New Member
Accepted Solution

PPTP/L2TP Radius Problem

Hi all,

I have an issue connecting to my remote access VPN using authentication against the NPS role on Windows 2008. The configuration works fine with "mode local" and a statically created user. 

The same RADIUS settings (except the shared secret) were used with the old firewall.

The Windows 2008 event log shows the following messages:

Network Policy Server granted full access to a user because the host met the defined health policy.
&
Network Policy Server granted access to a user.

 The ERL on the other hand says:

Nov 18 19:56:32 veinaascrt01 pluto[17741]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 18 19:56:32 veinaascrt01 pluto[17741]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 18 19:56:32 veinaascrt01 pluto[17741]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 18 19:56:32 veinaascrt01 pluto[17741]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[25] xxx.xxx.xxx.xxx #29: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[25] xxx.xxx.xxx.xxx #29: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[25] xxx.xxx.xxx.xxx #29: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[25] xxx.xxx.xxx.xxx #29: Peer ID is ID_FQDN: 'XXXXXXXXXXXXX'
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx #29: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #29: sent MR3, ISAKMP SA established
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #30: IPSec Transform [3DES_CBC (192), HMAC_MD5] refused due to strict flag
Nov 18 19:56:32 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #30: responding to Quick Mode
Nov 18 19:56:32 veinaascrt01 kernel: cavium_delete_hndl : NULL Sa/SA Handle : with x a800000419af5400 x->sa_handle (null)
Nov 18 19:56:33 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #30: IPsec SA established {ESP=>0xccc031ed <0xc37f4c62 NATOA=10.0.60.10}
Nov 18 19:56:34 veinaascrt01 xl2tpd[18163]: Connection established to xxx.xxx.xxx.xxx, 1701.  Local: 51256, Remote: 13 (ref=0/0).  LNS session is 'default'
Nov 18 19:56:34 veinaascrt01 xl2tpd[18163]: Call established with xxx.xxx.xxx.xxx, Local: 29298, Remote: 1, Serial: 0
Nov 18 19:56:34 veinaascrt01 pppd[20320]: pppd 2.4.4 started by root, uid 0
Nov 18 19:56:34 veinaascrt01 zebra[436]: interface ppp1 index 34 <POINTOPOINT,NOARP,MULTICAST> added.
Nov 18 19:56:34 veinaascrt01 Keepalived_vrrp: Netlink: filter function error
Nov 18 19:56:34 veinaascrt01 pppd[20320]: Connect: ppp1 <--> /dev/pts/1
Nov 18 19:56:37 veinaascrt01 pppd[20320]: rc_check_reply: received invalid reply digest from RADIUS server
Nov 18 19:56:37 veinaascrt01 pppd[20320]: Peer XXX failed CHAP authentication
Nov 18 19:56:37 veinaascrt01 pppd[20320]: Modem hangup
Nov 18 19:56:37 veinaascrt01 pppd[20320]: Connection terminated: no multilink.
Nov 18 19:56:37 veinaascrt01 Keepalived_vrrp: Netlink: filter function error
Nov 18 19:56:37 veinaascrt01 zebra[436]: interface ppp1 index 34 deleted.
Nov 18 19:56:37 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #29: received Delete SA(0xccc031ed) payload: deleting IPSEC State #30
Nov 18 19:56:37 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500 #29: received Delete SA payload: deleting ISAKMP State #29
Nov 18 19:56:37 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[26] xxx.xxx.xxx.xxx:4500: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}

Same issue using PPTP or L2TP; firmware 1.2 or 1.3 doesn't matter. The Windows logs point towards an issue with the ERL.




All Replies
Previous Employee

Re: PPTP/L2TP Radius Problem


benno16 wrote:
Nov 18 19:56:37 veinaascrt01 pppd[20320]: rc_check_reply: received invalid reply digest from RADIUS server

This message could mean that the shared secret may not be matching on the two sides. Could you verify if that is the case?

New Member

Re: PPTP/L2TP Radius Problem

Nov 19 08:01:36 veinaascrt01 pluto[17741]: "remote-access-mac-zzz"[38] xxx.xxx.xxx.xxx #45: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet

This is the event log message I receive when using an incorrect preshared key. As stated: authentication with mode local is working fine and so is local with PPTP. Just RADIUS is misbehaving.

Previous Employee

Re: PPTP/L2TP Radius Problem


UBNT-ancheng wrote:

benno16 wrote:
Nov 18 19:56:37 veinaascrt01 pppd[20320]: rc_check_reply: received invalid reply digest from RADIUS server

This message could mean that the shared secret may not be matching on the two sides. Could you verify if that is the case?


Actually I meant the shared secret between the router and the RADIUS server, i.e., the one that is set with "set vpn l2tp remote-access authentication radius-server <server-ip> key <secret-key>", for example. Could you verify if that is matching the RADIUS server setting?

New Member

Re: PPTP/L2TP Radius Problem

Thanks for your reply. 

The password was correct, but it was too long. The EdgeRouter only supports passwords up to 48 characters; Windows, however, by default produces 64-character values. The solution to my problem was to shorten the secret.

Previous Employee

Re: PPTP/L2TP Radius Problem

That is good information! Yeah looks like the RADIUS client library we use limits it to 48. Perhaps we should add an explicit validation to prevent this issue. Thanks.
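To see why the Windows side logs a grant while pppd logs "received invalid reply digest", here is an added model of the exchange (example code, not the router's RADIUS client nor NPS). It builds a CHAP Access-Request the way pppd's radius plugin would, has a stand-in server verify the CHAP response and sign the Access-Accept with the RFC 2865 Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and then has the client recompute that digest with its own copy of the secret, which is the check rc_check_reply performs. The 64-byte NPS secret, the user name, password and CHAP challenge are constructed values, and truncating the router's copy to 48 bytes is an assumption about how the library limit described above manifests; the thread does not say whether the secret is silently cut or rejected.

```python
"""Model of the RADIUS exchange behind 'received invalid reply digest from RADIUS server'.

Added example, not the EdgeRouter's or NPS's code. Packet layout and the Response
Authenticator follow RFC 2865; the CHAP response follows RFC 1994.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed values standing in for the thread's real secrets and accounts.
NPS_SECRET = b"0123456789abcdef" * 4      # 64 characters, the length NPS generated by default
ROUTER_SECRET = NPS_SECRET[:48]           # assumption: the 48-character library limit truncates
USER_DB = {b"benno16": b"correct horse"}  # stands in for the account NPS looks up


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(blob: bytes) -> Dict[int, bytes]:
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response: MD5(Identifier || password || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(identifier: int, attrs: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """Client side. The Request Authenticator is random; for CHAP the shared secret is not used here."""
    if request_auth is None:
        request_auth = os.urandom(16)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def check_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side, the check rc_check_reply fails on: recompute the digest with *our* secret."""
    if len(reply) < HEADER_LEN or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def nps_handle(request: bytes, secret: bytes, user_db: Dict[bytes, bytes]) -> bytes:
    """Server side: verify the CHAP response against the stored password, then sign the reply."""
    attrs = parse_attrs(request[HEADER_LEN:])
    user = attrs.get(ATTR_USER_NAME, b"")
    chap = attrs.get(ATTR_CHAP_PASSWORD, b"")
    # RFC 2865 5.3: if CHAP-Challenge is absent, the Request Authenticator is the challenge.
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, request[4:20])
    ok = (user in user_db and len(chap) == 17
          and hmac.compare_digest(chap[1:], chap_response(chap[0], user_db[user], challenge)))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, b"", secret)


def router_login(user: bytes, password: bytes, server_secret: bytes, client_secret: bytes,
                 user_db: Dict[bytes, bytes] = USER_DB) -> Tuple[bool, bool]:
    """Returns (nps_granted, reply_digest_ok): the two log lines the thread compares."""
    ident, challenge = 7, b"\x11" * 16  # constructed; pppd would send a random challenge
    attrs = (encode_attr(ATTR_USER_NAME, user)
             + encode_attr(ATTR_CHAP_CHALLENGE, challenge)
             + encode_attr(ATTR_CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge)))
    request = build_access_request(42, attrs)
    reply = nps_handle(request, server_secret, user_db)
    return reply[0] == ACCESS_ACCEPT, check_reply(reply, request, client_secret)


if __name__ == "__main__":
    print("truncated secret:", router_login(b"benno16", b"correct horse", NPS_SECRET, ROUTER_SECRET))
    print("matching secret: ", router_login(b"benno16", b"correct horse", NPS_SECRET, NPS_SECRET))
```

With the truncated secret the result is (True, False): NPS grants access, because CHAP-Challenge and CHAP-Password are carried in the clear and verified against the user database without touching the shared secret, and only the router's recomputation of the Response Authenticator fails. That is exactly the pair of log lines in the original post. With PAP the mismatch would surface on the server side instead, since User-Password is hidden with MD5(secret + Request Authenticator) and NPS would decrypt garbage and reject.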

Member

Re: PPTP/L2TP Radius Problem

You guys need to fix that. I wasted a lot of time because of this. Finding such important information after googling is not fun.

Previous Employee

Re: PPTP/L2TP Radius Problem

Yes we should add the validation. Thanks for the feedback.

Emerging Member

Re: PPTP/L2TP Radius Problem

Thank you for this thread. I wasted a day on this.

+1 for either adding validation or, better yet, patching the library to accept longer secrets.

Member

Re: PPTP/L2TP Radius Problem

It sucked wasting so much time. A warning would have been sufficient.

Previous Employee

Re: PPTP/L2TP Radius Problem

Yeah this was already added to the v1.7.0alpha1 release currently available in the beta forum.

Emerging Member

Re: PPTP/L2TP Radius Problem

Thank you

Emerging Member

Re: PPTP/L2TP Radius Problem

Thanks for the solution ... had 50 letters ... sigh

Emerging Member

Re: PPTP/L2TP Radius Problem

More time wasted on this - even checked that the full password was visible in the entry box.

This is with a USG, so much for making things simple.
