I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to tunnel in to our office network.

I'm testing with the following setup

Win10 -> obsd5.9 (firewall doing NAT) -> {} -> obsd5.9 (IPsec)

I'd like something reasonably robust, able to pass through most NAT a user might find themselves behind. Our current Cisco VPN handles that part fairly well, but otherwise is unreliable and a pain to manage.

The connection process fails at stage 2 with the error message below, where X is the public IP of the box being connected to, Y is the IP of the firewall the Win10 machine is behind, and 10...58 is the private IP of the Win10 machine.

Thanks,

Robert Szasz



error in the isakmpd log

---

010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
010420.423325 Default dropped message from y.y.y.y port 58544 due to notification type INVALID_ID_INFORMATION

ipsec.conf

ike passive esp transport \
    proto udp from x.x.x.x to any port 1701 \
    main auth hmac-sha1 enc "aes" group modp2048 \
    quick auth hmac-sha1 enc "aes" group modp2048 \
    psk ""
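As an added diagnostic example (not part of the original post), the script below parses isakmpd log lines in the shape quoted above, pairs each "peer proposed invalid phase 2 IDs" line with the INVALID_ID_INFORMATION drop that follows it, and flags the case where the initiator's phase 2 ID is a private address that differs from the address the packet arrived from, which is what a client behind NAT looks like. The sample log and the 203.0.113.10 / 198.51.100.7 addresses are constructed stand-ins for the redacted x.x.x.x and y.y.y.y.

```python
import ipaddress
import re

# Constructed sample in the shape of the isakmpd output quoted in the post;
# the public addresses are documentation ranges standing in for x.x.x.x / y.y.y.y.
SAMPLE_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 203.0.113.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION
010421.100000 Default some other isakmpd message that should be ignored
"""

INVALID_IDS = re.compile(
    r"^(?P<ts>\d{6}\.\d+) Default responder_recv_HASH_SA_NONCE: "
    r"peer proposed invalid phase 2 IDs: initiator id (?P<init>[\d.]+), "
    r"responder id (?P<resp>[\d.]+)$")
DROPPED = re.compile(
    r"^(?P<ts>\d{6}\.\d+) Default dropped message from (?P<peer>[\d.]+) "
    r"port (?P<port>\d+) due to notification type (?P<notify>\w+)$")


def parse_invalid_id_drops(log_text):
    """Return one dict per quick-mode attempt that isakmpd rejected with
    INVALID_ID_INFORMATION, pairing the ID line with the drop line after it."""
    pending = None
    events = []
    for line in log_text.splitlines():
        m = INVALID_IDS.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = DROPPED.match(line)
        if m and pending and m["notify"] == "INVALID_ID_INFORMATION":
            init = ipaddress.ip_address(pending["init"])
            events.append({
                "initiator_id": pending["init"],
                "responder_id": pending["resp"],
                "peer": m["peer"],
                "peer_port": int(m["port"]),
                # The client identifies its phase 2 flow by its own pre-NAT
                # address; a private ID that differs from the source address
                # of the packet means the peer is behind NAT.
                "behind_nat": init.is_private and pending["init"] != m["peer"],
            })
            pending = None
    return events


if __name__ == "__main__":
    for ev in parse_invalid_id_drops(SAMPLE_LOG):
        print(ev)
```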
