Hello list! If anyone could shed some light on the following I would be thankful. I have 2 5.4-current boxes, one acting as an npppd server over IPsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although Linux and Windows clients connect OK with the same setup, I can't get the OpenBSD client to connect.
server /etc/ipsec.conf:

local_ip="A.B.C.D"

ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha" enc "aes" group modp2048 \
    quick auth "hmac-sha" enc "aes" \
    psk "xxxxxxxxx"

obsd client /etc/ipsec.conf:

remote_ip="A.B.C.D"
local_ip="E.F.G.H"

ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
    main auth "hmac-sha" enc "aes" group modp2048 \
    quick auth "hmac-sha" enc "aes" \
    psk "xxxxxxxxx"

Now when both endpoints start isakmpd and we run ipsecctl, we see the flows being created. The same kinds of flows get created for the other Windows and Linux clients.

server /etc/npppd/npppd.conf:

authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
    listen on 0.0.0.0
    l2tp-accept-dialin yes
    authentication-method mschapv2
    pipex yes
}

ipcp IPCP {
    pool-address 10.0.10.2-10.0.10.254
    dns-servers 8.8.8.8
}

# use tun(4) interface. multiple ppp sessions concentrate one interface.
interface tun0 address 10.0.10.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

obsd client's /etc/xl2tpd/xl2tpd.conf:

[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac foo]
lns = A.B.C.D
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
autodial=yes

obsd client's /etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
name xxxxx
password xxxxx

The problem is that, as we see from the logs, the OpenBSD client refuses to cope with mschap-v2 and various other options from that last file. If we remove all the offending options we end up with "no authentication protocols are agreeable" in the npppd logs.... Ideas? Suggestions for other approaches? Help me misc@openbsd.org, you're my only hope... ;) Thanks guys.