Hello,
I'm currently discovering the NPPPD daemon and L2TP/IPsec VPN.
My VPN server is in a DMZ and runs on OpenBSD 5.3.
Client (192.168.1.137) ----- (192.168.1.233) OBSD FW (192.168.21.233) ----- VPN (192.168.21.14)
I correctly configured NPPPD and IPsec to let my client connect directly to
the VPN server (Windows VPN configuration, VPN server: 192.168.21.14) with a
corresponding PF configuration.
But then my VPN would not be reachable from the Internet, so I tried to
configure my FW and PF to redirect incoming L2TP/IPsec requests arriving on
192.168.1.233 to my VPN server with these rules:
#pass in log on $lan0_if proto esp from 192.168.1.137 to 192.168.21.14
pass in log on $lan0_if proto esp from 192.168.1.137 to ($lan0_if) rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 500
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 500 rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 1701
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 1701 rdr-to 192.168.21.14

#pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 4500
pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 4500 rdr-to 192.168.21.14
Seemingly, the first phase succeeds but the second fails. The VPN server
tries to respond to the FW and not to the client:
VPN server's /var/log/messages:
vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14
You can find my npppd configuration below:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
#authentication RADIUS type radius {
#    authentication-server {
#        address 192.168.0.1 secret "hogehoge"
#    }
#    accounting-server {
#        address 192.168.0.1 secret "hogehoge"
#    }
#}

tunnel L2TP_ipv4 protocol l2tp {
    listen on 0.0.0.0
#    l2tp-require-ipsec yes
    l2tp-accept-dialin yes
    authentication-method mschapv2
}

ipcp IPCP {
    pool-address 192.168.20.1-192.168.20.254
    dns-servers 192.168.21.16 8.8.8.8
}

# use pppx(4) interface. use an interface per a ppp session.
interface pppx0 address 192.168.20.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
Did I forget to configure something?
Regards,
--
Bastien CERIANI
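An added example for readers of this thread (it is not part of the post and is not an npppd or isakmpd tool): a small Python script that parses the isakmpd lines quoted above and reports what they show. In phase 1 isakmpd identifies itself as 192.168.21.14, but in phase 2 the client names 192.168.1.233 (the firewall address it actually connected to) as the responder; rdr-to rewrites the destination of the packets, not the ID payload carried inside IKE, so isakmpd rejects the quick mode proposal with INVALID_ID_INFORMATION. The log lines are copied from the post; the analyze() and diagnose() helpers are hypothetical names chosen for this example.

```python
"""Parse isakmpd(8) log lines and flag a phase 2 ID mismatch behind a PF rdr-to.

Added example for this thread; not code from the original post or from OpenBSD.
analyze() and diagnose() are hypothetical helpers written for this example.
"""
import re

# Lines copied from the post's /var/log/messages (isakmpd on the redirected VPN host).
LOG_LINES = [
    "vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id "
    "192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137",
    "vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid "
    "phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233",
    "vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to "
    "notification type INVALID_ID_INFORMATION",
    "vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid "
    "phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233",
    "vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to "
    "notification type INVALID_ID_INFORMATION",
    "vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA "
    "peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14",
]

PHASE1_RE = re.compile(
    r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<init>\S+), "
    r"responder id (?P<resp>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)"
)
PHASE2_BAD_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<init>\S+), "
    r"responder id (?P<resp>\S+)"
)
DROPPED_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to "
    r"notification type (?P<notify>\w+)"
)
DELETE_RE = re.compile(r"Peer (?P<peer>\S+) made us delete live SA")


def analyze(lines):
    """Summarise the IKE negotiation visible in a list of isakmpd log lines."""
    summary = {
        "phase1_responder_id": None,  # identity isakmpd used for itself in phase 1
        "phase2_mismatches": [],      # (initiator id, responder id the peer proposed)
        "dropped": [],                # (peer, port, notification type)
        "sa_deleted": 0,              # live SAs torn down at the peer's request
        "nat_t": False,               # peer traffic arrived on UDP 4500 (NAT-T)
    }
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:
            summary["phase1_responder_id"] = m.group("resp")
            continue
        m = PHASE2_BAD_RE.search(line)
        if m:
            summary["phase2_mismatches"].append((m.group("init"), m.group("resp")))
            continue
        m = DROPPED_RE.search(line)
        if m:
            summary["dropped"].append((m.group("peer"), int(m.group("port")), m.group("notify")))
            if m.group("port") == "4500":
                summary["nat_t"] = True
            continue
        if DELETE_RE.search(line):
            summary["sa_deleted"] += 1
    return summary


def diagnose(summary):
    """Name the responder address the peer used versus the one isakmpd holds."""
    local_id = summary["phase1_responder_id"]
    foreign = sorted({resp for _, resp in summary["phase2_mismatches"] if resp != local_id})
    if local_id and foreign:
        return (
            f"phase 2 responder ID mismatch: peer addresses the gateway as "
            f"{', '.join(foreign)} but isakmpd identifies itself as {local_id}; "
            f"rdr-to rewrites packet destinations, not the ID payload inside IKE"
        )
    if summary["dropped"]:
        return "messages dropped: " + ", ".join(n for _, _, n in summary["dropped"])
    return "no phase 2 ID problem found"


if __name__ == "__main__":
    s = analyze(LOG_LINES)
    print(s)
    print(diagnose(s))
```

Run against the lines from the post, diagnose() reports that the peer names 192.168.1.233 as responder while isakmpd's own identity is 192.168.21.14, and nat_t is set because the rejected messages arrived on port 4500. The same script can be fed a larger /var/log/messages extract to confirm whether every INVALID_ID_INFORMATION drop is explained by the same address mismatch.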