Getting an L2TP (with IPSEC) VPN (remote-access) to work with PPPoE (in VyOS 1.1.8 and 1.2.0)

ciprian.craciun · April 12, 2019, 8:51pm

So I’ve tried to configure an L2TP-based VPN (remote-access) to work with my ISP which uses PPPoE connections (with dynamically assigned IP’s)…

It all goes smoothly by following L2TP — VyOS 1.4.x (sagitta) documentation, except that you need to know before-hand the outside-address value… (Which obviously changes after a reboot / reconnect)…

Luckily there is the set vpn l2tp remote-access dhcp-interface option, which unfortunately does not work with PPPoE interfaces, and fails with: The specified interface is not configured for DHCP.

However if one just edits /opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm and searches for that error message (which seems to appear in three places) and just comments the code like:

#     return  (undef, "The specified interface is not configured for DHCP")
#       if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if},0));

, it all goes smoothly.

However if your PPPoE connection disconnects and reconnects, the L2TP connection won’t work… Apparently not even a restart vpn will solve it, but instead you’ll have to either force a configure (by changing the actual value of dhcp-interface and commit), or reboot… (Or just sed-ing /etc files…)

If anyone has any idea on how to fix this better, please let me know.

ciprian.craciun · April 15, 2019, 8:56pm

Apparently the “hack” mentioned above doesn’t seem to work on VyOS 1.2, because the IPSec configuration is generated before the PPPoE interface is set-up. (Perhaps it happens the same also in 1.1.8?)

I’ve also tried the following which according to man ipsec.conf should work by setting left = %any (but which unfortunately doesn’t seem to work):

sub get_ra_conn {
  my ($self, $name) = @_;
  my $oaddr = $self->{_out_addr};
  if (defined($self->{_dhcp_if})){
    return  (undef, "The specified interface is not configured for DHCP")
      if (!Vyatta::Misc::is_dhcp_enabled($self->{_dhcp_if},0));
    my $dhcpif = $self->{_dhcp_if};
    $oaddr = get_dhcp_addr($dhcpif);
  }
+  if ($oaddr eq "0.0.0.0"){
+    $oaddr = "%any";
+  }

ciprian.craciun · April 15, 2019, 9:32pm

Apparently by applying the previous sub get_ra_conn patch, a manual restart of the VPN (i.e. restart vpn) after the system has booted should do the trick… (Also double-check that the xl2tpd is actually running…)

(Why the manual restart solves anything is beyond me…)

zsdc · April 16, 2019, 1:33pm

Hello, @ciprian.craciun!

I would recommend you to use scripting and event handler to reconfigure L2TP server in case of PPPoE interface change its status or IP.

ciprian.craciun · April 16, 2019, 1:37pm

Apparently on 1.2.0 (at least from April 2019), you can just use set vpn l2tp remote-access outside-address 0.0.0.0 and L2TP should work. (Without any additional patches as described in my previous post.)

However for some reason the xl2tpd daemon isn’t started, and you’ll have to manually start it with sudo systemctl start xl2tpd. I’ve opened an issue about this: ⚓ T1339 When configuring L2TP with IPsec on 1.2.0 (201904160337), the `xl2tpd` daemon isn't automatically started

ciprian.craciun · April 16, 2019, 1:38pm

How can I reconfigure the L2TP server? Is there a command that would force the re-generation of the involved configuration files?

(I’ve found the documentation about event handling, but not about reconfiguration.)