Package: xl2tpd
Version: 1.3.8+dfsg-1
Severity: normal

Dear Maintainer,
Versions of xl2tpd prior to 1.3.7 had various problems that made them unreliable whether built to use kernel support or standalone. 1.3.8, as used by "Stretch" and backported to "Jessie", is reliable if rebuilt to run standalone but crashes if using kernel support.

The scenario in which we are using L2TP is that our ISP allows L2TP logins, and will use these to tunnel fixed IP4 or IP6 traffic back to a server: https://aa.net.uk/broadband-l2tp.html

With the poor support for IP6 from most phone companies and in particular from 4G, this is one of the very few ways of getting decent service in remote areas. Configuration relies on a 4G device establishing a connection (typically NATted); a post-up script fires up an L2TP tunnel, that starts a PPP daemon, and a script in ppp/ip-up.d endows it with any fixed DNS servers etc.

If I run xl2tpd with stdout output the startup messages look OK but it fails after a few seconds:

-----8<-----
xl2tpd[2776]: "/etc/ppp/options.aaisp-5"
xl2tpd[2776]: control_finish: Connection closed to 90.155.53.19, serial 1 (LCP timeout)
xl2tpd[2776]: Terminating pppd: sending TERM signal to pid 2919
xl2tpd[2776]: get_call: can't find call 38839 in tunnel 10606 (ref=0/0)
xl2tpd[2776]: check_control: Received out of order control packet on tunnel 1331 (got 2, expected 3)
----->8-----

A session logging to syslog shows this:

-----8<-----
Mar 2 14:46:26 pye-dev-00 xl2tpd[683]: "/etc/ppp/options.aaisp-5"
Mar 2 14:46:26 pye-dev-00 pppd[1162]: Plugin pppol2tp.so loaded.
Mar 2 14:46:26 pye-dev-00 pppd[1162]: pppd 2.4.7 started by root, uid 0
Mar 2 14:46:26 pye-dev-00 pppd[1162]: Using interface ppp17
Mar 2 14:46:26 pye-dev-00 pppd[1162]: Connect: ppp17 <-->
Mar 2 14:46:26 pye-dev-00 NetworkManager[554]: <info> [1488465986.8784] manager: (ppp17): new Generic device (/org/freedesktop/NetworkManager/Devices/4)
Mar 2 14:46:26 pye-dev-00 NetworkManager[554]: <info> [1488465986.9906] devices added (path: /sys/devices/virtual/net/ppp17, iface: ppp17)
Mar 2 14:46:26 pye-dev-00 NetworkManager[554]: <warn> [1488465986.9907] failed to get MAC address for ppp17
Mar 2 14:46:26 pye-dev-00 NetworkManager[554]: <info> [1488465986.9908] get unmanaged devices count: 3
Mar 2 14:46:27 pye-dev-00 pppd[1162]: CHAP authentication succeeded: L2TP37120
Mar 2 14:46:27 pye-dev-00 pppd[1162]: CHAP authentication succeeded
Mar 2 14:46:27 pye-dev-00 pppd[1162]: local IP address 81.187.204.131
Mar 2 14:46:27 pye-dev-00 pppd[1162]: remote IP address 81.187.81.187
Mar 2 14:46:27 pye-dev-00 pppd[1162]: local LL address fe80::7de2:ab95:6b4e:0553
Mar 2 14:46:27 pye-dev-00 pppd[1162]: remote LL address fe80::0203:97ff:fe05:4000
Mar 2 14:46:27 pye-dev-00 root: ppp17 0 81.187.204.131 81.187.81.187 Upping PPP over L2TP tunnel
Mar 2 14:46:28 pye-dev-00 systemd[1]: Reloading OpenBSD Secure Shell server.
Mar 2 14:46:28 pye-dev-00 systemd[1]: Reloaded OpenBSD Secure Shell server.
Mar 2 14:46:28 pye-dev-00 systemd[1]: Reloading.
Mar 2 14:46:28 pye-dev-00 kernel: [ 133.924485] ppp17: recursion detected
Mar 2 14:46:28 pye-dev-00 kernel: [ 133.924502] ppp17: recursion detected
...
Mar 2 14:46:34 pye-dev-00 kernel: [ 139.923324] net_ratelimit: 122 callbacks suppressed
...
Mar 2 14:46:57 pye-dev-00 kernel: [ 162.604448] ppp17: recursion detected
Mar 2 14:46:57 pye-dev-00 kernel: [ 162.604452] ppp17: recursion detected
Mar 2 14:47:00 pye-dev-00 xl2tpd[683]: control_finish: Connection closed to 90.155.53.19, serial 1 (LCP timeout)
Mar 2 14:47:00 pye-dev-00 xl2tpd[683]: Terminating pppd: sending TERM signal to pid 1162
Mar 2 14:47:00 pye-dev-00 pppd[1162]: Terminating on signal 15
Mar 2 14:47:00 pye-dev-00 pppd[1162]: Connect time 0.6 minutes.
Mar 2 14:47:00 pye-dev-00 pppd[1162]: Sent 583531 bytes, received 17329 bytes.
Mar 2 14:47:00 pye-dev-00 root: ppp17 0 81.187.204.131 81.187.81.187 Downing PPP over L2TP tunnel
Mar 2 14:47:00 pye-dev-00 systemd[1]: Reloading.
Mar 2 14:47:01 pye-dev-00 xl2tpd[683]: get_call: can't find call 31055 in tunnel 23587#012 (ref=0/0)
Mar 2 14:47:01 pye-dev-00 xl2tpd[683]: check_control: Received out of order control packet on tunnel 1333 (got 2, expected 3)
Mar 2 14:47:06 pye-dev-00 pppd[1162]: Connection terminated.
Mar 2 14:47:06 pye-dev-00 pppd[1162]: Connect time 0.6 minutes.
Mar 2 14:47:06 pye-dev-00 pppd[1162]: Sent 583531 bytes, received 17329 bytes.
Mar 2 14:47:06 pye-dev-00 pppd[1162]: Modem hangup
Mar 2 14:47:06 pye-dev-00 pppd[1162]: Exit.
Mar 2 14:47:06 pye-dev-00 NetworkManager[554]: <info> [1488466026.6376] devices removed (path: /sys/devices/virtual/net/ppp17, iface: ppp17)
Mar 2 14:47:06 pye-dev-00 NetworkManager[554]: <info> [1488466026.6378] get unmanaged devices count: 2
Mar 2 14:47:09 pye-dev-00 systemd[1]: Reloading.
Mar 2 14:47:09 pye-dev-00 markMLl: Downing L2TP tunnel
Mar 2 14:47:09 pye-dev-00 xl2tpd[683]: Disconnecting from 90.155.53.19, Local: 23587, Remote: 1333
Mar 2 14:47:09 pye-dev-00 xl2tpd[683]: Connection 1333 closed to 90.155.53.19, port 1701 (Goodbye!)
----->8-----

Monitoring the session using Wireshark shows garbage being transferred (no LCP echo success, a large number of rubbish DNS lookups to random addresses).
Rebuilding from source with USE_KERNEL disabled and only replacing the xl2tpd binary results in a robust system.

I don't know whether this is, strictly, an xl2tpd problem, a pppd problem or something internal to the kernel. It might potentially also affect other protocols that embed PPP, e.g. PPPoE for ADSL.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xl2tpd depends on:
ii  libc6       2.24-9
ii  libpcap0.8  1.8.1-3
ii  lsb-base    9.20161125
ii  ppp         2.4.7-1+4

xl2tpd recommends no packages.

xl2tpd suggests no packages.

-- Configuration Files:
/etc/xl2tpd/xl2tpd.conf changed:
;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documentation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
; [global]                                        ; Global parameters:
; port = 1701                                     ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets             ; * Where our challenge secrets are
; access control = yes                            ; * Refuse connections without IP match
; rand source = dev                               ; Source for entropy for random
;                                                 ; numbers, options are:
;                                                 ; dev - reads of /dev/urandom
;                                                 ; sys - uses rand()
;                                                 ; egd - reads from egd socket
;                                                 ; egd is not yet implemented
;
; [lns default]                                   ; Our fallthrough LNS definition
; exclusive = no                                  ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20             ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9           ; * Except these hosts
; ip range = 192.168.0.5                          ; * But this one is okay
; ip range = lac1-lac2                            ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8                 ; * These can connect as LAC's
; no lac = untrusted.marko.net                    ; * This guy can't connect
; hidden bit = no                                 ; * Use hidden AVP's?
; local ip = 192.168.1.2                          ; * Our local IP to use
; local ip range = 192.168.200.0-192.168.200.20   ; Alternatively, use a range for local addressing
; length bit = yes                                ; * Use length bit in payload?
; require chap = yes                              ; * Require CHAP auth. by peer
; refuse pap = yes                                ; * Refuse PAP authentication
; refuse chap = no                                ; * Refuse CHAP authentication
; refuse authentication = no                      ; * Refuse authentication altogether
; require authentication = yes                    ; * Require peer to authenticate
; unix authentication = no                        ; * Use /etc/passwd for auth.
; name = myhostname                               ; * Report this as our hostname
; ppp debug = no                                  ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.lns         ; * ppp options file
; call rws = 10                                   ; * RWS for call (-1 is valid)
; tunnel rws = 4                                  ; * RWS for tunnel (must be > 0)
; flow bit = yes                                  ; * Include sequence numbers
; challenge = yes                                 ; * Challenge authenticate peer
;
; rx bps = 10000000                               ; Receive tunnel speed
; tx bps = 10000000                               ; Transmit tunnel speed
; bps = 100000                                    ; Define both receive and transmit speed in one option
; [lac marko]                                     ; Example VPN LAC definition
; lns = lns.marko.net                             ; * Who is our LNS?
; lns = lns2.marko.net                            ; * A backup LNS (not yet used)
; redial = yes                                    ; * Redial if disconnected?
; redial timeout = 15                             ; * Wait n seconds between redials
; max redials = 5                                 ; * Give up after n consecutive failures
; hidden bit = yes                                ; * User hidden AVP's?
; local ip = 192.168.1.1                          ; * Force peer to use this IP for us
; remote ip = 192.168.1.2                         ; * Force peer to use this as their IP
; length bit = no                                 ; * Use length bit in payload?
; require pap = no                                ; * Require PAP auth. by peer
; require chap = yes                              ; * Require CHAP auth. by peer
; refuse pap = yes                                ; * Refuse PAP authentication
; refuse chap = no                                ; * Refuse CHAP authentication
; refuse authentication = no                      ; * Refuse authentication altogether
; require authentication = yes                    ; * Require peer to authenticate
; name = marko                                    ; * Report this as our hostname
; ppp debug = no                                  ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko       ; * ppp options file for this lac
; call rws = 10                                   ; * RWS for call (-1 is valid)
; tunnel rws = 4                                  ; * RWS for tunnel (must be > 0)
; flow bit = yes                                  ; * Include sequence numbers
; challenge = yes                                 ; * Challenge authenticate peer
;
; [lac cisco]                                     ; Another quick LAC
; lns = cisco.marko.net                           ; * Required, but can take from default
; require authentication = yes

[lac aaisp-5]
lns = l2tp.aaisp.net.uk
require authentication = no
pppoptfile = /etc/ppp/options.aaisp-5
redial = yes                                      ; * Redial if disconnected?
redial timeout = 15                               ; * Wait n seconds between redials
max redials = 65535                               ; * Give up after n consecutive failures

-- no debconf information
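The syslog excerpt above carries a recognisable signature: pppd brings the interface up, the kernel emits a burst of "pppN: recursion detected" warnings (then rate-limits them), and about half a minute later xl2tpd tears the call down with an LCP timeout. The following is an added triage script, not part of the bug report and not xl2tpd or pppd code; it parses syslog lines of the shapes shown in the report, correlates the kernel warnings with the pppd interface and the xl2tpd LCP timeout for that session, and reports whether a log matches that kernel-mode failure pattern. The sample log lines are constructed from the message shapes in the report (abbreviated, not a verbatim copy), and the regexes are assumptions about those message formats rather than a documented interface.

```python
import re

# Constructed sample, modelled on the syslog excerpt in the bug report
# (same message shapes, abbreviated; not a verbatim copy of the session).
SAMPLE_LOG = """\
Mar  2 14:46:26 pye-dev-00 xl2tpd[683]: "/etc/ppp/options.aaisp-5"
Mar  2 14:46:26 pye-dev-00 pppd[1162]: Plugin pppol2tp.so loaded.
Mar  2 14:46:26 pye-dev-00 pppd[1162]: Using interface ppp17
Mar  2 14:46:27 pye-dev-00 pppd[1162]: CHAP authentication succeeded
Mar  2 14:46:28 pye-dev-00 kernel: [  133.924485] ppp17: recursion detected
Mar  2 14:46:28 pye-dev-00 kernel: [  133.924502] ppp17: recursion detected
Mar  2 14:46:34 pye-dev-00 kernel: [  139.923324] net_ratelimit: 122 callbacks suppressed
Mar  2 14:47:00 pye-dev-00 xl2tpd[683]: control_finish: Connection closed to 90.155.53.19, serial 1 (LCP timeout)
Mar  2 14:47:00 pye-dev-00 xl2tpd[683]: Terminating pppd: sending TERM signal to pid 1162
Mar  2 14:47:00 pye-dev-00 pppd[1162]: Terminating on signal 15
"""

# Constructed control case: same session shape, no kernel warnings, no LCP timeout.
HEALTHY_LOG = """\
Mar  2 15:01:10 pye-dev-00 xl2tpd[683]: "/etc/ppp/options.aaisp-5"
Mar  2 15:01:10 pye-dev-00 pppd[1162]: Using interface ppp17
Mar  2 15:01:11 pye-dev-00 pppd[1162]: CHAP authentication succeeded
Mar  2 15:01:11 pye-dev-00 pppd[1162]: local IP address 81.187.204.131
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Message-body patterns, assumed from the shapes seen in the report.
IFACE_RE = re.compile(r"^Using interface (?P<iface>ppp\d+)$")
RECURSION_RE = re.compile(r"\] (?P<iface>ppp\d+): recursion detected$")
RATELIMIT_RE = re.compile(r"net_ratelimit: (?P<n>\d+) callbacks suppressed")
LCP_TIMEOUT_RE = re.compile(
    r"^control_finish: Connection closed to (?P<peer>\S+), serial \d+ \(LCP timeout\)$")
TERM_RE = re.compile(r"^Terminating pppd: sending TERM signal to pid (?P<pid>\d+)$")


def to_seconds(hhmmss):
    """Seconds since midnight, enough to measure time-to-failure within one day."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Summarise one xl2tpd/pppd session and classify it against the report's pattern."""
    s = {"iface": None, "pppd_pid": None, "up_at": None, "recursion_warnings": 0,
         "suppressed_warnings": 0, "lcp_timeout_at": None, "peer": None,
         "pppd_killed_by_xl2tpd": False}
    recursion_by_iface = {}          # kernel warnings counted per ppp interface
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, prog, t = rec["msg"], rec["prog"], to_seconds(rec["time"])
        if prog == "pppd" and (m := IFACE_RE.match(msg)):
            s["iface"], s["pppd_pid"], s["up_at"] = m["iface"], rec["pid"], t
        elif prog == "kernel":
            if m := RECURSION_RE.search(msg):
                recursion_by_iface[m["iface"]] = recursion_by_iface.get(m["iface"], 0) + 1
            elif m := RATELIMIT_RE.search(msg):
                s["suppressed_warnings"] += int(m["n"])
        elif prog == "xl2tpd":
            if m := LCP_TIMEOUT_RE.match(msg):
                s["lcp_timeout_at"], s["peer"] = t, m["peer"]
            elif (m := TERM_RE.match(msg)) and m["pid"] == s["pppd_pid"]:
                s["pppd_killed_by_xl2tpd"] = True
    # Only warnings on the session's own interface count towards the verdict.
    s["recursion_warnings"] = recursion_by_iface.get(s["iface"], 0)
    s["seconds_to_failure"] = (s["lcp_timeout_at"] - s["up_at"]
                               if s["lcp_timeout_at"] is not None and s["up_at"] is not None
                               else None)
    if s["recursion_warnings"] and s["lcp_timeout_at"] is not None:
        s["verdict"] = "kernel-mode failure pattern"       # recursion warnings, then LCP timeout
    elif s["lcp_timeout_at"] is not None:
        s["verdict"] = "LCP timeout without ppp recursion warnings"
    else:
        s["verdict"] = "no failure pattern seen"
    return s


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, analyse(log))
```

On the constructed sample the verdict is the kernel-mode pattern, with two counted recursion warnings (plus 122 rate-limited ones) and 34 seconds from interface-up to LCP timeout, which is consistent with the "Connect time 0.6 minutes" pppd reports; the control log yields no pattern. To use it on a real host, feed it the relevant slice of /var/log/syslog or journalctl output rather than the embedded samples; a verdict of "kernel-mode failure pattern" on a binary built with kernel support, and its absence after the USE_KERNEL-disabled rebuild, is the evidence the report describes.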