Re: L2TP using Npppd and IPsec
On Thu, 26 Mar 2015 13:21:10 -0400 Predrag Punosevac punoseva...@gmail.com wrote:

> Hi Misc,
>
> I need to provide secure access to a web application running on my servers to a handful of typical desktop users. I am thinking of requiring them to have an L2TP/IPSec VPN tunnel before they can browse my application. HTTPS is not good enough due to the nature of the application.
>
> Why L2TP? I am not a Windows user, but it seems that it should be trivial to set up the client side
>
>     https://www.hideipvpn.com/2010/03/howto-windows-7-ipsecl2tp-vpn-setup-tutorial/
>
> and avoid customer service requests. On the other hand, I am reading the man pages for npppd and ipsec on 5.7 and Giovanni's slides from two years ago
>
>     http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
>
> for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.
>
> Is anybody running a similar setup in production? Any caveats? Any other advice before I take the plunge?
>
> Predrag
>
> P.S. I have quite a bit of experience with the OpenVPN server on OpenBSD, but in my experience getting credentials to a Windows client is a pain because a typical user knows only how to double click and I don't know how to properly make Windows packages.

This setup has worked like a charm for 2 years:

    https://www.mimar.rs/sysadmin/2013/npppd-novi-openbsd-pptp-server

PPTP though, not L2TP.

--
Marko Cupać
https://www.mimar.rs
Re: L2TP using Npppd and IPsec
Hi,

> for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.

It is.

> Is anybody running a similar setup in production? Any caveats? Any other advice before I take the plunge?

Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (Linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.

Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests. The IP address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no IP address available (since it was assigned to the first request).

But then again, I have some Windows clients connected for more than 2 weeks non-stop before they disconnect (prob. a Windows update wanting to reboot ;) ).

--
bsv
Re: L2TP using Npppd and IPsec
Dain Bentley wrote:

> I'd love a copy! Thanks

+1

> On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:
>
> > Hi,
> >
> > > for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.
> >
> > It is.
> >
> > > Is anybody running a similar setup in production? Any caveats? Any other advice before I take the plunge?
> >
> > Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (Linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.
> >
> > Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests.

I also got a very useful answer off the list. I am just going to quote a snippet:

[quote]
You'll have problems with NAT-T and clients coming from the same NAT address. This problem is being worked out currently.
[/quote]

I will post my configuration once I am done, but this topic seems to beg for an updated undeadly article.

Thanks to everyone who responded to this thread!

Predrag

> > The IP address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no IP address available (since it was assigned to the first request).
> >
> > But then again, I have some Windows clients connected for more than 2 weeks non-stop before they disconnect (prob. a Windows update wanting to reboot ;) ).
> >
> > --
> > bsv
Re: L2TP using Npppd and IPsec
I'd love a copy! Thanks

On Friday, March 27, 2015, Brian S. Vangsgaard b...@avalanic.dk wrote:

> Hi,
>
> > for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.
>
> It is.
>
> > Is anybody running a similar setup in production? Any caveats? Any other advice before I take the plunge?
>
> Yes I am, with Windows, Mac, Linux and OpenBSD clients connecting. Very easy to configure (Linux being the exception :p). You only need to change npppd.conf, npppd-users and ipsec.conf and you are in business. I wrote an up-to-date guide on how to do it, let me know if you want a copy.
>
> Caveats... yes. I'm currently seeing issues with some clients (might be a client software issue) sending multiple connect requests. The IP address reserved for the client is being assigned to the first request, but it seems like the last request wins, but alas! no IP address available (since it was assigned to the first request).
>
> But then again, I have some Windows clients connected for more than 2 weeks non-stop before they disconnect (prob. a Windows update wanting to reboot ;) ).
>
> --
> bsv
L2TP using Npppd and IPsec
Hi Misc,

I need to provide secure access to a web application running on my servers to a handful of typical desktop users. I am thinking of requiring them to have an L2TP/IPSec VPN tunnel before they can browse my application. HTTPS is not good enough due to the nature of the application.

Why L2TP? I am not a Windows user, but it seems that it should be trivial to set up the client side

    https://www.hideipvpn.com/2010/03/howto-windows-7-ipsecl2tp-vpn-setup-tutorial/

and avoid customer service requests. On the other hand, I am reading the man pages for npppd and ipsec on 5.7 and Giovanni's slides from two years ago

    http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd

for the talk he gave at BSDCan IIRC. I don't need to use RADIUS, just a local authentication database. It is in the base and it seems very easy to configure.

Is anybody running a similar setup in production? Any caveats? Any other advice before I take the plunge?

Predrag

P.S. I have quite a bit of experience with the OpenVPN server on OpenBSD, but in my experience getting credentials to a Windows client is a pain because a typical user knows only how to double click and I don't know how to properly make Windows packages.
Re: NPPPD and IPSec
Hi,

On Mon, 2 Dec 2013 19:34:57 +0200 (IST) Or Elimelech o...@xwise.com wrote:

> I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:
>
>     ike passive esp transport \
>         proto udp from 1.2.3.4 to any port 1701 \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes group modp1024 \
>         psk secret

As far as my test with Windows 7 goes, changing the main mode config to

    main auth hmac-sha1 enc aes group modp2048

or

    main auth hmac-sha1 enc 3des group modp1024

will fix the problem.

--yasuoka
Re: NPPPD and IPSec
The mail I replied to was too old.. sorry.

On Mon, 16 Dec 2013 18:52:25 +0900 (JST) YASUOKA Masahiko yasu...@yasuoka.net wrote:

> On Mon, 2 Dec 2013 19:34:57 +0200 (IST) Or Elimelech o...@xwise.com wrote:
>
> > I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:
> >
> >     ike passive esp transport \
> >         proto udp from 1.2.3.4 to any port 1701 \
> >         main auth hmac-sha1 enc aes group modp1024 \
> >         quick auth hmac-sha1 enc aes group modp1024 \
> >         psk secret
>
> As far as my test with Windows 7 goes, changing the main mode config to
>
>     main auth hmac-sha1 enc aes group modp2048
>
> or
>
>     main auth hmac-sha1 enc 3des group modp1024
>
> will fix the problem.
>
> --yasuoka
Re: NPPPD and IPSec
Thanks, I fixed it using the same config I wrote. The problem is my npppd server is behind NAT and my Windows needed the registry modification AssumeUDP.

Thank you again

Sent from my iPhone

On Dec 3, 2013, at 12:28 AM, Frans Haarman franshaar...@gmail.com wrote:

> I have used this with windows 7 and osx:
>
>     ike passive esp transport \
>         proto udp from $public_ip to any port 1701 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         psk
>
> 2013/12/2 Or Elimelech o...@xwise.com
>
> > Hi,
> >
> > I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:
> >
> >     ike passive esp transport \
> >         proto udp from 1.2.3.4 to any port 1701 \
> >         main auth hmac-sha1 enc aes group modp1024 \
> >         quick auth hmac-sha1 enc aes group modp1024 \
> >         psk secret
> >
> > Thank you so much and keep up the good work, I love the OpenBSD project
NPPPD and IPSec
Hi,

I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:

    ike passive esp transport \
        proto udp from 1.2.3.4 to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        psk secret

Thank you so much and keep up the good work, I love the OpenBSD project
Re: NPPPD and IPSec
I have used this with windows 7 and osx:

    ike passive esp transport \
        proto udp from $public_ip to any port 1701 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk

2013/12/2 Or Elimelech o...@xwise.com

> Hi,
>
> I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:
>
>     ike passive esp transport \
>         proto udp from 1.2.3.4 to any port 1701 \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes group modp1024 \
>         psk secret
>
> Thank you so much and keep up the good work, I love the OpenBSD project
Re: NPPPD and IPSec
This works with Windows 8, OSX, Android and iOS:

    ike passive esp transport \
        proto udp from $public_ip to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk $psk

On 03 Dec 2013, at 00:28, Frans Haarman franshaar...@gmail.com wrote:

> I have used this with windows 7 and osx:
>
>     ike passive esp transport \
>         proto udp from $public_ip to any port 1701 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         psk
>
> 2013/12/2 Or Elimelech o...@xwise.com
>
> > Hi,
> >
> > I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:
> >
> >     ike passive esp transport \
> >         proto udp from 1.2.3.4 to any port 1701 \
> >         main auth hmac-sha1 enc aes group modp1024 \
> >         quick auth hmac-sha1 enc aes group modp1024 \
> >         psk secret
> >
> > Thank you so much and keep up the good work, I love the OpenBSD project
Re: npppd l2tp/ipsec - openbsd client
Hi,

first of all, thanks @sthen for your answer (OP has no net access atm).

We are at the point where the clients get an IP (windows/linux/OpenBSD) and traffic is passing through the server as expected. There is a very strange problem with the ssh service though. While internet traffic is being routed as expected, when we try to ssh, we can't connect (from OpenBSD clients) to any server.

    [..snip..]
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

and it just hangs there. Test time with Windows, and with PuTTY, there is absolutely no problem. I can connect anywhere with absolutely no problem. At this point, I went with the crazy idea to try PuTTY on OpenBSD. And ssh with PuTTY works...

We can't get our heads around this problem and why this is happening.

## pf.conf @ server ##

    NIC=interface
    set skip on {lo0}
    block                   # block stateless traffic
    pass                    # establish keep-state
    block in on ! lo0 proto tcp to port 6000:6010
    block in on vic0

    #vpn
    extip=ip
    pass in quick inet proto tcp from any to $NIC port {ports} flags S/SA keep state
    pass quick proto { esp, ah } from any to any
    pass in quick on egress proto udp from any to any port {500, 4500} keep state
    pass quick on enc0 from any to any keep state (if-bound)
    pass out quick on egress inet from 10.0.10.0/24 to any nat-to (egress:0)
    pass out on vic0

Does anyone have a solution to this problem?

Thanks.

--
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: npppd l2tp/ipsec - openbsd client
What does /etc/ssh/ssh_config look like on the OpenBSD client?

--
Jeff Goettsch
Agricultural and Resource Economics
University of California, Davis
http://agecon.ucdavis.edu/

On Fri, November 22, 2013 6:52 am, haris wrote:

> Hi,
>
> first of all, thanks @sthen for your answer (OP has no net access atm).
>
> We are at the point where the clients get an IP (windows/linux/OpenBSD) and traffic is passing through the server as expected. There is a very strange problem with the ssh service though. While internet traffic is being routed as expected, when we try to ssh, we can't connect (from OpenBSD clients) to any server.
>
>     [..snip..]
>     debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
>     debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>
> and it just hangs there. Test time with Windows, and with PuTTY, there is absolutely no problem. I can connect anywhere with absolutely no problem. At this point, I went with the crazy idea to try PuTTY on OpenBSD. And ssh with PuTTY works...
>
> We can't get our heads around this problem and why this is happening.
>
> ## pf.conf @ server ##
>
>     NIC=interface
>     set skip on {lo0}
>     block                   # block stateless traffic
>     pass                    # establish keep-state
>     block in on ! lo0 proto tcp to port 6000:6010
>     block in on vic0
>
>     #vpn
>     extip=ip
>     pass in quick inet proto tcp from any to $NIC port {ports} flags S/SA keep state
>     pass quick proto { esp, ah } from any to any
>     pass in quick on egress proto udp from any to any port {500, 4500} keep state
>     pass quick on enc0 from any to any keep state (if-bound)
>     pass out quick on egress inet from 10.0.10.0/24 to any nat-to (egress:0)
>     pass out on vic0
>
> Does anyone have a solution to this problem?
>
> Thanks.
>
> --
> A: Because we read from top to bottom, left to right.
> Q: Why should I start my reply below the quoted text?
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
Re: npppd l2tp/ipsec - openbsd client
On Fri, Nov 22, 2013 at 06:41:37PM +0200, Jeff Goettsch wrote:

> What does /etc/ssh/ssh_config look like on the OpenBSD client?

The file is the default that comes with OpenBSD. No change there...

--
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: npppd l2tp/ipsec - openbsd client
On 2013-11-22, haris ha...@2f30.org wrote:

> Hi,
>
> first of all, thanks @sthen for your answer (OP has no net access atm).
>
> We are at the point where the clients get an IP (windows/linux/OpenBSD) and traffic is passing through the server as expected. There is a very strange problem with the ssh service though. While internet traffic is being routed as expected, when we try to ssh, we can't connect (from OpenBSD clients) to any server.

This is very likely to be an MTU problem. Packets of certain sizes get through OK but packets larger than a certain size won't make it through.

This is hitting OpenSSH rather than PuTTY because, with default settings, OpenSSH's negotiation packets are larger than PuTTY's (more options, more ciphers, etc). If you connect with PuTTY and start sending a bunch of bulk data over the connection (cat a large file or something), I am pretty sure that will stall too.

Things you can try to fix it:

- lower MTU on the ppp interface
- tcp-mss-adjust yes in npppd
- pf match ... scrub (max-mss $somevalue)
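The MTU diagnosis in the reply above, worked through as an added example (my code, not from the thread or from OpenBSD): it sizes the headers that L2TP/IPsec adds to each packet, derives the inner MTU and the pf max-mss value from the outer MTU, and checks whether a large SSH KEXINIT still fits in one tunnel segment. The header sizes (IPv4, ESP transport mode with AES-CBC and HMAC-SHA1-96, NAT-T, L2TP length bit set) and the two KEXINIT name-lists are assumptions and constructed data, not the real OpenSSH or PuTTY defaults.

```python
# Added example, not from the thread: size the headers L2TP/IPsec adds, derive
# the inner MTU / TCP MSS, and compare an SSH KEXINIT against them. Assumes an
# IPv4 outer header, ESP transport mode with AES-CBC (16-byte IV and block) and
# HMAC-SHA1-96 (12-byte ICV), NAT-T, L2TP length bit set, 2-byte PPP protocol.

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
L2TP_HDR = 8       # flags/version, length, tunnel id, session id
PPP_HDR = 2        # PPP protocol field (no address/control bytes assumed)
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers without options

def encapsulated_size(inner_len, nat_t=True, iv=16, icv=12, block=16):
    """Wire size of an inner IP packet after PPP -> L2TP -> UDP -> ESP -> IPv4."""
    esp_plain = UDP_HDR + L2TP_HDR + PPP_HDR + inner_len + ESP_TRAILER
    pad = (-esp_plain) % block            # ESP pads to the cipher block size
    esp = ESP_HDR + iv + esp_plain + pad + icv
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp

def max_inner_packet(outer_mtu=1500, **kw):
    """Largest inner IP packet that still fits the outer MTU unfragmented."""
    inner = outer_mtu
    while inner > 0 and encapsulated_size(inner, **kw) > outer_mtu:
        inner -= 1
    return inner

def max_mss(outer_mtu=1500, **kw):
    """TCP MSS to clamp to: inner MTU minus the inner IPv4 and TCP headers."""
    return max_inner_packet(outer_mtu, **kw) - TCP_IP_HDRS

def kexinit_packet_size(name_lists, cipher_block=8):
    """SSH binary packet size for a KEXINIT (RFC 4253 6/7.1): 8-aligned, pad >= 4."""
    assert len(name_lists) == 10
    payload = 1 + 16 + sum(4 + len(s) for s in name_lists) + 1 + 4
    unpadded = 4 + 1 + payload            # packet_length + padding_length fields
    padding = cipher_block - unpadded % cipher_block
    if padding < 4:
        padding += cipher_block
    return unpadded + padding

def fits_in_one_segment(ssh_packet_len, outer_mtu=1500, **kw):
    # True if the KEXINIT segment crosses the tunnel without fragmentation.
    return ssh_packet_len + TCP_IP_HDRS <= max_inner_packet(outer_mtu, **kw)

def recommended_settings(outer_mtu=1500, **kw):
    """The three remedies from the thread, filled in with concrete numbers."""
    mtu, mss = max_inner_packet(outer_mtu, **kw), max_mss(outer_mtu, **kw)
    return {"ifconfig": "ifconfig tun0 mtu %d" % mtu,
            "npppd.conf": "tcp-mss-adjust yes",
            "pf.conf": "match on tun0 scrub (max-mss %d)" % mss}

# Constructed name-lists in the style of a 2013-era OpenSSH client (long) and
# PuTTY (short); illustrative only, not either program's real defaults.
_ENC_LONG = ("aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
             "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
             "chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,"
             "cast128-cbc,aes192-cbc,aes256-cbc,arcfour")
_MAC_LONG = ("hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,"
             "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
             "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
             "hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,"
             "hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,"
             "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,"
             "hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,"
             "hmac-sha1-96,hmac-md5-96")
OPENSSH_LIKE = [
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group1-sha1",
    "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss",
    _ENC_LONG, _ENC_LONG, _MAC_LONG, _MAC_LONG,
    "none,zlib@openssh.com,zlib", "none,zlib@openssh.com,zlib", "", ""]
_ENC_SHORT = "aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,arcfour256"
PUTTY_LIKE = [
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "ssh-rsa,ssh-dss", _ENC_SHORT, _ENC_SHORT,
    "hmac-sha1,hmac-sha1-96,hmac-md5", "hmac-sha1,hmac-sha1-96,hmac-md5",
    "none,zlib", "none,zlib", "", ""]

if __name__ == "__main__":
    for name, lists in (("OpenSSH-like", OPENSSH_LIKE), ("PuTTY-like", PUTTY_LIKE)):
        size = kexinit_packet_size(lists)
        print("%-12s KEXINIT %4d bytes, fits one tunnel segment: %s"
              % (name, size, fits_in_one_segment(size)))
    print(recommended_settings())
```

With a 1500-byte outer MTU the long KEXINIT is the first packet of the session that no longer fits, which is why the hang appears at the key exchange and not at the TCP handshake.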
Re: npppd l2tp/ipsec - openbsd client
On 2013-11-20, anon ymous ramrunner0...@gmail.com wrote:

> Hello list! If anyone could shed some light on the following I would be thankful.. I have 2 5.4-current boxes, one acting as an npppd server over ipsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although linux and windows clients connect ok with the same setup, I can't get the openbsd client to connect.

I ported xl2tpd - fwiw I've only tested it against Firebrick's l2tp implementation which does not use IPsec, so I don't know if anything special is needed for this.

>     tunnel L2TP_ipv4 protocol l2tp {
>         listen on 0.0.0.0
>         l2tp-accept-dialin yes
>         authentication-method mschapv2
>         pipex yes
>     }

Here you only accept mschapv2 authentication.

> the problem is that as we see from the logs the obsd client refuses to cope with mschap-v2 and various options from that last file.

Mackerras' pppd has new mschap code which supports mschap-v2; this was added in 2003, but unfortunately the last release with code for all arch other than Solaris/Linux was pppd-2.3.11 in 1999. I've looked at trying to update pppd before but it was a bit much for me..

> if we remove all the offending options we end up with "no authentication protocols are agreeable" in the npppd logs. ideas? suggestions for other approaches??

You could try telling npppd to accept chap (not mschap), and tell pppd to use that..
npppd l2tp/ipsec - openbsd client
Hello list!

If anyone could shed some light on the following I would be thankful.. I have 2 5.4-current boxes, one acting as an npppd server over ipsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although linux and windows clients connect ok with the same setup, I can't get the openbsd client to connect.

server /etc/ipsec.conf:

    local_ip=A.B.C.D
    ike passive esp transport proto udp from $local_ip to any port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

obsd client /etc/ipsec.conf:

    remote_ip=A.B.C.D
    local_ip=E.F.G.H
    ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

now when both endpoints start isakmpd and run ipsecctl we see the flows being created. the same kinds of flows get created for the other windows and linux clients.

server /etc/npppd/npppd.conf:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }

    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
        authentication-method mschapv2
        pipex yes
    }

    ipcp IPCP {
        pool-address 10.0.10.2-10.0.10.254
        dns-servers 8.8.8.8
    }

    # use tun(4) interface. multiple ppp sessions concentrate one interface.
    interface tun0 address 10.0.10.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

obsd client's /etc/xl2tpd/xl2tpd.conf:

    [global]
    debug avp = yes
    debug network = yes
    debug state = yes
    debug tunnel = yes

    [lac foo]
    lns = A.B.C.D
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes
    autodial=yes

obsd client's /etc/ppp/options.l2tpd.client:

    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    usepeerdns
    debug
    lock
    name x
    password x

the problem is that as we see from the logs the obsd client refuses to cope with mschap-v2 and various options from that last file. if we remove all the offending options we end up with "no authentication protocols are agreeable" in the npppd logs.

ideas? suggestions for other approaches??

Help me misc@openbsd.org, you're my only hope... ;)

thanks guys.
Re: NPPPD/L2TP IPsec problems
Hi,

On Fri, 16 Dec 2011 15:38:14 +0200 lilit-aibolit lilit-aibo...@mail.ru wrote:

> 29.09.2011 16:30, YASUOKA Masahiko wrote:
>
> > On Mon, 26 Sep 2011 15:20:50 +0200 Martin Poulsen mar...@dividebyzero.dk wrote:
> >
> > > This is my setup:
> > >
> > >     client (Windows XP) NAT - internet - OpenBSD (public IP) npppd
> >
> > L2TP/IPsec with NAT-T is not supported yet. We need 3 more hacks.
> >
> > 1. support FQDN identifier type on isakmpd
> > 2. ignore UDP checksum to pass L2TP messages. (checksums are broken by IPsec transport mode)
> > 3. npppd must be able to send an L2TP message to a different peer behind NAT by socket API. (API is not fixed yet.)
> >
> > 1. and 2. are `just do it' tasks. But 3. may take time. I'll start to discuss this on tech@.
>
> Do you have any progress in that?

1. and 2. are fixed in -current. Now *one* Windows box from behind a NAT box can connect to npppd. Please wait about 3. (Multiple clients still can not connect to npppd from behind the same NAT box.)

--yasuoka
Re: NPPPD/L2TP IPsec problems
29.09.2011 16:30, YASUOKA Masahiko wrote:

> On Mon, 26 Sep 2011 15:20:50 +0200 Martin Poulsen mar...@dividebyzero.dk wrote:
>
> > I have been playing around a little with the npppd daemon, having set up an L2TP server for test and learning purposes. The connection is running in an IPsec tunnel and it works great and runs very fine when used on a local network. But I'm having problems when it comes to NAT.
> >
> > This is my setup:
> >
> >     client (Windows XP) NAT - internet - OpenBSD (public IP) npppd
>
> L2TP/IPsec with NAT-T is not supported yet. We need 3 more hacks.
>
> 1. support FQDN identifier type on isakmpd
> 2. ignore UDP checksum to pass L2TP messages. (checksums are broken by IPsec transport mode)
> 3. npppd must be able to send an L2TP message to a different peer behind NAT by socket API. (API is not fixed yet.)
>
> 1. and 2. are `just do it' tasks. But 3. may take time. I'll start to discuss this on tech@.
>
> Thanks,
>
> --yasuoka

Do you have any progress in that?
Re: NPPPD/L2TP IPsec problems
On Mon, 26 Sep 2011 15:20:50 +0200 Martin Poulsen mar...@dividebyzero.dk wrote:

> I have been playing around a little with the npppd daemon, having set up an L2TP server for test and learning purposes. The connection is running in an IPsec tunnel and it works great and runs very fine when used on a local network. But I'm having problems when it comes to NAT.
>
> This is my setup:
>
>     client (Windows XP) NAT - internet - OpenBSD (public IP) npppd

L2TP/IPsec with NAT-T is not supported yet. We need 3 more hacks.

1. support FQDN identifier type on isakmpd
2. ignore UDP checksum to pass L2TP messages. (checksums are broken by IPsec transport mode)
3. npppd must be able to send an L2TP message to a different peer behind NAT by socket API. (API is not fixed yet.)

1. and 2. are `just do it' tasks. But 3. may take time. I'll start to discuss this on tech@.

Thanks,

--yasuoka
Re: NPPPD/L2TP IPsec problems
On Mon, Sep 26, 2011 at 7:45 PM, Matt S maschwa...@yahoo.com wrote:

> I think you have to enable NAT Traversal in your ipsec.conf file. Check the man page on that one. You could try this but I am not sure it will work.
>
>     ike passive from any (public-ip) to any ..

Thanks, tried it but unfortunately it didn't work. Other ideas?

--
Martin
NPPPD/L2TP IPsec problems
I have been playing around a little with the npppd daemon, having set up an L2TP server for test and learning purposes. The connection is running in an IPsec tunnel and it works great and runs very fine when used on a local network. But I'm having problems when it comes to NAT.

This is my setup:

    client (Windows XP) NAT - internet - OpenBSD (public IP) npppd

The OpenBSD machine is running on a snapshot:

    OpenBSD 5.0-current (GENERIC) #60: Thu Sep 22 11:33:48 MDT 2011

This is my ipsec.conf:

    # cat /etc/ipsec.conf
    # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
    #
    # See ipsec.conf(5) for syntax and examples.

    ike passive \
        from any to any \
        main auth hmac-sha enc 3des group modp2048 \
        quick auth hmac-sha enc 3des \
        psk secret

(I'm using a psk for simplicity.)

And this is the output from isakmpd -Kvd:

    # isakmpd -Kvd
    135735.070170 Default isakmpd: starting [priv]
    135745.894966 Default isakmpd: phase 1 done (as responder): initiator id LB-II.Landbjorn.local, responder id XXX.XXX.XXX.XXX, src: XXX.XXX.XXX.XXX dst: 87.56.249.90
    135745.944132 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
    135746.518485 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
    135748.518811 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
    135750.294002 Default isakmpd: Peer 87.56.249.90 made us delete live SA peer-default for proto 1, initiator id: LB-II.Landbjorn.local, responder id: XXX.XXX.XXX.XXX

(XXX.XXX.XXX.XXX is the public IP of the OpenBSD machine.)

Phase 1 is completed successfully, but phase 2 fails. I have searched Google, and found this:

    http://tinyurl.com/5vsvvfq

I have tried running isakmpd with the T flag but no luck.

Any idea what could be wrong?

Best regards
Martin
Re: NPPPD/L2TP IPsec problems
I think you have to enable NAT Traversal in your ipsec.conf file. Check the man page on that one. You could try this but I am not sure it will work.

    ike passive from any (public-ip) to any ..