On Tue, 29 Mar 2016 11:37:14 +0200 Mattieu Baptiste <mattie...@gmail.com> wrote:
> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight <slymidni...@yahoo.com> wrote:
>> I don't mean to bring up an old thread, but I was wondering if anyone
>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>> (preferably the version on the Nexus line of devices) connecting to
>> ipsec/l2tp.
>>
>> I had this working late last year some time and hadn't used it in a few
>> months. When I went to use it again a few days ago it didn't work at
>> all. After rebooting my phone and even trying it on my tablet that
>> coincidentally runs the exact same version of stock Android 6.0.1, it
>> too didn't work there.
>
> I have the very same problem.
> To me, it's caused by some Android updates. I saw this since 6.0, but
> some security updates near 5.1.1 seem to trigger the same behavior.
> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
> did not have the time to dig further...
My colleague and I also hit this issue. This issue is caused by Android: it
sends ESP packets with the wrong padding size when SHA2-256 is selected for
HMAC. It seems that Android is using an old IETF draft for SHA2-256, but
OpenBSD is using RFC 4868.

When the issue occurs, the "XXX packets with bad payload size or padding
received" counter in "netstat -sp esp" will be incremented.

We can force using MD5 or SHA for HMAC to work around this issue. To do
this, put the text below into /etc/isakmpd/isakmpd.policy and remove "-K"
from isakmpd_flags.

Authorizer: "POLICY"
Comment: This is test
Licensees: "passphrase:PASSPHRASE"
conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" &&
            esp_present == "yes" &&
            (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

--yasuoka
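As an added example (not part of the thread), a small POSIX shell helper that reads the ESP counter yasuoka points at from "netstat -sp esp" output and reports whether it grew between two snapshots taken around a phone's connection attempt. The counter wording follows OpenBSD's netstat text; the two samples are constructed for the example, not captured from a real gateway.

```shell
#!/bin/sh
# Added example: detect the symptom described above (the ESP "bad payload
# size or padding" counter climbing) rather than guessing from a failed
# L2TP/IPsec connection alone.

# Print the "packets with bad payload size or padding received" counter
# from netstat -sp esp output supplied on stdin (0 if the line is absent).
esp_bad_padding_count() {
    awk '/with bad payload size or padding received/ { n = $1 }
         END { print n + 0 }'
}

# Succeed (exit 0) when the counter in the second snapshot exceeds the first.
bad_padding_grew() {
    before=$(printf '%s\n' "$1" | esp_bad_padding_count)
    after=$(printf '%s\n' "$2" | esp_bad_padding_count)
    [ "$after" -gt "$before" ]
}

# Constructed samples in the shape of OpenBSD's netstat -sp esp output
# (made up for this example, not real statistics).
SAMPLE_BEFORE='esp:
	12 input ESP packets
	10 output ESP packets
	0 packets dropped on input
	0 packets with bad payload size or padding received
	0 packets that failed verification received'
SAMPLE_AFTER='esp:
	40 input ESP packets
	30 output ESP packets
	0 packets dropped on input
	28 packets with bad payload size or padding received
	0 packets that failed verification received'

# Live use on an OpenBSD gateway: snapshot, let the phone try to connect,
# snapshot again:
#   a=$(netstat -sp esp); sleep 30; b=$(netstat -sp esp)
#   bad_padding_grew "$a" "$b" && echo "bad padding counter increased"
if bad_padding_grew "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "sample: bad padding counter increased, suspect SHA2-256 HMAC mismatch"
fi
```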