Ppp error critical encryption got out of sync disabling

Every 5 to 10 minutes the PPTP session to the anonymizer drops. I tried arguing with the server's owner; he says the problem is on my side, since from a machine running CentOS the connection comes up and works stably. Logs from the MikroTik (mkt):


Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP receiveid ProtRej for unsupported protocol 0xf605
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: CCP close
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: CCP closed
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: sent CCP TermReq id=0x2
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:     Encryption got out of sync
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 37 bb 5f 46 20 fa d3...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 38 eb 38 d7 6d e6 e1...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 39 48 90 3c 5c 79 20...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 3a 09 e8 3e 6e 34 95...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 3b 6a 98 dc e1 a0 b2...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 3c 9b 0f 02 b0 03 52...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 3d ba 21 74 2d 41 f7...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd proto=0xfd 9a 3e 79 81 56 fa f9 74...
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd LCP TermReq id=0x5
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:     MPPE disabled
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP closed
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: CCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: BCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: BCP down event in starting state
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: IPCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: IPCP closed
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: IPV6CP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: IPV6CP down event in starting state
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: MPLSCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: sent LCP TermAck id=0x5
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP lowerdown
Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP down event in starting state

As I understand it, encryption is failing: the MikroTik disables MPPE, but since the other side does not allow unencrypted connections, the connection is torn down and re-established. The problem started after upgrading to RoS 6.30.2; the hardware is an RB1100. In another office there is an RB951 with RoS 6.32.1 connecting to the same servers (through the same provider, even the same provider subnet) and it has no such problems. What else should I look at?
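The two things the poster points at, a ProtRej for a nonsense protocol number followed by CCP closing with "Encryption got out of sync" and "MPPE disabled", can be picked out of PPP debug logs mechanically. The following is an added example, not code from the original post, from MikroTik or from pppd. It reads the RouterOS log dialect above and the pppd syslog dialect used in the OpenWrt post further down this page, classifies each rejected protocol number (a real NCP the peer simply lacks, such as MPLSCP 0x8281, versus a number that cannot be a PPP protocol at all under RFC 1661's odd-low-octet, even-high-octet rule, which is what random bytes from a wrong key usually look like), and reports whether a teardown was preceded by such rejects. The sample lines are copied or trimmed from the logs on this page; the known-protocol table is a short list chosen for the example, not the full IANA registry.

```python
"""Added example (not from the original post, MikroTik or pppd): find MPPE
key-desync teardowns in PPP debug logs. Handles the RouterOS 'pptp,ppp,debug'
dialect and the pppd syslog dialect; the sample lines are copied or trimmed
from the logs on this page. KNOWN_PROTOCOLS is a short list, not the whole
IANA PPP number registry."""
import re
from dataclasses import dataclass, field

# PPP protocol numbers a peer may legitimately ProtRej (RFC 1661 / IANA).
KNOWN_PROTOCOLS = {
    0x0021: "IP", 0x0057: "IPv6", 0x0281: "MPLS", 0x00fd: "MPPE data",
    0x8021: "IPCP", 0x8057: "IPV6CP", 0x8031: "BCP", 0x80fd: "CCP", 0x8281: "MPLSCP",
    0xc021: "LCP", 0xc023: "PAP", 0xc223: "CHAP",
}

# RouterOS: "LCP receiveid ProtRej for unsupported protocol 0xf605"
# pppd:     "Unsupported protocol 0x1ac2 received"
REJECT_RE = re.compile(r"unsupported protocol 0x([0-9a-f]+)", re.I)
OUT_OF_SYNC_RE = re.compile(r"Encryption got out of sync", re.I)
MPPE_DISABLED_RE = re.compile(r"MPPE disabled", re.I)


def classify_protocol(proto: int) -> str:
    """RFC 1661 section 2: the low octet of a protocol number is odd and the
    high octet is even. Bytes decrypted with the wrong key are random, so most
    desync packets violate this rule; a real NCP the peer lacks does not."""
    if proto in KNOWN_PROTOCOLS:
        return "known:" + KNOWN_PROTOCOLS[proto]
    if proto & 0x0001 == 0 or proto & 0x0100:
        return "malformed"
    return "unknown"


@dataclass
class Finding:
    verdict: str                                   # "mppe_desync" or "teardown_without_rejects"
    rejects: list = field(default_factory=list)    # (proto, classification) before the teardown
    mppe_disabled: bool = False


def triage(lines) -> list:
    """Walk the log in order. Every 'Encryption got out of sync' closes a
    finding carrying the protocol rejects seen since the previous one."""
    findings, rejects, current = [], [], None
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            proto = int(m.group(1), 16)
            rejects.append((proto, classify_protocol(proto)))
        elif OUT_OF_SYNC_RE.search(line):
            if current is not None and not rejects and not current.mppe_disabled:
                continue                           # pppd logs the same TermReq twice
            suspicious = [r for r in rejects if not r[1].startswith("known:")]
            verdict = "mppe_desync" if suspicious else "teardown_without_rejects"
            current = Finding(verdict, rejects)
            findings.append(current)
            rejects = []
        elif current is not None and MPPE_DISABLED_RE.search(line):
            current.mppe_disabled = True
    return findings


# Sample input, copied from the RouterOS log in the post above.
SAMPLE_ROUTEROS = [
    "Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: LCP receiveid ProtRej for unsupported protocol 0xf605",
    "Sep/29/2015 10:22:16 pptp,ppp,debug pptp_log: pptp-vpn: CCP close",
    "Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: sent CCP TermReq id=0x2",
    "Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:     Encryption got out of sync",
    "Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:  pptp-vpn: rcvd LCP TermReq id=0x5",
    "Sep/29/2015 10:22:16 pptp,ppp,debug,packet pptp_log:     MPPE disabled",
]

# Sample input, trimmed from the pppd log in the OpenWrt post further down the page.
SAMPLE_PPPD = [
    "Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x1ac2 received",
    "Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x4 1a c2 68 39 ...]",
    "Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x7 received",
    "Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x6482 received",
    'Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [CCP TermReq id=0x2 "Encryption got out of sync"]',
    "Fri Nov 17 06:29:13 2017 daemon.info pppd[25557]: CCP terminated by peer (Encryption got out of sync)",
    "Fri Nov 17 06:29:13 2017 daemon.err pppd[25557]: MPPE disabled",
]

if __name__ == "__main__":
    for name, sample in (("routeros", SAMPLE_ROUTEROS), ("pppd", SAMPLE_PPPD)):
        for f in triage(sample):
            print(name, f.verdict, "mppe_disabled=%s" % f.mppe_disabled,
                  ["0x%04x:%s" % r for r in f.rejects])
```

Run over a full debug log (one session per pppd pid or per RouterOS interface name, if several are mixed), a verdict of `mppe_desync` with `malformed` rejects tells you the peer decrypted garbage, which is a key-synchronisation problem; a teardown whose only rejects are `known:` protocols is a capability mismatch, not an encryption fault.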

Published 18.11.2020

Contents

  1. Before enabling encryption
  2. Enabling encryption
  3. Sharing encrypted files
  4. Encrypting external mountpoints
  5. Enabling users' file recovery keys
  6. occ encryption commands
  7. Disabling encryption
  8. Files not encrypted
  9. LDAP and other external user back-ends

What's new in 6.30 (2015-Jul-08 09:07):

  • wireless — added WMM power save support for mobile devices;
  • firewall — sip helper improved, large packets no longer dropped;
  • fixed encryption 'out of order' problem on SMP systems;
  • email — fix sending multiple consecutive emails;
  • fixed router lockup on leap seconds with installed ntp package;
  • ccr — made hardware watchdog work again (was broken since v6.26);
  • console — allow users with 'policy' policy to change script owner;
  • icmp — use receive interface address when responding with icmp errors;
  • ipsec — fail ph2 negotiation when initiator proposed key length does not match proposal configuration;
  • timezone — updated timezone information to 2015e release;
  • ssh — added option '/ip ssh strong-crypto';
  • wireless — improve ac radio coexistence with other wireless clients, optimized transmit times to not interfere with other devices;
  • console — values of $".id", $".nextid" and $".dead" are available for use in 'print where' expressions;
  • console — ':execute' command now accepts script source in "{}" braces, like '/system scripts add source=' does;
  • console — ':execute' command now returns internal number of running job, that can be used to check and stop execution. For example:

      :local j [:execute {/interface print follow where [:log info "$name"]}]
      :delay 10s
      :do { /system script job remove $j } on-error={}

  • console — firewall 'print' commands now show all entries including dynamic, 'all' argument now has no effect;
  • ipsec — increase replay window to 128;
  • fixed file transfer on devices with large RAM memory;
  • pptp — fixed "encryption got out of sync" problem;
  • ppp — disable vj tcp header compression;
  • api — reduce api tcp connection keepalive delay to 30 seconds, will timeout idle connections in about 5 minutes;
  • pptp & l2tp & sstp client: support the case where server issues its tunnel ip address the same as its public one;
  • removed wireless package from routeros bundle package, new wireless-fp is left in place and wireless-cm2 added as option;
  • pptp & l2tp client: when adding default route, add special exception route for a tunnel itself (no need to add it manually anymore);
  • improved connection list: added connection packet/byte counters, added separate counters for fasttrack, added current rate display, added flag whether connection is fasttracked/srcnated/dstnated, removed 2048 connection entry limit;
  • tunnels — eoip, eoipv6, gre, gre6, ipip, ipipv6, 6to4 tunnels have new property — ipsec-secret — for easy setup of ipsec encryption and authentication;
  • firewall — added ipsec-policy matcher to check whether packet was/will be ipsec processed or not;
  • possibility to disable route cache — improves DDOS attack handling performance up to 2x (note that ipv4 fastpath depends on route cache);
  • fasttrack — added dummy firewall rule in filter and mangle tables to show packets/bytes that get processed in fasttrack and bypass firewall;
  • fastpath — vlan interfaces support fastpath;
  • fastpath — partial support for bonding interfaces (rx only);
  • fastpath — vrrp interfaces support fastpath;
  • fixed memory leak on CCR devices (introduced in 6.28);
  • lte — improved modem identification to better support multiple identical modems;
  • snmp — fix system scripts table;

The primary purpose of the Nextcloud server-side encryption is to protect users’ files on remote storage, such as Dropbox and Google Drive, and to do it easily and seamlessly from within Nextcloud.

In Nextcloud 9.0 the server-side encryption separates encryption of local and remote storage. This allows you to encrypt remote storage, such as Dropbox and Google, without having to also encrypt your home storage on your Nextcloud server.

Starting with Nextcloud 9.0 we support Authenticated Encryption for all newly encrypted files. See https://hackerone.com/reports/108082 for more technical information about the impact.

For maximum security make sure to configure external storage with “Check for changes: Never”. This will let Nextcloud ignore new files not added via Nextcloud, so a malicious external storage administrator could not add new files to the storage without your knowledge. Of course, this is not wise if your external storage is subject to legitimate external changes.

Nextcloud server-side encryption encrypts files stored on the Nextcloud server, and files on remote storage that is connected to your Nextcloud server. Encryption and decryption are performed on the Nextcloud server. All files sent to remote storage will be encrypted by the Nextcloud server, and upon retrieval, decrypted before serving them to you and anyone you have shared them with.

Encrypting files increases their size by roughly 35%, so you must take this into account when you are provisioning storage and setting storage quotas. Users' quotas are based on the unencrypted file size, not the encrypted file size.

When files on external storage are encrypted in Nextcloud, you cannot share them directly from the external storage services, but only through Nextcloud sharing because the key to decrypt the data never leaves the Nextcloud server.

Nextcloud's server-side encryption generates a strong encryption key, which is unlocked by users' passwords. Your users don't need to track an extra password, but simply log in as they normally do. It encrypts only the contents of files, not filenames and directory structures.

You should regularly backup all encryption keys to prevent permanent data loss. The encryption keys are stored in the following directories:

  data/<user>/files_encryption   Users' private keys and all other keys necessary to decrypt the users' files
  data/files_encryption          Private keys and all other keys necessary to decrypt the files stored on a system-wide external storage

When encryption is enabled, all files are encrypted and decrypted by the Nextcloud application, and stored encrypted on your remote storage. This protects your data on externally hosted storage. The Nextcloud admin and the storage admin will see only encrypted files when browsing backend storage.

Encryption keys are stored only on the Nextcloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading users' files. That would require client-side encryption, which this app does not provide. If your Nextcloud server is not connected to any external storage services then it is better to use other encryption tools, such as file-level or whole-disk encryption.

Note also that SSL terminates at or before Apache on the Nextcloud server, and all files exist in an unencrypted state between the SSL connection termination and the Nextcloud code that encrypts and decrypts them. This is also potentially exploitable by anyone with administrator access to your server. Read "How Nextcloud uses encryption to protect your data" for more information.

Before enabling encryption

Plan very carefully before enabling encryption, because it is not reversible via the Nextcloud Web interface. If you lose your encryption keys your files are not recoverable. Always have backups of your encryption keys stored in a safe location, and consider enabling all recovery options.

You have more options via the occ command (see "occ encryption commands" below).

Enabling encryption

Nextcloud encryption consists of two parts. The base encryption system is enabled and disabled on your Admin page. First you must enable this, and then select an encryption module to load. Currently the only available encryption module is the Nextcloud Default Encryption Module.

First go to the Server-side encryption section of your Admin page and check Enable server-side encryption. You have one last chance to change your mind.

After clicking the Enable Encryption button you see the message “No encryption module loaded, please load a encryption module in the app menu”, so go to your Apps page to enable the Nextcloud Default Encryption Module.

Return to your Admin page to see the Nextcloud Default Encryption Module added to the module selector, and automatically selected. Now you must log out and then log back in to initialize your encryption keys.

When you log back in, there is a checkbox for enabling encryption on your home storage. This is checked by default. Un-check to avoid encrypting your home storage.

Sharing encrypted files

After encryption is enabled your users must also log out and log back in to generate their personal encryption keys. They will see a yellow warning banner that says “Encryption App is enabled but your keys are not initialized, please log-out and log-in again.”

Share owners may need to re-share files after encryption is enabled; users trying to access the share will see a message advising them to ask the share owner to re-share the file with them. For individual shares, un-share and re-share the file. For group shares, share with any individuals who can’t access the share. This updates the encryption, and then the share owner can remove the individual shares.

Encrypting external mountpoints

You and your users can encrypt individual external mountpoints. You must have external storage enabled on your Admin page, and enabled for your users.

Encryption settings can be configured in the mount options for an external storage mount; see "Mount options" in Configuring External Storage (GUI).

Enabling users' file recovery keys

If you lose your Nextcloud password, then you lose access to your encrypted files. If one of your users loses their Nextcloud password their files are unrecoverable. You cannot reset their password in the normal way; you’ll see a yellow banner warning “Please provide an admin recovery password, otherwise all user data will be lost”.

To avoid all this, create a Recovery Key. Go to the Encryption section of your Admin page and set a recovery key password.

Then your users have the option of enabling password recovery on their Personal pages. If they do not do this, then the Recovery Key won’t work for them.

For users who have enabled password recovery, give them a new password and recover access to their encrypted files by supplying the Recovery Key on the Users page.

You may change your Recovery Key password.

occ encryption commands

If you have shell access you may use the occ command to perform encryption operations, and you have additional options such as decryption and creating a single master encryption key. See the Encryption section of the occ documentation for detailed instructions on using occ.

Get the current status of encryption and the loaded encryption module with occ encryption:status.

occ encryption:enable is equivalent to checking Enable server-side encryption on your Admin page.

List the available encryption modules with occ encryption:list-modules.

Select a different default encryption module (currently the only available module is OC_DEFAULT_MODULE) with occ encryption:set-default-module [module]. The [module] is taken from the encryption:list-modules command.

occ encryption:encrypt-all encrypts all data files for all users. For performance reasons, when you enable encryption on a Nextcloud server only new and changed files are encrypted; this command gives you the option to encrypt all files. When you type y it creates a key pair for each of your users, and then encrypts their files, displaying progress until all user files are encrypted.

occ encryption:decrypt-all decrypts all user data files, or optionally a single user's files when given a user name.

occ encryption:show-key-storage-root shows the current location of the keys.

occ encryption:change-key-storage-root moves the keys to a different folder, either locally or on a different server. The folder must already exist, be owned by root and your HTTP group, and be restricted to root and your HTTP group. Further, the folder needs to be located somewhere in your Nextcloud data folder, either physically or as a mount. Note that the new folder is given relative to your occ directory.

occ encryption:enable-master-key creates a new master key. Use this when you have a single-sign-on infrastructure. Use it only on fresh installations with no existing data, or on systems where encryption has not already been enabled. It is not possible to disable it afterwards.
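The key directories listed earlier are the only way back into encrypted data, and the key-move command above depends on you having prepared the target correctly: it must already exist, sit inside the Nextcloud data directory, and be owned by root and the HTTP group with no access for anyone else. The following is an added example, not Nextcloud code: it locates every files_encryption directory under a data directory and archives them, and checks a candidate key root against those requirements before you point occ at it. The data-directory layout is constructed in a temporary directory; because the example runs unprivileged, the current user stands in for root and the data directory's group for the HTTP group.

```python
"""Added example, not Nextcloud code: back up every encryption key directory
and check a candidate key-storage root against the requirements stated in the
text (exists, inside the data directory, owner root, group = HTTP group, mode
0770). The data-directory layout in demo() is constructed in a temp directory."""
import os
import stat
import tarfile
import tempfile


def find_key_dirs(data_dir: str) -> list:
    """data/<user>/files_encryption (per-user keys) and data/files_encryption
    (keys for system-wide external storage), as listed in the text above."""
    found = []
    for root, dirs, _files in os.walk(data_dir):
        if "files_encryption" in dirs:
            found.append(os.path.join(root, "files_encryption"))
            dirs.remove("files_encryption")      # no need to descend into a key dir
    return sorted(found)


def backup_keys(data_dir: str, archive_path: str) -> list:
    """Archive every key directory, preserving its path relative to data_dir."""
    key_dirs = find_key_dirs(data_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for d in key_dirs:
            tar.add(d, arcname=os.path.relpath(d, data_dir))
    return key_dirs


def check_key_root(new_root: str, data_dir: str, http_gid: int, root_uid: int = 0) -> list:
    """Return the reasons new_root is unsafe to pass to
    occ encryption:change-key-storage-root; an empty list means it passes."""
    try:
        st = os.stat(new_root)
    except FileNotFoundError:
        return ["does not exist (the folder must already exist)"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    real_root, real_data = os.path.realpath(new_root), os.path.realpath(data_dir)
    if os.path.commonpath([real_root, real_data]) != real_data:
        problems.append("not inside the Nextcloud data directory")
    if st.st_uid != root_uid:
        problems.append(f"owner uid {st.st_uid}, expected {root_uid}")
    if st.st_gid != http_gid:
        problems.append(f"group gid {st.st_gid}, expected HTTP group gid {http_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o770:
        problems.append(f"mode {mode:04o}, expected 0770 (root and HTTP group only)")
    return problems


def demo() -> dict:
    """Constructed layout: two users with keys, a system-wide key dir, a good
    candidate key root inside data/ and a bad one outside it with mode 0775."""
    base = tempfile.mkdtemp()
    data = os.path.join(base, "data")
    for sub in ("alice/files", "alice/files_encryption", "bob/files_encryption", "files_encryption"):
        os.makedirs(os.path.join(data, sub))
    good = os.path.join(data, "keys")
    os.makedirs(good)
    os.chmod(good, 0o770)                      # set explicitly: makedirs honours umask
    bad = os.path.join(base, "keys-outside")
    os.makedirs(bad)
    os.chmod(bad, 0o775)
    # Unprivileged run: the current user stands in for root and the data
    # directory's group for the HTTP group (www-data on Debian/Ubuntu).
    uid, gid = os.getuid(), os.stat(data).st_gid
    archive = os.path.join(base, "nextcloud-keys.tar.gz")
    archived = backup_keys(data, archive)
    with tarfile.open(archive) as tar:
        members = sorted(tar.getnames())
    return {
        "archived": [os.path.relpath(d, data) for d in archived],
        "archive_members": members,
        "good": check_key_root(good, data, http_gid=gid, root_uid=uid),
        "bad": check_key_root(bad, data, http_gid=gid, root_uid=uid),
    }


if __name__ == "__main__":
    print(demo())
```

On a real server, pass the HTTP group's gid (for example `grp.getgrnam("www-data").gr_gid`) and leave `root_uid` at 0; store the archive somewhere outside the data directory and outside any external storage that the keys protect.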

Disabling encryption

You may disable encryption only with occ. Make sure you have backups of all encryption keys, including users'. Put your Nextcloud server into maintenance mode (occ maintenance:mode --on), and then disable your encryption module with occ encryption:disable.

Take it out of maintenance mode when you are finished with occ maintenance:mode --off.

Files not encrypted

Only the data in the files in data/<user>/files is encrypted, not the filenames or folder structures. These files are never encrypted:

  • Existing files in the trash bin (only new and changed files after encryption is enabled are encrypted)
  • Existing files in Versions
  • Image thumbnails from the Gallery app
  • Previews from the Files app
  • The search index from the full text search app
  • Third-party app data

There may be other files that are not encrypted; only files that are exposed to third-party storage providers are guaranteed to be encrypted.

LDAP and other external user back-ends

If you use an external user back-end, such as an LDAP or Samba server, and you change a user’s password on the back-end, the user will be prompted to change their Nextcloud login to match on their next Nextcloud login. The user will need both their old and new passwords to do this. If you have enabled the Recovery Key then you can change a user’s password in the Nextcloud Users panel to match their back-end password, and then, of course, notify the user and give them their new password.

Everything was working fine! In theory there were no changes on the MikroTik (the VPN server). On the VPN client there were definitely no changes. But the MikroTik log keeps showing the message "tcp connection established from *.*.*.*", every second. Empirically we found that it is that same client knocking; it cannot bring up the PPTP session.
In the debug log:
TCP connection established from *.*.*.*
: LCP lowerdown
: LCP down event in initial state
: rcvd LCP EchoReq > .

But once a day it does manage to bring up the session, at 6 in the morning, sometimes at 4, for a short while. Then it drops again. Rebooting the MikroTik or the client does not help. The other clients work as before, without failures.


The "problem", if it can be called that, is solved. The PPTP client was a camera on a pole + a TL-MR3220 (with OpenWRT) + a Megafon E3372h USB modem in HiLink mode.
At some point the camera used up its 30 GB monthly limit and traffic stopped flowing; but Megafon does not simply cut off the internet, as I understand it, it drops the speed to the minimum, so HELLO packets get through but there is not enough for anything more.

A new month began, traffic was added to the account, and everything worked fine again.

I have a MediaTek 7620N-based router and have built a custom image for it from Chaos Calmer 15.05 sources, with the xl2tpd package responsible for L2TP connections. When connecting to a Mikrotik server with the router as a client, L2TP works fine and shows the following log on startup:

Fri Nov 17 06:24:26 2017 daemon.info pppd[24303]: Plugin pppol2tp.so loaded.
Fri Nov 17 06:24:26 2017 daemon.notice pppd[24303]: pppd 2.4.7 started by root, uid 0
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: using channel 106
Fri Nov 17 06:24:26 2017 kern.info kernel: [ 8805.760000] l2tp-vpn: renamed from ppp0
Fri Nov 17 06:24:26 2017 daemon.info pppd[24303]: Using interface l2tp-vpn
Fri Nov 17 06:24:26 2017 daemon.notice pppd[24303]: Connect: l2tp-vpn <--> 
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: PPPoL2TP options: debugmask 0
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7872e558>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: sent [LCP ConfReq id=0x2 <magic 0x7872e558>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: rcvd [LCP ConfAck id=0x2 <magic 0x7872e558>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <mru 1462> <magic 0xdc900d23>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: sent [LCP ConfAck id=0x2 <auth chap MS-v2> <mru 1462> <magic 0xdc900d23>]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: PPPoL2TP options: debugmask 0
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: sent [LCP EchoReq id=0x0 magic=0x7872e558]
Fri Nov 17 06:24:26 2017 daemon.debug pppd[24303]: rcvd [CHAP Challenge id=0x1 <28bdc5fc67b38242f821425b4b94a422>, name = "MikroTik"]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: added response cache entry 0
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: sent [CHAP Response id=0x1 <8722d010e077633dfe80a3131f19401200000000000000001124688346fc4ed8b1b57897e7da7becf2892061a29e72e800>, name = "admin"]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: rcvd [LCP EchoRep id=0x0 magic=0xdc900d23]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: rcvd [CHAP Success id=0x1 "S=A48E289301FE5053261061B8088F221A8466A68D"]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: response found in cache (entry 0)
Fri Nov 17 06:24:27 2017 daemon.notice pppd[24303]: CHAP authentication succeeded
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: rcvd [IPCP ConfReq id=0x1 <addr 10.10.0.193>]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: sent [IPCP TermAck id=0x1]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: rcvd [proto=0x8281] 01 01 00 04
Fri Nov 17 06:24:27 2017 daemon.warn pppd[24303]: Unsupported protocol 0x8281 received
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: rcvd [IPCP ConfReq id=0x2 <addr 10.10.0.193>]
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: sent [IPCP ConfAck id=0x2 <addr 10.10.0.193>]
Fri Nov 17 06:24:27 2017 daemon.notice pppd[24303]: local  IP address 10.10.0.244
Fri Nov 17 06:24:27 2017 daemon.notice pppd[24303]: remote IP address 10.10.0.193
Fri Nov 17 06:24:27 2017 daemon.notice pppd[24303]: primary   DNS address 8.8.8.8
Fri Nov 17 06:24:27 2017 daemon.notice pppd[24303]: secondary DNS address 109.71.32.10
Fri Nov 17 06:24:27 2017 daemon.debug pppd[24303]: Script /lib/netifd/ppp-up started (pid 24335)
Fri Nov 17 06:24:28 2017 daemon.notice netifd: Network device 'l2tp-vpn' link is up
Fri Nov 17 06:24:28 2017 daemon.notice netifd: Interface 'vpn' is now up
Fri Nov 17 06:24:28 2017 daemon.info dnsmasq[23609]: reading /tmp/resolv.conf.auto
Fri Nov 17 06:24:28 2017 daemon.info dnsmasq[23609]: using local addresses only for domain lan
Fri Nov 17 06:24:28 2017 daemon.info dnsmasq[23609]: using nameserver 8.8.8.8#53
Fri Nov 17 06:24:28 2017 daemon.info dnsmasq[23609]: using nameserver 109.71.32.10#53
Fri Nov 17 06:24:28 2017 daemon.info dnsmasq[23609]: using nameserver 10.10.1.1#53
Fri Nov 17 06:24:28 2017 daemon.debug pppd[24303]: Script /lib/netifd/ppp-up finished (pid 24335), status = 0x0

But then the connection is constantly terminating, with the following messages shown in the log:

Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x1ac2] 68 39 cc c0 eb db bb 71 32 b5 88 35 1d 0c 51 b5 71 5a 4f bc 66 56 b7 b3 b0 2c 2d 19 aa 45 04 a4 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x1ac2 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x4 1a c2 68 39 cc c0 eb db bb 71 32 b5 88 35 1d 0c 51 b5 71 5a 4f bc 66 56 b7 b3 b0 2c 2d 19 aa 45 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x7] c5 a1 75 f3 a6 81 d7 fb a7 21 95 6c 81 c9 2c d3 9f 66 46 04 01 98 6b b7 f1 74 c9 1c d0 df 26 f6 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x7 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x5 00 07 c5 a1 75 f3 a6 81 d7 fb a7 21 95 6c 81 c9 2c d3 9f 66 46 04 01 98 6b b7 f1 74 c9 1c d0 df ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xf9] 58 fe 81 b5 41 9c f3 1e cb b5 f4 b2 6e f4 8c 00 db 00 bb 14 dc e7 3d 69 d3 3d dc 24 ac 64 af 05 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xf9 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x6 00 f9 58 fe 81 b5 41 9c f3 1e cb b5 f4 b2 6e f4 8c 00 db 00 bb 14 dc e7 3d 69 d3 3d dc 24 ac 64 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x41] f6 eb bf 71 ae 6d 13 ae 38 c7 7b cb 1d e7 76 2e 5a 63 07 e4 ad 1f c5 b0 73 93 83 0b 12 4d b0 79 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x41 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x7 00 41 f6 eb bf 71 ae 6d 13 ae 38 c7 7b cb 1d e7 76 2e 5a 63 07 e4 ad 1f c5 b0 73 93 83 0b 12 4d ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x6482] 6c 2d 49 b9 24 64 c9 f9 14 43 d4 cf bd c3 f6 2f 38 bb d0 79 46 9e 92 b9 54 3c 20 f4 c3 5f 90 f4 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x6482 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x8 64 82 6c 2d 49 b9 24 64 c9 f9 14 43 d4 cf bd c3 f6 2f 38 bb d0 79 46 9e 92 b9 54 3c 20 f4 c3 5f ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x8f] 63 3c 90 eb 63 4b e9 ba c9 d5 46 e5 01 5a 23 a6 32 69 ad 99 a6 f5 e0 59 e7 5a 86 01 88 fd f6 8f ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x8f received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x9 00 8f 63 3c 90 eb 63 4b e9 ba c9 d5 46 e5 01 5a 23 a6 32 69 ad 99 a6 f5 e0 59 e7 5a 86 01 88 fd ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x1655] f6 c6 56 ab 16 66 2b 45 d7 c5 c0 7d 3a be 86 46 52 e8 79 09 5b fd 49 3b 9f b7 c2 e5 3e c2 9a 69 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x1655 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0xa 16 55 f6 c6 56 ab 16 66 2b 45 d7 c5 c0 7d 3a be 86 46 52 e8 79 09 5b fd 49 3b 9f b7 c2 e5 3e c2 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xaac3] 1c 5a 97 0c 4c a5 fc b0 83 b8 19 2a a0 dc 90 15 74 1d 25 1b 72 64 9b 6f 70 cc 7e 92 99 3b cb d3 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xaac3 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0xb aa c3 1c 5a 97 0c 4c a5 fc b0 83 b8 19 2a a0 dc 90 15 74 1d 25 1b 72 64 9b 6f 70 cc 7e 92 99 3b ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xdf] 96 dc a7 d6 7e 83 cb d9 b7 38 52 ad 5b f5 79 15 d5 71 76 c0 70 3a 14 c2 de 0a 48 12 21 19 13 d4 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xdf received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0xc 00 df 96 dc a7 d6 7e 83 cb d9 b7 38 52 ad 5b f5 79 15 d5 71 76 c0 70 3a 14 c2 de 0a 48 12 21 19 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xceb4] 9a d4 95 b8 ad 02 88 6a 41 af bb 23 0a b0 06 1c e5 e0 60 55 ee bd 74 79 f4 c9 50 a1 8a ed d1 fd ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xceb4 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xfe13] 73 d4 7f a9 b6 38 c0 fc 84 b7 d9 d0 63 ce be 56 9b 11 e3 58 c1 e6 3f ad 14 6a 8d e1 88 16 6e 30 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xfe13 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x17 fe 13 73 d4 7f a9 b6 38 c0 fc 84 b7 d9 d0 63 ce be 56 9b 11 e3 58 c1 e6 3f ad 14 6a 8d e1 88 16 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xe816] 0a ca 25 2a fb 17 98 82 84 f0 89 6e ba 55 34 07 80 15 6a 3d 23 11 dd e7 e2 24 7e 51 1e 0b 5b 2b ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xe816 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x18 e8 16 0a ca 25 2a fb 17 98 82 84 f0 89 6e ba 55 34 07 80 15 6a 3d 23 11 dd e7 e2 24 7e 51 1e 0b ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xd7] 14 94 7b 52 0d 41 23 80 d7 b9 f4 86 2a cd 3c fa 80 77 15 88 fe 8c a5 51 3d fd ca a0 77 c1 ef ac ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xd7 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x19 00 d7 14 94 7b 52 0d 41 23 80 d7 b9 f4 86 2a cd 3c fa 80 77 15 88 fe 8c a5 51 3d fd ca a0 77 c1 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0x5d] 34 8b 6c d0 79 33 ba 49 af c9 dd 41 57 89 05 2f b3 64 66 71 a2 93 98 be 80 d2 58 64 ca a7 d0 f0 ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0x5d received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x1a 00 5d 34 8b 6c d0 79 33 ba 49 af c9 dd 41 57 89 05 2f b3 64 66 71 a2 93 98 be 80 d2 58 64 ca a7 ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [proto=0xa1] 35 83 8a af 16 ba 98 bb b7 c1 d4 23 8e 32 60 4c bd 6e 3c 5d 0f 47 3e 5b dd 20 ca 7c 36 ee 29 ca ...
Fri Nov 17 06:29:13 2017 daemon.warn pppd[25557]: Unsupported protocol 0xa1 received
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: sent [LCP ProtRej id=0x1b 00 a1 35 83 8a af 16 ba 98 bb b7 c1 d4 23 8e 32 60 4c bd 6e 3c 5d 0f 47 3e 5b dd 20 ca 7c 36 ee ...]
Fri Nov 17 06:29:13 2017 daemon.debug pppd[25557]: rcvd [CCP TermReq id=0x2"Encryption got out of sync"]
Fri Nov 17 06:29:13 2017 daemon.info pppd[25557]: CCP terminated by peer (Encryption got out of sync)
Fri Nov 17 06:29:13 2017 daemon.err pppd[25557]: MPPE disabled
Fri Nov 17 06:29:13 2017 daemon.info pppd[25557]: Connect time 0.2 minutes.
Fri Nov 17 06:29:13 2017 daemon.info pppd[25557]: Sent 26602 bytes, received 1084491 bytes.
Fri Nov 17 06:29:13 2017 daemon.notice netifd: Network device 'l2tp-vpn' link is down

And then L2TP reconnects. These constant reconnections make the Internet connection very unstable.

PPP options are default, and L2TP options are created by /lib/netifd/proto/l2tp.sh, where I added a few lines to the default options:

mppe required,no56,no40,stateless
novj
novjccomp
nopcomp
noaccomp

So the main problem is that PPP receives a lot of unsupported protocol requests from the server, then CCP compression "gets out of sync", and after that MPPE gets disabled and the connection is terminated.
On the other hand, PPTP works absolutely fine using MPPE encryption and CCP compression.
When I disable MPPE and CCP with the 'noccp' option, L2TP works fine, but without encryption it is unsafe.
So can anyone help me fix this problem? Any help is appreciated.
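Both posts on this page show the same sequence: the peer starts protocol-rejecting nonsense protocol numbers, then CCP is closed with "Encryption got out of sync" and MPPE is disabled. With MPPE in stateless mode (the `stateless` option in the pppd configuration above), the RC4 key changes before every packet and the 12-bit coherency counter in the MPPE header tells the receiver how many key changes to catch up on. The model below is an added example, not code from either post, from MikroTik or from pppd. It implements the RFC 3078 key-change rule (SHA-1 over master key, pad, session key, pad; then RC4 of the interim key with itself) and a receiver with the naive catch-up loop, and shows that packet loss is tolerated while one packet arriving late, with a counter lower than the last one seen, leaves the receiver's key chain permanently ahead of the sender's: every later packet decrypts to random bytes whose first two octets are read as a random protocol number, exactly the ProtRej storm in the logs. `drop_late=True` models the alternative of discarding late packets. The receiver logic is a simplified model of those two strategies, not a copy of any implementation, and the master key and packets are constructed test data; the page does not establish that reordering was the cause in either post.

```python
"""Added example (not code from the posts, MikroTik or pppd): a model of MPPE
stateless-mode key synchronisation, showing how a reordered packet ends in
"Encryption got out of sync". Key change follows RFC 3078; the receiver's
catch-up loop and the drop-late hardening are simplified models. The master
key and packets are constructed test data."""
import hashlib

SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40
CCOUNT_SPACE = 4096            # 12-bit coherency counter wraps here
FLAG_FLUSHED = 0x8000          # bit A: key was changed before this packet
FLAG_ENCRYPTED = 0x4000        # bit B
PROTO_IP = 0x0021


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4. A fresh keystream per call matches stateless MPPE, which
    re-keys, and so restarts the cipher, before every packet."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def new_key_from_sha(master: bytes, session: bytes) -> bytes:
    """GetNewKeyFromSHA from RFC 3078."""
    return hashlib.sha1(master + SHA_PAD1 + session + SHA_PAD2).digest()[:len(master)]


class MppeEndpoint:
    """One direction of an MPPE session. drop_late=True enables the receiver
    hardening that discards packets whose counter went backwards."""

    def __init__(self, master_key: bytes, drop_late: bool = False):
        self.master = master_key
        self.session_key = new_key_from_sha(master_key, master_key)   # initial key
        self.ccount = 0
        self.drop_late = drop_late

    def rekey(self) -> None:
        interim = new_key_from_sha(self.master, self.session_key)
        self.session_key = rc4(interim, interim)       # RFC 3078 ChangeKey
        self.ccount = (self.ccount + 1) % CCOUNT_SPACE

    def encrypt(self, proto: int, payload: bytes) -> bytes:
        """Stateless sender: advance the key, then encrypt protocol id + payload."""
        self.rekey()
        header = (FLAG_FLUSHED | FLAG_ENCRYPTED | self.ccount).to_bytes(2, "big")
        return header + rc4(self.session_key, proto.to_bytes(2, "big") + payload)

    def decrypt(self, packet: bytes):
        """Return (proto, payload), or None when a late packet is discarded."""
        ccount = int.from_bytes(packet[:2], "big") % CCOUNT_SPACE
        if self.drop_late and (ccount - self.ccount) % CCOUNT_SPACE > CCOUNT_SPACE // 2:
            return None                                # counter went backwards: late, not lost
        # Catch-up loop: re-key until the counters agree. Loss is harmless (a
        # few extra re-keys). A late packet is not: the loop cannot step back,
        # so it walks 4095 steps round the counter space and the key chain is
        # then permanently ahead of the sender. Every later packet decrypts to
        # random bytes, which the peer reports as an unsupported protocol.
        while self.ccount != ccount:
            self.rekey()
        clear = rc4(self.session_key, packet[2:])
        return int.from_bytes(clear[:2], "big"), clear[2:]


def deliver(order, drop_late=False, master_key=bytes(range(16))):
    """Encrypt six IP packets, deliver them in `order` (indices 0-5, any subset,
    any order) and return what the receiver decoded for each, in delivery order."""
    tx = MppeEndpoint(master_key)
    rx = MppeEndpoint(master_key, drop_late)
    wire = [tx.encrypt(PROTO_IP, b"ip packet %d" % n) for n in range(6)]
    return [rx.decrypt(wire[i]) for i in order]


def expected(n: int):
    return PROTO_IP, b"ip packet %d" % n


if __name__ == "__main__":
    for r in deliver([0, 1, 2, 4, 3, 5]):              # packets 3 and 4 swapped on the wire
        print("proto=0x%04x payload=%r" % r)
```

After the swapped packet the naive receiver reports protocol numbers that look like the 0x1ac2 or 0xf605 in the logs; with `drop_late=True` the late packet is dropped and the stream recovers on the next packet, which is the behaviour a stateless receiver needs when the path (or the sending host) can reorder.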

Posts like this are better put on Twitter: no release notes under a cut, no explanation of the release notes. What is the point?


*) pptp & l2tp client: when adding default route, add special exception route for a tunnel itself (no need to add it manually anymore); — it took them all these years to deliver this one....

