    ppp2:client-z: send [LCP EchoRep id=0 <magic 230139d4>]
    ...
    ppp2:client-z: terminate
    ppp2:client-z: lcp_layer_finish
The problematic line seems to be ppp2:client-z: ppp: no free IPv4 address.
My vpn l2tp remote-access configuration is pretty standard:
    authentication {
        local-users {
            username client-z {
                password <...>
                static-ip x1.x2.x3.2
            }
        }
        mode local
        require mschap-v2
    }
    client-ip-pool {
        start x1.x2.x3.67
        stop x1.x2.x3.93
    }
    dns-servers {
        server-1 1.1.1.1
        server-2 1.0.0.1
    }
    idle 86400
    ipsec-settings {
        authentication {
            mode pre-shared-secret
            pre-shared-secret <...>
        }
        ike-lifetime 86400
        lifetime 86400
    }
    mtu 1400
    outside-address 0.0.0.0
    ppp-options {
        lcp-echo-failure 30
        lcp-echo-interval 12
    }
However, I did seem to track the problem down to the /etc/accel-ppp/l2tp/l2tp.config file: by manually adding the following line to both the [ip-pool] and [chap-secrets] sections, everything worked again as expected (replace the address with a proper IP from the same pool):
gw-ip-address=x1.x2.x3.1
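As an added example (not part of the post above, and not VyOS or accel-ppp code), here is a small checker for the generated l2tp.config that flags the condition described: a missing gw-ip-address in [ip-pool] or [chap-secrets]. It parses accel-ppp's INI-like layout, in which pool ranges inside [ip-pool] are bare lines such as a.b.c.67-93 or a CIDR prefix, and also warns if the gateway address falls inside the client range. The sample config text is constructed for the example with 10.10.10.0/24 standing in for the anonymized x1.x2.x3 prefix, and the "gateway must lie outside the pool" rule is my own sanity check, not something the post states.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of /etc/accel-ppp/l2tp/l2tp.config after the
# fix from the post has been applied. Example data, not a real file.
SAMPLE_CONFIG = """\
[ip-pool]
gw-ip-address=10.10.10.1
10.10.10.67-93

[chap-secrets]
gw-ip-address=10.10.10.1
chap-secrets=/etc/accel-ppp/l2tp/chap-secrets
"""

RANGE_RE = re.compile(r'^(\d+\.\d+\.\d+)\.(\d+)-(\d+)$')


def parse_accel_config(text):
    """Parse accel-ppp's INI-like config into {section: [(key, value), ...]}.

    Bare lines (no '=') are kept as (line, None); accel-ppp uses them for
    pool ranges inside [ip-pool]. Keys may repeat, so each section is a list.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            continue
        if current is None:
            continue                          # stray line before any section
        if '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current].append((key, value))
        else:
            sections[current].append((line, None))
    return sections


def pool_ranges(entries):
    """Expand the bare range lines of [ip-pool] into sets of IPv4 addresses."""
    ranges = []
    for key, value in entries:
        if value is not None:
            continue                          # key=value lines are options, not ranges
        m = RANGE_RE.match(key)
        if m:
            prefix, start, stop = m.group(1), int(m.group(2)), int(m.group(3))
            ranges.append({ipaddress.IPv4Address(f'{prefix}.{i}')
                           for i in range(start, stop + 1)})
            continue
        try:
            ranges.append(set(ipaddress.IPv4Network(key, strict=False).hosts()))
        except ValueError:
            pass                              # not a range we understand; ignore
    return ranges


def check_l2tp_config(text):
    """Return a list of problem strings; an empty list means the checks pass."""
    problems = []
    cfg = parse_accel_config(text)
    gateway = {}
    for section in ('ip-pool', 'chap-secrets'):
        values = [v for k, v in cfg.get(section, []) if k == 'gw-ip-address']
        if not values:
            problems.append(f'[{section}] has no gw-ip-address')
            continue
        try:
            gateway[section] = ipaddress.IPv4Address(values[-1])
        except ValueError:
            problems.append(f'[{section}] gw-ip-address {values[-1]!r} is not an IPv4 address')
    ranges = pool_ranges(cfg.get('ip-pool', []))
    if not ranges:
        problems.append('[ip-pool] defines no client address range')
    # Assumption (my sanity check): the server-side address must not be one
    # that accel-ppp could also hand out to a client.
    if 'ip-pool' in gateway and any(gateway['ip-pool'] in r for r in ranges):
        problems.append(f"gw-ip-address {gateway['ip-pool']} lies inside the client pool")
    return problems


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in check_l2tp_config(text) or ['OK: gw-ip-address present in both sections']:
        print(line)
```

Run it as `python3 check_l2tp.py /etc/accel-ppp/l2tp/l2tp.config` on the box; with no argument it checks the embedded sample. A config that regenerates without the two gw-ip-address lines after a commit will show up as two "has no gw-ip-address" findings, which is a quicker signal than waiting for the next client to hit "no free IPv4 address".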