Re: VPN Between OpenBSD and iOS
On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
> Yasuoka,
>
> I tried that just now and it doesn't seem to make a difference.
>
> Thanks,

At risk of replying off-topic and out of date, I'll ask the question anyway. Have you considered using OpenVPN, as there are working clients for iOS now? I've been using this successfully on my iPad for a year or so now.

Tor
Re: VPN Between OpenBSD and iOS
Tor,

I've considered it and would prefer to get the native OpenBSD VPN working. That being said, I may look into OpenVPN if I can't get this to work.

Thanks,
Matt

On Jan 13, 2014, at 4:14 AM, Tor Houghton t...@bogus.net wrote:
> On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
>> Yasuoka,
>>
>> I tried that just now and it doesn't seem to make a difference.
>>
>> Thanks,
>
> At risk of replying off-topic and out of date, I'll ask the question anyway. Have you considered using OpenVPN, as there are working clients for iOS now? I've been using this successfully on my iPad for a year or so now.
>
> Tor
Re: VPN Between OpenBSD and iOS
On 13-01-2014 18:02, Matthew P. Carlson wrote:
> Tor,
>
> I've considered it and would prefer to get the native OpenBSD VPN working. That being said, I may look into OpenVPN if I can't get this to work.
>
> Thanks,
> Matt

Hi,

I've used the OpenBSD native VPN, both with L2TP/IPsec and with PPTP, and they work as expected. I've never made an iOS device successfully connect with L2TP, though. I kind of hit a wall. But I did not look that much into it and went with OpenVPN. I've been using it for more than 10 years now and it gets the job done, and there are some features of it that you can't accomplish with a simple L2TP/IPsec, plain IPsec or PPTP setup. At least not just with the VPN daemon itself.

Anyway, back to the topic, a wild guess: is it possible you are running into MTU issues? As far as I remember from IKE, phase 2 is more network intensive, which would explain your behavior if it were an MTU issue. This might be something worth looking into.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: VPN Between OpenBSD and iOS
I'm doing RADIUS auth. Here is my npppd.conf:

    tunnel L2TP protocol l2tp {
        listen on my public IP
        l2tp-hostname myhostname.com
        l2tp-vendor-name OpenBSD
        l2tp-accept-dialin yes
        mru 1360
        lcp-timeout 18
        authentication-method mschapv2
        tcp-mss-adjust yes
        pipex yes
        mppe no
        # ingress-filter yes
    }

    ipcp IPCP {
        pool-address 172.17.0.2-172.17.0.254
        dns-servers 192.168.78.123
        allow-user-selected-address no
    }

    interface tun0 address 172.17.0.1 ipcp IPCP

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }

    authentication RADIUS type radius {
        authentication-server {
            address 192.168.78.125
            secret my_radius_secret
        }
        accounting-server {
            address 192.168.78.125
            secret my_radius_secret
        }
    }

    bind tunnel from L2TP authenticated by RADIUS to tun0

//mxb

On 4 jan 2014, at 02:09, Matt Carlson obsda0...@mpcarlson.com wrote:
> mxb,
>
> I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like?
>
> Thanks,
> Matt
>
> On Fri, Jan 3, 2014 at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
>> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release).
>>
>> My ipsec.conf for L2TP is this:
>>
>>     ike passive esp transport \
>>         proto udp from $local_gw to any port 1701 \
>>         main auth hmac-sha1 enc 3des group modp1024 \
>>         quick auth hmac-sha1 enc aes \
>>         psk "ReallyweakPassword"
>>
>> On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:
>>> Strangely enough I am having the exact same problem. OpenBSD 5.4, etc. Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II. I have an npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPsec that has the issues.
>>>
>>> Mike
Re: VPN Between OpenBSD and iOS
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release).

My ipsec.conf for L2TP is this:

    ike passive esp transport \
        proto udp from $local_gw to any port 1701 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "ReallyweakPassword"

On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:
> Strangely enough I am having the exact same problem. OpenBSD 5.4, etc. Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II. I have an npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPsec that has the issues.
>
> Mike
Re: VPN Between OpenBSD and iOS
mxb,

Great. I'll try that this weekend.

Thanks,
Matt

On Jan 3, 2014, at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release).
>
> My ipsec.conf for L2TP is this:
>
>     ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         psk "ReallyweakPassword"
>
> On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:
>> Strangely enough I am having the exact same problem. OpenBSD 5.4, etc. Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II. I have an npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPsec that has the issues.
>>
>> Mike
Re: VPN Between OpenBSD and iOS
mxb,

I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like?

Thanks,
Matt

On Fri, Jan 3, 2014 at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release).
>
> My ipsec.conf for L2TP is this:
>
>     ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         psk "ReallyweakPassword"
>
> On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:
>> Strangely enough I am having the exact same problem. OpenBSD 5.4, etc. Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II. I have an npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPsec that has the issues.
>>
>> Mike
Re: VPN Between OpenBSD and iOS
What does your npppd.conf look like?

--
Jeff Goettsch
Agricultural and Resource Economics
http://agecon.ucdavis.edu/
530-752-2219

On 12/29/13 5:58 PM, Matt Carlson wrote:
> Hello,
>
> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.
>
> Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "snip", since this is already fairly long. I welcome any suggestions/recommendations.
>
> Thanks,
> Matt
>
> [quoted uname, rc.conf.local, ipsec.conf, /var/log/messages and tcpdump output omitted; it is identical to the original post in this thread]
Re: VPN Between OpenBSD and iOS
Hi,

On Sun, 29 Dec 2013 20:58:03 -0500 Matt Carlson obsda0...@mpcarlson.com wrote:
> # grep -v ^# /etc/ipsec.conf
> ike passive esp transport \
>         proto udp \
>         from any to any port 1701 \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes-256 \
>         psk 1

AFAIK, a fixed IP address should be used for the source address. Does changing

    from any to any port 1701 \

to

    from 69.g.h.i to any port 1701 \

fix the problem?

--yasuoka
Re: VPN Between OpenBSD and iOS
Yasuoka,

I tried that just now and it doesn't seem to make a difference.

Thanks,
Matt

On Mon, Dec 30, 2013 at 7:34 PM, YASUOKA Masahiko yasu...@yasuoka.net wrote:
> Hi,
>
> On Sun, 29 Dec 2013 20:58:03 -0500 Matt Carlson obsda0...@mpcarlson.com wrote:
>> # grep -v ^# /etc/ipsec.conf
>> ike passive esp transport \
>>         proto udp \
>>         from any to any port 1701 \
>>         main auth hmac-sha1 enc aes group modp1024 \
>>         quick auth hmac-sha1 enc aes-256 \
>>         psk 1
>
> AFAIK, a fixed IP address should be used for the source address. Does changing
>
>     from any to any port 1701 \
>
> to
>
>     from 69.g.h.i to any port 1701 \
>
> fix the problem?
>
> --yasuoka
Re: VPN Between OpenBSD and iOS
Jeff,

Here you go:

    $ grep -v ^# /etc/npppd/npppd.conf
    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }
    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
    }
    ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
    }
    interface pppx0 address 10.0.0.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Thanks,
Matt

On Mon, Dec 30, 2013 at 4:10 PM, Jeff Goettsch j...@primal.ucdavis.edu wrote:
> What does your npppd.conf look like?
>
> --
> Jeff Goettsch
> Agricultural and Resource Economics
> http://agecon.ucdavis.edu/
> 530-752-2219
>
> On 12/29/13 5:58 PM, Matt Carlson wrote:
>> Hello,
>>
>> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.
>>
>> Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "snip", since this is already fairly long. I welcome any suggestions/recommendations.
>>
>> Thanks,
>> Matt
>>
>> [quoted uname, rc.conf.local, ipsec.conf, /var/log/messages and tcpdump output omitted; it is identical to the original post in this thread]
Re: VPN Between OpenBSD and iOS
Strangely enough I am having the exact same problem. OpenBSD 5.4, etc. Phase I works once I tweaked my isakmp settings to match iOS 7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II. I have an npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPsec that has the issues.

Mike
VPN Between OpenBSD and iOS
Hello,

I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.

Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "snip", since this is already fairly long. I welcome any suggestions/recommendations.

Thanks,
Matt

    # uname -a
    OpenBSD carbon.my.domain 5.4 GENERIC#37 i386

    # cat /etc/rc.conf.local
    ipsec=YES
    isakmpd_flags=-Kv
    ftpproxy_flags=
    ntpd_flags=
    pppd_flags=
    route6d_flags=
    named_flags=

    # grep -v ^# /etc/ipsec.conf
    ike passive esp transport \
            proto udp \
            from any to any port 1701 \
            main auth hmac-sha1 enc aes group modp1024 \
            quick auth hmac-sha1 enc aes-256 \
            psk 1

    # cat /var/log/messages
    snip
    Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
    Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
    Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
    Dec 29 16:31:24 carbon named[6427]: running
    Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
    Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
    Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file /var/run/isakmpd.pcap
    Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.
    snip
    Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i dst: 166.d.e.f
    Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
    Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
    Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder id: 69.g.h.i

    # tcpdump -vvr /var/run/isakmpd.pcap
    tcpdump: WARNING: snaplen raised from 116 to 65536
    16:32:57.256488 mobile-166-d-e-f.mycingular.net.6885 > c-69.g.h.i.hsd1.va.comcast.net.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
            cookie: 84d030732a69f98e- msgid: len: 500
            payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
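Added here as an example (not code from the thread or from OpenBSD): a small Python triage script for the isakmpd log pattern in the post above. It establishes what the repeated lines actually say: phase 1 (and so the PSK) succeeded, every quick mode proposal was rejected on its IDs, and the initiator's proposed phase 2 ID is an RFC 1918 address even though its packets arrive from a public one. The sample log lines, their addresses and the function names analyse and is_rfc1918 are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log modelled on the isakmpd messages quoted in this thread.
# The addresses are made up (RFC 5737 documentation ranges plus one RFC 1918
# address); they are not the addresses from the original post.
SAMPLE_LOG = """\
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.0.0.5, responder id 198.51.100.9, src: 198.51.100.9 dst: 203.0.113.7
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.5, responder id 198.51.100.9
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 203.0.113.7 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.5, responder id 198.51.100.9
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 203.0.113.7 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 203.0.113.7 made us delete live SA peer-default for proto 1, initiator id: 10.0.0.5, responder id: 198.51.100.9
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PHASE1_RE = re.compile(r"phase 1 done \(as (\w+)\): initiator id " + IP
                       + r", responder id " + IP + r", src: " + IP + r" dst: " + IP)
BAD_P2_RE = re.compile(r"peer proposed invalid phase 2 IDs: initiator id " + IP
                       + r", responder id " + IP)
DROP_RE = re.compile(r"dropped message from " + IP
                     + r" port (\d+) due to notification type (\w+)")
DELETE_RE = re.compile(r"Peer " + IP + r" made us delete live SA")

# RFC 1918 ranges are checked explicitly: ipaddress.is_private also treats the
# documentation ranges used in the sample as private, which would mislead here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def analyse(log_text):
    """Summarise an isakmpd log excerpt and explain a failed L2TP/IPsec quick mode."""
    summary = {
        "phase1": None,           # (role, initiator_id, responder_id, peer_address)
        "invalid_p2_ids": set(),  # distinct (initiator_id, responder_id) pairs rejected
        "invalid_p2_count": 0,
        "notifications": Counter(),
        "sa_deleted_by": None,
        "findings": [],
    }
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            role, init_id, resp_id, _src, dst = m.groups()
            summary["phase1"] = (role, init_id, resp_id, dst)
        elif m := BAD_P2_RE.search(line):
            summary["invalid_p2_ids"].add(m.groups())
            summary["invalid_p2_count"] += 1
        elif m := DROP_RE.search(line):
            summary["notifications"][m.group(3)] += 1
        elif m := DELETE_RE.search(line):
            summary["sa_deleted_by"] = m.group(1)

    p1, n_bad = summary["phase1"], summary["invalid_p2_count"]
    if p1 and n_bad:
        role, init_id, resp_id, peer = p1
        summary["findings"].append(
            f"phase 1 completed (as {role}), so the PSK matched; {n_bad} quick mode "
            f"proposal(s) carrying IDs {init_id} -> {resp_id} were then rejected on "
            f"their IDs, before any phase 2 cipher negotiation")
        if is_rfc1918(init_id) and not is_rfc1918(peer) and init_id != peer:
            summary["findings"].append(
                f"the initiator's phase 2 ID {init_id} is an RFC 1918 address while its "
                f"packets arrive from {peer}: consistent with NAT between client and "
                f"server, so the proposed ID is not the address the server sees")
    if summary["sa_deleted_by"]:
        summary["findings"].append(
            f"peer {summary['sa_deleted_by']} deleted the phase 1 SA after the retries, "
            f"which is when the client reports the connection as failed")
    return summary


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Feed it the real /var/log/messages excerpt instead of SAMPLE_LOG to get the same three-line summary for an actual failure.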
Re: VPN Between OpenBSD and iOS
Hi,

On 12/29/13, Matt Carlson obsda0...@mpcarlson.com wrote:
> Hello,
>
> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.

I'm somewhat curious about this. Can you verify if this is only an issue when the AES cipher is used?

--patrick

> Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "snip", since this is already fairly long. I welcome any suggestions/recommendations.
>
> Thanks,
> Matt
>
> # grep -v ^# /etc/ipsec.conf
> ike passive esp transport \
>         proto udp \
>         from any to any port 1701 \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes-256 \
>         psk 1
>
> [remaining quoted uname, rc.conf.local, /var/log/messages and tcpdump output omitted; it is identical to the original post in this thread]