I have had an issue with L2TP ever since VyOS changed from the old pppd to accel-ppp. My quick solution has been to revert back to a version of VyOS where the change had not happened. Now I want to test out SSTP and must run a newer version, and I also wanted to check if the problem is with L2TP and IPsec or with the underlying PPP transport.
My problem is that I can not get the traffic routed, no matter what I do - there must be some configuration that I am missing. If I take a working configuration from an older 1.2 build and migrate it to the latest build of 1.3 (currently testing on VyOS 1.3-rolling-202006080117, but also tested on older builds) it simply will not route any traffic, and I am unable to ping even the gateway address or anything on the LAN.
The Windows 10 client will connect, authenticate, get an ip-address from the pool, but no traffic will pass over the VPN connection (or get routed, or get blocked, or whatever).
I have routing working and with the same configuration on an old 1.2 build (without the SSTP part) on the same VM it works without a problem. I have also tested to add NAT/Masquerading to check if this has changed with the later builds - but it does not change anything.
My configuration is as below (stripped of passwords and with public IP addresses changed to 192.168.x.x):
set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces loopback lo
set protocols static route 0.0.0.0/0 next-hop 192.168.0.254
set service snmp community my_comunity
set service snmp contact 'klase'
set service ssh
set system config-management commit-revisions '100'
set system domain-name 'mydomain.com'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password 'hash'
set system login user vyos authentication plaintext-password ''
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication radius nas-identifier '192.168.0.1'
set vpn l2tp remote-access authentication radius server 192.168.0.10 key 'xxxx'
set vpn l2tp remote-access authentication radius timeout '300'
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
set vpn l2tp remote-access gateway-address '172.22.0.1'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'mysecret'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.0.1'
set vpn sstp authentication mode 'radius'
set vpn sstp authentication protocols 'mschap-v2'
set vpn sstp authentication radius nas-identifier '192.168.0.1'
set vpn sstp authentication radius server 192.168.0.10 key 'xxxx'
set vpn sstp authentication radius timeout '30'
set vpn sstp network-settings client-ip-settings gateway-address '172.22.10.1'
set vpn sstp network-settings client-ip-settings subnet '172.22.11.0/24'
set vpn sstp network-settings name-server '8.8.4.4'
set vpn sstp network-settings name-server '8.8.8.8'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'
Anyone have any ideas on what I could be missing, or that has changed going from pppd to accel-ppp?
Hi @klase, as I remember there is only one point, with proxy-arp, which was automatic in the old l2tp daemon implementation.
Can you explain from which IP and which host you can't reach?
Maybe it would be better for understanding to draw a network map with IP addresses?
Below is a very rudimentary network map. Please note that the 192.168.0.x network is not the actual network used. The addresses used for that net are all public addresses from a /24 network.
I have tried a similar setup at home where the router is the only thing with a public IP-address on the “outside” and I do get the same problem.
I do get authenticated and get an IP address from the pool, 172.22.0.x, but I am unable to reach anything from the client. If I add an alias to eth0 I am unable to reach that alias address, if I add a secondary interface to the router I cannot reach that interface, and I can not reach anything on the same subnet as the router, or anything any router hops away. Since I don't have the problem when I go back to previous versions of VyOS I really don't think that there is a problem with my internal routing or firewalling (I do have several other VPN routers running IPsec, OpenVPN and WireGuard in the infrastructure for both client connectivity and net<->net VPNs).
I have read the documentation for VyOS 1.3 and L2TP/SSTP setup and tried to do as little of a configurations as possible to eliminate everything else.
You do mention proxy-arp… Is there a way to turn it on, or is there some other requirement to fulfil to get it working when it does not have automatic proxy-arp?
Doing a traceroute to any ip-address in our network will only produce:
"* * * * Request timed out. "
Even for the first step.
I have tested to add set interfaces ethernet eth0 ip enable-proxy-arp
But it does not make any difference.
I currently only have one interface on the VPN router since it sits on the same network as the hosts to be reached. I will do a test to add a secondary interface tomorrow morning (it's past midnight here now).
Hi, sorry for late reply. I have done a lot more testing and built a complete isolated test environment and also tested in a production environment with a stripped down configuration.
The currently running configuration is in the commands below, and I have also tested back and forth with proxy-arp on eth0 and/or eth1 and with no proxy-arp. The behaviour I get is that I can connect the VPN and get traffic flowing for a short period of time, but after 30 seconds to 1.5 minutes traffic stops flowing and I can not reach anything through the VPN connection. At first I can reach the IP address of the VPN router (if I add an alias on the same network I can also reach that IP address), I can ping the Google DNS servers and do a traceroute. I will try to find time during the weekend to set up an Ubuntu server with accel-ppp and see if I get the same behaviour. I have configured and tested a PPTP/SSTP server on Windows Routing & Remote Access and it seems to work - but I don't really want to have it running on Windows…
Public IP addresses and passwords changed/masked compared to my actual running config…
set interfaces ethernet eth0 address 'x.x.95.14/25'
set interfaces ethernet eth0 address '172.22.0.1/16'
set interfaces ethernet eth0 hw-id '00:50:56:a2:97:41'
set interfaces ethernet eth1 address 'x.x.96.14/24'
set interfaces ethernet eth1 hw-id '00:50:56:a2:b9:f2'
set interfaces ethernet eth1 ip enable-proxy-arp
set interfaces loopback lo
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.22.0.0/16'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop x.x.95.1
set protocols static route 10.0.0.0/8 next-hop x.x.96.5
set protocols static route 172.16.0.0/16 next-hop x.x.96.5
set protocols static route 192.168.0.0/16 next-hop x.x.96.5
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'se-got-vpn04'
set system login user vyos authentication encrypted-password '************'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access authentication local-users username l2tptest password 'password4l2tptest'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '172.22.0.2'
set vpn l2tp remote-access client-ip-pool stop '172.22.0.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access name-server 'x.x.96.74'
set vpn l2tp remote-access name-server 'x.x.96.35'
set vpn l2tp remote-access outside-address 'x.x.95.14'
This is just a leftover from testing. I added an alias for testing whether I could ping an IP on the same sub-network. It has not been there for most of the testing time.
Hi @klase, which local IP address does the client have? Is it from 192.168.0.X/24, and are you trying to reach 192.168.0.X/24 over L2TP?
Can you share the show ip route output?
The client has had several different IP addresses from several different local subnets (my guest WiFi, my "real" WiFi, tethered from a phone with WiFi sharing, connected from our summerhouse WiFi - where there is only a combined router/WiFi access point). I have tried to reach addresses on several public networks (x.x.94.x, x.x.95.x, x.x.154.x, etc), private networks (192.168.x.x, 172.x.x.x, 10.x.x.x) and also public internet addresses like 8.8.8.8 and 8.8.4.4 (using NAT on the router and also fully routed with NAT at the internet border gateway).
Output of show ip route below (masked) - when a client is connected and has received IP address 172.22.0.6:
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
S>* 0.0.0.0/0 [1/0] via 193.15.95.1, eth0, 3d02h10m
S>* 10.0.0.0/8 [1/0] via 193.15.96.5, eth1, 3d01h54m
S>* 172.16.0.0/16 [1/0] via 193.15.96.5, eth1, 3d01h54m
C>* 172.22.0.6/32 is directly connected, l2tp0, 00:00:04
S>* 192.168.0.0/16 [1/0] via 193.15.96.5, eth1, 3d01h54m
C>* 193.15.95.0/25 is directly connected, eth0, 3d02h10m
C>* 193.15.96.0/24 is directly connected, eth1, 00:03:34
After a lot of troubleshooting, installing an Ubuntu server and compiling accel-ppp on the server, reading logs and trial and error, I am now pretty confident that the problem is in MPPE negotiation. Observing the logs will give the error "l2tp0: username: send [LCP ProtoRej id=nnn <00fd>]". Disabling LCP extensions in Windows will not help, but when I manually add the configuration option mppe=deny in the [ppp] section and replace the mppe=prefer with mppe=deny in the [l2tp] section in /run/accel-pppd/l2tp.conf and then restart accel-ppp, it starts working and I have had a successful ping running a lot longer than previously. I have also tested the configuration on two more VyOS boxes where I have been unable to get L2TP VPN working, and with these two keywords in the config it works.
I cannot find a way in VyOS to add manual keywords to the configuration file. Is there a way to do that or could this be implemented in a later release?
I have not yet verified that it is working in SSTP mode, but I will try to do this during the evening.
SSTP has the option to actually set mppe by: set vpn sstp ppp-settings mppe deny
This does not however seem to make any changes at all to the configuration in the file: /run/accel-pppd/sstp.conf
I still have some problems left when I switch to radius authentication since it seems to get configuration information from radius (other than authentication information) - but this could be by design and I will need to look into this a bit deeper.
I did have very similar problems with local authentication and did solve it by adding mppe=deny for both l2tp and ppp (I have now also added ccp=0, but I don't think that really does any change when mppe=deny has been set). Worth noticing is that changing mppe to deny in the VyOS config does not change it in the actual configuration files.
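Two technical notes on the workaround described in the posts above, followed by a script that applies it. First, the ProtoRej the poster quotes fits his conclusion: 0x00FD is the PPP protocol number for compressed datagrams (RFC 1962), and MPPE-encrypted frames are carried under that same number after CCP negotiates them (RFC 3078), so a server rejecting <00fd> means the two ends disagree on MPPE. Second, mppe=deny removes encryption at the PPP layer, so it is only acceptable where the outer tunnel provides confidentiality (IPsec for L2TP, TLS for SSTP). The script below is an added example, not code from the thread or from VyOS: it parses the ini-style layout of the accel-ppp config, sets mppe=deny in [ppp] and the protocol section ([l2tp], or [sstp] for /run/accel-pppd/sstp.conf), and optionally adds ccp=0 as the poster later did. SAMPLE_CONF is constructed to resemble /run/accel-pppd/l2tp.conf and is not the poster's file. VyOS regenerates that file from its own templates on commit, so this is a diagnostic that lasts until the next commit or reboot, which matches the poster's observation that the CLI gives no way to persist it.

```python
"""Apply the thread's manual MPPE override to an accel-ppp config file.

Added example, not from the thread or from VyOS. Parses the ini-style layout
of /run/accel-pppd/*.conf, sets mppe=deny in the given sections and optionally
ccp=0 in [ppp]. Work on a copy first; VyOS rewrites the real file on commit.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List

# Constructed excerpt shaped like /run/accel-pppd/l2tp.conf (an assumption:
# the real file carries more sections and options; this is not the poster's).
SAMPLE_CONF = """\
[modules]
log_syslog
l2tp
chap-secrets
ippool

[core]
thread-count=2

[ppp]
verbose=1
check-ip=1
single-session=replace

[l2tp]
verbose=1
ifname=l2tp%d
ppp-max-mtu=1400
mppe=prefer
bind=x.x.95.14

[ip-pool]
gw-ip-address=172.22.0.1
172.22.0.2-254
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<val>.*?)\s*$")


def section_options(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [section] to its key=value options; bare lines (pool ranges, module names) are skipped."""
    out: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            out.setdefault(current, {})
            continue
        kv = KEYVAL_RE.match(line)
        if kv and current is not None:
            out[current][kv.group("key")] = kv.group("val")
    return out


def set_option(text: str, section: str, key: str, value: str) -> str:
    """Return text with key=value inside [section]: an existing key is replaced in
    place, otherwise the option is appended to the section (above the blank line
    that separates sections); a missing section is created at the end."""
    result: List[str] = []
    in_target = found = done = False

    def flush() -> None:
        blanks: List[str] = []
        while result and result[-1].strip() == "":
            blanks.append(result.pop())
        result.append(f"{key}={value}")
        result.extend(blanks)

    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_target and not done:
                flush()
                done = True
            in_target = m.group("name") == section
            found = found or in_target
            result.append(line)
            continue
        kv = KEYVAL_RE.match(line)
        if in_target and not done and kv and kv.group("key") == key:
            result.append(f"{key}={value}")
            done = True
            continue
        result.append(line)

    if not done:
        if not found:
            if result and result[-1].strip() != "":
                result.append("")
            result.append(f"[{section}]")
        flush()
    return "\n".join(result) + "\n"


def deny_mppe(text: str, sections: Iterable[str] = ("ppp", "l2tp"), disable_ccp: bool = False) -> str:
    """The thread's workaround: mppe=deny in [ppp] and the protocol section
    ([l2tp] or [sstp]); with disable_ccp also ccp=0, so CCP (and thus MPPE) is
    never negotiated and the <00fd> ProtoRej cannot occur."""
    for sec in sections:
        text = set_option(text, sec, "mppe", "deny")
    if disable_ccp:
        text = set_option(text, "ppp", "ccp", "0")
    return text


def mppe_state(text: str) -> Dict[str, str]:
    """Effective mppe= value per section, 'unset' where the section has none."""
    return {sec: vals.get("mppe", "unset") for sec, vals in section_options(text).items()}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path).read() if path else SAMPLE_CONF
    print("before:", mppe_state(src))
    out = deny_mppe(src, disable_ccp=True)
    print("after: ", mppe_state(out))
    if path:
        with open(path, "w") as fh:
            fh.write(out)
        # Reload the daemon as the poster did: sudo accel-cmd -p 2004 restart
```

Run it without arguments to see the before/after state on the constructed sample, or with the path of a copy of the generated file; as root against the live file it makes the same edit the poster made by hand, and the file goes back to the VyOS-generated content on the next commit.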
My main problem now is when I add RADIUS authentication (also Windows 2019 Server NPS as RADIUS). To simplify and show the difference I have modified the local /run/accel-pppd/l2tp.conf to have all configuration with only the "radius" module commented out in one case and the "chap-secrets" section commented out in the other case.
Between the changes to the file the only other thing done is accel-cmd restart -p 2004
With local authentication everything works fine. I do get an IP-address, the connection works and I can reach resources on the local network. On the VyOS box I can run ifconfig and do get the configuration for l2tp0 as below:
When I enable radius the connection is established, I do get an IP-address, but the connection does not pass any traffic. Looking at ifconfig on the box will not show the l2tp0 interface unless I add “-a” and then the output is as below - there is no ipaddress or destination assigned.
l2tp0: flags=4240<POINTOPOINT,NOARP,MULTICAST> mtu 1400
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 70 bytes 5202 (5.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 70 (70.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I have tested to change every possible option on the radius server for ip address assignment, but it does not make any difference (and since I actually get an ip-address for the client I don’t think that this is the problem).
I am running VyOS 1.3-rolling-202006160117
Below are masked configuration files and log extracts: Config file
The mppe: 128-bit session keys not allowed comes from turning off encryption (see below). Allowing mppe encryption in radius will remove that message in the log, but the result is still the same.
I have also tested PAP authentication, but the problem is not with authentication. I do get authenticated and get connected without any problems. I think that the problem is that there is no ip-addresses assigned to the L2TP/PPP interface on the VyOS server.
I will do a test setup with a FreeRADIUS on Sunday evening to see if the problem is the same with FreeRADIUS, but for me that is not an option for "production" since I need to integrate with Active Directory and a multifactor authentication solution.
Hi @Dmitry, I have done some more testing and also setup a freeradius server. With freeradius it works just the way it does with local users. No problems at all. With Microsoft Radius (NPS) it does not.
Looking in the logfiles there are two attributes missing from the response when using Microsoft NPS. Freeradius sends: <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>
I have tried to test every possible option for MPPE encryption on the settings page, but those attributes are not sent.
I have also tried to test different settings of mppe in the configuration file (deny/require/prefer) in both the l2tp and ppp section.
In the logfile I also get the message you noticed “mppe: 128-bit session keys not allowed, disabling mppe …”
After a lot more fiddling with configurations I am now able to get the NAP service to send some more attributes: I am now getting <MS-MPPE-Encryption-Policy 2> <MS-MPPE-Encryption-Type 4> in my log. I do not get the "mppe: 128-bit session keys not allowed…" message anymore.
But still I don’t get any ip-addresses on the l2tp0 device and no traffic can pass the VPN connection.
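When two RADIUS servers behave differently behind the same NAS, the first thing to check is exactly which attributes each Access-Accept carries, which is what the poster did by eye in the two posts above. The script below is an added example, not code from the thread: it parses the `<Attribute value>` pairs that accel-ppp prints in its RADIUS trace, diffs two Access-Accepts, and decodes the MS-MPPE pair per RFC 2548 (Policy 1 = allowed, 2 = required; Type is a bitmask where 2 = 40-bit and 4 = 128-bit RC4, so the FreeRADIUS value 6 means both and the later NPS value 4 means 128-bit only, and a mask without bit 4 is the case behind the quoted "mppe: 128-bit session keys not allowed" message). It also labels the two Framed-IP-Address values that RFC 2865 reserves as instructions rather than addresses (255.255.255.254 = NAS selects, 255.255.255.255 = user may select), since an Access-Accept that leaves address assignment to the NAS is one of the things to rule out when the PPP interface comes up without an address. Only the `<MS-MPPE-Encryption-Policy …> <MS-MPPE-Encryption-Type …>` fragments are quoted from the thread; the full log lines, the other attribute values and the redacted key placeholders are constructed.

```python
"""Diff and decode the RADIUS Access-Accept attributes accel-ppp logs.

Added example, not from the thread. The poster quoted only the MS-MPPE
fragments; the complete lines below are constructed in accel-ppp's
"<Attribute value>" trace style and their other values are assumptions.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (shape assumed; not copied from the poster's logs).
FREERADIUS_ACCEPT = (
    "l2tp0: l2tptest: recv [RADIUS(1) Access-Accept id=7 <Framed-Protocol PPP> "
    "<Framed-IP-Address 172.22.0.6> <MS-MPPE-Encryption-Policy 1> "
    "<MS-MPPE-Encryption-Type 6> <MS-MPPE-Send-Key (redacted)> <MS-MPPE-Recv-Key (redacted)>]"
)
NPS_ACCEPT_BEFORE = (
    "l2tp0: l2tptest: recv [RADIUS(1) Access-Accept id=8 <Framed-Protocol PPP> "
    "<Service-Type Framed-User> <Framed-IP-Address 172.22.0.6> "
    "<MS-MPPE-Send-Key (redacted)> <MS-MPPE-Recv-Key (redacted)> <Class (redacted)>]"
)
NPS_ACCEPT_AFTER = (
    "l2tp0: l2tptest: recv [RADIUS(1) Access-Accept id=9 <Framed-Protocol PPP> "
    "<Service-Type Framed-User> <Framed-IP-Address 172.22.0.6> "
    "<MS-MPPE-Encryption-Policy 2> <MS-MPPE-Encryption-Type 4> "
    "<MS-MPPE-Send-Key (redacted)> <MS-MPPE-Recv-Key (redacted)> <Class (redacted)>]"
)

ATTR_RE = re.compile(r"<(?P<name>[A-Za-z0-9-]+) (?P<value>[^<>]*)>")

# RFC 2548 values, as named in the FreeRADIUS dictionary.microsoft file.
POLICY = {"1": "Encryption-Allowed", "2": "Encryption-Required"}
TYPE_BITS = {2: "RC4-40bit", 4: "RC4-128bit"}


def parse_accept(line: str) -> Dict[str, List[str]]:
    """Extract <Attribute value> pairs; lists because attributes may repeat (Class, Reply-Message)."""
    attrs: Dict[str, List[str]] = {}
    for m in ATTR_RE.finditer(line):
        attrs.setdefault(m.group("name"), []).append(m.group("value"))
    return attrs


def diff_accepts(reference: Dict[str, List[str]],
                 other: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Attributes missing from `other`, extra in `other`, and present in both with different values."""
    missing = sorted(set(reference) - set(other))
    extra = sorted(set(other) - set(reference))
    changed = sorted(k for k in set(reference) & set(other) if reference[k] != other[k])
    return missing, extra, changed


def decode_mppe(attrs: Dict[str, List[str]]) -> Optional[Dict[str, object]]:
    """Decode MS-MPPE-Encryption-Policy/-Type; None when the server sent neither."""
    policy = attrs.get("MS-MPPE-Encryption-Policy")
    types = attrs.get("MS-MPPE-Encryption-Type")
    if not policy and not types:
        return None
    mask = int(types[0]) if types else 0
    names = [name for bit, name in TYPE_BITS.items() if mask & bit]
    unknown = mask & ~sum(TYPE_BITS)  # vendor bits outside RFC 2548, reported rather than dropped
    if unknown:
        names.append(f"unknown-bits(0x{unknown:x})")
    return {
        "policy": POLICY.get(policy[0], f"unknown({policy[0]})") if policy else "unset",
        "types": names,
        # Bit 4 absent is the condition behind the thread's
        # "mppe: 128-bit session keys not allowed, disabling mppe" log line.
        "allows_128bit": bool(mask & 4),
    }


def framed_ip_meaning(value: str) -> str:
    """RFC 2865 section 5.8: two Framed-IP-Address values are instructions to the NAS, not addresses."""
    return {
        "255.255.255.255": "user may select address (NAS should allow negotiation)",
        "255.255.255.254": "NAS selects address (assign from the local pool)",
    }.get(value, f"assign {value} to the peer")


def report(reference_line: str, other_line: str) -> Dict[str, object]:
    """One-shot comparison of two Access-Accept trace lines."""
    ref, oth = parse_accept(reference_line), parse_accept(other_line)
    missing, extra, changed = diff_accepts(ref, oth)
    return {
        "missing": missing,
        "extra": extra,
        "changed": changed,
        "reference_mppe": decode_mppe(ref),
        "other_mppe": decode_mppe(oth),
        "other_framed_ip": [framed_ip_meaning(v) for v in oth.get("Framed-IP-Address", [])],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(report(FREERADIUS_ACCEPT, NPS_ACCEPT_BEFORE))
    pprint.pprint(report(FREERADIUS_ACCEPT, NPS_ACCEPT_AFTER))
```

To use it on real traces, grep the accel-ppp log for `Access-Accept` and pass one line from each server to `report()`; the "missing" list reproduces the poster's finding, and "changed" shows where the two servers disagree on an attribute both of them send.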
Yes, could you send me your IP-address in a private message and I will do the configuration and send you the ip-address of the server and Radius Secret.