I'm attempting to connect to an L2TP/IPSec VPN provided by a Draytek router from a headless Ubuntu Linux AWS EC2 instance. This is a headless server, so I am setting it up manually (rather than using network manager). I'm using strongswan for the IPSec connection. The IPSec connection is successfully established, but the connection fails at the point of MS-CHAP authentication, specifically the log looks like this:

Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: Connecting to host <gateway IP redacted>, port 1701
Feb 14 00:03:04 ip-172-31-46-6 sudo[176939]: pam_unix(sudo:session): session closed for user root
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: Connection established to <gateway IP redacted>, 1701.  Local: 24268, Remote: 11 (ref=0/0).
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: Calling on tunnel 24268
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: Call established with <gateway IP redacted>, Local: 61356, Remote: 46, Serial: 3 (ref=0/0)
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: start_pppd: I'm running:
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "/usr/sbin/pppd"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "/dev/pts/6"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "passive"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "nodetach"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: ":"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "debug"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "file"
Feb 14 00:03:04 ip-172-31-46-6 xl2tpd[176607]: "/etc/ppp/options.myconn"
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: pppd 2.4.9 started by root, uid 0
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: using channel 19
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: Using interface ppp0
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: Connect: ppp0 <--> /dev/pts/6
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0xb15c4f6c>]
Feb 14 00:03:04 ip-172-31-46-6 systemd-udevd[176943]: Using default interface naming scheme 'v249'.
Feb 14 00:03:04 ip-172-31-46-6 networkd-dispatcher[406]: WARNING:Unknown index 124 seen, reloading interface list
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP ConfReq id=0x0 <auth chap MS-v2> <magic 0x1>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP ConfAck id=0x0 <auth chap MS-v2> <magic 0x1>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP ConfReq id=0x2 <mru 1410> <magic 0xb15c4f6c>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP ConfNak id=0x2 <mru 1442>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP ConfReq id=0x3 <mru 1442> <magic 0xb15c4f6c>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP ConfAck id=0x3 <mru 1442> <magic 0xb15c4f6c>]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP EchoReq id=0x0 magic=0xb15c4f6c]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [CHAP Challenge id=0x1 <91ed63fc4d8f5bbd454c577a44147602>, name = "<redacted>"]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: added response cache entry 0
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [CHAP Response id=0x1 <977c6456c814fbe8007087cad5cc7f750000000000000000cf0b49568e90469ef4948b18a45b7d1819038cf72f3a3c2400>, name = "<redacted>"]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP EchoRep id=0x0 magic=0x1]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [CHAP Failure id=0x1 "E=691 R=1 C=91ED63FC4D8F5BBD454C577A44147602 V=0 M=Good luck!"]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: MS-CHAP authentication failed: Good luck!
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: CHAP authentication failed
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP TermReq id=0x4 "Failed to authenticate ourselves to peer"]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP TermReq id=0x1]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: sent [LCP TermAck id=0x1]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: rcvd [LCP TermAck id=0x4]
Feb 14 00:03:04 ip-172-31-46-6 pppd[176942]: Connection terminated.

So far my configuration looks like this:

/etc/ipsec.conf

config setup
    # Enable debugging if needed (adjust as desired)
    charondebug="ike 2, knl 2, cfg 2, enc 2"

conn myconn
    authby=secret
    auto=start
    keyexchange=ikev1
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!

    # Local settings
    left=%defaultroute
    leftid=<public AWS elastic IP redacted>

    # Remote settings
    right=<gateway IP redacted>
    rightid=<gateway IP redacted>
    # Set the group name as the identifier without the '@'

    type=transport
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s

/etc/ipsec.secrets

# Use the group name and remote gateway to identify the PSK
%any <gateway IP redacted> : PSK "<redacted>"

/etc/xl2tpd/xl2tpd.conf

[lac myconn]
lns = <gateway IP redacted>
ppp debug = yes
pppoptfile = /etc/ppp/options.myconn
length bit = yes

/etc/ppp/options.myconn

ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-chap
require-mschap-v2
nopcomp
noaccomp
noauth
mtu 1410
mru 1410
nodefaultroute
ipparam myconn
debug
name <redacted>
password <redacted>

I want to understand why I get the message "MS-CHAP authentication failed: Good luck!". I'm pretty certain there is no issue with the username and password being incorrect. These have been tested in the Draytek SmartVPN Windows client and successfully connected. So why is authentication failing on Linux, or at least how can I debug this further?

crobar

1 Answer

Answer based on https://pptpclient.sourceforge.net/howto-diagnosis.phtml

Reasons for CHAP authentication failed error E=691 with pppd:

  • specifying the wrong domain
  • specifying the wrong password (e.g. by not quoting special characters)
  • using spaces or blanks as part of your password