VPNs to hosts resolving to multiple IPs often fail

Bug #579168 reported by Aurélien Dominguez
This bug affects 7 people

Affects | Status | Importance | Assigned to | Milestone
network-manager-pptp (Ubuntu) | Triaged | Medium | Unassigned |
pptp-linux (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Binary package hint: network-manager

I tried to set up the ipredator VPN via Network Manager on Ubuntu Lucid Lynx 10.04 64-bit and, like a few other users, as I could see on several forums, if I store the password in the keyring, it just doesn't try to connect.
Knowing that, I disabled the keyring, and then was prompted for the password; then it tried to connect but failed with a connection timed out error...
I had to put the IP address of vpn.ipredator.se instead of the hostname for it to work...
I checked, it is not a problem with my ISP DNS server:

doki@doki-desktop:~$ nslookup vpn.ipredator.se
Server: 93.182.182.85
Address: 93.182.182.85#53

Non-authoritative answer:
Name: vpn.ipredator.se
Address: 93.182.146.2
Name: vpn.ipredator.se
Address: 93.182.147.2
Name: vpn.ipredator.se
Address: 93.182.148.2
Name: vpn.ipredator.se
Address: 93.182.149.2
Name: vpn.ipredator.se
Address: 93.182.150.2
Name: vpn.ipredator.se
Address: 93.182.151.2
Name: vpn.ipredator.se
Address: 93.182.152.2
Name: vpn.ipredator.se
Address: 93.182.153.2
Name: vpn.ipredator.se
Address: 93.182.164.2
Name: vpn.ipredator.se
Address: 93.182.179.2
Name: vpn.ipredator.se
Address: 93.182.180.2
Name: vpn.ipredator.se
Address: 93.182.181.2
Name: vpn.ipredator.se
Address: 93.182.185.2
Name: vpn.ipredator.se
Address: 93.182.186.2
Name: vpn.ipredator.se
Address: 93.182.187.2
Name: vpn.ipredator.se
Address: 93.182.188.2
Name: vpn.ipredator.se
Address: 93.182.189.2
Name: vpn.ipredator.se
Address: 93.182.190.2
Name: vpn.ipredator.se
Address: 93.182.130.2
Name: vpn.ipredator.se
Address: 93.182.132.2
Name: vpn.ipredator.se
Address: 93.182.133.2

So I don't know if it's a problem with network manager, or with pptp layer, but still, it doesn't seem to be able to resolve this hostname...

If you want me to run some tests/command or if you need more details, just ask :)

Luke Faraone (lfaraone) wrote :

I'm able to reproduce this bug under Lucid.

Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Luke Faraone (lfaraone) wrote :

This also occurs in Ubuntu Maverick as of the current archives. Logs attached.

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
Thomas Praill (thomaspraill) wrote :

This is not an Ubuntu issue. It is also reproducible in Windows 7 and the fix is the same (use IP instead of domain name).

Mathieu Trudel-Lapierre (cyphermox) wrote :

Aurélien, Luke,

Can you still reproduce the issue? I'm not sure what's up exactly with the ipredator.se systems but the syslog looks fine.

If you could reproduce the issue by following the steps at http://live.gnome.org/NetworkManager/Debugging , it would perhaps give a little more information to figure out what happens. Thanks in advance!

Changed in network-manager (Ubuntu):
status: Triaged → Incomplete
Luke Faraone (lfaraone) wrote : Re: [Bug 579168] Re: Connection time out to vpn.ipredator.se

On Fri, Jan 07, 2011 at 04:33:30PM -0000, Mathieu Trudel-Lapierre wrote:
> Can you still reproduce the issue? I'm not sure what's up exactly with
> the ipredator.se systems but the syslog looks fine.

I stopped using ipredator.se, or I'd test.

--
Luke Faraone;; Debian & Ubuntu Developer; Sugar Labs, Systems
lfaraone on irc.[freenode,oftc].net -- http://luke.faraone.cc
PGP fprint: 5189 2A7D 16D0 49BB 046B DC77 9732 5DD8 F9FD D506

Aurélien Dominguez (tenkaistar) wrote :

I'll try it during the week-end, I'll set a reminder ^^

Aurélien Dominguez

On Fri, Jan 7, 2011 at 5:33 PM, Mathieu Trudel-Lapierre <mathieu.tl@gmail.com> wrote:

> Aurélien, Luke,
>
> Can you still reproduce the issue? I'm not sure what's up exactly with
> the ipredator.se systems but the syslog looks fine.
>
> If you could reproduce the issue by following the steps at
> http://live.gnome.org/NetworkManager/Debugging , it would perhaps give a
> little more information to figure out what happens. Thanks in advance!

Aurélien Dominguez (tenkaistar) wrote :

So here is the /var/log/messages output when attempting to connect using vpn.ipredator.se instead of the IP address

Jan 9 20:10:24 doki-desktop pppd[3979]: Plugin /usr/lib/pppd/2.4.5//nm-pptp-pppd-plugin.so loaded.
Jan 9 20:10:24 doki-desktop pppd[3979]: pppd 2.4.5 started by root, uid 0
Jan 9 20:10:24 doki-desktop pppd[3979]: Using interface ppp0
Jan 9 20:10:24 doki-desktop pppd[3979]: Connect: ppp0 <--> /dev/pts/1
Jan 9 20:10:26 doki-desktop pppd[3979]: CHAP authentication succeeded
Jan 9 20:10:26 doki-desktop pppd[3979]: MPPE 128-bit stateless compression enabled
Jan 9 20:10:26 doki-desktop pppd[3979]: local IP address 93.182.181.186
Jan 9 20:10:26 doki-desktop pppd[3979]: remote IP address 93.182.181.2
Jan 9 20:10:26 doki-desktop pppd[3979]: primary DNS address 93.182.182.85
Jan 9 20:10:26 doki-desktop pppd[3979]: secondary DNS address 93.182.182.85
Jan 9 20:11:06 doki-desktop pppd[3979]: Terminating on signal 15
Jan 9 20:11:06 doki-desktop pppd[3979]: Connect time 0.7 minutes.
Jan 9 20:11:06 doki-desktop pppd[3979]: Sent 0 bytes, received 11313 bytes

Aurélien Dominguez (tenkaistar) wrote : Re: Connection time out to vpn.ipredator.se

 It seems that a part of my mail reply was lost by the post office ^^ Here it is again, full size :)

So here is the /var/log/messages output when attempting to connect using vpn.ipredator.se instead of the IP address

Jan 9 20:10:24 doki-desktop pppd[3979]: Plugin /usr/lib/pppd/2.4.5//nm-pptp-pppd-plugin.so loaded.
Jan 9 20:10:24 doki-desktop pppd[3979]: pppd 2.4.5 started by root, uid 0
Jan 9 20:10:24 doki-desktop pppd[3979]: Using interface ppp0
Jan 9 20:10:24 doki-desktop pppd[3979]: Connect: ppp0 <--> /dev/pts/1
Jan 9 20:10:26 doki-desktop pppd[3979]: CHAP authentication succeeded
Jan 9 20:10:26 doki-desktop pppd[3979]: MPPE 128-bit stateless compression enabled
Jan 9 20:10:26 doki-desktop pppd[3979]: local IP address 93.182.181.186
Jan 9 20:10:26 doki-desktop pppd[3979]: remote IP address 93.182.181.2
Jan 9 20:10:26 doki-desktop pppd[3979]: primary DNS address 93.182.182.85
Jan 9 20:10:26 doki-desktop pppd[3979]: secondary DNS address 93.182.182.85
Jan 9 20:11:06 doki-desktop pppd[3979]: Terminating on signal 15
Jan 9 20:11:06 doki-desktop pppd[3979]: Connect time 0.7 minutes.
Jan 9 20:11:06 doki-desktop pppd[3979]: Sent 0 bytes, received 11313 bytes.
Jan 9 20:11:06 doki-desktop pppd[3979]: Child process /usr/sbin/pptp vpn.ipredator.se --nolaunchpppd --loglevel 0 --logstring nm-pptp-service-3976 (pid 3981) terminated with signal 15
Jan 9 20:11:06 doki-desktop pppd[3979]: Connection terminated.
Jan 9 20:11:06 doki-desktop pppd[3979]: Exit.

And /var/log/daemon :

Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> Starting VPN service 'org.freedesktop.NetworkManager.pptp'...
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> VPN service 'org.freedesktop.NetworkManager.pptp' started (org.freedesktop.NetworkManager.pptp), PID 3976
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> VPN service 'org.freedesktop.NetworkManager.pptp' appeared, activating connections
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> VPN plugin state changed: 1
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> VPN plugin state changed: 3
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Jan 9 20:10:24 doki-desktop modem-manager: (net/ppp0): could not get port's parent device
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Jan 9 20:10:24 doki-desktop NetworkManager[1497]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Jan 9 20:10:24 doki-desktop pptp[3983]: nm-pptp-service-3976 log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Jan 9 20:10:24 doki-desktop pptp[3997]: nm-pptp-service-3976 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Jan 9 20:10:24 doki-desktop pptp[3997]: nm-pptp-service-3976 log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Jan 9 20:10:24 doki-desktop pptp[3997]: nm-pptp-service-3976 log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Jan 9 20:10:25 doki-desktop...


malheum (maxheise) wrote :

I marked my bug #681739 as a duplicate of this one.

malheum (maxheise) wrote :

I have two different laptops with 10.10 installed:

1. New laptop is amd64

2. Old laptop is i386

Putting the FQDN of vpn.ipredator.se in the gateway field of network-manager-pptp works on the second laptop, which is i386. It does not work on the first one. Otherwise the network configurations are the same.

Could it be that network-manager-pptp has a problem resolving the (multiple) IP addresses on 64 bit amd64 ?

What Thomas Praill wrote in #4 is total crap. That is no solution, but only a bad quick fix.

malheum (maxheise) wrote :

There is a thread about this topic here
http://ubuntuforums.org/showthread.php?p=10575345#post10575345

This thread reports that the problem exists with a VPN service from relakks.com, too.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Since we know what the issue is (pptp can choose any IP of the group, and NM isn't aware of which was chosen so the gateway address can't necessarily be correct), I'm marking this Triaged / Medium.

BTW, this bug will need to be opened upstream as well.

Patches welcome, of course. If you want to look into it, it should be something to modify in src/nm-pptp-service.c around line 997, and requires finding a way to ask pptp or have it tell us which gateway address gets used.

affects: network-manager (Ubuntu) → network-manager-pptp (Ubuntu)
Changed in network-manager-pptp (Ubuntu):
status: Incomplete → Triaged
summary: - Connection time out to vpn.ipredator.se
+ VPNs to hosts resolving to multiple IPs often fail
Wladimir Mutel (mwg) wrote :

I would attach this bug to pptp-linux package
Also I will initiate a discussion about RFC8305 support on pptpclient-devel, expect it to appear in their November 2018 archives soon.

Wladimir Mutel (mwg) wrote :

please watch the unfolding discussion (or crickets chirping) -
https://sourceforge.net/p/pptpclient/mailman/pptpclient-devel/?viewmonth=201811

Wladimir Mutel (mwg) wrote :

well, the discussion has unfolded quickly with a negative response from James Cameron (probably the only remaining/active author of pptpclient).
from there, I would see these options of what to do next :
- send more responses voicing user concerns and interest in this feature to the started discussion;
- propose our own patch for get_ip_address function in pptp.c (not sure I am capable enough as a C programmer, but I would start from OpenSSH patch posted at https://groups.google.com/forum/#!topic/opensshunixdev/lErxlPk_MnA as a source for inspiration );
- create some external wrapper for quickly scanning a list of IPs and returning the fastest-responding one to be substituted into pptp command line. For a start, I would use nmap with arguments like these:
nmap --script resolveall --script-args newtargets -PS1723 -sn vpn.server.name # as described at https://serverfault.com/questions/843304/can-nmap-scan-test-all-answers-from-round-robin-dns or at https://security.stackexchange.com/questions/141480/nmap-to-scan-all-resolved-ip-addresses-for-a-given-domain-name
and then process its output in some automated way (I only used it manually and interpreted visually).
this substitution can be usable with pppd configs stored in /etc/ppp/peers but I am unsure if it could be easily integrated into Network Manager setup.
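
Added example, not part of the thread and not code from network-manager-pptp or pptp-linux: a sketch of the external wrapper proposed in the last comment, which also removes the mismatch described in the triage comment by resolving the name once and handing pptp the same literal address the caller will treat as the gateway. The function names are hypothetical; the pptp path and the --nolaunchpppd flag are taken from the log earlier in this report, and the other options NetworkManager passes are left out.

```python
import socket
import time

PPTP_PORT = 1723  # TCP port of the PPTP control connection


def resolve_all(hostname, port=PPTP_PORT):
    """Return every IPv4 address for hostname, de-duplicated, in resolver order."""
    found = []
    for info in socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM):
        if info[4][0] not in found:
            found.append(info[4][0])
    return found


def tcp_probe(address, port=PPTP_PORT, timeout=2.0):
    """Return the TCP connect time in seconds, or None if nothing answers."""
    start = time.monotonic()
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:  # refused, unreachable or timed out
        return None


def pick_gateway(addresses, probe=tcp_probe):
    """Probe each candidate once and return the fastest responder, or None."""
    best_addr, best_rtt = None, None
    for addr in addresses:
        rtt = probe(addr)
        if rtt is not None and (best_rtt is None or rtt < best_rtt):
            best_addr, best_rtt = addr, rtt
    return best_addr


def pinned_pptp_command(hostname, resolver=resolve_all, probe=tcp_probe):
    """Resolve once, choose one address, and build a pptp argv using that literal IP."""
    gateway = pick_gateway(resolver(hostname), probe)
    if gateway is None:
        raise RuntimeError("no address for %s answered on TCP %d" % (hostname, PPTP_PORT))
    # The same address must be used for the pptp argument and for the host route.
    return gateway, ["/usr/sbin/pptp", gateway, "--nolaunchpppd"]


if __name__ == "__main__":
    import sys
    gw, argv = pinned_pptp_command(sys.argv[1])
    print(gw)
    print(" ".join(argv))
```

The returned address is the one to use both as the pptp argument and as the gateway for the host route, so the two can no longer disagree.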
