Your message dated Wed, 28 Feb 2024 11:17:51 +0000
with message-id 
<sybp282mb261763c82ff9478b903c603487...@sybp282mb2617.ausp282.prod.outlook.com>
and subject line RE: Bug#1064358: network-manager-l2tp: cannot connect with 
mschapv2 if mppe is required
has caused the Debian Bug report #1064358,
regarding network-manager-l2tp: cannot connect with mschapv2 if mppe is required
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1064358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064358
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: network-manager-l2tp
Version: 1.20.12-1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Since upgrading to 1.20.12-1, I cannot connect to my IPsec/L2TP VPN anymore.

I tried many things, but the only thing that works is disabling mppe, 
or downgrading to 1.20.10-1

Here is the debug log for 1.20.12-1:

fév 20 20:04:02 sphax pppd[88301]: CHAP authentication succeeded
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info>  [helper-88301] phasechange: status 8 / phase 'network'
fév 20 20:04:02 sphax pppd[88301]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
fév 20 20:04:02 sphax pppd[88301]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.50.1>]
fév 20 20:04:02 sphax pppd[88301]: sent [IPCP TermAck id=0x1]
fév 20 20:04:02 sphax pppd[88301]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:04:02 sphax pppd[88301]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:04:02 sphax pppd[88301]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
fév 20 20:04:02 sphax pppd[88301]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
fév 20 20:04:02 sphax pppd[88301]: MPPE required but peer negotiation failed
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info>  [helper-88301] phasechange: status 10 / phase 'terminate'
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info>  [helper-88301] phasechange: status 5 / phase 'establish'
fév 20 20:04:02 sphax pppd[88301]: PPPoL2TP options: debugmask 0
fév 20 20:04:02 sphax pppd[88301]: sent [LCP TermReq id=0x4 "MPPE required but peer negotiation failed"]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP TermAck id=0x4]
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948] <info>  [helper-88301] phasechange: status 11 / phase 'disconnect'
fév 20 20:04:02 sphax pppd[88301]: Connection terminated.


And here is the log with 1.20.10-1:

fév 20 20:02:00 sphax pppd[87014]: CHAP authentication succeeded
fév 20 20:02:00 sphax pppd[87014]: nm-l2tp[86623] <info>  [helper-87014] phasechange: status 8 / phase 'network'
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPV6CP ConfReq id=0x1 <addr fe80::c09b:5a53:5fc8:54ac>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.50.1>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfAck id=0x1 <addr 192.168.50.1>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:02:00 sphax pppd[87014]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:02:00 sphax pppd[87014]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfNak id=0x1 <addr 192.168.50.25>]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x2 <addr 192.168.50.25>]
fév 20 20:02:00 sphax pppd[87014]: rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a c0 9b 5a 53 5f c8 54 ac]
fév 20 20:02:00 sphax pppd[87014]: Protocol-Reject for 'IPv6 Control Protocol' (0x8057) received
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.50.25>]

I still have the «Unsupported protocol», but then the connection carries on and 
works. 

Don't hesitate to ask for more information, and thanks for your work,

-- 
Rémi


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-l2tp depends on:
ii  libc6            2.37-15
ii  libglib2.0-0     2.78.4-1
ii  libnm0           1.44.2-7
ii  libnspr4         2:4.35-1.1
ii  libnss3          2:3.96.1-1
ii  libreswan        4.12-1
ii  libssl3          3.1.5-1
ii  network-manager  1.44.2-7
ii  ppp              2.4.9-1+1.1+b1
ii  xl2tpd           1.3.18-1

network-manager-l2tp recommends no packages.

network-manager-l2tp suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Just for completeness, I believe when MPPE is successfully negotiated, the 
following should appear in the logs (or similar for MPPE 40 or 64-bit) :
   MPPE 128-bit stateless compression enabled

Regarding GUI modifications, there are at least 3 different GUI front-end 
implementations and I'm only the upstream maintainer for one of them, also many 
people prefer the non-GUI nmcli.

For the time being I prefer an error if MPPE is enabled and the negotiation 
fails. For existing VPN config files and establishing the VPN connection with 
the nm-l2tp-service, I don't like the idea of ignoring the MPPE setting if 
IPsec is enabled as it can give a false impression MPPE is enabled like in 
previous versions. For the connection editor GUI, I do like the idea of 
disabling the MPPE tick box if IPsec is enabled, but there are complications 
for existing VPN config files that have MPPE enabled, e.g. if MPPE is ignored 
in the connection editor, a new VPN config without MPPE enabled won't be 
generated unless the user clicks save or apply.

I'll close this issue, but will consider doing something in the upstream source 
code for the next release of NetworkManager-l2tp



Cheers,
Doug

--- End Message ---
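
Added example (not part of either message above, and not NetworkManager-l2tp or pppd code): a small Python check that reads pppd log lines and reports, per pppd PID, whether MPPE was actually negotiated, using only the messages quoted in this thread. The sample lines are constructed, PID 90001 is made up, and the names mppe_status and verdict are hypothetical.

```python
import re

# Constructed samples modelled on the pppd messages quoted in this thread.
FAILED = """\
pppd[88301]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
pppd[88301]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
pppd[88301]: MPPE required but peer negotiation failed
"""
NEGOTIATED = """\
pppd[90001]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
pppd[90001]: MPPE 128-bit stateless compression enabled
"""
NO_MPPE = """\
pppd[87014]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
pppd[87014]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.50.25>]
"""

LINE = re.compile(r"pppd\[(\d+)\]: (.*)")
ENABLED = re.compile(r"MPPE (\d+)-bit (stateless|stateful) compression enabled")

def mppe_status(log_text):
    """Map each pppd PID in log_text to a verdict on MPPE for that session."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pppd line
        flags = seen.setdefault(int(m.group(1)), set())
        msg = m.group(2)
        hit = ENABLED.search(msg)
        if hit:
            flags.add("enabled:%s-bit %s" % hit.groups())
        elif msg.startswith("sent") and "CCP ConfReq" in msg and "<mppe" in msg:
            flags.add("requested")
        elif "Protocol-Reject for 'Compression Control Protocol'" in msg:
            flags.add("ccp-rejected")
        elif "MPPE required but peer negotiation failed" in msg:
            flags.add("failed")
    return {pid: verdict(f) for pid, f in seen.items()}

def verdict(flags):
    enabled = [f for f in flags if f.startswith("enabled:")]
    if enabled:  # only the explicit "enabled" line counts as proof
        return "MPPE " + enabled[0].split(":", 1)[1]
    if "failed" in flags:
        return "MPPE required, peer rejected CCP" if "ccp-rejected" in flags else "MPPE required, negotiation failed"
    if "requested" in flags:
        return "MPPE requested, never confirmed"
    return "no MPPE"
```

Feed it unwrapped journal lines; log lines that a mail client has wrapped need to be rejoined first.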
