Bug#1064358: network-manager-l2tp: cannot connect with mschapv2 if mppe is required

2024-02-27 Thread Rémi Letot
Oh, strange, I didn't receive your answer by mail...

I actually have no idea if MPPE is used in my 1.20.10-1 log, I just
configured it as I was told and never thought about it :)

Now that I documented myself, it makes sense that IPSEC is much
stronger. The l2tp tunnel being protected by IPSEC, there is no need for
MPPE at the l2tp level.

So now I can upgrade and adapt my configurations, but it would probably
be interesting to disable the MPPE possibility if IPSEC is used: make
it unselectable in the gui, or not enforce it when the vpn is created.

Thanks,
-- 
Rémi Letot



Bug#1064358: network-manager-l2tp: cannot connect with mschapv2 if mppe is required

2024-02-21 Thread Douglas Kosovic
Hi Rémi,

> since upgrading to 1.20.12-1, I cannot connect to my ipsec/l2tp vpn anymore. 
> 
> I tried many things, but the only thing that works is disabling mppe, or 
> downgrading to 1.20.10-1
> 
> Here is the debug log for 1.20.12-1:
> ...
> 
> And here is the log with 1.20.10-1:
> ...
> I still have the «Unsupported protocol», but then the connection carries on 
> and works. 


That behaviour is a consequence of the following commit in version 1.20.12 
which doesn't disable the Compression Control Protocol (CCP) when MPPE is 
enabled (as MPPE protocol negotiation happens within CCP):

https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340

MPPE protocol negotiation had been broken since 2013 with the following commit 
which disabled CCP :

https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5fe98f70344e842faa28014be7ba259c2db7ae8b

I don't think any MPPE encryption is being used in your 1.20.10-1 log output, 
even though MPPE is enabled, or am I interpreting things wrong?

MPPE encryption is very weak and is typically only used with L2TP VPN 
connections, not L2TP/IPsec, which uses much stronger IPsec encryption.


 
Cheers,
Doug
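
Added example, not part of the thread or of NetworkManager-l2tp: a small Python check that reads pppd debug lines like those in the original report and tells whether CCP (and therefore MPPE) was ever offered, and decodes the bytes the peer sent back in its LCP Protocol-Reject. The function names are hypothetical; the MPPE option layout (CCP option 18, four bytes of flags) is taken from RFC 3078.

```python
import re

# RFC 3078: flags in the "Supported Bits" field of CCP option 18 (MPPE).
MPPE_BITS = {0x01000000: "stateless", 0x80: "56-bit", 0x40: "128-bit",
             0x20: "40-bit", 0x01: "MPPC"}
PROTOCOLS = {0x80FD: "CCP", 0x8057: "IPV6CP", 0x8021: "IPCP", 0x8281: "MPLSCP"}
PROTREJ = re.compile(r"(sent|rcvd) \[LCP ProtRej id=0x[0-9a-f]+ ((?:[0-9a-f]{2} ?)+)\]")

# Lines taken from the report on this page, mail line-wrapping undone.
LOG_1_20_12 = """\
pppd[88301]: sent [CCP ConfReq id=0x1 ]
pppd[88301]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
pppd[88301]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
"""
LOG_1_20_10 = """\
pppd[87014]: sent [IPCP ConfReq id=0x1 ]
pppd[87014]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
pppd[87014]: rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a c0 9b 5a 53 5f c8 54 ac]
"""

def decode_protrej(hex_dump):
    """Decode the Rejected-Information field of an LCP Protocol-Reject."""
    raw = bytes.fromhex(hex_dump)
    proto = int.from_bytes(raw[:2], "big")
    result = {"protocol": PROTOCOLS.get(proto, hex(proto)), "mppe": None}
    if proto != 0x80FD or len(raw) < 6:
        return result
    # After the protocol number comes the rejected CCP packet: code, id, length.
    end = min(len(raw), 2 + int.from_bytes(raw[4:6], "big"))
    pos = 6
    while pos + 2 <= end:
        opt_type, opt_len = raw[pos], raw[pos + 1]
        if opt_len < 2:
            break  # malformed option: stop instead of looping forever
        if opt_type == 18 and opt_len == 6:
            bits = int.from_bytes(raw[pos + 2:pos + 6], "big")
            result["mppe"] = [name for bit, name in MPPE_BITS.items() if bits & bit]
        pos += opt_len
    return result

def mppe_state(log_text):
    """Say whether pppd offered CCP (where MPPE is negotiated) and how it ended."""
    for direction, dump in PROTREJ.findall(log_text):
        if direction == "rcvd" and decode_protrej(dump)["protocol"] == "CCP":
            return "ccp-rejected-by-peer"
    if "sent [CCP ConfReq" not in log_text:
        return "ccp-never-offered"
    return "ccp-offered"
```

On the two excerpts, the 1.20.12 log is classified as rejected by the peer and the 1.20.10 log as never offering CCP at all.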


Bug#1064358: network-manager-l2tp: cannot connect with mschapv2 if mppe is required

2024-02-20 Thread Rémi Letot
Package: network-manager-l2tp
Version: 1.20.12-1
Severity: normal
X-Debbugs-Cc: hob...@poukram.net

Dear Maintainer,

since upgrading to 1.20.12-1, I cannot connect to my ipsec/l2tp vpn anymore. 

I tried many things, but the only thing that works is disabling mppe, 
or downgrading to 1.20.10-1

Here is the debug log for 1.20.12-1:

fév 20 20:04:02 sphax pppd[88301]: CHAP authentication succeeded
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948]   [helper-88301] phasechange: status 8 / phase 'network'
fév 20 20:04:02 sphax pppd[88301]: sent [CCP ConfReq id=0x1 ]
fév 20 20:04:02 sphax pppd[88301]: rcvd [IPCP ConfReq id=0x1 ]
fév 20 20:04:02 sphax pppd[88301]: sent [IPCP TermAck id=0x1]
fév 20 20:04:02 sphax pppd[88301]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:04:02 sphax pppd[88301]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:04:02 sphax pppd[88301]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 60]
fév 20 20:04:02 sphax pppd[88301]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
fév 20 20:04:02 sphax pppd[88301]: MPPE required but peer negotiation failed
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948]   [helper-88301] phasechange: status 10 / phase 'terminate'
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948]   [helper-88301] phasechange: status 5 / phase 'establish'
fév 20 20:04:02 sphax pppd[88301]: PPPoL2TP options: debugmask 0
fév 20 20:04:02 sphax pppd[88301]: sent [LCP TermReq id=0x4 "MPPE required but peer negotiation failed"]
fév 20 20:04:02 sphax pppd[88301]: rcvd [LCP TermAck id=0x4]
fév 20 20:04:02 sphax pppd[88301]: nm-l2tp[87948]   [helper-88301] phasechange: status 11 / phase 'disconnect'
fév 20 20:04:02 sphax pppd[88301]: Connection terminated.


And here is the log with 1.20.10-1:

fév 20 20:02:00 sphax pppd[87014]: CHAP authentication succeeded
fév 20 20:02:00 sphax pppd[87014]: nm-l2tp[86623]   [helper-87014] phasechange: status 8 / phase 'network'
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x1 ]
fév 20 20:02:00 sphax pppd[87014]: sent [IPV6CP ConfReq id=0x1 ]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfReq id=0x1 ]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfAck id=0x1 ]
fév 20 20:02:00 sphax pppd[87014]: rcvd [proto=0x8281] 01 01 00 04
fév 20 20:02:00 sphax pppd[87014]: Unsupported protocol 'MPLSCP' (0x8281) received
fév 20 20:02:00 sphax pppd[87014]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfNak id=0x1 ]
fév 20 20:02:00 sphax pppd[87014]: sent [IPCP ConfReq id=0x2 ]
fév 20 20:02:00 sphax pppd[87014]: rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a c0 9b 5a 53 5f c8 54 ac]
fév 20 20:02:00 sphax pppd[87014]: Protocol-Reject for 'IPv6 Control Protocol' (0x8057) received
fév 20 20:02:00 sphax pppd[87014]: rcvd [IPCP ConfAck id=0x2 ]

I still have the «Unsupported protocol», but then the connection carries on and 
works. 

Don't hesitate to ask for more information, and thanks for your work,

-- 
Rémi


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-l2tp depends on:
ii  libc6            2.37-15
ii  libglib2.0-0     2.78.4-1
ii  libnm0           1.44.2-7
ii  libnspr4         2:4.35-1.1
ii  libnss3          2:3.96.1-1
ii  libreswan        4.12-1
ii  libssl3          3.1.5-1
ii  network-manager  1.44.2-7
ii  ppp              2.4.9-1+1.1+b1
ii  xl2tpd           1.3.18-1

network-manager-l2tp recommends no packages.

network-manager-l2tp suggests no packages.

-- no debconf information