Bug 1570457

Summary: NetworkManager adds parameters breaking connection when editing VPN
Product: [Fedora] Fedora
Reporter: Erik Indresovde <erikindre>
Component: NetworkManager-l2tp
Assignee: Douglas Kosovic <doug>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 28
CC: alexl, bgalvani, code, dcbw, doug, drizt72, fgiudici, john.j5live, lkundrak, mclasen, rhughes, rstrode, sandmann
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-06-10 14:38:15 UTC
Type: Bug

Description Erik Indresovde 2018-04-23 00:57:48 UTC
Description of problem:
When editing the PPP settings of an existing VPN connection, NetworkManager adds refuse-chap=yes to the config file, resulting in a non-working connection.

Version-Release number of selected component (if applicable):
1.10.6-2.fc28


How reproducible:
1. Create L2TP VPN connection with NetworkManager. 

2. Config file contains:
[vpn]
gateway=no.hma.rocks
ipsec-enabled=yes
ipsec-psk=xxxx
mppe-stateful=yes
mru=1460
mtu=1460
no-vj-comp=yes
noaccomp=yes
nobsdcomp=yes
nodeflate=yes
nopcomp=yes
password-flags=1
require-mppe-128=yes
user=xxxx
service-type=org.freedesktop.NetworkManager.l2tp
 
3. Use NetworkManager to edit PPP parameters (e.g. changing MTU values).

4. Config file now has 3 additional lines breaking chap:
refuse-chap=yes
refuse-eap=yes
refuse-pap=yes

Removing the 3 added refuse-lines and restarting NetworkManager fixes the issue.

Comment 1 Erik Indresovde 2018-04-23 01:12:57 UTC
Since the connection is supposed to only have MSCHAP and MSCHAPv2, I'm not sure why these 3 lines make a difference, but as soon as I remove them, the connection works again.

Comment 2 Douglas Kosovic 2018-04-24 11:37:41 UTC
Changed component to NetworkManager-l2tp as it is not NetworkManager that is generating the L2TP config file.

Extract from the pppd man page (https://ppp.samba.org/pppd.html):

refuse-chap
    With this option, pppd will not agree to authenticate itself to the peer using CHAP. 
refuse-eap
    With this option, pppd will not agree to authenticate itself to the peer using EAP.
refuse-pap
    With this option, pppd will not agree to authenticate itself to the peer using PAP.

Those 3 pppd config lines are generated after CHAP, EAP and PAP are unticked in the NetworkManager-l2tp PPP Options dialog box.

I'm not able to reproduce the issue with those 3 lines on Fedora 28 with 3 different L2TP/IPsec VPN servers I just tested against.

Is there any useful debugging output in the journalctl output? 
https://github.com/nm-l2tp/network-manager-l2tp#debugging

Comment 3 Douglas Kosovic 2018-06-11 03:12:00 UTC
Forgot to mention.

Sometimes MSCHAP and MSCHAPv2 authentication options require the "NT Domain" (i.e. Windows Domain) field to be filled in, while the other auth options don't. So they can fail if "NT Domain" is not filled in, but the other auth options succeed.
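
A way to check what an edit did to a connection before reconnecting, as an added example (not code from NetworkManager-l2tp or from the commenters above): it diffs the [vpn] section of a keyfile before and after the edit and lists the methods that the refuse-* keys tell pppd to decline. The "after" text and its mtu value are constructed from the steps in the description, and the function names are hypothetical.

```python
import configparser

# refuse-* keys named in this report and the method each tells pppd to decline.
REFUSE_KEYS = {"refuse-chap": "CHAP", "refuse-eap": "EAP", "refuse-pap": "PAP"}

# [vpn] section as posted in the description (secrets already masked there).
BEFORE = """[vpn]
gateway=no.hma.rocks
ipsec-enabled=yes
ipsec-psk=xxxx
mppe-stateful=yes
mru=1460
mtu=1460
no-vj-comp=yes
noaccomp=yes
nobsdcomp=yes
nodeflate=yes
nopcomp=yes
password-flags=1
require-mppe-128=yes
user=xxxx
service-type=org.freedesktop.NetworkManager.l2tp
"""

# Constructed "after" state: one MTU edit (value made up) plus the three added lines.
AFTER = BEFORE.replace("mtu=1460", "mtu=1400") + (
    "refuse-chap=yes\nrefuse-eap=yes\nrefuse-pap=yes\n")

def vpn_section(keyfile_text):
    """Return the [vpn] section of a keyfile as a dict (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(keyfile_text)
    return dict(parser["vpn"]) if parser.has_section("vpn") else {}

def diff_vpn(before_text, after_text):
    """Compare two versions of a connection and summarise what the edit did."""
    before, after = vpn_section(before_text), vpn_section(after_text)
    return {
        "added": {k: v for k, v in after.items() if k not in before},
        "removed": sorted(k for k in before if k not in after),
        "changed": {k: (before[k], after[k])
                    for k in before if k in after and before[k] != after[k]},
        "refused": sorted(REFUSE_KEYS[k] for k, v in after.items()
                          if k in REFUSE_KEYS and v.strip().lower() == "yes"),
    }

if __name__ == "__main__":
    for name, value in diff_vpn(BEFORE, AFTER).items():
        print(f"{name}: {value}")
```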