
L2TP remote-access vpn terminated and not showing as connected
Open, Normal, Public, BUG

Description

We have had an issue in 1.1.8 with users being disconnected and not able to reconnect for about 1 1/2 hours.
An upgrade to 1.2.1 does not seem to fix this.

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.28-amd64-vyos, x86_64):
  uptime: 5 days, since Apr 17 21:51:27 2019
  malloc: sbrk 1892352, mmap 0, used 816912, free 1075440
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  <myip>
Connections:
remote-access:  <myip>...%any  IKEv1, dpddelay=15s
remote-access:   local:  [<myip>] uses pre-shared key authentication
remote-access:   remote: uses pre-shared key authentication
remote-access:   child:  dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[9]: ESTABLISHED 4 days ago, <myip>[<myip>]...<remoteip>[192.168.86.233]
remote-access[9]: IKEv1 SPIs: 312521118b937676_i 4e6a19cdc71b0bff_r*, rekeying disabled
remote-access[9]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{17}:  INSTALLED, TRANSPORT, reqid 12, ESP in UDP SPIs: ca2677d8_i da308546_o
remote-access{17}:  3DES_CBC/HMAC_SHA1_96, 623481 bytes_i (3847 pkts, 1465s ago), 3717233 bytes_o (19435 pkts, 417916s ago), rekeying disabled
remote-access{17}:   <myip>/32[udp/l2f] === <remoteip>/32[udp/l2f]

vyos@sr01:~$ show vpn ipsec sa
Connection    State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
------------  -------  ----  --------------  ----------------  -----------  ----------

vyos@sr01:~$ show vpn remote-access
No active remote access VPN sessions

An ipsec statusall shows the user as connected. But the VyOS commands do not see this connection.
Only when we run ipsec restart, after this session is terminated, can the user connect again.
Waiting for 1 1/2 hours seems to drop this connection and the user can connect again without our help.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.1
Why the issue appeared?
Will be filled on close

Event Timeline

Merijn created this task. Apr 23 2019, 12:39 PM

Relevant config:

set ipsec ipsec-interfaces interface 'eth0'
set ipsec nat-networks allowed-network 0.0.0.0/0
set ipsec nat-traversal 'enable'
set l2tp remote-access authentication local-users username test password '<password>'
set l2tp remote-access authentication mode 'local'
set l2tp remote-access client-ip-pool start '10.0.253.220'
set l2tp remote-access client-ip-pool stop '10.0.253.240'
set l2tp remote-access dns-servers server-1 '10.0.253.5'
set l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set l2tp remote-access ipsec-settings authentication pre-shared-secret '<secret>'
set l2tp remote-access ipsec-settings ike-lifetime '3600'
set l2tp remote-access outside-address '<myip>'
set l2tp remote-access outside-nexthop '<mygateway>'
pasik added a subscriber: pasik. Apr 28 2019, 9:58 AM
syncer assigned this task to Dmitry. Aug 31 2019, 12:43 AM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
Dmitry added a comment. Sep 2 2019, 7:01 PM

Hello @Merijn, do you have the possibility to provide logs while this issue appears and a client tries to connect to the l2tp server?
As an example: show log tail 100 | strip-private

primoz added a subscriber: primoz. Oct 12 2019, 11:11 AM

Hi,

if you're using a new enough version to use accel-ppp, then the current config doesn't work, as outside-nexthop puts the address in l2tp.config:

[ip-pool]
192.168.180.100-200
gw-ip-address=<outside-nexthop>

Which has a different functionality than specified in config. Change <mygateway> to a fake gw IP you want to have for your l2tp clients ... like 10.0.253.1 or something and the connection will stop failing (at least it does for me).

Dmitry added a comment. Fri, Dec 6, 4:49 PM

Hello @primoz, seems you're right. left|rightnexthop is deprecated in strongSwan.

This parameter is usually not needed any more because the NETKEY IPsec stack does not require
explicit routing entries for the traffic to be tunneled. If left|sourceip is used with IKEv1
then left|rightnexthop must still be set in order for the source routes to work properly.

And in the CLI of the rolling l2tp implementation we need to replace outside-nexthop with gw-ip-address.

Hello @Merijn , do you still have this issue in 1.2.3 or 1.2.4-epa or latest rolling?
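
The mismatch primoz and Dmitry describe (the `outside-nexthop` value being rendered as accel-ppp's `gw-ip-address`, which must be an address on the client side rather than the upstream gateway) can be checked before committing the config. The following is an added example, not VyOS or accel-ppp code: it parses the reporter's `set l2tp remote-access ...` lines, renders the `[ip-pool]` section the way primoz shows it, and flags a gateway that is not in the client pool's network or that collides with the pool. The sample addresses (203.0.113.x for the `<myip>`/`<mygateway>` placeholders), the function names, and the assumption that the client pool lives in a /24 are all constructed here.

```python
import ipaddress
import re

# Constructed sample: the reporter's config with the placeholders filled in.
# outside-nexthop is the real upstream gateway here, which is the failing case.
SAMPLE_CONFIG = """
set l2tp remote-access client-ip-pool start '10.0.253.220'
set l2tp remote-access client-ip-pool stop '10.0.253.240'
set l2tp remote-access outside-address '203.0.113.10'
set l2tp remote-access outside-nexthop '203.0.113.1'
"""

_SETTING_RE = re.compile(
    r"^set l2tp remote-access (client-ip-pool start|client-ip-pool stop|outside-nexthop) '([^']+)'$"
)


def parse_l2tp_settings(config_text):
    """Collect the pool bounds and outside-nexthop from 'set l2tp remote-access' lines."""
    settings = {}
    for line in config_text.strip().splitlines():
        m = _SETTING_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def render_ip_pool(settings):
    """Render the accel-ppp [ip-pool] section as primoz shows it: outside-nexthop
    ends up as gw-ip-address, the range uses the last-octet shorthand."""
    start, stop = settings["client-ip-pool start"], settings["client-ip-pool stop"]
    last_octet = stop.rsplit(".", 1)[1]
    return f"[ip-pool]\n{start}-{last_octet}\ngw-ip-address={settings['outside-nexthop']}\n"


def check_gateway(settings, pool_prefixlen=24):
    """Return problems with the address that will become gw-ip-address.
    pool_prefixlen is an assumption: the pool has no mask in the VyOS config."""
    start = ipaddress.ip_address(settings["client-ip-pool start"])
    stop = ipaddress.ip_address(settings["client-ip-pool stop"])
    gw = ipaddress.ip_address(settings["outside-nexthop"])
    pool_net = ipaddress.ip_network(f"{start}/{pool_prefixlen}", strict=False)
    problems = []
    if gw not in pool_net:
        problems.append(f"gw-ip-address {gw} is not in the client pool network {pool_net}")
    if start <= gw <= stop:
        problems.append(f"gw-ip-address {gw} lies inside the client pool {start}-{stop}")
    return problems


if __name__ == "__main__":
    parsed = parse_l2tp_settings(SAMPLE_CONFIG)
    print(render_ip_pool(parsed))
    for problem in check_gateway(parsed):
        print("PROBLEM:", problem)
```

Swapping the nexthop for an address such as 10.0.253.1, as primoz suggests, makes `check_gateway` return no problems while the pool range itself is untouched.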