Old 30th November 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38
L2TP/IPSEC configuration error

Hi,

I tried configuring an IPSEC road-warrior tunnel between OpenBSD & Android, but for some reason it cannot establish a connection.

Configuration files are listed below:

1. /etc/ipsec.conf
Code:
# cat /etc/ipsec.conf
ext_if="re0"
key="XXXXXXXXXXXXXXX"
ike passive esp transport proto udp from $ext_if to any port 1701 main auth "hmac-sha1" enc "aes" group modp2048 quick auth "hmac-sha1" enc "aes" psk $key
2. /etc/npppd/npppd.conf
Code:
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
}

interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
3. pf rules
Code:
block drop in quick on egress proto tcp from <sshguard> to any port = 22 label "ssh bruteforce"
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
block return all
pass quick proto esp all
pass quick proto ah all
pass in inet proto udp from any to 172.31.38.214 port = 500
pass in inet proto udp from any to 172.31.38.214 port = 4500
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
4. /etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet.esp.enable=1  
net.inet.ah.enable=1
net.inet.ipcomp.enable=1
5. netstat output (if useful)
Code:
# netstat -f inet -an | grep udp
.
.  
udp          0      0  10.0.0.1.4500          *.*                   
udp          0      0  *.514                  *.*                   
udp          0      0  *.4500                 *.*                   
udp          0      0  *.500                  *.*                   
udp          0      0  10.0.0.1.500           *.*                   
udp          0      0  172.31.38.214.4500     *.*                   
udp          0      0  172.31.38.214.500      *.*                   
udp          0      0  127.0.0.1.4500         *.*                   
udp          0      0  127.0.0.1.500          *.*                   
udp          0      0  *.1701                 *.*
6. /var/log/daemon.log output after the connection attempt:
Code:
Nov 29 12:02:50 ireland2 npppd[30421]: Starting npppd pid=30421 version=5.0.0
Nov 29 12:02:50 ireland2 npppd[30421]: pptpd GRE protocol not allowed
Nov 29 12:02:50 ireland2 npppd[30421]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: tun0 Started ip4addr=10.0.0.1
Nov 29 12:02:50 ireland2 npppd[30421]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Nov 29 12:02:50 ireland2 npppd[30421]: Added 13 routes for new pool addresses
Nov 29 12:02:50 ireland2 npppd[30421]: Loading pool config successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:03:01 ireland2 isakmpd[45551]: isakmpd: starting
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 29 12:05:02 ireland2 last message repeated 5 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 29 12:05:02 ireland2 last message repeated 2 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: message_negotiate_sa: no compatible proposal found
Nov 29 12:05:02 ireland2 isakmpd[46343]: dropped message from 176.XXX.XX.XXX port 60878 due to notification type NO_PROPOSAL_CHOSEN
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=176.XXX.XX.XXX:56419/udp tunnel_id=1/46652 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 SendSCCRP
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd Received from=176.XXX.XX.XXX:56419: bad control message: tunnelId=0 is not found.  mestype=StopCCN
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Finished
I am able to run OpenVPN without any hassle, but I am just wondering why IPsec isn't working. I can use IPsec on FreeBSD with racoon for the same client, and it connects.
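The isakmpd lines in the log above carry the most useful diagnostic information: each attribute_unacceptable line names what the peer offered ("got") and what the responder was prepared to accept ("expected"). The following is an added example, not code from the post or from OpenBSD; it is a small Python checker that parses those lines and compares the peer's offer against the phase-1 attributes requested by the ike rule in ipsec.conf. When the peer offered exactly what ipsec.conf asks for (AES and PSK here) yet isakmpd expected something else, the rule was evidently not the policy isakmpd matched the peer against (isakmpd.conf(5) documents 3DES-SHA-RSA_SIG as the default phase-1 transform), which points at policy loading or peer matching rather than at the client. The sample log is constructed from the lines quoted in the post, the ike rule is the post's own with the key replaced by a placeholder, and the keyword-to-attribute-name tables are my assumptions about how ipsec.conf keywords correspond to the names isakmpd prints.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt modelled on the isakmpd lines quoted in the post.
SAMPLE_LOG = """\
Nov 29 12:03:01 ireland2 isakmpd[45551]: isakmpd: starting
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 29 12:05:02 ireland2 last message repeated 5 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 29 12:05:02 ireland2 isakmpd[46343]: message_negotiate_sa: no compatible proposal found
Nov 29 12:05:02 ireland2 isakmpd[46343]: dropped message from 176.XXX.XX.XXX port 60878 due to notification type NO_PROPOSAL_CHOSEN
"""

# The ike rule from the post; the real key is replaced by a placeholder variable.
SAMPLE_IKE_RULE = ('ike passive esp transport proto udp from $ext_if to any port 1701 '
                   'main auth "hmac-sha1" enc "aes" group modp2048 '
                   'quick auth "hmac-sha1" enc "aes" psk $key')

MISMATCH_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")

# Assumed mapping from ipsec.conf keywords to the attribute names isakmpd logs.
ENC_NAMES = {"aes": "AES_CBC", "3des": "3DES_CBC"}
HASH_NAMES = {"hmac-sha1": "SHA", "hmac-md5": "MD5"}

# Verdicts produced by diagnose().
POLICY_NOT_APPLIED = "POLICY_NOT_APPLIED"  # peer offered what ipsec.conf asks for
PEER_MISMATCH = "PEER_MISMATCH"            # peer offered something ipsec.conf does not allow


def parse_mismatches(log: str) -> Dict[str, Tuple[str, str]]:
    """Return attribute -> (peer offered, responder expected) for every logged rejection."""
    found: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def negotiation_failed(log: str) -> bool:
    """True when isakmpd answered the peer with NO_PROPOSAL_CHOSEN."""
    return "NO_PROPOSAL_CHOSEN" in log


def expected_from_ike_rule(rule: str) -> Dict[str, str]:
    """Derive the phase-1 attributes an ike rule requests.

    Only the 'main' section (between the 'main' and 'quick' keywords) and the
    psk/rsa authentication keyword are examined; phase-2 ('quick') is ignored.
    """
    tokens = rule.replace('"', "").split()
    if "main" not in tokens:
        main_part = []
    else:
        start = tokens.index("main") + 1
        end = tokens.index("quick") if "quick" in tokens else len(tokens)
        main_part = tokens[start:end]

    want: Dict[str, str] = {}
    for key, val in zip(main_part[::2], main_part[1::2]):
        if key == "enc":
            # "aes-256" and plain "aes" both negotiate AES_CBC (key length is separate).
            want["ENCRYPTION_ALGORITHM"] = ENC_NAMES.get(val.split("-")[0], val.upper())
        elif key == "auth":
            want["HASH_ALGORITHM"] = HASH_NAMES.get(val, val.upper())
        elif key == "group" and val.startswith("modp"):
            want["GROUP_DESCRIPTION"] = "MODP_" + val[len("modp"):]
    # ipsec.conf defaults to RSA authentication unless 'psk' is given.
    want["AUTHENTICATION_METHOD"] = "PRE_SHARED" if "psk" in tokens else "RSA_SIG"
    return want


def diagnose(log: str, rule: str) -> Dict[str, str]:
    """For each rejected attribute, say whether the peer or the loaded policy is at odds with ipsec.conf."""
    want = expected_from_ike_rule(rule)
    verdict: Dict[str, str] = {}
    for attr, (got, _expected) in parse_mismatches(log).items():
        verdict[attr] = POLICY_NOT_APPLIED if want.get(attr) == got else PEER_MISMATCH
    return verdict


if __name__ == "__main__":
    for attr, v in diagnose(SAMPLE_LOG, SAMPLE_IKE_RULE).items():
        print(f"{attr}: {v}")
    print("negotiation failed:", negotiation_failed(SAMPLE_LOG))
```

Run against the post's log, both rejected attributes come back as POLICY_NOT_APPLIED: the Android client offered AES_CBC with a pre-shared key, which is precisely what the ike rule requests, so the useful next check on the server is whether ipsec.conf was actually loaded into isakmpd and whether its from/to selector matches the peer, not the client's settings. A log where the peer offers 3DES against an AES-only rule would instead yield PEER_MISMATCH.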