
L2TP/IPSec Remote Access VPN does not work as expected in 1.3.1-S1
Open, High, Public

Description

Tested in VyOS 1.3.1-S1 and Windows 10 Pro 21H2.
L2TP connects. However, it does not work as expected in 1.3.1-S1.
In 1.2.8 the same config works.

[email protected]:~$ sh vpn remote-access
 ifname | username | calling-sid |      ip      | rate-limit | type | comp | state  | rx-bytes | tx-bytes |  uptime
--------+----------+-------------+--------------+------------+------+------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.6.1 | 172.25.255.1 |            | l2tp | mppe | active | 14.9 KiB | 240 B    | 00:00:12

To reproduce:

set interfaces dummy dum4 address '4.4.4.4/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.6.31/24'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.6.31'

Once the client is connected, traffic from the client does not pass even on 4.4.4.4.

ping 4.4.4.4 -t
Pinging 4.4.4.4 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 4.4.4.4:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

In 1.2.8 the same ping toward 4.4.4.4 is successful.

Details

Difficulty level
Unknown (require assessment)
Version
1.3.1-S1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

NikolayP triaged this task as High priority.Fri, Jun 3, 2:30 PM
NikolayP created this task.
NikolayP created this object in space S1 VyOS Public.

Not sure if this is relevant to the task.
But once when shutting down a VM with VyOS 1.3.1-S1, it took a long time to shut down:

@NikolayP, looks like an MTU and MPPE issue. Stopping the daemon is not related to this, I think.

Don't have any issues with Ubuntu

set interfaces dummy dum0 address '192.0.2.1/32'
set interfaces dummy dum4 address '203.0.113.1/24'
set interfaces ethernet eth0 address '192.168.122.11/24'
set interfaces ethernet eth0 description 'WAN'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.2'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access outside-address '192.0.2.1'

Client

[email protected]:~$ ping 203.0.113.1
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=0.295 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=64 time=0.446 ms
^C
--- 203.0.113.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 0.295/0.370/0.446/0.075 ms
[email protected]:~$
[email protected]:~$ show l2tp-server sessions 
ifname | username |      ip       | ip6 | ip6-dp |  calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+---------------+-----+--------+---------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.255.3 |     |        | 192.168.122.1 |            | active | 00:08:20 | 33.9 KiB | 4.1 KiB
[email protected]:~$ 
[email protected]:~$ 
[email protected]:~$ tcpdump -nti l2tp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on l2tp0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
IP 192.168.255.3 > 203.0.113.1: ICMP echo request, id 9, seq 44, length 64
IP 203.0.113.1 > 192.168.255.3: ICMP echo reply, id 9, seq 44, length 64
IP 192.168.255.3 > 203.0.113.1: ICMP echo request, id 9, seq 45, length 64
IP 203.0.113.1 > 192.168.255.3: ICMP echo reply, id 9, seq 45, length 64

If your clients and server are in one network, try connecting to a "dummy" interface.
In my example, clients in the 192.168.122.x network connect not to 192.168.122.11 but to the dummy 192.0.2.1/32 as outside-address, and they can ping the dum4 interface address.

Same as Viacheslav. No issues on my tests in Ubuntu.

[email protected]# run show config comm | grep vpn
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username testuser password 'testuser'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.2'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.254'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '1q2w3e4r'
set vpn l2tp remote-access outside-address '192.168.25.2'
[edit]
[email protected]# run show l2tp-server sessions 
ifname | username |      ip       | ip6 | ip6-dp |  calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+---------------+-----+--------+---------------+------------+--------+----------+----------+----------
 l2tp0  | testuser | 192.168.255.3 |     |        | 192.168.0.105 |            | active | 00:10:49 | 2.1 MiB  | 6.5 MiB
[edit]
[email protected]#

The problem seems to be in these lines:

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'

Replacing the "static-ip" with 172.25.255.2 makes it work in VyOS 1.3.1.

set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'

Full corrected config for 1.3.1 from the first post:

set interfaces dummy dum4 address '4.4.4.4/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.6.31/24'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.2'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address '192.168.6.31'
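The workaround in the last comment comes down to one condition: the user's static-ip was equal to the client-ip-pool start address. The script below is an added example (not VyOS code, not posted by anyone in this task) that parses `set vpn l2tp remote-access ...` lines and flags exactly that overlap, so a config can be checked before it is committed on a 1.3.x box. It assumes the standard VyOS 1.3 command paths shown on this page; the two embedded configs are constructed from the reporter's original and corrected snippets. It only detects the condition reported here, it does not claim to know why 1.3.1-S1 drops traffic in that case.

```python
"""Lint VyOS 1.3 L2TP remote-access config for the static-ip == pool-start
overlap reported in this task (added example, not VyOS code)."""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample: the reporter's original addressing (static-ip == pool start).
REPORTED_CONFIG = """
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication local-users username test static-ip '172.25.255.1'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '172.25.255.1'
set vpn l2tp remote-access client-ip-pool stop '172.25.255.14'
set vpn l2tp remote-access outside-address '192.168.6.31'
"""

# Constructed sample: the corrected config from the last comment.
CORRECTED_CONFIG = REPORTED_CONFIG.replace(
    "static-ip '172.25.255.1'", "static-ip '172.25.255.2'"
)

L2TP_PATH = ["vpn", "l2tp", "remote-access"]


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise `set ...` lines; shlex keeps quoted values as one token."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            rows.append(shlex.split(line)[1:])   # drop the leading "set"
    return rows


def l2tp_addressing(text: str) -> Tuple[Optional[str], Optional[str], Dict[str, str]]:
    """Return (pool start, pool stop, {username: static-ip}) from the config."""
    start = stop = None
    static: Dict[str, str] = {}
    for path in parse_set_lines(text):
        if path[:3] != L2TP_PATH:
            continue
        rest = path[3:]
        if len(rest) == 3 and rest[:2] == ["client-ip-pool", "start"]:
            start = rest[2]
        elif len(rest) == 3 and rest[:2] == ["client-ip-pool", "stop"]:
            stop = rest[2]
        elif (len(rest) == 6
              and rest[:3] == ["authentication", "local-users", "username"]
              and rest[4] == "static-ip"):
            static[rest[3]] = rest[5]
    return start, stop, static


def check_static_ip_conflicts(text: str) -> List[Tuple[str, str]]:
    """Return (username, static-ip) pairs whose static-ip equals the pool start.

    This is the condition that broke forwarding in the reporter's 1.3.1-S1 test;
    moving the static-ip off the pool start (.2 instead of .1) made it work.
    """
    start, stop, static = l2tp_addressing(text)
    if start is None:
        return []                      # no pool configured, nothing to compare
    pool_start = ipaddress.IPv4Address(start)
    if stop is not None and ipaddress.IPv4Address(stop) < pool_start:
        raise ValueError(f"client-ip-pool stop {stop} is below start {start}")
    return [(user, ip) for user, ip in static.items()
            if ipaddress.IPv4Address(ip) == pool_start]


if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "->", check_static_ip_conflicts(cfg) or "no overlap")
```

Run it against `show configuration commands | grep 'vpn l2tp'` output saved to a file; any pair it prints is a user whose static-ip should be moved off the pool start, as in the corrected config above.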