Android mobile - OpenBSD IPSEC
Hi Christopher,

After I figured out the npppd config setup (seems there were some recent syntax changes) it worked like a charm. I'll post my config files here as soon as I am at home.

Jan
Re: Android mobile - OpenBSD IPSEC
Ohh I see. I totally missed the l2tp stuff. I thought Android could do plain ipsec or ipsec with l2tp. I think things will flow now. Thank you
Re: Android mobile - OpenBSD IPSEC
On 2013-01-24, Jan Lambertz wrote:
> Hi,
>
> Running OpenBSD 5.2 AMD64 release as homeserver.
> Got Android 2.3 Samsung Mobile.
> Want to connect via vpn IPSEC.
> Config:
> ike passive esp tunnel from any to any \
> main auth hmac-sha1 enc des \
> quick auth hmac-sha1 enc des \
> srcid dstid (tested different things here without effect) \
> psk "test123"
>
>
> Also changed any to any to more concise settings, without effect.
> local ip and peer any didn't help, too.
>
>
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
>
>
> 89.204.138.90 seems to be the mobile
> 10.166.112.90 ?? what's this ?
>
> btw. I'm using the standard vpn client built in Android. before I can
> connect I have to enter a username / pw (not psk). is ipsec about username
> / pw stuff ? could find it anywhere in the manuals.
>
>
> thanks
>
>

The standard Android vpn client uses l2tp/ipsec.

Here are some files from a working setup with Android 4.1.2; I'm pretty sure similar worked with Android 3.x, no idea about 2.x.

>> /etc/ipsec.conf

ike passive esp transport \
  proto udp from $SERVER_IP to any port 1701 \
  main auth "hmac-sha" enc "aes" group modp1024 \
  quick auth "hmac-sha" enc "aes" \
  psk "somepsk"
.

>> /etc/npppd/npppd.conf

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
        listen on $SERVER_IP
}

ipcp IPCP {
        pool-address 172.28.15.128-172.28.15.255
        dns-servers 172.28.15.2
}

interface pppx0 address 172.28.15.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
.

>> /etc/npppd/npppd-users

someuser:\
        :password=blahblah:\
        :framed-ip-address=172.28.15.50:
.

>> /etc/sysctl.conf

net.pipex.enable=1
net.inet.ip.forwarding=1
Re: Android mobile - OpenBSD IPSEC
Are you using just ipsec, or L2TP?

On Wed, Jan 23, 2013 at 11:48 PM, Jan Lambertz wrote:
> Hi,
>
> Running OpenBSD 5.2 AMD64 release as homeserver.
> Got Android 2.3 Samsung Mobile.
> Want to connect via vpn IPSEC.
> Config:
> ike passive esp tunnel from any to any \
> main auth hmac-sha1 enc des \
> quick auth hmac-sha1 enc des \
> srcid dstid (tested different things here without effect) \
> psk "test123"
>
>
> Also changed any to any to more concise settings, without effect.
> local ip and peer any didn't help, too.
>
>
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
>
>
> 89.204.138.90 seems to be the mobile
> 10.166.112.90 ?? what's this ?
>
> btw. I'm using the standard vpn client built in Android. before I can
> connect I have to enter a username / pw (not psk). is ipsec about username
> / pw stuff ? could find it anywhere in the manuals.
>
>
> thanks
Android mobile - OpenBSD IPSEC
Hi,

Running OpenBSD 5.2 AMD64 release as homeserver.
Got Android 2.3 Samsung Mobile.
Want to connect via vpn IPSEC.
Config:
ike passive esp tunnel from any to any \
main auth hmac-sha1 enc des \
quick auth hmac-sha1 enc des \
srcid dstid (tested different things here without effect) \
psk "test123"

Also changed any to any to more concise settings, without effect.
local ip and peer any didn't help, too.

Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id 178.26.160.62
Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90 port 51210 due to notification type INVALID_ID_INFORMATION
Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id 178.26.160.62
Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90 port 51210 due to notification type INVALID_ID_INFORMATION
Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id 178.26.160.62
Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90 port 51210 due to notification type INVALID_ID_INFORMATION

89.204.138.90 seems to be the mobile
10.166.112.90 ?? what's this ?

btw. I'm using the standard vpn client built in Android. before I can connect I have to enter a username / pw (not psk). is ipsec about username / pw stuff ? could find it anywhere in the manuals.

thanks