Hi, 

> It seems that only the last person can use the tunnel.  This reminds me 
> of problems through NAT.
True. Can it be caused by wrong PF rules?

> Both sessions seem to be connected from A.B.C.D.  Are the clients 
> behind a NAT?
Yes, both clients are behind the same router/NAT.
I have a 66/i386 box running npppd in production and my two clients can be 
connected at the same time flawlessly.

> How about the npppd side?  Does the client directly connect to
> 
> > tunnel L2TP protocol l2tp {
> >         listen on X.Y.Z.13
> > }
> 
> X.Y.Z.13 ?  Or a NAT is there?
It is directly connected to X.Y.Z.13, no NAT.

On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
YASUOKA Masahiko <[email protected]> wrote:

> Hi,
> 
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek <[email protected]> wrote:
> > I have a box with relatively fresh install of 68/amd64, fully 
> > syspatched. There is a npppd server running on it. The problem is 
> > that I can have only one nppp session at one time. If the second 
> > vpn user connects to the box, the first nppp session hangs/drops. I 
> > probably have missed something obvious in my setup but I really 
> > can't find what it is.
> 
> It seems that only the last person can use the tunnel.  This reminds me 
> of problems through NAT.
> 
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base 
> > logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 iface=pppx0
> 
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base 
> > logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 iface=pppx0
> 
> Both sessions seem to be connected from A.B.C.D.  Are the clients 
> behind a NAT?
> 
> How about the npppd side?  Does the client directly connect to
> 
> > tunnel L2TP protocol l2tp {
> >         listen on X.Y.Z.13
> > }
> 
> X.Y.Z.13 ?  Or a NAT is there?
> 
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek <[email protected]> wrote:
> > Hi @misc,
> >
> > I have a box with relatively fresh install of 68/amd64, fully 
> > syspatched. There is a npppd server running on it. The problem is 
> > that I can have only one nppp session at one time. If the second 
> > vpn user connects to the box, the first nppp session hangs/drops. I 
> > probably have missed something obvious in my setup but I really 
> > can't find what it is.
> >
> > Please help me to solve the problem.
> > Thank you.
> >
> > $cat /etc/npppd/npppd.conf
> > authentication LOCAL type local {
> >         users-file "/etc/npppd/npppd-users"
> > }
> > tunnel L2TP protocol l2tp {
> >         listen on X.Y.Z.13
> > }
> > ipcp IPCP {
> >         pool-address 10.109.4.1-10.109.4.32
> >         dns-servers 1.1.1.1
> > }
> > # use pppx(4) interface.  use an interface per a ppp session.
> > interface pppx0 address 10.109.4.254 ipcp IPCP
> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> >
> > $cat /etc/hostname.enc0
> > up
> >
> >
> > $cat /etc/sysctl.conf
> > net.inet.ip.forwarding=1
> > net.inet.ipcomp.enable=1
> > net.inet.esp.enable=1
> > net.inet.gre.allow=1
> > net.pipex.enable=1
> >
> > $cat /etc/rc.conf.local
> > ipsec=YES
> > ipsec_rules=/etc/ipsec.conf
> > isakmpd_flags="-K"
> > npppd_flags=""
> >
> > $cat /etc/ipsec.conf
> > wan_ipv4 = X.Y.Z.13
> > ike passive esp transport \
> >  proto udp from $wan_ipv4 to any port 1701 \
> >  main auth "hmac-sha1" enc "3des" group modp1024 \
> >  quick auth "hmac-sha1" enc "aes" group modp1024 \
> >  psk "pskpskpsk"
> >
> > $cat /etc/pf.conf
> > [...]
> > vpn_if     = "pppx"
> > vpn_local  = "10.109.4.0/24"
> >
> > pass in on $ext_if proto udp from any to (egress:0) port {isakmp,ipsec-nat-t,l2tp}
> > pass in on $ext_if proto {ah,esp}
> > pass log proto { gre } from any to any keep state
> >
> > # filter all IPSec traffic on the enc interface
> > pass on enc0 keep state (if-bound)
> >
> > # allow all traffic in on and out to the VPN network
> > pass on $vpn_if from $vpn_local
> > pass on $vpn_if to $vpn_local
> >
> > # NAT VPN traffic going out on the public interface with the public IP
> > match out log on $ext_if inet proto { tcp, udp, icmp } from $vpn_local nat-to ($ext_if) set prio (3,7)
> >
> > some logs...
> >
> > Jan  6 20:53:14 fw-u last message repeated 4 times
> > Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: 
> > ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> > Jan  6 20:53:16 fw-u last message repeated 2 times
> > Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: 
> > GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started 
> > RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0 
> > winsize=8 hostname=w520 vendor=Microsoft firm=0601
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendSCCRP
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvSCCN
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendZLB
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvZLB
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICRQ 
> > session_id=1
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendICRP 
> > session_id=6499
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 RecvICCN 
> > session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 
> > logtype=PPPBind ppp=0
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base 
> > logtype=Started tunnel=L2TP(A.B.C.D:1701)
> > Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendZLB
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp 
> > logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=e916be4d/3c630a24
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId 
> > magic=3c630a24 text=MSRASV5.20
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId 
> > magic=3c630a24 text=MSRAS-0-W520
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId 
> > magic=3c630a24 text=.=. .`.M........
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=chap 
> > proto=mschap_v2 logtype=Success username="rdk" realm=LOCAL
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe mismatch 
> > our=40bit,128bit,56bit,stateless peer=stateless
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp IP Address 
> > peer=0.0.0.0 our=10.109.4.1.
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp 
> > logtype=Opened ip=10.109.4.1 assignType=dynamic
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base 
> > logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 iface=pppx0
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe 
> > logtype=Opened our=128bit,stateless peer=128bit,stateless
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base Using 
> > pipex=yes
> > Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: 
> > ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> > Jan  6 20:53:43 fw-u last message repeated 2 times
> > Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: 
> > GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 logtype=Started 
> > RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=2/20 protocol=1.0 
> > winsize=8 hostname=x vendor=Microsoft firm=0601
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvSCCN
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendZLB
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICRQ 
> > session_id=1
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendICRP 
> > session_id=11788
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICCN 
> > session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 
> > logtype=PPPBind ppp=1
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base 
> > logtype=Started tunnel=L2TP(A.B.C.D:1701)
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendZLB
> > Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp 
> > logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=9699e1a6/244d01eb
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId 
> > magic=244d01eb text=MSRASV5.20
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId 
> > magic=244d01eb text=MSRAS-0-X
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId 
> > magic=244d01eb text=.*.(...N.....Z68
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=chap 
> > proto=mschap_v2 logtype=Success username="rdk-test" realm=LOCAL
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe mismatch 
> > our=40bit,128bit,56bit,stateless peer=stateless
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp IP Address 
> > peer=0.0.0.0 our=10.109.4.11.
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp 
> > logtype=Opened ip=10.109.4.11 assignType=dynamic
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base 
> > logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 iface=pppx0
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe 
> > logtype=Opened our=128bit,stateless peer=128bit,stateless
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base Using 
> > pipex=yes
> >
> > -- 
> > Radek
> >
> 


-- 
Radek
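An added check, not part of Radek's or Yasuoka's messages: a small Python script that applies Yasuoka's two observations to the posted logs. It carries the wrapped npppd and isakmpd lines from the post as a constructed, unwrapped sample, groups TUNNELSTART sessions by layer2from to flag several PPP sessions arriving from one peer address and port (the NAT symptom Yasuoka pointed at), lists the L2TP tunnels, which npppd does tell apart by tunnel_id, and collects the isakmpd attribute_unacceptable lines so that what the clients propose can be compared with what the posted ipsec.conf accepts. The regular expressions assume exactly the log format shown in the post; the field names (peer, tid, host, and so on) are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the post, joined back onto
# single lines.  Only the lines the checks below need are kept.
SAMPLE_LOG = """\
Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0 winsize=8 hostname=w520 vendor=Microsoft firm=0601
Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 iface=pppx0
Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=2/20 protocol=1.0 winsize=8 hostname=x vendor=Microsoft firm=0601
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 iface=pppx0
"""

# A PPP session that came up: who, from which L2TP peer, with which inner IP.
TUNNELSTART_RE = re.compile(
    r'npppd\[\d+\]: ppp id=(?P<id>\d+) .*logtype=TUNNELSTART user="(?P<user>[^"]*)"'
    r' .*layer2=(?P<layer2>\S+) layer2from=(?P<peer>\S+) .*ip=(?P<ip>\S+) iface=(?P<iface>\S+)'
)
# An L2TP control connection request; tunnel_id is how npppd tells peers apart.
SCCRQ_RE = re.compile(
    r'npppd\[\d+\]: l2tpd ctrl=(?P<ctrl>\d+) .*RecvSCCRQ from=(?P<peer>\S+)'
    r' tunnel_id=(?P<tid>\S+) .*hostname=(?P<host>\S+)'
)
# isakmpd rejecting one proposal attribute: what the client offered vs. the config.
ISAKMP_RE = re.compile(
    r'isakmpd\[\d+\]: attribute_unacceptable: (?P<attr>\w+): got (?P<got>\w+), expected (?P<exp>\w+)'
)


def parse_sessions(log):
    """One dict per PPP session that reached TUNNELSTART, in log order."""
    return [m.groupdict() for m in map(TUNNELSTART_RE.search, log.splitlines()) if m]


def parse_l2tp_tunnels(log):
    """One dict per L2TP SCCRQ, i.e. per L2TP tunnel npppd accepted."""
    return [m.groupdict() for m in map(SCCRQ_RE.search, log.splitlines()) if m]


def sessions_sharing_peer(sessions):
    """Peers (address:port) that carry more than one PPP session -> the users behind them.

    Two sessions from the same address and port is the signature of clients
    behind a shared NAT: the outer IPsec peer looks identical for both.
    """
    by_peer = defaultdict(list)
    for s in sessions:
        by_peer[s["peer"]].append(s["user"])
    return {peer: users for peer, users in by_peer.items() if len(users) > 1}


def proposal_mismatches(log):
    """Per IKE attribute, the set of (client proposed, server expected) pairs isakmpd rejected."""
    out = defaultdict(set)
    for line in log.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            out[m["attr"]].add((m["got"], m["exp"]))
    return dict(out)


def report(log):
    sessions = parse_sessions(log)
    for t in parse_l2tp_tunnels(log):
        print(f"l2tp tunnel ctrl={t['ctrl']} tunnel_id={t['tid']} from {t['peer']} host={t['host']}")
    for peer, users in sessions_sharing_peer(sessions).items():
        print(f"NAT suspect: {len(users)} sessions from {peer}: {', '.join(users)}")
    for attr, pairs in sorted(proposal_mismatches(log).items()):
        for got, exp in sorted(pairs):
            print(f"ike proposal: {attr}: client offered {got}, ipsec.conf expects {exp}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the posted logs this reports one peer, A.B.C.D:1701, carrying both rdk and rdk-test, while the two L2TP tunnels are still distinct (tunnel_id 1/26 and 2/20). So npppd itself separates the clients; what the script cannot see is whether the transport-mode IPsec flow on the server, which the posted ipsec.conf keys on the peer address and UDP port 1701, also stays separate for two clients behind one NAT. Running ipsecctl -sa on the server while both clients are connected is the check for that. The proposal lines are a separate point: both Windows clients first offer AES_CBC and MODP_2048 and are refused because the ike line pins 3des and modp1024, both of which are weak by today's standards, so the ipsec.conf could be tightened to what the clients already support. On a live box the script typically reads /var/log/daemon rather than the embedded sample.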
