Mikrotik -> Linux xl2tp fails to negotiate mppe

ucs75 · May 2, 2014, 10:40pm

I’ve spent hours on this now and made very little headway.

If I ‘require’ Encryption on the MT Client, the resulting pppd log shows:

...
May  2 17:29:01 ubuntu pppd[1367]: rcvd [LCP TermReq id=0x18 "Encryption negotiation rejected\000"]
May  2 17:29:01 ubuntu pppd[1367]: LCP terminated by peer (Encryption negotiation rejected^@)
...

If I set Encryption to ‘yes’ instead, the resulting log is a bit more forthcoming:

May  2 17:36:13 ubuntu pppd[1433]: pppd 2.4.5 started by root, uid 0
May  2 17:36:13 ubuntu pppd[1433]: using channel 9
May  2 17:36:13 ubuntu pppd[1433]: Using interface ppp0
May  2 17:36:13 ubuntu pppd[1433]: Connect: ppp0 <--> /dev/pts/1
May  2 17:36:13 ubuntu pppd[1433]: sent [LCP ConfReq id=0x1 <mru 1460> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1aa1971c> <pcomp> <accomp>]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [LCP ConfReq id=0x1b <mru 1460> <magic 0x7e89f023>]
May  2 17:36:13 ubuntu pppd[1433]: sent [LCP ConfAck id=0x1b <mru 1460> <magic 0x7e89f023>]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
May  2 17:36:13 ubuntu pppd[1433]: sent [LCP ConfReq id=0x2 <mru 1460> <auth chap MS-v2> <magic 0x1aa1971c>]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [LCP ConfAck id=0x2 <mru 1460> <auth chap MS-v2> <magic 0x1aa1971c>]
May  2 17:36:13 ubuntu pppd[1433]: sent [LCP EchoReq id=0x0 magic=0x1aa1971c]
May  2 17:36:13 ubuntu pppd[1433]: sent [CHAP Challenge id=0x63 <f4e2d3637a9c93bd673cd173db6baa5c>, name = "ubuntu"]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [LCP EchoRep id=0x0 magic=0x7e89f023]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [CHAP Response id=0x63 <614ad88dff48e754689ef98d2d8e64da000000000000000059fca8d79550ffc69a115fd357a5a536c219356b02d1fa4b00>, name = "**********"]
May  2 17:36:13 ubuntu pppd[1433]: sent [CHAP Success id=0x63 "S=5B29B1607747F8064C382E4F575C977393B597A1 M=Access granted"]
May  2 17:36:13 ubuntu pppd[1433]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.254.254.1>]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [IPCP ConfReq id=0x0 <addr 0.0.0.0> <compress VJ 0f 01>]
May  2 17:36:13 ubuntu pppd[1433]: sent [IPCP ConfNak id=0x0 <addr 10.254.254.20>]

*************** (Added for emphasis) ****************

May  2 17:36:13 ubuntu pppd[1433]: rcvd [CCP ConfReq id=0x67 <mppe +H -M +S +L -D -C>]
May  2 17:36:13 ubuntu pppd[1433]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received[/b]
May  2 17:36:13 ubuntu pppd[1433]: sent [LCP ProtRej id=0x3 80 fd 01 67 00 0a 12 06 01 00 00 60]

*************** (Added for emphasis) ****************

May  2 17:36:13 ubuntu pppd[1433]: rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 10.254.254.1>]
May  2 17:36:13 ubuntu pppd[1433]: rcvd [IPCP ConfReq id=0x1 <addr 10.254.254.20> <compress VJ 0f 01>]
May  2 17:36:13 ubuntu pppd[1433]: sent [IPCP ConfAck id=0x1 <addr 10.254.254.20> <compress VJ 0f 01>]
May  2 17:36:13 ubuntu pppd[1433]: Cannot determine ethernet address for proxy ARP
May  2 17:36:13 ubuntu pppd[1433]: local  IP address 10.254.254.1
May  2 17:36:13 ubuntu pppd[1433]: remote IP address 10.254.254.20
May  2 17:36:13 ubuntu pppd[1433]: Script /etc/ppp/ip-up started (pid 1436)
May  2 17:36:13 ubuntu pppd[1433]: Script /etc/ppp/ip-up finished (pid 1436), status = 0x0

My pppd (ver 2.4.5 on Ubuntu 12.04) related options for l2tp are:

ipcp-accept-local
ipcp-accept-remote
noccp
mtu 1460
mru 1460
debug
nodefaultroute
lock
proxyarp
connect-delay 5000
require-mschap-v2
nomppe-stateful
require-mppe

And I’ve verified that the required loadable modules don’t error on manual modprobe.

So I’m at the point where I’m thinking something is incompatible between these two implementations, and looking for some much needed advice. I can connect without mppe, but I want to use it in lieu of IPSec which would consume much higher cpu overhead on a large number of concurrent streams. I don’t need bullet-proof encryption for the application – and this SHOULD work!

So why doesn’t it?

ucs75 · May 3, 2014, 1:24am

Update:

I found one problem in my config. I had noccp set in the pppd config, blocking mppe from being supported.

So now it’s coming up but telling me that the Mikrotik is failing to negotiate.

May  2 20:18:06 ubuntu pppd[1791]: rcvd [CCP ConfReq id=0x84 <mppe +H -M +S +L -D -C>]
May  2 20:18:06 ubuntu pppd[1791]: sent [CCP ConfNak id=0x84 <mppe +H -M +S -L -D -C>]
May  2 20:18:06 ubuntu pppd[1791]: rcvd [LCP ProtRej id=0x68 80 fd 01 01 00 0a 12 06 01 00 00 60]
May  2 20:18:06 ubuntu pppd[1791]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
May  2 20:18:06 ubuntu pppd[1791]: MPPE required but peer negotiation failed
May  2 20:18:06 ubuntu pppd[1791]: sent [LCP TermReq id=0x3 "MPPE required but peer negotiation failed"]
May  2 20:18:06 ubuntu pppd[1791]: rcvd [LCP TermAck id=0x3]
May  2 20:18:06 ubuntu pppd[1791]: Connection terminated.

The NACK is for “-L” i.e. Server will not do 40-Bit.
This should not be a problem as the +S (128-bit) is in agreement – as are all other options.

So why is MT not responding with a new, matching Request and establishing the tunnel?

ucs75 · May 3, 2014, 2:03am

Well, I’m glad I could have this conversation with myself!

Hope this helps someone in the future…

RouterOS Version was the problem.
The trouble occurred on v5.24

So RouterOS v5.24 has a serious bug in the l2tp client, which prevents it from negotiating mppe encryption is a perfect match is not had on the very first attempt.

I tested on a 6.5 and it worked perfectly.

May  2 21:00:09 ubuntu pppd[2714]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: rcvd [IPCP ConfReq id=0x4 <addr 0.0.0.0>]
May  2 21:00:09 ubuntu pppd[2714]: sent [IPCP TermAck id=0x4]
May  2 21:00:09 ubuntu pppd[2714]: rcvd [CCP ConfReq id=0x3 <mppe +H -M +S +L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: sent [CCP ConfNak id=0x3 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: rcvd [CCP ConfReq id=0x4 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: sent [CCP ConfAck id=0x4 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: rcvd [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
May  2 21:00:09 ubuntu pppd[2714]: MPPE 128-bit stateless compression enabled

nashon · April 29, 2018, 8:58pm

Unfortunately now it does not work for me.

RouterBOARD 962UiGS-5HacT2HnT
Current firmware: 6.42.1

The Mikrotik can not establish a connection with mppe encryption (w/o IPSEC, because it is very difficult in our case to redirect the entire local network to the Internet through a third-party gateway, to circumvent censorship in our country ). I spent almost all day today. Believe me, I just did not do with the config server and profile settings in Microtics. Including led config server to the form above.

Apr 29 23:34:46 host pppd[15876]: MPPE required but peer negotiation failed
...
Apr 29 23:34:46 host xl2tpd[15718]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Apr 29 23:34:46 host xl2tpd[15718]: Connection 1514 closed to xx.xx.xx.xx, port 1701 (Result Code: expected at least 10, got 8)

CentOS Linux 6.9
Kernel and CPU Linux 2.6.32-696.23.1.el6.x86_64 on x86_64

Plugin pppol2tp.so loaded. (was checked including without him)

xl2tpd version: xl2tpd-1.3.8
pppd version 2.4.5

Is there any hope that this will be repaired for Microtics? For example, a connection with the encryption requirement, on the same server with the same parameters from the Windows client passes without problems.

p.s.
From Windows just now, on the current server config:

Apr 30 00:11:28 host xl2tpd[16226]: Call established with xx.xx.xx.xx, Local: 18539, Remote: 1, Serial: 0
Apr 30 00:11:28 host pppd[16331]: Plugin pppol2tp.so loaded.
Apr 30 00:11:28 host pppd[16331]: pppd 2.4.5 started by root, uid 0
Apr 30 00:11:28 host pppd[16331]: Using interface ppp0
Apr 30 00:11:28 host pppd[16331]: Connect: ppp0 <-->
Apr 30 00:11:28 host pppd[16331]: Overriding mtu 1500 to 1450
Apr 30 00:11:28 host pppd[16331]: Overriding mru 1500 to mtu value 1450
Apr 30 00:11:28 host pppd[16331]: MPPE 128-bit stateless compression enabled
Apr 30 00:11:30 host pppd[16331]: Cannot determine ethernet address for proxy ARP
Apr 30 00:11:30 host pppd[16331]: local  IP address 10.99.96.1
Apr 30 00:11:30 host pppd[16331]: remote IP address 10.99.96.12

From Microtics does not work.