1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Quote:
Originally Posted by jggimi
Disclaimer: I don't run L2TP/IPSec, so this may be unintentionally misleading.

There are several more modern "howto" documents floating around the Internet since the first 2012 article on L2TP/IPSec was published at the OpenBSD Journal. This one recommends enc "3des" for your ipsec.conf, and therefore there may be something to it, as isakmpd(8) complains that it was expecting 3DES_CBC in your log.

Made the changes in ipsec.conf but it isn't connecting yet -
Code:
# tail -f /var/log/daemon      
Dec  1 04:13:06 ireland2 npppd[52928]: Starting npppd pid=52928 version=5.0.0
Dec  1 04:13:06 ireland2 npppd[52928]: pptpd GRE protocol not allowed
Dec  1 04:13:06 ireland2 npppd[52928]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Dec  1 04:13:07 ireland2 npppd[52928]: tun0 Started ip4addr=10.0.0.1
Dec  1 04:13:07 ireland2 npppd[52928]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Dec  1 04:13:07 ireland2 npppd[52928]: Added 13 routes for new pool addresses
Dec  1 04:13:07 ireland2 npppd[52928]: Loading pool config successfully.
Dec  1 04:13:07 ireland2 npppd[52928]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Dec  1 04:13:07 ireland2 npppd[52928]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Dec  1 04:13:17 ireland2 isakmpd[50851]: isakmpd: starting
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 04:13:45 ireland2 last message repeated 5 times
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: message_negotiate_sa: no compatible proposal found
Dec  1 04:13:45 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 743 due to notification type NO_PROPOSAL_CHOSEN
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=xxx.xxx.xxx.xx:7416/udp tunnel_id=1/35377 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 SendSCCRP
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd Received from=xxx.xxx.xxx.xx:7416: bad control message: tunnelId=0 is not found.  mestype=StopCCN
Dec  1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Dec  1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Finished

I got the OpenVPN tunnel running but just want to see why the ipsec tunnel is dysfunctional on OpenBSD. You can suggest some more and I will give it a try.
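Added example, not part of the original post or of OpenBSD's tooling: a small shell/awk helper that tallies the isakmpd(8) `attribute_unacceptable` lines from a log like the one above into what the peer offered versus what the local policy expected, folding in syslog's "last message repeated" lines. The function names `sample_log` and `summarize_mismatches` are hypothetical; the sample input is the isakmpd lines copied from the log in the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenBSD.

# Sample input: the isakmpd lines copied from the log in the post above.
sample_log() {
    cat <<'EOF'
Dec  1 04:13:17 ireland2 isakmpd[50851]: isakmpd: starting
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 04:13:45 ireland2 last message repeated 5 times
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: message_negotiate_sa: no compatible proposal found
EOF
}

# Reads syslog lines on stdin and prints one line per distinct mismatch:
#   ATTRIBUTE got=<peer offer> expected=<local policy> count=<occurrences>
summarize_mismatches() {
    awk '
    /isakmpd\[[0-9]+\]: attribute_unacceptable: / {
        line = $0
        sub(/^.*attribute_unacceptable: /, "", line)   # "ATTR: got X, expected Y"
        split(line, p, /: got |, expected /)           # p[1]=ATTR p[2]=X p[3]=Y
        key = p[1] SUBSEP p[2] SUBSEP p[3]
        if (!(key in n)) order[++k] = key              # keep first-seen order
        n[key]++
        last = key
        next
    }
    / last message repeated [0-9]+ times$/ {
        # syslog collapses identical lines; credit them to the line just before.
        if (last != "") n[last] += $(NF - 1)
        next
    }
    { last = "" }   # any other message breaks the "repeated" association
    END {
        for (i = 1; i <= k; i++) {
            split(order[i], f, SUBSEP)
            printf "%s got=%s expected=%s count=%d\n", f[1], f[2], f[3], n[order[i]]
        }
    }'
}

sample_log | summarize_mismatches
```

On the host it can be fed the real log with `summarize_mismatches < /var/log/daemon`.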