Re: l2tp and openbsd 6.1

2017-10-06 Thread Sterling Archer
On Fri, Oct 6, 2017 at 5:25 PM, Charles Amstutz
<charl...@infinitesys.com> wrote:
> Should've also mentioned this oddity:
>
> So, if the firewall rules are uncommented (where I get the below error)
>
> no IP address found for pppx:network
> /etc/pf.conf:102: could not parse host specification no IP address found for 
> pppx:network
> /etc/pf.conf:103: could not parse host specification no IP address found for 
> pppx:network
> /etc/pf.conf:106: could not parse host specification
>
>
> And reboot, I can't connect. However, if I comment out those lines and then 
> save/reload then uncomment,  I can connect just fine.
>
>
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
> Charles Amstutz
> Sent: Friday, October 6, 2017 10:04 AM
> To: 'misc@openbsd.org' <misc@openbsd.org>
> Subject: Re: l2tp and openbsd 6.1
>
> Hello Noth,
>
>
> "Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."
>
> I did!! I found another article that talked about the group.  After reading 
> this: 
> http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/
>
> However,  I still get this error if I try to reload the firewall and no vpn 
> client is established (thus the pppx group or pppx0 interface doesn't exist 
> yet)... this is the same if I use pppx or pppx0
>
>
> no IP address found for pppx:network
> /etc/pf.conf:102: could not parse host specification no IP address found for 
> pppx:network
> /etc/pf.conf:103: could not parse host specification no IP address found for 
> pppx:network
> /etc/pf.conf:106: could not parse host specification
>
> If I remove :network,  the same errors:
>
> no IP address found for pppx
> /etc/pf.conf:102: could not parse host specification no IP address found for 
> pppx
> /etc/pf.conf:103: could not parse host specification no IP address found for 
> pppx
> /etc/pf.conf:106: could not parse host specification
>
>
> However,  if I comment out those lines, connect, then uncomment out the 
> lines, things work as they should (it appears)
>
> It also seems as if I can't connect if I have those lines uncommented after a 
> reboot.
>
> Many strange things.
>
> Thanks for the help everyone, I'm going to continue to research.


You can't use :network for interface groups like pppx.
If you want to filter on IP or subnet, why don't you just type the actual IP
or subnet in pf.conf?


-- 
:wq!
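The failure Charles describes above (pfctl refusing the whole ruleset because pppx has no address when the rules are loaded) can be caught before pfctl is run. What follows is an added example written for this page, not code from the thread or from OpenBSD: a small pre-flight check that reads a pf.conf and reports every from/to operand that pf would have to turn into addresses at load time. Per pf.conf(5) that is what an unparenthesised interface or group name (pppx, pppx0, pppx:network) or a bare host name is; parenthesised names, macros, tables and literal addresses are left alone. The sample ruleset is constructed for the example; its 192.168.222.0/24 is the npppd pool-address quoted later in this thread.

```python
"""Pre-flight check for pf.conf host specifications that pf resolves at load time.

Example code added for this page (not from the thread or from OpenBSD).
pf.conf(5) resolves host names and unparenthesised interface names, with or
without a modifier such as :network, into addresses when the ruleset is
loaded.  A pppx interface exists only while a session is up, so such an
operand makes pfctl fail ("no IP address found for pppx:network") and the
whole ruleset stays unloaded.  This reports those operands so they can be
replaced with a literal subnet before pfctl runs.  Parenthesised names,
macros, tables and literal addresses are left alone.
"""
import re

NON_HOST_WORDS = {"any", "self", "no-route", "urpf-failed"}
MACRO_DEF_RE = re.compile(r"^\w+\s*=")
IFACE_OR_HOST_RE = re.compile(r"^[a-z][a-z0-9_-]*(:(network|broadcast|peer|0))?$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def load_time_operand(op):
    """True if op is an interface, group or bare host name that pf must
    expand to addresses when the ruleset is loaded."""
    op = op.lstrip("!")
    if op[:1] in ("(", "$", "<"):        # dynamic (runtime), macro, table
        return False
    if op in NON_HOST_WORDS or IPV4_RE.match(op):
        return False
    if op.count(":") > 1:                # IPv6 literal
        return False
    return bool(IFACE_OR_HOST_RE.match(op))


def _operands_after(tokens, i):
    """Host operands following tokens[i] ('from' or 'to'): one word or a
    brace-enclosed list."""
    j = i + 1
    if j < len(tokens) and tokens[j] == "{":
        ops = []
        j += 1
        while j < len(tokens) and tokens[j] != "}":
            ops.append(tokens[j].rstrip(","))
            j += 1
        return [o for o in ops if o]
    return tokens[j:j + 1]


def check_pf_conf(text):
    """[(lineno, operand)] for every from/to operand resolved at load time."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or MACRO_DEF_RE.match(line) or line.startswith(("set ", "table ", "include ")):
            continue
        tokens = line.replace("{", " { ").replace("}", " } ").split()
        for i, tok in enumerate(tokens):
            if tok in ("from", "to"):
                for op in _operands_after(tokens, i):
                    if load_time_operand(op):
                        findings.append((lineno, op))
    return findings


# Constructed sample ruleset modelled on the thread: lines 8 and 9 are the
# shape that fails at load time, the rest is fine.
SAMPLE_PF_CONF = """\
ext_if = "em0"
vpn_net = "192.168.222.0/24"
set skip on lo0
block all
pass out on $ext_if
pass in quick on pppx
pass out quick on pppx
pass in on pppx from pppx:network to any
pass in on pppx from pppx to $vpn_net
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500, 1701 }
pass in on pppx from $vpn_net to any
"""

if __name__ == "__main__":
    for lineno, op in check_pf_conf(SAMPLE_PF_CONF):
        print(f"pf.conf:{lineno}: '{op}' is resolved to addresses at load time")
```

The two flagged lines are exactly the shape that fails in the thread. "pass in quick on pppx" passes the check because "on" names the interface and does not expand to addresses, and replacing the operand with the literal pool subnet, as Sterling suggests, also passes. An unqualified host name is reported too, because pf resolves host names at load time as well.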



Re: l2tp and openbsd 6.1

2017-10-06 Thread Charles Amstutz
Should've also mentioned this oddity:

So, if the firewall rules are uncommented (where I get the below error)

no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification no IP address found for 
pppx:network
/etc/pf.conf:103: could not parse host specification no IP address found for 
pppx:network
/etc/pf.conf:106: could not parse host specification


And reboot, I can't connect. However, if I comment out those lines and then 
save/reload then uncomment,  I can connect just fine.






Re: l2tp and openbsd 6.1

2017-10-06 Thread Charles Amstutz
Hello Noth,


"Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."

I did!! I found another article that talked about the group.  After reading 
this: 
http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

However,  I still get this error if I try to reload the firewall and no vpn 
client is established (thus the pppx group or pppx0 interface doesn't exist 
yet)... this is the same if I use pppx or pppx0


no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

If I remove :network,  the same errors:

no IP address found for pppx
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx
/etc/pf.conf:106: could not parse host specification


However, if I comment out those lines, connect, then uncomment the lines, 
things work as they should (it appears).

It also seems as if I can't connect if I have those lines uncommented after a 
reboot.

Many strange things.  

Thanks for the help everyone, I'm going to continue to research. 


Re: l2tp and openbsd 6.1

2017-10-05 Thread Noth

Try pppx instead of pppx0, it'll work in pf.conf, including as a macro.


On 05/10/17 18:35, Charles Amstutz wrote:

This works as well:

pass in quick on pppx0
pass out quick on pppx0


This doesn't work:

pass in quick on pppx0 from pppx0, as it complains there is no IP. Assigning 
pppx0 to a variable doesn't work either. Neither does setting it to be dynamic.


Re: l2tp and openbsd 6.1

2017-10-05 Thread Noth
5.5, apart from no longer being supported, allows by default for weaker 
ciphers that aren't since 5.9. This was the release that broke android 
6.x/7.x configs if you didn't specify which mod group you wanted.



On 05/10/17 06:51, Vivek Vinod wrote:

I do not understand the question but this may be connected...

My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some 
"guide" without understanding a thing. My iOS, Android and Mac clients connect 
without a hitch. Windows 10 does not.

To get my Windows 10 to work, I have to copy over and install the certificates 
from a previously connected Mac machine's keychain.

In your setup, can you check in your Windows 10 certificate store if the necessary 
certificates (if any) have been installed? If not, try copying the certificates. This is 
Windows 10 behaviour. It may or may not be related to "self signed 
certificates".

Again, I do not understand a thing. Sorry for the noise.

Please excuse my brevity. Sent from my handphone.

Re: l2tp and openbsd 6.1

2017-10-05 Thread Charles Amstutz
This works as well:

pass in quick on pppx0
pass out quick on pppx0


This doesn't work:

pass in quick on pppx0 from pppx0, as it complains there is no IP. Assigning 
pppx0 to a variable doesn't work either. Neither does setting it to be dynamic.



Re: l2tp and openbsd 6.1

2017-10-05 Thread Charles Amstutz
Here is a related but new question,


If pppx0 only exists when someone is vpn'ed in.  How do people handle this in 
pf?  If you don't define rules, packets get blocked on it. But if there is no 
connect, pf complains about pppx0 not having a firewall. 

The only thing that seems to work is set skip on pppx0. But then no rules 
process on it. 


Has anyone run into this? How did you handle it?
 




Re: l2tp and openbsd 6.1

2017-10-05 Thread Vijay Sankar


Quoting lilit-aibolit :


On 05/10/17 09:17, lilit-aibolit wrote:

Hi,
I've just tried your suggestion and IPhone could connect but Windows
gives new errors in log:


##here is Windows attempt
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid  
next payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from  
37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE



I've tested one more time and it seems that
INVALID_PAYLOAD_TYPE means wrong PSK in windows vpn client.

So after correction I was able to establish vpn
both from IPhone, Android and from Windows (at least version 7)
with this ipsec.conf:

ike passive esp transport \
proto udp from a.b.s.d to any port 1701 \
main auth hmac-sha1 enc aes group modp2048 \
quick auth hmac-sha1 enc aes \
psk "psk"

ike passive esp transport \
proto udp from a.b.s.d to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "psk"


Glad that changing the order is working for you.

Yes, for whatever reason, I found IPSec/L2TP works when ike with  
modp2048 is listed first and then modp1024. I read Stuart Henderson's  
email carefully again and think that my suggestion re. the order of  
IKE statements may be wrong. Probably the only reason this works for  
me is because I am not simultaneously trying to connect with both  
Windows and Android clients. Will try to test that this weekend but  
please read his reply in this thread.

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca



Re: l2tp and openbsd 6.1

2017-10-05 Thread lilit-aibolit


On 05/10/17 09:17, lilit-aibolit wrote:

Hi,
I've just tried your suggestion and IPhone could connect but Windows
gives new errors in log:


##here is Windows attempt
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid 
next payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 
port 2715 due to notification type INVALID_PAYLOAD_TYPE



I've tested one more time and it seems that
INVALID_PAYLOAD_TYPE means wrong PSK in windows vpn client.

So after correction I was able to establish vpn
both from IPhone, Android and from Windows (at least version 7)
with this ipsec.conf:

ike passive esp transport \
proto udp from a.b.s.d to any port 1701 \
main auth hmac-sha1 enc aes group modp2048 \
quick auth hmac-sha1 enc aes \
psk "psk"

ike passive esp transport \
proto udp from a.b.s.d to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "psk"



Re: l2tp and openbsd 6.1

2017-10-05 Thread lilit-aibolit

Hi,
I've just tried your suggestion and IPhone could connect but Windows
gives new errors in log:

Oct  5 09:05:44 gw isakmpd[19354]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Oct  5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 logtype=Started RecvSCCRQ 
from=37.73.214.69:57298/udp tunnel_id=6/17 protocol=1.0 winsize=4 
hostname=imuca vendor=(no vendorname) firm=
Oct  5 09:05:46 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPBind 
ppp=5
Oct  5 09:05:49 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELSTART 
user="xxx" duration=3sec layer2=L2TP layer2from=37.73.214.69:57298 
auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  5 09:05:49 gw /bsd: pipex: ppp=5 iface=tun0 protocol=L2TP id=12298 
PIPEX is ready.

Oct  5 09:05:49 gw npppd[10826]: ppp id=5 layer=base Using pipex=yes
Oct  5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 call=12298 logtype=PPPUnbind
Oct  5 09:06:59 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELUSAGE 
user="ppo" duration=72sec layer2=L2TP layer2from=37.73.214.69:57298 
auth=MS-CHAP-V2 data_in=167613bytes,1911packets 
data_out=2819616bytes,2540packets error_in=1 error_out=0 mppe=no iface=tun0

Oct  5 09:06:59 gw npppd[10826]: l2tpd ctrl=6 logtype=Finished

##here is Windows attempt
Oct  5 09:08:16 gw isakmpd[19354]: message_parse_payloads: invalid next 
payload type  in payload of type 5
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 
port 2715 due to notification type INVALID_PAYLOAD_TYPE


After I removed first ike config line with modp2048
then log returned to this:

Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: message_negotiate_sa: no compatible 
proposal found
Oct  5 09:16:08 gw isakmpd[12442]: dropped message from 37.73.208.173 
port 10552 due to notification type NO_PROPOSAL_CHOSEN




On 04/10/17 20:54, Vijay Sankar wrote:


Unfortunately I am not sure if what I am saying is correct or valid 
because maybe this stuff works for me only because I am using older 
versions of Android etc., plus I am using a slightly modified OpenBSD 
5.5 kernel. But you may want to try the following.


The order is important -- doesn't seem to work if modp2048 is listed 
after modp1024. If I do something like


ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"

in the order listed, it works, and it has been working for at least a 
few years. To make sure I am not posting wrong information, I have 
double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7, 
Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.


I will try the same thing with -current and report back to the list if 
it is useful.


Hope this helps.

Vijay
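The isakmpd lines in lilit-aibolit's logs above are the whole story of why the Windows clients fail: each attribute_unacceptable line is one attribute of an offered transform that the server's single "main" proposal does not accept, and NO_PROPOSAL_CHOSEN means no offered transform survived. The script below is an added example for this page, not code from the thread or from OpenBSD. It groups those lines per dropped message (keyed by isakmpd pid and the syslog second) and translates the offered and expected values into ipsec.conf(5) keywords, so the gap maps straight onto the enc/auth/group part of an ike entry. The log excerpt it runs on is constructed from the lines quoted in this thread (an iPhone that got mismatches but still connected, the INVALID_PAYLOAD_TYPE drop lilit traced to a wrong PSK, and the Windows NO_PROPOSAL_CHOSEN drop); the keyword table and the notification hints are my own.

```python
"""Summarise failed IKE phase 1 negotiations from isakmpd(8) log lines.

Example code added for this page (not from the thread or from OpenBSD).
isakmpd logs one attribute_unacceptable line per attribute of an offered
transform that the server's proposal rejects, then drops the message with
NO_PROPOSAL_CHOSEN when no transform matched.  This groups those lines per
dropped message, keyed by isakmpd pid and the syslog second, and maps the
values onto ipsec.conf(5) keywords.
"""
import re
from collections import defaultdict

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
ATTR_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: attribute_unacceptable: "
    r"(?P<attr>[A-Z_0-9]+): got (?P<got>[A-Z0-9_]+), expected (?P<exp>[A-Z0-9_]+)")
DROP_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: dropped message from (?P<peer>\S+) port \d+ "
    r"due to notification type (?P<notify>[A-Z_]+)")

# isakmpd attribute value -> ipsec.conf(5) keyword on the 'main' line (my mapping).
TO_IPSEC_CONF = {
    ("ENCRYPTION_ALGORITHM", "AES_CBC"): "enc aes",
    ("ENCRYPTION_ALGORITHM", "3DES_CBC"): "enc 3des",
    ("HASH_ALGORITHM", "SHA"): "auth hmac-sha1",
    ("HASH_ALGORITHM", "SHA2_256"): "auth hmac-sha2-256",
    ("HASH_ALGORITHM", "SHA2_512"): "auth hmac-sha2-512",
    ("HASH_ALGORITHM", "MD5"): "auth hmac-md5",
    ("GROUP_DESCRIPTION", "MODP_1024"): "group modp1024",
    ("GROUP_DESCRIPTION", "MODP_1536"): "group modp1536",
    ("GROUP_DESCRIPTION", "MODP_2048"): "group modp2048",
}

# What each notification meant in this thread (assumed hints, not isakmpd text).
NOTIFY_HINT = {
    "NO_PROPOSAL_CHOSEN": "no 'ike ... main' entry accepts any transform the peer offered",
    "INVALID_PAYLOAD_TYPE": "message could not be parsed; in this thread caused by a wrong PSK on the client",
}


def keyword(attr, value):
    """ipsec.conf keyword for an isakmpd attribute value (lower-cased fallback)."""
    return TO_IPSEC_CONF.get((attr, value), f"{attr.lower()} {value.lower()}")


def _stamp(line):
    m = TS_RE.match(line)
    return m["ts"] if m else None


def dropped_messages(log_lines):
    """One record per 'dropped message' line:
    {'peer', 'notify', 'hint', 'offered': {attr: [values]}, 'expected': {attr: value}}.
    attribute_unacceptable lines count toward a drop only if they come from the
    same isakmpd process within the same syslog second; mismatches never followed
    by a drop (a client whose later transform was accepted) are discarded."""
    pending = {}
    records = []
    for line in log_lines:
        ts = _stamp(line)
        m = ATTR_RE.search(line)
        if m:
            rec = pending.get(m["pid"])
            if rec is None or rec["ts"] != ts:
                rec = pending[m["pid"]] = {"ts": ts, "offered": defaultdict(set), "expected": {}}
            rec["offered"][m["attr"]].add(m["got"])
            rec["expected"][m["attr"]] = m["exp"]
            continue
        m = DROP_RE.search(line)
        if m:
            rec = pending.pop(m["pid"], None)
            if rec is None or rec["ts"] != ts:
                rec = {"offered": {}, "expected": {}}
            records.append({
                "peer": m["peer"],
                "notify": m["notify"],
                "hint": NOTIFY_HINT.get(m["notify"], "see isakmpd(8)"),
                "offered": {a: sorted(v) for a, v in rec["offered"].items()},
                "expected": dict(rec["expected"]),
            })
    return records


def candidate_keywords(record):
    """ipsec.conf keywords for everything the peer offered that was rejected,
    i.e. what an additional 'ike' entry would have to contain to be tried."""
    return [keyword(a, v) for a in sorted(record["offered"]) for v in record["offered"][a]]


def report(log_lines):
    """Human-readable summary, one block per dropped message."""
    out = []
    for r in dropped_messages(log_lines):
        out.append(f"{r['peer']}: {r['notify']} ({r['hint']})")
        for attr in sorted(r["expected"]):
            out.append(f"  {attr}: server expects {keyword(attr, r['expected'][attr])}, "
                       f"peer offered {', '.join(keyword(attr, v) for v in r['offered'][attr])}")
    return "\n".join(out)


# Constructed excerpt modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Oct  5 09:08:16 gw isakmpd[19354]: dropped message from 37.73.208.173 port 2715 due to notification type INVALID_PAYLOAD_TYPE
Oct  5 09:15:02 gw isakmpd[12442]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  5 09:15:02 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  5 09:15:05 gw npppd[10826]: ppp id=5 layer=base logtype=TUNNELSTART user="xxx" layer2=L2TP iface=tun0
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  5 09:16:08 gw isakmpd[12442]: message_negotiate_sa: no compatible proposal found
Oct  5 09:16:08 gw isakmpd[12442]: dropped message from 37.73.208.173 port 10552 due to notification type NO_PROPOSAL_CHOSEN
""".splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

isakmpd does not log how the offered attributes were grouped into transforms, so the keywords this prints are the candidates to try in an additional ike entry (the fix that worked in this thread was a second entry with group modp2048), not a proven working line. The iPhone's mismatches at 09:15:02 are deliberately dropped from the report because no NO_PROPOSAL_CHOSEN followed them: a later transform in its proposal was accepted.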




Re: l2tp and openbsd 6.1

2017-10-04 Thread Vivek Vinod
I do not understand the question but this may be connected...

My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some 
"guide" without understanding a thing. My iOS, Android and Mac clients connect 
without a hitch. Windows 10 does not. 

To get my Windows 10 to work, I have to copy over and install the certificates 
from a previously connected Mac machine's keychain. 

In your setup, can you check in your Windows 10 certificate store if the 
necessary certificates (if any) have been installed? If not, try copying the 
certificates. This is Windows 10 behaviour. It may or may not be related to 
"self signed certificates".

Again, I do not understand a thing. Sorry for the noise.

Please excuse my brevity. Sent from my handphone.

Re: l2tp and openbsd 6.1

2017-10-04 Thread Vijay Sankar



Re: l2tp and openbsd 6.1

2017-10-04 Thread Charles Amstutz
Yes,

I would like to know this as well, it seems annoying that Android 8/4.x and 
iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and 
Android 7.

It's either a user error (which I am willing to admit) or something very 
annoying. Especially when my l2tp PSK Windows server can accept connections 
from anything it seems. 

I would like to get this figured out. 

I appreciate all of the suggestions, but I still can't get android 7 to 
connect, no matter which encryption, authentication or modp I use.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: misc@openbsd.org
Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
Subject: Re: l2tp and openbsd 6.1

Hi,
with l2tp I have situation when iOS  and Android devices could connect but 
Windows 7 and Windows 10 couldn't.

Is it possible to adjust ipsec.conf somehow so it could accept connection from 
Windows clients too?
Or is there a way to adjust some settings in Windows so it will work with 
current ipsec.conf?

I also noticed that I have to add pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
proto udp from a.b.x.y to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "password"

Here is npppd.conf:
authentication LOCAL type local {
     users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
     listen on x.x.y.y
}
ipcp IPCP {
     pool-address 192.168.222.2-192.168.222.254
     dns-servers 192.168.a.b
}
interface tun0  address 192.168.222.1 ipcp IPCP bind tunnel from L2TP 
authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from IPhone6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from IPhone4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES

Re: l2tp and openbsd 6.1

2017-10-04 Thread lilit-aibolit

Hi,
with l2tp I have a situation where iOS and Android devices could connect
but Windows 7 and Windows 10 couldn't.

Is it possible to adjust ipsec.conf somehow so it could accept
connections from Windows clients too?
Or is there a way to adjust some settings in Windows so it
will work with the current ipsec.conf?

I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
proto udp from a.b.x.y to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "password"

Here is npppd.conf:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on x.x.y.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.a.b
}
interface tun0  address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ 
from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 
hostname=anonymous vendor=(no vendorname) firm=
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind 
ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART 
user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 
auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 
PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from IPhone6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ 
from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 
hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind 
ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART 
user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 
auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 
PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from IPhone4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ 
from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 
hostname=xxx vendor=(no vendorname) firm=
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind 
ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART 
user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 
auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 
PIPEX is ready.


And unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible 
proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 
port 16884 due to notification type NO_PROPOSAL_CHOSEN


On 02/10/17 23:03, Charles Amstutz wrote:

Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
knowledge).  After searching the previous forum posts (and the internet) I have 
found a lot of information on l2tp ipsec.conf connection strings. However, I 
can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
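
The isakmpd lines quoted in the post above can be read mechanically. The following Python script is an added example, not code from the thread or from OpenBSD: it rejoins syslog lines that the mail client wrapped, collects every `attribute_unacceptable` entry, and reports per IKE attribute what the peers offered versus what the responder's ipsec.conf transforms expected, plus which peers ended in NO_PROPOSAL_CHOSEN. The sample log is constructed from the Win7 and iPhone 6s lines in the post; the regexes assume the syslog layout shown there. One caveat the summary makes explicit: isakmpd logs only the attributes it rejected, so a peer with mismatches can still connect on another proposal (the iPhone did); only the NO_PROPOSAL_CHOSEN drop marks a peer that found nothing acceptable.

```python
"""Summarise isakmpd(8) IKEv1 proposal mismatches from pasted syslog text."""
import re
from collections import defaultdict

# Mail clients wrap long syslog lines.  A continuation line does not start
# with a syslog timestamp such as "Oct  4 10:12:37", so it is glued back
# onto the line before it.
_TS = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")
_ATTR = re.compile(
    r"isakmpd\[\d+\]: attribute_unacceptable:\s*"
    r"(?P<attr>[A-Z_]+): got (?P<got>\S+), expected (?P<exp>\S+)"
)
_DROP = re.compile(
    r"isakmpd\[\d+\]: dropped message from (?P<peer>\S+) port \d+ "
    r"due to notification type (?P<notify>\S+)"
)

# Constructed sample: the iPhone 6s and Win7 lines quoted in the post,
# wrapped the way they arrived in the mail.
SAMPLE_LOG = """\
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible
proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134
port 16884 due to notification type NO_PROPOSAL_CHOSEN
"""


def unwrap(text):
    """Rejoin syslog lines that a mail client wrapped; drop blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line
    return out


def parse(text):
    """Return (mismatches, drops) as lists of tuples.

    mismatches: (timestamp, attribute, offered, expected)
    drops:      (timestamp, peer, notification)
    """
    mismatches, drops = [], []
    for line in unwrap(text):
        ts = line[:15]
        m = _ATTR.search(line)
        if m:
            mismatches.append((ts, m["attr"], m["got"], m["exp"]))
            continue
        m = _DROP.search(line)
        if m:
            drops.append((ts, m["peer"], m["notify"]))
    return mismatches, drops


def summarize(text):
    """Per attribute, the values peers offered that isakmpd refused and what
    it expected, plus the peers whose exchange ended in NO_PROPOSAL_CHOSEN.

    isakmpd logs only rejected attributes.  A proposal that matched produces
    no line, so a peer listed under 'offered' may still have connected on a
    later proposal; only a NO_PROPOSAL_CHOSEN drop means nothing matched.
    """
    offered, expected = defaultdict(set), defaultdict(set)
    mismatches, drops = parse(text)
    for _, attr, got, exp in mismatches:
        offered[attr].add(got)
        expected[attr].add(exp)
    return {
        "offered": {k: sorted(v) for k, v in offered.items()},
        "expected": {k: sorted(v) for k, v in expected.items()},
        "rejected_peers": sorted(
            {peer for _, peer, notify in drops if notify == "NO_PROPOSAL_CHOSEN"}
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for attr in sorted(report["offered"]):
        print(f"{attr}: offered {report['offered'][attr]}, "
              f"responder expects {report['expected'][attr]}")
    print("peers rejected with NO_PROPOSAL_CHOSEN:", report["rejected_peers"])
```

Feed it the output of `grep isakmpd /var/log/daemon` (where the debug-flag output from later in the thread also lands) and the `offered` sets tell you which transforms a client is asking for before you start changing the `main` and `quick` lines in ipsec.conf; the page does not show which combination finally satisfies Windows, so that remains something to confirm against the log after each change.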

Re: l2tp and openbsd 6.1

2017-10-03 Thread Noth
The problem is that Android 6.x/7.x need to be rooted to change their 
ipsec settings to allow for higher encryption. The following works on 
those OSes:


cat ipsec.conf:

ike passive esp transport \
    proto udp from "publicip" to any port l2tp \
    main group "modp1024" \
    quick group "modp1024" \
    psk "yourpass"

It's bad, but what can you do? Google won't deal with it, and the 
vendors claim it would break current solutions. I've seen in debug that 
after a few tries Android would give the right aes2-256 keying but by 
then isakmpd was having none of it...


Cheers,

Noth


On 03/10/17 00:49, Charles Amstutz wrote:

Hello Sterling,

Thanks for the response. I changed it to

ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth "hmac-sha1" enc "aes-256" group modp1024\
quick auth "hmac-sha1" enc "aes-256" \
PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using aes).   I am 
dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't 
a potential pf problem I guess. However, if IOS and android 8 would connect, I 
would think that would rule out a pf problem?

Is there a way to turn on additional debugging?  I'm using isakmpd -K in 
rc.conf.local, so not using isakmpd.policy/.conf  (from my understanding)
Everything in /var/log/messages is just from npppd. Unless I'm reading it 
wrong, there doesn't appear to be any errors.



-Original Message-
From: Sterling Archer [mailto:deb...@gmail.com]
Sent: Monday, October 2, 2017 5:35 PM
To: Charles Amstutz <charl...@infinitesys.com>
Cc: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1

On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> 
wrote:

Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
knowledge).  After searching the previous forum posts (and the internet) I have 
found a lot of information on l2tp ipsec.conf connection strings. However, I 
can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-andro
id-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openb
sd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-
ios-and-osx/
https://marc.info/?l=openbsd-misc=145922338026396=2
https://marc.info/?l=openbsd-misc=145614573528471=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc


I can get IOS to connect, but I can't get android 7 to connect.  I've
read that android has bugs with the vpn client in 6.x and 7.x (not
sure if it is fixed in 8 or not). However, what is confusing is it
connects just fine to my Windows l2tp server.  Bug tracker:
https://issuetracker.google.com/issues/37074640#c35


My goal: Setup openbsd to work with IOS/android/windows/whatever.

My questions.


1)  Can you have more than one ike line in ipsec.conf? from my presumption 
of looking at sites on the internet, you can, however, I am not sure.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
it is just two examples


2)  Every time I read a site that says, "this configuration worked for me on 
android", it doesn't work for me. I presume it is my lack of understanding, though, 
I'm not ruling out the possible android bug.


I appreciate any help.



Here is my ipsec.conf (this allows IOS to connect)

public_ip = "x.x.x.x"

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes" group modp1024 \
   quick auth "hmac-sha1" enc "aes" \
   psk "PSK-GOES-HERE"

Here is my npppd.conf

authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
    listen on ::
}

ipcp IPCP {
    pool-address 10.0.0.101-10.0.0.254
    dns-servers x.x.x.x
}

# use pppx(4) interface.  use an interface per a ppp session.
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of aes as 
encoding in ipsec.conf.

--
:wq!





Re: l2tp and openbsd 6.1

2017-10-02 Thread Vijay Sankar


Quoting Stuart Henderson :


On 2017-10-02, Charles Amstutz  wrote:

Hello Sterling,

Thanks for the response. I changed it to

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes-256" group modp1024\
   quick auth "hmac-sha1" enc "aes-256" \
   PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using  
aes).   I am dumping pflog0 and seeing no blocks. However, that  
doesn't mean it still isn't a potential pf problem I guess.  
However, if IOS and android 8 would connect, I would think that  
would rule out a pf problem?


Is there a way to turn on additional debugging?  I'm using isakmpd  
-K in rc.conf.local, so not using isakmpd.policy/.conf  (from my  
understanding)
Everything in /var/log/messages is just from npppd. Unless I'm  
reading it wrong, there doesn't appear to be any errors.


I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30
-D8=30 -D9=30 -D10=20" in rc.conf.local as a general-purpose debugging
config, then if there's a particular area I look at isakmpd source to
see if I need to bump one of them up a little. These end up in
/var/log/daemon (or start it by hand to run in the foreground
using -d).

1)  Can you have more than one ike line in ipsec.conf? from my  
presumption of looking at sites on the internet, you can, however,  
I am not sure.


You can, *but* only one "default peer" ("to any" line) will take effect.


https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
it is just two examples


That site makes it look like you can use the two, but it won't work  
like that.

One config will override the other.


I don't know about Android 8 but have been able to use iPhones as well  
as Android tablets with the following on an older version of OpenBSD.  
Hope this is helpful and not sending the OP in the wrong direction.


In npppd.conf, I am using

interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

instead of

interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

and in pf.conf, I have

pass in quick on tun0 inet proto tcp from 10.0.0.0/24







--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca



Re: l2tp and openbsd 6.1

2017-10-02 Thread Stuart Henderson
On 2017-10-02, Charles Amstutz  wrote:
> Hello Sterling,
>
> Thanks for the response. I changed it to 
>
> ike passive esp transport \
>proto udp from $public_ip to any port 1701 \
>main auth "hmac-sha1" enc "aes-256" group modp1024\
>quick auth "hmac-sha1" enc "aes-256" \
>PSK "PSK-GOES-HERE"
>
> and still no luck. I found out that Android 8 will connect (using aes).   I 
> am dumping pflog0 and seeing no blocks. However, that doesn't mean it still 
> isn't a potential pf problem I guess. However, if IOS and android 8 would 
> connect, I would think that would rule out a pf problem? 
>
> Is there a way to turn on additional debugging?  I'm using isakmpd -K in 
> rc.conf.local, so not using isakmpd.policy/.conf  (from my understanding) 
> Everything in /var/log/messages is just from npppd. Unless I'm reading it 
> wrong, there doesn't appear to be any errors. 

I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30
-D8=30 -D9=30 -D10=20" in rc.conf.local as a general-purpose debugging
config, then if there's a particular area I look at isakmpd source to
see if I need to bump one of them up a little. These end up in
/var/log/daemon (or start it by hand to run in the foreground
using -d).

>> 1)  Can you have more than one ike line in ipsec.conf? from my 
>> presumption of looking at sites on the internet, you can, however, I am not 
>> sure.

You can, *but* only one "default peer" ("to any" line) will take effect.

>> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless 
>> it is just two examples

That site makes it look like you can use the two, but it won't work like that.
One config will override the other.
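
A quick check for the pitfall described in the reply above, as an added example (not code from the thread or from OpenBSD): the script joins backslash-continued lines, expands `name = "value"` macros, lists every `ike` rule with its peer (the explicit `peer` address if given, otherwise the `to` address) and returns the rules whose peer is `any`. More than one such rule means only one of them will take effect. The sample config is constructed from the two ipsec.conf variants posted in this thread, and the parser covers only the keywords those configs use; the comment stripping is deliberately naive (a `#` inside a quoted psk would be cut).

```python
"""Flag more than one default-peer ('to any') ike rule in an ipsec.conf(5)."""
import re

_MACRO = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
_PEER = re.compile(r"\bpeer\s+(\S+)")
_DST = re.compile(r"\bto\s+(\S+)")

# Constructed sample modelled on the configs posted in this thread: the
# "aes" rule, the "aes-256" rule, and one rule with an explicit peer.
SAMPLE_CONF = '''\
public_ip = "192.0.2.1"

ike passive esp transport \\
    proto udp from $public_ip to any port 1701 \\
    main auth "hmac-sha1" enc "aes" group modp1024 \\
    quick auth "hmac-sha1" enc "aes" \\
    psk "PSK-GOES-HERE"

# second rule with the default peer: only one of the two takes effect
ike passive esp transport \\
    proto udp from $public_ip to any port 1701 \\
    main auth "hmac-sha1" enc "aes-256" group modp1024 \\
    quick auth "hmac-sha1" enc "aes-256" \\
    psk "PSK-GOES-HERE"

# explicit peer: not a default peer
ike esp from 10.0.0.0/24 to 10.1.0.0/24 peer 203.0.113.5 psk "other"
'''


def logical_lines(text):
    """Strip comments, join backslash-continued lines, collapse whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # naive: cuts a '#' inside quotes too
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():  # file ended inside a continuation
        out.append(" ".join(buf.split()))
    return out


def expand_macros(lines):
    """Record name = "value" macros and substitute $name in later lines."""
    macros, out = {}, []
    for line in lines:
        m = _MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        out.append(line)
    return out


def ike_rules(text):
    """Return [(rule, peer)] for each ike rule.

    The peer is the explicit 'peer' address when present, otherwise the
    'to' address; a peer of 'any' is the default peer.
    """
    rules = []
    for line in expand_macros(logical_lines(text)):
        if not line.startswith("ike "):
            continue
        m = _PEER.search(line) or _DST.search(line)
        rules.append((line, m.group(1) if m else "?"))
    return rules


def default_peer_rules(text):
    """The ike rules whose peer is 'any'; more than one is the pitfall."""
    return [rule for rule, peer in ike_rules(text) if peer == "any"]


if __name__ == "__main__":
    dflt = default_peer_rules(SAMPLE_CONF)
    print(f"{len(dflt)} default-peer ike rule(s)")
    if len(dflt) > 1:
        print("WARNING: only one 'to any' ike rule takes effect; merge them")
```

Run it over /etc/ipsec.conf before `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -n -f /etc/ipsec.conf` will only tell you the file parses, not that a second default-peer rule is being ignored.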




Re: l2tp and openbsd 6.1

2017-10-02 Thread Charles Amstutz
Hello Sterling,

Thanks for the response. I changed it to 

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes-256" group modp1024\
   quick auth "hmac-sha1" enc "aes-256" \
   PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using aes).   I am 
dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't 
a potential pf problem I guess. However, if IOS and android 8 would connect, I 
would think that would rule out a pf problem? 

Is there a way to turn on additional debugging?  I'm using isakmpd -K in 
rc.conf.local, so not using isakmpd.policy/.conf  (from my understanding) 
Everything in /var/log/messages is just from npppd. Unless I'm reading it 
wrong, there doesn't appear to be any errors. 



-Original Message-
From: Sterling Archer [mailto:deb...@gmail.com] 
Sent: Monday, October 2, 2017 5:35 PM
To: Charles Amstutz <charl...@infinitesys.com>
Cc: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1

On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> 
wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
> knowledge).  After searching the previous forum posts (and the internet) I 
> have found a lot of information on l2tp ipsec.conf connection strings. 
> However, I can't get android to connect. I keep getting IKE negotiation 
> failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-andro
> id-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openb
> sd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-
> ios-and-osx/
> https://marc.info/?l=openbsd-misc=145922338026396=2
> https://marc.info/?l=openbsd-misc=145614573528471=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
>
> I can get IOS to connect, but I can't get android 7 to connect.  I've 
> read that android has bugs with the vpn client in 6.x and 7.x (not 
> sure if it is fixed in 8 or not). However, what is confusing is it 
> connects just fine to my Windows l2tp server.  Bug tracker: 
> https://issuetracker.google.com/issues/37074640#c35
>
>
> My goal: Setup openbsd to work with IOS/android/windows/whatever.
>
> My questions.
>
>
> 1)  Can you have more than one ike line in ipsec.conf? from my 
> presumption of looking at sites on the internet, you can, however, I am not 
> sure.
>
> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless 
> it is just two examples
>
>
> 2)  Every time I read a site that says, "this configuration worked for me 
> on android", it doesn't work for me. I presume it is my lack of 
> understanding, though, I'm not ruling out the possible android bug.
>
>
> I appreciate any help.
>
>
>
> Here is my ipsec.conf (this allows IOS to connect)
>
> public_ip = "x.x.x.x"
>
> ike passive esp transport \
>   proto udp from $public_ip to any port 1701 \
>   main auth "hmac-sha1" enc "aes" group modp1024 \
>   quick auth "hmac-sha1" enc "aes" \
>   psk "PSK-GOES-HERE"
>
> Here is my npppd.conf
>
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
>
> tunnel L2TP protocol l2tp {
>     listen on 0.0.0.0
>     listen on ::
> }
>
> ipcp IPCP {
>     pool-address 10.0.0.101-10.0.0.254
>     dns-servers x.x.x.x
> }
>
> # use pppx(4) interface.  use an interface per a ppp session.
> interface pppx0 address 10.0.0.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of aes as 
encoding in ipsec.conf.

--
:wq!



Re: l2tp and openbsd 6.1

2017-10-02 Thread Sterling Archer
On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz
 wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
> knowledge).  After searching the previous forum posts (and the internet) I 
> have found a lot of information on l2tp ipsec.conf connection strings. 
> However, I can't get android to connect. I keep getting IKE negotiation 
> failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
> https://marc.info/?l=openbsd-misc=145922338026396=2
> https://marc.info/?l=openbsd-misc=145614573528471=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
>
> I can get IOS to connect, but I can't get android 7 to connect.  I've read 
> that android has bugs with the vpn client in 6.x and 7.x (not sure if it is 
> fixed in 8 or not). However, what is confusing is it connects just fine
> to my Windows l2tp server.  Bug tracker: 
> https://issuetracker.google.com/issues/37074640#c35
>
>
> My goal: Setup openbsd to work with IOS/android/windows/whatever.
>
> My questions.
>
>
> 1)  Can you have more than one ike line in ipsec.conf? from my 
> presumption of looking at sites on the internet, you can, however, I am not 
> sure.
>
> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is 
> just two examples
>
>
> 2)  Every time I read a site that says, "this configuration worked for me 
> on android", it doesn't work for me. I presume it is my lack of 
> understanding, though, I'm not ruling out the possible android bug.
>
>
> I appreciate any help.
>
>
>
> Here is my ipsec.conf (this allows IOS to connect)
>
> public_ip = "x.x.x.x"
>
> ike passive esp transport \
>   proto udp from $public_ip to any port 1701 \
>   main auth "hmac-sha1" enc "aes" group modp1024 \
>   quick auth "hmac-sha1" enc "aes" \
>   psk "PSK-GOES-HERE"
>
> Here is my npppd.conf
>
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
>
> tunnel L2TP protocol l2tp {
>     listen on 0.0.0.0
>     listen on ::
> }
>
> ipcp IPCP {
>     pool-address 10.0.0.101-10.0.0.254
>     dns-servers x.x.x.x
> }
>
> # use pppx(4) interface.  use an interface per a ppp session.
> interface pppx0 address 10.0.0.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of
aes as encoding in ipsec.conf.

-- 
:wq!



l2tp and openbsd 6.1

2017-10-02 Thread Charles Amstutz
Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
knowledge).  After searching the previous forum posts (and the internet) I have 
found a lot of information on l2tp ipsec.conf connection strings. However, I 
can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc=145922338026396=2
https://marc.info/?l=openbsd-misc=145614573528471=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc


I can get IOS to connect, but I can't get android 7 to connect.  I've read that 
android has bugs with the vpn client in 6.x and 7.x (not sure if it is fixed in 
8 or not). However, what is confusing is it connects just fine
to my Windows l2tp server.  Bug tracker: 
https://issuetracker.google.com/issues/37074640#c35


My goal: Setup openbsd to work with IOS/android/windows/whatever.

My questions.


1)  Can you have more than one ike line in ipsec.conf? from my presumption 
of looking at sites on the internet, you can, however, I am not sure.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is 
just two examples


2)  Every time I read a site that says, "this configuration worked for me 
on android", it doesn't work for me. I presume it is my lack of understanding, 
though, I'm not ruling out the possible android bug.


I appreciate any help.



Here is my ipsec.conf (this allows IOS to connect)

public_ip = "x.x.x.x"

ike passive esp transport \
  proto udp from $public_ip to any port 1701 \
  main auth "hmac-sha1" enc "aes" group modp1024 \
  quick auth "hmac-sha1" enc "aes" \
  psk "PSK-GOES-HERE"

Here is my npppd.conf

authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
    listen on ::
}

ipcp IPCP {
    pool-address 10.0.0.101-10.0.0.254
    dns-servers x.x.x.x
}

# use pppx(4) interface.  use an interface per a ppp session.
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0