I have been playing around a little with the npppd daemon, having set up an
L2TP server for test and learning purposes. The connection is running in
an IPsec tunnel and it works great and runs very well when used on a
local network.
But I'm having problems when it comes to NAT.
This is my setup:
client (Windows XP) NAT - internet - OpenBSD (public IP)
The OpenBSD machine is running on a snapshot: OpenBSD 5.0-current
(GENERIC) #60: Thu Sep 22 11:33:48 MDT 2011
This is my ipsec.conf:
# cat /etc/ipsec.conf
# $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.
ike passive \
from any to any \
main auth hmac-sha enc 3des group modp2048 \
quick auth hmac-sha enc 3des \
psk secret
#
(I'm using a psk for simplicity.)
And this is the output from isakmpd -Kvd:
# isakmpd -Kvd
135735.070170 Default isakmpd: starting [priv]
135745.894966 Default isakmpd: phase 1 done (as responder): initiator id LB-II.Landbjorn.local, responder id XXX.XXX.XXX.XXX, src: XXX.XXX.XXX.XXX dst: 87.56.249.90
135745.944132 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135746.518485 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135748.518811 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135750.294002 Default isakmpd: Peer 87.56.249.90 made us delete live SA peer-default for proto 1, initiator id: LB-II.Landbjorn.local, responder id: XXX.XXX.XXX.XXX
(XXX.XXX.XXX.XXX is the public IP of the OpenBSD machine.)
Phase 1 is completed successfully, but phase 2 fails.
I have searched Google, and found this: http://tinyurl.com/5vsvvfq
I have tried running isakmpd with the -T flag but no luck.
Any idea what could be wrong?
Best regards
Martin
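An added example, not part of the original post and not OpenBSD's own code: a small Python helper that groups isakmpd -Kvd log lines by peer address and reports whether a peer completed phase 1 and was then rejected in phase 2 with INVALID_ID_INFORMATION, which is the pattern in the output above. The sample log is constructed to mirror that output; the addresses and IDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the isakmpd -Kvd output quoted in the post;
# addresses and IDs are placeholders from documentation ranges, not real hosts.
SAMPLE_LOG = """\
135735.070170 Default isakmpd: starting [priv]
135745.894966 Default isakmpd: phase 1 done (as responder): initiator id client.example.local, responder id 192.0.2.1, src: 192.0.2.1 dst: 198.51.100.7
135745.944132 Default dropped message from 198.51.100.7 port 18260 due to notification type INVALID_ID_INFORMATION
135746.518485 Default dropped message from 198.51.100.7 port 18260 due to notification type INVALID_ID_INFORMATION
135748.518811 Default dropped message from 198.51.100.7 port 18260 due to notification type INVALID_ID_INFORMATION
135750.294002 Default isakmpd: Peer 198.51.100.7 made us delete live SA peer-default for proto 1, initiator id: client.example.local, responder id: 192.0.2.1
"""

# isakmpd -v prefixes each line with HHMMSS.microseconds
STAMP_RE = re.compile(r"^(\d{2})(\d{2})(\d{2}\.\d+) ")
PHASE1_RE = re.compile(r"phase 1 done \(as \w+\): initiator id (\S+), responder id \S+, src: \S+ dst: (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\S+)")
DELETE_RE = re.compile(r"Peer (\S+) made us delete live SA")

def stamp_seconds(line):
    """Convert the HHMMSS.ffffff prefix to seconds since midnight."""
    h, m, s = STAMP_RE.match(line).groups()
    return int(h) * 3600 + int(m) * 60 + float(s)

def new_peer():
    return {"phase1_at": None, "ports": set(), "notifies": defaultdict(int), "deleted_at": None}

def summarize(log_text):
    """Group isakmpd events by peer address and record how far each negotiation got."""
    peers = defaultdict(new_peer)
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):          # dst on this line is the peer
            peers[m.group(2)]["phase1_at"] = stamp_seconds(line)
        elif m := DROP_RE.search(line):          # phase 2 proposal rejected
            peers[m.group(1)]["ports"].add(int(m.group(2)))
            peers[m.group(1)]["notifies"][m.group(3)] += 1
        elif m := DELETE_RE.search(line):        # peer tore down the phase 1 SA
            peers[m.group(1)]["deleted_at"] = stamp_seconds(line)
    return peers

def diagnose(peer):
    """Turn one peer's record into a short verdict."""
    if peer["phase1_at"] is None:
        return "phase 1 never completed"
    rejected = peer["notifies"].get("INVALID_ID_INFORMATION", 0)
    if rejected and peer["deleted_at"] is not None:
        lifetime = peer["deleted_at"] - peer["phase1_at"]
        odd_ports = sorted(peer["ports"] - {500, 4500})   # IKE normally uses 500/4500
        nat = "; source port(s) %s (not 500/4500) indicate NAT in the path" % odd_ports if odd_ports else ""
        return ("phase 2 failed: %d quick-mode proposal(s) rejected with INVALID_ID_INFORMATION, "
                "phase 1 SA torn down after %.1fs%s" % (rejected, lifetime, nat))
    return "phase 1 up, no phase 2 failure seen"
```

Running `diagnose(summarize(SAMPLE_LOG)["198.51.100.7"])` on the constructed log yields the "phase 2 failed" verdict with three rejected proposals and a NAT hint from port 18260.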