Re: npppd l2tp/ipsec - openbsd client
Hi, first of all, thanks @sthen for your answer (OP has no net access atm).

We are to the point where the clients get ip (windows/linux/OpenBSD) and traffic is passing through the server as expected. There is a very strange problem with ssh service though. While internet traffic is being routed as expected, when we try to ssh, we can't connect (from OpenBSD clients) to any server.

    [..snip..]
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

and it just hangs there. Test time with windows, and with PuTTY, there is absolutely no problem. I can connect anywhere with absolutely no problem. At this point, I went with the crazy idea to try PuTTY on OpenBSD. And ssh with PuTTY works... We can't get our heads around this problem and why this is happening.

## pf.conf @ server ##

    NIC=interface
    set skip on {lo0}
    block # block stateless traffic
    pass # establish keep-state
    block in on ! lo0 proto tcp to port 6000:6010
    block in on vic0
    #vpn
    extip=ip
    pass in quick inet proto tcp from any to $NIC port {ports} flags S/SA keep state
    pass quick proto { esp, ah } from any to any
    pass in quick on egress proto udp from any to any port {500, 4500} keep state
    pass quick on enc0 from any to any keep state (if-bound)
    pass out quick on egress inet from 10.0.10.0/24 to any nat-to (egress:0)
    pass out on vic0

Does anyone have a solution to this problem?

Thanks.

-- 
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: npppd l2tp/ipsec - openbsd client
What does /etc/ssh/ssh_config look like on the OpenBSD client?

-- 
Jeff Goettsch
Agricultural and Resource Economics
University of California, Davis
http://agecon.ucdavis.edu/

On Fri, November 22, 2013 6:52 am, haris wrote:
> [..snip..]
Re: npppd l2tp/ipsec - openbsd client
On Fri, Nov 22, 2013 at 06:41:37PM +0200, Jeff Goettsch wrote:
> What does /etc/ssh/ssh_config look like on the OpenBSD client?

The file is the default that comes with OpenBSD. No change there...
Re: npppd l2tp/ipsec - openbsd client
On 2013-11-22, haris <ha...@2f30.org> wrote:
> Hi, first of all, thanks @sthen for your answer (OP has no net access atm).
> We are to the point where the clients get ip (windows/linux/OpenBSD) and traffic is passing through the server as expected. There is a very strange problem with ssh service though. While internet traffic is being routed as expected, when we try to ssh, we can't connect (from OpenBSD clients) to any server.

This is very likely to be an MTU problem. Packets of certain sizes get through OK but packets larger than a certain size won't make it through.

This is hitting OpenSSH rather than PuTTY because, with default settings, OpenSSH's negotiation packets are larger than PuTTY's (more options, more ciphers, etc). If you connect with PuTTY and start sending a bunch of bulk data over the connection (cat a large file or something), I am pretty sure that will stall too.

Things you can try to fix it:

- lower MTU on the ppp interface
- tcp-mss-adjust yes in npppd
- pf match ... scrub (max-mss $somevalue)
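Filling in the second and third suggestions above against the configuration the OP posted, as an added example that is not from the thread: the clients' TCP packets are only visible to pf on the server's tun0, where npppd concentrates the PPP sessions (on enc0 pf sees the decrypted L2TP/UDP datagrams, not the PPP payload inside them), so the clamp belongs on tun0. The value 1370 is an assumption derived from the client's "mtu 1410" minus 40 bytes of IPv4 and TCP headers; adjust it if the PPP MTU differs.

```conf
# /etc/npppd/npppd.conf (server): let npppd rewrite the MSS option in the
# TCP SYNs of each PPP session so no segment exceeds the negotiated PPP MTU.
# Only tcp-mss-adjust is new here; the rest is the OP's tunnel block.
tunnel L2TP_ipv4 protocol l2tp {
	listen on 0.0.0.0
	l2tp-accept-dialin yes
	authentication-method mschapv2
	pipex yes
	tcp-mss-adjust yes
}

# /etc/pf.conf (server): the same clamp done by pf instead of npppd.
# tun0 is where pf sees the clients' TCP traffic unwrapped; a rule on enc0
# would only see UDP/1701 (L2TP) after ESP decryption and clamp nothing.
# 1370 = 1410 (client options.l2tpd.client "mtu 1410") - 20 (IPv4) - 20 (TCP);
# assumed value, recompute if the PPP MTU is changed.
match on tun0 scrub (max-mss 1370)
```

Either mechanism alone is enough; using both is harmless because the smaller MSS wins.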
Re: npppd l2tp/ipsec - openbsd client
On 2013-11-20, anon ymous <ramrunner0...@gmail.com> wrote:
> Hello list! If anyone could shed some light to the following i would be thankful..
> i have 2 5.4-current boxes, one acting as an npppd server over ipsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although linux and windows clients connect ok with the same setup, i can't get the openbsd client to connect.

I ported xl2tpd - fwiw I've only tested it against Firebrick's l2tp implementation which does not use IPsec, so I don't know if anything special is needed for this.

>     tunnel L2TP_ipv4 protocol l2tp {
>         listen on 0.0.0.0
>         l2tp-accept-dialin yes
>         authentication-method mschapv2
>         pipex yes
>     }

Here you only accept mschapv2 authentication.

> the problem is that as we see from the logs the obsd client refuses to cope with mschap-v2 and various options from that last file.

Mackerras' pppd has new mschap code which supports mschap-v2; this was added in 2003, but unfortunately the last release with code for all arch other than Solaris/Linux was pppd-2.3.11 in 1999. I've looked at trying to update pppd before but it was a bit much for me..

> if we remove all the offending options we end up with
>
>     no authentication protocols are agreeable
>
> on npppd logs
>
> ideas? suggestions for other approaches??

You could try telling npppd to accept chap (not mschap), and tell pppd to use that..
npppd l2tp/ipsec - openbsd client
Hello list! If anyone could shed some light to the following i would be thankful..

i have 2 5.4-current boxes, one acting as an npppd server over ipsec and the other one wishing to be a client. My understanding is that to accomplish that the client needs to use xl2tpd from ports. The problem is that although linux and windows clients connect ok with the same setup, i can't get the openbsd client to connect.

server /etc/ipsec.conf:

    local_ip=A.B.C.D
    ike passive esp transport proto udp from $local_ip to any port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

obsd client /etc/ipsec.conf:

    remote_ip=A.B.C.D
    local_ip=E.F.G.H
    ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
        main auth hmac-sha enc aes group modp2048 \
        quick auth hmac-sha enc aes \
        psk x

now when both endpoints run start isakmpd and run ipsecctl we see the flows being created. the same kinds of flows get created for the other windows and linux clients.

server /etc/npppd/npppd.conf:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }
    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
        authentication-method mschapv2
        pipex yes
    }
    ipcp IPCP {
        pool-address 10.0.10.2-10.0.10.254
        dns-servers 8.8.8.8
    }
    # use tun(4) interface. multiple ppp sessions concentrate one interface.
    interface tun0 address 10.0.10.1 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

obsd client's /etc/xl2tpd/xl2tpd.conf:

    [global]
    debug avp = yes
    debug network = yes
    debug state = yes
    debug tunnel = yes

    [lac foo]
    lns = A.B.C.D
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes
    autodial=yes

obsd client's /etc/ppp/options.l2tpd.client:

    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    usepeerdns
    debug
    lock
    name x
    password x

the problem is that as we see from the logs the obsd client refuses to cope with mschap-v2 and various options from that last file. if we remove all the offending options we end up with

    no authentication protocols are agreeable

on npppd logs

ideas? suggestions for other approaches??

Help me misc@openbsd.org, you're my only hope... ;)

thanks guys.