Anyone have problems with l2tp after last update to ver. 1.20.14-1 on Fedora 40

Hello everyone,

Does anyone experience problems with l2tp VPNs after today's upgrade:

Upgrade NetworkManager-l2tp-1.20.14-1.fc40.x86_64 @updates
Upgraded NetworkManager-l2tp-1.20.10-5.fc40.x86_64 @@System
Upgrade NetworkManager-l2tp-gnome-1.20.14-1.fc40.x86_64 @updates
Upgraded NetworkManager-l2tp-gnome-1.20.10-5.fc40.x86_64 @@System

I cannot connect to the VPN anymore, with only this info in journalctl: “kwi 23 07:55:09 fedora pppd[8031]: MPPE required but peer negotiation failed”

I know Fedora 40 is coming today and I'm on the beta; I saw no problems yet on git.

I’ve tried to downgrade but I'm getting: “NetworkManager-l2tp is already installed in the lowest version, the previous version cannot be installed”

Thanks in advance for any response.

I’m running Fedora 39 KDE spin - fully patched as of a few minutes ago. I experienced what sounds like a similar issue. The errors I’m getting in /var/log/messages (and journalctl) are:
MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.
Connection terminated.

I downgraded from NetworkManager-l2tp-1.20.14-1.fc39.x86_64 (which will not connect) to NetworkManager-l2tp-1.20.10-2.fc39.x86_64, and I can connect again. (I only have one customer that’s still using L2TP.) Can someone please assist by describing exactly what information would be required to log a bug report?

NetworkManager-l2tp’s MPPE support has been broken for over 10 years when Compression Control Protocol (CCP) was disabled with the following commit:

MPPE negotiations need to happen within CCP. With NetworkManager-l2tp 1.20.14, CCP is now enabled if MPPE is enabled with the following commit:

If you are now getting an MPPE error, try disabling MPPE within the PPP options.

Generally there is no need for the very weak MPPE encryption to be enabled if you have the considerably stronger IPsec enabled.

Regarding “MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed”: that it says MPPE is required is a clear indication that MPPE negotiation is now working with NetworkManager-l2tp-1.20.14; earlier versions would silently ignore MPPE as CCP was disabled. Back to the error: Microsoft Point-to-Point Encryption (MPPE) only works with MS-CHAP, MS-CHAPv2 and EAP-TLS, which would mean PAP and CHAP need to be disabled in the authentication methods in the NetworkManager-l2tp GUI’s PPP properties, which may or may not break your existing authentication. It is better to disable the very weak MPPE encryption in the GUI’s PPP properties if you are using IPsec for the encryption.
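
Added example, not part of the original thread or of NetworkManager-l2tp: a check of a profile's `[vpn]` section against the rule in the answer above (MPPE needs MS-CHAP, MS-CHAPv2 or EAP-TLS, and is unnecessary alongside IPsec). The key names (`require-mppe`, `refuse-*`, `ipsec-enabled`) and the sample profile are assumptions; compare them with your own keyfile.

```python
import configparser

# Assumed [vpn] key names for an L2TP profile; compare with your own keyfile
# under /etc/NetworkManager/system-connections/ before relying on them.
MPPE_KEYS = ("require-mppe", "require-mppe-40", "require-mppe-128")
MPPE_CAPABLE = ("mschap", "mschapv2", "eap")  # EAP qualifies only as EAP-TLS
MPPE_INCAPABLE = ("pap", "chap")

# Constructed sample: MPPE ticked, only PAP and EAP allowed, IPsec enabled.
SAMPLE = """\
[connection]
id=customer-l2tp
type=vpn

[vpn]
gateway=vpn.example.com
ipsec-enabled=yes
require-mppe=yes
refuse-chap=yes
refuse-mschap=yes
refuse-mschapv2=yes
"""

def _yes(vpn, key):
    return vpn.get(key, "no").strip().lower() in ("yes", "true", "1")

def audit_l2tp_profile(text):
    """Return (code, message) findings for one keyfile passed as a string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    vpn = cp["vpn"] if cp.has_section("vpn") else {}
    if not any(_yes(vpn, k) for k in MPPE_KEYS):
        return []  # MPPE not requested, nothing to negotiate inside CCP
    allowed = [m for m in MPPE_CAPABLE + MPPE_INCAPABLE
               if not _yes(vpn, "refuse-" + m)]
    findings = []
    if not any(m in MPPE_CAPABLE for m in allowed):
        findings.append(("mppe-impossible", "no MPPE-capable auth method allowed"))
    elif any(m in MPPE_INCAPABLE for m in allowed):
        findings.append(("mppe-may-fail", "PAP/CHAP allowed; pppd aborts if the peer picks one"))
    if _yes(vpn, "ipsec-enabled"):
        findings.append(("mppe-redundant", "IPsec already encrypts; disable MPPE"))
    else:
        findings.append(("mppe-only", "MPPE is the only encryption and is very weak"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_l2tp_profile(SAMPLE):
        print(f"{code}: {msg}")
```
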

Thanks very much for your reply - and sorry for the long delay!

I can confirm that disabling “Use MPPE Encryption” has restored the required VPN connectivity. I’ve only tested this with NetworkManager-l2tp-1.20.16-1.fc39.x86_64, but this probably works with earlier versions as well.

Hovering over the MPPE option shows this message: “Note: MPPE encryption is only available with MSCHAP authentication methods. To enable this checkbox, select one or more of the MSCHAP authentication methods: MSCHAP or MSCHAPv2.”

I am using only the PAP and EAP authentication methods (as directed), so it appears that MPPE should not be used (as you said). I wouldn’t expect it to break connectivity, however. Perhaps the checkbox should be disabled when neither MSCHAP is selected… Thanks again for the help!