On Mon, 14 Oct 2019, Stefan Sperling wrote:

On Mon, Oct 14, 2019 at 05:55:58PM +1100, Damian McGuckin wrote:
Because I had a working L2TP server setup on $L2TP, I was not going to
go into its pf.conf, ipsec.conf, or anything else. But here is npppd.conf

    ike passive esp transport \
        proto udp from egress to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "3des" group modp1024 \
        psk "MYSECRET"

As an aside, you should avoid use of 3des because it is effectively plaintext.

I take your point about 3des but I was starting from a known configuration which works (albeit with the external interface having a Public IP)

There are ways to make even Windows clients use actual crypto with IPsec if
needed, though last I checked it could not be done from the GUI but required
powershell commands. (I don't have a URL handy, sorry, but this information
wasn't very hard to find when I needed it.)

Thanks. I will investigate. This has to work with iPads as well. Yuk!

You could try to pin-point the problem a bit more, starting with diagnostics
at the IPsec layer. Check debug logs from isakmpd, check ipsecctl -sa, etc.

OK.

I suspect getting IPsec SAs going with both peers behind NAT is tricky.

I agree.

See my subsequent post where I replaced 'egress' above with the external IP (of the subsequently NAT'd npppd server). Closer. But not quite there.

Thanks - Damian
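As an added example (not part of this thread, nor OpenBSD's own code): the ipsec.conf-style fragment posted above placed beside the same policy with the 3des/modp1024 choices Stefan objects to replaced by algorithms ipsec.conf(5) accepts, plus a small POSIX shell check that flags the weak tokens in such a fragment. The peer address and PSK are the thread's own placeholders; the hardened algorithm set assumes the L2TP clients can be configured to offer a matching proposal.

```shell
#!/bin/sh
# Fragment as posted in the thread: main/quick mode with 3des, hmac-sha1
# and the 1024-bit MODP group.
WEAK_CONF='ike passive esp transport \
    proto udp from egress to any port 1701 \
    main auth "hmac-sha1" enc "3des" group modp1024 \
    quick auth "hmac-sha1" enc "3des" group modp1024 \
    psk "MYSECRET"'

# Same policy with AES-256, HMAC-SHA2-256 and modp2048 (all listed in
# ipsec.conf(5)). Phase 1 and 2 only succeed if the client offers these,
# so confirm the L2TP client's IKE/ESP settings before switching.
STRONG_CONF='ike passive esp transport \
    proto udp from egress to any port 1701 \
    main auth "hmac-sha2-256" enc "aes-256" group modp2048 \
    quick auth "hmac-sha2-256" enc "aes-256" group modp2048 \
    psk "MYSECRET"'

# check_ipsec_conf: read a config fragment on stdin, print each weak
# algorithm/group token found (one per line, sorted, unique); return 1 if
# any was found, 0 otherwise. Tokens treated as weak here (assumed list):
# des, 3des, hmac-md5, modp768, modp1024.
check_ipsec_conf() {
    # Drop comments, remove line continuations and quotes, then split the
    # remainder into one token per line before whole-token matching.
    found=$(sed 's/#.*//' | tr -d '\\"' | tr -s ' \t\n' '\n' |
        grep -E -x '(des|3des|hmac-md5|modp768|modp1024)' | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# weak_algos: convenience wrapper taking the fragment as an argument.
weak_algos() {
    printf '%s\n' "$1" | check_ipsec_conf
}

# weak_algo_count: number of distinct weak tokens in the fragment.
weak_algo_count() {
    printf '%s\n' "$1" | check_ipsec_conf | wc -l | tr -d ' '
}

weak_algos "$WEAK_CONF" || echo "posted fragment uses weak algorithms"
weak_algos "$STRONG_CONF" && echo "hardened fragment: no weak tokens found"
```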
