ppp-project / ppp

Paul's PPP Package: PPP daemon and associated utilities | Official GitHub repo: https://github.com/ppp-project/ppp

openfortivpn connection is broken with ppp 2.5.0

tobip opened this issue · comments

I am using openfortivpn to connect to my workplace.
Since ppp 2.5.0 the connection stopped working, giving the output:
Peer refused to agree to his IP address.
Downgrade back to 2.4.9 works for me.

Sorry, crystal ball is a bit cloudy at the moment, and I'm no good at reading minds. Could you run both the non-working and working cases with the 'debug' option and post the logs here?

In /etc/ppp/options, un-comment ipcp-accept-remote. Worked for me.

I'm assuming the fortinet hasn't changed?

Both log files look pretty disturbing if you ask me, I'm surprised 2.4.9 works.

What's the carrier for ppp here? Are we talking l2tp? pptp? serial?

In both negotiations, the peers are unable to agree on an IP address, so in both cases ipcp-accept-remote is the right thing to use.

The behaviour in this situation, when the peers don't agree, was changed by commit 9fe8923 ("pppd: Fix enforcing peer IP address (#235)", 2021-01-26), with the comments:

    pppd: Fix enforcing peer IP address (#235)
    
    If peer address is specified and ipcp-accept-remote is not set then peer
    address is enforced.
    
    But there is bug in pppd which allows peer to not use supplied address when
    it reply with empty IPCP ConfReq. In this case pppd thinks that peer
    accepted its idea of remote/peer address even it is not truth.

So the new behaviour of failing to bring up the link when the two ends can't agree on an IP address and the ipcp-accept-remote option is not used is deliberate, and I think correct.
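The check described in the comment above, as an added example that is not part of the original thread and not pppd source code: a simplified model that inspects a single IPCP Configure-Request (wire format per RFC 1332) rather than a full negotiation. The names `check_peer`, `confreq_peer_addr` and the sample packets are assumptions made for illustration.

```c
/* Added example: simplified model of the check, not pppd source code. */
#include <stddef.h>
#include <stdint.h>
#define IPCP_CONFREQ 1 /* RFC 1332 code: Configure-Request */
#define CI_ADDR 3      /* RFC 1332 option type: IP-Address */
enum verdict { LINK_UP, LINK_REFUSED, MALFORMED };

/* Constructed sample packets: code, id, 16-bit length, then options. */
const uint8_t EMPTY_REQ[] = {1, 1, 0, 4};                    /* no options */
const uint8_t ADDR_REQ[] = {1, 2, 0, 10, 3, 6, 10, 0, 0, 1}; /* 10.0.0.1 */

/* Returns 1 and sets *addr if IP-Address is present, 0 if absent,
 * -1 if the packet is malformed. */
static int confreq_peer_addr(const uint8_t *p, size_t n, uint32_t *addr)
{
    if (n < 4 || p[0] != IPCP_CONFREQ) return -1;
    size_t len = ((size_t)p[2] << 8) | p[3];
    if (len < 4 || len > n) return -1;
    for (size_t i = 4; i < len;) {
        if (len - i < 2) return -1;
        uint8_t type = p[i], olen = p[i + 1];
        if (olen < 2 || olen > len - i) return -1;
        if (type == CI_ADDR) {
            if (olen != 6) return -1;
            *addr = (uint32_t)p[i + 2] << 24 | (uint32_t)p[i + 3] << 16 |
                    (uint32_t)p[i + 4] << 8 | p[i + 5];
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* want_peer: peer address we were configured with (0 = none given).
 * accept_remote: models the ipcp-accept-remote option. */
enum verdict check_peer(const uint8_t *req, size_t n, uint32_t want_peer, int accept_remote)
{
    uint32_t got = 0;
    int present = confreq_peer_addr(req, n, &got);
    if (present < 0) return MALFORMED;
    /* Enforced address: an absent option no longer counts as agreement. */
    if (want_peer && !accept_remote && (!present || got != want_peer))
        return LINK_REFUSED; /* pppd: "Peer refused to agree to his IP address" */
    return LINK_UP;
}

int main(void) { return check_peer(EMPTY_REQ, sizeof EMPTY_REQ, 0x0A000001, 0) == LINK_REFUSED ? 0 : 1; }
```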

> I'm assuming the fortinet hasn't changed?

Yes, nothing in the network has changed.

> What's the carrier for ppp here? Are we talking l2tp? pptp? serial?

Unfortunately I don't know how to answer these questions...

> > I'm assuming the fortinet hasn't changed?
>
> Yes, nothing in the network has changed.

"in the network" - that's quite a bold statement really. How do you define "the network"? I specifically asked about fortinet.

> > What's the carrier for ppp here? Are we talking l2tp? pptp? serial?
>
> Unfortunately I don't know how to answer these questions...

OK. That makes things harder.

Have you tried with ipcp-accept-remote option set?

@tobip did the discussion referred to in the previous comment help? Is this still an issue?

Yes thanks, I got it.