Why don't you run npppd directly on the OBSD FW (192.168.21.233)?
On 25 apr 2013, at 09:49, Bastien Ceriani <[email protected]> wrote:
> Hello,
>
> I'm currently discovering the NPPPD daemon and L2TP/IPsec VPN.
> My VPN server is in a DMZ and runs OpenBSD 5.3.
>
> Client (192.168.1.137) ----- (192.168.1.233) OBSD FW (192.168.21.233) -----
> VPN (192.168.21.14)
>
> I correctly configured NPPPD and IPsec to let my client connect directly to
> the VPN server (Windows VPN server configuration: 192.168.21.14) with a
> corresponding PF configuration.
>
> But then my VPN will not be available from the Internet, so I tried to
> configure my FW and PF to redirect incoming L2TP/IPsec requests on
> 192.168.1.233 to my VPN server with these rules:
>
>
> #pass in log on $lan0_if proto esp from 192.168.1.137 to 192.168.21.14
> pass in log on $lan0_if proto esp from 192.168.1.137 to ($lan0_if) rdr-to 192.168.21.14
>
> #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 500
> pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 500 rdr-to 192.168.21.14
>
> #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 1701
> pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 1701 rdr-to 192.168.21.14
>
> #pass in log on $lan0_if proto udp from 192.168.1.137 to 192.168.21.14 port 4500
> pass in log on $lan0_if proto udp from 192.168.1.137 to ($lan0_if) port 4500 rdr-to 192.168.21.14
>
> Seemingly, the first phase succeeds but the second fails. The VPN server
> tries to respond to the FW and not to the client:
>
> VPN server's /var/log/messages:
>
> vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
> vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
> vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
> vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
> vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
> vpn isakmpd[15046]: isakmpd: Peer 192.168.1.137 made us delete live SA peer-default for proto 1, initiator id: 192.168.1.137, responder id: 192.168.21.14
>
>
> You can find my npppd configuration below:
>
> authentication LOCAL type local {
>         users-file "/etc/npppd/npppd-users"
> }
> #authentication RADIUS type radius {
> #        authentication-server {
> #                address 192.168.0.1 secret "hogehoge"
> #        }
> #        accounting-server {
> #                address 192.168.0.1 secret "hogehoge"
> #        }
> #}
>
> tunnel L2TP_ipv4 protocol l2tp {
>         listen on 0.0.0.0
> #        l2tp-require-ipsec yes
>         l2tp-accept-dialin yes
>         authentication-method mschapv2
> }
>
> ipcp IPCP {
>         pool-address 192.168.20.1-192.168.20.254
>         dns-servers 192.168.21.16 8.8.8.8
> }
>
> # use pppx(4) interface. use an interface per ppp session.
> interface pppx0 address 192.168.20.1 ipcp IPCP
> bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
>
> Did I forget to configure something?
>
> Regards,
>
> --
>
> Bastien CERIANI
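As an added diagnostic that is not part of the thread above, here is a small Python checker over the isakmpd lines Bastien quoted. It pairs each peer's phase 1 responder id with the responder id that peer later proposes in phase 2 and flags a mismatch, which is exactly the symptom in the log: the client negotiated phase 1 against 192.168.21.14 but proposes 192.168.1.233 (the firewall address it dialed) as the phase 2 responder, so an address-rewriting hop between client and server is the thing to look for. The sample log is re-typed from the post without the mail client's bold markers; nothing else is assumed.

```python
import re

# Constructed sample: the isakmpd lines from the post above, re-typed as plain
# text (same pid and addresses as the original message).
SAMPLE_LOG = """\
vpn isakmpd[15046]: isakmpd: phase 1 done (as responder): initiator id 192.168.1.137, responder id 192.168.21.14, src: 192.168.21.14 dst: 192.168.1.137
vpn isakmpd[15046]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.137, responder id 192.168.1.233
vpn isakmpd[15046]: dropped message from 192.168.1.137 port 4500 due to notification type INVALID_ID_INFORMATION
"""

# An ID is anything up to the next comma or whitespace (address or FQDN).
PHASE1_RE = re.compile(
    r"phase 1 done \(as responder\): initiator id ([^,\s]+), responder id ([^,\s]+)")
PHASE2_RE = re.compile(
    r"invalid phase 2 IDs: initiator id ([^,\s]+), responder id ([^,\s]+)")
DROP_RE = re.compile(r"dropped message from ([^\s]+) port \d+ due to notification type (\S+)")


def analyse(log_text):
    """Return one finding per rejected phase 2 proposal whose responder id differs
    from the responder id the same initiator negotiated in phase 1."""
    phase1 = {}   # initiator id -> responder id accepted in phase 1
    drops = {}    # peer address -> count of INVALID_ID_INFORMATION drops
    findings = []
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            phase1[m.group(1)] = m.group(2)
            continue
        m = DROP_RE.search(line)
        if m and m.group(2) == "INVALID_ID_INFORMATION":
            drops[m.group(1)] = drops.get(m.group(1), 0) + 1
            continue
        m = PHASE2_RE.search(line)
        if m:
            init, resp = m.group(1), m.group(2)
            expected = phase1.get(init)
            if expected is not None and expected != resp:
                findings.append({
                    "initiator": init,
                    "phase1_responder": expected,
                    "phase2_responder": resp,
                    "hint": "phase 2 responder id is not the address the server "
                            "negotiated phase 1 with; check for NAT/rdr between "
                            "%s and %s" % (init, expected),
                })
    for f in findings:                      # attach the drop count for context
        f["invalid_id_drops"] = drops.get(f["initiator"], 0)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```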