Quoting Charles Amstutz <[email protected]>:

Yes,

I would like to know this as well. It seems annoying that Android 8/4.x and iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and Android 7.

It's either a user error (which I am willing to admit) or something very annoying, especially when my l2tp PSK Windows server can accept connections from anything, it seems.

I would like to get this figured out.

I appreciate all of the suggestions, but I still can't get Android 7 to connect, no matter which encryption, authentication or modp I use.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: [email protected]
Cc: Charles Amstutz <[email protected]>; [email protected]
Subject: Re: l2tp and openbsd 6.1

Hi,
with l2tp I have a situation where iOS and Android devices can connect but Windows 7 and Windows 10 can't.

Is it possible to adjust ipsec.conf somehow so it could accept connection from Windows clients too? Or is there a way to adjust some settings in Windows so it will work with current ipsec.conf?

I also noticed that I have to add pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"

Here is npppd.conf:
authentication LOCAL type local {
     users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
     listen on x.x.y.y
}
ipcp IPCP {
         pool-address 192.168.222.2-192.168.222.254
         dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from iPhone 6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=0000
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from iPhone 4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=0000
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And an unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN

On 02/10/17 23:03, Charles Amstutz wrote:
Hello everyone,

I'm new to this list and l2tp/OpenBSD (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting "IKE negotiation failed" errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
https://www.mail-archive.com/[email protected]/msg145747.html
... etc.


I can get iOS to connect, but I can't get Android 7 to connect. I've read that Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is that it connects just fine to my Windows l2tp server. Bug tracker:
https://issuetracker.google.com/issues/37074640#c35


My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.

My questions:

1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples.


2) Every time I read a site that says "this configuration worked for me on Android", it doesn't work for me. I presume it is my lack of understanding, though I'm not ruling out the possible Android bug.


I appreciate any help.



Here is my ipsec.conf (this allows iOS to connect):

public_ip = "x.x.x.x"

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes" group modp1024 \
   quick auth "hmac-sha1" enc "aes" \
   psk "PSK-GOES-HERE"

Here is my npppd.conf:

authentication LOCAL type local {
         users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
         listen on 0.0.0.0
         listen on ::
}

ipcp IPCP {
         pool-address 10.0.0.101-10.0.0.254
         dns-servers x.x.x.x
}

# use pppx(4) interface.  use an interface per ppp session.
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0


Unfortunately I am not sure whether what I am saying is correct or valid, because maybe this stuff works for me only because I am using older versions of Android etc., plus I am using a slightly modified OpenBSD 5.5 kernel. But you may want to try the following.

The order is important -- it doesn't seem to work if modp2048 is listed after modp1024. If I do something like

ike passive esp transport proto udp from $local_ip to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" \
        psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "mypsk"

in the order listed, it works, and it has been working for at least a few years. To make sure I am not posting wrong information, I have double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.

I will try the same thing with -current and report back to the list if it is useful.

Hope this helps.

Vijay
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
[email protected]
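An added example, not code from anyone in this thread: it parses isakmpd "attribute_unacceptable" lines of the kind quoted above and groups each run of rejections with how it ended, either a NO_PROPOSAL_CHOSEN drop (the Win7 case) or an L2TP SCCRQ from the same peer (the iPhone case, where the client fell back to an acceptable proposal). The values that only failed peers offered are what an extra ike line would have to cover, and modp_order() sorts groups the way Vijay reports works (modp2048 before modp1024). The log lines are constructed after the ones in the thread and the regexes assume exactly those message formats.

```python
import re

# Constructed sample modelled on the isakmpd/npppd lines quoted in the thread:
# a peer whose every proposal is rejected, then one that is rejected but falls back.
SAMPLE_LOG = """\
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7
"""

ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"dropped message from ([\d.]+) port (\d+) due to notification type (\w+)")
SCCRQ_RE = re.compile(r"RecvSCCRQ from=([\d.]+):(\d+)")

def parse_isakmpd(text):
    """Group each run of rejected attributes with the event that ends it."""
    events, pending = [], []
    for line in text.splitlines():
        if (m := ATTR_RE.search(line)):
            pending.append({"attr": m.group(1), "got": m.group(2), "expected": m.group(3)})
        elif (m := DROP_RE.search(line)):  # IKE gave up: nothing offered was acceptable
            events.append({"peer": m.group(1), "outcome": "failed", "notify": m.group(3), "rejected": pending})
            pending = []
        elif (m := SCCRQ_RE.search(line)):  # L2TP started, so IKE phase 1/2 succeeded after all
            events.append({"peer": m.group(1), "outcome": "connected", "notify": None, "rejected": pending})
            pending = []
    return events

def missing_proposals(events):
    """Attribute values offered by peers that never got an acceptable match."""
    missing = {}
    for ev in events:
        if ev["outcome"] != "failed":
            continue
        for rej in ev["rejected"]:
            missing.setdefault(rej["attr"], set()).add(rej["got"])
    return {k: sorted(v) for k, v in missing.items()}

def modp_order(groups):
    """Largest MODP group first, the ike-line order the thread reports as working."""
    return sorted(groups, key=lambda g: int(g.rsplit("_", 1)[1]), reverse=True)
```

A peer that only ever appears with outcome "failed" needs a new ike line; a peer that reaches "connected" after rejections was merely downgraded to what the gateway already accepts, which is worth knowing before widening the proposal set.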
