Your message dated Wed, 28 Feb 2024 11:17:51 +0000
with message-id
<sybp282mb261763c82ff9478b903c603487...@sybp282mb2617.ausp282.prod.outlook.com>
and subject line RE: Bug#1064358: network-manager-l2tp: cannot connect with
mschapv2 if mppe is required
has caused the Debian Bug report #1064358,
regarding network-manager-l2tp: cannot connect with mschapv2 if mppe is required
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1064358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064358
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: network-manager-l2tp
Version: 1.20.12-1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
Since upgrading to 1.20.12-1, I cannot connect to my ipsec/l2tp vpn anymore.
I tried many things, but the only thing that works is disabling mppe,
or downgrading to 1.20.10-1.
Here is the debug log for 1.20.12-1:
fév 20 20:04:02 sphax pppd[88301]: CHAP authentication succeeded
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info> [helper-88301] phasechange: status 8 / phase 'network'
fév 20 20:04:02 sphax pppd[88301]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
fév 20 20:04:02 sphax pppd[88301]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.50.1>]
fév 20 20:04:02 sphax pppd[88301]: sent [IPCP TermAck id=0x1]
fév 20 20:04:02 sphax pppd[88301]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:04:02 sphax pppd[88301]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:04:02 sphax pppd[88301]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
fév 20 20:04:02 sphax pppd[88301]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
fév 20 20:04:02 sphax pppd[88301]: MPPE required but peer negotiation failed
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info> [helper-88301] phasechange: status 10 / phase 'terminate'
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info> [helper-88301] phasechange: status 5 / phase 'establish'
fév 20 20:04:02 sphax pppd[88301]: PPPoL2TP options: debugmask 0
fév 20 20:04:02 sphax pppd[88301]: sent [LCP TermReq id=0x4 "MPPE required but peer negotiation failed"]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP TermAck id=0x4]
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info> [helper-88301] phasechange: status 11 / phase 'disconnect'
fév 20 20:04:02 sphax pppd[88301]: Connection terminated.
And here is the log with 1.20.10-1:
fév 20 20:02:00 sphax pppd[87014]: CHAP authentication succeeded
fév 20 20:02:00 sphax pppd[87014]: nm-l2tp[86623] <info> [helper-87014] phasechange: status 8 / phase 'network'
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPV6CP ConfReq id=0x1 <addr fe80::c09b:5a53:5fc8:54ac>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.50.1>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfAck id=0x1 <addr 192.168.50.1>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:02:00 sphax pppd[87014]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:02:00 sphax pppd[87014]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfNak id=0x1 <addr 192.168.50.25>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x2 <addr 192.168.50.25>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a c0 9b 5a 53 5f c8 54 ac]
fév 20 20:02:00 sphax pppd[87014]: Protocol-Reject for 'IPv6 Control Protocol' (0x8057) received
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.50.25>]
I still have the «Unsupported protocol», but then the connection carries on and
works.
Don't hesitate to ask for more information, and thanks for your work,
--
Rémi
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages network-manager-l2tp depends on:
ii libc6 2.37-15
ii libglib2.0-0 2.78.4-1
ii libnm0 1.44.2-7
ii libnspr4 2:4.35-1.1
ii libnss3 2:3.96.1-1
ii libreswan 4.12-1
ii libssl3 3.1.5-1
ii network-manager 1.44.2-7
ii ppp 2.4.9-1+1.1+b1
ii xl2tpd 1.3.18-1
network-manager-l2tp recommends no packages.
network-manager-l2tp suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Just for completeness, I believe when MPPE is successfully negotiated, the
following should appear in the logs (or similar for MPPE 40 or 64-bit):
MPPE 128-bit stateless compression enabled
Regarding GUI modifications, there are at least 3 different GUI front-end
implementations and I'm only the upstream maintainer for one of them, also many
people prefer the non-GUI nmcli.
For the time being I prefer an error if MPPE is enabled and the negotiation
fails. For existing VPN config files and establishing the VPN connection with
the nm-l2tp-service, I don't like the idea of ignoring the MPPE setting if
IPsec is enabled as it can give a false impression MPPE is enabled like in
previous versions. For the connection editor GUI, I do like the idea of
disabling the MPPE tick box if IPsec is enabled, but there are complications
for existing VPN config files that have MPPE enabled, e.g. if MPPE is ignored
in the connection editor, a new VPN config without MPPE enabled won't be
generated unless the user clicks save or apply.
I'll close this issue, but will consider doing something in the upstream source
code for the next release of NetworkManager-l2tp.
Cheers,
Doug
--- End Message ---
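
The check both messages rely on (did pppd actually negotiate MPPE, or was CCP rejected by the peer?) can be run over a captured log. This is an added example, not part of the original thread or of NetworkManager-l2tp; the function name, the verdict strings and PID 90001 are made up, and the "compression enabled" wording is assumed to match the line quoted in the reply.

```python
import re

# Constructed sample: lines modelled on the pppd output quoted in this thread,
# with wrapped lines rejoined. PID 90001 is a made-up successful session.
SAMPLE_LOG = """\
fév 20 20:04:02 sphax pppd[88301]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
fév 20 20:04:02 sphax pppd[88301]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
fév 20 20:04:02 sphax pppd[88301]: MPPE required but peer negotiation failed
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.50.25>]
fév 20 20:05:00 sphax pppd[90001]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
fév 20 20:05:00 sphax pppd[90001]: MPPE 128-bit stateless compression enabled
"""

LINE = re.compile(r"pppd\[(\d+)\]: (.*)")
# Assumed wording, generalised from the single line quoted in the reply.
ENABLED = re.compile(r"MPPE (\d+)-bit (\w+) compression enabled")

def mppe_status(log_text):
    """Return {pid: verdict} for every pppd process seen in log_text."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        s = state.setdefault(
            pid, {"asked": False, "rejected": False, "failed": False, "bits": None})
        if msg.startswith("sent [CCP ConfReq") and "mppe" in msg:
            s["asked"] = True          # we offered MPPE in CCP
        elif "Protocol-Reject" in msg and "0x80fd" in msg:
            s["rejected"] = True       # peer rejected CCP itself
        elif "MPPE required but peer negotiation failed" in msg:
            s["failed"] = True         # pppd tore the link down
        elif (e := ENABLED.search(msg)):
            s["bits"] = int(e.group(1))
    verdicts = {}
    for pid, s in state.items():
        if s["bits"]:
            verdicts[pid] = f"mppe-{s['bits']}"
        elif s["failed"]:
            verdicts[pid] = "refused: peer rejected CCP" if s["rejected"] else "refused"
        elif s["asked"]:
            verdicts[pid] = "requested, outcome not logged"
        else:
            verdicts[pid] = "no mppe negotiated"
    return verdicts
```

A session that reports "no mppe negotiated" while its connection profile has MPPE ticked is the false impression the reply warns about.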