IPSEC/L2TP with RADIUS on WIN2019 Server - Need help

Hello there.

I need help with L2TP “authentication mode radius”.
Local user authentication mode works fine.

Adding RADIUS authentication causes a problem with Win10 clients.
VyOS is a recent rolling release.
The RADIUS server is Windows Server 2019 with AD.

Linux (Ubuntu 20.20) and IOS worked fine.
But for Windows 10, once the connection is established after authentication, the log fills with:

Jun 06 13:45:35 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=226 <00fd>]
Jun 06 13:45:35 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=237 <00fd>]
...
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=3 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=4 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=5 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=6 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=7 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=8 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=9 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=10 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=11 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=12 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=13 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=14 <00fd>]
Jun 06 13:45:37 vyos-router.local accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=15 <00fd>]

and the channel just goes down.

The configuration is very simple:

l2tp {
        remote-access {
            authentication {
                mode radius
                mppe prefer
                radius {
                    server 192.168.1.50 {
                        key <radius-key>
                        port 1812
                    }
                    source-address 192.168.1.13
                }
                require chap
                require mschap
                require mschap-v2
            }
            client-ip-pool {
                start 192.168.1.126
                stop 192.168.1.135
            }
            gateway-address 192.168.1.13
            /* gateway-address 192.168.1.7 */
            idle 3600
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret <preshared-secret-key>
                }
                ike-lifetime 3600
                lifetime 120
            }
            name-server 192.168.1.50
            outside-address xxx.xxx.xxx.222
        }
}

Any ideas and/or help will be highly appreciated.
What does the message [LCP ProtoRej id=8 <00fd>] really mean?

Thanks

Hi,

please note you need to alter your Windows 10 IPsec/L2TP settings afterwards to match this:

image

Hi, many thanks.

I’ve played with suggested settings many times.

Neither CHAP alone nor MS-CHAP V2, with or without “Automatically use”, helps.
Every type of authentication behaves similarly.

One thing I hadn’t tested is the Maximum strength setting in Data encryption.
Checked just now.

Same behavior again.

Hi @hook.ua, can you try changing the gateway-address? Try setting 10.255.255.0 as an example.

set vpn l2tp remote-access gateway-address 10.255.255.0

If possible, provide the VyOS log from when the Win10 client tries to connect.

Hi, Dmitry
Thanks, another gateway does not help

Excessive log is below, sorry for lengthy reply.



Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[NET] received packet: from zzz.zzz.zzz.27[45250] to yyy.yyy.yyy.222[500] (408 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[IKE] received FRAGMENTATION vendor ID
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[IKE] zzz.zzz.zzz.27 is initiating a Main Mode IKE_SA
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 07[NET] sending packet: from yyy.yyy.yyy.222[500] to zzz.zzz.zzz.27[45250] (156 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 08[NET] received packet: from zzz.zzz.zzz.27[45250] to yyy.yyy.yyy.222[500] (260 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 08[IKE] remote host is behind NAT
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 08[NET] sending packet: from yyy.yyy.yyy.222[500] to zzz.zzz.zzz.27[45250] (244 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[NET] received packet: from zzz.zzz.zzz.27[45898] to yyy.yyy.yyy.222[4500] (68 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[CFG] looking for pre-shared key peer configs matching yyy.yyy.yyy.222...zzz.zzz.zzz.27[192.168.1.233]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[CFG] selected peer config "remote-access"
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[IKE] IKE_SA remote-access[1] established between yyy.yyy.yyy.222[yyy.yyy.yyy.222]...zzz.zzz.zzz.27[192.168.1.233]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[IKE] DPD not supported by peer, disabled
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 09[NET] sending packet: from yyy.yyy.yyy.222[4500] to zzz.zzz.zzz.27[45898] (68 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[NET] received packet: from zzz.zzz.zzz.27[45898] to yyy.yyy.yyy.222[4500] (276 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[IKE] received 3600s lifetime, configured 0s
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[IKE] received 250000000 lifebytes, configured 0
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 11[NET] sending packet: from yyy.yyy.yyy.222[4500] to zzz.zzz.zzz.27[45898] (204 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 12[NET] received packet: from zzz.zzz.zzz.27[45898] to yyy.yyy.yyy.222[4500] (60 bytes)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local charon[4985]: 12[IKE] CHILD_SA remote-access{1} established with SPIs ca1af019_i df46b64c_o and TS yyy.yyy.yyy.222/32[udp/l2f] === zzz.zzz.zzz.27/32[udp/l2f]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp: recv [L2TP tid=0 sid=0 Ns=0 Nr=0 <Message-Type Start-Ctrl-Conn-Request> <Protocol-Version 256> <Framing-Capabilities 1> <Bearer-Capabilities 0> <Firmware-Revision 2560> <Host-Name DESKTOP-AAVEJ6V.disti.pro> <Vendor-Name Microsoft> <Assigned-Tunnel-ID 5> <Recv-Window-Size 8>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp: handling SCCRQ from zzz.zzz.zzz.27
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp: new tunnel 46629-5 created following reception of SCCRQ from zzz.zzz.zzz.27:1701
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): sending SCCRP
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=0 Nr=1 <Message-Type Start-Ctrl-Conn-Reply> <Protocol-Version 256> <Host-Name accel-ppp> <Framing-Capabilities 1> <Assigned-Tunnel-ID -18907> <Vendor-Name accel-ppp> <Recv-Window-Size 16>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message sent from send queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 2 messages added to reception queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message acked by peer
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): recv [L2TP tid=46629 sid=0 Ns=1 Nr=1 <Message-Type Start-Ctrl-Conn-Connected>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): handling SCCCN
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): established at yyy.yyy.yyy.222:1701
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): recv [L2TP tid=46629 sid=0 Ns=2 Nr=1 <Message-Type Incoming-Call-Request> <Assigned-Session-ID 1> <Call-Serial-Number 0> <Bearer-Type 2>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): handling ICRQ
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: sending ICRP
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): new session 15040-1 created following reception of ICRQ
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 2 messages processed from reception queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=1 Ns=1 Nr=3 <Message-Type Incoming-Call-Reply> <Assigned-Session-ID 15040>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message sent from send queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message added to reception queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message acked by peer
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): recv [L2TP tid=46629 sid=15040 Ns=3 Nr=2 <Message-Type Incoming-Call-Connected> <TX-Speed 866700000> <Framing-Type 1> <Proxy-Authen-Type 4>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: handling ICCN
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message processed from reception queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 0 message sent from send queue
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): sending ZLB
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=4]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: starting data channel for l2tp(zzz.zzz.zzz.27:1701 session 46629-5, 15040-1)
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: lcp_layer_init
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: auth_layer_init
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: ccp_layer_init
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: ipcp_layer_init
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: ipv6cp_layer_init
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: ppp establishing
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: lcp_layer_start
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [LCP ConfReq id=41 <auth MSCHAP-v2> <mru 1436> <magic 5e0d44e8>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 5efd33e3> <pcomp> <accomp> < d 3 6 >]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [LCP ConfRej id=0  <pcomp> <accomp> < d 3 6 >]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 5efd33e3>]
Jun 08 09:58:23 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [LCP ConfAck id=1 ]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: fsm timeout 9
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [LCP ConfReq id=41 <auth MSCHAP-v2> <mru 1436> <magic 5e0d44e8>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP ConfAck id=41 <auth MSCHAP-v2> <mru 1436> <magic 5e0d44e8>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: lcp_layer_started
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: auth_layer_start
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [MSCHAP-v2 Challenge id=1 <6e4bf4eb6e6c31d6e834a2946354361>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP Ident id=2 <MSRASV5.20>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP Ident id=3 <MSRAS-0-DESKTOP-AAVEJ6V>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [LCP Ident id=4 <K----G-+n->]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [MSCHAP-v2 Response id=1 <e7e87962cca643dc0764683cdbb9ef>, <4a1fb68518c47b123c925047a2b6b1b480f091b8ce5ca9>, F=0, name="DOMAIN\user"]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: send [RADIUS(1) Access-Request id=1 <User-Name "DOMAIN\user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "zzz.zzz.zzz.27"> <Called-Station-Id "yyy.yyy.yyy.222"> <MS-CHAP-Challenge 0x6e4bf4eb6e6c31d6e834a29463540361> <MS-CHAP2-Response 0x0100e7e87962cca6430dc0764683cdbb09ef00000000000000004a1fb68518c47b123c925047a2b6b1b480f0091b08ce5ca9>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: recv [RADIUS(1) Access-Accept id=1 <Framed-IP-Address 255.255.255.255> <Framed-Protocol PPP> <Service-Type Framed-User> <Class 0x986c08da00000137000102000a0100320000000054f3c4d1119b2bb901d63b4657fb2bfb0000000000000025> <MS-MPPE-Recv-Key 0x8049a8ff53c6a8ec23b8c96dd514089cd7d374f4f3ab8ea6e411c6c4a95e7db7f41a> <MS-MPPE-Send-Key 0x804a20afd908c65d5368a72cf8af8134583bd394edf4439d59147151b72d74c3f9e4> <MS-CHAP2-Success 0x01533d45453842353639454437324643313730343337364444463444314237353835423935303430414142> <MS-CHAP-Domain "DOMAIN"> <MS-Link-Utilization-Threshold 50> <MS-Link-Drop-Time-Limit 120>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: radius: gw-ip-address not specified, cann't assign IP address...
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local systemd-udevd[5047]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: :: mppe: 128-bit session keys not allowed, disabling mppe ...
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: connect: ppp0 <--> l2tp(zzz.zzz.zzz.27:1701 session 46629-5, 15040-1)
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ppp connected
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [MSCHAP-v2 Success id=1 "S=EE8B569ED72FC1704376DDF4D1B7585B95040AAB M=Authentication succeeded"]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: auth_layer_started
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ccp_layer_start
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [CCP ConfReq id=e <mppe -H -M -S -L -D -C>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ipcp_layer_start
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ipv6cp_layer_start
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: DOMAIN\user: authentication succeeded
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local netplugd[830]: ppp0: ignoring event
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local netplugd[830]: ppp0: ignoring event
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [CCP ConfReq id=5 <mppe +H -M -S -L -D -C>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [CCP ConfNak id=5 <mppe +H -M +S -L -D -C>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [IPCP ConfReq id=f5 <addr 10.255.255.0>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [IPCP ConfRej id=6 <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [CCP ConfAck id=e <mppe -H -M -S -L -D -C>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [CCP ConfReq id=7 <mppe +H -M +S -L -D -C> (mppe enabled)]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [CCP ConfAck id=7]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ccp_layer_started
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local netplugd[830]: ppp0: ignoring event
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [IPCP ConfAck id=f5 <addr 10.255.255.0>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=8 <addr 0.0.0.0> <dns1 0.0.0.0>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [IPCP ConfNak id=8 <addr 10.1.0.126> <dns1 10.1.0.50>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local kernel: l2tp0: renamed from ppp0
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=9 <addr 10.1.0.126> <dns1 10.1.0.50>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: send [IPCP ConfAck id=9]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: ipcp_layer_started
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: ppp0:DOMAIN\user: rename interface to 'l2tp0'
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [RADIUS(1) Accounting-Request id=1 <User-Name "DOMAIN\user"> <NAS-Port 0> <NAS-Port-Id "l2tp0"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "zzz.zzz.zzz.27"> <Called-Station-Id "yyy.yyy.yyy.222"> <Class 0x986c08da00000137000102000a0100320000000054f3c4d1119b2bb901d63b4657fb2bfb0000000000000025> <Acct-Status-Type Start> <Acct-Authentic RADIUS> <Acct-Session-Id "437f9ddde741faf7"> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 10.1.0.126>]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local ripd[929]: interface delete ppp0 vrf 0 index 14 flags 0x1090 metric 0 mtu 1396
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local netplugd[830]: l2tp0: ignoring event
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local ripngd[934]: interface delete ppp0 vrf 0 index 14 flags 0x1090 metric 0 mtu 1396
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local bgpd[921]: [EC 100663301] INTERFACE_STATE: Cannot find IF ppp0 in VRF 0
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: recv [RADIUS(1) Accounting-Response id=1]
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: session started over l2tp session 46629-5, 15040-1
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local netplugd[830]: l2tp0: ignoring event
Jun 08 09:58:26 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP ProtoRej id=67 <00fd>]

// ********************* ... sequence cut to reduce log size

Jun 08 09:58:28 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP ProtoRej id=103 <00fd>]
Jun 08 09:58:28 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP ProtoRej id=104 <00fd>]
Jun 08 09:58:28 VYOS-ROUTER.DOMAIN.local ntpd[2059]: Listen normally on 13 l2tp0 10.255.255.0:123
Jun 08 09:58:28 VYOS-ROUTER.DOMAIN.local ntpd[2059]: new interface(s) found: waking up resolver
Jun 08 09:58:28 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP ProtoRej id=105 <00fd>]

// ********************* ... sequence cut to reduce log size

Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP ProtoRej id=166 <00fd>]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local netplugd[830]: l2tp0: ignoring event
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: recv [LCP TermReq id=a]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [LCP TermAck id=10]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: terminate
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: lcp_layer_finish
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: auth_layer_finish
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: auth_layer_finished
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ccp_layer_finish
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ccp_layer_finished
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ipcp_layer_finish
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ipcp_layer_finished
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ipv6cp_layer_finish
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: ipv6cp_layer_finished
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: send [RADIUS(1) Accounting-Request id=2 <User-Name "DOMAIN\user"> <NAS-Port 0> <NAS-Port-Id "l2tp0"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "zzz.zzz.zzz.27"> <Called-Station-Id "yyy.yyy.yyy.222"> <Class 0x986c08da00000137000102000a0100320000000054f3c4d1119b2bb901d63b4657fb2bfb0000000000000025> <Acct-Status-Type Stop> <Acct-Authentic RADIUS> <Acct-Session-Id "437f9ddde741faf7"> <Acct-Session-Time 9> <Acct-Input-Octets 8999> <Acct-Output-Octets 246> <Acct-Input-Packets 107> <Acct-Output-Packets 9> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 10.1.0.126> <Acct-Terminate-Cause User-Request>]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:DOMAIN\user: recv [RADIUS(1) Accounting-Response id=2]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message added to reception queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 0 message acked by peer
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): recv [L2TP tid=46629 sid=15040 Ns=4 Nr=2 <Message-Type Call-Disconnect-Notify> <Result-Code> <Assigned-Session-ID 1>]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: handling CDN
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: CDN received from peer (result: 3, error: 0), disconnecting session
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: deleting session
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: deleting data channel
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): no more session, disconnecting tunnel
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): sending StopCCN (res: 1, err: 0)
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=5 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message sent from send queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message processed from reception queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 0 message sent from send queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): sending ZLB
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=3 Nr=5]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local netplugd[830]: l2tp0: ignoring event
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local bgpd[921]: [EC 100663301] INTERFACE_STATE: Cannot find IF l2tp0 in VRF 0
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local ripd[929]: interface delete l2tp0 vrf 0 index 14 flags 0x10 metric 0 mtu 1396
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local ripngd[934]: interface delete l2tp0 vrf 0 index 14 flags 0x10 metric 0 mtu 1396
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: lcp_layer_free
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: auth_layer_free
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: ccp_layer_free
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: ipcp_layer_free
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: ipv6cp_layer_free
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: ppp destablished
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp0:: session destroyed
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp session 46629-5, 15040-1: session destroyed
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message added to reception queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 0 message acked by peer
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): discarding message received while disconnecting
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 1 message processed from reception queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): 0 message sent from send queue
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): sending ZLB
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=3 Nr=6]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 14[NET] received packet: from zzz.zzz.zzz.27[45898] to yyy.yyy.yyy.222[4500] (76 bytes)
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 14[ENC] parsed INFORMATIONAL_V1 request 1006894663 [ HASH D ]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 14[IKE] received DELETE for ESP CHILD_SA with SPI df46b64c
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 14[IKE] closing CHILD_SA remote-access{1} with SPIs ca1af019_i (11892 bytes) df46b64c_o (3337 bytes) and TS yyy.yyy.yyy.222/32[udp/l2f] === zzz.zzz.zzz.27/32[udp/l2f]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 15[NET] received packet: from zzz.zzz.zzz.27[45898] to yyy.yyy.yyy.222[4500] (84 bytes)
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 15[ENC] parsed INFORMATIONAL_V1 request 2231969093 [ HASH D ]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 15[IKE] received DELETE for IKE_SA remote-access[1]
Jun 08 09:58:32 VYOS-ROUTER.DOMAIN.local charon[4985]: 15[IKE] deleting IKE_SA remote-access[1] between yyy.yyy.yyy.222[yyy.yyy.yyy.222]...zzz.zzz.zzz.27[192.168.1.233]
Jun 08 09:58:33 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmission #1
Jun 08 09:58:33 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmit (timeout) [L2TP tid=5 sid=0 Ns=2 Nr=5 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:33 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:34 VYOS-ROUTER.DOMAIN.local ntpd[2059]: Deleting interface #13 l2tp0, 10.255.255.0#123, interface stats: received=0, sent=0, dropped=0, active_time=6 secs
Jun 08 09:58:35 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmission #2
Jun 08 09:58:35 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmit (timeout) [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:35 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:39 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmission #3
Jun 08 09:58:39 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmit (timeout) [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:39 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:47 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmission #4
Jun 08 09:58:47 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmit (timeout) [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:58:47 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:59:03 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmission #5
Jun 08 09:59:03 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): retransmit (timeout) [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:59:03 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): send [L2TP tid=5 sid=0 Ns=2 Nr=6 <Message-Type Stop-Ctrl-Conn-Notify> <Assigned-Tunnel-ID -18907> <Result-Code>]
Jun 08 09:59:19 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): no acknowledgement from peer after 5 retransmissions, deleting tunnel
Jun 08 09:59:19 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): deleting tunnel
Jun 08 09:59:19 VYOS-ROUTER.DOMAIN.local accel-l2tp[4945]: l2tp tunnel 46629-5 (zzz.zzz.zzz.27:1701): tunnel destroyed

Hi @hook.ua. It seems this is a bug.
radius: gw-ip-address not specified, cann't assign IP address...
This means gw-ip-address is not defined in the accel-ppp [radius] section. Need to create a bug report on https://phabricator.vyos.net/.

P.S. Can you try manually adding gw-ip-address to the daemon config file to check?

sudo nano /var/run/accel-pppd/l2tp.conf 

add to section [radius]

[radius]
gw-ip-address=10.255.255.0

Run accel-cmd restart -p 2004 to restart the daemon.

Hi, Dmitry.
I really appreciate your attention.
I used this log many times to find any kind of error but missed this one.

Will try to check ASAP manual configuration.

UPD:

It seems the gateway was injected into the wrong section

[ip-pool]
10.1.0.126-135
gw-ip-address=10.255.255.0

[radius]
verbose=1
server=10.1.0.50,<secret>,auth-port=1812,req-limit=0,fail-time=0
acct-timeout=3
timeout=3
max-try=3

UPD-2:

  1. Need to dig deep into the code of vpn_l2tp.py
  2. Does not have internet connection from client PC, but need to check IP settings.

Sorry, have to go just now.

gw-ip-address must be present in both sections (ip-pool, radius), and even in [chap-secrets] if this auth type is used.

Bug report created and pull request already added: T2565 Cannot connect to l2tp server with radius auth

@hook.ua can you check configured secret on the radius server and VyOS?

gw-ip-address must be present in both sections (ip-pool, radius), and even in [chap-secrets] if this auth type is used.

According to the accel documentation, it seems not.
https://accel-ppp.org/wiki/doku.php?id=configfile

gw-ip-address = x.x.x.x

Specifies IPv4 address to use as local address of ppp interface if Radius is used for IPv4 address assignment.

In my case the IP address is assigned to the client by the VYOS L2TP server.
Therefore gw-ip-address items are not obligatory.

@hook.ua can you check configured secret on the radius server and VyOS?

Seems correct but will double check it

Hi @hook.ua,

Did you check this? I have successfully connected Windows 10 client to my test router.

Hi, Dmitry.

Checked.
It is ok with secret.

Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: :: send [RADIUS(1) Access-Request id=1 <User-Name "DOMAIN\user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "yyy.yyy.yyy.27"> <Called-Station-Id "zzz.zzz.zzz.222"> <MS-CHAP-Challenge 0x309b48b6cb5f458b0d2c6f107ed63c54> <MS-CHAP2-Response 0x0100f0aba803c2e81bbad2f750b76a847d0500000000000000009cd0da5b50d318b2ba59f9a80c3d7dfbde8083ae7e497e41>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local netplugd[829]: ppp0: ignoring event
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: :: recv [RADIUS(1) Access-Accept id=1 <Framed-IP-Address 255.255.255.255> <Framed-Protocol PPP> <Service-Type Framed-User> <Class 0x987a08e800000137000102000a0100320000000054f3c4d1119b2bb901d63b4657fb2bfb0000000000000033> <MS-MPPE-Recv-Key 0x80651a5d8f895e8d63579d7c3058190e604f51d93e3b92378ca90ee6f201acb002d3> <MS-MPPE-Send-Key 0x8066db55586ba676f1565890ed6f11d6d8c55f897c405a30f465b78f61436f1881b3> <MS-CHAP2-Success 0x01533d45384630323430454631303434383939443141363235393142373231304539314443434339323930> <MS-CHAP-Domain "DOMAIN"> <MS-Link-Utilization-Threshold 50> <MS-Link-Drop-Time-Limit 120>]

The RADIUS secret is involved at earlier stages, when the RADIUS client (vyos router) is authenticated on the RADIUS server (Windows 2019 Server Network Policy Server).

AFAIU, Access-Request and Access-Accept tell that everything ended successfully and access was granted.

But the flood of send [LCP ProtoRej id=246 <00fd>] depends on the RADIUS Server Network Policy setting, specifically the IP settings.

Only in this radio position could I avoid the flood.
But there is a problem with address assignments:

Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfAck id=dd <addr 10.1.0.7>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=8 <addr 0.0.0.0> <dns1 0.0.0.0>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: send [IPCP ConfNak id=8 <addr 255.255.255.255> <dns1 10.1.0.50>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local kernel: l2tp0: renamed from ppp0
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=9 <addr 255.255.255.255> <dns1 10.1.0.50>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: send [IPCP ConfAck id=9]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: ipcp_layer_started
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: rename interface to 'l2tp0'

To rewind quickly:
I have 3 types of l2tp clients - iOS, Linux and Windows.
Without RADIUS all 3 types work fine.
Only one problem - manual login\password management.

With RADIUS, iOS and Linux both still work fine.
Only Windows 10 clients can’t connect.

I am going to compare the address assignment and sequence for every type of client,
to see what the difference is.

UPD-1
Finally - Windows 10 clients lost the gateway during connection.
With all identical settings from different sources, iOS and Linux work fine.

Framed-IP-Address 255.255.255.255 is not valid. As I remember, the RFC uses 255.255.255.254 for delegating the IP address from the server. Can you try to set Assign a static IPv4 address?
Note: try to update your router to the latest version.

yes, thanks.
Updated version generates correct conf file

[radius]
verbose=1
server=10.1.0.50,<secret>,auth-port=1812,req-limit=0,fail-time=0
acct-timeout=3
timeout=3
max-try=3

bind=10.1.0.13
gw-ip-address=10.1.0.7

Static address checked, assigned correctly.
All clients obtained the correct IP address from VYOS (either static from RADIUS policy or dynamic inside the ip-pool settings)

The problem, IMHO, is in gateway assignment.
The Windows 10 client does not recognize the settings and got Default Gateway as 0.0.0.0

UPD
Suddenly everything stopped working.
Local authentication mode gives the same error - send [LCP ProtoRej id=217 <00fd>] - and the default gateway is missing on the Windows 10 client.

The actual config is below

local# cat /run/accel-pppd/l2tp.conf
### generated by accel_l2tp.py ###
[modules]
log_syslog
l2tp
chap-secrets
auth_mschap_v2

ippool
shaper
ipv6pool
ipv6_nd
ipv6_dhcp

[core]
thread-count=1

[log]
syslog=accel-l2tp,daemon
copy=1
level=5

[dns]
dns1=10.1.0.50

[l2tp]
verbose=1
ifname=l2tp%d
ppp-max-mtu=1436
mppe=prefer
bind=zzz.zzz.zzz.222

[client-ip-range]
0.0.0.0/0

[ip-pool]
10.1.0.126-135
gw-ip-address=10.1.0.7

[chap-secrets]
chap-secrets=/run/accel-pppd/l2tp.chap-secrets
gw-ip-address=10.1.0.7

[ppp]
verbose=1
check-ip=1
single-session=replace
lcp-echo-timeout=3600
lcp-echo-interval=30
lcp-echo-failure=3

[cli]
tcp=127.0.0.1:2004
sessions-columns=ifname,username,calling-sid,ip,rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime[edit]

connection log looks good also

accel-l2tp[3714]: :: starting data channel for l2tp(yyy.yyy.yyy.27:1701 session 43970-1, 63844-1)
accel-l2tp[3714]: :: lcp_layer_init
accel-l2tp[3714]: :: auth_layer_init
accel-l2tp[3714]: :: ccp_layer_init
accel-l2tp[3714]: :: ipcp_layer_init
accel-l2tp[3714]: :: ipv6cp_layer_init
accel-l2tp[3714]: :: ppp establishing
accel-l2tp[3714]: :: lcp_layer_start
accel-l2tp[3714]: :: send [LCP ConfReq id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 29023bbf> <pcomp> <accomp> < d 3 6 >]
accel-l2tp[3714]: :: send [LCP ConfRej id=0  <pcomp> <accomp> < d 3 6 >]
accel-l2tp[3714]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 29023bbf>]
accel-l2tp[3714]: :: send [LCP ConfAck id=1 ]
accel-l2tp[3714]: :: fsm timeout 9
accel-l2tp[3714]: :: send [LCP ConfReq id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: recv [LCP ConfAck id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: lcp_layer_started
accel-l2tp[3714]: :: auth_layer_start
accel-l2tp[3714]: :: send [MSCHAP-v2 Challenge id=1 <cbe69d33d6fe41a968317eca7e49c37>]
accel-l2tp[3714]: :: recv [LCP Ident id=2 <MSRASV5.20>]
accel-l2tp[3714]: :: recv [LCP Ident id=3 <MSRAS-0-DESKTOP-AAVEJ6V>]
accel-l2tp[3714]: [43B blob data]
accel-l2tp[3714]: :: recv [MSCHAP-v2 Response id=1 <761fbdbbb93f9a2c3f87aa23dd51cf1>, <fdbc74c646762d8fd119e3d6ccf817b6c3d23a5c2afa92d>, F=0, name="user@domain.pro"]
accel-l2tp[3714]: ppp0:user@domain.pro: connect: ppp0 <--> l2tp(yyy.yyy.yyy.27:1701 session 43970-1, 63844-1)
accel-l2tp[3714]: ppp0:user@domain.pro: ppp connected
accel-l2tp[3714]: ppp0:user@domain.pro: send [MSCHAP-v2 Success id=1 "S=EA2F51F6E385B8E72F40A1FD01F768A2161121A2 M=Authentication succeeded"]
accel-l2tp[3714]: ppp0:user@domain.pro: auth_layer_started
accel-l2tp[3714]: ppp0:user@domain.pro: ccp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfReq id=65 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: ipcp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: ipv6cp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: user@domain.pro: authentication succeeded
netplugd[893]: ppp0: ignoring event
netplugd[893]: ppp0: ignoring event
systemd-udevd[3919]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfReq id=5 <mppe +H -M -S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfNak id=5 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfReq id=4b <addr 10.1.0.7>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfRej id=6 <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfAck id=65 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfReq id=7 <mppe +H -M +S -L -D -C> (mppe enabled)]
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfAck id=7]
accel-l2tp[3714]: ppp0:user@domain.pro: ccp_layer_started
netplugd[893]: ppp0: ignoring event
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfAck id=4b <addr 10.1.0.7>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=8 <addr 0.0.0.0> <dns1 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfNak id=8 <addr 10.1.0.129> <dns1 10.1.0.50>]
kernel: l2tp0: renamed from ppp0
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=9 <addr 10.1.0.129> <dns1 10.1.0.50>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfAck id=9]
accel-l2tp[3714]: ppp0:user@domain.pro: ipcp_layer_started
accel-l2tp[3714]: ppp0:user@domain.pro: rename interface to 'l2tp0'
accel-l2tp[3714]: l2tp0:user@domain.pro: session started over l2tp session 43970-1, 63844-1
netplugd[893]: l2tp0: ignoring event
netplugd[893]: l2tp0: ignoring event
bgpd[983]: [EC 100663301] INTERFACE_STATE: Cannot find IF ppp0 in VRF 0
ripd[991]: interface delete ppp0 vrf 0 index 15 flags 0x1090 metric 0 mtu 1396
ripngd[995]: interface delete ppp0 vrf 0 index 15 flags 0x1090 metric 0 mtu 1396
ntpd[2130]: Listen normally on 20 l2tp0 10.1.0.7:123

any idea will be highly appreciated.

Maybe you know how I can reproduce this issue in my LAB?
In your config output, I see you using chap-secrets instead of radius.

I have to check how to do that.
I switched to chap-secret (local authentication mode) from radius just to check that “plan B” for remote access still works. Unfortunately I am stuck on the same issue. Windows reboot doesn’t help :cry:

UPD
According to

Each protocol carried over PPP has an associated Network Control Protocol (NCP) that negotiates options for the protocol and brings up the link for that protocol (Table 3-1 on page 3-4)

0x00FD means compression protocol

According to RFC 1661

Protocol-Reject means that some requested feature is unsupported

  Upon reception of a Protocol-Reject, the implementation MUST stop
  sending packets of the indicated protocol at the earliest
  opportunity.

Therefore, the stream of accel-l2tp[3714]: l2tp0 send [LCP ProtoRej id=160 <00fd>] means that the Windows client somehow requests compression but VYOS does not support it.
LCP compression in the L2TP section is definitely disabled (check box is off).

Hi @hook.ua, please check whether [ppp]ccp=0 is in the config.

Hi, Dmitry.
No, there is no such option.
I’ve added it and everything went smoothly, the problem is gone.

How do you plan to insert this option during configuration?
There is no option in the vyos configuration.
Maybe mppe deny?

Thanks for your help.

You can simply insert this option by editing the template sudo nano /usr/share/vyos/templates/accel-ppp/l2tp.config.tmpl and then reconfiguring the l2tp service.
But it is better to create a bug report on the phabricator. This issue appears with MS-CHAP-v1/v2 and enabled CCP and for other protocols.

Note: CCP should be disabled by default. In CLI we only have the option to enable CCP.
https://phabricator.vyos.net/T2601
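
A triage helper for the symptom and the fix discussed in this thread, added here as an example (it is not code from the thread, VyOS or accel-ppp): it counts LCP Protocol-Reject messages per session and rejected protocol in accel-ppp log lines, and checks whether a generated config sets ccp=0 in [ppp]. The function names, the flood threshold and the sample lines are assumptions made for the example.

```python
import configparser
import re
from collections import Counter

# PPP protocol numbers (IANA "PPP DLL Protocol Numbers"); 0x00fd is the one rejected in the thread.
PPP_PROTOCOLS = {0x00FD: "compressed datagram (CCP data)", 0x80FD: "CCP", 0x8021: "IPCP", 0x8057: "IPV6CP"}

# Matches e.g. "accel-l2tp[6881]: l2tp0:DOMAIN\USER: send [LCP ProtoRej id=226 <00fd>]"
PROTOREJ = re.compile(
    r"accel-\w+\[\d+\]: (?P<sess>\S+): send \[LCP ProtoRej id=\w+ <(?P<proto>[0-9a-fA-F]{4})>\]"
)

def protorej_floods(log_lines, threshold=5):
    """Map (session, rejected protocol) -> count for sessions with >= threshold Protocol-Rejects."""
    counts = Counter()
    for line in log_lines:
        m = PROTOREJ.search(line)
        if m:
            proto = int(m["proto"], 16)
            counts[(m["sess"], PPP_PROTOCOLS.get(proto, f"unknown 0x{proto:04x}"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def ccp_disabled(conf_text):
    """True when the [ppp] section of an accel-ppp config sets ccp=0."""
    cp = configparser.ConfigParser(
        allow_no_value=True,   # bare lines such as module names and "10.1.0.126-135"
        interpolation=None,    # "ifname=l2tp%d" must not be treated as interpolation
        strict=False,
        delimiters=("=",),     # keep "tcp=127.0.0.1:2004" and IPv6 values intact
    )
    cp.read_string(conf_text)
    return cp.has_section("ppp") and cp.get("ppp", "ccp", fallback=None) == "0"

# Constructed sample input in the format shown in this thread.
SAMPLE_LOG = [
    f"Jun 06 13:45:37 vyos accel-l2tp[6881]: l2tp0:DOMAIN\\USER: send [LCP ProtoRej id={i} <00fd>]"
    for i in range(3, 9)
] + ["Jun 06 13:45:37 vyos accel-l2tp[6881]: l2tp0:DOMAIN\\USER: send [IPCP ConfAck id=9]"]
SAMPLE_CONF = "[ip-pool]\n10.1.0.126-135\ngw-ip-address=10.1.0.7\n\n[ppp]\nverbose=1\ncheck-ip=1\n"

if __name__ == "__main__":
    for (sess, proto), n in protorej_floods(SAMPLE_LOG).items():
        print(f"{sess}: {n} Protocol-Rejects for {proto}")
    print("ccp=0 set in [ppp]:", ccp_disabled(SAMPLE_CONF))
```

Feeding it the real journal output and /run/accel-pppd/l2tp.conf shows whether a ProtoRej flood coincides with a [ppp] section that lacks ccp=0.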