2014-10-09 0:53 GMT+02:00 Michael Richardson <mcr@xxxxxxxxxxxx>:

> I suspect that RDP triggers it with a full-sized TCP packet. [...]
> Do you have appropriate patches/things-enabled, so that the esp/l2tp/ppp
> packets all stay in the kernel? If not, then you might also get some
> debug from xl2tp.

I am not sure what esp is. PPP and MPPE are in the kernel. xl2tpd log says:
"This binary does not support kernel L2TP." So I guess l2tp traffic is not
in the kernel with my build.

I enabled all xl2tpd debug options and got some results that seem to
confirm what you say about the full-sized TCP packet. A whole
connect/troubles/disconnect session is logged. Troubles start at the
"Unsupported protocol..." lines. I don't know how to sort it out, though.
Log is attached.

> Can you tcpdump on the pppX interfaces on both sides?
> I suspect that RDP triggers it with a full-sized TCP packet.

I can't now but I'll do it tomorrow if the provided xl2tpd debug isn't
enough.

> > This initially seemed to me an IPSEC problem but, after much
> > troubleshooting, removing the ppp option "require-mppe-128" and
> > adding "nomppe", effectively disabling MPPE, resulted in an extremely
> > reliable connection again.
>
> MPPE and IPsec are not related. AFAIK, MPPE provides for encryption within
> PPP. You would be double encrypting.

Yes, I knew. In fact I was more than satisfied with the reliability I get
with "nomppe". But maybe MS-CHAP v2 uses MPPE for authentication
encryption? I don't know.

> > client-server related: RDP is just the trigger, after the whole
> > TCP/IP connection is corrupted and must be reset; - It's not
>
> Does other traffic continue to function?
> Is one end Windows?

No, other traffic stops as well. VPN traffic is Windows-Windows.
ipsec-ppp-l2tp endpoints are Windows-Linux.
Attachment:
log-xl2tpd-pppd
Description: Binary data
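Michael's suggestion above is to capture on the pppX interface at both ends and see whether the full-sized TCP packets that RDP produces are what stops arriving. The script below is an added example, not something posted in this thread or shipped with xl2tpd or pppd: it parses `tcpdump -nn -v` style output (two lines per packet, the IP header line followed by the transport line), builds a size profile per direction, and diffs the two captures by inner IP (src, dst, id) so that packets present on one ppp interface but absent on the peer's stand out. The sample captures embedded in it are constructed for illustration, and the 1400-byte "full size" threshold is a placeholder for whatever the ppp interface MTU actually is on the box being examined.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -nn -v -i ppp0` output on the
# Linux (server) side. Addresses, ports, ids and sizes are made up; this is
# not the capture from the thread.
SERVER_SIDE = """\
00:53:01.000001 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [S], seq 1, win 64240, length 0
00:53:01.000002 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.1.3389 > 10.8.0.2.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
00:53:01.000003 IP (tos 0x0, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 52)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [.], ack 3, win 502, length 0
00:53:01.000004 IP (tos 0x0, ttl 64, id 2002, offset 0, flags [DF], proto TCP (6), length 1400)
    10.8.0.1.3389 > 10.8.0.2.49152: Flags [.], seq 2:1350, ack 2, win 65535, length 1348
00:53:01.000005 IP (tos 0x0, ttl 64, id 2003, offset 0, flags [DF], proto TCP (6), length 1400)
    10.8.0.1.3389 > 10.8.0.2.49152: Flags [.], seq 1350:2698, ack 2, win 65535, length 1348
00:53:01.000006 IP (tos 0x0, ttl 64, id 2004, offset 0, flags [DF], proto TCP (6), length 1400)
    10.8.0.1.3389 > 10.8.0.2.49152: Flags [.], seq 2698:4046, ack 2, win 65535, length 1348
00:53:01.000007 IP (tos 0x0, ttl 64, id 1003, offset 0, flags [DF], proto TCP (6), length 52)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [.], ack 1350, win 502, length 0
"""

# Constructed peer-side capture: the same session as seen on the client's
# ppp interface, where the three full-sized segments never showed up.
CLIENT_SIDE = """\
00:53:01.000001 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [S], seq 1, win 64240, length 0
00:53:01.000002 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.1.3389 > 10.8.0.2.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
00:53:01.000003 IP (tos 0x0, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 52)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [.], ack 3, win 502, length 0
00:53:01.000007 IP (tos 0x0, ttl 64, id 1003, offset 0, flags [DF], proto TCP (6), length 52)
    10.8.0.2.49152 > 10.8.0.1.3389: Flags [.], ack 1350, win 502, length 0
"""

# IP header line: we need the IP id (to match packets across both ends),
# the protocol name and the total IP length.
IP_LINE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\bid (?P<id>\d+), .*?proto (?P<proto>\w+) \(\d+\), "
    r"length (?P<len>\d+)\)$"
)
# Transport line: src/dst (address.port) and the TCP flags.
TCP_LINE = re.compile(r"^\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\]")


def parse_capture(text):
    """Turn two-line `tcpdump -nn -v` records into a list of dicts."""
    records = []
    lines = [line for line in text.splitlines() if line.strip()]
    i = 0
    while i < len(lines):
        m = IP_LINE.match(lines[i])
        if not m:
            i += 1  # skip anything we do not recognise (ARP, truncated lines, ...)
            continue
        rec = {"ts": m["ts"], "id": int(m["id"]), "proto": m["proto"],
               "ip_len": int(m["len"]), "src": None, "dst": None, "flags": None}
        if i + 1 < len(lines):
            t = TCP_LINE.match(lines[i + 1])
            if t:
                rec.update(src=t["src"], dst=t["dst"], flags=t["flags"])
                i += 1
        records.append(rec)
        i += 1
    return records


def size_profile(records, mtu):
    """Histogram of IP total lengths plus a count of packets at/above `mtu`, per direction."""
    sizes = Counter(r["ip_len"] for r in records)
    full = [r for r in records if r["ip_len"] >= mtu]
    return {
        "max_len": max(sizes) if sizes else 0,
        "by_size": dict(sizes),
        "full_sized": len(full),
        "full_sized_directions": Counter((r["src"], r["dst"]) for r in full),
    }


def missing_on_peer(sent, received):
    """Inner IP packets seen in `sent` but not in `received`, matched on (src, dst, id).

    The inner IP packet is identical on both ppp ends, so a packet captured on
    one pppX that never appears on the other was dropped somewhere in the
    l2tp/esp path between them."""
    seen = {(r["src"], r["dst"], r["id"]) for r in received}
    return [r for r in sent if (r["src"], r["dst"], r["id"]) not in seen]


def analyse(server_text, client_text, mtu=1400):
    """Full-sized profile on the sending side and the list of packets lost towards the peer."""
    server = parse_capture(server_text)
    client = parse_capture(client_text)
    return {
        "profile": size_profile(server, mtu),
        "lost_ids": [r["id"] for r in missing_on_peer(server, client)],
        "lost_sizes": sorted({r["ip_len"] for r in missing_on_peer(server, client)}),
    }


if __name__ == "__main__":
    result = analyse(SERVER_SIDE, CLIENT_SIDE)
    print("largest inner packet:", result["profile"]["max_len"])
    print("full-sized packets by direction:", dict(result["profile"]["full_sized_directions"]))
    print("lost on the way to the peer (ip id):", result["lost_ids"], "sizes:", result["lost_sizes"])
```

If every packet missing on the peer side is at the full size while the small ones all get through, that supports the full-sized-packet hypothesis and points at the l2tp/esp encapsulation path rather than at RDP itself; if packets of all sizes go missing, look elsewhere. Run it against real captures with `tcpdump -nn -v -i pppX` taken simultaneously on both ends and feed the two files in place of the constructed strings.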