Re: Help with IPsec multiple transform policy
Quoting Sly Midnight:

> I got it to work exactly as you suggested using isakmpd.conf.
>
> It took me quite a bit of searching to find the correct sort of syntax
> for that file to achieve what I wanted but it now allows me to connect.
>
> But I've run into another issue that I cannot resolve myself.
>
> Once I connect from ANY client, I can only move data on the VPN for a
> few seconds then it goes dead.
>
> I thought it might be an MTU issue, but I tried setting the MRU setting
> fairly low (such as 1200) in npppd and that didn't solve it.
>
> I tried setting skip on enc0 as well as pppx0 in pf rules and that
> didn't work either.
>
> What else could I be missing? Why would it work, but only briefly?
>
> Sly

Hi,

If appropriate/practical, it may be useful to provide some details about your configuration to the list (ipsec.conf, isakmpd.conf, npppd.conf, pf.conf, sysctl.conf, etc.). From your description I am assuming that phase 2 dies on you, but of course it is just a guess.

I am in the process of migrating my 5.7 infrastructure to 5.9 and do not see any issues with npppd -- android, blackberry, and ios clients are able to use IPSec, and access dovecot, opensmtpd, and apache-httpd-openbsd without any problems. I tested native mobile device clients that use ActiveSync as well as imap and smtp -- no issues to report so far. I am also testing Windows clients from my home to my lab environment to test Samba 4.3.8 this weekend and so far so good with the VPN.

I don't have "enterprise" type connections but have three ISP links at my office (ADSL that uses PPPoE, vDSL, and Cable) and two links at the lab (vDSL, Cable). The only place where I had to change MTU etc. was with ADSL, and I had to do a "match on pppoe0 scrub (no-df max-mss 1340)" in my pf.conf re. ADSL for the VPN to work properly.

Looking through my logs I see long-lived connections such as (changed IP addresses but the rest is from the log):

Apr 14 04:51:29 mx2 npppd[19526]: ppp id=175 layer=base logtype=TUNNELUSAGE user="xx" duration=58390sec layer2=L2TP_ipv4 layer2from=a.b.c.d:1701 auth=MS-CHAP-V2 data_in=277392bytes,3364packets data_out=235270bytes,2576packets error_in=1 error_out=0 mppe=yes mppe_in=128bits,stateless mppe_out=128bits,stateless iface=tun0

Vijay

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
Re: Help with IPsec multiple transform policy
I got it to work exactly as you suggested using isakmpd.conf.

It took me quite a bit of searching to find the correct sort of syntax for that file to achieve what I wanted but it now allows me to connect.

But I've run into another issue that I cannot resolve myself.

Once I connect from ANY client, I can only move data on the VPN for a few seconds then it goes dead.

I thought it might be an MTU issue, but I tried setting the MRU setting fairly low (such as 1200) in npppd and that didn't solve it.

I tried setting skip on enc0 as well as pppx0 in pf rules and that didn't work either.

What else could I be missing? Why would it work, but only briefly?

Sly
Re: Help with IPsec multiple transform policy
On 2016-04-01, Sly Midnight wrote:

> I am wondering is there a way to allow either via /etc/ipsec.conf or
> /etc/isakmpd/isakmpd.policy to configure a road warrior type of IPsec VPN
> access to my router that accommodates multiple types of IPsec clients that
> regrettably have limitations in the auth/enc/DH groups they support.

auth/enc: yes, but you will need isakmpd.conf; ipsec.conf is not flexible enough.

groups will be a problem: see BUGS in isakmpd.conf(5).
Help with IPsec multiple transform policy
Good morning everyone,

I am wondering if there is a way, either via /etc/ipsec.conf or /etc/isakmpd/isakmpd.policy, to configure a road warrior type of IPsec VPN access to my router that accommodates multiple types of IPsec clients that regrettably have limitations in the auth/enc/DH groups they support.

For instance I am trying to get my IPsec/L2TP tunnel VPN working with two separate clients that support it, but have weird limitations.

My Android phone only works when I set my ipsec.conf file to something like the following:

ike passive esp transport \
    proto udp from XXX.XXX.XXX.XXX to any port 1701 \
    main auth "hmac-sha" enc "aes" group "modp1024" \
    quick auth "hmac-sha" enc "aes" group "modp1024" \
    psk "presharedkey"

But that won't work with my Chromebook which requires:

ike passive esp transport \
    proto udp from XXX.XXX.XXX.XXX to any port 1701 \
    main auth "hmac-md5" enc "aes" group "modp2048" \
    quick auth "hmac-md5" enc "aes" group "modp2048" \
    psk "presharedkey"

One requires md5 but only with modp2048 while the other might work with md5, but only with modp1024. If I don't specify these options then neither work, so I have to, but doing so seems to limit me to one or the other.

Is there any way I can specify both versions simultaneously? I don't see anything in the various manpages about being able to allow multiple transforms.

Any help would be greatly appreciated.

Sly
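As an added illustration of Stuart's reply (not written by any poster in this thread), here is a sketch of the phase 1 part of an isakmpd.conf that offers both proposals from the question above as alternatives; the key names follow isakmpd.conf(5), while the section names, YOUR.GW.IP.ADDR and the PSK reference are placeholders I chose. Phase 2 and the key itself are not shown, and, as the reply notes, mixing DH groups across proposals is subject to the BUGS section of isakmpd.conf(5).

```ini
# Added example, not part of the thread. Phase 1 only: as the passive
# (responder) side, isakmpd accepts whichever of the listed transforms
# a connecting client proposes. YOUR.GW.IP.ADDR is a placeholder.

[General]
Listen-on=              YOUR.GW.IP.ADDR

[Phase 1]
# "Default" applies to any peer address not listed explicitly, which is
# what a road-warrior setup with changing client addresses needs.
Default=                roadwarrior-peer

[roadwarrior-peer]
Phase=                  1
Transport=              udp
Local-address=          YOUR.GW.IP.ADDR
Configuration=          multi-main-mode
Authentication=         presharedkey

# Comma-separated proposal list: AES/SHA1/modp1024 for the Android
# client and AES/MD5/modp2048 for the Chromebook, both offered at once.
[multi-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-MODP1024,AES-MD5-MODP2048

[AES-SHA-MODP1024]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             128,128:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_MAIN_MODE

[AES-MD5-MODP2048]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             128,128:256
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_2048
Life=                   LIFE_MAIN_MODE

# One hour SA lifetime, renegotiable between 60 s and one day.
[LIFE_MAIN_MODE]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,60:86400
```

The phase 2 side (ESP transport to UDP port 1701 for L2TP) is built the same way with Suites= and Protocols= lists, one entry per client combination, and should be checked with "isakmpd -d -DA=90" while each client connects.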