Re: Help with IPsec multiple transform policy

2016-04-16 Thread Vijay Sankar
Quoting Sly Midnight:

> I got it to work exactly as you suggested using isakmpd.conf.
>
> It took me quite a bit of searching to find the correct sort of syntax
> for that file to achieve what I wanted but it now allows me to connect.
>
> But I've run into another issue that I cannot resolve myself.
>
> Once I connect from ANY client, I can only move data on the VPN for a
> few seconds then it goes dead.
>
> I thought it might be an MTU issue, but I tried setting the MRU setting
> fairly low (such as 1200) in npppd and that didn't solve it.
>
> I tried setting skip on enc0 as well as pppx0 in pf rules and that
> didn't work either.
>
> What else could I be missing? Why would it work, but only briefly?
> Sly

Hi,

If appropriate/practical, it may be useful to provide some details about
your configuration to the list (ipsec.conf, isakmpd.conf, npppd.conf,
pf.conf, sysctl.conf, etc.).

From your description I am assuming that phase 2 dies on you but of course
it is just a guess.

I am in the process of migrating my 5.7 infrastructure to 5.9 and do not
see any issues with npppd -- android, blackberry, and ios clients are able
to use IPSec, and access dovecot, opensmtpd, and apache-httpd-openbsd
without any problems. I tested native mobile device clients that use
ActiveSync as well as imap and smtp -- no issues to report so far. I am
also testing Windows clients from my home to my lab environment to test
Samba 4.3.8 this weekend and so far so good with the VPN.

I don't have "enterprise" type connections but have three ISP links at my
office (ADSL that uses PPPoE, vDSL, and Cable) and two links at the lab
(vDSL, Cable). Only place where I had to change MTU etc., was with ADSL and
I had to do a "match on pppoe0 scrub (no-df max-mss 1340)" in my pf.conf
re. ADSL for VPN to work properly.

Looking through my logs I see long-lived connections such as (changed IP
addresses but the rest are from the log):

Apr 14 04:51:29 mx2 npppd[19526]: ppp id=175 layer=base logtype=TUNNELUSAGE
user="xx" duration=58390sec layer2=L2TP_ipv4 layer2from=a.b.c.d:1701
auth=MS-CHAP-V2 data_in=277392bytes,3364packets
data_out=235270bytes,2576packets error_in=1 error_out=0 mppe=yes
mppe_in=128bits,stateless mppe_out=128bits,stateless iface=tun0

Vijay
-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca



Re: Help with IPsec multiple transform policy

2016-04-16 Thread Sly Midnight
I got it to work exactly as you suggested using isakmpd.conf.

It took me quite a bit of searching to find the correct sort of syntax
for that file to achieve what I wanted but it now allows me to connect.

But I've run into another issue that I cannot resolve myself.

Once I connect from ANY client, I can only move data on the VPN for a
few seconds then it goes dead.

I thought it might be an MTU issue, but I tried setting the MRU setting
fairly low (such as 1200) in npppd and that didn't solve it.

I tried setting skip on enc0 as well as pppx0 in pf rules and that
didn't work either.

What else could I be missing? Why would it work, but only briefly?

Sly



Re: Help with IPsec multiple transform policy

2016-04-15 Thread Sly Midnight
I got it to work exactly as you suggested using isakmpd.conf.

It took me quite a bit of searching to find the correct sort of syntax
for that file to achieve what I wanted but it now allows me to connect.

But I've run into another issue that I cannot resolve myself.

Once I connect from ANY client, I can only move data on the VPN for a
few seconds then it goes dead.

I thought it might be an MTU issue, but I tried setting the MRU setting
fairly low in npppd and that didn't solve it.

I tried setting skip on enc0 as well as pppx0 in pf rules and that
didn't work either.
What else could I be missing? Why would it work, but only briefly?

Sly

On 04/03/2016 05:38 AM, Stuart Henderson wrote:
> On 2016-04-01, Sly Midnight wrote:
>> I am wondering is there a way to allow either via /etc/ipsec.conf or
>> /etc/isakmpd/isakmpd.policy to configure a road warrior type of IPsec VPN
>> access to my router that accommodates multiple types of IPsec clients that
>> regrettably have limitations in the auth/enc/DH groups they support.
> auth/enc: yes, but you will need isakmpd.conf, ipsec.conf is not flexible
> enough.
>
> groups will be a problem: see BUGS in isakmpd.conf(5).



Re: Help with IPsec multiple transform policy

2016-04-15 Thread Sly Midnight
I got it to work exactly as you suggested using isakmpd.conf

It took me quite a bit of searching to find the correct sort of syntax
for that file to achieve what I wanted but it now allows me to connect.

But I've run into another issue that I cannot resolve myself.

Once I connect from ANY client, I can only move data on the VPN for a
few seconds then it goes dead.

I thought it might be an MTU issue, but I tried setting the MRU setting
fairly low in npppd and that didn't solve it.  I tried setting skip on
enc0 as well as pppx0 in pf rules and that didn't work either.

What else could I be missing?  Why would it work, but only briefly?

Sly


On 04/03/2016 05:38 AM, Stuart Henderson wrote:
> On 2016-04-01, Sly Midnight wrote:
>> I am wondering is there a way to allow either via /etc/ipsec.conf or
>> /etc/isakmpd/isakmpd.policy to configure a road warrior type of IPsec VPN
>> access to my router that accommodates multiple types of IPsec clients that
>> regrettably have limitations in the auth/enc/DH groups they support.
> auth/enc: yes, but you will need isakmpd.conf, ipsec.conf is not flexible
> enough.
>
> groups will be a problem: see BUGS in isakmpd.conf(5).



Re: Help with IPsec multiple transform policy

2016-04-03 Thread Stuart Henderson
On 2016-04-01, Sly Midnight wrote:
> I am wondering is there a way to allow either via /etc/ipsec.conf or
> /etc/isakmpd/isakmpd.policy to configure a road warrior type of IPsec VPN
> access to my router that accommodates multiple types of IPsec clients that
> regrettably have limitations in the auth/enc/DH groups they support.

auth/enc: yes, but you will need isakmpd.conf, ipsec.conf is not flexible
enough.

groups will be a problem: see BUGS in isakmpd.conf(5).
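As an added illustration of the above (this fragment is not from the original thread and is not a complete isakmpd.conf): a Phase 1 section in isakmpd.conf(5) syntax that offers two main-mode transforms, AES with HMAC-SHA and AES with HMAC-MD5, to any peer that has no entry of its own in [Phase 1], which is how road-warrior clients arrive. The address 192.0.2.1, the section names and the pre-shared key are placeholders. Both transforms deliberately keep GROUP_DESCRIPTION at MODP_1024: listing transforms that differ only in hash or cipher is what isakmpd.conf adds over ipsec.conf, while mixing DH groups in one list is the case the reply and BUGS in isakmpd.conf(5) warn about, so it is not shown. The Phase 2 (quick mode) sections for the L2TP transport-mode flows are omitted.

```ini
# Added example, Phase 1 only; every address, name and key here is a placeholder.
[General]
Listen-on=              192.0.2.1

# Peers with no [Phase 1] entry of their own (the road warriors) fall through
# to the Default peer section.
[Phase 1]
Default=                roadwarrior-peer

[roadwarrior-peer]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Configuration=          roadwarrior-main-mode
Authentication=         presharedkey

# The responder accepts a client proposal that matches any transform listed;
# the list order is the preference used when isakmpd is the initiator.
[roadwarrior-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-MODP1024,AES-MD5-MODP1024

[AES-SHA-MODP1024]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             128,128:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_MAIN_MODE

# Same cipher and group, HMAC-MD5 instead of HMAC-SHA for the client that
# insists on md5.
[AES-MD5-MODP1024]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             128,128:256
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_MAIN_MODE

[LIFE_MAIN_MODE]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,60:86400
```

To see which transform the responder actually settles on with a given client, run the daemon in the foreground with debugging (`isakmpd -d -DA=50`) and, once the tunnel is up, list the negotiated SAs with `ipsecctl -s all`.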



Help with IPsec multiple transform policy

2016-04-01 Thread Sly Midnight
Good morning everyone,

I am wondering is there a way to allow either via /etc/ipsec.conf or
/etc/isakmpd/isakmpd.policy to configure a road warrior type of IPsec VPN
access to my router that accommodates multiple types of IPsec clients that
regrettably have limitations in the auth/enc/DH groups they support.

For instance I am trying to get my IPsec/L2TP tunnel VPN working with two
separate clients that support it, but have weird limitations.

My Android phone only works when I set my ipsec.conf file to something like
the following:

# auth names as spelled in ipsec.conf(5): hmac-sha1, hmac-md5
ike passive esp transport \
        proto udp from XXX.XXX.XXX.XXX to any port 1701 \
        main auth "hmac-sha1" enc "aes" group "modp1024" \
        quick auth "hmac-sha1" enc "aes" group "modp1024" \
        psk "presharedkey"

But that won't work with my Chromebook which requires:

ike passive esp transport \
        proto udp from XXX.XXX.XXX.XXX to any port 1701 \
        main auth "hmac-md5" enc "aes" group "modp2048" \
        quick auth "hmac-md5" enc "aes" group "modp2048" \
        psk "presharedkey"

One requires md5 but only with modp2048 while the other might work with md5,
but only with modp1024.  If I don't specify these options then neither works,
so I have to, but doing so seems to limit me to one or the other.

Is there any way I can specify both versions simultaneously?  I don't see
anything in the various manpages about being able to allow multiple
transforms.

Any help would be greatly appreciated.

Sly