Incorrect tunnel peer IP #1177

Open
bartelsielski opened this issue Dec 8, 2023 · 8 comments

@bartelsielski

openfortivpn version: 1.21.0
ppp version: 2.5.0
OS: Arch Linux

When attempting to make a connection the peer IP of the tunnel is set to the IP of the server. It works correctly on openfortivpn 1.20.5 with ppp 2.4.9.

@DimitriPapadopoulos
Collaborator

That's pppd negotiating the IP address, I guess that's how the server is set.

https://github.com/adrienverge/openfortivpn/wiki#reporting-issues

@bartelsielski
Author

bartelsielski commented Dec 12, 2023

openfortivpn 1.21.0 output
DEBUG:  openfortivpn 1.21.0
DEBUG:  Loaded configuration file "<REDACTED>".
DEBUG:  Loaded password from configuration file "<REDACTED>"
DEBUG:  Configuration host = "<REDACTED>"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "<REDACTED>"
DEBUG:  Configuration username = "<REDACTED>"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: <SERVER_IP>
DEBUG:  server_port: <REDACTED>
DEBUG:  gateway_ip: <SERVER_IP>
DEBUG:  gateway_port: <REDACTED>
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
DEBUG:  Cookie: SVPNCOOKIE=Qiuz77QBQXQq8Vf/ZMBi/wl60q5mmC2JwQk0fhShW+YsPD7eGSoGoG914LY8RzGZNxuF43n2kYp3Y3Xlh98h0ls6RKw3yk7ZMgcYu47IMy44ISVbGhEfllLFCjjKmT52Vly1/+G/Z7ayAQcGBkmDaEYGwv0OWEnPv+9C6jBLwp1j4pxGsnJvqhe4nRHvA1BeY0Cty3crNIFEqQxn+MgooyvZ4glITQhpn7Gcmn8KNF3OeVGz1ctPMLced0nwok7+T+VIoLlGGEEzSMvnp888RMaOHOwJ/pRKF4T+Xv6LCAPJjPGikrUI3MUSV87KFo88yGdwdyRysaqD0J1WwR1zxRVq6TIBxIs=
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=Qiuz77QBQXQq8Vf/ZMBi/wl60q5mmC2JwQk0fhShW+YsPD7eGSoGoG914LY8RzGZNxuF43n2kYp3Y3Xlh98h0ls6RKw3yk7ZMgcYu47IMy44ISVbGhEfllLFCjjKmT52Vly1/+G/Z7ayAQcGBkmDaEYGwv0OWEnPv+9C6jBLwp1j4pxGsnJvqhe4nRHvA1BeY0Cty3crNIFEqQxn+MgooyvZ4glITQhpn7Gcmn8KNF3OeVGz1ctPMLced0nwok7+T+VIoLlGGEEzSMvnp888RMaOHOwJ/pRKF4T+Xv6LCAPJjPGikrUI3MUSV87KFo88yGdwdyRysaqD0J1WwR1zxRVq6TIBxIs=
INFO:   Remote gateway has allocated a VPN.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: <SERVER_IP>
DEBUG:  server_port: <REDACTED>
DEBUG:  gateway_ip: <SERVER_IP>
DEBUG:  gateway_port: <REDACTED>
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  Retrieving configuration
DEBUG:  Found dns server 172.16.10.49 in xml config
DEBUG:  Found dns server 172.16.10.11 in xml config
DEBUG:  Establishing the tunnel
DEBUG:  ppp_path: /usr/bin/pppd
DEBUG:  Switch to tunneling mode
DEBUG:  Starting IO through the tunnel
DEBUG:  pppd_read thread
DEBUG:  ssl_read thread
DEBUG:  if_config thread
DEBUG:  ssl_write thread
DEBUG:  pppd_write thread
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (16 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  pppd ---> gateway (10 bytes)
DEBUG:  pppd ---> gateway (17 bytes)
DEBUG:  pppd ---> gateway (18 bytes)
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (10 bytes)
DEBUG:  gateway ---> pppd (6 bytes)
DEBUG:  gateway ---> pppd (17 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (24 bytes)
DEBUG:  pppd ---> gateway (6 bytes)
DEBUG:  pppd ---> gateway (6 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (6 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
INFO:   Got addresses: [172.16.200.8], ns [172.16.10.49, 172.16.10.11]
INFO:   Negotiation complete.
DEBUG:  Got Address: 172.16.200.8
DEBUG:  if_config: not ready yet...
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  pppd ---> gateway (124 bytes)
DEBUG:  pppd ---> gateway (206 bytes)
DEBUG:  pppd ---> gateway (288 bytes)
DEBUG:  pppd ---> gateway (370 bytes)
DEBUG:  pppd ---> gateway (452 bytes)
DEBUG:  pppd ---> gateway (534 bytes)
DEBUG:  pppd ---> gateway (616 bytes)
DEBUG:  pppd ---> gateway (698 bytes)
DEBUG:  pppd ---> gateway (780 bytes)
DEBUG:  pppd ---> gateway (862 bytes)
DEBUG:  pppd ---> gateway (944 bytes)
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  pppd ---> gateway (185 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  Got Address: 172.16.200.8
DEBUG:  Interface Name: <REDACTED>
DEBUG:  Interface Addr: 172.16.200.8
INFO:   Interface <REDACTED> is UP.
INFO:   Adding VPN nameservers...
DEBUG:  Attempting to run /usr/bin/resolvconf.
DEBUG:  resolvconf_call: /usr/bin/resolvconf -a "<REDACTED>.openfortivpn"
Dropped protocol specifier '.openfortivpn' from '<REDACTED>.openfortivpn'. Using '<REDACTED>' (ifindex=29).
INFO:   Tunnel is up and running.
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (185 bytes)
DEBUG:  pppd ---> gateway (185 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (167 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (167 bytes)
DEBUG:  pppd ---> gateway (260 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (167 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
DEBUG:  pppd ---> gateway (66 bytes)
DEBUG:  pppd ---> gateway (10 bytes)
DEBUG:  pppd ---> gateway (1224 bytes)
^C
INFO:   Cancelling threads...
INFO:   Cleanup, joining threads...
DEBUG:  Disconnecting
INFO:   Setting <REDACTED> interface down.
INFO:   Removing VPN nameservers...
DEBUG:  resolvconf_call: /usr/bin/resolvconf -d "<REDACTED>.openfortivpn"
Dropped protocol specifier '.openfortivpn' from '<REDACTED>.openfortivpn'. Using '<REDACTED>' (ifindex=29).
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 16
INFO:   pppd: The link was terminated by the modem hanging up.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: <SERVER_IP>
DEBUG:  server_port: <REDACTED>
DEBUG:  gateway_ip: <SERVER_IP>
DEBUG:  gateway_port: <REDACTED>
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

pppd 2.5.0 log

Warning: couldn't open ppp database /run/pppd/pppd2.tdb
using channel 19
Using interface <REDACTED>
Connect: <REDACTED> <--> /dev/pts/9
sent [LCP ConfReq id=0x1 <mru 1354> <magic 0xe56fa4ce>]
rcvd [LCP ConfReq id=0x1 <magic 0x7addf828>]
sent [LCP ConfAck id=0x1 <magic 0x7addf828>]
rcvd [LCP ConfAck id=0x1 <mru 1354> <magic 0xe56fa4ce>]
sent [LCP EchoReq id=0x0 magic=0xe56fa4ce]
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
sent [IPV6CP ConfReq id=0x1 <addr fe80::ddab:65d5:717f:b286>]
rcvd [IPCP ConfReq id=0x1 <addr <SERVER_IP>>]
sent [IPCP ConfAck id=0x1 <addr <SERVER_IP>>]
rcvd [LCP EchoRep id=0x0 magic=0x7addf828]
rcvd [CCP ConfReq id=0x1]
sent [CCP ConfAck id=0x1]
rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [CCP ConfReq id=0x2]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a dd ab 65 d5 71 7f b2 86 c8 08]
Protocol-Reject for 'IPv6 Control Protocol' (0x8057) received
rcvd [CCP ConfAck id=0x2]
rcvd [IPCP ConfNak id=0x2 <addr 172.16.200.8>]
sent [IPCP ConfReq id=0x3 <addr 172.16.200.8>]
rcvd [IPCP ConfAck id=0x3 <addr 172.16.200.8>]
Cannot determine ethernet address for proxy ARP
local  IP address 172.16.200.8
remote IP address <SERVER_IP>
Script /etc/ppp/ip-up started (pid 1135762)
Script /etc/ppp/ip-up finished (pid 1135762), status = 0x0
Hangup (SIGHUP)
Modem hangup
Connect time 0.7 minutes.
Sent 16638 bytes, received 0 bytes.
Script /etc/ppp/ip-down started (pid 1135914)
Connection terminated.
Script /etc/ppp/ip-down finished (pid 1135914), status = 0x0

ppp v2.4.9 log (started by openfortivpn 1.20.5)

using channel 20
Renamed interface ppp0 to <REDACTED>
Using interface <REDACTED>
Connect: <REDACTED> <--> /dev/pts/9
sent [LCP ConfReq id=0x1 <mru 1354> <magic 0xf9af34b8>]
rcvd [LCP ConfReq id=0x1 <magic 0xc73b3307>]
sent [LCP ConfAck id=0x1 <magic 0xc73b3307>]
rcvd [LCP ConfAck id=0x1 <mru 1354> <magic 0xf9af34b8>]
sent [LCP EchoReq id=0x0 magic=0xf9af34b8]
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
sent [IPV6CP ConfReq id=0x1 <addr fe80::7d2e:7a27:6baa:23d0>]
rcvd [IPCP ConfReq id=0x1 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1 <addr 169.254.2.1>]
rcvd [LCP EchoRep id=0x0 magic=0xc73b3307]
rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 7d 2e 7a 27 6b aa 23 d0 c8 05]
Protocol-Reject for 'IPv6 Control Protocol' (0x8057) received
rcvd [CCP ConfReq id=0x1]
sent [CCP ConfAck id=0x1]
rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [CCP ConfReq id=0x2]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x2 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2 <addr 169.254.2.1>]
rcvd [CCP ConfAck id=0x2]
rcvd [IPCP ConfNak id=0x2 <addr 172.16.200.5>]
sent [IPCP ConfReq id=0x3 <addr 172.16.200.5>]
rcvd [IPCP ConfReq id=0x3 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3 <addr 169.254.2.1>]
rcvd [IPCP ConfAck id=0x3 <addr 172.16.200.5>]
rcvd [IPCP ConfReq id=0x4 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x6 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x6 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x7 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x7 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x8 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x8 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x9 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x9 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xa <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xa <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xb <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xb <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xc <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xc <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xd <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xd <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xe <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xe <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0xf <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0xf <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x10 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x10 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x11 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x11 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x12 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x12 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x13 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x13 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x14 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x14 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x15 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x15 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x16 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x16 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x17 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x17 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x18 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x18 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x19 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x19 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1a <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1a <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1b <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1b <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1c <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1c <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1d <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1d <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1e <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1e <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x1f <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x1f <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x20 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x20 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x21 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x21 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x22 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x22 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x23 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x23 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x24 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x24 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x25 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x25 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x26 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x26 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x27 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x27 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x28 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x28 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x29 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x29 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2a <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2a <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2b <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2b <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2c <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2c <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2d <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2d <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2e <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2e <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x2f <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x2f <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x30 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x30 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x31 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x31 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x32 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x32 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x33 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x33 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x34 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x34 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x35 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x35 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x36 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x36 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x37 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x37 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x38 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x38 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x39 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x39 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3a <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3a <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3b <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3b <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3c <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3c <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3d <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3d <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3e <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3e <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x3f <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x3f <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x40 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x40 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x41 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x41 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x42 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x42 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x43 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x43 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x44 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x44 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x45 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x45 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x46 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x46 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x47 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x47 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x48 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x48 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x49 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x49 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4a <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4a <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4b <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4b <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4c <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4c <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4d <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4d <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4e <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4e <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x4f <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x4f <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x50 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x50 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x51 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x51 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x52 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x52 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x53 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x53 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x54 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x54 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x55 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x55 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x56 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x56 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x57 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x57 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x58 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x58 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x59 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x59 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5a <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5a <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5b <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5b <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5c <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5c <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5d <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5d <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5e <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5e <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x5f <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x5f <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x60 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x60 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x61 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x61 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x62 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x62 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x63 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x63 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x64 <addr <SERVER_IP>>]
sent [IPCP ConfNak id=0x64 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x65 <addr <SERVER_IP>>]
sent [IPCP ConfRej id=0x65 <addr <SERVER_IP>>]
rcvd [IPCP ConfReq id=0x66 <addrs <SERVER_IP> 172.16.200.5>]
sent [IPCP ConfRej id=0x66 <addrs <SERVER_IP> 172.16.200.5>]
rcvd [IPCP ConfReq id=0x67]
sent [IPCP ConfAck id=0x67]
Cannot determine ethernet address for proxy ARP
local  IP address 172.16.200.5
remote IP address 169.254.2.1
Script /etc/ppp/ip-up started (pid 1136334)
Script /etc/ppp/ip-up finished (pid 1136334), status = 0x0
Hangup (SIGHUP)
Modem hangup
Connect time 0.1 minutes.
Sent 1784 bytes, received 0 bytes.
Script /etc/ppp/ip-down started (pid 1136348)
Connection terminated.
Script /etc/ppp/ip-down finished (pid 1136348), status = 0x0

Replaced the server IP address in the logs with <SERVER_IP>.

@DimitriPapadopoulos
Collaborator

So you believe the problem with pppd 2.5.0 lies here:

local  IP address 172.16.200.8
remote IP address <SERVER_IP>

as opposed to pppd 2.4.9:

local  IP address 172.16.200.5
remote IP address 169.254.2.1

However, this seems beyond the control of openfortivpn, that's a negotiation between pppd and the FortiGate. I am not sure how to fix that, this looks like a misconfiguration on the FortiGate or a bug in the version of pppd you are using.

@berenddeschouwer

berenddeschouwer commented Jan 11, 2024

I see the same problem on an older FortiGate.

169.254.0.0/16 is reserved for link-local addresses, according to https://en.wikipedia.org/wiki/Reserved_IP_addresses

That IP is set in src/tunnel.c, line 257.

The first time it shows up (ppp 2.4.9), is when the server sends
IPCP ConfReq id=0x2 <some-ip>
and ppp-2.4.9 responds
IPCP ConfNak id=0x2 <addr 169.254.2.1>
this then repeats a few times

Eventually ppp 2.4.9 and the fortigate agree to disagree, and the tunnel is configured with a link-local address anyway.
rcvd [IPCP ConfReq id=0x66 <some-ip>
sent [IPCP ConfRej id=0x66 <some-ip>
After 90 attempts, pppd 2.4.9 sends "confrej" instead of "confnak"

but negotiation is "complete", so the tunnel is set up with ppp 2.4.9

ppp 2.5.0 drops the tunnel.

The ipcp-accept-remote tells ppp to accept , as opposed to the link-local address. My FortiGate server sends its public IP as its link IP.

If the FortiGate is running a firewall, it will now receive private (VPN) traffic with public IPs, and drop the packets.

So the bugs:

  • FortiGate server shouldn't send its public IP as a link IP
  • ppp 2.4.9 shouldn't ever have completed negotiation when rejecting the config
  • openfortivpn hardcodes both a link IP and ipcp-accept-remote

However, these bugs cancel each other out.

Next step: Remove the option ":169.254.2.1" from src/tunnel.c and try again.
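
The two outcomes compared in this thread can be read mechanically from an unredacted pppd debug log. The following is an added example, not part of the original discussion and not openfortivpn or pppd code; `summarize`, the finding labels and the sample lines are constructed for illustration, with 203.0.113.10 standing in for the redacted <SERVER_IP>.

```python
import ipaddress
import re
from collections import Counter

# Constructed samples modelled on the pppd debug lines quoted in this thread.
# 203.0.113.10 (a documentation address) stands in for the redacted <SERVER_IP>.
GATEWAY = "203.0.113.10"
SAMPLE_249 = """\
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 203.0.113.10>]
sent [IPCP ConfNak id=0x1 <addr 169.254.2.1>]
rcvd [IPCP ConfNak id=0x2 <addr 172.16.200.5>]
sent [IPCP ConfReq id=0x3 <addr 172.16.200.5>]
rcvd [IPCP ConfAck id=0x3 <addr 172.16.200.5>]
rcvd [IPCP ConfReq id=0x64 <addr 203.0.113.10>]
sent [IPCP ConfNak id=0x64 <addr 169.254.2.1>]
rcvd [IPCP ConfReq id=0x65 <addr 203.0.113.10>]
sent [IPCP ConfRej id=0x65 <addr 203.0.113.10>]
rcvd [IPCP ConfReq id=0x67]
sent [IPCP ConfAck id=0x67]
local  IP address 172.16.200.5
remote IP address 169.254.2.1
"""
SAMPLE_250 = """\
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 203.0.113.10>]
sent [IPCP ConfAck id=0x1 <addr 203.0.113.10>]
rcvd [IPCP ConfNak id=0x2 <addr 172.16.200.8>]
sent [IPCP ConfReq id=0x3 <addr 172.16.200.8>]
rcvd [IPCP ConfAck id=0x3 <addr 172.16.200.8>]
local  IP address 172.16.200.8
remote IP address 203.0.113.10
"""

IPCP_RE = re.compile(r"^(sent|rcvd) \[IPCP (Conf(?:Req|Ack|Nak|Rej)) id=0x[0-9a-f]+(.*)\]$")
ADDR_RE = re.compile(r"<addr ([0-9.]+)>")
FINAL_RE = re.compile(r"^(local|remote)\s+IP address (\S+)$")


def summarize(log, gateway_ip):
    """Summarize how the peer's own address was negotiated in a pppd debug log."""
    peer_asked = set()   # addresses the peer proposed for itself (rcvd ConfReq)
    replies = Counter()  # our answers that carried an address option
    final = {}
    for line in log.splitlines():
        line = line.strip()
        m = IPCP_RE.match(line)
        if m:
            direction, code, opts = m.groups()
            addr = ADDR_RE.search(opts)
            if direction == "rcvd" and code == "ConfReq" and addr:
                peer_asked.add(addr.group(1))
            elif direction == "sent" and code != "ConfReq" and addr:
                replies[code] += 1
            continue
        m = FINAL_RE.match(line)
        if m:
            final[m.group(1)] = m.group(2)

    findings = []
    remote = final.get("remote")
    if remote:
        if ipaddress.ip_address(remote).is_link_local:
            findings.append("remote-is-link-local")
        if remote == gateway_ip:
            findings.append("remote-is-gateway-outer-address")
        if peer_asked and remote not in peer_asked:
            findings.append("remote-differs-from-peer-request")
    if replies["ConfNak"] + replies["ConfRej"] > 0:
        findings.append("peer-address-refused")
    return {"local": final.get("local"), "remote": remote,
            "replies": dict(replies), "findings": findings}


if __name__ == "__main__":
    for name, log in (("pppd 2.4.9", SAMPLE_249), ("pppd 2.5.0", SAMPLE_250)):
        print(name, summarize(log, GATEWAY))
```

Pass the `gateway_ip` value from the openfortivpn debug output as the second argument; a log in which the address has been replaced by a placeholder such as <SERVER_IP> will not match the address pattern.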

@berenddeschouwer

So removing option ":169.254.2.1" in src/tunnel.c also removes the need for "ipcp-accept-remote".

However, it does not fix connectivity to FortiGate servers where the FortiGate is giving an incorrect link-local IP address.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jan 12, 2024

> openfortivpn hardcodes both a link IP and ipcp-accept-remote

Is that a problem? From the pppd(8) man page:

> <local_IP_address>:<remote_IP_address>
>
> Set the local and/or remote interface IP addresses. Either one may be omitted. The IP addresses can be specified with a host name or in decimal dot notation (e.g. 150.234.56.78). The default local address is the (first) IP address of the system (unless the noipdefault option is given). The remote address will be obtained from the peer if not specified in any option. Thus, in simple cases, this option is not required. If a local and/or remote IP address is specified with this option, pppd will not accept a different value from the peer in the IPCP negotiation, unless the ipcp-accept-local and/or ipcp-accept-remote options are given, respectively.
>
> ipcp-accept-remote
>
> With this option, pppd will accept the peer's idea of its (remote) IP address, even if the remote IP address was specified in an option.

I have already tried omitting remote_IP_address, but (some version of) pppd fails without it.

@DimitriPapadopoulos
Collaborator

I'm happy to apply a patch if you can work out a solution, but it has to work with 2.4.9 (when configured with --enable-legacy-pppd) and 2.5.0 (configured without --enable-legacy-pppd).

@berenddeschouwer

No, I do think this is a mistake in the configuration on the server. I do not think it's possible to fix this inside openfortivpn with pppd 2.5.0.

pppd 2.4.9 worked by accident, because it configures a different remote IP than the remote wants. This is a mistake, but in this case two wrongs make a right.

pppd 2.5.0 won't work with the same server configuration. This is a behavioural change towards correctness. pppd would need to add an option "ipcp-override-remote" to restore the incorrect 2.4.9 behaviour.
