Community discussions

MikroTik App
  4. RouterOS
  5. General

No ppp connection to RouterOS

Post Reply
 
peterdoo
just joined
Topic Author
Posts: 5
Joined: Mon Apr 11, 2011 3:32 pm

No ppp connection to RouterOS

Mon Apr 11, 2011 4:16 pm

I am not able to connect to Mikrotik (RouterOS 5.0) from some other clients via L2TP. There might be a problem in RouterOS implementation of ppp that seems not to be RFC conform.

Mikrotik ppp server seems to start sending IPCP and other packets of the Network-Layer Protocol phase before the Callback phase (CBCP) of ppp is finished.

As far as I could see, RFC 1332 instructs: "IPCP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase. IPCP packets received before this phase is reached should be silently discarded."

The order according to RFC would be someting like this:

LCP/Authentication (the part until "sent PAP AuthAck" or "sent CHAP Success").
CBCP (CBCP CallbackReq, CBCP CallbackResp, CBCP CallbackAck).
Network-Layer Protocol phase (IPCP, IPV6CP,MPLSCP,...).

As you will see in the log above, Mikrotik does not wait to receive "CBCP CallbackResp" and sends "CBCP CallbackAck" before sending IPCP and other Network-Layer Protocol packets, but instead immediatelly starts sending IPCP and the rest. Client correctly ignores that packets according to RFC and therefore cannot establish the IP parameters of the link.

This means that ppp connection cannot be established to Mikrotik when a client sends <callback 0x06> as part of LCP ConfReq. There seem to be some cases where the connection ant the client are fast enough in order for "CBCP CallbackResp" and "CBCP CallbackAck" packets to be sent before Mikrotik sends the first IPCP packet. In such a case a connection is established. Also in the cases where the client does not send <callback 0x06>, the connection is established as in that case there is no CBCP phase. Probably there are also non RFC conform clients that accept IPCP packets before CBCP phase is finished and can establish the connection.

Unfortunatelly many clients today send <callback 0x06> as part of LCP ConfReq even when no callback is configured (Windows 2008, Windows 7), making it impossible to connect to Mikrotik ppp server.

Here is my example of a non working connection:
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: rcvd CHAP Response id=0x1
l2tp,ppp,debug,packet vpn-: <response len=31>
l2tp,ppp,debug,packet vpn-: <name Site1ToRB>
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent CHAP Success id=0x1
l2tp,ppp,debug,packet vpn-: S=24490415F9665BB643C12259A5B8179B76D7FF12
l2tp,ppp,debug,packet vpn-: <188.1.1.2>: sent CBCP CallbackReq id=0x0
l2tp,ppp,debug,packet ppp-: 01 02
l2tp,ppp,info ppp-: l2tp-in-site2: authenticated

l2tp,ppp,debug ppp-: <x.x.x.x>: IPCP lowerup <<<<< this should not start after CBCP phase finishes (if CBCP phase agreed in LCN)
l2tp,ppp,debug ppp-: <x.x.x.x>: IPCP open
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: sent IPCP ConfReq id=0x1
l2tp,ppp,debug,packet ppp-: <addr 0.0.0.0>
l2tp,ppp,debug vpn-: <x.x.x.x>: IPV6CP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: IPV6CP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent IPV6CP ConfReq id=0x1
l2tp,ppp,debug,packet vpn-: <interface-identifier 0:0:0:4c>
l2tp,ppp,debug vpn-: <x.x.x.x>: MPLSCP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: MPLSCP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent MPLSCP ConfReq id=0x1
l2tp,ppp,debug vpn-: <x.x.x.x>: BCP open
l2tp,ppp,debug vpn-: <x.x.x.x>: CCP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: CCP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent CCP ConfReq id=0x1
l2tp,ppp,debug,packet vpn-: <mppe 1000060>
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: rcvd CBCP CallbackResp id=0x0
l2tp,ppp,debug,packet ppp-: 01 02
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: sent CBCP CallbackAck id=0x1 <<<<< CBCP phase finishes here
l2tp,ppp,debug,packet ppp-: 01 02


The correct sequence would be in my opinion:
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: rcvd CHAP Response id=0x1
l2tp,ppp,debug,packet vpn-: <response len=31>
l2tp,ppp,debug,packet vpn-: <name Site1ToRB>
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent CHAP Success id=0x1
l2tp,ppp,debug,packet vpn-: S=24490415F9665BB643C12259A5B8179B76D7FF12
l2tp,ppp,debug,packet vpn-: <188.1.1.2>: sent CBCP CallbackReq id=0x0
l2tp,ppp,debug,packet ppp-: 01 02
l2tp,ppp,info ppp-: l2tp-in-site2: authenticated
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: rcvd CBCP CallbackResp id=0x0
l2tp,ppp,debug,packet ppp-: 01 02
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: sent CBCP CallbackAck id=0x1 <<<<< CBCP phase finishes here
l2tp,ppp,debug,packet ppp-: 01 02

l2tp,ppp,debug ppp-: <x.x.x.x>: IPCP lowerup <<<<< Network-Layer Protocol phase starts here
l2tp,ppp,debug ppp-: <x.x.x.x>: IPCP open
l2tp,ppp,debug,packet ppp-: <x.x.x.x>: sent IPCP ConfReq id=0x1
l2tp,ppp,debug,packet ppp-: <addr 0.0.0.0>
l2tp,ppp,debug vpn-: <x.x.x.x>: IPV6CP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: IPV6CP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent IPV6CP ConfReq id=0x1
l2tp,ppp,debug,packet vpn-: <interface-identifier 0:0:0:4c>
l2tp,ppp,debug vpn-: <x.x.x.x>: MPLSCP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: MPLSCP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent MPLSCP ConfReq id=0x1
l2tp,ppp,debug vpn-: <x.x.x.x>: BCP open
l2tp,ppp,debug vpn-: <x.x.x.x>: CCP lowerup
l2tp,ppp,debug vpn-: <x.x.x.x>: CCP open
l2tp,ppp,debug,packet vpn-: <x.x.x.x>: sent CCP ConfReq id=0x1
l2tp,ppp,debug,packet vpn-: <mppe 1000060>


I hope that Mikrotik can fix this problem soon.
Top
Post Reply

Who is online

Users browsing this forum: MauriceW and 102 guests
  4. RouterOS
  5. General