VPN l2tp over IPSec: ppp - No auth is possible. Ubuntu 18.04 LTS

0


I setup IPSec over VPN using this tutorial
https://20notes.net/linux/setup-l2tp-over-ipsec-client-on-ubuntu-18-04-using-gnome
It is working using NetworkManager.
However NetworkManager allow only one active l2tp over ipsec connection.

I try to setup this VPN from console, based on files generated by NetworkManager

Ipsec is setting up:

# ipsec up ipsecVpn
# ipsec status
Security Associations (1 up, 0 connecting):
ipsecVpn[3]: ESTABLISHED 6 seconds ago, 192.168.1.10[192.168.1.10]...vpn.remote.addr.ip[vpn.remote.addr.ip]
ipsecVpn{3}:  INSTALLED, TRANSPORT, reqid 3, ESP in UDP SPIs: c1942484_i 553e0362_o
ipsecVpn{3}:   192.168.1.10/32[udp/l2f] === vpn.remote.addr.ip/32[udp/l2f]

But I have problem with xl2tpd, or in more detail with ppp.

# xl2tpd -c /etc/xl2tpd/ipsecVpn.conf

=== /var/log/syslog
Oct 16 11:58:43 vpn-access-server xl2tpd[2447]: Not looking for kernel SAref support.
Oct 16 11:58:43 vpn-access-server xl2tpd[2447]: Using l2tp kernel support.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: xl2tpd version xl2tpd-1.3.10 started on vpn-access-server PID:2448
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Inherited by Jeff McAdams, (C) 2002
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Listening on IP address 0.0.0.0, port 1701
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Connecting to host vpn.remote.addr.ip, port 1701
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: sending SCCRQ
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 17068, call is 0.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: sending SCCCN
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Connection established to vpn.remote.addr.ip, 1701.  Local: 5476, Remote: 17068 (ref=0/0).
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Calling on tunnel 5476
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: message type is (null)(0).  Tunnel is 17068, call is 0.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: sending ICRQ
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 17068, call is 17053.
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: Sending ICCN
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: Call established with vpn.remote.addr.ip, Local: 5089, Remote: 17053, Serial: 1 (ref=0/0)
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: start_pppd: I'm running:
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "/usr/sbin/pppd"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "plugin"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "pppol2tp.so"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "pppol2tp"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "7"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "passive"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "nodetach"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: ":"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "debug"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "file"
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: "/etc/xl2tpd/ipsecVpn.options"
Oct 16 11:58:43 vpn-access-server pppd[2449]: Plugin pppol2tp.so loaded.
Oct 16 11:58:43 vpn-access-server systemd-udevd[2450]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Oct 16 11:58:43 vpn-access-server pppd[2449]: Plugin /usr/lib/pppd/2.4.7/pppol2tp.so loaded.
Oct 16 11:58:43 vpn-access-server pppd[2449]: pppd 2.4.7 started by ubuntu, uid 0
Oct 16 11:58:43 vpn-access-server pppd[2449]: using channel 1
Oct 16 11:58:43 vpn-access-server pppd[2449]: Using interface ppp0
Oct 16 11:58:43 vpn-access-server pppd[2449]: Connect: ppp0 <-->
Oct 16 11:58:43 vpn-access-server pppd[2449]: Overriding mtu 1500 to 1400
Oct 16 11:58:43 vpn-access-server pppd[2449]: PPPoL2TP options: debugmask 0
Oct 16 11:58:43 vpn-access-server pppd[2449]: Overriding mru 1500 to mtu value 1400
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0xf347cbf3>]
Oct 16 11:58:43 vpn-access-server xl2tpd[2448]: control_finish: message type is Set-Link-Info(16).  Tunnel is 17068, call is 17053.
Oct 16 11:58:43 vpn-access-server systemd-timesyncd[1129]: Network configuration changed, trying to establish connection.
Oct 16 11:58:43 vpn-access-server networkd-dispatcher[1227]: WARNING:Unknown index 6 seen, reloading interface list
Oct 16 11:58:43 vpn-access-server dnsmasq[1913]: reading /etc/resolv.conf
Oct 16 11:58:43 vpn-access-server dnsmasq[1913]: using nameserver 127.0.0.53#53
Oct 16 11:58:43 vpn-access-server dnsmasq[1913]: reading /etc/resolv.conf
Oct 16 11:58:43 vpn-access-server dnsmasq[1913]: using nameserver 127.0.0.53#53
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfRej id=0x1 <mru 1400> <asyncmap 0x0>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfReq id=0x2 <auth chap MS-v2> <magic 0xf347cbf3>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x2 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfAck id=0x2 <auth chap MS-v2> <magic 0xf347cbf3>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x3 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x3 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x4 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x4 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x5 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x5 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server systemd-timesyncd[1129]: Synchronized to time server 91.189.91.157:123 (ntp.ubuntu.com).
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x6 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x6 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x7 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x7 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x8 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x8 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x9 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x9 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xa <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xa <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xb <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xb <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xc <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xc <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xd <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xd <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xe <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xe <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0xf <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0xf <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x10 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x10 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x11 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x11 <auth chap MS-v2>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: rcvd [LCP ConfReq id=0x12 <auth chap MS-v2> <magic 0x53ce473f>]
Oct 16 11:58:43 vpn-access-server pppd[2449]: No auth is possible
Oct 16 11:58:43 vpn-access-server pppd[2449]: sent [LCP ConfRej id=0x12 <auth chap MS-v2>]
Oct 16 11:58:44 vpn-access-server pppd[2449]: rcvd [LCP TermReq id=0x13 "Peer Terminated"]
Oct 16 11:58:44 vpn-access-server pppd[2449]: sent [LCP TermAck id=0x13]
Oct 16 11:58:44 vpn-access-server xl2tpd[2448]: control_finish: message type is Stop-Control-Connection-Notification(4).  Tunnel is 17068, call is 0.
Oct 16 11:58:44 vpn-access-server xl2tpd[2448]: control_finish: Connection closed to vpn.remote.addr.ip, port 1701 (No Error), Local: 5476, Remote: 17068
Oct 16 11:58:44 vpn-access-server charon: 16[NET] received packet: from vpn.remote.addr.ip[4500] to 192.168.1.10[4500] (68 bytes)
Oct 16 11:58:44 vpn-access-server xl2tpd[2448]: Terminating pppd: sending TERM signal to pid 2449
Oct 16 11:58:44 vpn-access-server pppd[2449]: Terminating on signal 15
Oct 16 11:58:44 vpn-access-server charon: 16[ENC] parsed INFORMATIONAL_V1 request 3742305360 [ HASH D ]
Oct 16 11:58:44 vpn-access-server pppd[2449]: sent [LCP TermReq id=0x3 "User request"]
Oct 16 11:58:44 vpn-access-server charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 34ffd9b0
Oct 16 11:58:44 vpn-access-server charon: 16[IKE] closing CHILD_SA ipsecVpn{1} with SPIs c1db3e26_i (1040 bytes) 34ffd9b0_o (917 bytes) and TS 192.168.1.10/32[udp/l2f] === vpn.remote.addr.ip/32[udp/l2f]
Oct 16 11:58:44 vpn-access-server charon: 05[NET] received packet: from vpn.remote.addr.ip[4500] to 192.168.1.10[4500] (84 bytes)
Oct 16 11:58:44 vpn-access-server charon: 05[ENC] parsed INFORMATIONAL_V1 request 3054304841 [ HASH D ]
Oct 16 11:58:44 vpn-access-server charon: 05[IKE] received DELETE for IKE_SA ipsecVpn[1]
Oct 16 11:58:44 vpn-access-server charon: 05[IKE] deleting IKE_SA ipsecVpn[1] between 192.168.1.10[192.168.1.10]...vpn.remote.addr.ip[vpn.remote.addr.ip]
Oct 16 11:58:47 vpn-access-server pppd[2449]: sent [LCP TermReq id=0x4 "User request"]
Oct 16 11:58:50 vpn-access-server pppd[2449]: Connection terminated.
Oct 16 11:58:50 vpn-access-server charon: 12[KNL] interface ppp0 deleted
Oct 16 11:58:50 vpn-access-server systemd-timesyncd[1129]: Network configuration changed, trying to establish connection.
Oct 16 11:58:50 vpn-access-server dnsmasq[1913]: reading /etc/resolv.conf
Oct 16 11:58:50 vpn-access-server dnsmasq[1913]: using nameserver 127.0.0.53#53
Oct 16 11:58:50 vpn-access-server pppd[2449]: Modem hangup
Oct 16 11:58:50 vpn-access-server pppd[2449]: Exit.
================================

ppp write "No auth is possible"
I could establish connection on this user and password using NetworkManager GUI.
Configuration files below

# cat /etc/xl2tpd/ipsecVpn.conf
[global]
access control = yes
port = 1701
debug state = yes
[lac l2tp]
lns = vpn.remote.addr.ip
ppp debug = yes
pppoptfile = /etc/xl2tpd/ipsecVpn.options
autodial = yes
tunnel rws = 8
tx bps = 100000000
rx bps = 100000000

# cat /etc/xl2tpd/ipsecVpn.options
debug
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
require-mschap-v2
refuse-eap
refuse-pap
lcp-echo-failure 30
lcp-echo-interval 5
plugin /usr/lib/pppd/2.4.7/pppol2tp.so
mru 1400
mtu 1400

ppp options generated by NetworkManager contains different plugin

plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so

But with this plugin it is also not working.

# ll /etc/ppp/chap-secrets 
-rw------- 1 root root 251 Oct 15 15:29 /etc/ppp/chap-secrets
# cat /etc/ppp/chap-secrets 
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpnuser  *       "PasswordContains#and&"      *

# iptables -L -vn
Chain INPUT (policy ACCEPT 6 packets, 940 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 892 bytes)
 pkts bytes target     prot opt in     out     source               destination         

# dpkg -l | grep xl2tp
ii  xl2tpd                                1.3.10-1ubuntu1                             amd64        layer 2 tunneling protocol implementation
# dpkg -l | grep ppp
ii  ppp                                   2.4.7-2+2ubuntu1.1                          amd64        Point-to-Point Protocol (PPP) - daemon
# dpkg -l | grep strongswan
ii  libstrongswan                         5.6.2-1ubuntu2.4                            amd64        strongSwan utility and crypto library
ii  libstrongswan-standard-plugins        5.6.2-1ubuntu2.4                            amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                            5.6.2-1ubuntu2.4                            all          IPsec VPN solution metapackage
ii  strongswan-charon                     5.6.2-1ubuntu2.4                            amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon                  5.6.2-1ubuntu2.4                            amd64        strongSwan charon library
ii  strongswan-starter                    5.6.2-1ubuntu2.4                            amd64        strongSwan daemon starter and configuration file parser

Any ideas why this is not working ?

Lukasz Czyzewski

Posted 2019-10-16T10:31:48.283

Reputation: 1

I can't see the name option anywhere in the config file for the username to use for the connection. What you seem to have is more a server side configuration where the username is coming from the client trying to connect.

The /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so plugin uses D-Bus, it won't do anything by itself without the NeedSecrets (i.e. user credentials), SetIp4Config and SetStatemethods being called on the org.freedesktop.NetworkManager.l2tp.ppp D-Bus interface. – Douglas Kosovic – 2019-10-20T03:02:07.343

This is because ppp use only /etc/ppp/chap-secrets for user and password. From ppp documentation - see [man pppd] https://linux.die.net/man/8/pppd - I could not set user and/or password in configuration file. Also note that pppd is started by xl2tpd - see [man xl2tpd] https://linux.die.net/man/5/xl2tpd.conf - 'auth file' is not forwared to pppd. I run pppd in in 'strace' and see that it read /etc/ppp/chap-secrets

– Lukasz Czyzewski – 2019-10-21T10:45:33.370

After commit https://github.com/xelerance/xl2tpd/commit/e140bb6a1ab846e4cf548f4dbcdca6a3604248c6 xl2tpd stopped passing some options to pppd which was annoying as I had to modify the nm-l2tp-service source code to compensate and not use some of the options, I'm guessing that is the same issue you are seeing with auth file. The approach on https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup definitely used to work for setting the username and password in the PPP options files. Sorry I can't confirm if it still works for me as it has been a few years since I last tried.

– Douglas Kosovic – 2019-10-21T12:01:45.980

I also assumed setting name in the PPP options config file would then lookup the corresponding password in the CHAP secrets file if password wasn't already set as a PPP option. – Douglas Kosovic – 2019-10-21T12:23:54.343

No answers

Asked: 2019-10-16T10:31:48.283

Viewed: 131 times

Active: 2019-10-16T10:31:48.283