Description of problem:
When editing PPP settings of existing VPN connection, NetworkManager adds refuse-chap=yes to config file resulting in a non-working connection.
Version-Release number of selected component (if applicable):
1. Create L2TP VPN connection with NetworkManager.
2. config file contains:
3. Use NetworkManager to edit PPP parameters (e.g changing MTU values).
4. Config file now has 3 additional lines breaking chap:
Removing the 3 added refuse-lines and restarting NetworkManager fixes issue.
Since the connection is supposed to only have MSCHAP and MSCHAPv2, I'm not sure why these 3 lines make a difference, but as soon as I remove them, the connection works again.
Changed component to NetworkManager-l2tp as it is not NetworkManager that is generating the L2TP config file.
Extract from pppd man page ( https://ppp.samba.org/pppd.html ) :
With this option, pppd will not agree to authenticate itself to the peer using CHAP.
With this option, pppd will not agree to authenticate itself to the peer using EAP.
With this option, pppd will not agree to authenticate itself to the peer using PAP.
Those 3 pppd config lines are generated after CHAP, EAP and PAP are unticked in the NetworkManager-l2tp PPP Options dialog box.
I'm not able to reproduce the issue with those 3 lines on Fedora 28 with 3 different L2TP/IPsec VPN servers I just tested against.
Is there any useful debugging output in the journalctl output?
Forgot to mention.
Sometimes MSCHAP and MSCHAPv2 authentication options require the "NT Domain" (i.e. Windows Domain) field to be filled in, while the other auth options don't. So can fail if "NT Domain" is not filled in, but other auth options succeed.