L2TP/IPSec Remote Access VPN does not work as expected in 1.3.1-S1
Closed, InvalidPublic
Actions

Assigned To

None

Authored By

	NikolayP
	Jun 3 2022, 2:30 PM

Description

Tested in VyOS 1.3.1-S1. And Windows 10 Pro 21H2
L2TP connects. However, it does not work as expected in 1.3.1-S1.
In 1.2.8 the same config works.

[email protected]:~$ sh vpn remote-access
 ifname | username | calling-sid |      ip      | rate-limit | type | comp | state  | rx-bytes | tx-bytes |  uptime
--------+----------+-------------+--------------+------------+------+------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.6.1 | 172.25.255.1 |            | l2tp | mppe | active | 14.9 KiB | 240 B    | 00:00:12

To reproduce:

set interfaces dummy dum4 address '4.4.4.4/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.6.31/24'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.6.31'

Once the client is connected, traffic from the client does not pass even on 4.4.4.4.

ping 4.4.4.4 -t
Pinging 4.4.4.4 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 4.4.4.4:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

In 1.2.8 the same ping toward 4.4.4.4 is successful.

Details

Difficulty level: Unknown (require assessment)
Version: 1.3.1-S1
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

NikolayP triaged this task as High priority.Jun 3 2022, 2:30 PM

NikolayP created this task.

NikolayP created this object in space S1 VyOS Public.

Not sure if this is relevant to the task.
But once when shutting down a VM with VyOS 1.3.1-S1, it took a long time to shut down:

pasik added a subscriber: pasik.Jun 3 2022, 4:06 PM

@NikolayP , Looks like MTU and MPPE issue. Stoping daemon does not related to this I think.

Don't have any issues with Ubuntu

set interfaces dummy dum0 address '192.0.2.1/32'
set interfaces dummy dum4 address '203.0.113.1/24'
set interfaces ethernet eth0 address '192.168.122.11/24'
set interfaces ethernet eth0 description 'WAN'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.2'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access outside-address '192.0.2.1'

Client

[email protected]:~$ ping 203.0.113.1
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=0.295 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=64 time=0.446 ms
^C
--- 203.0.113.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 0.295/0.370/0.446/0.075 ms
[email protected]:~$

[email protected]:~$ show l2tp-server sessions 
ifname | username |      ip       | ip6 | ip6-dp |  calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+---------------+-----+--------+---------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.255.3 |     |        | 192.168.122.1 |            | active | 00:08:20 | 33.9 KiB | 4.1 KiB
[email protected]:~$ 
[email protected]:~$ 
[email protected]:~$ tcpdump -nti l2tp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on l2tp0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
IP 192.168.255.3 > 203.0.113.1: ICMP echo request, id 9, seq 44, length 64
IP 203.0.113.1 > 192.168.255.3: ICMP echo reply, id 9, seq 44, length 64
IP 192.168.255.3 > 203.0.113.1: ICMP echo request, id 9, seq 45, length 64
IP 203.0.113.1 > 192.168.255.3: ICMP echo reply, id 9, seq 45, length 64

If your clients and server in one network, try to connect to "dummy" interface
Im my example clients in networks 192.168.122.x connecting not to 192.168.122.11 but to dummy 192.0.2.1/32 as outside-address and can ping dummy4 interface address

Same as Viacheslav. No issues on my tests in Ubuntu.

[email protected]# run show config comm | grep vpn
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username testuser password 'testuser'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.2'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '1q2w3e4r'
set vpn l2tp remote-access outside-address '192.168.25.2'
[edit]
[email protected]# run show l2tp-server sessions 
ifname | username |      ip       | ip6 | ip6-dp |  calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+---------------+-----+--------+---------------+------------+--------+----------+----------+----------
 l2tp0  | testuser | 192.168.255.3 |     |        | 192.168.0.105 |            | active | 00:10:49 | 2.1 MiB  | 6.5 MiB
[edit]
[email protected]#

The problem seems to be in these lines:

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'

Replacing "static IP" with 172.25.255.2 makes it work in VyOS 1.3.1

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'

Full corrected config for 1.3.1 from the first post:

set interfaces dummy dum4 address '4.4.4.4/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.6.31/24'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.6.31'

In T4457#124584, @NikolayP wrote:

The problem seems to be in these lines:

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'

Replacing "static IP" with 172.25.255.2 makes it work in VyOS 1.3.1

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'

Full corrected config for 1.3.1 from the first post:

set interfaces dummy dum4 address '4.4.4.4/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.6.31/24'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.6.31'

I think this behaviour is correct as when you're defining the dynamic pool for l2tp clients from what I usually see is that the first address used by the VyOS to create linking between client and server-side. Here is the difference:

Using fist address from the dynamic pool as a static-ip for the client:

set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '192.168.9.15'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication radius server 10.30.1.95 key '8qwMCSUoLumc3AsdqiCNi'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '192.168.9.15'
set vpn l2tp remote-access client-ip-pool stop '192.168.9.30'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'mysecret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access mtu '1480'
set vpn l2tp remote-access name-server '8.8.8.8'
set vpn l2tp remote-access name-server '9.9.9.9'
set vpn l2tp remote-access outside-address '192.0.0.2'

[email protected]:~$ show l2tp-server sessions
ifname | username |      ip      | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
--------+----------+--------------+-----+--------+-------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.9.15 |     |        | 10.10.10.2  |            | active | 00:02:24 | 4.0 KiB  | 100 B


[email protected]:~$ ip link show

6: l2tp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.9.15/32 scope global l2tp0
       valid_lft forever preferred_lft forever

Removing static-ip from the user configuration:

[email protected]:~$ show vpn remote-access
ifname | username | calling-sid |      ip      | rate-limit | type | comp | state  | rx-bytes | tx-bytes |  uptime
--------+----------+-------------+--------------+------------+------+------+--------+----------+----------+----------
 l2tp0  | test     | 10.10.10.2  | 192.168.9.16 |            | l2tp | mppe | active | 2.7 KiB  | 100 B    | 00:00:40


7: l2tp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.9.15 peer 192.168.9.16/32 scope global l2tp0
       valid_lft forever preferred_lft forever

Using the second IP address as a static-ip for the user configuration:

[email protected]# set vpn l2tp remote-access authentication local-users username test static-ip 192.168.9.16
[email protected]# commit ; save ; exit
Saving configuration to '/config/config.boot'...
Done
exit

[email protected]:~$ show l2tp-server sessions
ifname | username |      ip      | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
--------+----------+--------------+-----+--------+-------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.9.16 |     |        | 10.10.10.2  |            | active | 00:00:20 | 2.7 KiB  | 160 B

8: l2tp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.9.15 peer 192.168.9.16/32 scope global l2tp0
       valid_lft forever preferred_lft forever

So as I mentioned, it seems to be expected behaviour...

Viacheslav closed this task as Invalid.Jun 28 2022, 8:38 AM

Maybe it depends on the version of accel-ppp.
In 1.2.8:

[email protected]:~$ dpkg -l | grep accel
ii  accel-ppp                        1.12.0-87-gbefc6e4               amd64        PPtP/L2TP/PPPoE/SSTP server for Linux

In 1.3.1-S1:

[email protected]:~$ sudo dpkg -l | grep accel
ii  accel-ppp                            1.12.0-170-g0b4ef98                 amd64        PPtP/L2TP/PPPoE/SSTP server for Linux

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.Aug 30 2022, 2:21 PM

	F2731935: image.png
	Jun 3 2022, 2:42 PM

L2TP/IPSec Remote Access VPN does not work as expected in 1.3.1-S1Closed, InvalidPublicActions

Description

Details

Event Timeline

L2TP/IPSec Remote Access VPN does not work as expected in 1.3.1-S1
Closed, InvalidPublic
Actions