Hello PPP maintainers,

I configured an IPsec-L2TP VPN on my work network. The VPN has both endpoints on NATted networks: the IPsec client and server are both NAT enabled, and the routers are configured to properly forward the IPsec UDP ports and to pass through VPN traffic. For some weeks it has worked reliably. Recently it stopped working properly, with RDP (Remote Desktop Protocol) seeming to be the most effective trigger that leads the connection to a corrupted state.

With full PPP debug enabled, when the connection is corrupted the log begins to be spammed with plenty of warnings about spurious packets:

Oct 1 14:18:55 lanmaster pppd[1977]: rcvd [proto=0xa1] 5f e4 25 5a 19 6b ad 6b b7 0d 60 f7 49 f8 47 f3 5d 87 73 97 12 b2 a7 63 54 21 05 35 43 6a 94 14 ...
Oct 1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0xa1 received
Oct 1 14:18:55 lanmaster pppd[1977]: sent [LCP ProtRej id=0x21 00 a1 5f e4 25 5a 19 6b ad 6b b7 0d 60 f7 49 f8 47 f3 5d 87 73 97 12 b2 a7 63 54 21 05 35 43 6a ...]
Oct 1 14:18:55 lanmaster pppd[1977]: rcvd [proto=0x36f4] 76 df 4c 41 50 1b ad 4d 5d c6 2e fb c7 77 1d 6f ae b3 6c 55 db 2b 89 94 6c 7b e3 66 1d 2c d2 57 ...
Oct 1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0x36f4 received
Oct 1 14:18:55 lanmaster pppd[1977]: sent [LCP ProtRej id=0x22 36 f4 76 df 4c 41 50 1b ad 4d 5d c6 2e fb c7 77 1d 6f ae b3 6c 55 db 2b 89 94 6c 7b e3 66 1d 2c ...]
Oct 1 14:18:56 lanmaster pppd[1977]: rcvd [proto=0xda76] 17 88 8a 2f 86 5e 3f 4c 69 3e e4 ff bb 61 5d f8 0f 3e da ab 0b 7c 29 3b 99 87 7c 7e f7 12 4a 7b ...
Oct 1 14:18:56 lanmaster pppd[1977]: Unsupported protocol 0xda76 received
Oct 1 14:18:56 lanmaster pppd[1977]: sent [LCP ProtRej id=0x23 da 76 17 88 8a 2
[...]

This initially seemed to me an IPsec problem but, after much troubleshooting, removing the ppp option "require-mppe-128" and adding "nomppe", effectively disabling MPPE, resulted in an extremely reliable connection again.

My observations:
- PPP doesn't detect a disconnection or a corruption. The client can still properly hang up;
- It's not RDP client-server related: RDP is just the trigger; afterwards the whole TCP/IP connection is corrupted and must be reset;
- It's not a Windows ipsec-ppp-l2tp client problem: the same happens with Windows 8.1 and a freshly installed Windows 7 client;
- It doesn't seem to be a Linux kernel problem: I tried installing older Ubuntu 3.2.0 kernels and observed the same problems. Now I use the 3.13.0 kernel, with no changes as well;
- Tweaking the PPP MTU doesn't help. I haven't tried tweaking the IPsec MTU.

My stack has been recently updated (from Ubuntu 12.04, which had the same problem; now it's 14.04):
- ppp 2.4.5-5.1ubuntu2
- xl2tpd 1.3.6+dfsg-1
- openswan 1:2.6.38-1
- kernel 3.13.0-36

I'm unable to say if updates to these packages triggered the problem. The workaround is effective for me, as I don't need the PPP link to be encrypted, but the configuration should be supported with MPPE enabled.

I offer my help to do further testing if someone notices there could be a problem in PPP (for example, the MPPE state could be partially corrupted but PPP is unable to detect it). Also, it may be useful for others who may have the same problem.

I attached the faulty configuration and the initial log of the l2tp-ppp connection.

Please CC me in any reply, as I'm not subscribed.

Thanks.
Francesco
Attachments: xl2tpd.conf, ipsec.conf, l2tp-ppp-init.log, ppp.xl2tpd
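An added example, not part of the message above and not pppd code: a log check for the symptom the message reports, a run of "Unsupported protocol" rejections from one pppd process. It uses the RFC 1661 rule that a PPP protocol number has an odd low octet and an even high octet, which 0x36f4 and 0xda76 from the quoted log both violate; the function names, the `min_events` threshold and the sample lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the message.
SAMPLE_LOG = """\
Oct 1 14:18:50 lanmaster pppd[1977]: rcvd [LCP EchoReq id=0x5 magic=0x1a2b3c4d]
Oct 1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0xa1 received
Oct 1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0x36f4 received
Oct 1 14:18:56 lanmaster pppd[1977]: Unsupported protocol 0xda76 received
Oct 1 14:19:30 lanmaster pppd[2040]: Unsupported protocol 0x8057 received
"""

LINE_RE = re.compile(
    r"pppd\[(\d+)\]: Unsupported protocol 0x([0-9a-fA-F]{1,4}) received")

def well_formed(proto):
    """RFC 1661 section 2: low octet odd, high octet even."""
    return (proto & 0x0001) == 1 and (proto & 0x0100) == 0

def scan(log_text, min_events=3):
    """Return {pid: report} for pppd processes whose rejections look like
    garbage input rather than one unsupported but legitimate protocol."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[int(m.group(1))].append(int(m.group(2), 16))
    reports = {}
    for pid, protos in seen.items():
        malformed = [p for p in protos if not well_formed(p)]
        # Heuristic (assumption): several distinct rejected numbers, at
        # least one of which no conforming peer could have sent.
        if len(set(protos)) >= min_events and malformed:
            reports[pid] = {"rejected": len(protos),
                            "malformed": [hex(p) for p in malformed]}
    return reports

if __name__ == "__main__":
    for pid, report in scan(SAMPLE_LOG).items():
        print(f"pppd[{pid}]: possible corrupted link state: {report}")
```

A single rejection of a well-formed number, such as the constructed 0x8057 line, is not flagged, because that is what a peer offering a protocol the local side has disabled looks like.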