Re: VPN Between OpenBSD and iOS

2014-01-13 Thread Tor Houghton
On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
 Yasuoka,
 
 I tried that just now and it doesn't seem to make a difference.
 
 Thanks,
 

At risk of replying off-topic and out of date, I'll ask the question anyway.

Have you considered using OpenVPN, as there are working clients for iOS now?
I've been using this successfully on my iPad for a year or so now.

Tor



Re: VPN Between OpenBSD and iOS

2014-01-13 Thread Matthew P. Carlson
Tor,

I've considered it and would prefer to get the native OpenBSD VPN working. That 
being said, I may look into OpenVPN if I can't get this to work. 

Thanks,

Matt

 On Jan 13, 2014, at 4:14 AM, Tor Houghton t...@bogus.net wrote:
 
 On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
 Yasuoka,
 
 I tried that just now and it doesn't seem to make a difference.
 
 Thanks,
 
 At risk of replying off-topic and out of date, I'll ask the question anyway.
 
 Have you considered using OpenVPN, as there are working clients for iOS now?
 I've been using this successfully on my iPad for a year or so now.
 
 Tor



Re: VPN Between OpenBSD and iOS

2014-01-13 Thread Giancarlo Razzolini
On 13-01-2014 18:02, Matthew P. Carlson wrote:
 Tor,

 I've considered it and would prefer to get the native OpenBSD VPN working. 
 That being said, I may look into OpenVPN if I can't get this to work. 

 Thanks,

 Matt


Hi,

I've used the OpenBSD native VPN, both with L2TP/IPsec and with PPTP,
and they work as expected. I've never managed to get an iOS device to
connect successfully with L2TP, though. I kind of hit a wall. But I did
not look that much into it and went with OpenVPN. I've been using it for
more than 10 years now and it gets the job done, and there are some
features of it that you can't accomplish with a simple L2TP/IPsec, plain
IPsec or PPTP setup. At least not just with the VPN daemon itself.
Anyway, back to the topic, a wild guess: is it possible you are running
into MTU issues? As far as I remember from IKE, phase 2 is more network
intensive, which would explain your behaviour if it were an MTU issue.
This might be something worth looking into.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: VPN Between OpenBSD and iOS

2014-01-04 Thread mxb
I’m doing RADIUS auth. Here is my npppd.conf:

tunnel L2TP protocol l2tp {
    listen on my public IP
    l2tp-hostname "myhostname.com"
    l2tp-vendor-name OpenBSD
    l2tp-accept-dialin yes
    mru 1360
    lcp-timeout 18
    authentication-method mschapv2
    tcp-mss-adjust yes
    pipex yes
    mppe no
#   ingress-filter yes
}

ipcp IPCP {
    pool-address 172.17.0.2-172.17.0.254
    dns-servers 192.168.78.123
    allow-user-selected-address no
}

interface tun0 address 172.17.0.1 ipcp IPCP

authentication LOCAL type local {
    users-file /etc/npppd/npppd-users
}

authentication RADIUS type radius {
    authentication-server {
        address 192.168.78.125 secret "my_radius_secret"
    }

    accounting-server {
        address 192.168.78.125 secret "my_radius_secret"
    }
}

bind tunnel from L2TP authenticated by RADIUS to tun0


//mxb


On 4 jan 2014, at 02:09, Matt Carlson obsda0...@mpcarlson.com wrote:

 mxb,

 I tried that and I'm getting the same results. Any other ideas? What does
your npppd.conf look like?

 Thanks,

 Matt


 On Fri, Jan 3, 2014 at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
 I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
pre-release). My ipsec.conf for L2TP is this:

 ike passive esp transport \
     proto udp from $local_gw to any port 1701 \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc aes \
     psk "ReallyweakPassword"



 On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:

  Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
  Phase I works once I tweaked my isakmp settings to match IOS7's
capabilities
  (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
  I have a npppd PPTP tunnel to the same server that works fine.
  It is just L2TP/IPSEC that has the issues.
 
 
  Mike



Re: VPN Between OpenBSD and iOS

2014-01-03 Thread mxb
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). 
My ipsec.conf for L2TP is this:

ike passive esp transport \
    proto udp from $local_gw to any port 1701 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "ReallyweakPassword"



On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:

 Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
 Phase I works once I tweaked my isakmp settings to match IOS7's capabilities 
 (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
 I have a npppd PPTP tunnel to the same server that works fine.  
 It is just L2TP/IPSEC that has the issues.
 
 
 Mike



Re: VPN Between OpenBSD and iOS

2014-01-03 Thread Matthew P. Carlson
mxb,

Great. I'll try that this weekend. 

Thanks,

Matt

 On Jan 3, 2014, at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
 
 I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is 
 pre-release). My ipsec.conf for L2TP is this:
 
 ike passive esp transport \
     proto udp from $local_gw to any port 1701 \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc aes \
     psk "ReallyweakPassword"
 
 
 
 On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:
 
 Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
 Phase I works once I tweaked my isakmp settings to match IOS7's capabilities 
 (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
 I have a npppd PPTP tunnel to the same server that works fine.  
 It is just L2TP/IPSEC that has the issues.
 
 
 Mike



Re: VPN Between OpenBSD and iOS

2014-01-03 Thread Matt Carlson
mxb,

I tried that and I'm getting the same results. Any other ideas? What does
your npppd.conf look like?

Thanks,

Matt


On Fri, Jan 3, 2014 at 8:03 AM, mxb m...@alumni.chalmers.se wrote:

 I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
 pre-release). My ipsec.conf for L2TP is this:

 ike passive esp transport \
     proto udp from $local_gw to any port 1701 \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc aes \
     psk "ReallyweakPassword"



 On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:

  Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
  Phase I works once I tweaked my isakmp settings to match IOS7's
 capabilities
  (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
  I have a npppd PPTP tunnel to the same server that works fine.
  It is just L2TP/IPSEC that has the issues.
 
 
  Mike



Re: VPN Between OpenBSD and iOS

2013-12-30 Thread Jeff Goettsch

What does your npppd.conf look like?



--
Jeff Goettsch
Agricultural and Resource Economics
http://agecon.ucdavis.edu/
530-752-2219

On 12/29/13 5:58 PM, Matt Carlson wrote:

Hello,

I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
VPN server. If I understand the problem correctly, it's unable to
negotiate phase 2. I'd welcome any pointers.

Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs
(e.g. 10.a.b.c) and I removed some line from /var/log/messages and
replaced them with snip, since this is already fairly long.

I welcome any suggestions/recommendations.

Thanks,

Matt

# uname -a
OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
# cat /etc/rc.conf.local


ipsec=YES
isakmpd_flags=-Kv
ftpproxy_flags=
ntpd_flags=
pppd_flags=
route6d_flags=
named_flags=
# grep -v ^# /etc/ipsec.conf


ike passive esp transport \
proto udp \
from any to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes-256 \
psk 1
# cat /var/log/messages
snip
Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
Dec 29 16:31:24 carbon named[6427]: command channel listening on
127.0.0.1#953
Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
Dec 29 16:31:24 carbon named[6427]: running
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet
capture to file /var/run/isakmpd.pcap
Dec 29 16:31:30 carbon npppd[22659]: Load configuration
from='/etc/npppd/npppd.conf' successfully.
snip
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as
responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i
dst: 166.d.e.f
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us
delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder
id: 69.g.h.i
# tcpdump -vvr /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 116 to 65536
16:32:57.256488 mobile-166-d-e-f.mycingular.net.6885 >
c-69.g.h.i.hsd1.va.comcast.net.isakmp: [udp sum ok] isakmp 

Re: VPN Between OpenBSD and iOS

2013-12-30 Thread YASUOKA Masahiko
Hi,

On Sun, 29 Dec 2013 20:58:03 -0500
Matt Carlson obsda0...@mpcarlson.com wrote:
 # grep -v ^# /etc/ipsec.conf
 
 
 ike passive esp transport \
proto udp \
from any to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes-256 \
psk 1

AFAIK, a fixed IP address should be used as the source address.

Does changing

from any to any port 1701 \

to

from 69.g.h.i to any port 1701 \

fix the problem?

--yasuoka



Re: VPN Between OpenBSD and iOS

2013-12-30 Thread Matt Carlson
Yasuoka,

I tried that just now and it doesn't seem to make a difference.

Thanks,

Matt


On Mon, Dec 30, 2013 at 7:34 PM, YASUOKA Masahiko yasu...@yasuoka.net wrote:

 Hi,

 On Sun, 29 Dec 2013 20:58:03 -0500
 Matt Carlson obsda0...@mpcarlson.com wrote:
  # grep -v ^# /etc/ipsec.conf
 
 
  ike passive esp transport \
 proto udp \
 from any to any port 1701 \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes-256 \
 psk 1

 AFAIK, fixed IP address should be used for the source address.

 Does changing

 from any to any port 1701 \

 to

 from 69.g.h.i to any port 1701 \

 fix the problem?

 --yasuoka



Re: VPN Between OpenBSD and iOS

2013-12-30 Thread Matt Carlson
Jeff,

Here you go:

$ grep -v ^# /etc/npppd/npppd.conf


authentication LOCAL type local {

users-file /etc/npppd/npppd-users

}

tunnel L2TP_ipv4 protocol l2tp {

listen on 0.0.0.0

}

ipcp IPCP {

pool-address 10.0.0.2-10.0.0.254

dns-servers 8.8.8.8

}

interface pppx0 address 10.0.0.1 ipcp IPCP

bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Thanks,

Matt


On Mon, Dec 30, 2013 at 4:10 PM, Jeff Goettsch j...@primal.ucdavis.edu wrote:

 What does your npppd.conf look like?



 --
 Jeff Goettsch
 Agricultural and Resource Economics
 http://agecon.ucdavis.edu/
 530-752-2219


 On 12/29/13 5:58 PM, Matt Carlson wrote:

 Hello,

 I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
 VPN server. If I understand the problem correctly, it's unable to
 negotiate phase 2. I'd welcome any pointers.

 Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
 messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs
 (e.g. 10.a.b.c) and I removed some line from /var/log/messages and
 replaced them with snip, since this is already fairly long.

 I welcome any suggestions/recommendations.

 Thanks,

 Matt

 # uname -a
 OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
 # cat /etc/rc.conf.local


 ipsec=YES
 isakmpd_flags=-Kv
 ftpproxy_flags=
 ntpd_flags=
 pppd_flags=
 route6d_flags=
 named_flags=
 # grep -v ^# /etc/ipsec.conf


 ike passive esp transport \
 proto udp \
 from any to any port 1701 \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes-256 \
 psk 1
 # cat /var/log/messages
 snip
 Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
 Dec 29 16:31:24 carbon named[6427]: command channel listening on
 127.0.0.1#953
 Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
 Dec 29 16:31:24 carbon named[6427]: running
 Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
 Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659
 version=5.0.0
 Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE
 packet
 capture to file /var/run/isakmpd.pcap
 Dec 29 16:31:30 carbon npppd[22659]: Load configuration
 from='/etc/npppd/npppd.conf' successfully.
 snip
 Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as
 responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i
 dst: 166.d.e.f
 Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:29 carbon isakmpd[28467]: 

Re: VPN Between OpenBSD and iOS

2013-12-30 Thread Mike Pistone
Strangely enough I am having the exact same problem. OpenBSD 5.4, etc.

Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities
(no modp2048 mainly), but I get the same messages Matt does on phase II.


I have an npppd PPTP tunnel to the same server that works fine.
It is just L2TP/IPsec that has the issues.


Mike



VPN Between OpenBSD and iOS

2013-12-29 Thread Matt Carlson
Hello,

I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
VPN server. If I understand the problem correctly, it's unable to
negotiate phase 2. I'd welcome any pointers.

Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
messages and isakmpd.pcap. I changed a couple of IP addresses and FQDNs
(e.g. 10.a.b.c) and I removed some lines from /var/log/messages and
replaced them with snip, since this is already fairly long.

I welcome any suggestions/recommendations.

Thanks,

Matt

# uname -a
OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
# cat /etc/rc.conf.local


ipsec=YES
isakmpd_flags=-Kv
ftpproxy_flags=
ntpd_flags=
pppd_flags=
route6d_flags=
named_flags=
# grep -v ^# /etc/ipsec.conf


ike passive esp transport \
   proto udp \
   from any to any port 1701 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes-256 \
   psk 1
# cat /var/log/messages
snip
Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
Dec 29 16:31:24 carbon named[6427]: command channel listening on
127.0.0.1#953
Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
Dec 29 16:31:24 carbon named[6427]: running
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet
capture to file /var/run/isakmpd.pcap
Dec 29 16:31:30 carbon npppd[22659]: Load configuration
from='/etc/npppd/npppd.conf' successfully.
snip
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as
responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i
dst: 166.d.e.f
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port
48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us
delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder
id: 69.g.h.i
# tcpdump -vvr /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 116 to 65536
16:32:57.256488 mobile-166-d-e-f.mycingular.net.6885 >
c-69.g.h.i.hsd1.va.comcast.net.isakmp: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: 84d030732a69f98e- msgid:  len: 500
payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
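
For anyone triaging the same log shape, an added example, not from this
post and not an OpenBSD tool: a short Python script that reads isakmpd
lines like the ones above and separates what the log already proves from
what still has to be found out. Phase 1 completing means the pre-shared
key and the phase 1 proposals matched; every quick-mode exchange was then
refused at the phase 2 ID check (INVALID_ID_INFORMATION) until the peer
gave up and deleted the phase 1 SA. The script also notes that the
initiator's phase 2 ID is an RFC 1918 address while its packets arrive
from a public one, i.e. the client sits behind NAT (the cellular carrier,
going by the hostname in the capture). The sample lines are constructed
after the excerpt above; the post's redacted addresses are replaced with
10.0.0.5 (for 10.a.b.c), 203.0.113.7 (for 69.g.h.i) and 198.51.100.9 (for
166.d.e.f).

```python
"""Triage isakmpd syslog lines for a failing L2TP/IPsec phase 2.

Added example, not part of the thread. Line shapes follow the /var/log/messages
excerpt in the original post; its redacted addresses are replaced with
constructed ones (10.a.b.c -> 10.0.0.5, 69.g.h.i -> 203.0.113.7,
166.d.e.f -> 198.51.100.9).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (see module docstring); real syslog lines are unwrapped.
SAMPLE_LOG = """\
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.0.0.5, responder id 203.0.113.7, src: 203.0.113.7 dst: 198.51.100.9
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.5, responder id 203.0.113.7
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 198.51.100.9 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.5, responder id 203.0.113.7
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 198.51.100.9 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 198.51.100.9 made us delete live SA peer-default for proto 1, initiator id: 10.0.0.5, responder id: 203.0.113.7
"""

# One pattern per isakmpd message we care about; field names become dict keys.
PATTERNS = {
    "phase1": re.compile(r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<iid>\S+), "
                         r"responder id (?P<rid>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)"),
    "invalid_p2": re.compile(r"peer proposed invalid phase 2 IDs: initiator id (?P<iid>\S+), "
                             r"responder id (?P<rid>\S+)"),
    "dropped": re.compile(r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
                          r"due to notification type (?P<notify>\w+)"),
    "sa_deleted": re.compile(r"Peer (?P<peer>\S+) made us delete live SA"),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for RFC 1918 space; False for public or unparsable (e.g. redacted) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Classify one syslog line; returns (kind, fields) or None for lines we ignore."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def triage(log_text):
    """Count the IKE events in the log and derive the findings the lines support."""
    summary = {"phase1_done": 0, "invalid_phase2_ids": 0, "sa_deleted": 0,
               "notifications": Counter(), "findings": []}
    last_phase1 = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fields = parsed
        if kind == "phase1":
            summary["phase1_done"] += 1
            last_phase1 = fields
        elif kind == "invalid_p2":
            summary["invalid_phase2_ids"] += 1
        elif kind == "dropped":
            summary["notifications"][fields["notify"]] += 1
        elif kind == "sa_deleted":
            summary["sa_deleted"] += 1
    if last_phase1 and summary["invalid_phase2_ids"]:
        # Phase 1 completed, so PSK and phase 1 proposals are fine; the quick
        # mode proposal is what isakmpd refuses.
        summary["findings"].append("phase2_rejected_after_phase1_ok")
        # From the responder's view "dst" is where the peer's packets come from.
        if is_rfc1918(last_phase1["iid"]) and not is_rfc1918(last_phase1["dst"]):
            summary["findings"].append(
                "peer_behind_nat: initiator id %s is RFC 1918 but its packets arrive from %s"
                % (last_phase1["iid"], last_phase1["dst"]))
    if summary["sa_deleted"]:
        summary["findings"].append("peer_deleted_phase1_sa_after_retries")
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-20s %s" % (key, value))
```

Run it against a real /var/log/messages with
python3 triage.py < /dev/null after swapping SAMPLE_LOG for the file's
contents; the regexes only depend on the isakmpd message text, not on the
syslog prefix.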

Re: VPN Between OpenBSD and iOS

2013-12-29 Thread patrick keshishian
Hi,

On 12/29/13, Matt Carlson obsda0...@mpcarlson.com wrote:
 Hello,

 I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
 VPN server. If I understand the problem correctly, it's unable to
 negotiate phase 2. I'd welcome any pointers.

I'm somewhat curious, about this. Can you verify if this is
only an issue when AES cipher is used?

--patrick


 Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
 messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs
 (e.g. 10.a.b.c) and I removed some line from /var/log/messages and
 replaced them with snip, since this is already fairly long.

 I welcome any suggestions/recommendations.

 Thanks,

 Matt

 # uname -a
 OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
 # cat /etc/rc.conf.local


 ipsec=YES
 isakmpd_flags=-Kv
 ftpproxy_flags=
 ntpd_flags=
 pppd_flags=
 route6d_flags=
 named_flags=
 # grep -v ^# /etc/ipsec.conf


 ike passive esp transport \
proto udp \
from any to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes-256 \
psk 1
 # cat /var/log/messages
 snip
 Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
 Dec 29 16:31:24 carbon named[6427]: command channel listening on
 127.0.0.1#953
 Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
 Dec 29 16:31:24 carbon named[6427]: running
 Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
 Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
 Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet
 capture to file /var/run/isakmpd.pcap
 Dec 29 16:31:30 carbon npppd[22659]: Load configuration
 from='/etc/npppd/npppd.conf' successfully.
 snip
 Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as
 responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i
 dst: 166.d.e.f
 Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer
 proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
 Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port
 48970 due to notification type INVALID_ID_INFORMATION
 Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us
 delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder
 id: 69.g.h.i
 # tcpdump -vvr /var/run/isakmpd.pcap
 tcpdump: WARNING: snaplen raised from 116 to 65536
 16:32:57.256488