Some problem about VPN and RADIUS


#1

I used VyOS 1.1.6 to test L2TP and PPTP; the authentication mode is RADIUS:

  1. With a PC, L2TP and PPTP are OK;
  2. With a phone (Android), PPTP is OK;
  3. With a phone (Android), L2TP fails;

The RADIUS server log:

"HDQSVRADC01","IAS",12/14/2018,11:26:21,1,"fei.xue","CDS\fei.xue","127.0.1.1",0,0,"10.131.1.3","Template of CoreRos-1-3",1,2,2,0,"311 1 10.131.2.10 04/27/2018 23:30:21 271","L2TP",1,
"HDQSVRADC01","IAS",12/14/2018,11:26:21,3,"CDS\fei.xue",0,"10.131.1.3","Template of CoreRos-1-3",2,19,"311 1 10.131.2.10 04/27/2018 23:30:21 271","L2TP",1,

The VyOS L2TP error log:

2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: received Vendor ID payload [RFC 3947]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: packet from 106.121.15.188:6495: received Vendor ID payload [Dead Peer Detection]
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[18] 106.121.15.188:6495 #18: responding to Main Mode from unknown peer 106.121.15.188:6495
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[18] 106.121.15.188:6495 #18: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP_1024] refused due to strict flag
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[18] 106.121.15.188:6495 #18: NAT-Traversal: Result using RFC 3947: peer is NATed
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[18] 106.121.15.188:6495 #18: Peer ID is ID_IPV4_ADDR: '10.147.182.49'
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6495 #18: deleting connection "remote-access-mac-zzz" instance with peer 106.121.15.188 {isakmp=#0/ipsec=#0}
2018-12-14 11:26:17 System0.Debug 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: | NAT-T: new mapping 106.121.15.188:6495/6496)
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #18: sent MR3, ISAKMP SA established
2018-12-14 11:26:17 System0.Warning 10.131.1.3 Dec 14 03:25:42 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #18: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2018-12-14 11:26:18 System0.Warning 10.131.1.3 Dec 14 03:25:43 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #19: IPSec Transform [AES_CBC (256), HMAC_SHA2_256] refused due to strict flag
2018-12-14 11:26:18 System0.Warning 10.131.1.3 Dec 14 03:25:43 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #19: responding to Quick Mode
2018-12-14 11:26:19 System0.Warning 10.131.1.3 Dec 14 03:25:43 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #19: Dead Peer Detection (RFC 3706) enabled
2018-12-14 11:26:19 System0.Warning 10.131.1.3 Dec 14 03:25:43 vyos pluto[2832]: "remote-access-mac-zzz"[19] 106.121.15.188:6496 #19: IPsec SA established {ESP=>0x0f354681 <0xc4134491 NATOA=0.0.0.0}
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: control_finish: Peer requested tunnel 55336 twice, ignoring second one.
2018-12-14 11:26:21 Daemon.Notice 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: Connection established to 106.121.15.188, 56210. Local: 57361, Remote: 55336 (ref=0/0). LNS session is 'default'
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: start_pppd: I'm running:
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "/usr/sbin/pppd"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "passive"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "nodetach"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "10.255.255.0:10.131.56.100"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "refuse-pap"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "auth"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "name"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "VyattaL2TPServer"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "debug"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "file"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "/etc/ppp/options.xl2tpd"
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: "/dev/pts/1"
2018-12-14 11:26:21 Daemon.Notice 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: Call established with 106.121.15.188, Local: 43586, Remote: 46497, Serial: -526642408
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Plugin radius.so loaded.
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: RADIUS plugin initialized.
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Plugin radattr.so loaded.
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: RADATTR plugin initialized.
2018-12-14 11:26:21 Local2.Notice 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: pppd 2.4.4 started by root, uid 0
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: using channel 15
2018-12-14 11:26:21 Local7.Info 10.131.1.3 Dec 14 03:25:46 vyos zebra[2407]: interface ppp0 index 18 <POINTOPOINT,NOARP,MULTICAST> added.
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Using interface ppp0
2018-12-14 11:26:21 Local2.Notice 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Connect: ppp0 <--> /dev/pts/1
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x22d25068> ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0xd77e3861> ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: lcp_reqci: returning CONFACK.
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <magic 0xd77e3861> ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [LCP ConfNak id=0x1 ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x22d25068> ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x22d25068> ]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [CHAP Challenge id=0x60 <53a0ed6568e089a266226f31cc964c57b8>, name = "xl2tpd"]
2018-12-14 11:26:21 Local7.Info 10.131.1.3 Dec 14 03:25:46 vyos zebra[2407]: interface ppp0 mtu changed from 1500 to 1400
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [CHAP Response id=0x60 <674f8282b8b6e980992d53a52b444c70>, name = "fei.xue"]
2018-12-14 11:26:21 Local2.Warning 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Peer fei.xue failed CHAP authentication
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [CHAP Failure id=0x60 ""]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [LCP TermReq id=0x3 "Authentication failed"]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: sent [LCP TermAck id=0x2]
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: rcvd [LCP TermAck id=0x3]
2018-12-14 11:26:21 Local2.Notice 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Connection terminated: no multilink.
2018-12-14 11:26:21 Local7.Info 10.131.1.3 Dec 14 03:25:46 vyos zebra[2407]: interface ppp0 index 18 deleted.
2018-12-14 11:26:21 Local7.Info 10.131.1.3 Dec 14 03:25:46 vyos ripd[2409]: interface delete ppp0 index 18 flags 0x1090 metric 1 mtu 1400
2018-12-14 11:26:21 Local7.Info 10.131.1.3 Dec 14 03:25:46 vyos ripngd[2411]: interface delete ppp0 index 18 flags 0x1090 metric 1 mtu 1400
2018-12-14 11:26:21 Local2.Debug 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: RADATTR plugin removed file /var/run/radattr.ppp0.
2018-12-14 11:26:21 Local2.Info 10.131.1.3 Dec 14 03:25:46 vyos pppd[7784]: Exit.
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: child_handler : pppd exited for call 46497 with code 11
2018-12-14 11:26:21 Daemon.Info 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: call_close: Call 43586 to 106.121.15.188 disconnected
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: result_code_avp: avp is incorrect size. 8 < 10
2018-12-14 11:26:21 Daemon.Warning 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
2018-12-14 11:26:21 Daemon.Debug 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: Terminating pppd: sending TERM signal to pid 7784
2018-12-14 11:26:21 Daemon.Info 10.131.1.3 Dec 14 03:25:46 vyos xl2tpd[5230]: Connection 55336 closed to 106.121.15.188, port 56210 (Result Code: expected at least 10, got 8)
2018-12-14 11:26:26 Daemon.Debug 10.131.1.3 Dec 14 03:25:51 vyos xl2tpd[5230]: Unable to deliver closing message for tunnel 57361. Destroying anyway.

2018-12-14 11:26:40 System0.Warning 10.131.1.3 Dec 14 03:26:04 vyos pluto[2832]: ERROR: asynchronous network error report on eth0 for message to 106.121.15.188 port 6496, complainant 106.121.15.188: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

2018-12-14 11:26:55 System0.Warning 10.131.1.3 Dec 14 03:26:19 vyos pluto[2832]: ERROR: asynchronous network error report on eth0 for message to 106.121.15.188 port 6496, complainant 106.121.15.188: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]


#2

I configured Windows 2008 NPS as the RADIUS server; I configured it following this article: http://thomas.madej.ca/2015/03/04/making-windows-network-policy-server-work-with-vyosedgeos-l2tp-over-ipsec-vpn-using-radius-auth/


#3

Does it work with local users?


#4

No, it works in RADIUS mode.