New Member
Posts: 2
Registered: ‎09-12-2018

Android disconnects from L2TP/IPSec VPN

I have configured a VPN server on my new EdgeRouter.

My Linux PC has no problems, but my Android phone will not stay connected for more than a few minutes.

From my Linux PC I get these log messages:

pppd[23527]: remote IP address 192.168.2.100
pppd[23527]: local IP address 10.255.255.0
pppd[23527]: Cannot determine ethernet address for proxy ARP
pppd[23527]: Connect: ppp0 <-->
pppd[23527]: pppd 2.4.4 started by root, uid 0
xl2tpd[2510]: Call established with 129.142.xxx.xxx, PID: 23527, Local: 15244, Remote: 48613, Serial: 1
xl2tpd[2510]: Connection established to 129.142.xxx.xxx, 49478. Local: 8080, Remote: 13861 (ref=0/0). LNS session is 'default'

From my Android phone I get these log-messages:

 

pppd[21484]: Modem hangup
pppd[21484]: Connection terminated: no multilink.
xl2tpd[2510]: Maximum retries exceeded for tunnel 21110. Closing.
pppd[21484]: remote IP address 192.168.2.100
pppd[21484]: local IP address 10.255.255.0
pppd[21484]: Cannot determine ethernet address for proxy ARP
pppd[21484]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
pppd[21484]: Connect: ppp0 <-->
pppd[21484]: pppd 2.4.4 started by root, uid 0
xl2tpd[2510]: Call established with 129.142.xxx.xxx, PID: 21484, Local: 48533, Remote: 51583, Serial: -1676132061
xl2tpd[2510]: Connection established to 129.142.xxx.xxx, 39979. Local: 21110, Remote: 21032 (ref=0/0). LNS session is 'default'

I don't know what

Unsupported protocol 'Compression Control Protocol' (0x80fd) received

refers to, although I've been reading about it in other forum posts.

Here is my config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.0.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description VPN-nas
        forward-to {
            address 192.168.1.106
        }
        original-port 1194
        protocol udp
    }
    rule 2 {
        description SMTP
        forward-to {
            address 192.168.1.129
        }
        original-port 25
        protocol tcp
    }
    rule 3 {
        description SSMTP
        forward-to {
            address 192.168.1.129
        }
        original-port 465
        protocol tcp
    }
    rule 4 {
        description IMAPS
        forward-to {
            address 192.168.1.129
        }
        original-port 993
        protocol tcp
    }
    rule 5 {
        description TVH
        forward-to {
            address 192.168.1.127
        }
        original-port 9981-9982
        protocol tcp_udp
    }
    rule 6 {
        description Deluge
        forward-to {
            address 192.168.1.127
        }
        original-port 16881-16891
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name workgroup.lan
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.149
                }     
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth3
            listen-on l2tp0
            name-server 8.8.8.8
            name-server 8.8.4.4
            options listen-address=192.168.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name workgroup.lan
    host-name gatekeeper
    ip {
        override-hostname-ip 192.168.1.1
    }
    login {
        user skumposen {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host bravo95 {
            facility all {
                level err
            }
        }
    }
    time-zone Europe/Copenhagen
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 192.168.1.1/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xxxxxxxx {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.2.100
                stop 192.168.2.110
            }
            dhcp-interface eth0
            dns-servers {
                server-1 192.168.1.1
                server-2 8.8.8.8
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
        }
    }
}

I hope someone can help me debug the issue and guide me through to a fully functional VPN.

 

Best regards

 

Christian

New Member
Posts: 6
Registered: ‎04-18-2016

Re: Android disconnects from L2TP/IPSec VPN

Having the same issue.

Using ONE+6, latest version of Android OS.

VPN connects and is usable for around 60 sec, then drops out.

New Member
Posts: 4
Registered: ‎07-24-2018

Re: Android disconnects from L2TP/IPSec VPN

I too just switched to One Plus 6t and have the same problem. I have two L2TP servers running at different locations and found these to randomly disconnect from the phone. From my experience, rebuilding this server "may" correct this, but I don't believe this is the issue. I'm thinking this may be a power setting or configuration in the phone.


@MattLoveITVI wrote:

Having the same issue.

Using ONE+6, latest version of Android OS.

VPN connects and is usable for around 60 sec, then drops out.


 

New Member
Posts: 4
Registered: ‎07-24-2018

Re: Android disconnects from L2TP/IPSec VPN

I confirmed PPTP does not disconnect. It may have something to do with encryption in L2TP.

New Member
Posts: 2
Registered: ‎09-12-2018

Re: Android disconnects from L2TP/IPSec VPN


Thanks for replying, and sharing your experience.

 

After digging around the OnePlus forum, I've found this post, which makes me think it's an issue with the OnePlus kernel?

 

https://forums.oneplus.com/threads/l2tp-ipsec-psk-vpn-is-getting-disconnected-automatically-after-30...

 

I need to test with another Android phone.

New Member
Posts: 8
Registered: ‎06-24-2018
Kudos: 4
Solutions: 2

Re: Android disconnects from L2TP/IPSec VPN

I have an OP5T, was able to get PPTP to work, but L2TP/IPsec never worked for me. I ended up setting up the OpenVPN server.

New Member
Posts: 4
Registered: ‎07-24-2018

Re: Android disconnects from L2TP/IPSec VPN

Update: I set the VPN to always on and it stayed connected to my remote L2TP server. 

Does anyone have input on their WireGuard experience?

I'm currently using an EdgeRouter 4 and have had great experiences with it so far.

New Member
Posts: 4
Registered: ‎07-24-2018

Re: Android disconnects from L2TP/IPSec VPN

I noticed your eth0 is DHCP. 

 

interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update

Are you using the external IP address? If this address changes, this would be a problem of course.

Also, try setting allowed networks to 0.0.0.0/0.

I believe this can correct some issues like this.
