DaemonForums > OpenBSD > OpenBSD Security

#1
Old 31st December 2020
mbauhardt (New User)
 
Join Date: Dec 2020
Posts: 7
Can't connect to IKEv1 VPN server via OpenBSD 6.8 with IPsec/L2TP

Hi,
I have a Dell XPS laptop running OpenBSD 6.8. I want to connect to an IKEv1 L2TP VPN server.

I followed the steps on https://www.openbsd.org/faq/faq17.html#clientikev1
and /usr/local/share/doc/pkg-readmes/xl2tpd

I created the following config files

/etc/ipsec.conf
Code:
ike esp from $IP1 to $IP2 peer $VPNSERVER \
  main auth hmac-sha1 enc aes-128 group modp2048 \
  quick auth hmac-sha1 enc aes-128 \
  psk my-pre-sha-secr
/etc/xl2tpd/xl2tpd.conf
Code:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
auth file = /etc/ppp/pap-secrets
port = 1701

[lac l2tp]
lns = vpn_server_ip
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
require authentication = yes
require pap = yes
require chap = no
length bit = yes
/etc/ppp/options.l2tp
Code:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
connect-delay 5000
usepeerdns
defaultroute
debug
lock
netmask 255.255.255.255
user myuser
password mypwd
/etc/ppp/pap-secrets
Code:
myuser * mypwd *

I added an interface ppp0 and started isakmpd and xl2tpd.
ipsecctl -sa shows flows and SADs.
But when I try to connect via
Code:
echo c l2tp | doas tee /var/run/xl2tpd/l2tp-control
/var/log/daemon shows only

Code:
Dec 30 23:47:20 2147NFS xl2tpd[1160]: Connecting to host $VPNSERVER, port 1701
Dec 30 23:47:51 2147NFS xl2tpd[1160]: Maximum retries exceeded for tunnel 113.  Closing.
Dec 30 23:47:51 2147NFS xl2tpd[1160]: Connection 0 closed to VPNSERVERIP, port 1701 (Timeout)
I would expect to see more logging, but there is no pppd logging. It looks like the process won't start. Is this maybe the issue here?
Any hint on how I can enable more logging?
Do I have to configure packet forwarding via sysctl?
Or do you see any mistake in my config pasted above?

Thanks
Marko
#2
2nd January 2021
J65nko (Administrator)

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

It has been a very long time since I played with this stuff ;-)

Make sure that the pf rules are not blocking some of the traffic. If you use a default block policy you can check blocked packets by running tcpdump on the pflog0 interface.

BTW running the built-in OpenBSD version shows a lot of info about IPsec traffic when you run it with the verbose -vv option.

IIRC you need to enable IP forwarding with a sysctl (# sysctl -a | grep forward).
There is also a sysctl to enable ESP (# sysctl | grep esp).

You can only start pppd when you are a member of the 'network' group.
You can automate checking whether it is running with something like:
Code:
while true ; do date ; pgrep pppd ; sleep 1 ; done
Just run this in a separate xterm.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
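The checks from the reply above, written out as an added shell example. This is my own code, not from the thread, the OpenBSD FAQ or the xl2tpd readme; the daemon list, the two sysctl names and the pflog0 filter are my assumptions about a plain L2TP/IPsec client setup. The parsing functions take command output on stdin or as an argument, so they can be tried with constructed input on any system; live_checks runs the real commands and only makes sense on OpenBSD (tcpdump on pflog0 needs root and a `block log` policy in pf.conf).

```shell
#!/bin/sh
# Added example (not from the thread): the checks suggested in the reply above,
# as shell functions. The parsing functions take command output on stdin or as
# an argument; live_checks runs the real OpenBSD commands.

# Daemons an L2TP/IPsec client needs (assumption for a plain setup): isakmpd
# negotiates the IPsec SAs, xl2tpd runs the L2TP tunnel and spawns pppd.
WANT_DAEMONS="isakmpd xl2tpd pppd"

# missing_daemons: stdin is one process name per line (as from `ps -axco command`);
# prints each wanted daemon that is absent and returns 1 if any is missing.
missing_daemons() {
    _procs=$(cat)
    _rc=0
    for _d in $WANT_DAEMONS; do
        if ! printf '%s\n' "$_procs" | grep -qx "$_d"; then
            echo "not running: $_d"
            _rc=1
        fi
    done
    return $_rc
}

# sysctl_is_on: stdin is `sysctl <knob>` output ("knob=value"), $1 is the knob;
# succeeds only when the value is 1. net.inet.esp.enable defaults to 1 on
# OpenBSD; net.inet.ip.forwarding only matters if the laptop forwards traffic
# for other hosts, but it is cheap to look at while debugging.
sysctl_is_on() {
    _val=$(awk -F= -v k="$1" '$1 == k { print $2 }')
    [ "$_val" = "1" ]
}

# in_group: $1 is `id -Gn` output (space-separated group names), $2 a group name.
# As the reply says, pppd only starts for members of the 'network' group (or root).
in_group() {
    for _g in $1; do
        [ "$_g" = "$2" ] && return 0
    done
    return 1
}

# live_checks: run the checks against the real system (OpenBSD only).
live_checks() {
    in_group "$(id -Gn)" network || echo "$(id -un) is not in group network"
    for _k in net.inet.esp.enable net.inet.ip.forwarding; do
        sysctl "$_k" | sysctl_is_on "$_k" || echo "$_k is not 1"
    done
    ps -axco command | missing_daemons
    echo "== flows and SAs installed by isakmpd (empty means phase 1/2 never completed) =="
    ipsecctl -sa
    echo "== first 20 packets pf logged (needs a 'block log' policy and pflog0) =="
    tcpdump -n -e -ttt -i pflog0 -c 20 \
        'udp port 1701 or udp port 500 or udp port 4500 or ip proto 50'
}
```

Run `live_checks` as root (or via doas) in one xterm while you poke the tunnel from another; anything pf drops on UDP 500/4500/1701 or ESP shows up in the tcpdump output immediately, which is usually faster than reading the isakmpd debug log.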
#3
5th January 2021
mbauhardt (New User)

Join Date: Dec 2020
Posts: 7
I'm now able to connect. I believe I had misconfigured something.

Just to close this thread, here are the configs:

/etc/ipsec.conf
Code:
# IKEv1 client: transport-mode ESP covering only UDP/1701 (L2TP) to the server
ike dynamic esp transport proto udp from egress to vpn_server port l2tp \
  main auth "hmac-sha1" enc "aes-128" group modp2048 \
  quick auth "hmac-sha1" enc "aes-128" \
  psk pre-shared-secret
/etc/xl2tpd/xl2tpd.conf
Code:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
port = 1701

[lac office]
lns = vpn_server
ppp debug = yes
pppoptfile = /etc/ppp/options.office
/etc/ppp/options.office
Code:
ipcp-accept-local
ipcp-accept-remote
noccp
noauth
mtu 1400
mru 1400
debug
lock
user my_username
netmask 255.255.255.255
/etc/ppp/pap-secrets
Code:
my_username * my_pwd
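To make the difference between the two ipsec.conf rules in this thread checkable, here is an added lint script. It is my own example, not from the thread, the OpenBSD FAQ or the xl2tpd readme; the function and message names are my choices, and the two inputs are the rules from posts #1 and #3 embedded as constructed test data. It joins backslash continuations and then checks an `ike` rule for what an L2TP/IPsec client needs: transport mode (the default is tunnel mode), a `proto udp` selector, `port l2tp` (UDP 1701) on the destination, and no whitespace after a continuation backslash, a trap that is easy to pick up when pasting configs from a forum.

```shell
#!/bin/sh
# Added example, not from the thread: lint the ike rule of an L2TP/IPsec
# client's /etc/ipsec.conf. Inputs below are the two configs posted in the
# thread, kept verbatim (placeholders and all) as constructed test data.

# The rule from post #1 that did not work.
broken_conf() {
    cat <<'EOF'
ike esp from $IP1 to $IP2 peer $VPNSERVER \
  main auth hmac-sha1 enc aes-128 group modp2048 \
  quick auth hmac-sha1 enc aes-128 \
  psk my-pre-sha-secr
EOF
}

# The rule from post #3 that works.
working_conf() {
    cat <<'EOF'
ike dynamic esp transport proto udp from egress to vpn_server port l2tp \
  main auth "hmac-sha1" enc "aes-128" group modp2048 \
  quick auth "hmac-sha1" enc "aes-128" \
  psk pre-shared-secret
EOF
}

# lint_l2tp_rule: read ipsec.conf on stdin; print one FAIL:/WARN: line per
# finding and return 1 if anything FAILed. Continuation lines are joined so
# each ike rule is checked as one logical line.
lint_l2tp_rule() {
    awk '
    # whitespace after the backslash escapes a space instead of the newline
    /\\[[:space:]]+$/ {
        print "FAIL: line " NR ": whitespace after backslash breaks the continuation"
        bad = 1
    }
    {
        line = $0
        sub(/[[:space:]]*$/, "", line)   # tolerate it for the remaining checks
        if (line ~ /\\$/) { buf = buf " " substr(line, 1, length(line) - 1); next }
        buf = buf " " line
        if (buf ~ /^[[:space:]]*ike[[:space:]]/) check(buf)
        buf = ""
    }
    function check(r) {
        if (r !~ /[[:space:]]transport[[:space:]]/) {
            print "FAIL: ike rule is in tunnel mode (the default); L2TP over IPsec needs transport"
            bad = 1
        }
        if (r !~ /[[:space:]]proto[[:space:]]+udp[[:space:]]/) {
            print "FAIL: ike rule lacks \"proto udp\"; the SA should cover only the L2TP traffic"
            bad = 1
        }
        if (r !~ /[[:space:]]port[[:space:]]+(l2tp|1701)([[:space:]]|$)/) {
            print "FAIL: ike rule lacks \"port l2tp\" (UDP 1701) on the destination"
            bad = 1
        }
        if (r !~ /^[[:space:]]*ike[[:space:]]+dynamic[[:space:]]/)
            print "WARN: no \"dynamic\" keyword; expected for a client whose address changes"
    }
    END { exit bad ? 1 : 0 }'
}
```

`broken_conf | lint_l2tp_rule` reports three FAILs (no transport, no proto udp, no port) plus the dynamic warning, while `working_conf | lint_l2tp_rule` is silent; run it on your own file with `lint_l2tp_rule < /etc/ipsec.conf` before restarting isakmpd.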
Tags: ike1, ipsec, l2tp, vpn
