L2TP client for testing with ACCEL-PPP

L2TP related questions
Post Reply
tj-19
Posts: 18
Joined: 10 Jun 2019, 20:42

L2TP client for testing with ACCEL-PPP

Post by tj-19 » 27 Jan 2021, 22:22

Dear all,

I’ve just got back around to testing with L2TP and want to find a client I can test with.

I need an L2TP client where I can set an L2TP secret without IPSEC and get prompted for a username and password, so I can test my ADSL/FTTC LNS configuration.

I’ve tried settings the following in the registry for Windows 10 but is doesn’t seem to work.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters

Adding the DWORD ProhibitIpSec and setting it to 1.

Is there a simple client for Windows, Android or Ubuntu?

Many Thanks,

dimka88
Posts: 761
Joined: 13 Oct 2014, 05:51
Contact:

Re: L2TP client for testing with ACCEL-PPP

Post by dimka88 » 28 Jan 2021, 05:58

Hello @tj-19, I think you can use Windows native client, but just disable encryption.

tj-19
Posts: 18
Joined: 10 Jun 2019, 20:42

Re: L2TP client for testing with ACCEL-PPP

Post by tj-19 » 28 Jan 2021, 16:19

Hi,

I've tired it by setting ProhibitIpSec (DWORD) to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.

But it does not appear to work for Windows 10.

Maybe I am doing something wrong? Could you please check for me, maybe I have something misconfigured in ACCEL-PPP.

Can you check if the ProhibitIpSec works or not, I would be grateful.

Thanks,

tj-19
Posts: 18
Joined: 10 Jun 2019, 20:42

Re: L2TP client for testing with ACCEL-PPP

Post by tj-19 » 29 Jan 2021, 02:16

Hi Dimka88,

I’ve managed to get the L2TP client without IPSEC working in Windows 10 but only with L2TPNS not ACCEL-PPP as the server.

When using ACCEL-PPP, there appears to be an issue with the shared secret.

If I set secret=test under [l2tp] in accel-ppp.conf and then the word test under pre-shared key in my L2TP client config in windows 10, it will not work.

I get the following error in the accel-ppp.log.

"impossible to authenticate peer: invalid Challenge Response sent by peer (wrong secret)"

Please try it for yourself.

You will need to add the following DWORD in your windows Registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec and set it to 1.

This is the same issue I was having before.

Please see the following bug report.

viewtopic.php?f=8&t=2591

I realise you tested with a Cisco, however it does not appear to work with the Windows L2TP client or Juniper based LTS.

If I remove the secret from the l2tp config in accel-ppp and the windows client, I’m then able to connect using accel-ppp.

The realm stripping appears to work fine, thank you for adding this.

However, if I disconnect the user and immediately reconnect it doesn’t work straight away.

I have to wait a few minutes and then I can connect again.

Lastly, the authentication/login seems to take a long time when using ACCEL-PPP.

I’ve tested with L2TPNS and it’s instant, under 1 second. When using the Windows L2TP client. However, with accel-ppp it’s takes about 4 seconds to connect.

I’ve found that by setting acct-on=off under [radius] the connection is much faster. But I am then disconnected with the following error:- <Acct-Terminate-Cause NAS-Error>]

I would be grateful for any help you can give.

I’m using accel-ppp version 1.12.0-106-g87f24b5

Thanks,

[Errors after reconnecting]
[2021-01-29 00:32:34]: info: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): send [L2TP tid=13 sid=1 Ns=2 Nr=6 <Message-Type Call-Disconnect-Notify> <Assigned-Session-ID -13422> <Result-Code>]
[2021-01-29 00:32:36]: warn: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): discarding message with invalid tid 0
[2021-01-29 00:32:36]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message added to reception queue
[2021-01-29 00:32:36]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message acked by peer
[2021-01-29 00:32:36]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message processed from reception queue
[2021-01-29 00:32:36]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message sent from send queue
[2021-01-29 00:32:37]: warn: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): discarding message with invalid tid 0
[2021-01-29 00:32:37]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message added to reception queue
[2021-01-29 00:32:37]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message acked by peer
[2021-01-29 00:32:37]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message processed from reception queue
[2021-01-29 00:32:37]: debug: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): 0 message sent from send queue
[2021-01-29 00:32:38]: info: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): retransmission #3
[2021-01-29 00:32:38]: info: l2tp tunnel 35803-13 (XXX.XXX.XXX.XXX:37798): retransmit (timeout) [L2TP tid=13 sid=1 Ns=2 Nr=6 <Message-Type Call-Disconnect-Notify> <Assigned-Session-ID -13422>

tj-19
Posts: 18
Joined: 10 Jun 2019, 20:42

Re: L2TP client for testing with ACCEL-PPP

Post by tj-19 » 04 Feb 2021, 23:21

Hi,

Has anyone been able to verify what I have found?

Is it a configuration issue on my side or a bug?

I would be most grateful for any help.

dimka88
Posts: 761
Joined: 13 Oct 2014, 05:51
Contact:

Re: L2TP client for testing with ACCEL-PPP

Post by dimka88 » 10 Feb 2021, 10:36

Hi, you should not use `secret` in [l2tp] section. This usually required if you using accel-ppp as LNS connected to LAC.
Could you provide accel-ppp.conf?

tj-19
Posts: 18
Joined: 10 Jun 2019, 20:42

Re: L2TP client for testing with ACCEL-PPP

Post by tj-19 » 19 Feb 2021, 00:11

Hi Dimka,

Please see below example config, I have removed all the commented-out code and changed the IP addresses for security.

I am using ACCEL-PPP as an L2TP LNS to my providers LAC/LTS.

This is why I am using a shared secret.

Previously when using L2TPNS I have been able to set the password and connect with a shared secret using the Windows L2TP VPN client with IPSEC disabled.

May I ask why ACCEL-PPP works differently? Surely my connection using the Windows L2TP VPN client will provide a similar test environment like an LNS when the shared secret is set.

When I do remove the shared secret, I’m able to connect to ACCEL-PPP using the Windows L2TP VPN client but get disconnected after a few minutes. This doesn’t happen with L2TPNS.

So, I am guessing there is a keepalive issue? Or a problem because I am connecting from behind NAT?

Also, as referenced in my post above, I have noticed adding radius accounting causes the connection time to increase by a few seconds. Why is this?

There is also the issue of the strange error messages and not being able to immediately reconnect an L2TP session – See Errors after reconnecting from the above post.

Lastly, I see that ACCEL-PPP adds multiple L2TP interfaces, one for each L2TP session and an associated route. I.e. l2tp01, l2tp02 etc.

In L2TPNS it creates one interface tun0 and an entry for each connected session in the routing table.

I.e.

11.0.0.11 dev tun0 proto babel scope link
11.0.0.45 dev tun0 proto babel scope link
11.0.0.67 dev tun0 proto babel scope link

It is therefore much easier to add firewall and connection tracking rules, using just the common interface of tun0. Can you do this in ACCEL-PPP?

Thanks again for all your help, it is much apricated.

--- Abbreviated Config as requested ---

[modules]
log_file
l2tp
auth_chap_md5
radius


[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[common]

[ppp]
verbose=1
min-mtu=1280
mtu=1500
mru=1500
accomp=deny
pcomp=deny
ccp=0
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1

[auth]

[pptp]

[pppoe]

[l2tp]
verbose=1
secret=
reorder-timeout=0
ifname=l2tp%d

[sstp]

[ipoe]

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[wins]

[radius]
strip-realm=1
nas-identifier=lns-test
nas-ip-address=10.0.0.10
gw-ip-address=10.0.0.10
server=10.0.0.5,Testing,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=10.0.0.5:3799,Testing
verbose=1
timeout=3
max-try=3
acct-timeout=120
acct-delay-time=0
acct-on=off

[client-ip-range]
disable

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
color=1
level=5

[log-pgsql]
conninfo=user=log
log-table=log

[pppd-compat]
verbose=1
ip-up=/etc/ppp/ip-up
ip-down=/etc/ppp/ip-down
radattr-prefix=/var/run/radattr

[chap-secrets]

[shaper]
verbose=1

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

[ipv6-pool]
fc00:0:1::/48,64
delegate=fc00:1::/36,48

[ipv6-dns]


[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest