Yes on the diagram. I should have noted that I just deleted the PSK rather than sending it out on email; pf.conf and npppd.conf follow.

Thanks,
Robert Szasz

npppd.conf

-----

# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file.  see npppd.conf(5)

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
#authentication RADIUS type radius {
#       authentication-server {
#               address 192.168.0.1 secret "hogehoge"
#       }
#       accounting-server {
#               address 192.168.0.1 secret "hogehoge"
#       }
#}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 10.216.196.150-10.216.196.200
        dns-servers 10.216.194.254
}

# use pppx(4) interface.  use an interface per a ppp session.
#interface pppx0 address 10.0.0.1 ipcp IPCP
#bind tunnel from L2TP authenticated by LOCAL to pppx0

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
-------------------------------------------------------

pf.conf

---

#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
IntIF="em0"
ExtIF="em3"
CarpInt="carp0"
CarpExt="carp1"
icmp_types="echoreq"

udp_services="{isakmp, ipsec-nat-t}"
tcp_services="{ 22,500,4500,1701 }"

set skip on lo
set block-policy drop
block drop all
match out on $ExtIF inet from !($CarpExt:network) to any nat-to ($CarpExt)



# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#pass icmp
pass in inet proto icmp all icmp-type $icmp_types

#pass IPSec
pass quick proto { esp, ah } from any to any
pass in on $ExtIF proto udp from any to any port {isakmp,ipsec-nat-t}

#pass CARP and pfsync
pass quick proto carp
pass quick proto pfsync

#pass services
pass in on $ExtIF proto udp from any to ($ExtIF) port {22, 500, 4500, 1701} keep state
pass out on $ExtIF proto {tcp,udp,icmp} from any to any flags S/SA keep state


pass on $IntIF

pass on $IntIF inet proto tcp from any to ($CarpInt)


pass in on $ExtIF inet proto tcp from any to ($ExtIF) port $tcp_services
pass in on $ExtIF inet proto udp from any to ($ExtIF) port $udp_services

pass out on $ExtIF inet from any to $CarpExt keep state


pass on $ExtIF proto carp keep state (no-sync)

pass in on $ExtIF inet proto tcp from any to ($CarpExt) port $tcp_services
pass in on $ExtIF inet proto udp from any to ($CarpExt) port $udp_services


On 12/5/2016 6:16 PM, Damian McGuckin wrote:
Robert,

On Mon, 5 Dec 2016, Robert Szasz wrote:

I'm testing with the following setup

Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)

Do you mean?

    Win10 ->obsd5.9(firewall doing nat)->{INTERNET}->obsd5.9(IPSEC)

The connection process fails at stage 2 with the error message below, where X is the public IP of the box being connected to, Y is the IP of the firewall the win10 machine is behind, and 10...58 is the private IP of the win10 machine.

I can try to help but as you probably read a week or so ago, am a bit of a learner with L2TP myself.

error in the isakmpd log

010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
010420.423325 Default dropped message from y.y.y.y port 58544 due to notification type INVALID_ID_INFORMATION

ipsec.conf

ike passive esp transport \
 proto udp from x.x.x.x to any port 1701 \
 main auth hmac-sha1 enc "aes" group modp2048 \
 quick auth hmac-sha1 enc "aes" group modp2048 \
 psk ""

Why no pre-shared key?

Some versions of the Windows 10 L2TP client, i.e. certainly the one on my Windows 10 HOME box, only use 3DES, i.e. replace "aes" by "3des" above. Also, some only use modp1024, or maybe I am getting confused by those Apples.

I would also need to look at a copy of 'pf.conf' because that can be where the problem lies. That was where I made a mistake.

What about 'npppd.conf'? Make sure that the sandbox network that it uses, or what some documentation called the VPN network, is different from the IPs of the 2 networks at each end of your link.

Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037 Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here Views & opinions here are mine and not those of any past or present employer
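Added example, not from either poster: a small POSIX sh helper that pulls the phase 2 IDs out of isakmpd log lines of the kind quoted in the thread and reports whether the initiator ID the client proposed is a private RFC 1918 address, as 10.1.1.58 is for the Win10 machine sitting behind the NAT firewall. The sample log text is constructed from the two lines in the thread, with the redacted x.x.x.x / y.y.y.y addresses replaced by documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample: the two isakmpd lines from the thread, with the
# redacted public addresses replaced by RFC 5737 documentation addresses.
SAMPLE_LOG='010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 203.0.113.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION'

# is_private ADDR: returns 0 when ADDR lies in an RFC 1918 range, 1 otherwise.
is_private() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    esac
    return 1
}

# phase2_id_report LOGTEXT: one output line per "invalid phase 2 IDs" event,
# giving both IDs and whether the initiator ID is a private address (the
# pre-NAT address of the client, in the situation described in the thread).
phase2_id_report() {
    printf '%s\n' "$1" |
    sed -n 's/.*invalid phase 2 IDs: initiator id \([^,]*\), responder id \(.*\)$/\1 \2/p' |
    while read -r init resp; do
        if is_private "$init"; then priv=yes; else priv=no; fi
        printf 'initiator=%s responder=%s initiator_is_private=%s\n' "$init" "$resp" "$priv"
    done
}

# dropped_from LOGTEXT: the address:port isakmpd saw the rejected message
# arrive from, i.e. the public side of the NAT, not the client itself.
dropped_from() {
    printf '%s\n' "$1" |
    sed -n 's/.*dropped message from \([^ ]*\) port \([0-9]*\) due to notification type INVALID_ID_INFORMATION.*/\1:\2/p'
}

# Usage: run the report over the sample, or pipe in real isakmpd output:
#   phase2_id_report "$(cat /var/log/daemon)"
phase2_id_report "$SAMPLE_LOG"
dropped_from "$SAMPLE_LOG"
```

An `initiator_is_private=yes` line alongside a `dropped_from` address that is the NAT gateway's public IP shows the same mismatch the thread's log reports: the ID the client proposes is its private address, while the packet arrives from the gateway.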
