Re: npppd - problem with simultaneous sessions

[YASUOKA Masahiko]

Hi,

It seems that only last person can use the tunnel.  This reminds me
problems through NAT.
True. Can it be caused by wrong PF rules?

No, I don't think so.

I suppose I could repeat the problem.

When the problem is happening, is the counter "dropped due to missing 
IPsec protection" incremented?

  % netstat -sp udp
  udp:
          655 datagrams received
          0 with incomplete header
          0 with bad data length field
          0 with bad checksum
          297 with no checksum
          356 input packets software-checksummed
          236 output packets software-checksummed
          46 dropped due to no socket
          0 broadcast/multicast datagrams dropped due to no socket
          3 dropped due to missing IPsec protection
          0 dropped due to full socket buffers
          609 delivered
          236 datagrams output
          354 missed PCB cache

I started looking into this problem.

On Thu, 7 Jan 2021 09:45:07 +0100
radek <r...@int.pl> wrote:
Hi,

It seems that only last person can use the tunnel.  This reminds me
problems through NAT.
True. Can it be caused by wrong PF rules?

Both sessions seem to be connected from A.B.C.D.  Are the clients
behind a NAT?
Yes, both client are behind the same router/NAT.
I have a 66/i386 box running npppd on producion and my two clients 
can be connected the same time flawlessly.

How about the npppd side?  Does the client directly connect to

> tunnel L2TP protocol l2tp {
>         listen on X.Y.Z.13
> }

X.Y.Z.13 ?  Or a NAT is there?
It is directly connected do X.Y.Z.13, no NAT.

On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
YASUOKA Masahiko <yasu...@openbsd.org> wrote:

Hi,

On Wed, 6 Jan 2021 21:33:49 +0100
Radek <r...@int.pl> wrote:
> I have a box with relatively fresh install of 68/amd64, fully
> syspatched. There is a npppd server running on it. The problem is
> that I can have only one nppp session at one time. If the second
> vpn user connects the box, the first nppp session hangs/drops. I
> probably have missed something obvious in my setup but I really
> can't find what it is.

It seems that only last person can use the tunnel.  This reminds me
problems through NAT.

> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base
> logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP
> layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 
iface=pppx0

> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base
> logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP
> layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 
iface=pppx0

Both sessions seem to be connected from A.B.C.D.  Are the clients
behind a NAT?

How about the npppd side?  Does the client directly connect to

> tunnel L2TP protocol l2tp {
>         listen on X.Y.Z.13
> }

X.Y.Z.13 ?  Or a NAT is there?

On Wed, 6 Jan 2021 21:33:49 +0100
Radek <r...@int.pl> wrote:
> Hi @misc,
>
> I have a box with relatively fresh install of 68/amd64, fully
> syspatched. There is a npppd server running on it. The problem is
> that I can have only one nppp session at one time. If the second
> vpn user connects the box, the first nppp session hangs/drops. I
> probably have missed something obvious in my setup but I really
> can't find what it is.
>
> Please help me to solve the problem.
> Thank you.
>
> $cat /etc/npppd/npppd.conf
> authentication LOCAL type local {
>         users-file "/etc/npppd/npppd-users"
> }
> tunnel L2TP protocol l2tp {
>         listen on X.Y.Z.13
> }
> ipcp IPCP {
>         pool-address 10.109.4.1-10.109.4.32
>         dns-servers 1.1.1.1
> }
> # use pppx(4) interface.  use an interface per a ppp session.
> interface pppx0 address 10.109.4.254 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to pppx0
>
> $cat /etc/hostname.enc0
> up
>
>
> $cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.gre.allow=1
> net.pipex.enable=1
>
> $cat /etc/rc.conf.local
> ipsec=YES
> ipsec_rules=/etc/ipsec.conf
> isakmpd_flags="-K"
> npppd_flags=""
>
> $cat /etc/ipsec.conf
> wan_ipv4 = X.Y.Z.13
> ike passive esp transport \
>  proto udp from $wan_ipv4 to any port 1701 \
>  main auth "hmac-sha1" enc "3des" group modp1024 \
>  quick auth "hmac-sha1" enc "aes" group modp1024 \
>  psk "pskpskpsk"
>
> $cat /etc/pf.conf
> [...]
> vpn_if     = "pppx"
> vpn_local  = "10.109.4.0/24"
>
> pass in on $ext_if proto udp from any to (egress:0) port
> {isakmp,ipsec-nat-t,l2tp}
> pass in on $ext_if proto {ah,esp}
> pass log proto { gre } from any to any keep state
>
> # filter all IPSec traffic on the enc interface
> pass on enc0 keep state (if-bound)
>
> # allow all trafic in on and out to the VPN network
> pass on $vpn_if from $vpn_local
> pass on $vpn_if to $vpn_local
>
> # NAT VPN traffic going out on the public interface with the 
public
> IP
> match out log on $ext_if inet proto { tcp, udp, icmp } from
> $vpn_local nat-to ($ext_if) set prio (3,7)
>
> some logs...
>
> Jan  6 20:53:14 fw-u last message repeated 4 times
> Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Jan  6 20:53:16 fw-u last message repeated 2 times
> Jan  6 20:53:16 fw-u isakmpd[11638]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 logtype=Started
> RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=1/26 protocol=1.0
> winsize=8 hostname=w520 vendor=Microsoft firm=0601
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendSCCRP
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvSCCN
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 SendZLB
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 RecvZLB
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 
RecvICRQ
> session_id=1
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 
SendICRP
> session_id=6499
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 
RecvICCN
> session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499
> logtype=PPPBind ppp=0
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base
> logtype=Started tunnel=L2TP(A.B.C.D:1701)
> Jan  6 20:53:16 fw-u npppd[82720]: l2tpd ctrl=1 call=6499 SendZLB
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp
> logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 
magic=e916be4d/3c630a24
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId
> magic=3c630a24 text=MSRASV5.20
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId
> magic=3c630a24 text=MSRAS-0-W520
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=lcp RecvId
> magic=3c630a24 text=.=. .`.M........
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=chap
> proto=mschap_v2 logtype=Success username="rdk" realm=LOCAL
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe mismatch
> our=40bit,128bit,56bit,stateless peer=stateless
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp IP Address
> peer=0.0.0.0 our=10.109.4.1.
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=ipcp
> logtype=Opened ip=10.109.4.1 assignType=dynamic
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base
> logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP
> layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 
iface=pppx0
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=mppe
> logtype=Opened our=128bit,stateless peer=128bit,stateless
> Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base Using
> pipex=yes
> Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Jan  6 20:53:43 fw-u last message repeated 2 times
> Jan  6 20:53:43 fw-u isakmpd[11638]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 logtype=Started
> RecvSCCRQ from=A.B.C.D:1701/udp tunnel_id=2/20 protocol=1.0
> winsize=8 hostname=x vendor=Microsoft firm=0601
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvSCCN
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendZLB
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 
RecvICRQ
> session_id=1
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 
SendICRP
> session_id=11788
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 
RecvICCN
> session_id=1 calling_number= tx_conn_speed=100000000 framing=sync
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788
> logtype=PPPBind ppp=1
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base
> logtype=Started tunnel=L2TP(A.B.C.D:1701)
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 
SendZLB
> Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp
> logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 
magic=9699e1a6/244d01eb
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId
> magic=244d01eb text=MSRASV5.20
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId
> magic=244d01eb text=MSRAS-0-X
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId
> magic=244d01eb text=.*.(...N.....Z68
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=chap
> proto=mschap_v2 logtype=Success username="rdk-test" realm=LOCAL
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe mismatch
> our=40bit,128bit,56bit,stateless peer=stateless
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp IP Address
> peer=0.0.0.0 our=10.109.4.11.
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp
> logtype=Opened ip=10.109.4.11 assignType=dynamic
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base
> logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP
> layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 
iface=pppx0
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe
> logtype=Opened our=128bit,stateless peer=128bit,stateless
> Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base Using
> pipex=yes
>
> --
> Radek
>



--
Radek