Re: VPN Between OpenBSD and iOS
On 13-01-2014 18:02, Matthew P. Carlson wrote:
> Tor,
>
> I've considered it and would prefer to get the native OpenBSD VPN working.
> That being said, I may look into OpenVPN if I can't get this to work.
>
> Thanks,
>
> Matt
>

Hi,

I've used the OpenBSD native VPN, both with L2TP/IPSec and with PPTP, and they work as expected. I've never made an iOS device successfully connect with L2TP though. I kind of hit a wall. But I did not look that much into it and went with OpenVPN. I've been using it for more than 10 years now and it gets the job done, and there are some features of it that you can't accomplish with a simple L2TP/IPSec, plain IPSec or PPTP setup. At least not just with the VPN daemon itself.

Anyway, back to the topic, a way wild guess: is it possible you are running into MTU issues? As far as I remember from IKE, phase 2 is more network intensive, and that would explain your behavior if it were an MTU issue. This might be something worth looking into.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: VPN Between OpenBSD and iOS
Tor,

I've considered it and would prefer to get the native OpenBSD VPN working.
That being said, I may look into OpenVPN if I can't get this to work.

Thanks,

Matt

> On Jan 13, 2014, at 4:14 AM, Tor Houghton wrote:
>
>> On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
>> Yasuoka,
>>
>> I tried that just now and it doesn't seem to make a difference.
>>
>> Thanks,
>
> At risk of replying off-topic and out of date, I'll ask the question anyway.
>
> Have you considered using OpenVPN, as there are working clients for iOS now?
> I've been using this successfully on my iPad for a year or so now.
>
> Tor
Re: VPN Between OpenBSD and iOS
On Mon, Dec 30, 2013 at 09:22:18PM -0500, Matt Carlson wrote:
> Yasuoka,
>
> I tried that just now and it doesn't seem to make a difference.
>
> Thanks,

At risk of replying off-topic and out of date, I'll ask the question anyway.

Have you considered using OpenVPN, as there are working clients for iOS now?
I've been using this successfully on my iPad for a year or so now.

Tor
Re: VPN Between OpenBSD and iOS
I'm doing RADIUS auth. Here is my npppd.conf:

tunnel L2TP protocol l2tp {
	listen on <listen-address>	# the listen address is not present in the post as archived
	l2tp-hostname "myhostname.com"
	l2tp-vendor-name "OpenBSD"
	l2tp-accept-dialin yes
	mru 1360
	lcp-timeout 18
	authentication-method mschapv2
	tcp-mss-adjust yes
	pipex yes
	mppe no
	# ingress-filter yes
}

ipcp IPCP {
	pool-address 172.17.0.2-172.17.0.254
	dns-servers 192.168.78.123
	allow-user-selected-address no
}

interface tun0 address 172.17.0.1 ipcp IPCP

authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

authentication RADIUS type radius {
	authentication-server {
		address 192.168.78.125
		secret "my_radius_secret"
	}
	accounting-server {
		address 192.168.78.125
		secret "my_radius_secret"
	}
}

bind tunnel from L2TP authenticated by RADIUS to tun0

//mxb

On 4 jan 2014, at 02:09, Matt Carlson wrote:

> mxb,
>
> I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like?
>
> Thanks,
>
> Matt
>
>
> On Fri, Jan 3, 2014 at 8:03 AM, mxb wrote:
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). My ipsec.conf for L2TP is this:
>
> ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth "hmac-sha1" enc "3des" group modp1024 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk "ReallyweakPassword"
>
>
>
> > On 31 dec 2013, at 05:01, Mike Pistone wrote:
> >
> > > Strangely enough I am having the exact same problem. OPENBSD 5.4, etc.
> > >
> > > Phase I works once I tweaked my isakmp settings to match IOS7's capabilities
> > > (no modp2048 mainly), but I get the same messages Matt does on phase II.
> > >
> > >
> > > I have a npppd PPTP tunnel to the same server that works fine.
> > > It is just L2TP/IPSEC that has the issues.
> > >
> > >
> > > Mike
Re: VPN Between OpenBSD and iOS
mxb,

I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like?

Thanks,

Matt


On Fri, Jan 3, 2014 at 8:03 AM, mxb wrote:
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
> pre-release). My ipsec.conf for L2TP is this:
>
> ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth "hmac-sha1" enc "3des" group modp1024 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk "ReallyweakPassword"
>
>
>
> On 31 dec 2013, at 05:01, Mike Pistone wrote:
>
> > Strangely enough I am having the exact same problem. OPENBSD 5.4, etc.
> >
> > Phase I works once I tweaked my isakmp settings to match IOS7's
> > capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II.
> >
> >
> > I have a npppd PPTP tunnel to the same server that works fine.
> > It is just L2TP/IPSEC that has the issues.
> >
> >
> > Mike
Re: VPN Between OpenBSD and iOS
mxb,

Great. I'll try that this weekend.

Thanks,

Matt

> On Jan 3, 2014, at 8:03 AM, mxb wrote:
>
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
> pre-release). My ipsec.conf for L2TP is this:
>
> ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth "hmac-sha1" enc "3des" group modp1024 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk "ReallyweakPassword"
>
>
>
>> On 31 dec 2013, at 05:01, Mike Pistone wrote:
>>
>> Strangely enough I am having the exact same problem. OPENBSD 5.4, etc.
>>
>> Phase I works once I tweaked my isakmp settings to match IOS7's capabilities
>> (no modp2048 mainly), but I get the same messages Matt does on phase II.
>>
>>
>> I have a npppd PPTP tunnel to the same server that works fine.
>> It is just L2TP/IPSEC that has the issues.
>>
>>
>> Mike
Re: VPN Between OpenBSD and iOS
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). My ipsec.conf for L2TP is this:

ike passive esp transport \
        proto udp from $local_gw to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "ReallyweakPassword"

On 31 dec 2013, at 05:01, Mike Pistone wrote:

> Strangely enough I am having the exact same problem. OPENBSD 5.4, etc.
>
> Phase I works once I tweaked my isakmp settings to match IOS7's capabilities
> (no modp2048 mainly), but I get the same messages Matt does on phase II.
>
>
> I have a npppd PPTP tunnel to the same server that works fine.
> It is just L2TP/IPSEC that has the issues.
>
>
> Mike
Re: VPN Between OpenBSD and iOS
Strangely enough I am having the exact same problem. OPENBSD 5.4, etc.

Phase I works once I tweaked my isakmp settings to match IOS7's capabilities (no modp2048 mainly), but I get the same messages Matt does on phase II.

I have a npppd PPTP tunnel to the same server that works fine. It is just L2TP/IPSEC that has the issues.

Mike
Re: VPN Between OpenBSD and iOS
Jeff,

Here you go:

$ grep -v ^# /etc/npppd/npppd.conf
authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
	listen on 0.0.0.0
}

ipcp IPCP {
	pool-address 10.0.0.2-10.0.0.254
	dns-servers 8.8.8.8
}

interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Thanks,

Matt

On Mon, Dec 30, 2013 at 4:10 PM, Jeff Goettsch wrote:
> What does your npppd.conf look like?
>
>
>
> --
> Jeff Goettsch
> Agricultural and Resource Economics
> http://agecon.ucdavis.edu/
> 530-752-2219
>
>
> On 12/29/13 5:58 PM, Matt Carlson wrote:
>
>> Hello,
>>
>> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
>> VPN server. If I understand the problem correctly, it's unable to
>> negotiate phase 2. I'd welcome any pointers.
>>
>> Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
>> messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs
>> (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and
>> replaced them with "", since this is already fairly long.
>>
>> I welcome any suggestions/recommendations.
>>
>> Thanks,
>>
>> Matt
>>
>> # uname -a
>> OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
>> # cat /etc/rc.conf.local
>>
>>
>> ipsec=YES
>> isakmpd_flags="-Kv"
>> ftpproxy_flags=""
>> ntpd_flags=
>> pppd_flags=""
>> route6d_flags=""
>> named_flags=""
>> # grep -v ^# /etc/ipsec.conf
>>
>>
>> ike passive esp transport \
>>         proto udp \
>>         from any to any port 1701 \
>>         main auth "hmac-sha1" enc "aes" group modp1024 \
>>         quick auth "hmac-sha1" enc "aes-256" \
>>         psk "1"
>> # cat /var/log/messages
>>
>> Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
>> Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
>> Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
>> Dec 29 16:31:24 carbon named[6427]: running
>> Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
>> Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
>> Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
>> Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Re: VPN Between OpenBSD and iOS
Yasuoka,

I tried that just now and it doesn't seem to make a difference.

Thanks,

Matt

On Mon, Dec 30, 2013 at 7:34 PM, YASUOKA Masahiko wrote:
> Hi,
>
> On Sun, 29 Dec 2013 20:58:03 -0500
> Matt Carlson wrote:
> > # grep -v ^# /etc/ipsec.conf
> >
> >
> > ike passive esp transport \
> >         proto udp \
> >         from any to any port 1701 \
> >         main auth "hmac-sha1" enc "aes" group modp1024 \
> >         quick auth "hmac-sha1" enc "aes-256" \
> >         psk "1"
>
> AFAIK, a fixed IP address should be used for the source address.
>
> Does changing
>
>   from any to any port 1701 \
>
> to
>
>   from "69.g.h.i" to any port 1701 \
>
> fix the problem?
>
> --yasuoka
Re: VPN Between OpenBSD and iOS
Hi,

On Sun, 29 Dec 2013 20:58:03 -0500
Matt Carlson wrote:
> # grep -v ^# /etc/ipsec.conf
>
>
> ike passive esp transport \
>         proto udp \
>         from any to any port 1701 \
>         main auth "hmac-sha1" enc "aes" group modp1024 \
>         quick auth "hmac-sha1" enc "aes-256" \
>         psk "1"

AFAIK, a fixed IP address should be used for the source address.

Does changing

  from any to any port 1701 \

to

  from "69.g.h.i" to any port 1701 \

fix the problem?

--yasuoka
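The two configuration points the thread turns on are Yasuoka's (a fixed source address rather than "from any" on the passive transport rule) and Mike's (iOS 7 only completed phase 1 once modp2048 was taken out). The checker below is an added example, not code from the thread or from OpenBSD: it joins the backslash-continued "ike ... psk" rules the posts use, splits them into their parts, and flags those two points plus a pre-shared-key length floor. The three sample rules are Matt's and mxb's as posted, and one constructed variant; MIN_PSK_LEN, the function names and the constructed rule are this example's own assumptions, and it does not cover the rest of ipsec.conf(5) syntax.

```python
"""Lint ipsec.conf(5) ike rules for the points raised in this thread.

Added example, not code from the thread or from OpenBSD. It understands only
the 'ike ... psk' rule form the posts use. MIN_PSK_LEN, the function names
and CONSTRUCTED_RULE are this example's own assumptions.
"""
from __future__ import annotations

import shlex
from typing import Dict, List

MODES = {"active", "passive", "dynamic"}
ENCAPS = {"esp", "ah", "ipcomp"}
PHASE_KEYS = {"auth", "enc", "group"}
MIN_PSK_LEN = 16  # assumption: a modest floor for a hand-typed PSK

# Matt's rule, as posted (phase 2 fails with INVALID_ID_INFORMATION).
MATT_RULE = """\
ike passive esp transport \\
        proto udp \\
        from any to any port 1701 \\
        main auth "hmac-sha1" enc "aes" group modp1024 \\
        quick auth "hmac-sha1" enc "aes-256" \\
        psk "1"
"""

# mxb's rule, as posted (works with iOS 7.0.4 against OpenBSD 5.4).
MXB_RULE = """\
ike passive esp transport \\
        proto udp from $local_gw to any port 1701 \\
        main auth "hmac-sha1" enc "3des" group modp1024 \\
        quick auth "hmac-sha1" enc "aes" \\
        psk "ReallyweakPassword"
"""

# Constructed sample: fixed source address, but the modp2048 group Mike dropped.
CONSTRUCTED_RULE = """\
ike passive esp transport \\
        proto udp from 192.0.2.1 to any port 1701 \\
        main auth "hmac-sha1" enc "aes" group modp2048 \\
        quick auth "hmac-sha1" enc "aes" \\
        psk "correct-horse-battery-staple"
"""


def join_continuations(text: str) -> List[str]:
    """Glue backslash-continued lines into one rule each; drop blanks/comments."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            rules.append(buf.strip())
        buf = ""
    if buf.strip():
        rules.append(buf.strip())
    return rules


def parse_ike_rule(rule: str) -> dict:
    """Split one joined 'ike ...' rule into its parts (subset of ipsec.conf(5))."""
    tok = shlex.split(rule)  # also strips the quotes around strings
    if not tok or tok[0] != "ike":
        raise ValueError(f"not an ike rule: {rule!r}")
    r: dict = {"mode": "active", "encap": None, "ipsec_mode": "tunnel",
               "proto": "any", "from": None, "to": None, "port": None,
               "psk": None, "main": {}, "quick": {}}
    phase = None  # which of main/quick the next auth/enc/group belongs to
    i = 1
    while i < len(tok):
        t = tok[i]
        if t in MODES:
            r["mode"] = t
        elif t in ENCAPS:
            r["encap"] = t
        elif t in ("transport", "tunnel"):
            r["ipsec_mode"] = t
        elif t in ("proto", "from", "to", "port", "psk", "srcid", "dstid"):
            i += 1
            r[t] = tok[i]
        elif t in ("main", "quick"):
            phase = t
        elif t in PHASE_KEYS and phase is not None:
            i += 1
            r[phase][t] = tok[i]
        else:
            raise ValueError(f"unexpected token {t!r} in rule: {rule!r}")
        i += 1
    return r


def check_ike_rule(r: dict) -> List[str]:
    """Findings drawn from the thread, plus the PSK length assumption."""
    findings = []
    if r["from"] == "any":
        findings.append("'from any': Yasuoka's suggestion is a fixed source "
                        "address (the gateway's own IP) rather than 'any'")
    if r["main"].get("group") == "modp2048":
        findings.append("main group modp2048: Mike reports iOS 7 only "
                        "completed phase 1 once modp2048 was removed")
    if r["psk"] is not None and len(r["psk"]) < MIN_PSK_LEN:
        findings.append(f"psk is {len(r['psk'])} characters; this example "
                        f"assumes at least {MIN_PSK_LEN}")
    return findings


def lint_ipsec_conf(text: str) -> Dict[str, List[str]]:
    """Map each ike rule in an ipsec.conf fragment to its findings."""
    return {rule: check_ike_rule(parse_ike_rule(rule))
            for rule in join_continuations(text) if rule.startswith("ike ")}


if __name__ == "__main__":
    for rule, found in lint_ipsec_conf(MATT_RULE + MXB_RULE + CONSTRUCTED_RULE).items():
        print(rule)
        for f in found or ["no findings"]:
            print("  -", f)
```

Run it against the real file with `lint_ipsec_conf(open("/etc/ipsec.conf").read())`; macros such as mxb's `$local_gw` are left unexpanded, so the source-address check only fires on a literal `any`.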
Re: VPN Between OpenBSD and iOS
What does your npppd.conf look like?

--
Jeff Goettsch
Agricultural and Resource Economics
http://agecon.ucdavis.edu/
530-752-2219

On 12/29/13 5:58 PM, Matt Carlson wrote:
> Hello,
>
> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.
>
> Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "", since this is already fairly long.
>
> I welcome any suggestions/recommendations.
>
> Thanks,
>
> Matt
>
> # uname -a
> OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
> # cat /etc/rc.conf.local
> ipsec=YES
> isakmpd_flags="-Kv"
> ftpproxy_flags=""
> ntpd_flags=
> pppd_flags=""
> route6d_flags=""
> named_flags=""
> # grep -v ^# /etc/ipsec.conf
> ike passive esp transport \
>         proto udp \
>         from any to any port 1701 \
>         main auth "hmac-sha1" enc "aes" group modp1024 \
>         quick auth "hmac-sha1" enc "aes-256" \
>         psk "1"
> # cat /var/log/messages
> Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
> Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
> Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
> Dec 29 16:31:24 carbon named[6427]: running
> Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
> Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
> Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
> Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Re: VPN Between OpenBSD and iOS
Hi,

On 12/29/13, Matt Carlson wrote:
> Hello,
>
> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
> VPN server. If I understand the problem correctly, it's unable to
> negotiate phase 2. I'd welcome any pointers.

I'm somewhat curious about this. Can you verify if this is only an issue when the AES cipher is used?

--patrick

> Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
> messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs
> (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and
> replaced them with "", since this is already fairly long.
>
> I welcome any suggestions/recommendations.
>
> Thanks,
>
> Matt
>
> # uname -a
> OpenBSD carbon.my.domain 5.4 GENERIC#37 i386
> # cat /etc/rc.conf.local
>
>
> ipsec=YES
> isakmpd_flags="-Kv"
> ftpproxy_flags=""
> ntpd_flags=
> pppd_flags=""
> route6d_flags=""
> named_flags=""
> # grep -v ^# /etc/ipsec.conf
>
>
> ike passive esp transport \
>         proto udp \
>         from any to any port 1701 \
>         main auth "hmac-sha1" enc "aes" group modp1024 \
>         quick auth "hmac-sha1" enc "aes-256" \
>         psk "1"
> # cat /var/log/messages
>
> Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
> Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
> Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
> Dec 29 16:31:24 carbon named[6427]: running
> Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
> Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
> Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
> Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.
VPN Between OpenBSD and iOS
Hello,

I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.

Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "", since this is already fairly long.

I welcome any suggestions/recommendations.

Thanks,

Matt

# uname -a
OpenBSD carbon.my.domain 5.4 GENERIC#37 i386

# cat /etc/rc.conf.local
ipsec=YES
isakmpd_flags="-Kv"
ftpproxy_flags=""
ntpd_flags=
pppd_flags=""
route6d_flags=""
named_flags=""

# grep -v ^# /etc/ipsec.conf
ike passive esp transport \
        proto udp \
        from any to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp1024 \
        quick auth "hmac-sha1" enc "aes-256" \
        psk "1"

# cat /var/log/messages
Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
Dec 29 16:31:24 carbon named[6427]: running
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.

Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i dst: 166.d.e.f
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder id: 69.g.h.i

# tcpdump -vvr /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 116 to 65536
16:32:57.256488 mobile-166-d-e-f.mycingular.net.6885 > c-69.g.h.i.hsd1.va.comcast.net.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 84d030732a69f98e-> msgid: len: 500 payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
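The log above has a recognisable shape: one "phase 1 done" line, then a "peer proposed invalid phase 2 IDs" / "INVALID_ID_INFORMATION" pair every few seconds until the client deletes the SA, and a phase 1 initiator id (10.a.b.c, a private address) that differs from the address the packets actually arrive from (166.d.e.f), which shows a NAT in the path. The script below is an added example, not code from the thread or from OpenBSD: it parses those isakmpd(8) message forms, keeps per-peer counters, and turns them into the observations an admin reading the responder's logs would want. The sample is a trimmed copy of the post's own lines with its redacted addresses kept as-is; the function and field names are this example's own.

```python
"""Triage isakmpd(8) log lines for the phase 2 failure pattern in this thread.

Added example, not code from the thread or from OpenBSD. It reads
/var/log/messages lines in the shape the original post shows and summarises,
per remote peer, whether phase 1 completed and how phase 2 failed. The sample
is constructed from the post's own lines, redacted addresses included.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the log from the original post.
SAMPLE_LOG = """\
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i dst: 166.d.e.f
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder id: 69.g.h.i
"""

# One regex per isakmpd message we care about. The IDs are followed by a
# comma in the log, hence [^,\s]+ rather than \S+.
PHASE1_RE = re.compile(
    r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<init_id>[^,\s]+), "
    r"responder id (?P<resp_id>[^,\s]+), src: (?P<src>\S+) dst: (?P<dst>\S+)")
PHASE2_BAD_ID_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<init_id>[^,\s]+), "
    r"responder id (?P<resp_id>\S+)")
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)")
DELETE_RE = re.compile(r"Peer (?P<peer>\S+) made us delete live SA (?P<sa>\S+)")


@dataclass
class PeerState:
    """What we know about one remote IKE peer, keyed by its packet source."""
    peer_addr: str
    initiator_id: Optional[str] = None  # ID the client asserted in phase 1
    phase1_done: int = 0
    phase2_bad_ids: int = 0
    notifications: Counter = field(default_factory=Counter)
    sa_deleted: bool = False


def parse_isakmpd_log(text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    by_init_id: Dict[str, str] = {}  # initiator id -> peer address

    def state(addr: str) -> PeerState:
        return peers.setdefault(addr, PeerState(peer_addr=addr))

    for line in text.splitlines():
        if "isakmpd" not in line:
            continue
        if m := PHASE1_RE.search(line):
            # As responder, the remote peer is the dst of the new SA.
            peer = m["dst"] if m["role"] == "responder" else m["src"]
            st = state(peer)
            st.initiator_id = m["init_id"]
            st.phase1_done += 1
            by_init_id[m["init_id"]] = peer
        elif m := PHASE2_BAD_ID_RE.search(line):
            # This message names only the IDs, so map back via phase 1.
            peer = by_init_id.get(m["init_id"])
            if peer is not None:
                state(peer).phase2_bad_ids += 1
        elif m := DROP_RE.search(line):
            state(m["peer"]).notifications[m["notify"]] += 1
        elif m := DELETE_RE.search(line):
            state(m["peer"]).sa_deleted = True
    return peers


def diagnose(st: PeerState) -> List[str]:
    """Turn the counters into the observations a responder-side admin needs."""
    findings = []
    if st.phase1_done and st.phase2_bad_ids:
        findings.append(f"phase 1 completed {st.phase1_done}x but "
                        f"{st.phase2_bad_ids} phase 2 proposals were rejected for invalid IDs")
    if st.notifications.get("INVALID_ID_INFORMATION"):
        findings.append("INVALID_ID_INFORMATION sent: isakmpd found no configured "
                        "flow matching the phase 2 IDs the client proposed")
    # The phase 1 ID may be an address or another ID type; when it is an
    # address that differs from the packet source, a NAT sits in the path.
    if st.initiator_id and st.initiator_id != st.peer_addr:
        findings.append(f"initiator id {st.initiator_id} differs from packet "
                        f"source {st.peer_addr}: the client is behind NAT")
    if st.sa_deleted:
        findings.append("client deleted the phase 1 SA after the failures")
    return findings


if __name__ == "__main__":
    for addr, st in parse_isakmpd_log(SAMPLE_LOG).items():
        print(addr)
        for f in diagnose(st):
            print("  -", f)
```

Feed it the real file with `parse_isakmpd_log(open("/var/log/messages").read())`; lines from other daemons are skipped, and a peer that only ever sends phase 1 traffic produces no findings.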