Bug 1570457 - NetworkManager adds parameters breaking connection when editing VPN
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-l2tp
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Douglas Kosovic
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-04-23 00:57 UTC by Erik Indresovde
Modified: 2018-06-11 03:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-10 14:38:15 UTC
Type: Bug



Description Erik Indresovde 2018-04-23 00:57:48 UTC
Description of problem:
When editing PPP settings of an existing VPN connection, NetworkManager adds refuse-chap=yes to the config file, resulting in a non-working connection.

Version-Release number of selected component (if applicable):
1.10.6-2.fc28


How reproducible:
1. Create L2TP VPN connection with NetworkManager. 

2. config file contains:
[vpn]
gateway=no.hma.rocks
ipsec-enabled=yes
ipsec-psk=xxxx
mppe-stateful=yes
mru=1460
mtu=1460
no-vj-comp=yes
noaccomp=yes
nobsdcomp=yes
nodeflate=yes
nopcomp=yes
password-flags=1
require-mppe-128=yes
user=xxxx
service-type=org.freedesktop.NetworkManager.l2tp
 
3. Use NetworkManager to edit PPP parameters (e.g. changing MTU values).

4. Config file now has 3 additional lines breaking chap:
refuse-chap=yes
refuse-eap=yes
refuse-pap=yes

Removing the 3 added refuse-lines and restarting NetworkManager fixes the issue.

Comment 1 Erik Indresovde 2018-04-23 01:12:57 UTC
Since the connection is supposed to only have MSCHAP and MSCHAPv2, I'm not sure why these 3 lines make a difference, but as soon as I remove them, the connection works again.

Comment 2 Douglas Kosovic 2018-04-24 11:37:41 UTC
Changed component to NetworkManager-l2tp as it is not NetworkManager that is generating the L2TP config file.

Extract from pppd man page ( https://ppp.samba.org/pppd.html ) :

refuse-chap
    With this option, pppd will not agree to authenticate itself to the peer using CHAP. 
refuse-eap
    With this option, pppd will not agree to authenticate itself to the peer using EAP.
refuse-pap
    With this option, pppd will not agree to authenticate itself to the peer using PAP.

Those 3 pppd config lines are generated after CHAP, EAP and PAP are unticked in the NetworkManager-l2tp PPP Options dialog box.

I'm not able to reproduce the issue with those 3 lines on Fedora 28 with 3 different L2TP/IPsec VPN servers I just tested against.

Is there any useful debugging output in the journalctl output? 
https://github.com/nm-l2tp/network-manager-l2tp#debugging

Comment 3 Douglas Kosovic 2018-06-11 03:12:00 UTC
Forgot to mention.

Sometimes MSCHAP and MSCHAPv2 authentication options require the "NT Domain" (i.e. Windows Domain) field to be filled in, while the other auth options don't. So they can fail if "NT Domain" is not filled in, but other auth options succeed.
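
A check for the refuse-* lines discussed in this thread, added here as an example and not taken from the report or from the NetworkManager-l2tp project: it reads the [vpn] section of a connection keyfile, lists which PPP authentication methods are still enabled, and flags combinations that cannot work or that weaken the login. The two sample configs are constructed from the one in the description (placeholder gateway); refuse-mschap and refuse-mschapv2 are the plugin's keys for the two checkboxes the report does not quote.

```python
import configparser

# [vpn] keys that untick each PPP authentication method in NetworkManager-l2tp.
# refuse-chap/-eap/-pap are quoted in this report; refuse-mschap and
# refuse-mschapv2 are the plugin's keys for the other two checkboxes.
REFUSE_KEYS = {"PAP": "refuse-pap", "CHAP": "refuse-chap", "MSCHAP": "refuse-mschap",
               "MSCHAPv2": "refuse-mschapv2", "EAP": "refuse-eap"}

def vpn_section(keyfile_text):
    """Return the [vpn] section of a NetworkManager keyfile as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(keyfile_text)
    return dict(cp["vpn"]) if cp.has_section("vpn") else {}

def is_yes(value):
    return value.strip().lower() == "yes"

def allowed_auth_methods(keyfile_text):
    """Methods pppd may still use, i.e. those without refuse-<method>=yes."""
    vpn = vpn_section(keyfile_text)
    return [m for m, key in REFUSE_KEYS.items() if not is_yes(vpn.get(key, "no"))]

def review(keyfile_text):
    """Return a list of findings for the authentication settings."""
    vpn = vpn_section(keyfile_text)
    allowed = allowed_auth_methods(keyfile_text)
    findings = []
    if not allowed:
        findings.append("all methods refused: pppd cannot authenticate to the peer")
    if "PAP" in allowed:
        findings.append("PAP allowed: the password goes to the peer in clear text")
    # pppd man page: MPPE only comes up after MS-CHAP or MS-CHAPv2 authentication.
    wants_mppe = any(k.startswith("require-mppe") and is_yes(v) for k, v in vpn.items())
    if wants_mppe and not {"MSCHAP", "MSCHAPv2"} & set(allowed):
        findings.append("MPPE required but MSCHAP and MSCHAPv2 are both refused")
    return findings

# Constructed samples: the report's config (trimmed) before and after step 4.
BEFORE = "[vpn]\ngateway=vpn.example.test\nrequire-mppe-128=yes\nmtu=1460\n"
AFTER = BEFORE + "refuse-chap=yes\nrefuse-eap=yes\nrefuse-pap=yes\n"
# Constructed failure case: MPPE demanded with both MS-CHAP variants unticked.
NO_MSCHAP = BEFORE + "refuse-pap=yes\nrefuse-mschap=yes\nrefuse-mschapv2=yes\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("no-mschap", NO_MSCHAP)):
        print(name, allowed_auth_methods(text), review(text))
```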

