OpenBSD Security (Functionally paranoid!)
Can't connect to IKEv1 VPN server via OpenBSD 6.8 with IPsec/L2TP
Hi,
I have a Dell XPS laptop with OpenBSD 6.8 running. I want to connect to an IKEv1 L2TP VPN server. I followed the steps on https://www.openbsd.org/faq/faq17.html#clientikev1 and /usr/local/share/doc/pkg-readmes/xl2tpd. I created the following config files.

/etc/ipsec.conf
Code:
ike esp from $IP1 to $IP2 peer $VPNSERVER \
    main auth hmac-sha1 enc aes-128 group modp2048 \
    quick auth hmac-sha1 enc aes-128 \
    psk my-pre-sha-secr

Code:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
auth file = /etc/ppp/pap-secrets
port = 1701

[lac l2tp]
lns = vpn_server_ip
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
require authentication = yes
require pap = yes
require chap = no
length bit = yes

Code:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
connect-delay 5000
usepeerdns
defaultroute
debug
lock
netmask 255.255.255.255
user myuser
password mypwd

Code:
myuser * mypwd *

I added an interface ppp0 and started isakmpd and xl2tpd. ipsecctl -sa shows flows and SADs. But when I try to connect via
Code:
echo c l2tp | doas tee /var/run/xl2tpd/l2tp-control

Code:
Dec 30 23:47:20 2147NFS xl2tpd[1160]: Connecting to host $VPNSERVER, port 1701
Dec 30 23:47:51 2147NFS xl2tpd[1160]: Maximum retries exceeded for tunnel 113. Closing.
Dec 30 23:47:51 2147NFS xl2tpd[1160]: Connection 0 closed to VPNSERVERIP, port 1701 (Timeout)

Any hint how I can enable more logging? Do I have to configure some packet forwarding via sysctl? Or do you see any mistake in my config pasted above?
Thanks
Marko
It has been a very long time since I played with this stuff ;-)

Make sure that the pf rules are not blocking some of the traffic. If you use a default block policy you can check blocked packets by running tcpdump on the pflog0 interface. BTW, running the built-in OpenBSD version shows a lot of info about IPsec traffic when you run it with the verbose -vv option.

IIRC you need to enable IP forwarding with a sysctl:
Code:
# sysctl -a | grep forward

There is also a sysctl to enable esp:
Code:
# sysctl | grep esp

Only when you are a member of the 'network' group can you start pppd. You can automate checking whether it is running with something like:
Code:
while true ; do date ; pgrep pppd ; sleep 1 ; done
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
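A small pre-flight script that bundles the checks this reply points at (the two sysctls, membership in the network group, whether isakmpd/xl2tpd/pppd are running, the ipsecctl flows, and the xl2tpd timeout signature from the first post). It is an added example, not code from the thread; it assumes an OpenBSD client where sysctl(8) prints name=value and pf logs blocked packets to pflog0. The helper functions take their input from stdin or an argument so they can be exercised with constructed data; the live checks run only when the script is invoked with the `run` argument.

```shell
#!/bin/sh
# Added L2TP/IPsec client pre-flight check (not from the thread).
# Assumes OpenBSD: sysctl(8) output is "name=value", pf logs to pflog0,
# pppd(8) may only be started by members of group "network".

# Exit 0 only if both sysctls the reply mentions read 1.
# Reads "name=value" lines on stdin, as printed by sysctl(8).
required_sysctls_enabled() {
    awk -F= '
        $1 == "net.inet.ip.forwarding" { fwd = $2 }
        $1 == "net.inet.esp.enable"    { esp = $2 }
        END { exit !(fwd == 1 && esp == 1) }
    '
}

# Exit 0 if the group list given as $1 (output of `id -Gn`) contains "network".
in_network_group() {
    for g in $1; do
        [ "$g" = "network" ] && return 0
    done
    return 1
}

# Exit 0 if an xl2tpd log line records a tunnel that gave up on the peer,
# the failure shown in the first post (no reply to the SCCRQ at all).
is_l2tp_timeout() {
    case "$1" in
        *"Maximum retries exceeded"*|*"(Timeout)"*) return 0 ;;
    esac
    return 1
}

# Live checks; only run as `sh l2tp-check.sh run` on the OpenBSD client.
case "${1-}" in
run)
    if sysctl net.inet.ip.forwarding net.inet.esp.enable | required_sysctls_enabled; then
        echo "sysctl: ip forwarding and esp are enabled"
    else
        echo "sysctl: check net.inet.ip.forwarding and net.inet.esp.enable"
    fi
    in_network_group "$(id -Gn)" || echo "not in group network: pppd will refuse to start"
    for d in isakmpd xl2tpd pppd; do
        pgrep -x "$d" >/dev/null && echo "$d running" || echo "$d not running"
    done
    ipsecctl -sa        # flows and SAs isakmpd has installed
    echo "to see what pf drops: tcpdump -n -e -ttt -i pflog0"
    ;;
esac
```

Run it once before `echo c l2tp | doas tee /var/run/xl2tpd/l2tp-control`; a tunnel that never gets past "Connecting to host" with nothing in pflog0 and no SA in ipsecctl -sa points at the IKE side rather than at xl2tpd.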
I'm now able to connect. I believe I did some misconfiguration.
Just for closing this thread, here are the configs.

/etc/ipsec.conf
Code:
ike dynamic esp transport proto udp from egress to vpn_server port l2tp \
    main auth "hmac-sha1" enc "aes-128" group modp2048 \
    quick auth "hmac-sha1" enc "aes-128" \
    psk pre-shared-secret

Code:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
port = 1701

[lac office]
lns = vpn_server
ppp debug = yes
pppoptfile = /etc/ppp/options.office

Code:
ipcp-accept-local
ipcp-accept-remote
noccp
noauth
mtu 1400
mru 1400
debug
lock
user my_username
netmask 255.255.255.255

Code:
my_username * my_pwd
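The rule that works differs from the first post's rule in the flow it defines: transport mode, and only UDP to the l2tp port, which is how L2TP/IPsec carries L2TP (UDP 1701) inside transport-mode ESP. The helper below is an added example, not anything from the thread: it joins the backslash-continued lines of ipsec.conf(5) into one logical rule each and flags `ike` rules that lack those pieces. The `check` argument runs it over /etc/ipsec.conf, an assumed path on the client.

```shell
#!/bin/sh
# Added ipsec.conf(5) lint for an L2TP/IPsec client (not from the thread).

# Join backslash-continued lines read on stdin into one logical rule per line.
join_rules() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { print buf $0; buf = "" }
    '
}

# Exit 0 if an ike rule carries what an L2TP/IPsec client flow needs:
# transport mode and a flow restricted to UDP port l2tp (1701).
l2tp_rule_ok() {
    case "$1" in ike*) ;; *) return 1 ;; esac
    case "$1" in *" transport "*) ;; *) return 1 ;; esac
    case "$1" in *"proto udp"*) ;; *) return 1 ;; esac
    case "$1" in *"port l2tp"*|*"port 1701"*) ;; *) return 1 ;; esac
    return 0
}

# Report every ike rule in /etc/ipsec.conf; only runs as `sh lint.sh check`.
case "${1-}" in
check)
    join_rules < /etc/ipsec.conf | while IFS= read -r rule; do
        case "$rule" in
        ike*)
            if l2tp_rule_ok "$rule"; then
                echo "ok:  $rule"
            else
                echo "not an L2TP client flow (needs transport, proto udp, port l2tp): $rule"
            fi ;;
        esac
    done ;;
esac
```

The first post's rule, a tunnel-mode flow between two addresses with no protocol or port, is exactly what the lint reports; the final rule passes.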
Tags: ike1, ipsec, l2tp, vpn