L2TP/SSTP - can't get traffic routed or passed over the VPN connection

I have had an issue with L2TP ever since VyOS changed from the old pppd to accel-ppp. My quick solution has been to revert back to a version of VyOS where the change did not happen. Now I wanted to test out SSTP and must run a newer version, and I also wanted to check if the problem is with L2TP and IPsec or with the underlying PPP transport.

My problem is that I cannot get the traffic routed, no matter what I do - there must be some configuration that I am missing. If I take a working configuration from an older 1.2 build and migrate it to the latest build of 1.3 (currently testing on VyOS 1.3-rolling-202006080117, but also tested on older builds) it simply will not route any traffic and I am unable to ping even the gateway address or anything on the LAN.

The Windows 10 client will connect, authenticate, get an ip-address from the pool, but no traffic will pass over the VPN connection (or get routed, or get blocked, or whatever).

I have routing working and with the same configuration on an old 1.2 build (without the SSTP part) on the same VM it works without a problem. I have also tested to add NAT/Masquerading to check if this has changed with the later builds - but it does not change anything.

My configuration is as below (stripped of passwords and with public IP addresses changed to 192.168.x.x):

set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces loopback lo
set protocols static route 0.0.0.0/0 next-hop 192.168.0.254
set service snmp community my_comunity
set service snmp contact 'klase'
set service ssh
set system config-management commit-revisions '100'
set system domain-name 'mydomain.com'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password 'hash'
set system login user vyos authentication plaintext-password ''
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication radius nas-identifier '192.168.0.1'
set vpn l2tp remote-access authentication radius server 192.168.0.10 key 'xxxx'
set vpn l2tp remote-access authentication radius timeout '300'
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
set vpn l2tp remote-access gateway-address '172.22.0.1'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'mysecret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.0.1'
set vpn sstp authentication mode 'radius'
set vpn sstp authentication protocols 'mschap-v2'
set vpn sstp authentication radius nas-identifier '192.168.0.1'
set vpn sstp authentication radius server 192.168.0.10 key 'xxxx'
set vpn sstp authentication radius timeout '30'
set vpn sstp network-settings client-ip-settings gateway-address '172.22.10.1'
set vpn sstp network-settings client-ip-settings subnet '172.22.11.0/24'
set vpn sstp network-settings name-server '8.8.4.4'
set vpn sstp network-settings name-server '8.8.8.8'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'

Anyone have any ideas on what I could be missing, or that has changed going from pppd to accel-ppp?

Hi @klase, as I remember, the only point is proxy-arp, which was automatic in the old l2tp daemon implementation.
Can you explain from which IP and which host you can't reach?
Maybe it would be better for understanding to draw a network map with IP addresses?

Below is a very rudimentary network map. Please note that the 192.168.0.x network is not the actual network used. The addresses used for that net are all public addresses from a /24 network.

I have tried a similar setup at home where the router is the only thing with a public IP-address on the “outside” and I do get the same problem.

I do get authenticated and get an IP address from the pool, 172.22.0.x, but I am unable to reach anything from the client. If I add an alias to eth0 I am unable to reach that alias address, if I add a secondary interface to the router I cannot reach that interface, and I cannot reach anything on the same subnet as the router, or anything any router hops away. Since I don't have the problem when I go back to previous versions of VyOS I really don't think that there is a problem with my internal routing or firewalling (I do have several other VPN routers running IPsec, OpenVPN and WireGuard in the infrastructure for both client connectivity and net<->net VPNs).

I have read the documentation for VyOS 1.3 and L2TP/SSTP setup and tried to do as little configuration as possible to eliminate everything else.

You do mention proxy-arp… Is there a way to turn it on, or is there some other requirement to fulfill to get it working when it does not have automatic proxy-arp?

I'm not sure that this is the same issue, but you can read more here: VPN: hosts in remote LAN unreachable after update 1.2.3 -> 1.2 rolling - #5 by Dmitry

Can you show a traceroute from the L2TP or SSTP client to some host which you can't reach?
Please change/mask the first two octets of real IP addresses.

Doing a traceroute to any ip-address in our network will only produce:
"* * * * Request timed out. "
Even for the first step.
I have tested to add
set interfaces ethernet eth0 ip enable-proxy-arp
But it does not make any difference.
I currently only have one interface on the VPN router since it sits on the same network as the hosts to be reached. I will do a test to add a secondary interface tomorrow morning (it's past midnight here now).
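Whether proxy-arp matters here comes down to where the client pool sits relative to the router's own subnets: in the first config posted, the 172.22.0.x pool lies outside eth0's 192.168.0.0/24, while a later config in this thread puts 172.22.0.1/16 on eth0, which places the pool inside a connected subnet. The script below is an added example, not code from this thread or from VyOS: it parses 'set' lines in the format posted above and reports which of the two cases applies, and therefore whether the fix is proxy-arp on that interface (which, per Dmitry's remark, the old pppd-based setup did by itself) or a return route / NAT for the pool. The two sample configs are constructed from the masked ones in this thread, including an unparseable masked address; the function and variable names are my own.

```python
import ipaddress
import shlex

# Constructed samples in the 'set ...' format used in this thread. Addresses are the masked
# ones posted here; 'x.x.95.14/25' is kept unparseable on purpose, exactly as posted.
CONFIG_POOL_OUTSIDE_LAN = """
set interfaces ethernet eth0 address '192.168.0.1/24'
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
set vpn l2tp remote-access gateway-address '172.22.0.1'
"""

CONFIG_POOL_INSIDE_LAN = """
set interfaces ethernet eth0 address 'x.x.95.14/25'
set interfaces ethernet eth0 address '172.22.0.1/16'
set interfaces ethernet eth1 address 'x.x.96.14/24'
set interfaces ethernet eth1 ip enable-proxy-arp
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
"""


def parse_set_lines(text):
    """Collect ethernet addresses, proxy-arp flags and the L2TP client pool from 'set' lines."""
    addrs, proxy_arp, pool = {}, set(), {}
    for raw in text.splitlines():
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")  # forum curly quotes
        if not line.startswith("set "):
            continue
        try:
            t = shlex.split(line)
        except ValueError:            # unbalanced quote on a pasted line: ignore that line
            continue
        if t[1:3] == ["interfaces", "ethernet"] and len(t) == 6 and t[4] == "address":
            addrs.setdefault(t[3], []).append(t[5])
        elif t[1:3] == ["interfaces", "ethernet"] and t[4:] == ["ip", "enable-proxy-arp"]:
            proxy_arp.add(t[3])
        elif t[1:5] == ["vpn", "l2tp", "remote-access", "client-ip-pool"] and len(t) == 7:
            pool[t[5]] = t[6]          # 'start' / 'stop'
    return addrs, proxy_arp, pool


def check_return_path(text):
    """Work out how LAN-side replies to pool clients get back to the VPN router.

    Pool inside a connected subnet: neighbours ARP for the client addresses, so the router
    must answer for them (proxy-arp on that interface; the thread says the old pppd-based
    setup did this by itself).
    Pool outside every connected subnet: the LAN hosts or their gateway need a route for
    the pool via this router, or the router has to NAT the clients.
    """
    addrs, proxy_arp, pool = parse_set_lines(text)
    if "start" not in pool or "stop" not in pool:
        return {"status": "no client-ip-pool found"}
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["stop"])))
    overlaps, skipped = [], []
    for iface, alist in addrs.items():
        for a in alist:
            try:
                net = ipaddress.ip_interface(a).network
            except ValueError:
                skipped.append(a)      # masked address such as x.x.95.14/25: cannot evaluate
                continue
            if any(b.overlaps(net) for b in blocks):
                overlaps.append({"interface": iface, "connected": str(net),
                                 "proxy_arp": iface in proxy_arp})
    if not overlaps:
        advice = ("pool is outside every connected subnet: the LAN needs a return route "
                  "for it via this router, or the router must NAT the clients")
    elif all(o["proxy_arp"] for o in overlaps):
        advice = "pool is inside a connected subnet and proxy-arp is enabled there"
    else:
        missing = " ".join(o["interface"] for o in overlaps if not o["proxy_arp"])
        advice = f"pool is inside a connected subnet: set interfaces ethernet {missing} ip enable-proxy-arp"
    return {"status": "ok", "pool": [str(b) for b in blocks], "overlaps": overlaps,
            "skipped": skipped, "advice": advice}


if __name__ == "__main__":
    for name, cfg in (("pool outside LAN", CONFIG_POOL_OUTSIDE_LAN),
                      ("pool inside LAN", CONFIG_POOL_INSIDE_LAN)):
        print(name, "->", check_return_path(cfg)["advice"])
```

Masked addresses are reported under "skipped" rather than guessed at, so a config pasted with x.x. placeholders still yields a verdict for the addresses that are readable.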

Hello @klase, do you have any results?
Is address 172.22.0.1 reachable via ICMP from the l2tp client? Run ping 172.22.0.1

Hi, sorry for late reply. I have done a lot more testing and built a complete isolated test environment and also tested in a production environment with a stripped down configuration.

The currently running configuration is in the commands below, and I have also tested back and forth with proxy-arp on eth0 and/or eth1 and with no proxy-arp. The behaviour I get is that I can connect the VPN and get traffic flowing for a short period of time, but after 30 seconds to 1.5 minutes traffic stops flowing and I cannot reach anything through the VPN connection. At the start I can reach the IP address of the VPN router (if I add an alias on the same network I can also reach that IP address), I can ping the Google DNS servers and do a traceroute. I will try to find time during the weekend to set up an Ubuntu server with accel-ppp and see if I get the same behaviour. I have configured and tested a PPTP/SSTP server on Windows Remote Access & Routing and it seems to work - but I don't really want to have it running on Windows…

Public IP addresses and passwords changed/masked in my actual running config…

set interfaces ethernet eth0 address 'x.x.95.14/25'
set interfaces ethernet eth0 address '172.22.0.1/16'
set interfaces ethernet eth0 hw-id '00:50:56:a2:97:41'
set interfaces ethernet eth1 address 'x.x.96.14/24'
set interfaces ethernet eth1 hw-id '00:50:56:a2:b9:f2'
set interfaces ethernet eth1 ip enable-proxy-arp
set interfaces loopback lo
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.22.0.0/16'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop x.x.95.1
set protocols static route 10.0.0.0/8 next-hop x.x.96.5
set protocols static route 172.16.0.0/16 next-hop x.x.96.5
set protocols static route 192.168.0.0/16 next-hop x.x.96.5
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'se-got-vpn04'
set system login user vyos authentication encrypted-password '************'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access authentication local-users username l2tptest password 'password4l2tptest'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access name-server 'x.x.96.74'
set vpn l2tp remote-access name-server 'x.x.96.35'
set vpn l2tp remote-access outside-address 'x.x.95.14'

Hi, why do you need 172.22.0.1 on eth0?

Can you try to define a different address range for l2tp/sstp for testing?

This is just a leftover from testing. I added an alias for testing whether I could ping an IP on the same subnetwork. It has not been there for most of the testing time.

Hi @klase, which local IP address does the client have? Is it from 192.168.0.X/24, and are you trying to reach 192.168.0.X/24 over l2tp?
Can you share show ip route output?

The client has had several different IP addresses from several different local subnets (my guest WiFi, my "real" WiFi, tethered from a phone with WiFi sharing, connected from our summerhouse WiFi - where there is only a combined router/WiFi access point). I have tried to reach addresses on several public networks (x.x.94.x, x.x.95.x, x.x.154.x, etc.), private networks (192.168.x.x, 172.x.x.x, 10.x.x.x) and also public internet addresses like 8.8.8.8 and 8.8.4.4 (using NAT on the router and also fully routed with NAT at the internet border gateway).

Output of show ip route below (masked) - when a client is connected and has received IP address 172.22.0.6:

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [1/0] via 193.15.95.1, eth0, 3d02h10m
S>* 10.0.0.0/8 [1/0] via 193.15.96.5, eth1, 3d01h54m
S>* 172.16.0.0/16 [1/0] via 193.15.96.5, eth1, 3d01h54m
C>* 172.22.0.6/32 is directly connected, l2tp0, 00:00:04
S>* 192.168.0.0/16 [1/0] via 193.15.96.5, eth1, 3d01h54m
C>* 193.15.95.0/25 is directly connected, eth0, 3d02h10m
C>* 193.15.96.0/24 is directly connected, eth1, 00:03:34

ifconfig also shows the l2tp0 network with “correct” ip-addresses:
l2tp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1396
inet 172.22.0.2 netmask 255.255.255.255 destination 172.22.0.6
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 1176 bytes 98554 (96.2 KiB)
RX errors 1 dropped 0 overruns 0 frame 0
TX packets 106 bytes 62828 (61.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

After a lot of troubleshooting, installing an Ubuntu server and compiling accel-ppp on the server, reading logs and trial and error, I am now pretty confident that the problem is in MPPE negotiation. Observing the logs will give the error "l2tp0: username: send [LCP ProtoRej id=nnn <00fd>]". Disabling LCP extensions in Windows will not help, but when I manually add the configuration option mppe=deny in the [ppp] section and replace mppe=prefer with mppe=deny in the [l2tp] section in /run/accel-pppd/l2tp.conf and then restart accel-ppp, it starts working and I have had a successful ping running a lot longer than previously. I have also tested the configuration on two more VyOS boxes where I had been unable to get L2TP VPN working, and with these two keywords in the config it works.

I cannot find a way in VyOS to add manual keywords to the configuration file. Is there a way to do that or could this be implemented in a later release?

I have not yet verified that it is working in SSTP mode, but I will try to do this during the evening.

SSTP has the option to actually set mppe by:
set vpn sstp ppp-settings mppe deny
This does not however seem to make any changes at all to the configuration in the file:
/run/accel-pppd/sstp.conf

I still have some problems left when I switch to radius authentication since it seems to get configuration information from radius (other than authentication information) - but this could be by design and I will need to look into this a bit deeper.
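Since the posts above find that the VyOS option does not reach the generated file, the check that matters is against /run/accel-pppd/l2tp.conf (or sstp.conf) itself. The script below is an added example, not code from this thread, from VyOS or from accel-ppp: it parses accel-ppp's INI-like format (bare lines in [modules], repeated keys kept rather than collapsed), reports what the file really says about mppe under [ppp] and the transport section, and can write mppe=deny into both sections the way the post above describes doing by hand. The embedded sample file is constructed to mirror the posted one, with its masked values; the function names are my own. Because the file's own header says it is generated by accel_l2tp.py, a manual edit can only be expected to last until the next regeneration, which is why a check like this is worth rerunning after a commit.

```python
import re

# Constructed sample laid out like the /run/accel-pppd/l2tp.conf posted in this thread
# (masked values kept as posted). mppe=prefer in [l2tp] and no mppe key in [ppp] is the
# state the thread reports before the manual edit.
SAMPLE_L2TP_CONF = """\
# generated by accel_l2tp.py
[modules]
log_syslog
l2tp
chap-secrets
auth_mschap_v2
#radius
ippool

[l2tp]
verbose=1
ifname=l2tp%d
ppp-max-mtu=1436
mppe=prefer
bind=x.x.96.14

[radius]
gw-ip-address=10.255.255.0
server=x.x.96.60,MyBigSecret,auth-port=1812,req-limit=0,fail-time=0
nas-identifier=x.x.96.14
gw-ip-address=10.255.255.0

[ppp]
verbose=1
check-ip=1
"""

SECTION_RE = re.compile(r"\[([^\]]+)\]")


def parse_accel_conf(text):
    """Parse accel-ppp's INI-like format into {section: [(key, value)]}.

    Order and duplicates are kept on purpose; bare lines such as module names or pool
    ranges become (line, None) entries. Only whole-line '#' comments are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def mppe_report(text, transport="l2tp"):
    """Summarise what the generated file really says about MPPE, per section."""
    s = parse_accel_conf(text)

    def values(section, key):
        return [v for k, v in s.get(section, []) if k == key]

    dups = {}
    for section, items in s.items():
        keys = [k for k, _ in items]
        repeated = sorted({k for k in keys if keys.count(k) > 1})
        if repeated:
            dups[section] = repeated
    ppp, tr = values("ppp", "mppe"), values(transport, "mppe")
    return {
        "ppp_mppe": ppp,
        f"{transport}_mppe": tr,
        "radius_loaded": any(k == "radius" for k, _ in s.get("modules", [])),
        "duplicate_keys": dups,
        # the state this thread reports as working: deny in [ppp] and in the transport section
        "mppe_denied": ppp == ["deny"] and tr == ["deny"],
    }


def set_key(text, section, key, value):
    """Return text with key=value in [section]: replace the first existing key, drop
    further duplicates, append if absent, and create the section if it is missing."""
    out, in_sec, done, seen = [], False, False, False

    def append_in_section():
        i = len(out)
        while i and not out[i - 1].strip():   # keep the key inside the section, above blank lines
            i -= 1
        out.insert(i, f"{key}={value}")

    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.fullmatch(line)
        if m:
            if in_sec and not done:
                append_in_section()
                done = True
            in_sec = m.group(1) == section
            seen = seen or in_sec
        elif in_sec and not line.startswith("#") and line.partition("=")[0].strip() == key:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue
        out.append(raw)
    if in_sec and not done:
        append_in_section()
    if not seen:
        out += ["", f"[{section}]", f"{key}={value}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(mppe_report(SAMPLE_L2TP_CONF))
    fixed = set_key(set_key(SAMPLE_L2TP_CONF, "ppp", "mppe", "deny"), "l2tp", "mppe", "deny")
    print(mppe_report(fixed))
```

The duplicate-key report is there because the posted [radius] section carries gw-ip-address twice; which copy accel-ppp honours is not something the thread settles, so the checker flags the duplication instead of assuming.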

I have been getting L2TP and SSTP to work with local authentication and I have also been following this thread: IPSEC/L2TP with RADIUS on WIN2019 Server - Need help - #21 by hook.ua

I did have very similar problems with local authentication and solved it by adding mppe=deny for both l2tp and ppp (I have now also added ccp=0, but I don't think that really makes any change when mppe=deny has been set). Worth noting is that changing mppe to deny in the VyOS config does not change it in the actual configuration files.

My main problem now is when I add radius authentication (also Windows 2019 server NPS as radius). To simplify and show the difference I have modified the local /run/accel-pppd/l2tp.conf to have all configuration, with only the "radius" module commented out in one case and the "chap-secrets" section commented out in the other case.

Between the changes to the file the only other thing done is accel-cmd restart -p 2004

With local authentication everything works fine. I do get an IP-address, the connection works and I can reach resources on the local network. On the VyOS box I can run ifconfig and do get the configuration for l2tp0 as below:

l2tp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet 10.255.255.0 netmask 255.255.255.255 destination 172.22.0.0
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 219 bytes 20860 (20.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 188 bytes 83951 (81.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

When I enable radius the connection is established and I do get an IP address, but the connection does not pass any traffic. Looking at ifconfig on the box will not show the l2tp0 interface unless I add "-a", and then the output is as below - there is no IP address or destination assigned.
l2tp0: flags=4240<POINTOPOINT,NOARP,MULTICAST> mtu 1400
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 70 bytes 5202 (5.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 70 (70.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I have tested to change every possible option on the radius server for ip address assignment, but it does not make any difference (and since I actually get an ip-address for the client I don’t think that this is the problem).

I am running VyOS 1.3-rolling-202006160117

Below are masked configuration files and log extracts:
Config file

# generated by accel_l2tp.py

[modules]
log_syslog
l2tp
chap-secrets
auth_mschap_v2

# Uncomment to test radius

#radius
ippool
shaper
ipv6pool
ipv6_nd
ipv6_dhcp

[core]
thread-count=2

[log]
syslog=accel-l2tp,daemon
copy=1
level=5

[dns]
dns1=x.x.96.74
dns2=x.x.96.35

[l2tp]
verbose=1
ifname=l2tp%d
ppp-max-mtu=1436
mppe=deny
ccp=0
bind=x.x.96.14

[client-ip-range]
0.0.0.0/0

[ip-pool]
172.22.0.0/16
gw-ip-address=10.255.255.0

# Comment below section for radius mode

[chap-secrets]
chap-secrets=/run/accel-pppd/sstp.chap-secrets
gw-ip-address=10.255.255.0

[radius]
gw-ip-address=10.255.255.0
verbose=1
server=x.x.96.60,MyBigSecret,auth-port=1812,req-limit=0,fail-time=0
acct-timeout=3
timeout=300
max-try=3
nas-identifier=x.x.96.14
gw-ip-address=10.255.255.0

[ppp]
mppe=deny
ccp=0
verbose=1
check-ip=1
single-session=replace
lcp-echo-timeout=0
lcp-echo-interval=30
lcp-echo-failure=3

[cli]
tcp=127.0.0.1:2004

LOG FILE
First attempt is with local authentication, the second attempt is with Radius - masked out sensitive info

Jun 16 08:45:12 vyos accel-l2tp: terminate, sig = 15
Jun 16 08:45:12 vyos accel-l2tp: l2tp0:mylocaluser: send [LCP TermReq id=204]
Jun 16 08:45:12 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:45:12 vyos accel-l2tp: l2tp0:mylocaluser: recv [LCP TermAck id=cc]
Jun 16 08:45:12 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:45:12 vyos accel-l2tp: l2tp session 37009-13, 44069-1: data channel closed, disconnecting session
Jun 16 08:45:12 vyos accel-l2tp: l2tp session 37009-13, 44069-1: sending CDN (res: 2, err: 0)
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): send [L2TP tid=13 sid=1 Ns=13 Nr=4 <Assigned-Session-ID -21467> ]
Jun 16 08:45:12 vyos accel-l2tp: l2tp0:: session destroyed
Jun 16 08:45:12 vyos accel-l2tp: l2tp session 37009-13, 44069-1: deleting session
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): no more session, disconnecting tunnel
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): sending StopCCN (res: 1, err: 0)
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): send [L2TP tid=13 sid=0 Ns=14 Nr=4 <Assigned-Tunnel-ID -28527> ]
Jun 16 08:45:12 vyos accel-l2tp: l2tp session 37009-13, 44069-1: session destroyed
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): context thread is closing, disconnecting tunnel
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): tunnel disconnection acknowledged by peer, deleting tunnel
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): deleting tunnel
Jun 16 08:45:12 vyos accel-l2tp: l2tp tunnel 37009-13 (x.x.217.67:1701): tunnel destroyed
Jun 16 08:45:13 vyos accel-l2tp: l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
Jun 16 08:45:14 vyos ntpd[1476]: Deleting interface #6 l2tp0, 10.255.255.0#123, interface stats: received=0, sent=0, dropped=0, active_time=661 secs
Jun 16 08:45:56 vyos charon: 11[NET] received packet: from x.x.217.67[500] to y.y.96.14[500] (408 bytes)
Jun 16 08:45:56 vyos charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 16 08:45:56 vyos charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Jun 16 08:45:56 vyos charon: 11[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Jun 16 08:45:56 vyos charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 16 08:45:56 vyos charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 16 08:45:56 vyos charon: 11[IKE] received FRAGMENTATION vendor ID
Jun 16 08:45:56 vyos charon: 11[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jun 16 08:45:56 vyos charon: 11[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jun 16 08:45:56 vyos charon: 11[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jun 16 08:45:56 vyos charon: 11[IKE] x.x.217.67 is initiating a Main Mode IKE_SA
Jun 16 08:45:56 vyos charon: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 16 08:45:56 vyos charon: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jun 16 08:45:56 vyos charon: 11[NET] sending packet: from y.y.96.14[500] to x.x.217.67[500] (156 bytes)
Jun 16 08:45:56 vyos charon: 10[NET] received packet: from x.x.217.67[500] to y.y.96.14[500] (260 bytes)
Jun 16 08:45:56 vyos charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 16 08:45:56 vyos charon: 10[IKE] remote host is behind NAT
Jun 16 08:45:56 vyos charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 16 08:45:56 vyos charon: 10[NET] sending packet: from y.y.96.14[500] to x.x.217.67[500] (244 bytes)
Jun 16 08:45:56 vyos charon: 12[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (68 bytes)
Jun 16 08:45:56 vyos charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 16 08:45:56 vyos charon: 12[CFG] looking for pre-shared key peer configs matching y.y.96.14…x.x.217.67[192.168.2.88]
Jun 16 08:45:56 vyos charon: 12[CFG] selected peer config “remote-access”
Jun 16 08:45:56 vyos charon: 12[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Jun 16 08:45:56 vyos charon: 12[IKE] schedule delete of duplicate IKE_SA for peer ‘192.168.2.88’ due to uniqueness policy and suspected reauthentication
Jun 16 08:45:56 vyos charon: 12[IKE] IKE_SA remote-access[7] established between y.y.96.14[y.y.96.14]…x.x.217.67[192.168.2.88]
Jun 16 08:45:56 vyos charon: 12[IKE] DPD not supported by peer, disabled
Jun 16 08:45:56 vyos charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Jun 16 08:45:56 vyos charon: 12[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (68 bytes)
Jun 16 08:45:56 vyos charon: 14[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (436 bytes)
Jun 16 08:45:56 vyos charon: 14[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 16 08:45:56 vyos charon: 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 16 08:45:56 vyos charon: 14[IKE] received 3600s lifetime, configured 0s
Jun 16 08:45:56 vyos charon: 14[IKE] received 250000000 lifebytes, configured 0
Jun 16 08:45:56 vyos charon: 14[IKE] detected rekeying of CHILD_SA remote-access{6}
Jun 16 08:45:56 vyos charon: 14[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 16 08:45:56 vyos charon: 14[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (204 bytes)
Jun 16 08:45:56 vyos charon: 15[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (60 bytes)
Jun 16 08:45:56 vyos charon: 15[ENC] parsed QUICK_MODE request 1 [ HASH ]
Jun 16 08:45:56 vyos charon: 15[IKE] CHILD_SA remote-access{7} established with SPIs cb76f6d5_i 65b1e758_o and TS y.y.96.14/32[udp/l2f] === x.x.217.67/32[udp/l2f]
Jun 16 08:45:56 vyos accel-l2tp: l2tp: recv [L2TP tid=0 sid=0 Ns=0 Nr=0 <Protocol-Version 256> <Framing-Capabilities 1> <Bearer-Capabilities 0> <Firmware-Revision 2560> <Assigned-Tunnel-ID 14> <Recv-Window-Size 8>]
Jun 16 08:45:56 vyos accel-l2tp: l2tp: handling SCCRQ from x.x.217.67
Jun 16 08:45:56 vyos accel-l2tp: l2tp: new tunnel 9959-14 created following reception of SCCRQ from x.x.217.67:1701
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): sending SCCRP
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): send [L2TP tid=14 sid=0 Ns=0 Nr=1 <Protocol-Version 256> <Framing-Capabilities 1> <Assigned-Tunnel-ID 9959> <Recv-Window-Size 16>]
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): recv [L2TP tid=9959 sid=0 Ns=1 Nr=1 ]
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): handling SCCCN
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): established at y.y.96.14:1701
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): recv [L2TP tid=9959 sid=0 Ns=2 Nr=1 <Assigned-Session-ID 1> <Call-Serial-Number 0> <Bearer-Type 2>]
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): handling ICRQ
Jun 16 08:45:56 vyos accel-l2tp: l2tp session 9959-14, 2537-1: sending ICRP
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): new session 2537-1 created following reception of ICRQ
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): send [L2TP tid=14 sid=1 Ns=1 Nr=3 <Assigned-Session-ID 2537>]
Jun 16 08:45:56 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): recv [L2TP tid=9959 sid=2537 Ns=3 Nr=2 <TX-Speed 400000000> <Framing-Type 1> <Proxy-Authen-Type 4>]
Jun 16 08:45:56 vyos accel-l2tp: l2tp session 9959-14, 2537-1: handling ICCN
Jun 16 08:45:56 vyos accel-l2tp: :: starting data channel for l2tp(x.x.217.67:1701 session 9959-14, 2537-1)
Jun 16 08:45:56 vyos accel-l2tp: :: send [LCP ConfReq id=7d <mru 1436> <magic 61ea223e>]
Jun 16 08:45:56 vyos accel-l2tp: :: recv [LCP ConfReq id=0 <mru 1400> <magic 5a47421a> ]
Jun 16 08:45:56 vyos accel-l2tp: :: send [LCP ConfRej id=0 ]
Jun 16 08:45:56 vyos accel-l2tp: :: recv [LCP ConfReq id=1 <mru 1400> <magic 5a47421a>]
Jun 16 08:45:56 vyos accel-l2tp: :: send [LCP ConfAck id=1 ]
Jun 16 08:45:59 vyos accel-l2tp: :: send [LCP ConfReq id=7d <mru 1436> <magic 61ea223e>]
Jun 16 08:45:59 vyos accel-l2tp: :: recv [LCP ConfAck id=7d <mru 1436> <magic 61ea223e>]
Jun 16 08:45:59 vyos accel-l2tp: :: send [MSCHAP-v2 Challenge id=1 <8d18d1a58aa9e1d48297de7284723437>]
Jun 16 08:45:59 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 , <7c18df3277824e0e2f6a265f5c19858ff7933b672ee22>, F=0, name=“mylocaluser”]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: connect: ppp0 ↔ l2tp(x.x.217.67:1701 session 9959-14, 2537-1)
Jun 16 08:45:59 vyos netplugd[986]: ppp0: ignoring event
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [MSCHAP-v2 Success id=1 “S=968856B8F73E91EAD9FDA2EE9D23D16CB1BBE71B M=Authentication succeeded”]
Jun 16 08:45:59 vyos netplugd[986]: ppp0: ignoring event
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: mylocaluser: authentication succeeded
Jun 16 08:45:59 vyos systemd-udevd[3119]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: IPV6CP: discarding packet
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [LCP ProtoRej id=127 <8057>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: CCP: discarding packet
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [LCP ProtoRej id=128 <80fd>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: recv [IPCP ConfReq id=4 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [IPCP ConfReq id=a0 <addr 10.255.255.0>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [IPCP ConfRej id=4 <wins1 0.0.0.0> <wins2 0.0.0.0>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: recv [IPCP ConfAck id=a0 <addr 10.255.255.0>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: recv [IPCP ConfReq id=5 <addr 0.0.0.0> <dns1 0.0.0.0> <dns2 0.0.0.0>]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [IPCP ConfNak id=5 <addr 172.22.0.0> ]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: recv [IPCP ConfReq id=6 <addr 172.22.0.0> ]
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: send [IPCP ConfAck id=6]
Jun 16 08:45:59 vyos kernel: [ 2672.619816] l2tp0: renamed from ppp0
Jun 16 08:45:59 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:45:59 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:45:59 vyos accel-l2tp: ppp0:mylocaluser: rename interface to ‘l2tp0’
Jun 16 08:45:59 vyos accel-l2tp: l2tp0:mylocaluser: session started over l2tp session 9959-14, 2537-1
Jun 16 08:46:00 vyos ntpd[1476]: Listen normally on 7 l2tp0 10.255.255.0:123
Jun 16 08:46:06 vyos charon: 13[IKE] deleting IKE_SA remote-access[6] between y.y.96.14[y.y.96.14]…x.x.217.67[192.168.2.88]
Jun 16 08:46:06 vyos charon: 13[IKE] sending DELETE for IKE_SA remote-access[6]
Jun 16 08:46:06 vyos charon: 13[ENC] generating INFORMATIONAL_V1 request 4078688329 [ HASH D ]
Jun 16 08:46:06 vyos charon: 13[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (84 bytes)
Jun 16 08:49:21 vyos accel-l2tp: cli: tcp: new connection from 127.0.0.1
Jun 16 08:49:21 vyos accel-l2tp: terminate, sig = 15
Jun 16 08:49:21 vyos accel-l2tp: l2tp0:mylocaluser: send [LCP TermReq id=135]
Jun 16 08:49:21 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:49:21 vyos accel-l2tp: l2tp0:mylocaluser: recv [LCP TermAck id=87]
Jun 16 08:49:21 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:49:21 vyos accel-l2tp: l2tp session 9959-14, 2537-1: data channel closed, disconnecting session
Jun 16 08:49:21 vyos accel-l2tp: l2tp session 9959-14, 2537-1: sending CDN (res: 2, err: 0)
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): send [L2TP tid=14 sid=1 Ns=5 Nr=4 <Assigned-Session-ID 2537> ]
Jun 16 08:49:21 vyos accel-l2tp: l2tp0:: session destroyed
Jun 16 08:49:21 vyos accel-l2tp: l2tp session 9959-14, 2537-1: deleting session
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): no more session, disconnecting tunnel
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): sending StopCCN (res: 1, err: 0)
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): send [L2TP tid=14 sid=0 Ns=6 Nr=4 <Assigned-Tunnel-ID 9959> ]
Jun 16 08:49:21 vyos accel-l2tp: l2tp session 9959-14, 2537-1: session destroyed
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): context thread is closing, disconnecting tunnel
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): discarding message received while disconnecting
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): tunnel disconnection acknowledged by peer, deleting tunnel
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): deleting tunnel
Jun 16 08:49:21 vyos accel-l2tp: l2tp tunnel 9959-14 (x.x.217.67:1701): tunnel destroyed
Jun 16 08:49:22 vyos accel-l2tp: l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
Jun 16 08:49:22 vyos ntpd[1476]: Deleting interface #7 l2tp0, 10.255.255.0#123, interface stats: received=0, sent=0, dropped=0, active_time=202 secs
Jun 16 08:49:42 vyos charon: 13[NET] received packet: from x.x.217.67[500] to y.y.96.14[500] (408 bytes)
Jun 16 08:49:42 vyos charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 16 08:49:42 vyos charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Jun 16 08:49:42 vyos charon: 13[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Jun 16 08:49:42 vyos charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Jun 16 08:49:42 vyos charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 16 08:49:42 vyos charon: 13[IKE] received FRAGMENTATION vendor ID
Jun 16 08:49:42 vyos charon: 13[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jun 16 08:49:42 vyos charon: 13[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jun 16 08:49:42 vyos charon: 13[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jun 16 08:49:42 vyos charon: 13[IKE] x.x.217.67 is initiating a Main Mode IKE_SA
Jun 16 08:49:42 vyos charon: 13[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 16 08:49:42 vyos charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jun 16 08:49:42 vyos charon: 13[NET] sending packet: from y.y.96.14[500] to x.x.217.67[500] (156 bytes)
Jun 16 08:49:42 vyos charon: 12[NET] received packet: from x.x.217.67[500] to y.y.96.14[500] (260 bytes)
Jun 16 08:49:42 vyos charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 16 08:49:42 vyos charon: 12[IKE] remote host is behind NAT
Jun 16 08:49:42 vyos charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 16 08:49:42 vyos charon: 12[NET] sending packet: from y.y.96.14[500] to x.x.217.67[500] (244 bytes)
Jun 16 08:49:42 vyos charon: 14[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (68 bytes)
Jun 16 08:49:42 vyos charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 16 08:49:42 vyos charon: 14[CFG] looking for pre-shared key peer configs matching y.y.96.14…x.x.217.67[192.168.2.88]
Jun 16 08:49:42 vyos charon: 14[CFG] selected peer config “remote-access”
Jun 16 08:49:42 vyos charon: 14[IKE] detected reauth of existing IKE_SA, adopting 2 children and 0 virtual IPs
Jun 16 08:49:42 vyos charon: 14[IKE] schedule delete of duplicate IKE_SA for peer ‘192.168.2.88’ due to uniqueness policy and suspected reauthentication
Jun 16 08:49:42 vyos charon: 14[IKE] IKE_SA remote-access[8] established between y.y.96.14[y.y.96.14]…x.x.217.67[192.168.2.88]
Jun 16 08:49:42 vyos charon: 14[IKE] DPD not supported by peer, disabled
Jun 16 08:49:42 vyos charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Jun 16 08:49:42 vyos charon: 14[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (68 bytes)
Jun 16 08:49:42 vyos charon: 16[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (436 bytes)
Jun 16 08:49:42 vyos charon: 16[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 16 08:49:42 vyos charon: 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 16 08:49:42 vyos charon: 16[IKE] received 3600s lifetime, configured 0s
Jun 16 08:49:42 vyos charon: 16[IKE] received 250000000 lifebytes, configured 0
Jun 16 08:49:42 vyos charon: 16[IKE] detected rekeying of CHILD_SA remote-access{7}
Jun 16 08:49:42 vyos charon: 16[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 16 08:49:42 vyos charon: 16[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (204 bytes)
Jun 16 08:49:42 vyos charon: 06[NET] received packet: from x.x.217.67[4500] to y.y.96.14[4500] (60 bytes)
Jun 16 08:49:42 vyos charon: 06[ENC] parsed QUICK_MODE request 1 [ HASH ]
Jun 16 08:49:42 vyos charon: 06[IKE] CHILD_SA remote-access{8} established with SPIs c54860f4_i 6a361b8c_o and TS y.y.96.14/32[udp/l2f] === x.x.217.67/32[udp/l2f]
Jun 16 08:49:42 vyos accel-l2tp: l2tp: recv [L2TP tid=0 sid=0 Ns=0 Nr=0 <Protocol-Version 256> <Framing-Capabilities 1> <Bearer-Capabilities 0> <Firmware-Revision 2560> <Assigned-Tunnel-ID 15> <Recv-Window-Size 8>]
Jun 16 08:49:42 vyos accel-l2tp: l2tp: handling SCCRQ from x.x.217.67
Jun 16 08:49:42 vyos accel-l2tp: l2tp: new tunnel 22439-15 created following reception of SCCRQ from x.x.217.67:1701
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): sending SCCRP
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): send [L2TP tid=15 sid=0 Ns=0 Nr=1 <Protocol-Version 256> <Framing-Capabilities 1> <Assigned-Tunnel-ID 22439> <Recv-Window-Size 16>]
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): recv [L2TP tid=22439 sid=0 Ns=1 Nr=1 ]
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): handling SCCCN
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): established at y.y.96.14:1701
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): recv [L2TP tid=22439 sid=0 Ns=2 Nr=1 <Assigned-Session-ID 1> <Call-Serial-Number 0> <Bearer-Type 2>]
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): handling ICRQ
Jun 16 08:49:42 vyos accel-l2tp: l2tp session 22439-15, 50483-1: sending ICRP
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): new session 50483-1 created following reception of ICRQ
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): send [L2TP tid=15 sid=1 Ns=1 Nr=3 <Assigned-Session-ID -15053>]
Jun 16 08:49:42 vyos accel-l2tp: l2tp tunnel 22439-15 (x.x.217.67:1701): recv [L2TP tid=22439 sid=50483 Ns=3 Nr=2 <TX-Speed 400000000> <Framing-Type 1> <Proxy-Authen-Type 4>]
Jun 16 08:49:42 vyos accel-l2tp: l2tp session 22439-15, 50483-1: handling ICCN
Jun 16 08:49:42 vyos accel-l2tp: :: starting data channel for l2tp(x.x.217.67:1701 session 22439-15, 50483-1)
Jun 16 08:49:42 vyos accel-l2tp: :: send [LCP ConfReq id=6a <mru 1436> <magic 2c1b032b>]
Jun 16 08:49:42 vyos accel-l2tp: :: recv [LCP ConfReq id=0 <mru 1400> <magic 27bc49fe> ]
Jun 16 08:49:42 vyos accel-l2tp: :: send [LCP ConfRej id=0 ]
Jun 16 08:49:42 vyos accel-l2tp: :: recv [LCP ConfReq id=1 <mru 1400> <magic 27bc49fe>]
Jun 16 08:49:42 vyos accel-l2tp: :: send [LCP ConfAck id=1 ]
Jun 16 08:49:45 vyos accel-l2tp: :: send [LCP ConfReq id=6a <mru 1436> <magic 2c1b032b>]
Jun 16 08:49:45 vyos accel-l2tp: :: recv [LCP ConfAck id=6a <mru 1436> <magic 2c1b032b>]
Jun 16 08:49:45 vyos accel-l2tp: :: send [MSCHAP-v2 Challenge id=1 ]
Jun 16 08:49:45 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <16795f88c1c1a1a97930197a5082ea27>, <2b3e4815cec3d85c3dc95dc1526b454a07f5672cffeb174>, F=0, name="radius.user@domain.com"]
Jun 16 08:49:45 vyos accel-l2tp: :: send [RADIUS(1) Access-Request id=1 <User-Name “radius.user@domain.com”> <NAS-Identifier “y.y.96.14”> <Calling-Station-Id “x.x.217.67”> <Called-Station-Id “y.y.96.14”> <MS-CHAP-Challenge 0xe1d43f4ef145491dd448c2f4bf725557> <MS-CHAP2-Response 0x010016795f88c1c1a1a97930197a5082ea2700000000000000002b3e48150cec3d85c3dc95dc1526b454a07f5672cffeb174>]
Jun 16 08:49:47 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <16795f88c1c1a1a97930197a5082ea27>, <2b3e4815cec3d85c3dc95dc1526b454a07f5672cffeb174>, F=0, name="radius.user@domain.com"]
Jun 16 08:49:49 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <Class 0xac3a093b0000013700010200c10f603c000000007c3c5746a5a3743501d643b6ea8ef60e0000000000000001> <MS-MPPE-Recv-Key 0x800150d333502121727f93cafeda1d63c88dcd4fa108a2095a416d18670de95c0018> <MS-MPPE-Send-Key 0x8002e3af53f147a1aa2738c360d71a14561d708b11330b5975886496c39768bea8aa> <MS-CHAP2-Success 0x01533d30344346344335334143334644344130393735393346424434323730353246313935354544433746> <MS-CHAP-Domain “#001DOMAIN”>]
Jun 16 08:49:49 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, disabling mppe …
Jun 16 08:49:49 vyos netplugd[986]: ppp0: ignoring event
Jun 16 08:49:49 vyos netplugd[986]: ppp0: ignoring event
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: connect: ppp0 ↔ l2tp(x.x.217.67:1701 session 22439-15, 50483-1)
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [MSCHAP-v2 Success id=1 “S=04CF4C53AC3FD4A097593FBD427052F1955EDC7F M=Authentication succeeded”]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: radius.user@domain.com: authentication succeeded
Jun 16 08:49:49 vyos systemd-udevd[3168]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: IPV6CP: discarding packet
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [LCP ProtoRej id=108 <8057>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: CCP: discarding packet
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [LCP ProtoRej id=109 <80fd>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: recv [IPCP ConfReq id=4 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [IPCP ConfReq id=c5 <addr 10.255.255.0>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [IPCP ConfRej id=4 <wins1 0.0.0.0> <wins2 0.0.0.0>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: recv [IPCP ConfAck id=c5 <addr 10.255.255.0>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: recv [IPCP ConfReq id=5 <addr 0.0.0.0> <dns1 0.0.0.0> <dns2 0.0.0.0>]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [IPCP ConfNak id=5 <addr 172.22.0.0> ]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: recv [IPCP ConfReq id=6 <addr 172.22.0.0> ]
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: send [IPCP ConfAck id=6]
Jun 16 08:49:49 vyos kernel: [ 2903.400663] l2tp0: renamed from ppp0
Jun 16 08:49:49 vyos netplugd[986]: l2tp0: ignoring event
Jun 16 08:49:49 vyos accel-l2tp: ppp0:radius.user@domain.com: rename interface to ‘l2tp0’
Jun 16 08:49:49 vyos accel-l2tp: l2tp0:radius.user@domain.com: send [RADIUS(1) Accounting-Request id=1 <User-Name “radius.user@domain.com”> <NAS-Identifier “y.y.96.14”> <NAS-Port 0> <NAS-Port-Id “l2tp0”> <Calling-Station-Id “x.x.217.67”> <Called-Station-Id “y.y.96.14”> <Class 0xac3a093b0000013700010200c10f603c000000007c3c5746a5a3743501d643b6ea8ef60e0000000000000001> <Acct-Session-Id “c7e8f1f2ca680093”> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 172.22.0.0>]
Jun 16 08:49:52 vyos charon: 10[IKE] deleting IKE_SA remote-access[7] between y.y.96.14[y.y.96.14]…x.x.217.67[192.168.2.88]
Jun 16 08:49:52 vyos charon: 10[IKE] sending DELETE for IKE_SA remote-access[7]
Jun 16 08:49:52 vyos charon: 10[ENC] generating INFORMATIONAL_V1 request 2022811798 [ HASH D ]
Jun 16 08:49:52 vyos charon: 10[NET] sending packet: from y.y.96.14[4500] to x.x.217.67[4500] (84 bytes)
Jun 16 08:54:49 vyos accel-l2tp: l2tp0:radius.user@domain.com: send [RADIUS(1) Accounting-Request id=1 <User-Name “radius.user@domain.com”> <NAS-Identifier “y.y.96.14”> <NAS-Port 0> <NAS-Port-Id “l2tp0”> <Calling-Station-Id “x.x.217.67”> <Called-Station-Id “y.y.96.14”> <Class 0xac3a093b0000013700010200c10f603c000000007c3c5746a5a3743501d643b6ea8ef60e0000000000000001> <Acct-Session-Id “c7e8f1f2ca680093”> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 172.22.0.0>]

Hello @klase, I think the main reason is in this log output string

Jun 16 08:49:49 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, disabling mppe …

I use FreeRadius for testing, and it seems it doesn’t receive this attribute. Try setting auth type PAP for testing

set vpn l2tp remote-access authentication require pap 

Hi @Dmitry,

The mppe: 128-bit session keys not allowed comes from turning off encryption (see below). Allowing mppe encryption in radius will remove that message in the log, but the result is still the same.

I have also tested PAP authentication, but the problem is not with authentication. I do get authenticated and get connected without any problems. I think that the problem is that there are no IP addresses assigned to the L2TP/PPP interface on the VyOS server.

I will do a test setup with a FreeRADIUS server on Sunday evening to see if the problem is the same with FreeRADIUS, but for me that is not an option for “production” since I need to integrate with Active Directory and a multifactor authentication solution.

Hi @Dmitry, I have done some more testing and also set up a FreeRADIUS server. With FreeRADIUS it works just the way it does with local users. No problems at all. With Microsoft RADIUS (NPS) it does not.
Looking in the log files there are two attributes missing from the response when using Microsoft NPS. FreeRADIUS sends: <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>

I have tried to test every possible option for MPPE encryption on the settings page, but those attributes are not sent.

I have also tried to test different settings of mppe in the configuration file (deny/require/prefer) in both the l2tp and ppp section.

In the log file I also get the message you noticed “mppe: 128-bit session keys not allowed, disabling mppe …”

Copy of relevant log file lines below:
FreeRADIUS

Jun 21 20:06:32 vyos accel-l2tp: :: send [RADIUS(1) Access-Request id=1 <User-Name “TestUser”> <NAS-Identifier “x.x…96.14”> <Calling-Station-Id “y.y.217.67”> <Called-Station-Id “x.x…96.14”> <MS-CHAP-Challenge 0xb805b06016ab8f9e383c1a458aa3a8bc> <MS-CHAP2-Response 0x010090178bf21dd89846a0268a1a3e53ed26000000000000000031fcba57f05f9360b91e757c2716cd93d2adfd703d18f31e>]
Jun 21 20:06:32 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <MS-CHAP2-Success 0x01533d43373031303337453937343932453130464631303944464142363243434238353037343137354431> <MS-MPPE-Recv-Key 0x83f042da7e66fd179fd7626c807390a84c5642a442b3be3c45eca13c78c59f99dcf7> <MS-MPPE-Send-Key 0x8e5c8183f6964cf4440a8c437533aa31cf348257df6a0e22746dbd43cfcdea41bf23> <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>]

Microsoft NPS
Jun 21 20:12:30 vyos accel-l2tp: :: send [RADIUS(1) Access-Request id=1 <User-Name “MyTestUser@domain.com”> <NAS-Identifier “x.x…96.14”> <Calling-Station-Id “y.y.217.67”> <Called-Station-Id “x.x…96.14”> <MS-CHAP-Challenge 0xeb0023b4376ce2b6a0bc7c84633cce6f> <MS-CHAP2-Response 0x0100359cca40fa0e5f3dae1d179264d98e9f0000000000000000f36e59d50f3394526ec684e6b7d29427a9a2ab0f0de01098>]
Jun 21 20:12:31 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <359cca40fae5f3dae1d179264d98e9f>, , F=0, name="MyTestUser@domain.com"]
Jun 21 20:12:33 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <359cca40fae5f3dae1d179264d98e9f>, , F=0, name="MyTestUser@domain.com"]
Jun 21 20:12:34 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <Class 0xac4809490000013700010200c10f603c000000007c3c5746a5a3743501d643b6ea8ef60e000000000000000f> <MS-MPPE-Recv-Key 0x8019834ac83b843fd7cebb6228b4272ebc8b0188ba07743b37d0c31b492b34167dad> <MS-MPPE-Send-Key 0x801aa2ca51b26162c18fe0c7f62948105dd8a4e9c36aac7083b88fd230170831fdb0> <MS-CHAP2-Success 0x01533d34454641373037413943353745434243364237454442353533364633384243373131313641333937> <MS-CHAP-Domain “#001DOMAIN”>]
Jun 21 20:12:34 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, disabling mppe …

After a lot more fiddling with configurations I am now able to get the NAP service to send some more attributes: I am now getting <MS-MPPE-Encryption-Policy 2> <MS-MPPE-Encryption-Type 4> in my log. I do not get the “mppe: 128-bit session keys not allowed…” message anymore.

But still I don’t get any IP addresses on the l2tp0 device and no traffic can pass the VPN connection.

LOG
Jun 21 21:23:23 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <Port-Limit 1> <Class 0xa71f09010000013700010200c10f603c000000007c3c5746a5a3743501d64811eb8a6dff0000000000000002> <MS-MPPE-Recv-Key 0x800369d060536b1d3a33470aed402255ef1c9d618cb2fdc86c4bfe43fb1237356612> <MS-MPPE-Send-Key 0x8004abd6be0f4e1851fb409fed7aa9b697a6df4f7699c4a1d2c600960d3647ea7e87> <MS-CHAP2-Success 0x01533d31443031424337343435343731353335423133324641383936434343343831433143393445314636> <MS-CHAP-Domain “#001DOMAIN”> <MS-MPPE-Encryption-Policy 2> <MS-MPPE-Encryption-Type 4>]
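
An added example, not from the thread, VyOS or accel-ppp, that parses accel-ppp "Access-Accept" log lines like the FreeRADIUS and NPS ones quoted above, decodes MS-MPPE-Encryption-Policy/Type using the RFC 2548 meanings (Policy 1 = allowed, 2 = required; Type is a bitmask, 2 = 40-bit, 4 = 128-bit, 8 = 56-bit), and lists which MPPE attributes each server left out. The sample log lines are constructed, modelled on the thread's with key and Class blobs shortened.

```python
import re

# MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Type(s) meanings from RFC 2548;
# the type attribute is a bitmask, so 6 means both 40-bit and 128-bit allowed.
POLICY = {1: "Encryption-Allowed", 2: "Encryption-Required"}
TYPE_BITS = {2: "40-bit", 4: "128-bit", 8: "56-bit"}

# Constructed sample modelled on the Access-Accept lines quoted in the thread
# (key/Class blobs shortened, curly quotes kept as the forum renders them).
SAMPLE_LOG = """\
Jun 21 20:06:32 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <MS-CHAP2-Success 0x01533d43> <MS-MPPE-Recv-Key 0x83f042> <MS-MPPE-Send-Key 0x8e5c81> <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>]
Jun 21 20:12:34 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <Class 0xac4809> <MS-MPPE-Recv-Key 0x801983> <MS-MPPE-Send-Key 0x801aa2> <MS-CHAP2-Success 0x01533d34> <MS-CHAP-Domain \u201c#001DOMAIN\u201d>]
Jun 21 20:12:34 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, disabling mppe \u2026
"""

ACCEPT_RE = re.compile(r"recv \[RADIUS\(\d+\) Access-Accept id=(\d+) (.*)\]$")
ATTR_RE = re.compile(r"<([\w-]+) ([^>]*)>")

def parse_access_accept(line):
    """Return (id, {attribute: value}) for an accel-ppp Access-Accept line, else None."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    attrs = {}
    for name, value in ATTR_RE.findall(m.group(2)):
        value = value.strip("\u201c\u201d\"")          # drop quotes around strings
        attrs[name] = int(value) if value.isdigit() else value
    return int(m.group(1)), attrs

def describe_mppe(attrs):
    """Summarise what the MPPE attributes in one Access-Accept let the NAS negotiate."""
    policy = attrs.get("MS-MPPE-Encryption-Policy")
    etype = attrs.get("MS-MPPE-Encryption-Type")
    wanted = ("MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Type",
              "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")
    return {
        "policy": POLICY.get(policy, "absent"),
        "key_lengths": [n for bit, n in TYPE_BITS.items() if etype and etype & bit],
        "allows_128bit": bool(etype and etype & 4),
        "missing": [a for a in wanted if a not in attrs],
    }

def audit(log_text):
    """Run describe_mppe over every Access-Accept in a block of accel-ppp log text."""
    return [describe_mppe(p[1]) for p in map(parse_access_accept, log_text.splitlines()) if p]
```

Running `audit` over a captured log shows at a glance whether a server's Access-Accept carries the policy and type attributes that accel-ppp needs before it will keep MPPE enabled.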

Hi @klase, can you configure Microsoft NPS for my testing router reachable from the internet?

Yes, could you send me your IP address in a private message? I will do the configuration and send you the IP address of the server and the RADIUS secret.