diff options
-rw-r--r-- | docs/configuration/vpn/sstp.rst | 606 |
1 files changed, 415 insertions, 191 deletions
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index e3f0d32d..b9caa1b3 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -19,50 +19,43 @@ local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. +*********************** +Configuring SSTP Server +*********************** Certificates ============ -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. +Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate .. code-block:: none - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: + vyos@vyos:~$ generate pki ca install CA + +.. code-block:: none + vyos@vyos:~$ generate pki certificate sign CA install Server Configuration ============= +.. code-block:: none + + set vpn sstp authentication local-users username test password 'test' + set vpn sstp authentication mode 'local' + set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' + set vpn sstp default-pool 'SSTP-POOL' + set vpn sstp gateway-address '10.0.0.1' + set vpn sstp ssl ca-certificate 'CA1' + set vpn sstp ssl certificate 'Server' + +.. cfgcmd:: set vpn sstp authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. .. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass> @@ -70,137 +63,185 @@ Configuration Create `<user>` for local authentication on this system. The users password will be set to `<pass>`. -.. cfgcmd:: set vpn sstp authentication local-users username <user> disable +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - Disable `<user>` account. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip - <address> +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> - Assign static IP address to `<user>` account. + Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - download <bandwidth> +.. cfgcmd:: set vpn sstp gateway-address <gateway> - Download bandwidth limit in kbit/s for `<user>`. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - upload <bandwidth> +.. cfgcmd:: set vpn sstp ssl ca-certificate <file> - Upload bandwidth limit in kbit/s for `<user>`. + Name of installed certificate authority certificate. -.. cfgcmd:: set vpn sstp authentication protocols - <pap | chap | mschap | mschap-v2> +.. cfgcmd:: set vpn sstp ssl certificate <file> - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. + Name of installed server certificate. -.. cfgcmd:: set vpn sstp authentication mode <local | radius> +********************************* +Configuring RADIUS authentication +********************************* - Set authentication backend. The configured authentication backend is used - for all queries. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. - * **radius**: All authentication queries are handled by a configured RADIUS - server. - * **local**: All authentication queries are handled locally. +.. code-block:: none + set vpn sstp authentication mode radius -.. cfgcmd:: set vpn sstp gateway-address <gateway> +.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - Specifies single `<gateway>` IP address to be used as local address of PPP - interfaces. + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: -.. cfgcmd:: set vpn sstp port <port> +.. code-block:: none - Specifies the port `<port>` that the SSTP port will listen on (default 443). + set vpn sstp authentication radius server 10.0.0.1 key 'foo' + set vpn sstp authentication radius server 10.0.0.2 key 'foo' +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +RADIUS source address +===================== - Use this command to define the first IP address of a pool of - addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Use this command to define the next address pool name. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. - Use this command to define default address pool name. +RADIUS advanced options +======================= +.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> - mask <number-of-bits> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. +.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> - delegation-prefix <number-of-bits> +.. cfgcmd:: set vpn sstp authentication radius server <server> disable - Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - SSTP. You will have to set your IPv6 pool and the length of the - delegation prefix. From the defined IPv6 pool you will be handing out - networks of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Temporary disable this RADIUS server. +.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> -.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + Timeout to wait reply for Interim-Update packets. (default 3 seconds) - Use this command to define default IPv6 address pool name. +.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp name-server <address> +.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - Connected client should use `<address>` as their DNS server. This - command accepts both IPv4 and IPv6 addresses. Up to two nameservers - can be configured for IPv4, up to three for IPv6. + Port for Dynamic Authorization Extension server (DM/CoA) -Maximum number of IPv4 nameservers +.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> -SSL Certificates ----------------- + Secret for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp ssl ca-cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius max-try <number> - Path to `<file>` pointing to the certificate authority certificate. + Maximum number of tries to send Access-Request/Accounting-Request queries -.. cfgcmd:: set vpn sstp ssl cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - Path to `<file>` pointing to the servers certificate (public portion). + Timeout to wait response from server (seconds) +.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> -PPP Settings ------------- + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. cfgcmd:: set vpn sstp ppp-options disable-ccp +.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - Disable Compression Control Protocol (CCP). - CCP is enabled by default. + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. -.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Specifies number of interfaces to keep in cache. It means that don’t - destroy interface after corresponding session is destroyed, instead - place it to cache and use it later for new sessions repeatedly. - This should reduce kernel-level interface creation/deletion rate lack. - Default value is **0**. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> +.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - Specifies IPv4 negotiation preference. + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. - * **require** - Require IPv4 negotiation - * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects - * **allow** - Negotiate IPv4 only if client requests (Default value) - * **deny** - Do not negotiate IPv4 +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +**** +IPv6 +**** .. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny> Specifies IPv6 negotiation preference. @@ -210,6 +251,48 @@ PPP Settings * **allow** - Negotiate IPv6 only if client requests * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an SSTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + SSTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + SSTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. + +.. code-block:: none + +<<<<<<< HEAD + set vpn sstp authentication local-users username vyos password vyos + set vpn sstp authentication mode local + set vpn sstp gateway-address 192.0.2.254 + set vpn sstp client-ip-pool subnet 192.0.2.0/25 + set vpn sstp name-server 10.0.0.1 + set vpn sstp name-server 10.0.0.2 + set vpn sstp ssl ca-cert-file /config/auth/ca.crt + set vpn sstp ssl cert-file /config/auth/server.crt + set vpn sstp ssl key-file /config/auth/server.key +======= + set vpn sstp ppp-options ipv6 allow + set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn sstp default-ipv6-pool IPv6-POOL +>>>>>>> d71c4607 (Rewritten the SSTP server documentation) + +IPv6 Advanced Options +===================== .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id Accept peer interface identifier. By default is not defined. @@ -231,6 +314,90 @@ PPP Settings * **ipv4-addr** - Calculate interface identifier from IPv4 address. * **calling-sid** - Calculate interface identifier from calling-station-id. +********* +Scripting +********* + +.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> Defines the maximum `<number>` of unanswered echo requests. Upon reaching the @@ -271,111 +438,61 @@ PPP Settings Defines preferred MRU. By default is not defined. +Global Advanced options +======================= -RADIUS ------- +.. cfgcmd:: set vpn sstp description <description> -Server -^^^^^^ + Set description. -.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> +.. cfgcmd:: set vpn sstp limits burst <value> - Configure RADIUS `<server>` and its required port for authentication requests. + Burst count -.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> +.. cfgcmd:: set vpn sstp limits connection-limit <value> - Configure RADIUS `<server>` and its required shared `<secret>` for - communicating with the RADIUS server. - -.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> - - Mark RADIUS server as offline for this given `<time>` in seconds. - -.. cfgcmd:: set vpn sstp authentication radius server <server> disable - - Temporary disable this RADIUS server. - -Options -^^^^^^^ - -.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> - - Timeout to wait reply for Interim-Update packets. (default 3 seconds) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> - - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - - Port for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> - - Secret for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius max-try <number> - - Maximum number of tries to send Access-Request/Accounting-Request queries - -.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - - Timeout to wait response from server (seconds) - -.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched - in DM/CoA requests. - -.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> + Acceptable rate of connections (e.g. 1/min, 60/sec) - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched - in DM/CoA requests. Also DM/CoA server will bind to that address. +.. cfgcmd:: set vpn sstp limits timeout <value> -.. cfgcmd:: set vpn sstp authentication radius source-address <address> + Timeout in seconds - Source IPv4 address used in all RADIUS server queires. +.. cfgcmd:: set vpn sstp mtu -.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> + Maximum Transmission Unit (MTU) (default: **1500**) - Specifies which RADIUS server attribute contains the rate limit information. - The default attribute is `Filter-Id`. +.. cfgcmd:: set vpn sstp max-concurrent-sessions -.. cfgcmd:: set vpn sstp authentication radius rate-limit enable + Maximum number of concurrent session start attempts - Enables bandwidth shaping via RADIUS. +.. cfgcmd:: set vpn sstp name-server <address> -.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. - Specifies the vendor dictionary, dictionary needs to be in - /usr/share/accel-ppp/radius. +.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647> + Match firewall mark value -Example -======= +.. cfgcmd:: set vpn sstp snmp master-agent -* Use local user `foo` with password `bar` -* Client IP addresses will be provided from pool `192.0.2.0/25` + Enable SNMP -.. code-block:: none +.. cfgcmd:: set vpn sstp wins-server <address> - set vpn sstp authentication local-users username vyos password vyos - set vpn sstp authentication mode local - set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool subnet 192.0.2.0/25 - set vpn sstp name-server 10.0.0.1 - set vpn sstp name-server 10.0.0.2 - set vpn sstp ssl ca-cert-file /config/auth/ca.crt - set vpn sstp ssl cert-file /config/auth/server.crt - set vpn sstp ssl key-file /config/auth/server.key + Windows Internet Name Service (WINS) servers propagated to client -Testing SSTP -============ +*********************** +Configuring SSTP client +*********************** Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file. +If you use a self-signed certificate, do not forget to install CA on the client side. + The following PPP configuration tests MSCHAP-v2: .. code-block:: none @@ -428,8 +545,115 @@ A connection attempt will be shown as: inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 valid_lft forever preferred_lft forever +********** +Monitoring +********** +.. opcmd:: show sstp-server sessions -.. _sstpc: https://github.com/reliablehosting/sstp-client + Use this command to locally check the active sessions in the SSTP + server. +.. code-block:: none + + vyos@vyos:~$ show sstp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B + +.. code-block:: none + + vyos@vyos:~$ show sstp-server statistics + uptime: 0.01:21:54 + cpu: 0% + mem(rss/virt): 6688/100464 kB + core: + mempool_allocated: 149420 + mempool_available: 146092 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 7 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + sstp: + starting: 0 + active: 1 + +*************** +Troubleshooting +*************** + +.. code-block:: none + + vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 + + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 + Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] + Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' + Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started + +.. _sstpc: https://github.com/reliablehosting/sstp-client +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel .. include:: /_include/common-references.txt |