Hi,
On Wed, 6 Jan 2021 21:33:49 +0100
Radek <r...@int.pl> wrote:
I have a box with relatively fresh install of 68/amd64, fully
syspatched. There is a npppd server running on it. The problem is
that I can have only one nppp session at one time. If the second
vpn user connects the box, the first nppp session hangs/drops. I
probably have missed something obvious in my setup but I really
can't find what it is.
It seems that only the last person can use the tunnel. This reminds me
of problems through NAT.
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
Both sessions seem to be connected from A.B.C.D. Are the clients
behind a NAT?
How about the npppd side? Does the client directly connect to
tunnel L2TP protocol l2tp {
listen on X.Y.Z.13
}
X.Y.Z.13? Or is there a NAT?
On Wed, 6 Jan 2021 21:33:49 +0100
Radek <r...@int.pl> wrote:
Hi @misc,
I have a box with relatively fresh install of 68/amd64, fully
syspatched. There is a npppd server running on it. The problem is
that I can have only one nppp session at one time. If the second
vpn user connects the box, the first nppp session hangs/drops. I
probably have missed something obvious in my setup but I really
can't find what it is.
Please help me to solve the problem.
Thank you.
$cat /etc/npppd/npppd.conf
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
listen on X.Y.Z.13
}
ipcp IPCP {
pool-address 10.109.4.1-10.109.4.32
dns-servers 1.1.1.1
}
# use pppx(4) interface. use an interface per a ppp session.
interface pppx0 address 10.109.4.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0
$cat /etc/hostname.enc0
up
$cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.gre.allow=1
net.pipex.enable=1
$cat /etc/rc.conf.local
ipsec=YES
ipsec_rules=/etc/ipsec.conf
isakmpd_flags="-K"
npppd_flags=""
$cat /etc/ipsec.conf
wan_ipv4 = X.Y.Z.13
ike passive esp transport \
proto udp from $wan_ipv4 to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "aes" group modp1024 \
psk "pskpskpsk"
$cat /etc/pf.conf
[...]
vpn_if = "pppx"
vpn_local = "10.109.4.0/24"
pass in on $ext_if proto udp from any to (egress:0) port {isakmp,ipsec-nat-t,l2tp}
pass in on $ext_if proto {ah,esp}
pass log proto { gre } from any to any keep state
# filter all IPSec traffic on the enc interface
pass on enc0 keep state (if-bound)
# allow all traffic in on and out to the VPN network
pass on $vpn_if from $vpn_local
pass on $vpn_if to $vpn_local
# NAT VPN traffic going out on the public interface with the public IP
match out log on $ext_if inet proto { tcp, udp, icmp } from $vpn_local nat-to ($ext_if) set prio (3,7)
some logs...
Jan 6 20:53:14 fw-u last message repeated 4 times
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan 6 20:53:16 fw-u last message repeated 2 times
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0 winsize=8 hostname=w520 vendor=Microsoft firm=0601
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendSCCRP
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvSCCN
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendZLB
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvZLB
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICRQ session_id=1
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendICRP session_id=6499
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICCN session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 logtype=PPPBind ppp=0
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=Started tunnel=L2TP(A.B.C.D:1701)
Jan 6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendZLB
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=e916be4d/3c630a24
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRASV5.20
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=MSRAS-0-W520
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId magic=3c630a24 text=.=. .`.M........
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=chap proto=mschap_v2 logtype=Success username="rdk" realm=LOCAL
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe mismatch our=40bit,128bit,56bit,stateless peer=stateless
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp IP Address peer=0.0.0.0 our=10.109.4.1.
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp logtype=Opened ip=10.109.4.1 assignType=dynamic
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe logtype=Opened our=128bit,stateless peer=128bit,stateless
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base Using pipex=yes
Jan 6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan 6 20:53:43 fw-u last message repeated 2 times
Jan 6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=2/20 protocol=1.0 winsize=8 hostname=x vendor=Microsoft firm=0601
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvSCCN
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICRQ session_id=1
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendICRP session_id=11788
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICCN session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 logtype=PPPBind ppp=1
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=Started tunnel=L2TP(A.B.C.D:1701)
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=9699e1a6/244d01eb
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=MSRASV5.20
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=MSRAS-0-X
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=.*.(...N.....Z68
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=chap proto=mschap_v2 logtype=Success username="rdk-test" realm=LOCAL
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe mismatch our=40bit,128bit,56bit,stateless peer=stateless
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp IP Address peer=0.0.0.0 our=10.109.4.11.
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp logtype=Opened ip=10.109.4.11 assignType=dynamic
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe logtype=Opened our=128bit,stateless peer=128bit,stateless
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base Using pipex=yes
--
Radek
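The symptom the reply points at is visible in the logs themselves: two TUNNELSTART entries whose layer2from value is the same IP:port. As an added example that is not part of this thread, the following Python script parses npppd and isakmpd syslog lines of the format shown above, groups PPP sessions by their L2TP source endpoint so that several sessions sharing one (NAT'd) address stand out, and tallies the isakmpd attribute_unacceptable rejections that appear before each tunnel comes up. The sample lines are constructed to match the thread's log format (the 198.51.100.7 client and user alice are made up as a non-colliding control case); the function names are the example's own.

```python
"""Spot L2TP/PPP sessions that share one source endpoint, plus IKE proposal rejections, in npppd/isakmpd logs."""
import re
import sys
from collections import defaultdict

# Constructed sample in the syslog format seen in the thread (not the thread's full log).
# The first two TUNNELSTART lines share layer2from=A.B.C.D:1701; the third is a separate client.
SAMPLE_LOG = """\
Jan 6 20:53:14 fw-u last message repeated 4 times
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan 6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
Jan 6 20:55:02 fw-u npppd[82720]: ppp id=2 layer=base logtype=TUNNELSTART user="alice" duration=1sec layer2=L2TP layer2from=198.51.100.7:1701 auth=MS-CHAP-V2 ip=10.109.4.12 iface=pppx0
"""

# syslogd prefix: "Mon D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# npppd key=value tokens; values may be double-quoted (user="rdk") or empty (calling_number=)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# isakmpd phase-1 proposal rejection, e.g. "attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC"
ISAKMPD_RE = re.compile(r"attribute_unacceptable: (\w+): got (\S+), expected (\S+)")


def parse_line(line):
    """Split one syslog line into prefix fields plus any key=value pairs; None for lines without prog[pid]."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec["msg"])}
    return rec


def find_shared_endpoints(lines):
    """Group TUNNELSTART events by layer2from and keep only endpoints used by more than one session."""
    by_endpoint = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "npppd":
            continue
        f = rec["fields"]
        if f.get("logtype") != "TUNNELSTART" or "layer2from" not in f:
            continue
        by_endpoint[f["layer2from"]].append(
            {"ppp_id": f.get("id"), "user": f.get("user"), "ip": f.get("ip"), "ts": rec["ts"]}
        )
    return {ep: s for ep, s in by_endpoint.items() if len(s) > 1}


def count_proposal_mismatches(lines):
    """Count isakmpd attribute_unacceptable rejections per (attribute, offered, expected) triple."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "isakmpd":
            continue
        m = ISAKMPD_RE.search(rec["msg"])
        if m:
            counts[m.groups()] += 1
    return dict(counts)


def report(lines):
    """Return human-readable findings for both checks."""
    findings = []
    for ep, sessions in find_shared_endpoints(lines).items():
        users = ", ".join(f'{s["user"]} (ppp id={s["ppp_id"]}, {s["ip"]})' for s in sessions)
        findings.append(f"{ep}: {len(sessions)} PPP sessions share one L2TP source endpoint: {users}")
    for (attr, got, expected), n in sorted(count_proposal_mismatches(lines).items()):
        findings.append(f"isakmpd rejected {attr} {got} {n}x (policy expects {expected})")
    return findings


if __name__ == "__main__":
    # Pass a log file (e.g. an excerpt of /var/log/daemon) as the only argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = SAMPLE_LOG.splitlines()
    for finding in report(lines):
        print(finding)
```

On the sample the script reports one shared endpoint (A.B.C.D:1701 used by rdk and rdk-test) and one rejection each for the AES_CBC and MODP_2048 offers, which is exactly the pattern in the thread; the alice session from its own address is not flagged. The rejection counter is a convenience for reading the isakmpd noise, not a fault indicator on its own: a client that offers several proposals is rejected on the ones the policy does not list before the matching one is accepted.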