I do not understand the question but this may be connected...

My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some 
"guide" without understanding a thing. My iOS, Android and Mac clients connect 
without a hitch. Windows 10 does not. 

To get my Windows 10 to work, I have to copy over and install the certificates 
from a previously connected Mac machine's keychain. 

In your setup, can you check in your Windows 10 certificate store if the 
necessary certificates (if any) have been installed? If not, try copying the 
certificates. This is Windows 10 behaviour. It may or may not be related to 
"self signed certificates".

Again, I do not understand a thing. Sorry for the noise.

Please excuse my brevity. Sent from my handphone.
  Original Message  
From: Vijay Sankar
Sent: Wednesday 4 October 2017 23:42
To: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1


Quoting Charles Amstutz <charl...@infinitesys.com>:

> Yes,
>
> I would like to know this as well, it seems annoying that Android 
> 8/4.x and IOS can connect, but not windows 10 (I haven't tried 
> earlier windows 10) and android 7.
>
> It's either a user error (which I am willing to admit) or something 
> very annoying. Especially when my l2tp PSK windows server can accept 
> connections from anything it seems.
>
> I would like to get this figured out.
>
> I appreciate all of the suggestions, but I still can't get android 7 
> to connect, no matter which encryption, authentication or modp I use.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On 
> Behalf Of lilit-aibolit
> Sent: Wednesday, October 4, 2017 2:46 AM
> To: misc@openbsd.org
> Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
> Subject: Re: l2tp and openbsd 6.1
>
> Hi,
> with l2tp I have situation when iOS  and Android devices could 
> connect but Windows 7 and Windows 10 couldn't.
>
> Is it possible to adjust ipsec.conf somehow so it could accept 
> connection from Windows clients too?
> Or is there a way to adjust some settings in Windows so it will work 
> with current ipsec.conf?
>
> I also noticed that I have to add pass rule for tun0 to PF explicitly:
> - pass on tun0 all
> instead of having just:
> - set skip on  { lo0, tun0 }
>
> Here is ipsec.conf:
>
> ike passive esp transport \
>     proto udp from a.b.x.y to any port 1701 \
>     main auth hmac-sha1 enc aes group modp1024 \
>     quick auth hmac-sha1 enc aes \
>     psk "password"
>
> Here is npppd.conf:
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
> tunnel L2TP protocol l2tp {
>     listen on x.x.y.y
> }
> ipcp IPCP {
>         pool-address 192.168.222.2-192.168.222.254
>         dns-servers 192.168.a.b
> }
> interface tun0 address 192.168.222.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to tun0
>
> Log from Android:
>
> Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
> Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
> Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
> Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
> Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes
>
> Log from IPhone6s:
>
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
> Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
> Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=0000
> Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
> Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
> Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
> Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes
>
> Log from IPhone4s:
>
> Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=0000
> Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
> Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
> Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
> Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.
>
> And unsuccessful connection from Win7:
>
> Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
> Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
> Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
> Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
>
> On 02/10/17 23:03, Charles Amstutz wrote:
>> Hello everyone,
>>
>> I'm new to this list and l2tp/openbsd (but do have working 
>> UNIX/Linux knowledge). After searching the previous forum posts 
>> (and the internet) I have found a lot of information on l2tp 
>> ipsec.conf connection strings. However, I can't get android to 
>> connect. I keep getting IKE negotiation failed errors.
>>
>> I've looked at sites such as:
>>
>> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
>> https://www.authbsd.com/blog/?p=20
>> http://daemonforums.org/showthread.php?t=10326
>> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
>> https://man.openbsd.org/npppd.conf.5
>> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
>> https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
>> https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
>> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
>> ... etc
>>
>>
>> I can get iOS to connect, but I can't get Android 7 to connect. I've
>> read that Android has bugs with the VPN client in 6.x and 7.x (not
>> sure if it is fixed in 8 or not). However, what is confusing is that it
>> connects just fine to my Windows l2tp server. Bug tracker:
>> https://issuetracker.google.com/issues/37074640#c35
>>
>>
>> My goal: Setup openbsd to work with IOS/android/windows/whatever.
>>
>> My questions.
>>
>>
>> 1) Can you have more than one ike line in ipsec.conf? from my 
>> presumption of looking at sites on the internet, you can, however, 
>> I am not sure.
>>
>> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
>> it is just two examples
>>
>>
>> 2) Every time I read a site that says, "this configuration
>> worked for me on android", it doesn't work for me. I presume it is 
>> my lack of understanding, though, I'm not ruling out the possible 
>> android bug.
>>
>>
>> I appreciate any help.
>>
>>
>>
>> Here is my ipsec.conf (this allows IOS to connect)
>>
>> public_ip = "x.x.x.x"
>>
>> ike passive esp transport \
>>     proto udp from $public_ip to any port 1701 \
>>     main auth "hmac-sha1" enc "aes" group modp1024 \
>>     quick auth "hmac-sha1" enc "aes" \
>>     psk "PSK-GOES-HERE"
>>
>> Here is my npppd.conf
>>
>>
>>
>> authentication LOCAL type local {
>>     users-file "/etc/npppd/npppd-users"
>> }
>>
>> tunnel L2TP protocol l2tp {
>>     listen on 0.0.0.0
>>     listen on ::
>> }
>>
>> ipcp IPCP {
>>     pool-address 10.0.0.101-10.0.0.254
>>     dns-servers x.x.x.x
>> }
>>
>> # use pppx(4) interface. use an interface per a ppp session.
>> interface pppx0 address 10.0.0.1 ipcp IPCP
>> bind tunnel from L2TP authenticated by LOCAL to pppx0
>>

Unfortunately I am not sure if what I am saying is correct or valid 
because maybe this stuff works for me only because I am using older 
versions of Android etc., plus I am using a slightly modified OpenBSD 
5.5 kernel. But you may want to try the following.

The order is important -- doesn't seem to work if modp2048 is listed 
after modp1024. If I do something like

ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"

in the order listed, it works, and it has been working for at least a 
few years. To make sure I am not posting wrong information, I have 
double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, 
Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.

I will try the same thing with -current and report back to the list if 
it is useful.

Hope this helps.

Vijay
-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
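The isakmpd lines quoted earlier in the thread (`attribute_unacceptable: ... got X, expected Y`, followed by `NO_PROPOSAL_CHOSEN`) are the fastest way to see why a particular client fails phase 1: each line names one parameter the client offered that no `ike` line in ipsec.conf accepts. The following script is an added example, not code from anyone in this thread or from OpenBSD; it parses such lines, summarizes what the peer offered versus what the server expected, and maps the rejected values to the ipsec.conf(5) keywords (`enc`, `auth`, `group`) that a second `ike` line would need. The sample log lines, the peer address 192.0.2.10 and the attribute-to-keyword table are constructed for the illustration.

```python
"""Summarize isakmpd 'attribute_unacceptable' lines from /var/log/daemon.

Added illustration (not from the thread or OpenBSD). Assumes the log format
quoted in the thread and the value-to-keyword mapping in KEYWORDS below.
"""
import re
from collections import defaultdict

# One 'attribute_unacceptable' line per rejected phase 1 transform attribute.
ATTR_RE = re.compile(
    r"isakmpd\[\d+\]: attribute_unacceptable: "
    r"(?P<attr>[A-Z_]+): got (?P<got>[A-Z0-9_]+), expected (?P<exp>[A-Z0-9_]+)"
)
# Final line when no transform matched: the peer that was rejected.
DROP_RE = re.compile(
    r"isakmpd\[\d+\]: dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type NO_PROPOSAL_CHOSEN"
)

# isakmpd attribute values -> ipsec.conf(5) keywords for the "main" transform
# (assumed mapping for the illustration; check ipsec.conf(5) for your release).
KEYWORDS = {
    "ENCRYPTION_ALGORITHM": {"AES_CBC": 'enc "aes"', "3DES_CBC": 'enc "3des"'},
    "HASH_ALGORITHM": {"SHA": 'auth "hmac-sha1"', "MD5": 'auth "hmac-md5"',
                       "SHA2_256": 'auth "hmac-sha2-256"',
                       "SHA2_512": 'auth "hmac-sha2-512"'},
    "GROUP_DESCRIPTION": {"MODP_1024": "group modp1024",
                          "MODP_1536": "group modp1536",
                          "MODP_2048": "group modp2048"},
}

# Constructed sample modelled on the Windows 7 failure quoted in the thread.
SAMPLE_LOG = """\
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 192.0.2.10 port 16884 due to notification type NO_PROPOSAL_CHOSEN
"""


def parse_isakmpd(lines):
    """Return ({attr: {"got": set, "expected": set}}, ["peer:port", ...]).

    Note: isakmpd logs only the first mismatching attribute of each transform,
    so the sets describe offered/expected values, not complete proposal tuples.
    """
    attrs = defaultdict(lambda: {"got": set(), "expected": set()})
    dropped = []
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attrs[m["attr"]]["got"].add(m["got"])
            attrs[m["attr"]]["expected"].add(m["exp"])
            continue
        m = DROP_RE.search(line)
        if m:
            dropped.append(f"{m['peer']}:{m['port']}")
    return dict(attrs), dropped


def missing_keywords(attrs):
    """ipsec.conf keywords for values the peer offered but the server rejected."""
    out = []
    for attr, vals in attrs.items():
        for got in sorted(vals["got"] - vals["expected"]):
            kw = KEYWORDS.get(attr, {}).get(got)
            out.append(kw if kw else f"# no keyword mapping for {attr}={got}")
    return out


def report(lines):
    """Human-readable summary of a log excerpt, as a single string."""
    attrs, dropped = parse_isakmpd(lines)
    parts = []
    for attr, vals in attrs.items():
        parts.append(f"{attr}: offered {sorted(vals['got'])}, "
                     f"server accepts {sorted(vals['expected'])}")
    if dropped:
        parts.append("rejected peers: " + ", ".join(dropped))
    if attrs:
        parts.append("keywords an extra 'ike ... main' line would need: "
                     + "; ".join(missing_keywords(attrs)))
    return "\n".join(parts)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against an excerpt of the daemon log taken while the failing client retries. Two things are worth keeping in mind when acting on the output: the rejected values are what the client proposed, so adding them means the server also accepts those algorithms (3DES and modp1024 in the Windows 7 case above are markedly weaker than AES with modp2048), and, as Vijay notes, with several `ike` lines the stronger one should be listed first so that clients which support it negotiate that rather than the weaker fallback.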
