Hi,

Try only using MSCHAPv2.

Regards,

Ricardo

From: Emil Karlsson <emi...@kth.se>
Reply-To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Date: Thursday, 21 April 2022, 9:51 AM
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Subject: Problem connecting to VPN

Hi all,

I am experiencing issues with VPN.
I have set up an isolated network with a VPN, but can't connect to it.

On my own device I set up an L2TP/IPsec VPN with the preshared key from 
CloudStack.

The server is located behind a NAT, so the ports 500, 1701 and 4500 UDP are 
forwarded to the isolated network's public ip in CloudStack.

Judging by the tail of journalctl on my local machine, the initial setup seems 
to go through, but right after that an error code is received which kills the 
VPN connection.

Error message:
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: Listening on IP address 0.0.0.0, port 36337
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: Connecting to host 130.237.83.249, port 1701
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: Connection established to 130.237.83.249, 1701.  Local: 56329, Remote: 37074 (ref=0/0).
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: Calling on tunnel 56329
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: Call established with 130.237.83.249, Local: 60132, Remote: 14169, Serial: 1 (ref=0/0)
Apr 21 13:55:50 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: control_finish: Connection closed to 130.237.83.249, serial 1 ()
Apr 21 13:56:04 n177-p213.eduroam.kth.se NetworkManager[12295]: xl2tpd[12295]: death_handler: Fatal signal 15 received
Apr 21 13:56:04 n177-p213.eduroam.kth.se NetworkManager[910]: <warn>  [1650542164.6400] vpn-connection[0x5592c68440c0,eb332772-87fc-4d85-a0f5-d7f15c797487,"VPN 1",0]: VPN plugin: failed: connect-failed (1)
Apr 21 13:56:04 n177-p213.eduroam.kth.se NetworkManager[910]: <warn>  [1650542164.6402] vpn-connection[0x5592c68440c0,eb332772-87fc-4d85-a0f5-d7f15c797487,"VPN 1",0]: VPN plugin: failed: connect-failed (1)
Apr 21 13:56:04 n177-p213.eduroam.kth.se NetworkManager[910]: <info>  [1650542164.6404] vpn-connection[0x5592c68440c0,eb332772-87fc-4d85-a0f5-d7f15c797487,"VPN 1",0]: VPN plugin: state changed: stopping (5)
Apr 21 13:56:04 n177-p213.eduroam.kth.se NetworkManager[12302]: Stopping strongSwan IPsec...
Apr 21 13:56:04 n177-p213.eduroam.kth.se charon[12262]: 00[DMN] SIGINT received, shutting down


To access the server side, I used ssh to the virtual router for the 
isolated network. When reading the tail of journalctl I find the following 
error message, which appears every time a VPN connection is attempted.
Error message:
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: Connection established to <hidden client ip>, 52956.  Local: 32408, Remote: 36988 (ref=0/0).  LNS session is 'default'
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: start_pppd: I'm running:
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "/usr/sbin/pppd"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "plugin"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "pppol2tp.so"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "pppol2tp"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "7"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "pppol2tp_lns_mode"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "pppol2tp_tunnel_id"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "32408"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "pppol2tp_session_id"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "54146"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "passive"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "nodetach"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "10.1.2.1:10.1.2.2"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "refuse-pap"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "file"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: "/etc/ppp/options.xl2tpd"
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: Call established with <hidden client ip>, PID: 120925, Local: 54146, Remote: 64867, Serial: 1
Apr 21 11:58:51 r-5-VM pppd[120925]: Plugin pppol2tp.so loaded.
Apr 21 11:58:51 r-5-VM pppd[120925]: The remote system is required to authenticate itself
Apr 21 11:58:51 r-5-VM pppd[120925]: but I couldn't find any suitable secret (password) for it to use to do so.
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: write_packet: tty is not open yet.
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: write_packet: tty is not open yet.
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: child_handler : pppd exited for call 64867 with code 1


The client VPN is 'default'-configured on Fedora 35 using the packages 
NetworkManager-l2tp and NetworkManager-l2tp-gnome. It is set up to accept any 
authentication protocol (PAP, CHAP, MSCHAP, MSCHAPv2, EAP). We use credentials 
from a VPN user in CloudStack (created under Manage VPN User). See images below:

[Two inline screenshots attached to the original message are not reproduced here.]

Thanks in advance,

Best regards,
Emil
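An added example, not code from this thread or from CloudStack, xl2tpd or pppd: it triages the two journal excerpts above and checks a chap-secrets file the way pppd's own lookup does, so the server-side "couldn't find any suitable secret" pair of lines can be tied to a concrete missing or non-matching entry. The log lines are constructed copies of the ones in the post; the chap-secrets content, the user name `vpnuser`, the secrets and the second LNS name are assumptions made for the illustration.

```python
"""Added example (not from the thread, CloudStack, xl2tpd or pppd).
Triages the client and virtual-router journal excerpts and reproduces
pppd's chap-secrets entry selection. All sample data is constructed."""
import shlex

# Constructed sample: the pppd/xl2tpd lines from the virtual router (r-5-VM).
SERVER_LOG = """\
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: Call established with <hidden client ip>, PID: 120925, Local: 54146, Remote: 64867, Serial: 1
Apr 21 11:58:51 r-5-VM pppd[120925]: Plugin pppol2tp.so loaded.
Apr 21 11:58:51 r-5-VM pppd[120925]: The remote system is required to authenticate itself
Apr 21 11:58:51 r-5-VM pppd[120925]: but I couldn't find any suitable secret (password) for it to use to do so.
Apr 21 11:58:51 r-5-VM xl2tpd[7124]: child_handler : pppd exited for call 64867 with code 1
"""

# Constructed sample: the xl2tpd/NetworkManager lines from the Fedora client.
CLIENT_LOG = """\
Apr 21 13:55:50 client NetworkManager[12295]: xl2tpd[12295]: Call established with 130.237.83.249, Local: 60132, Remote: 14169, Serial: 1 (ref=0/0)
Apr 21 13:55:50 client NetworkManager[12295]: xl2tpd[12295]: control_finish: Connection closed to 130.237.83.249, serial 1 ()
Apr 21 13:56:04 client NetworkManager[910]: <warn>  VPN plugin: failed: connect-failed (1)
"""

# (substring, side, diagnosis). The first matching signature per line wins.
SIGNATURES = [
    ("couldn't find any suitable secret", "server",
     "pppd must authenticate the peer but has no usable entry in /etc/ppp/chap-secrets "
     "(or pap-secrets); the L2TP call is already established when this is printed"),
    ("pppd exited for call", "server",
     "xl2tpd reports its pppd child exiting; the reason is in the pppd lines just above"),
    ("control_finish: Connection closed", "client",
     "the peer ended the control connection; the cause is in the server log, not here"),
    ("VPN plugin: failed: connect-failed", "client",
     "NetworkManager only reports the consequence of the closed call"),
]


def triage(log_text):
    """Return [(side, diagnosis), ...] for each line that matches a known signature."""
    findings = []
    for line in log_text.splitlines():
        for needle, side, why in SIGNATURES:
            if needle in line:
                findings.append((side, why))
                break
    return findings


def parse_chap_secrets(text):
    """Parse pppd's chap-secrets layout: 'client server secret [ip ...]' per line,
    '#' comments and shell-style quoting. The '@file' and empty-secret forms are
    not handled here."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("malformed chap-secrets line: %r" % raw)
        entries.append({"client": fields[0], "server": fields[1],
                        "secret": fields[2], "addrs": fields[3:]})
    return entries


def find_secret(entries, client, server):
    """Pick the entry pppd's scan_authfile would use for (client, server): an exact
    client match outranks an exact server match, and both outrank '*' wildcards.
    Names are compared case-sensitively. Returns the secret or None."""
    best_flag, best_secret = -1, None
    for e in entries:
        flag = 0
        if e["client"] != "*":
            if e["client"] != client:
                continue
            flag |= 2
        if e["server"] != "*":
            if e["server"] != server:
                continue
            flag |= 1
        if flag > best_flag:
            best_flag, best_secret = flag, e["secret"]
    return best_secret


# Constructed chap-secrets content (assumed user name, secrets and LNS name).
SAMPLE_CHAP_SECRETS = """\
# client     server   secret               IP addresses
"vpnuser"    *        "example-secret-1"   *
"vpnuser"    r-5-VM   "example-secret-2"   *
"""

if __name__ == "__main__":
    for side, why in triage(SERVER_LOG) + triage(CLIENT_LOG):
        print("[%s] %s" % (side, why))
    entries = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    for name in ("vpnuser", "VPNUSER"):
        print(name, "->", find_secret(entries, name, "r-5-VM"))
```

Run against the constructed excerpts, every client-side finding points back to the server, and the secret lookup shows the two things worth checking on the virtual router: the user name must match the chap-secrets entry exactly (case included), and an entry whose server field names a different LNS is skipped. Whichever authentication protocol the client offers, pppd still needs such a matching entry. On the client side, limiting NetworkManager-l2tp to MSCHAPv2 as Ricardo suggests corresponds to the connection's `refuse-pap`, `refuse-chap`, `refuse-mschap` and `refuse-eap` keys in its `vpn.data` settings.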
