Take a look at the router config. On some routers you need to enable "VPN passthrough", "IPsec" or something like that; get the router manual. In the worst case, perform DMZ pointing everything to the OpenBSD box (I particularly prefer this one).
2016-08-06 16:43 GMT-03:00 Sebastian Wain <[email protected]>:
> That ipsec.conf works perfectly if I am connecting to the VPN from the LAN
> but doesn't work if I put the VPN behind a router doing NAT and redirecting
> ports 500 and 4500 to the VPN server. In this case this is logged:
>
> (192.168.1.35 is the IP of the machine behind the router at 221.12.3.4 which
> is trying to connect to the VPN through the router at 200.1.32.22)
>
> Aug 6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
> Aug 6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
> Aug 6 10:10:34 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
> Aug 6 10:10:34 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
> Aug 6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 221.12.3.4:500
>
> Thanks,
> Sebastian
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of R0me0 ***
> Sent: Thursday, August 4, 2016 1:57 PM
> To: Sebastian Wain <[email protected]>
> Cc: OpenBSD misc <[email protected]>
> Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?
>
> ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
>     main auth hmac-sha1 enc 3des group modp2048 \
>     quick auth hmac-sha1 enc 3des psk "YOURSECRET"
>
> You are welcome
>
> (:
>
> 2016-08-04 13:15 GMT-03:00 Sebastian Wain <[email protected]>:
>
> > I can't figure out how to make an OpenBSD VPN work. I followed the
> > guide at [1] to set up a VPN, modified the network interface there to
> > tun0 instead of pppoe0, and didn't configure the pf.conf. When I tried
> > to connect from Win10 using the "L2TP/IPsec with pre-shared key" VPN
> > type I see the issues below in phase 2:
> >
> > Thanks
> > Sebastian
> >
> > [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn-works-with.html
> >
> > Aug 3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:13 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:14 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:15 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:18 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:25 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:40 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug 3 11:17:55 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug 3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 192.168.0.129:500
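The phase 2 ID rejection quoted in the thread can be checked mechanically. The following is an added example (not from the thread and not part of OpenBSD or isakmpd) that parses isakmpd lines of that shape and reports whether the client proposed a private address as its initiator ID and whether the responder ID matches the box's own egress address, which is passed in as an assumed value; the sample log is constructed to match the messages above.

```python
import ipaddress
import re

# Constructed sample, shaped like the isakmpd messages quoted in the thread.
SAMPLE_LOG = """\
Aug  6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
Aug  6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
Aug  6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 221.12.3.4:500
"""

ID_RE = re.compile(r"invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


def diagnose(log_text, egress_ip):
    """Explain an INVALID_ID_INFORMATION rejection from isakmpd log lines.

    egress_ip is the address the 'from egress' flow resolves to on the
    OpenBSD box (an assumed input; take it from ifconfig on a real system).
    """
    egress = ipaddress.ip_address(egress_ip)
    result = {"initiator_id": None, "responder_id": None, "peer_src": None,
              "nat_t_port": False, "initiator_private": False,
              "responder_matches_egress": None, "findings": []}
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if m:
            init, resp = (ipaddress.ip_address(g) for g in m.groups())
            result["initiator_id"], result["responder_id"] = str(init), str(resp)
            result["initiator_private"] = init.is_private
            result["responder_matches_egress"] = resp == egress
            continue
        m = DROP_RE.search(line)
        if m and m.group(3) == "INVALID_ID_INFORMATION":
            result["peer_src"] = m.group(1)
            # UDP 4500 means NAT traversal kicked in: a NAT sits on the path.
            result["nat_t_port"] = m.group(2) == "4500"
    if (result["initiator_private"] and result["peer_src"]
            and not ipaddress.ip_address(result["peer_src"]).is_private):
        result["findings"].append(
            "client behind NAT: it proposes its private address as the initiator ID")
    if result["responder_matches_egress"] is False:
        result["findings"].append(
            "responder ID is not this box's egress address: the client reaches "
            "the server through a NAT router and names the router's address")
    return result
```

Both findings line up with the thread: the Windows client behind 221.12.3.4 names its LAN address, and the responder ID is the NAT router at 200.1.32.22 rather than the address the `from egress` flow covers, so isakmpd drops the exchange.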

