Re: l2tp and openbsd 6.1
On Fri, Oct 6, 2017 at 5:25 PM, Charles Amstutz <charl...@infinitesys.com> wrote:
> Should've also mentioned this oddity:
>
> So, if the firewall rules are uncommented (where I get the below error)
>
> no IP address found for pppx:network
> /etc/pf.conf:102: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:103: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:106: could not parse host specification
>
> And reboot, I can't connect. However, if I comment out those lines and then
> save/reload then uncomment, I can connect just fine.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Charles Amstutz
> Sent: Friday, October 6, 2017 10:04 AM
> To: 'misc@openbsd.org' <misc@openbsd.org>
> Subject: Re: l2tp and openbsd 6.1
>
> [...]

You can't use :network for interface groups like pppx. If you want to filter on IP or subnet, why don't you just type the actual IP or subnet in pf.conf?

--
:wq!
Re: l2tp and openbsd 6.1
Should've also mentioned this oddity:

So, if the firewall rules are uncommented (where I get the below error)

no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

And reboot, I can't connect. However, if I comment out those lines and then save/reload then uncomment, I can connect just fine.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Charles Amstutz
Sent: Friday, October 6, 2017 10:04 AM
To: 'misc@openbsd.org' <misc@openbsd.org>
Subject: Re: l2tp and openbsd 6.1

Hello Noth,

"Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."

I did!! I found another article that talked about the group. After reading this:
http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

However, I still get this error if I try to reload the firewall and no VPN client is established (thus the pppx group or pppx0 interface doesn't exist yet)... this is the same if I use pppx or pppx0:

no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

If I remove :network, the same errors:

no IP address found for pppx
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx
/etc/pf.conf:106: could not parse host specification

However, if I comment out those lines, connect, then uncomment the lines, things work as they should (it appears).

It also seems as if I can't connect if I have those lines uncommented after a reboot.

Many strange things.

Thanks for the help everyone, I'm going to continue to research.
Re: l2tp and openbsd 6.1
Hello Noth,

"Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."

I did!! I found another article that talked about the group. After reading this:
http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

However, I still get this error if I try to reload the firewall and no VPN client is established (thus the pppx group or pppx0 interface doesn't exist yet)... this is the same if I use pppx or pppx0:

no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

If I remove :network, the same errors:

no IP address found for pppx
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx
/etc/pf.conf:106: could not parse host specification

However, if I comment out those lines, connect, then uncomment the lines, things work as they should (it appears).

It also seems as if I can't connect if I have those lines uncommented after a reboot.

Many strange things.

Thanks for the help everyone, I'm going to continue to research.
Re: l2tp and openbsd 6.1
Try pppx instead of pppx0, it'll work in pf.conf, including as a macro.

On 05/10/17 18:35, Charles Amstutz wrote:
> This works as well:
>
> pass in quick on pppx0
> pass out quick on pppx0
>
> This doesn't work:
>
> pass in quick on pppx0 from pppx0
>
> as it complains there is no IP. Assigning pppx0 to a variable doesn't work either. Neither does setting it to be dynamic.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Charles Amstutz
> Sent: Thursday, October 5, 2017 10:44 AM
> To: 'misc@openbsd.org' <misc@openbsd.org>
> Subject: Re: l2tp and openbsd 6.1
>
> Here is a related but new question. If pppx0 only exists when someone is VPN'ed in, how do people handle this in pf? If you don't define rules, packets get blocked on it. But if there is no connection, pf complains about pppx0 not having a firewall. The only thing that seems to work is set skip on pppx0. But then no rules process on it. Has anyone run into this? How did you handle it?
Re: l2tp and openbsd 6.1
5.5, apart from no longer being supported, allows by default for weaker ciphers that aren't since 5.9. This was the release that broke Android 6.x/7.x configs if you didn't specify which mod group you wanted.

On 05/10/17 06:51, Vivek Vinod wrote:
> I do not understand the question but this may be connected...
>
> My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some "guide" without understanding a thing. My iOS, Android and Mac clients connect without a hitch. Windows 10 do not. To get my Windows 10 to work, I have to copy over and install the certificates from a previously connected Mac machine's keychain.
>
> In your setup, can you check in your Windows 10 certificate store if the necessary certificates (if any) have been installed? If not, try copying the certificates. This is Windows 10 behaviour. It may or may not be related to "self signed certificates".
>
> Again, I do not understand a thing. Sorry for the noise.
>
> Please excuse my brevity. Sent from my handphone.
>
> Original Message
> From: Vijay Sankar
> Sent: Wednesday 4 October 2017 23:42
> To: misc@openbsd.org
> Subject: Re: l2tp and openbsd 6.1
>
> Quoting Charles Amstutz <charl...@infinitesys.com>:
> > Yes,
> >
> > I would like to know this as well, it seems annoying that Android 8/4.x and iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and Android 7.
> >
> > It's either a user error (which I am willing to admit) or something very annoying. Especially when my L2TP PSK Windows server can accept connections from anything it seems.
> >
> > I would like to get this figured out.
> >
> > I appreciate all of the suggestions, but I still can't get Android 7 to connect, no matter which encryption, authentication or modp I use.
> >
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of lilit-aibolit
> > Sent: Wednesday, October 4, 2017 2:46 AM
> > To: misc@openbsd.org
> > Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
> > Subject: Re: l2tp and openbsd 6.1
> >
> > [...]
Re: l2tp and openbsd 6.1
This works as well:

pass in quick on pppx0
pass out quick on pppx0

This doesn't work:

pass in quick on pppx0 from pppx0

as it complains there is no IP. Assigning pppx0 to a variable doesn't work either. Neither does setting it to be dynamic.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Charles Amstutz
Sent: Thursday, October 5, 2017 10:44 AM
To: 'misc@openbsd.org' <misc@openbsd.org>
Subject: Re: l2tp and openbsd 6.1

Here is a related but new question. If pppx0 only exists when someone is VPN'ed in, how do people handle this in pf? If you don't define rules, packets get blocked on it. But if there is no connection, pf complains about pppx0 not having a firewall. The only thing that seems to work is set skip on pppx0. But then no rules process on it. Has anyone run into this? How did you handle it?
Re: l2tp and openbsd 6.1
Here is a related but new question. If pppx0 only exists when someone is VPN'ed in, how do people handle this in pf? If you don't define rules, packets get blocked on it. But if there is no connection, pf complains about pppx0 not having a firewall. The only thing that seems to work is set skip on pppx0. But then no rules process on it. Has anyone run into this? How did you handle it?
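As an added example (not code from the thread or from OpenBSD), a small Python model of the behaviour the thread keeps running into: pfctl resolves an address operand written as `name` or `name:network` when the ruleset is loaded, so it needs an interface that has an address, or a group with at least one such member, at that moment. The pppx group has no members until a client connects, which is why the rules load only after connecting. The interface tables and both pf.conf fragments are constructed here; 192.168.222.0/24 is the subnet covering the pool-address range from the npppd.conf posted later in the thread.

```python
import re

# Operands pf resolves at load time: an interface or group name, optionally with
# a modifier such as :network, optionally in parentheses. This simplified model
# treats dynamic "(name)" operands the same as static ones.
OPERAND_RE = re.compile(r"^\(?([A-Za-z][A-Za-z0-9_]*)(?::(?:network|broadcast|peer|0))?\)?$")
KEYWORD_OPERANDS = {"any", "self", "no-route"}


def operands(rule):
    """Yield the address operands of one pf rule: the tokens after 'from' / 'to',
    including every member of a { ... } list."""
    toks = rule.split()
    i = 0
    while i < len(toks):
        if toks[i] in ("from", "to") and i + 1 < len(toks):
            i += 1
            if toks[i].startswith("{"):
                while i < len(toks):
                    member = toks[i].strip("{},")
                    if member:
                        yield member
                    if toks[i].endswith("}"):
                        break
                    i += 1
            else:
                yield toks[i].lstrip("!")
        i += 1


def resolvable(operand, interfaces):
    """True if pfctl could turn `operand` into addresses right now.
    `interfaces` maps interface name -> (groups, addresses) as of load time."""
    m = OPERAND_RE.match(operand)
    if not m or m.group(1) in KEYWORD_OPERANDS:
        return True  # literal address/CIDR, macro, table, hostname or keyword
    name = m.group(1)
    if name in interfaces:
        return bool(interfaces[name][1])
    # Otherwise treat it as an interface group: it resolves only if some
    # member carrying an address exists at this moment.
    return any(name in groups and addrs for groups, addrs in interfaces.values())


def check_ruleset(pf_conf, interfaces):
    """Return [(line number, operand)] for every operand pfctl would reject."""
    rejected = []
    for lineno, raw in enumerate(pf_conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith(("pass", "block", "match")):
            continue  # macros, tables, options: nothing to look up
        rejected.extend((lineno, op) for op in operands(line)
                        if not resolvable(op, interfaces))
    return rejected


def pfctl_style(problems, path="/etc/pf.conf"):
    """Render rejections the way pfctl -nf reports them in the thread."""
    out = []
    for lineno, op in problems:
        out.append(f"no IP address found for {op}")
        out.append(f"{path}:{lineno}: could not parse host specification")
    return out


# Constructed view of the firewall at boot: name -> (groups, addresses).
# No client is connected, so pppx0 does not exist and the pppx group is empty.
AT_BOOT = {
    "em0": (["egress"], ["203.0.113.10/24"]),
    "em1": ([], ["192.0.2.1/24"]),
    "lo0": ([], ["127.0.0.1/8"]),
}
# Same firewall once one L2TP client is up (address constructed).
WITH_CLIENT = dict(AT_BOOT, pppx0=(["pppx"], ["192.168.222.1/32"]))

# Ruleset in the shape the thread describes: VPN traffic named via pppx:network.
BROKEN_PF_CONF = """\
vpn_if = "pppx"
pass in quick on $vpn_if from pppx:network to any
pass out quick on $vpn_if from any to pppx:network
block in on egress from pppx:network   # anti-spoofing on the outside
"""

# Same policy with the client pool typed explicitly, as the reply suggests.
FIXED_PF_CONF = """\
vpn_if = "pppx"
vpn_pool = "192.168.222.0/24"
pass in quick on $vpn_if from $vpn_pool to any
pass out quick on $vpn_if from any to $vpn_pool
block in on egress from $vpn_pool      # anti-spoofing on the outside
"""

if __name__ == "__main__":
    print("broken ruleset at boot:")
    print("\n".join(pfctl_style(check_ruleset(BROKEN_PF_CONF, AT_BOOT))))
    print("broken ruleset with a client connected:",
          check_ruleset(BROKEN_PF_CONF, WITH_CLIENT) or "loads")
    print("fixed ruleset at boot:", check_ruleset(FIXED_PF_CONF, AT_BOOT) or "loads")
```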
Re: l2tp and openbsd 6.1
Quoting lilit-aibolit:

> On 05/10/17 09:17, lilit-aibolit wrote:
> > Hi,
> > I've just tried your suggestion and iPhone could connect but Windows gives new errors in log:
> >
> > ##here is Windows attempt
> > Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
> > Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE
>
> I've tested one more time and it seems that INVALID_PAYLOAD_TYPE means wrong PSK in Windows VPN client.
> So after correction I was able to establish VPN both from iPhone, Android and from Windows (at least version 7) with this ipsec.conf:
>
> ike passive esp transport \
>         proto udp from a.b.s.d to any port 1701 \
>         main auth hmac-sha1 enc aes group modp2048 \
>         quick auth hmac-sha1 enc aes \
>         psk "psk"
> ike passive esp transport \
>         proto udp from a.b.s.d to any port 1701 \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         psk "psk"

Glad that changing the order is working for you. Yes, for whatever reason, I found IPSec/L2TP works when ike with modp2048 is listed first and then modp1024.

I read Stuart Henderson's email carefully again and think that my suggestion re. the order of IKE statements may be wrong. Probably the only reason this works for me is because I am not simultaneously trying to connect with both Windows and Android clients. Will try to test that this weekend but please read his reply in this thread.

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
Re: l2tp and openbsd 6.1
On 05/10/17 09:17, lilit-aibolit wrote:
> Hi,
> I've just tried your suggestion and iPhone could connect but Windows gives new errors in log:
>
> ##here is Windows attempt
> Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
> Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE

I've tested one more time and it seems that INVALID_PAYLOAD_TYPE means wrong PSK in Windows VPN client.
So after correction I was able to establish VPN both from iPhone, Android and from Windows (at least version 7) with this ipsec.conf:

ike passive esp transport \
        proto udp from a.b.s.d to any port 1701 \
        main auth hmac-sha1 enc aes group modp2048 \
        quick auth hmac-sha1 enc aes \
        psk "psk"
ike passive esp transport \
        proto udp from a.b.s.d to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "psk"
Re: l2tp and openbsd 6.1
Hi,
I've just tried your suggestion and iPhone could connect but Windows gives new errors in log:

Oct 5 09:05:44 gw isakmpd[19354]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Oct 5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 logtype=Started RecvSCCRQ from=37.73.214.69:57298/udp tunnel_id=6/17 protocol=1.0 winsize=4 hostname=imuca vendor=(no vendorname) firm=
Oct 5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPBind ppp=5
Oct 5 09:05:49 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 5 09:05:49 gw /bsd: pipex: ppp=5 iface=tun0 protocol=L2TP id=12298 PIPEX is ready.
Oct 5 09:05:49 gw npppd[10826]: ppp id=5 layer=base Using pipex=yes
Oct 5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPUnbind
Oct 5 09:06:59 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELUSAGE user="ppo" duration=72sec layer2=L2TP layer2from=37.73.214.69:57298 auth=MS-CHAP-V2 data_in=167613bytes,1911packets data_out=2819616bytes,2540packets error_in=1 error_out=0 mppe=no iface=tun0
Oct 5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 logtype=Finished
##here is Windows attempt
Oct 5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next payload type in payload of type 5
Oct 5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE

After I removed the first ike config line with modp2048, the log returned to this:

Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 5 09:16:08 gw isakmpd[12442]: message_negotiate_sa: no compatible proposal found
Oct 5 09:16:08 gw isakmpd[12442]: dropped message from 37.73.208.173 port 10552 due to notification type NO_PROPOSAL_CHOSEN

On 04/10/17 20:54, Vijay Sankar wrote:
> Unfortunately I am not sure if what I am saying is correct or valid because maybe this stuff works for me only because I am using older versions of Android etc., plus I am using a slightly modified OpenBSD 5.5 kernel. But you may want to try the following.
>
> The order is important -- doesn't seem to work if modp2048 is listed after modp1024. If I do something like
>
> ike passive esp transport proto udp from $local_ip to any port 1701 \
>         main auth "hmac-sha1" enc "aes" group modp2048 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk "mypsk"
> ike passive esp transport proto udp from $local_ip to any port 1701 \
>         main auth "hmac-sha1" enc "aes" group modp1024 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk "mypsk"
>
> in the order listed, it works, and it has been working for at least a few years.
>
> To make sure I am not posting wrong information, I have double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.
>
> I will try the same thing with -current and report back to the list if it is useful.
>
> Hope this helps.
>
> Vijay
Re: l2tp and openbsd 6.1
I do not understand the question but this may be connected...

My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some "guide" without understanding a thing. My iOS, Android and Mac clients connect without a hitch. Windows 10 do not. To get my Windows 10 to work, I have to copy over and install the certificates from a previously connected Mac machine's keychain.

In your setup, can you check in your Windows 10 certificate store if the necessary certificates (if any) have been installed? If not, try copying the certificates. This is Windows 10 behaviour. It may or may not be related to "self signed certificates".

Again, I do not understand a thing. Sorry for the noise.

Please excuse my brevity. Sent from my handphone.

Original Message
From: Vijay Sankar
Sent: Wednesday 4 October 2017 23:42
To: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1

Quoting Charles Amstutz <charl...@infinitesys.com>:
> Yes,
>
> I would like to know this as well, it seems annoying that Android 8/4.x and iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and Android 7.
>
> It's either a user error (which I am willing to admit) or something very annoying. Especially when my L2TP PSK Windows server can accept connections from anything it seems.
>
> I would like to get this figured out.
>
> I appreciate all of the suggestions, but I still can't get Android 7 to connect, no matter which encryption, authentication or modp I use.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of lilit-aibolit
> Sent: Wednesday, October 4, 2017 2:46 AM
> To: misc@openbsd.org
> Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
> Subject: Re: l2tp and openbsd 6.1
>
> [...]
Re: l2tp and openbsd 6.1
Quoting Charles Amstutz <charl...@infinitesys.com>:
> Yes,
>
> I would like to know this as well, it seems annoying that Android 8/4.x and iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and Android 7.
>
> It's either a user error (which I am willing to admit) or something very annoying. Especially when my L2TP PSK Windows server can accept connections from anything it seems.
>
> I would like to get this figured out.
>
> I appreciate all of the suggestions, but I still can't get Android 7 to connect, no matter which encryption, authentication or modp I use.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of lilit-aibolit
> Sent: Wednesday, October 4, 2017 2:46 AM
> To: misc@openbsd.org
> Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
> Subject: Re: l2tp and openbsd 6.1
>
> [...]
Re: l2tp and openbsd 6.1
Yes,

I would like to know this as well, it seems annoying that Android 8/4.x and iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and Android 7.

It's either a user error (which I am willing to admit) or something very annoying. Especially when my L2TP PSK Windows server can accept connections from anything it seems.

I would like to get this figured out.

I appreciate all of the suggestions, but I still can't get Android 7 to connect, no matter which encryption, authentication or modp I use.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: misc@openbsd.org
Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
Subject: Re: l2tp and openbsd 6.1

Hi,
with l2tp I have a situation where iOS and Android devices can connect but Windows 7 and Windows 10 can't.

Is it possible to adjust ipsec.conf somehow so it could accept connections from Windows clients too? Or is there a way to adjust some settings in Windows so it will work with the current ipsec.conf?

I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
        proto udp from a.b.x.y to any port 1701 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "password"

Here is npppd.conf:

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
        listen on x.x.y.y
}
ipcp IPCP {
        pool-address 192.168.222.2-192.168.222.254
        dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct 2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
Oct 2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from iPhone 6s:

Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from iPhone 4s:

Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct 2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And unsuccessful connection from Win7:

Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES
Re: l2tp and openbsd 6.1
Hi,

With L2TP I have a situation where iOS and Android devices could connect but Windows 7 and Windows 10 couldn't. Is it possible to adjust ipsec.conf somehow so it could accept connections from Windows clients too? Or is there a way to adjust some settings in Windows so it will work with the current ipsec.conf?

I also noticed that I have to add a pass rule for tun0 to PF explicitly:

    pass on tun0 all

instead of having just:

    set skip on { lo0, tun0 }

Here is ipsec.conf:

    ike passive esp transport \
            proto udp from a.b.x.y to any port 1701 \
            main auth hmac-sha1 enc aes group modp1024 \
            quick auth hmac-sha1 enc aes \
            psk "password"

Here is npppd.conf:

    authentication LOCAL type local {
            users-file "/etc/npppd/npppd-users"
    }

    tunnel L2TP protocol l2tp {
            listen on x.x.y.y
    }

    ipcp IPCP {
            pool-address 192.168.222.2-192.168.222.254
            dns-servers 192.168.a.b
    }

    interface tun0 address 192.168.222.1 ipcp IPCP
    bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

    Oct 2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
    Oct 2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
    Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
    Oct 2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
    Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from iPhone 6s:

    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
    Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
    Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
    Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
    Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
    Oct 2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
    Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from iPhone 4s:

    Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
    Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
    Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
    Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
    Oct 2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And an unsuccessful connection from Win7:

    Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
    Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
    Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
    Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
    Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN

On 02/10/17 23:03, Charles Amstutz wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
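As an added example (it is not part of the thread and not an OpenBSD tool): a small sh/awk helper that digests isakmpd log lines of the kind quoted above. It assumes isakmpd is run with -K as in the thread, so the "expected" side of every attribute_unacceptable line is whatever the main/quick lines of ipsec.conf pin down. The sample log lines are constructed from the ones posted above. The caveat it makes visible: attribute_unacceptable on its own is not a failure, since isakmpd logs one for every transform in the client's proposal list that does not match; the iPhone 6s log has several and still reaches TUNNELSTART. The decisive lines are "no compatible proposal found" and the NO_PROPOSAL_CHOSEN notification, which only the Windows 7 log contains.

```shell
#!/bin/sh
# Added example, not from the thread: summarise isakmpd proposal mismatches.
# Sample input is constructed from the log lines quoted in the thread
# (isakmpd -K, ipsec.conf with main/quick auth hmac-sha1 enc aes group modp1024).

# Failed Windows 7 attempt: every offered transform was rejected.
WIN7_LOG='Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN'

# Successful iPhone 6s attempt: some transforms rejected, but one matched, so
# there is no "no compatible proposal found" and no NO_PROPOSAL_CHOSEN.
IPHONE_LOG='Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm='

# ike_mismatches: stdin = isakmpd log; prints one sorted line per distinct
# "ATTRIBUTE got=client_value expected=server_value count=N".
# "got" is what the client proposed, "expected" is what ipsec.conf allows.
ike_mismatches() {
    awk '
        /attribute_unacceptable:/ {
            split($0, p, "attribute_unacceptable: ")   # p[2] = "ATTR: got X, expected Y"
            split(p[2], a, ": got ")                   # a[1] = ATTR, a[2] = "X, expected Y"
            split(a[2], b, ", expected ")              # b[1] = X, b[2] = Y
            seen[a[1] " got=" b[1] " expected=" b[2]]++
        }
        END { for (k in seen) print k " count=" seen[k] }
    ' | sort
}

# ike_rejected_peers: stdin = isakmpd log; prints "peer rejected=N" for every
# peer that was sent NO_PROPOSAL_CHOSEN. Empty output means no negotiation failed,
# even if attribute_unacceptable lines were logged.
ike_rejected_peers() {
    awk '
        /NO_PROPOSAL_CHOSEN/ {
            for (i = 1; i <= NF; i++) if ($i == "from") peers[$(i + 1)]++
        }
        END { for (p in peers) print p " rejected=" peers[p] }
    ' | sort
}

echo "== Windows 7 =="
printf '%s\n' "$WIN7_LOG" | ike_mismatches
printf '%s\n' "$WIN7_LOG" | ike_rejected_peers
echo "== iPhone 6s =="
printf '%s\n' "$IPHONE_LOG" | ike_mismatches
printf '%s\n' "$IPHONE_LOG" | ike_rejected_peers
```

On a live gateway, feed it the real log instead of the constructed variables, e.g. `ike_mismatches < /var/log/daemon`; the mismatch lines tell you which client defaults your single ipsec.conf proposal does not cover, and the rejected-peers list tells you which of them actually failed rather than just probing.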
Re: l2tp and openbsd 6.1
The problem is on Android 6.x/7.x that need to be rooted to change their ipsec settings to allow for higher encryption. The following works on those OSes:

cat ipsec.conf:

    ike passive esp transport \
            proto udp from "publicip" to any port l2tp \
            main group "modp1024" \
            quick group "modp1024" \
            psk "yourpass"

It's bad, but what can you do? Google won't deal with it, and the vendors claim it would break current solutions. I've seen in debug that after a few tries Android would give the right aes2-256 keying but by then isakmpd was having none of it...

Cheers,

Noth

On 03/10/17 00:49, Charles Amstutz wrote:
> Hello Sterling,
>
> Thanks for the response. I changed it to
>
>     ike passive esp transport \
>             proto udp from $public_ip to any port 1701 \
>             main auth "hmac-sha1" enc "aes-256" group modp1024 \
>             quick auth "hmac-sha1" enc "aes-256" \
>             PSK "PSK-GOES-HERE"
>
> and still no luck. I found out that Android 8 will connect (using aes). I am dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't a potential pf problem I guess. However, if iOS and Android 8 would connect, I would think that would rule out a pf problem?
>
> Is there a way to turn on additional debugging? I'm using isakmpd -K in rc.conf.local, so not using isakmpd.policy/.conf (from my understanding). Everything in /var/log/messages is just from npppd. Unless I'm reading it wrong, there doesn't appear to be any errors.
>
> -----Original Message-----
> From: Sterling Archer [mailto:deb...@gmail.com]
> Sent: Monday, October 2, 2017 5:35 PM
> To: Charles Amstutz <charl...@infinitesys.com>
> Cc: misc@openbsd.org
> Subject: Re: l2tp and openbsd 6.1
>
> On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> wrote:
>> Hello everyone,
>>
>> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors.
>>
>> I've looked at sites such as:
>>
>> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
>> https://www.authbsd.com/blog/?p=20
>> http://daemonforums.org/showthread.php?t=10326
>> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
>> https://man.openbsd.org/npppd.conf.5
>> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
>> https://marc.info/?l=openbsd-misc=145922338026396=2
>> https://marc.info/?l=openbsd-misc=145614573528471=2
>> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
>> ... etc
>>
>> I can get iOS to connect, but I can't get Android 7 to connect. I've read that Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is that it connects just fine to my Windows L2TP server. Bug tracker: https://issuetracker.google.com/issues/37074640#c35
>>
>> My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.
>>
>> My questions.
>>
>> 1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure. https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples.
>>
>> 2) Every time I read a site that says "this configuration worked for me on Android", it doesn't work for me. I presume it is my lack of understanding, though I'm not ruling out the possible Android bug.
>>
>> I appreciate any help.
>>
>> Here is my ipsec.conf (this allows iOS to connect):
>>
>>     public_ip = "x.x.x.x"
>>
>>     ike passive esp transport \
>>             proto udp from $public_ip to any port 1701 \
>>             main auth "hmac-sha1" enc "aes" group modp1024 \
>>             quick auth "hmac-sha1" enc "aes" \
>>             psk "PSK-GOES-HERE"
>>
>> Here is my npppd.conf:
>>
>>     authentication LOCAL type local {
>>             users-file "/etc/npppd/npppd-users"
>>     }
>>
>>     tunnel L2TP protocol l2tp {
>>             listen on 0.0.0.0
>>             listen on ::
>>     }
>>
>>     ipcp IPCP {
>>             pool-address 10.0.0.101-10.0.0.254
>>             dns-servers x.x.x.x
>>     }
>>
>>     # use pppx(4) interface. use an interface per a ppp session.
>>     interface pppx0 address 10.0.0.1 ipcp IPCP
>>     bind tunnel from L2TP authenticated by LOCAL to pppx0
>
> I'm able to connect using a similar setup, but using aes-256 instead of aes as encoding in ipsec.conf.
>
> --
> :wq!
Re: l2tp and openbsd 6.1
Quoting Stuart Henderson:

> On 2017-10-02, Charles Amstutz wrote:
>> Hello Sterling,
>>
>> Thanks for the response. I changed it to
>>
>>     ike passive esp transport \
>>             proto udp from $public_ip to any port 1701 \
>>             main auth "hmac-sha1" enc "aes-256" group modp1024 \
>>             quick auth "hmac-sha1" enc "aes-256" \
>>             PSK "PSK-GOES-HERE"
>>
>> and still no luck. I found out that Android 8 will connect (using aes). I am dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't a potential pf problem I guess. However, if iOS and Android 8 would connect, I would think that would rule out a pf problem?
>>
>> Is there a way to turn on additional debugging? I'm using isakmpd -K in rc.conf.local, so not using isakmpd.policy/.conf (from my understanding). Everything in /var/log/messages is just from npppd. Unless I'm reading it wrong, there doesn't appear to be any errors.
>
> I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20" in rc.conf.local as a general-purpose debugging config, then if there's a particular area I look at isakmpd source to see if I need to bump one of them up a little. These end up in /var/log/daemon (or start it by hand to run in the foreground using -d).
>
>>> 1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure.
>
> You can, *but* only one "default peer" ("to any" line) will take effect.
>
>>> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples
>
> That site makes it look like you can use the two, but it won't work like that. One config will override the other.

I don't know about Android 8 but have been able to use iPhones as well as Android tablets with the following on an older version of OpenBSD. Hope this is helpful and not sending the OP in the wrong direction.

In npppd.conf, I am using

    interface tun0 address 10.0.0.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

instead of

    interface pppx0 address 10.0.0.1 ipcp IPCP
    bind tunnel from L2TP authenticated by LOCAL to pppx0

and in pf.conf, I have

    pass in quick on tun0 inet proto tcp from 10.0.0.0/24

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
Re: l2tp and openbsd 6.1
On 2017-10-02, Charles Amstutz wrote:
> Hello Sterling,
>
> Thanks for the response. I changed it to
>
>     ike passive esp transport \
>             proto udp from $public_ip to any port 1701 \
>             main auth "hmac-sha1" enc "aes-256" group modp1024 \
>             quick auth "hmac-sha1" enc "aes-256" \
>             PSK "PSK-GOES-HERE"
>
> and still no luck. I found out that Android 8 will connect (using aes). I am dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't a potential pf problem I guess. However, if iOS and Android 8 would connect, I would think that would rule out a pf problem?
>
> Is there a way to turn on additional debugging? I'm using isakmpd -K in rc.conf.local, so not using isakmpd.policy/.conf (from my understanding). Everything in /var/log/messages is just from npppd. Unless I'm reading it wrong, there doesn't appear to be any errors.

I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20" in rc.conf.local as a general-purpose debugging config, then if there's a particular area I look at isakmpd source to see if I need to bump one of them up a little. These end up in /var/log/daemon (or start it by hand to run in the foreground using -d).

>> 1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure.

You can, *but* only one "default peer" ("to any" line) will take effect.

>> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples

That site makes it look like you can use the two, but it won't work like that. One config will override the other.
Re: l2tp and openbsd 6.1
Hello Sterling,

Thanks for the response. I changed it to

    ike passive esp transport \
            proto udp from $public_ip to any port 1701 \
            main auth "hmac-sha1" enc "aes-256" group modp1024 \
            quick auth "hmac-sha1" enc "aes-256" \
            PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using aes). I am dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't a potential pf problem I guess. However, if iOS and Android 8 would connect, I would think that would rule out a pf problem?

Is there a way to turn on additional debugging? I'm using isakmpd -K in rc.conf.local, so not using isakmpd.policy/.conf (from my understanding). Everything in /var/log/messages is just from npppd. Unless I'm reading it wrong, there doesn't appear to be any errors.

-----Original Message-----
From: Sterling Archer [mailto:deb...@gmail.com]
Sent: Monday, October 2, 2017 5:35 PM
To: Charles Amstutz <charl...@infinitesys.com>
Cc: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1

On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
> https://marc.info/?l=openbsd-misc=145922338026396=2
> https://marc.info/?l=openbsd-misc=145614573528471=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
> I can get iOS to connect, but I can't get Android 7 to connect. I've read that Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is that it connects just fine to my Windows L2TP server. Bug tracker: https://issuetracker.google.com/issues/37074640#c35
>
> My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.
>
> My questions.
>
> 1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure. https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples.
>
> 2) Every time I read a site that says "this configuration worked for me on Android", it doesn't work for me. I presume it is my lack of understanding, though I'm not ruling out the possible Android bug.
>
> I appreciate any help.
>
> Here is my ipsec.conf (this allows iOS to connect):
>
>     public_ip = "x.x.x.x"
>
>     ike passive esp transport \
>             proto udp from $public_ip to any port 1701 \
>             main auth "hmac-sha1" enc "aes" group modp1024 \
>             quick auth "hmac-sha1" enc "aes" \
>             psk "PSK-GOES-HERE"
>
> Here is my npppd.conf:
>
>     authentication LOCAL type local {
>             users-file "/etc/npppd/npppd-users"
>     }
>
>     tunnel L2TP protocol l2tp {
>             listen on 0.0.0.0
>             listen on ::
>     }
>
>     ipcp IPCP {
>             pool-address 10.0.0.101-10.0.0.254
>             dns-servers x.x.x.x
>     }
>
>     # use pppx(4) interface. use an interface per a ppp session.
>     interface pppx0 address 10.0.0.1 ipcp IPCP
>     bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of aes as encoding in ipsec.conf.

-- 
:wq!
Re: l2tp and openbsd 6.1
On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
> https://marc.info/?l=openbsd-misc=145922338026396=2
> https://marc.info/?l=openbsd-misc=145614573528471=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
> I can get iOS to connect, but I can't get Android 7 to connect. I've read that Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is that it connects just fine to my Windows L2TP server. Bug tracker: https://issuetracker.google.com/issues/37074640#c35
>
> My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.
>
> My questions.
>
> 1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure. https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples.
>
> 2) Every time I read a site that says "this configuration worked for me on Android", it doesn't work for me. I presume it is my lack of understanding, though I'm not ruling out the possible Android bug.
>
> I appreciate any help.
>
> Here is my ipsec.conf (this allows iOS to connect):
>
>     public_ip = "x.x.x.x"
>
>     ike passive esp transport \
>             proto udp from $public_ip to any port 1701 \
>             main auth "hmac-sha1" enc "aes" group modp1024 \
>             quick auth "hmac-sha1" enc "aes" \
>             psk "PSK-GOES-HERE"
>
> Here is my npppd.conf:
>
>     authentication LOCAL type local {
>             users-file "/etc/npppd/npppd-users"
>     }
>
>     tunnel L2TP protocol l2tp {
>             listen on 0.0.0.0
>             listen on ::
>     }
>
>     ipcp IPCP {
>             pool-address 10.0.0.101-10.0.0.254
>             dns-servers x.x.x.x
>     }
>
>     # use pppx(4) interface. use an interface per a ppp session.
>     interface pppx0 address 10.0.0.1 ipcp IPCP
>     bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of aes as encoding in ipsec.conf.

-- 
:wq!
l2tp and openbsd 6.1
Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get Android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc=145922338026396=2
https://marc.info/?l=openbsd-misc=145614573528471=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc

I can get iOS to connect, but I can't get Android 7 to connect. I've read that Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is that it connects just fine to my Windows L2TP server. Bug tracker: https://issuetracker.google.com/issues/37074640#c35

My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.

My questions.

1) Can you have more than one ike line in ipsec.conf? From my presumption of looking at sites on the internet, you can; however, I am not sure. https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples.

2) Every time I read a site that says "this configuration worked for me on Android", it doesn't work for me. I presume it is my lack of understanding, though I'm not ruling out the possible Android bug.

I appreciate any help.

Here is my ipsec.conf (this allows iOS to connect):

    public_ip = "x.x.x.x"

    ike passive esp transport \
            proto udp from $public_ip to any port 1701 \
            main auth "hmac-sha1" enc "aes" group modp1024 \
            quick auth "hmac-sha1" enc "aes" \
            psk "PSK-GOES-HERE"

Here is my npppd.conf:

    authentication LOCAL type local {
            users-file "/etc/npppd/npppd-users"
    }

    tunnel L2TP protocol l2tp {
            listen on 0.0.0.0
            listen on ::
    }

    ipcp IPCP {
            pool-address 10.0.0.101-10.0.0.254
            dns-servers x.x.x.x
    }

    # use pppx(4) interface. use an interface per a ppp session.
    interface pppx0 address 10.0.0.1 ipcp IPCP
    bind tunnel from L2TP authenticated by LOCAL to pppx0