
openfortivpn connection is broken with ppp 2.5.0

Open tobip opened this issue 2 years ago • 10 comments

I am using openfortivpn to connect to my workplace. Since ppp 2.5.0 the connection stopped working, giving the output: Peer refused to agree to his IP address. Downgrade back to 2.4.9 works for me.

tobip avatar Sep 29 '23 06:09 tobip

Sorry, crystal ball is a bit cloudy at the moment, and I'm no good at reading minds. Could you run both the non-working and working cases with the 'debug' option and post the logs here?

paulusmack avatar Oct 12 '23 11:10 paulusmack

In /etc/ppp/options, un-comment ipcp-accept-remote - worked for me.

DeclanMorbey avatar Oct 24 '23 20:10 DeclanMorbey

I'm assuming the fortinet hasn't changed?

Both log files look pretty disturbing if you ask me, I'm surprised 2.4.9 works.

What's the carrier for ppp here? Are we talking l2tp? pptp? serial?

jkroonza avatar Oct 26 '23 19:10 jkroonza

In both negotiations, the peers are unable to agree on an IP address, so in both cases ipcp-accept-remote is the right thing to use.

The behaviour in this situation, when the peers don't agree, was changed by commit 9fe8923419a9 ("pppd: Fix enforcing peer IP address (#235)", 2021-01-26), with the comments:

    pppd: Fix enforcing peer IP address (#235)
    
    If peer address is specified and ipcp-accept-remote is not set then peer
    address is enforced.
    
    But there is bug in pppd which allows peer to not use supplied address when
    it reply with empty IPCP ConfReq. In this case pppd thinks that peer
    accepted its idea of remote/peer address even it is not truth.

So the new behaviour of failing to bring up the link when the two ends can't agree on an IP address and the ipcp-accept-remote option is not used is deliberate, and I think correct.

paulusmack avatar Oct 31 '23 09:10 paulusmack
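
A simplified model of the decision described in the comment above, as an added example that is not pppd's source and not part of the original thread. The struct, field and function names are hypothetical and the addresses are constructed; it compares the outcome before and after commit 9fe8923419a9 when the peer sends an empty IPCP ConfReq.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Hypothetical model of the end of IPCP negotiation; not pppd's structs. */
struct ipcp_end {
    uint32_t want_peer_addr; /* peer address given locally, 0 = none */
    bool accept_remote;      /* ipcp-accept-remote is set */
    bool peer_sent_addr;     /* peer's ConfReq carried an address option */
    uint32_t peer_addr;      /* address the peer asked for, if it sent one */
};

/* Before the fix: an empty ConfReq was taken as agreement. */
bool link_up_before_fix(const struct ipcp_end *s)
{
    if (s->want_peer_addr == 0 || s->accept_remote)
        return true;
    if (!s->peer_sent_addr)
        return true; /* the bug: the address was never actually confirmed */
    return s->peer_addr == s->want_peer_addr;
}

/* After the fix: without ipcp-accept-remote the peer must confirm it. */
bool link_up_after_fix(const struct ipcp_end *s)
{
    if (s->want_peer_addr == 0 || s->accept_remote)
        return true;
    return s->peer_sent_addr && s->peer_addr == s->want_peer_addr;
}

int main(void)
{
    /* Constructed cases using documentation addresses (192.0.2.0/24). */
    struct ipcp_end cases[] = {
        { IP(192, 0, 2, 2), false, false, 0 },                /* empty ConfReq */
        { IP(192, 0, 2, 2), false, true, IP(192, 0, 2, 2) },  /* peer agrees */
        { IP(192, 0, 2, 2), false, true, IP(192, 0, 2, 9) },  /* peer differs */
        { IP(192, 0, 2, 2), true, true, IP(192, 0, 2, 9) },   /* accept-remote */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: before=%s after=%s\n", i,
               link_up_before_fix(&cases[i]) ? "up" : "refused",
               link_up_after_fix(&cases[i]) ? "up" : "refused");
    return 0;
}
```

Only the first case changes outcome between the two functions; in the last case the link comes up because ipcp-accept-remote hands the choice of peer address to the peer.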

> I'm assuming the fortinet hasn't changed?

Yes, nothing in the network has changed.

> What's the carrier for ppp here? Are we talking l2tp? pptp? serial?

Unfortunately I don't know how to answer these questions...

tobip avatar Nov 16 '23 03:11 tobip

> > I'm assuming the fortinet hasn't changed?
>
> Yes, nothing in the network has changed.

"in the network" - that's quite a bold statement really. How do you define "the network"? I specifically asked about fortinet.

> > What's the carrier for ppp here? Are we talking l2tp? pptp? serial?
>
> Unfortunately I don't know how to answer these questions...

OK. That makes things harder.

Have you tried with ipcp-accept-remote option set?

jkroonza avatar Nov 21 '23 06:11 jkroonza

See https://github.com/adrienverge/openfortivpn/issues/1141#issuecomment-1806834236

martin-sucha avatar Dec 05 '23 09:12 martin-sucha

@tobip did the discussion referred to in the previous comment help? Is this still an issue?

paulusmack avatar Apr 22 '24 05:04 paulusmack

Yes thanks, I got it.

tobip avatar Apr 22 '24 05:04 tobip