linux-ppp.vger.kernel.org archive mirror
From: Francesco Pretto <ceztko@gmail.com>
To: linux-ppp@vger.kernel.org
Subject: PPP connection corruption with Windows client, MPPE, and RDP
Date: Wed, 08 Oct 2014 21:16:35 +0000
Message-ID: <CALas-ij41eAabeTrq+VVPoBc2eZwnPyj0vdKPDBvWKQ5LU0NPQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3622 bytes --]

Hello PPP maintainers,

I configured an IPsec-L2TP VPN on my work network. The VPN has both
endpoints on NATted networks: the IPsec client and server are both NAT enabled
and the routers are configured to properly forward the IPsec UDP ports and to
pass through VPN traffic. For some weeks it worked reliably.
Recently it stopped working properly, with RDP (Remote Desktop
Protocol) seeming to be the most effective trigger that leads the
connection to a corrupted state.

With full PPP debugging enabled, when the connection is corrupted the log
begins to be spammed with plenty of warnings about spurious packets:
Oct  1 14:18:55 lanmaster pppd[1977]: rcvd [proto=0xa1] 5f e4 25 5a 19 6b ad 6b b7 0d 60 f7 49 f8 47 f3 5d 87 73 97 12 b2 a7 63 54 21 05 35 43 6a 94 14 ...
Oct  1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0xa1 received
Oct  1 14:18:55 lanmaster pppd[1977]: sent [LCP ProtRej id=0x21 00 a1 5f e4 25 5a 19 6b ad 6b b7 0d 60 f7 49 f8 47 f3 5d 87 73 97 12 b2 a7 63 54 21 05 35 43 6a ...]
Oct  1 14:18:55 lanmaster pppd[1977]: rcvd [proto=0x36f4] 76 df 4c 41 50 1b ad 4d 5d c6 2e fb c7 77 1d 6f ae b3 6c 55 db 2b 89 94 6c 7b e3 66 1d 2c d2 57 ...
Oct  1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0x36f4 received
Oct  1 14:18:55 lanmaster pppd[1977]: sent [LCP ProtRej id=0x22 36 f4 76 df 4c 41 50 1b ad 4d 5d c6 2e fb c7 77 1d 6f ae b3 6c 55 db 2b 89 94 6c 7b e3 66 1d 2c ...]
Oct  1 14:18:56 lanmaster pppd[1977]: rcvd [proto=0xda76] 17 88 8a 2f 86 5e 3f 4c 69 3e e4 ff bb 61 5d f8 0f 3e da ab 0b 7c 29 3b 99 87 7c 7e f7 12 4a 7b ...
Oct  1 14:18:56 lanmaster pppd[1977]: Unsupported protocol 0xda76 received
Oct  1 14:18:56 lanmaster pppd[1977]: sent [LCP ProtRej id=0x23 da 76 17 88 8a 2
[...]

This initially seemed to me an IPsec problem but, after much
troubleshooting, removing the ppp option "require-mppe-128" and
adding "nomppe", effectively disabling MPPE, resulted in an extremely
reliable connection again.

My observations:
- PPP doesn't detect a disconnection or a corruption. The client can
still properly hang up;
- It's not RDP client-server related: RDP is just the trigger; afterwards
the whole TCP/IP connection is corrupted and must be reset;
- It's not a Windows ipsec-ppp-l2tp client problem: the same happens with
Windows 8.1 and a freshly installed Windows 7 client;
- It doesn't seem to be a Linux kernel problem: I tried installing older
Ubuntu 3.2.0 kernels and observed the same problems. Now I use the 3.13.0 kernel,
with no change either;
- Tweaking the PPP MTU doesn't help. I haven't tried tweaking the IPsec MTU.

My stack has recently been updated (from Ubuntu 12.04, which
had the same problem; now it's 14.04):
- ppp 2.4.5-5.1ubuntu2
- xl2tpd 1.3.6+dfsg-1
- openswan 1:2.6.38-1
- kernel 3.13.0-36

I'm unable to say if updates on these packages triggered the problem.

The workaround is effective for me as I don't need the PPP link to be
encrypted, but the configuration should be supported with MPPE enabled.
I offer my help to do further testing if someone notices there could be
a problem in PPP (for example the MPPE state could be partially
corrupted but PPP is unable to detect it). It may also be useful for
others who have the same problem.

I attached the faulty configuration and the initial log of the
l2tp-ppp connection.

In case, please CC me as I'm not subscribed. Thanks.

Francesco

[-- Attachment #2: xl2tpd.conf --]
[-- Type: application/octet-stream, Size: 171 bytes --]

[global]
ipsec saref = yes

[lns default]
ip range = 192.168.101.200-192.168.101.250
local ip = 192.168.101.26
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[-- Attachment #3: ipsec.conf --]
[-- Type: application/octet-stream, Size: 726 bytes --]

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
#    klipsdebug="all"
#    plutodebug="all"

# Removed as said here http://ubuntuforums.org/showthread.php?t=2238692
#conn L2TP-PSK-NAT
#    rightsubnet=vhost:%priv
#    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
# rekey seems ok
#    rekey=no
#    keyingtries=3
    rekey=yes
    keyingtries=%forever
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.101.20
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    dpdtimeout=10
    dpdaction=restart

[-- Attachment #4: l2tp-ppp-init.log --]
[-- Type: application/octet-stream, Size: 6803 bytes --]

Oct  1 14:26:20 lanmaster xl2tpd[2331]: Enabling IPsec SAref processing for L2TP transport mode SAs
Oct  1 14:26:20 lanmaster xl2tpd[2331]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Oct  1 14:26:20 lanmaster xl2tpd[2331]: setsockopt recvref[30]: Protocol not available
Oct  1 14:26:20 lanmaster xl2tpd[2331]: This binary does not support kernel L2TP.
Oct  1 14:26:20 lanmaster xl2tpd[2332]: xl2tpd version xl2tpd-1.3.6 started on lanmaster PID:2332
Oct  1 14:26:20 lanmaster xl2tpd[2332]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct  1 14:26:20 lanmaster xl2tpd[2332]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct  1 14:26:20 lanmaster xl2tpd[2332]: Inherited by Jeff McAdams, (C) 2002
Oct  1 14:26:20 lanmaster xl2tpd[2332]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Oct  1 14:26:20 lanmaster xl2tpd[2332]: Listening on IP address 0.0.0.0, port 1701
Oct  1 14:26:52 lanmaster xl2tpd[2332]: Connection established to 151.44.6.95, 1701.  Local: 56337, Remote: 4 (ref=0/0).  LNS session is 'default'
Oct  1 14:26:52 lanmaster xl2tpd[2332]: check_control: Received out of order control packet on tunnel 4 (got 3, expected 2)
Oct  1 14:26:52 lanmaster xl2tpd[2332]: handle_packet: bad control packet!
Oct  1 14:26:52 lanmaster xl2tpd[2332]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
Oct  1 14:26:52 lanmaster xl2tpd[2332]: start_pppd: I'm running:
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "/usr/sbin/pppd"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "passive"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "nodetach"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "192.168.101.26:192.168.101.200"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "file"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "/etc/ppp/options.xl2tpd"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: "/dev/pts/4"
Oct  1 14:26:52 lanmaster xl2tpd[2332]: Call established with 151.44.6.95, Local: 64253, Remote: 1, Serial: 0
Oct  1 14:26:52 lanmaster pppd[2342]: pppd 2.4.5 started by administrator, uid 0
Oct  1 14:26:52 lanmaster pppd[2342]: using channel 4
Oct  1 14:26:52 lanmaster pppd[2342]: Using interface ppp0
Oct  1 14:26:52 lanmaster pppd[2342]: Connect: ppp0 <--> /dev/pts/4
Oct  1 14:26:52 lanmaster pppd[2342]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1bdc7d96> <pcomp> <accomp>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x73850649> <pcomp> <accomp> <callback CBCP>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1bdc7d96> <pcomp> <accomp>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x73850649> <pcomp> <accomp>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x73850649> <pcomp> <accomp>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [LCP EchoReq id=0x0 magic=0x1bdc7d96]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [CHAP Challenge id=0x18 <f7ec1620075266e102f103ddfb989f86>, name = "l2tpd"]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP Ident id=0x2 magic=0x73850649 "MSRASV5.20"]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP Ident id=0x3 magic=0x73850649 "MSRAS-0-LAPTOP-BBK"]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP Ident id=0x4 magic=0x73850649 "\37777777626\023?\37777777630\37777777625mPH\37777777671\37777777643D\37777777765\37777777773\027\001\37777777612"]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [LCP EchoRep id=0x0 magic=0x73850649]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [CHAP Response id=0x18 <de5861c0f4009dc81e025457924a91a80000000000000000b2f777b87d2e6f9080658f8695a93ecdf7f76bea2d6ccf6800>, name = "francesco"]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [CHAP Success id=0x18 "S=469AE82D1A5BB2133DA584D684BA3DD3698DF8D1 M=Access granted"]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [IPV6CP ConfReq id=0x5 <addr fe80::1014:1fd1:5e08:301a>]
Oct  1 14:26:52 lanmaster pppd[2342]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Oct  1 14:26:52 lanmaster pppd[2342]: sent [LCP ProtRej id=0x2 80 57 01 05 00 0e 01 0a 10 14 1f d1 5e 08 30 1a]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [CCP ConfReq id=0x6 <mppe +H -M -S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [CCP ConfNak id=0x6 <mppe +H -M +S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [IPCP TermAck id=0x7]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [CCP ConfReq id=0x8 <mppe +H -M +S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [CCP ConfAck id=0x8 <mppe +H -M +S -L -D -C>]
Oct  1 14:26:52 lanmaster pppd[2342]: MPPE 128-bit stateless compression enabled
Oct  1 14:26:52 lanmaster pppd[2342]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.101.26>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Oct  1 14:26:52 lanmaster pppd[2342]: sent [IPCP ConfReq id=0x2 <addr 192.168.101.26>]
Oct  1 14:26:52 lanmaster pppd[2342]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.101.26>]
Oct  1 14:26:54 lanmaster pppd[2342]: rcvd [IPCP ConfReq id=0x9 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
Oct  1 14:26:54 lanmaster pppd[2342]: sent [IPCP ConfRej id=0x9 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
Oct  1 14:26:54 lanmaster pppd[2342]: rcvd [IPCP ConfReq id=0xa <addr 0.0.0.0>]
Oct  1 14:26:54 lanmaster pppd[2342]: sent [IPCP ConfNak id=0xa <addr 192.168.101.200>]
Oct  1 14:26:54 lanmaster pppd[2342]: rcvd [IPCP ConfReq id=0xb <addr 192.168.101.200>]
Oct  1 14:26:54 lanmaster pppd[2342]: sent [IPCP ConfAck id=0xb <addr 192.168.101.200>]
Oct  1 14:26:54 lanmaster pppd[2342]: found interface eth0 for proxy arp
Oct  1 14:26:54 lanmaster pppd[2342]: local  IP address 192.168.101.26
Oct  1 14:26:54 lanmaster pppd[2342]: remote IP address 192.168.101.200
Oct  1 14:26:54 lanmaster pppd[2342]: Script /etc/ppp/ip-up started (pid 2362)
Oct  1 14:26:54 lanmaster pppd[2342]: Script /etc/ppp/ip-up finished (pid 2362), status = 0x0
Oct  1 14:26:54 lanmaster dnsmasq-dhcp[1164]: DHCPINFORM(ppp0) 192.168.101.200 00:33:a9:52:3d:30:f0:34:40:bc:8e:63:24:56:ff:aa:1e
Oct  1 14:26:54 lanmaster dnsmasq-dhcp[1164]: DHCPACK(ppp0) 192.168.101.200 00:33:a9:52:3d:30:f0:34:40:bc:8e:63:24:56:ff:aa:1e laptop-bbk

[-- Attachment #5: ppp.xl2tpd --]
[-- Type: application/octet-stream, Size: 332 bytes --]

name l2tpd
auth
crtscts
hide-password
modem
#debug
#dump

proxyarp
nodefaultroute

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

nobsdcomp
# The following doesn't work
require-mppe-128
#nomppe

lcp-echo-interval 30
lcp-echo-failure 4

# Tweak
#mtu 1280 # ipv6 minimum
#mru 1280
mtu 1400
mru 1400
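As an added illustration that is not part of the original post or of pppd itself: a small Python check that scans pppd syslog lines for the burst of anonymous "Unsupported protocol 0x..." warnings quoted above, which is the corrupted state the author says PPP does not detect on its own, so an operator or watchdog can reset the link. Named rejections such as IPV6CP are ordinary negotiation and are ignored; the sample lines are copied from the post's logs, and the window, threshold and function names are assumptions of this example.

```python
import re
from datetime import datetime

# Two shapes of the warning that appear in the post's pppd logs:
#   "Unsupported protocol 0xa1 received"                             -> anonymous number
#   "Unsupported protocol 'IPv6 Control Protocol' (0x8057) received" -> protocol pppd can name
UNSUPPORTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pppd\[(?P<pid>\d+)\]: "
    r"Unsupported protocol (?:'(?P<name>[^']*)' \()?(?P<proto>0x[0-9a-f]+)\)? received",
    re.IGNORECASE,
)

# Sample input, copied from the logs in the post (year assumed, syslog omits it).
SAMPLE_LOG = """\
Oct  1 14:26:52 lanmaster pppd[2342]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Oct  1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0xa1 received
Oct  1 14:18:55 lanmaster pppd[1977]: Unsupported protocol 0x36f4 received
Oct  1 14:18:56 lanmaster pppd[1977]: Unsupported protocol 0xda76 received
""".splitlines()

def parse_ts(ts: str, year: int = 2014) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def well_formed(proto: int) -> bool:
    """RFC 1661: the low octet of a PPP protocol number must be odd and the
    high octet even. Values like 0x36f4 cannot be a real protocol field at all,
    which is consistent with undecryptable (garbage) payload, not a new protocol."""
    return (proto & 0x1) == 1 and ((proto >> 8) & 0x1) == 0

def suspicious_events(lines):
    """(timestamp, pid, proto, well_formed) for every anonymous unsupported-protocol
    warning; warnings for protocols pppd can name are normal negotiation noise."""
    out = []
    for line in lines:
        m = UNSUPPORTED_RE.search(line)
        if not m or m.group("name"):
            continue
        proto = int(m.group("proto"), 16)
        out.append((parse_ts(m.group("ts")), m.group("pid"), proto, well_formed(proto)))
    return out

def detect_corruption(lines, window_s=10, threshold=3):
    """Return the set of pppd pids with >= threshold anonymous warnings inside any
    window_s-second window: the signature of a link whose MPPE state has desynced."""
    by_pid = {}
    for ts, pid, _proto, _ok in suspicious_events(lines):
        by_pid.setdefault(pid, []).append(ts)
    flagged = set()
    for pid, stamps in by_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pid)
                break
    return flagged
```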

Thread overview: 4+ messages
2014-10-08 21:16 Francesco Pretto [this message]
2014-10-08 22:53 ` PPP connection corruption with Windows client, MPPE, and RDP Michael Richardson
2014-10-09  0:10 ` Francesco Pretto
2014-10-09 14:20 ` Michael Richardson