IPSEC/L2TP with RADIUS on WIN2019 Server - Need help

Bug report created and pull request already added https://phabricator.vyos.net/T2565


@hook.ua can you check the configured secret on the RADIUS server and VyOS?

gw-ip-address must be present in both sections (ip-pool, radius), and even in [chap-secrets] if that auth type is used.

According to the accel documentation, it seems not.
https://accel-ppp.org/wiki/doku.php?id=configfile

gw-ip-address = x.x.x.x

Specifies IPv4 address to use as local address of ppp interface if Radius is used for IPv4 address assignment.

In my case the IP address is assigned to the client by the VyOS L2TP server.
Therefore the gw-ip-address items are not obligatory.

@hook.ua can you check the configured secret on the RADIUS server and VyOS?

Seems correct but will double check it

Hi @hook.ua,

Did you check this? I have successfully connected a Windows 10 client to my test router.

Hi, Dmitry.

Checked.
It is ok with secret.

Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: :: send [RADIUS(1) Access-Request id=1 <User-Name "DOMAIN\user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "yyy.yyy.yyy.27"> <Called-Station-Id "zzz.zzz.zzz.222"> <MS-CHAP-Challenge 0x309b48b6cb5f458b0d2c6f107ed63c54> <MS-CHAP2-Response 0x0100f0aba803c2e81bbad2f750b76a847d0500000000000000009cd0da5b50d318b2ba59f9a80c3d7dfbde8083ae7e497e41>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local netplugd[829]: ppp0: ignoring event
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: :: recv [RADIUS(1) Access-Accept id=1 <Framed-IP-Address 255.255.255.255> <Framed-Protocol PPP> <Service-Type Framed-User> <Class 0x987a08e800000137000102000a0100320000000054f3c4d1119b2bb901d63b4657fb2bfb0000000000000033> <MS-MPPE-Recv-Key 0x80651a5d8f895e8d63579d7c3058190e604f51d93e3b92378ca90ee6f201acb002d3> <MS-MPPE-Send-Key 0x8066db55586ba676f1565890ed6f11d6d8c55f897c405a30f465b78f61436f1881b3> <MS-CHAP2-Success 0x01533d45384630323430454631303434383939443141363235393142373231304539314443434339323930> <MS-CHAP-Domain "DOMAIN"> <MS-Link-Utilization-Threshold 50> <MS-Link-Drop-Time-Limit 120>]

The RADIUS secret is involved at earlier stages, when the RADIUS client (the VyOS router) authenticates to the RADIUS server (Windows Server 2019 Network Policy Server).

AFAIU the Access-Request and Access-Accept tell that everything ended successfully and access was granted.

But the flood of send [LCP ProtoRej id=246 <00fd>] depends on the RADIUS Server Network Policy setting, specifically the IP settings.

Only with this radio button position could I avoid the flood.
But there is a problem with address assignments:

Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfAck id=dd <addr 10.1.0.7>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=8 <addr 0.0.0.0> <dns1 0.0.0.0>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: send [IPCP ConfNak id=8 <addr 255.255.255.255> <dns1 10.1.0.50>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local kernel: l2tp0: renamed from ppp0
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: recv [IPCP ConfReq id=9 <addr 255.255.255.255> <dns1 10.1.0.50>]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: send [IPCP ConfAck id=9]
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: ipcp_layer_started
Jun 09 17:31:43 VYOS-ROUTER.DOMAIN.local accel-l2tp[4017]: ppp0:DOMAIN\user: rename interface to 'l2tp0'

To rewind quickly:
I have 3 types of L2TP clients: iOS, Linux and Windows.
Without RADIUS all 3 types work fine.
The only problem is manual login/password management.

With RADIUS, iOS and Linux both still work fine.
Only Windows 10 clients can't connect.

I am going to compare the address assignment and sequence for every type of client
to see what the difference is.

UPD-1
Finally: Windows 10 clients lose the gateway during connection.
With all identical settings from different sources, iOS and Linux work fine.

Framed-IP-Address 255.255.255.255 is not valid. As I remember, in the RFC 255.255.255.254 is used for delegating IP address assignment to the server. Can you try to set "Assign a static IPv4 address"?
Note: try to update your router to the latest version.

Yes, thanks.
The updated version generates a correct conf file:

[radius]
verbose=1
server=10.1.0.50,<secret>,auth-port=1812,req-limit=0,fail-time=0
acct-timeout=3
timeout=3
max-try=3

bind=10.1.0.13
gw-ip-address=10.1.0.7

Static address checked, assigned correctly.
All clients obtain the correct IP address from VyOS (either static from the RADIUS policy or dynamic from the ip-pool settings).

The problem, IMHO, is in gateway assignment.
The Windows 10 client does not recognize the settings and gets 0.0.0.0 as Default Gateway.

UPD
Suddenly everything stopped working.
Local authentication mode gives the same error, send [LCP ProtoRej id=217 <00fd>], and the default gateway is missing on the Windows 10 client.

The actual config is below:

local# cat /run/accel-pppd/l2tp.conf
### generated by accel_l2tp.py ###
[modules]
log_syslog
l2tp
chap-secrets
auth_mschap_v2

ippool
shaper
ipv6pool
ipv6_nd
ipv6_dhcp

[core]
thread-count=1

[log]
syslog=accel-l2tp,daemon
copy=1
level=5

[dns]
dns1=10.1.0.50

[l2tp]
verbose=1
ifname=l2tp%d
ppp-max-mtu=1436
mppe=prefer
bind=zzz.zzz.zzz.222

[client-ip-range]
0.0.0.0/0

[ip-pool]
10.1.0.126-135
gw-ip-address=10.1.0.7

[chap-secrets]
chap-secrets=/run/accel-pppd/l2tp.chap-secrets
gw-ip-address=10.1.0.7

[ppp]
verbose=1
check-ip=1
single-session=replace
lcp-echo-timeout=3600
lcp-echo-interval=30
lcp-echo-failure=3

[cli]
tcp=127.0.0.1:2004
sessions-columns=ifname,username,calling-sid,ip,rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime

The connection log looks good also:

accel-l2tp[3714]: :: starting data channel for l2tp(yyy.yyy.yyy.27:1701 session 43970-1, 63844-1)
accel-l2tp[3714]: :: lcp_layer_init
accel-l2tp[3714]: :: auth_layer_init
accel-l2tp[3714]: :: ccp_layer_init
accel-l2tp[3714]: :: ipcp_layer_init
accel-l2tp[3714]: :: ipv6cp_layer_init
accel-l2tp[3714]: :: ppp establishing
accel-l2tp[3714]: :: lcp_layer_start
accel-l2tp[3714]: :: send [LCP ConfReq id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 29023bbf> <pcomp> <accomp> < d 3 6 >]
accel-l2tp[3714]: :: send [LCP ConfRej id=0  <pcomp> <accomp> < d 3 6 >]
accel-l2tp[3714]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 29023bbf>]
accel-l2tp[3714]: :: send [LCP ConfAck id=1 ]
accel-l2tp[3714]: :: fsm timeout 9
accel-l2tp[3714]: :: send [LCP ConfReq id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: recv [LCP ConfAck id=60 <auth MSCHAP-v2> <mru 1436> <magic 7c9d3d2d>]
accel-l2tp[3714]: :: lcp_layer_started
accel-l2tp[3714]: :: auth_layer_start
accel-l2tp[3714]: :: send [MSCHAP-v2 Challenge id=1 <cbe69d33d6fe41a968317eca7e49c37>]
accel-l2tp[3714]: :: recv [LCP Ident id=2 <MSRASV5.20>]
accel-l2tp[3714]: :: recv [LCP Ident id=3 <MSRAS-0-DESKTOP-AAVEJ6V>]
accel-l2tp[3714]: [43B blob data]
accel-l2tp[3714]: :: recv [MSCHAP-v2 Response id=1 <761fbdbbb93f9a2c3f87aa23dd51cf1>, <fdbc74c646762d8fd119e3d6ccf817b6c3d23a5c2afa92d>, F=0, name="user@domain.pro"]
accel-l2tp[3714]: ppp0:user@domain.pro: connect: ppp0 <--> l2tp(yyy.yyy.yyy.27:1701 session 43970-1, 63844-1)
accel-l2tp[3714]: ppp0:user@domain.pro: ppp connected
accel-l2tp[3714]: ppp0:user@domain.pro: send [MSCHAP-v2 Success id=1 "S=EA2F51F6E385B8E72F40A1FD01F768A2161121A2 M=Authentication succeeded"]
accel-l2tp[3714]: ppp0:user@domain.pro: auth_layer_started
accel-l2tp[3714]: ppp0:user@domain.pro: ccp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfReq id=65 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: ipcp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: ipv6cp_layer_start
accel-l2tp[3714]: ppp0:user@domain.pro: user@domain.pro: authentication succeeded
netplugd[893]: ppp0: ignoring event
netplugd[893]: ppp0: ignoring event
systemd-udevd[3919]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfReq id=5 <mppe +H -M -S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfNak id=5 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfReq id=4b <addr 10.1.0.7>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfRej id=6 <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfAck id=65 <mppe +H -M +S -L -D -C>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [CCP ConfReq id=7 <mppe +H -M +S -L -D -C> (mppe enabled)]
accel-l2tp[3714]: ppp0:user@domain.pro: send [CCP ConfAck id=7]
accel-l2tp[3714]: ppp0:user@domain.pro: ccp_layer_started
netplugd[893]: ppp0: ignoring event
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfAck id=4b <addr 10.1.0.7>]
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=8 <addr 0.0.0.0> <dns1 0.0.0.0>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfNak id=8 <addr 10.1.0.129> <dns1 10.1.0.50>]
kernel: l2tp0: renamed from ppp0
accel-l2tp[3714]: ppp0:user@domain.pro: recv [IPCP ConfReq id=9 <addr 10.1.0.129> <dns1 10.1.0.50>]
accel-l2tp[3714]: ppp0:user@domain.pro: send [IPCP ConfAck id=9]
accel-l2tp[3714]: ppp0:user@domain.pro: ipcp_layer_started
accel-l2tp[3714]: ppp0:user@domain.pro: rename interface to 'l2tp0'
accel-l2tp[3714]: l2tp0:user@domain.pro: session started over l2tp session 43970-1, 63844-1
netplugd[893]: l2tp0: ignoring event
netplugd[893]: l2tp0: ignoring event
bgpd[983]: [EC 100663301] INTERFACE_STATE: Cannot find IF ppp0 in VRF 0
ripd[991]: interface delete ppp0 vrf 0 index 15 flags 0x1090 metric 0 mtu 1396
ripngd[995]: interface delete ppp0 vrf 0 index 15 flags 0x1090 metric 0 mtu 1396
ntpd[2130]: Listen normally on 20 l2tp0 10.1.0.7:123

Any idea will be highly appreciated.

Maybe you know how I can reproduce this issue in my LAB?
In your config output, I see you are using chap-secrets instead of radius.

I have to check how to do that.
I switched to chap-secrets (local authentication mode) from radius just to check that "plan B" for remote access still works. Unfortunately I am stuck in the same issue. A Windows reboot doesn't help :cry:

UPD
According to:

Each protocol carried over PPP has an associated Network Control Protocol (NCP) that negotiates options for the protocol and brings up the link for that protocol (Table 3-1 on page 3-4)

0x00FD means compression protocol

According to RFC 1661
https://tools.ietf.org/html/rfc1661#section-5.7
Protocol-Reject means that some requested feature is unsupported:

  Upon reception of a Protocol-Reject, the implementation MUST stop
  sending packets of the indicated protocol at the earliest
  opportunity.

Therefore, the stream of accel-l2tp[3714]: l2tp0 send [LCP ProtoRej id=160 <00fd>] means that the Windows client somehow requests compression but VyOS does not support it.
LCP compression in the L2TP section is definitely disabled (the check box is off).
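An added triage script (my own code, not from the thread or from VyOS) that scans accel-ppp syslog lines for the two symptoms discussed in this thread: the Access-Accept carrying Framed-IP-Address 255.255.255.255 (a reserved value per RFC 2865 section 5.8) and the LCP Protocol-Reject flood for 0x00fd. The sample lines are constructed from the thread's log with attributes trimmed, and `flood_threshold` is an assumed cutoff:

```python
import re
from collections import Counter

# PPP protocol numbers seen in the thread (RFC 1661 / IANA PPP number registry)
PPP_PROTOCOLS = {
    0x00fd: "compressed datagram (payload of the CCP-negotiated compressor)",
    0x80fd: "CCP",
    0x8021: "IPCP",
    0xc021: "LCP",
}
# RFC 2865 section 5.8: reserved Framed-IP-Address values in an Access-Accept
FRAMED_IP_SPECIAL = {
    "255.255.255.255": "NAS should let the user negotiate its own address",
    "255.255.255.254": "NAS should assign an address from its own pool",
}
PROTOREJ_RE = re.compile(r"send \[LCP ProtoRej id=[0-9a-f]+ <([0-9a-f]{4})>\]")
ACCEPT_RE = re.compile(r"Access-Accept .*<Framed-IP-Address ([0-9.]+)>")

def triage(lines, flood_threshold=3):
    """Return (findings, reject counts per protocol) for a list of accel-ppp log lines."""
    rejects = Counter()
    findings = []
    for line in lines:
        m = PROTOREJ_RE.search(line)
        if m:
            rejects[int(m.group(1), 16)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(1) in FRAMED_IP_SPECIAL:
            findings.append("radius: Framed-IP-Address %s (%s); review the NPS policy IP settings"
                            % (m.group(1), FRAMED_IP_SPECIAL[m.group(1)]))
    for proto, n in sorted(rejects.items()):
        if n >= flood_threshold:  # assumed cutoff for calling it a flood
            findings.append("lcp: %d Protocol-Reject for 0x%04x (%s); peer keeps offering a protocol "
                            "the server rejects, check [ppp] ccp=0"
                            % (n, proto, PPP_PROTOCOLS.get(proto, "unknown")))
    return findings, dict(rejects)

# Constructed sample lines modelled on the thread's log (attributes trimmed)
SAMPLE_LOG = [
    "accel-l2tp[4017]: :: recv [RADIUS(1) Access-Accept id=1 <Framed-IP-Address 255.255.255.255> <Framed-Protocol PPP>]",
    "accel-l2tp[3714]: l2tp0 send [LCP ProtoRej id=160 <00fd>]",
    "accel-l2tp[3714]: l2tp0 send [LCP ProtoRej id=161 <00fd>]",
    "accel-l2tp[3714]: l2tp0 send [LCP ProtoRej id=162 <00fd>]",
    "accel-l2tp[3714]: ppp0:user: recv [IPCP ConfAck id=4b <addr 10.1.0.7>]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[0]:
        print(finding)
```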

Hi @hook.ua, please check whether [ppp]ccp=0 is in the config.

Hi, Dmitry.
No, there is no such option.
I've added it and everything went smooth; the problem is gone.

How do you plan to insert this option during configuration?
There is no such option in the VyOS configuration.
Maybe mppe deny?

Thanks for your help.

You can simply insert this option by editing the template (sudo nano /usr/share/vyos/templates/accel-ppp/l2tp.config.tmpl) and then reconfiguring the l2tp service.
But better create a bug report on phabricator. This issue appears with MS-CHAP-v1/v2 and enabled CCP, and for other protocols.

Note: CCP should be disabled by default. In the CLI we only have the option to enable CCP.
https://phabricator.vyos.net/T2601

Great, thanks, I will change the template.

I have made a very simple hack:

[ppp]
{% if ccp_disable or (auth_mode == 'radius') %}
ccp=0
{% endif %}

It seems I don't have the right to create phabricator topics.
It would be highly appreciated if you did so.

Thanks
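An added lint (my own code, not VyOS's) for the generated l2tp.conf that encodes the two points raised in this thread: that `[ppp]` needs `ccp=0` for Windows clients, and that `gw-ip-address` should be present and identical in the ip-pool, chap-secrets and radius sections. The sample config is constructed from the thread's file with the radius section's gateway left out:

```python
from collections import defaultdict

def parse_accel_conf(text):
    """Minimal parser for accel-ppp's INI-like config: {section: [(key, value|None), ...]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment such as '### generated by accel_l2tp.py ###'
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")  # bare entries like '0.0.0.0/0' have no '='
        sections[current].append((key.strip(), value.strip() if sep else None))
    return sections

def lint(sections):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if dict(sections.get("ppp", [])).get("ccp") != "0":
        findings.append("[ppp] lacks ccp=0: Windows clients keep negotiating compression and "
                        "trigger LCP Protocol-Reject floods for 0x00fd")
    gateways = {}
    for section in ("ip-pool", "chap-secrets", "radius"):
        if section in sections:
            gateways[section] = dict(sections[section]).get("gw-ip-address")
    for section, gw in gateways.items():
        if gw is None:
            findings.append("[%s] lacks gw-ip-address" % section)
    if len({gw for gw in gateways.values() if gw}) > 1:
        findings.append("gw-ip-address differs across sections: %s" % gateways)
    return findings

# Constructed sample: the thread's sections with ccp=0 absent and no gateway under [radius]
SAMPLE_CONF = """\
### generated by accel_l2tp.py ###
[ip-pool]
10.1.0.126-135
gw-ip-address=10.1.0.7
[chap-secrets]
chap-secrets=/run/accel-pppd/l2tp.chap-secrets
gw-ip-address=10.1.0.7
[radius]
server=10.1.0.50,<secret>,auth-port=1812,req-limit=0,fail-time=0
[ppp]
verbose=1
check-ip=1
"""

if __name__ == "__main__":
    for finding in lint(parse_accel_conf(SAMPLE_CONF)):
        print(finding)
```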

Note: for l2tp we can disable CCP with the following command:

set vpn l2tp remote-access ccp-disable

Something went wrong :slight_smile:

vyos@VWF186:~$ configure
[edit]
vyos@VWF186# set vpn l2tp remote-access ccp-disable
[edit]
vyos@VWF186# commit
[ vpn l2tp ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report Time:      2020-06-16 12:53:52
Image Version:    VyOS 1.3-rolling-202006160117
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Tue 16 Jun 2020 01:17 UTC
Build UUID:       0d4bfbf2-1fd2-4165-8f64-28dc2d08672d
Build Commit ID:  1dfa9a3c7cce72

Architecture:     x86_64
Boot via:         installed image
System type:      Xen HVM guest

Hardware vendor:  Xen
Hardware model:   HVM domU
Hardware S/N:     9b365372-9071-cc5e-1b20-0722ec376886
Hardware UUID:    9b365372-9071-cc5e-1b20-0722ec376886

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_l2tp.py", line 371, in <module>
    c = get_config()
  File "/usr/libexec/vyos/conf_mode/vpn_l2tp.py", line 281, in get_config
    l2tp[['ccp_disable']] = True
TypeError: unhashable type: 'list'
[[vpn]] failed
Commit failed
[edit]
vyos@#

Yes, a typo in /usr/libexec/vyos/conf_mode/vpn_l2tp.py. We need to delete the redundant [ ]:

l2tp['ccp_disable'] = True

I will create a task on the phabricator


Hi, did you also get it working using RADIUS authentication? I have the same problem and got it working by disabling mppe and ccp, as long as I don't enable RADIUS authentication. When I enable RADIUS it stops working. If you got it working, would you mind sharing your config, and also the Windows config for NPS (if you have done anything special there)?

The latest rolling already has fixes for disabling CCP.
I can get a working router in my LAB with CCP enabled or disabled, with RADIUS or a local user; it does not matter.
Tell me how to reproduce your issue.

Hi Dmitry, thanks for taking the time to answer and try to solve the issues. I posted quite a long response in L2TP/SSTP - can't get traffic routed or passed over the VPN connection yesterday with info on my problem, configuration and log files.

I will download the latest rolling release and test if there are any differences later this evening.

Tested with the latest rolling. I can confirm that CCP disable works as expected.

As long as I use local user authentication it works perfectly.

When I switch to radius it stops working.

The client (Win10) will authenticate and get an IP address, but I cannot reach anything on "the other side". Looking on the VyOS server there is no l2tp interface for the connection (there is an interface created, but it does not have any IP address assigned). The only difference in the configuration is switching to radius (Windows Server 2019 Network Policy Server).

I comment out the authentication section in the config below and uncomment the "local" authentication section; everything else stays the same:

 l2tp {
     remote-access {
         authentication {
             mode radius
             mppe deny
             radius {
                 nas-identifier x.x.96.14
                 server x.x.96.60 {
                     key RadiusSecret
                 }
                 timeout 300
             }
         }
         ccp-disable
         /* authentication {
            local-users {
               username test {
                   password testpassword
               }
            }
            mode local
        }
*/
         client-ip-pool {
             subnet 172.22.0.0/16
         }
         gateway-address 10.255.255.0
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret L2TP4MFA!safe#2
             }
             ike-lifetime 3600
         }
         name-server x.x.96.74
         name-server x.x.96.35
         outside-address x.x.96.14
     }
 }

The settings on my NPS server are as the screenshots below show.