Re: npppd l2tp/ipsec - openbsd client

2013-11-22 Thread haris
Hi,

first of all, thanks @sthen for your answer (OP has no net access atm).

We are at the point where the clients get an IP (windows/linux/OpenBSD) and
traffic is passing through the server as expected.

There is a very strange problem with the ssh service though. While internet
traffic is being routed as expected, when we try to ssh, we can't connect
(from OpenBSD clients) to any server.

[..snip..]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

and it just hangs there.

Test time with windows, and with PuTTY, there is absolutely no problem. I can
connect anywhere with absolutely no problem. At this point, I went with the
crazy idea to try PuTTY on OpenBSD. And ssh with PuTTY works... We can't get
our heads around this problem and why this is happening.

## pf.conf @ server ##
NIC=interface
set skip on {lo0}
block           # block stateless traffic
pass            # establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block in on vic0
#vpn
extip=ip
pass in quick inet proto tcp from any to $NIC port {ports} flags S/SA keep state
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500} keep state
pass quick on enc0 from any to any keep state (if-bound)
pass out quick on egress inet from 10.0.10.0/24 to any nat-to (egress:0)
pass out on vic0


Does anyone have a solution to this problem?

Thanks.

--
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: npppd l2tp/ipsec - openbsd client

2013-11-22 Thread Jeff Goettsch
What does /etc/ssh/ssh_config look like on the OpenBSD client?

-- 
Jeff Goettsch
Agricultural and Resource Economics
University of California, Davis
http://agecon.ucdavis.edu/

On Fri, November 22, 2013 6:52 am, haris wrote:
> Hi,
>
> first of all, thanks @sthen for your answer (OP has no net access atm).
>
> We are at the point where the clients get an IP (windows/linux/OpenBSD) and
> traffic is passing through the server as expected.
>
> There is a very strange problem with the ssh service though. While internet
> traffic is being routed as expected, when we try to ssh, we can't connect
> (from OpenBSD clients) to any server.
>
>   [..snip..]
>   debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
>   debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>
> and it just hangs there.
>
> Test time with windows, and with PuTTY, there is absolutely no problem. I can
> connect anywhere with absolutely no problem. At this point, I went with the
> crazy idea to try PuTTY on OpenBSD. And ssh with PuTTY works... We can't get
> our heads around this problem and why this is happening.
>
>   ## pf.conf @ server ##
> NIC=interface
> set skip on {lo0}
> block           # block stateless traffic
> pass            # establish keep-state
> block in on ! lo0 proto tcp to port 6000:6010
> block in on vic0
> #vpn
> extip=ip
> pass in quick inet proto tcp from any to $NIC port {ports} flags S/SA keep state
> pass quick proto { esp, ah } from any to any
> pass in quick on egress proto udp from any to any port {500, 4500} keep state
> pass quick on enc0 from any to any keep state (if-bound)
> pass out quick on egress inet from 10.0.10.0/24 to any nat-to (egress:0)
> pass out on vic0
>
>
> Does anyone have a solution to this problem?
>
> Thanks.
>
> --
> A: Because we read from top to bottom, left to right.
> Q: Why should I start my reply below the quoted text?
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?




Re: npppd l2tp/ipsec - openbsd client

2013-11-22 Thread haris
On Fri, Nov 22, 2013 at 06:41:37PM +0200, Jeff Goettsch wrote:
> What does /etc/ssh/ssh_config look like on the OpenBSD client?

The file is the default that comes with OpenBSD. No change there...

--
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: npppd l2tp/ipsec - openbsd client

2013-11-22 Thread Stuart Henderson
On 2013-11-22, haris ha...@2f30.org wrote:
> Hi,
>
> first of all, thanks @sthen for your answer (OP has no net access atm).
>
> We are at the point where the clients get an IP (windows/linux/OpenBSD) and
> traffic is passing through the server as expected.
>
> There is a very strange problem with the ssh service though. While internet
> traffic is being routed as expected, when we try to ssh, we can't connect
> (from OpenBSD clients) to any server.

This is very likely to be an MTU problem. Packets of certain sizes get
through OK but packets larger than a certain size won't make it through.
This is hitting OpenSSH rather than PuTTY because, with default settings,
OpenSSH's negotiation packets are larger than PuTTY's (more options,
more ciphers, etc).

If you connect with PuTTY and start sending a bunch of bulk data over
the connection (cat a large file or something), I am pretty sure that
will stall too.

Things you can try to fix it:

- lower MTU on the ppp interface 

- tcp-mss-adjust yes in npppd

- pf match ... scrub (max-mss $somevalue)
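A way to pin down the size at which the tunnel starts dropping packets, written as an added example for this thread (it is not code from the thread, nor from npppd or xl2tpd): it bisects the largest IPv4 datagram that crosses the path with the Don't-Fragment bit set and derives the TCP MSS that fits inside it. It assumes OpenBSD's ping(8) flags (-D for DF, -s for payload size, -c for count, -w for the wait) and a host reachable on the far side of the tunnel; the file name mtuprobe.sh and the choice of tun0 in the printed pf rule are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find the largest IPv4 datagram that
# crosses a path unfragmented (here, the L2TP/IPsec tunnel) and turn it into
# the TCP MSS value to clamp with npppd's tcp-mss-adjust or pf's max-mss.
#
# Assumes OpenBSD ping(8): -D sets the Don't-Fragment bit, -s is the ICMP
# payload size, -c 1 sends one probe, -w 2 waits at most two seconds.
# (Linux ping spells DF as "-M do"; adjust probe() there.)

# probe PAYLOAD HOST: succeed if one DF-marked echo of PAYLOAD bytes is answered.
probe() {
    ping -D -c 1 -w 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LO] [HI]: print the largest datagram size in [LO, HI]
# that gets through. A datagram is the ICMP payload plus 28 bytes of IP and
# ICMP headers. Returns 1 if even LO-sized probes get no reply.
find_path_mtu() {
    host=$1
    lo=${2:-576}      # every IPv4 host must accept 576-byte datagrams
    hi=${3:-1500}     # Ethernet MTU; nothing bigger is expected here

    probe $((lo - 28)) "$host" || return 1

    # Invariant: a datagram of size $lo gets through; $hi is still unknown.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe $((mid - 28)) "$host"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    # hi is never probed inside the loop, so check it once (the path may be clean).
    if probe $((hi - 28)) "$host"; then
        lo=$hi
    fi
    echo "$lo"
}

# mss_for_mtu MTU: TCP MSS that fits in MTU alongside 20-byte IPv4 and TCP headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 host-beyond-the-tunnel" >&2; return 2; }
    mtu=$(find_path_mtu "$1") || {
        echo "no reply even to 576-byte probes; check routing first" >&2
        return 1
    }
    echo "path MTU towards $1: $mtu"
    echo "clamp to: match on tun0 scrub (max-mss $(mss_for_mtu "$mtu"))"
}

# Run main only when executed as a script, so the functions can also be sourced.
case "$0" in
    *mtuprobe.sh) main "$@" ;;
esac
```

Run it from the OpenBSD client while the tunnel is up, pointing at the server's tunnel address (10.0.10.1 in the npppd.conf posted earlier in this thread). The printed datagram size is the number behind all three fixes listed above: set the ppp-side MTU to it, let npppd rewrite the MSS with tcp-mss-adjust, or clamp in pf with the printed max-mss value (40 bytes below the MTU for IPv4).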



Re: npppd l2tp/ipsec - openbsd client

2013-11-20 Thread Stuart Henderson
On 2013-11-20, anon ymous ramrunner0...@gmail.com wrote:
> Hello list!
> If anyone could shed some light on the following I would be thankful..
> I have 2 5.4-current boxes, one acting as an npppd server over ipsec
> and the other one wishing to be a client.
> My understanding is that to accomplish that the client needs
> to use xl2tpd from ports.
> The problem is that although linux and windows clients connect
> ok with the same setup, I can't get the openbsd client to connect.

I ported xl2tpd - fwiw I've only tested it against Firebrick's l2tp
implementation which does not use IPsec, so I don't know if anything special
is needed for this.

> tunnel L2TP_ipv4 protocol l2tp {
>     listen on 0.0.0.0
>     l2tp-accept-dialin yes
>     authentication-method mschapv2
>     pipex yes
> }

Here you only accept mschapv2 authentication.

> The problem is that, as we see from the logs, the obsd client refuses
> to cope with mschap-v2 and various options from that last file.

Mackerras' pppd has new mschap code which supports mschap-v2; this was added
in 2003, but unfortunately the last release with code for all arches other
than Solaris/Linux was pppd-2.3.11 in 1999. I've looked at trying to update
pppd before but it was a bit much for me..

> If we remove all the offending options we end up with "no authentication
> protocols are agreeable" in the npppd logs. Ideas? Suggestions for other
> approaches??

You could try telling npppd to accept chap (not mschap), and tell pppd to
use that..



npppd l2tp/ipsec - openbsd client

2013-11-19 Thread anon ymous
Hello list!
If anyone could shed some light on the following I would be thankful..
I have 2 5.4-current boxes, one acting as an npppd server over ipsec
and the other one wishing to be a client.
My understanding is that to accomplish that the client needs
to use xl2tpd from ports.
The problem is that although linux and windows clients connect
ok with the same setup, I can't get the openbsd client to connect.

server /etc/ipsec.conf:
local_ip=A.B.C.D
ike passive esp transport proto udp from $local_ip to any port 1701 \
 main auth hmac-sha enc aes group modp2048 \
 quick auth hmac-sha enc aes \
 psk x

obsd client /etc/ipsec.conf:
remote_ip=A.B.C.D
local_ip=E.F.G.H
ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
 main auth hmac-sha enc aes group modp2048 \
 quick auth hmac-sha enc aes \
 psk x

Now when both endpoints start isakmpd and run ipsecctl we see the flows
being created.
The same kinds of flows get created for the other windows and linux clients.

server /etc/npppd/npppd.conf:
authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}

tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
l2tp-accept-dialin yes
authentication-method mschapv2
pipex yes
}

ipcp IPCP {
pool-address 10.0.10.2-10.0.10.254
dns-servers 8.8.8.8
}

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun0  address 10.0.10.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

obsd client's /etc/xl2tpd/xl2tpd.conf:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac foo]
lns = A.B.C.D
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
autodial=yes

obsd client's /etc/ppp/options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
name x
password x

The problem is that, as we see from the logs, the obsd client refuses
to cope with mschap-v2 and various options from that last file.
If we remove all the offending options we end up with "no authentication
protocols are agreeable" in the npppd logs. Ideas? Suggestions for other
approaches??

Help me misc@openbsd.org, you're my only hope... ;)
thanks guys.