Hi all!

I know (saw) this has come up numerous times, and some have been successful, 
others weren't. I thought I'd try this out myself, and not surprisingly it 
wasn't successful :)
I've been using these howtos [1] -- I know these can be outdated and/or simply 
wrong, I just wanted to get the general idea on how to tackle this.
I've made it through a couple of hurdles but now I'm stuck and thought I'd ask 
some questions here.

So this is my configuration:
OpenBSD 6.5-stable

/etc/ipsec.conf:
ike passive esp transport \
        proto udp \
        from any to any port l2tp \
        main auth "hmac-sha2" enc "aes-256" group modp1024 \
        quick auth "hmac-sha2" enc "aes-256" \
        psk "thisismykey"

(I found that some howtos specified the group attribute for the line `quick` as 
well, but that didn't work for me, then it seemed this whole thing just 
wouldn't match my connection)

I'm starting isakmpd(8) as
/sbin/isakmpd -d -v -K

Then doing an:
/sbin/ipsecctl -vf /etc/ipsec.conf
=====================8<=====================
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=thisismykey force
C set [peer-default]:Configuration=phase1-peer-default force
C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:KEY_LENGTH=256,256:256 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:Life=LIFE_MAIN_MODE force
C set [from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Phase=2 force
C set [from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:ISAKMP-peer=peer-default force
C set [from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Configuration=phase2-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701 force
C set [from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Local-ID=from-0.0.0.0/0=17 force
C set [from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Remote-ID=to-0.0.0.0/0=17:1701 force
C set [phase2-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Suites=phase2-suite-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701 force
C set [phase2-suite-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Protocols=phase2-protocol-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701 force
C set [phase2-protocol-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701]:Transforms=phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:TRANSFORM_ID=AES force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:KEY_LENGTH=256,256:256 force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:GROUP_DESCRIPTION=MODP_3072 force
C set [phase2-transform-from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:Life=LIFE_QUICK_MODE force
C set [from-0.0.0.0/0=17]:ID-type=IPV4_ADDR_SUBNET force
C set [from-0.0.0.0/0=17]:Network=0.0.0.0 force
C set [from-0.0.0.0/0=17]:Netmask=0.0.0.0 force
C set [to-0.0.0.0/0=17:1701]:ID-type=IPV4_ADDR_SUBNET force
C set [to-0.0.0.0/0=17:1701]:Network=0.0.0.0 force
C set [to-0.0.0.0/0=17:1701]:Netmask=0.0.0.0 force
C set [from-0.0.0.0/0=17]:Protocol=17 force
C set [to-0.0.0.0/0=17:1701]:Protocol=17 force
C set [to-0.0.0.0/0=17:1701]:Port=1701 force
C add [Phase 2]:Passive-Connections=from-0.0.0.0/0=17-to-0.0.0.0/0=17:1701
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=thisismykey force
C set [peer-default]:Configuration=phase1-peer-default force
C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-default]:Transforms=phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:KEY_LENGTH=256,256:256 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-default-PRE_SHARED-SHA2_256-AES256-MODP_1024]:Life=LIFE_MAIN_MODE force
C set [from-::/0=17-to-::/0=17:1701]:Phase=2 force
C set [from-::/0=17-to-::/0=17:1701]:ISAKMP-peer=peer-default force
C set [from-::/0=17-to-::/0=17:1701]:Configuration=phase2-from-::/0=17-to-::/0=17:1701 force
C set [from-::/0=17-to-::/0=17:1701]:Local-ID=from-::/0=17 force
C set [from-::/0=17-to-::/0=17:1701]:Remote-ID=to-::/0=17:1701 force
C set [phase2-from-::/0=17-to-::/0=17:1701]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-::/0=17-to-::/0=17:1701]:Suites=phase2-suite-from-::/0=17-to-::/0=17:1701 force
C set [phase2-suite-from-::/0=17-to-::/0=17:1701]:Protocols=phase2-protocol-from-::/0=17-to-::/0=17:1701 force
C set [phase2-protocol-from-::/0=17-to-::/0=17:1701]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-::/0=17-to-::/0=17:1701]:Transforms=phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:TRANSFORM_ID=AES force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:KEY_LENGTH=256,256:256 force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:GROUP_DESCRIPTION=MODP_3072 force
C set [phase2-transform-from-::/0=17-to-::/0=17:1701-AES256-SHA2_256-MODP_3072-TRANSPORT]:Life=LIFE_QUICK_MODE force
C set [from-::/0=17]:ID-type=IPV6_ADDR_SUBNET force
C set [from-::/0=17]:Network=:: force
C set [from-::/0=17]:Netmask=:: force
C set [to-::/0=17:1701]:ID-type=IPV6_ADDR_SUBNET force
C set [to-::/0=17:1701]:Network=:: force
C set [to-::/0=17:1701]:Netmask=:: force
C set [from-::/0=17]:Protocol=17 force
C set [to-::/0=17:1701]:Protocol=17 force
C set [to-::/0=17:1701]:Port=1701 force
C add [Phase 2]:Passive-Connections=from-::/0=17-to-::/0=17:1701
=====================8<=====================

/etc/npppd/npppd.conf:
=====================8<=====================
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 192.168.100.2-192.168.100.254
        dns-servers 8.8.8.8
}

# use pppx(4) interface.  use an interface per a ppp session.
interface pppx0 address 192.168.100.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0
=====================8<=====================


So now when I connect from my Android 9 phone, set up as an L2TP/IPsec PSK 
connection, specifying the Server address as my internal LAN IP on the OpenBSD 
router (no NAT, just a direct connection on the local network), setting the IPsec 
preshared key to the real key, and entering the username and password I've set 
for npppd(8), I'm getting this output from isakmpd(8):
=====================8<=====================
190048.505560 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
190048.505768 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_3072
190048.505943 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
190048.530050 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.17, responder id 192.168.0.1, src: 192.168.0.1 dst: 192.168.5.17
190049.556596 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190049.556699 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190052.571991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190052.572093 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190055.594500 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190055.594593 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190058.615783 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190058.615909 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190101.642382 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190101.642478 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190104.674817 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190104.674885 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190107.702932 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190107.703001 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190110.728935 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190110.729004 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190113.760991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190113.761061 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190116.770799 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190116.770869 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
=====================8<=====================

Now I'm stuck here. I don't really know why it wouldn't accept these "IDs"; I 
thought I'd covered all my bases with "from any to any" in ipsec.conf(5).
As for the attribute_unacceptable lines, I've tried changing the 'auth' 
attributes to "hmac-sha2-384", and I actually got the same messages. I also 
tried setting the 'group' option for the 'main' and 'quick' lines to modp3072, 
no luck there either.

What also doesn't help is that every time my phone makes an unsuccessful 
connection attempt, I must restart it, because "something gets stuck there", and every 
subsequent connection attempt just doesn't do anything -- no packets are coming 
in from the phone anymore... Anyway.

I hope someone has had success with this and could point me in some kind of 
direction I'm not seeing.

Thanks in advance,
Dani



[1]:
http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn-for-android.html
http://openbsd-archive.7691.n7.nabble.com/L2TP-IPSec-via-npppd-won-t-work-with-Android-5-x-td290194.html


-- 
Lévai, Dániel
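As an added example (not part of the post above, and not OpenBSD code), here is a small Python triage script that parses isakmpd(8) -v lines of the kind quoted in the post and reports which negotiation stage stalled for a given peer; the sample log is constructed from the messages in the post, and the stage names are this script's own labels.

```python
import re

# Constructed sample modelled on the isakmpd -v lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
190048.505560 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
190048.505768 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_3072
190048.530050 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.17, responder id 192.168.0.1, src: 192.168.0.1 dst: 192.168.5.17
190049.556596 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190049.556699 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190052.571991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190052.572093 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
"""

LINE_RE = re.compile(r"^(?P<ts>\d{6}\.\d+) Default (?P<msg>.*)$")
ATTR_RE = re.compile(r"attribute_unacceptable: (?P<attr>\w+): got (?P<got>\w+), expected (?P<exp>\w+)")
P1_RE = re.compile(r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<init>[\d.]+), responder id (?P<resp>[\d.]+)")
P2ID_RE = re.compile(r"peer proposed invalid phase 2 IDs: initiator id (?P<init>[\d.]+)")
DROP_RE = re.compile(r"dropped message from (?P<peer>[\d.]+) port \d+ due to notification type (?P<notif>\w+)")

def summarize(log_text):
    """Collapse an isakmpd -v log into per-peer negotiation state."""
    summary = {"mismatches": [], "phase1_done": {}, "phase2_id_rejects": {}, "drops": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an isakmpd -v line (e.g. a mail-wrapped continuation)
        msg = m.group("msg")
        if (a := ATTR_RE.search(msg)):
            summary["mismatches"].append((a["attr"], a["got"], a["exp"]))
        elif (p := P1_RE.search(msg)):
            summary["phase1_done"][p["init"]] = p["resp"]
        elif (q := P2ID_RE.search(msg)):
            summary["phase2_id_rejects"][q["init"]] = summary["phase2_id_rejects"].get(q["init"], 0) + 1
        elif (d := DROP_RE.search(msg)):
            key = (d["peer"], d["notif"])
            summary["drops"][key] = summary["drops"].get(key, 0) + 1
    return summary

def diagnose(summary, peer):
    """Name the stage at which negotiation with `peer` stalled (labels are this script's own)."""
    if peer not in summary["phase1_done"]:
        return "phase1"  # no ISAKMP SA was established; look at PSK and phase 1 proposals
    if summary["phase2_id_rejects"].get(peer):
        return "phase2-ids"  # SA is up, but no flow in ipsec.conf matched the proposed phase 2 IDs
    if any(p == peer for p, _ in summary["drops"]):
        return "phase2-other"
    return "ok"
```

Attribute mismatches are collected separately because, as in the post, they can appear even when phase 1 still completes; the diagnosis looks only at the stage that actually stalled.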
