Hi,

> real.local.concentrate: tun0

this should be

realm.local.concentrate: tun0

I hope this will help you.

--yasuoka

On Wed, 15 Aug 2012 09:11:06 -0700
Johan Beisser <j...@caustic.org> wrote:
> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.
>
> I've enabled pipex in kernel:
> # sysctl -a | grep -E '(pipex|gre)'
> net.inet.gre.allow=0
> net.inet.gre.wccp=0
> net.pipex.enable=1
>
> Before anyone asks, yes, I had GRE enabled as well. But, I'm not looking to run PPTP via npppd, only L2TP. I've tested with it activated, and the config with pptpd.enabled: false
>
> I've configured a very basic npppd.conf, per the instructions in
> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8
>
> Everything connects, it appears to authenticate fine, but after that iOS attempts to negotiate ppp. I'm assuming this is the relevant part of the npppd debugging output (for my own privacy, I've replaced non-RFC addresses with A.B.C.D for the client and E.F.G.H for the server, respectively):
>
> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4 hostname=users-thing vendor=(no vendorname) firm=0000
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN session_id=948 calling_number= tx_conn_speed=1000000 framing=async
> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started tunnel=L2TP(A.B.C.D:50002)
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2 logtype=Success username="user" realm=local
> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol ip6cp, 32855(8057)
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by local PPP
> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002 auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets error_in=1 error_out=0 mppe=no iface=(not binding)
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in unexpected state=cleanup-wait
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256 error=UNKNOWN/28261 tunnel_id=21 message="cted"
> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad control message: tunnelId=2 is not found. mestype=CDN
>
>
> Isakmpd does throw some errors, but they don't seem to be related to anything except protocol negotiation.
>
> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as responder): initiator id 10.70.108.213, responder id E.F.G.H, src: A.B.C.D dst: A.B.C.D
> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as responder): src: E.F.G.H dst: A.B.C.D
>
>
> It acts the same if pf is enabled or disabled. I'm debating if I should update to a snapshot or not, at this point. Due to the hardware being weak, and kind of old, I'd rather not have the debugging flags, etc, running a snapshot would entail.
>
> Any pointers on where to look would be appreciated.
>
> -jb
>
>
> npppd.conf:
>
> interface_list: tun0
> interface.tun0.ip4addr: 172.23.0.1
>
> # IP Address Pool
> pool.dyna_pool: 172.23.0.0/25
> pool.pool: 172.23.0.128/25
>
> # local file auth
> auth.local.realm_list: local
> auth.local.realm.acctlist: /etc/npppd/npppd-users.csv
> real.local.concentrate: tun0
>
> lcp.mru: 1400
> lcp.timeout: 18
> auth.method: mschapv2
> # auth.method: mschapv2 chap pap
> ipcp.assign_fixed: true
> ipcp.assign_userselect: true
>
> pptpd.enabled: false
> pptpd.ip4_allow: 0.0.0.0/0
> #pptpd.listener_in: PPTP 192.168.0.1
>
> # L2TP daemon
> l2tpd.enabled: true
> l2tpd.ip4_allow: 0.0.0.0/0
> #l2tpd.listener_in: L2TP 192.168.0.1
> l2tpd.purge_ipsec_sa: false
> l2tpd.require_ipsec: true
> l2tpd.accept_dialin: true
>
> pipex.enabled: true
>
> ipsec.conf:
>
> ike passive esp transport \
>     proto udp from A.B.C.D to any port 1701 \
>     main auth "hmac-sha1" enc "3des" group modp1024 \
>     quick auth "hmac-sha1" enc "aes" \
>     psk "PASSWORD"
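The failure above is a one-letter typo in a key name (real. for realm.), which npppd reports only indirectly as "layer=base No interface binding." The script below is an added example, not part of the thread and not an npppd tool: a sanity check for the old key/value npppd.conf format that lists the interfaces in interface_list that no "realm.<name>.concentrate" line points at, and the keys whose leading component is not one of the prefixes used in the posted config. It assumes one "key: value" per line with "#" starting a comment, as in the posted file; the prefix list is taken from that file, not from npppd's grammar, so a config that uses other sections needs it extended. The sample config it checks is constructed from the posted one.

```shell
#!/bin/sh
# Added example: a quick lint for the OpenBSD 5.1 key/value npppd.conf format.
# Assumptions: one "key: value" per line, "#" starts a comment, and a realm
# binds to its tunnel interface with "realm.<name>.concentrate: <iface>".

# Print every interface in interface_list that no realm.<name>.concentrate
# line refers to. Prints nothing when every interface is bound.
unbound_interfaces() {
    awk '
        /^[ \t]*#/ || !/:/ { next }          # comment or not a key: value line
        {
            key = $0; sub(/:.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "interface_list" {
            n = split(val, ifs, /[ \t]+/)
            for (i = 1; i <= n; i++) want[ifs[i]] = 1
        }
        key ~ /^realm\.[^.]+\.concentrate$/ { bound[val] = 1 }
        END { for (ifc in want) if (!(ifc in bound)) print ifc }
    ' "$1"
}

# Print every key whose first dotted component is not a prefix seen in the
# posted npppd.conf. The list is an assumption taken from that file, not from
# npppd itself; a misspelled section such as "real." shows up here.
suspect_keys() {
    awk -v known="interface_list interface pool auth realm lcp ipcp pptpd l2tpd pipex" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || !/:/ { next }
        {
            key = $0; sub(/:.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            head = key; sub(/\..*$/, "", head)
            if (!(head in ok)) print key
        }
    ' "$1"
}

# Constructed sample: the relevant part of the posted config, typo included.
cfg=$(mktemp) || exit 1
cat >"$cfg" <<'EOF'
interface_list: tun0
interface.tun0.ip4addr: 172.23.0.1
pool.dyna_pool: 172.23.0.0/25
# local file auth
auth.local.realm_list: local
auth.local.realm.acctlist: /etc/npppd/npppd-users.csv
real.local.concentrate: tun0
l2tpd.enabled: true
pipex.enabled: true
EOF

echo "as posted: interfaces with no realm bound to them:"
unbound_interfaces "$cfg"
echo "as posted: keys with an unrecognised prefix:"
suspect_keys "$cfg"

# Apply the correction from the reply (real. -> realm.) and check again;
# both lists are then empty.
sed 's/^real\./realm./' "$cfg" >"$cfg.fixed"
echo "after the fix: interfaces with no realm bound to them:"
unbound_interfaces "$cfg.fixed"
echo "after the fix: keys with an unrecognised prefix:"
suspect_keys "$cfg.fixed"

rm -f "$cfg" "$cfg.fixed"
```

Run it against /etc/npppd/npppd.conf instead of the sample when a tunnel authenticates but logs "No interface binding"; an interface in the first list, or a key in the second, is the place to look before reaching for a snapshot.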