L2TP IPSEC VPN connectivity
I'm able to connect to the VPN with the following setup, but am unable to reach the Internet through the VPN.
/etc/rc.conf.local
Code:
isakmpd_flags="-K"
ipsec=YES
npppd_flags=""

Code:
ike passive esp tunnel \
        from sub.domain.tld to any \
        main group "modp1024" \
        quick group "modp1024" \
        psk "key"

Code:
$user:\
        :password=$passwd:

Code:
pubIF = "vio0"
vpnIF = "pppx"
vpnNET = "10.0.0.0/24"

pass in on $pubIF proto esp
pass in on $pubIF proto udp to port { isakmp, ipsec-nat-t }
pass on enc0 keep state (if-bound)
pass on $vpnIF from $vpnNET
pass on $vpnIF to $vpnNET
match out on $pubIF from $vpnNET nat-to ($pubIF) set prio (3,4)
Code:
# /etc/rc.d/isakmpd start
isakmpd(ok)
root@vpx:~# ipsecctl -f /etc/ipsec.conf
root@vpx:~# sysctl net.pipex.enable=1
net.pipex.enable: 0 -> 1
root@vpx:~# sysctl net.pipex.enable
net.pipex.enable=1
root@vpx:~# /etc/rc.d/npppd start
npppd(ok)

ifconfig shows client is connected.
Code:
root@vpx:~# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr mac
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet pubIP netmask 0xfffffe00 broadcast gateway
        inet6 ip6ip%vio0 prefixlen 64 scopeid 0x1
        <snip(inet6)>
vio1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr mac
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: no carrier
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
        index 5 priority 0 llprio 3
        groups: pflog
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
        description: $user
        index 6 priority 0 llprio 3
        groups: pppx
        inet 10.0.0.1 --> 10.0.0.73 netmask 0xffffffff

Code:
root@vpx:~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel

Code:
root@vpx:~# ipsecctl -m
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type require direction out
    src_flow: VPN port 1701
    dst_flow: client port 56642
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type require direction out
    src_flow: VPN port 1701
    dst_flow: client port 56642
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
    sa: spi 0x... auth none enc none state larval replay 0 flags 0<>
    address_src: VPN
    address_dst: client
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
    sa: spi 0x... auth none enc none state larval replay 0 flags 0<>
    address_src: VPN
    address_dst: client
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type use direction in
    src_flow: client port 56642
    dst_flow: VPN port 1701
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type use direction in
    src_flow: client port 56642
    dst_flow: VPN port 1701
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
    sa: spi 0x... auth none enc none state larval replay 0 flags 0<>
    address_src: client
    address_dst: VPN
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
    sa: spi 0x... auth none enc none state larval replay 0 flags 0<>
    address_src: client
    address_dst: VPN
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
    address_src: client
    address_dst: VPN
    spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
    sa: spi 0x... auth none enc none state mature replay 0 flags 0<>
    address_src: client
    address_dst: VPN
sadb_add: satype esp vers 2 len 51 seq 11 pid 47859
    sa: spi 0x... auth hmac-sha1 enc aes state mature replay 16 flags 0x200<udpencap>
    lifetime_hard: alloc 0 bytes 0 add 3600 first 0
    lifetime_soft: alloc 0 bytes 0 add 3240 first 0
    address_src: VPN
    address_dst: client
    key_auth: bits 160: hash
    key_encrypt: bits 256: hash
    identity_src: type prefix id 0: vpn/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type unknown direction out
    src_flow: VPN port 1701
    dst_flow: client port 64265
    udpencap: udpencap port 4500
sadb_add: satype esp vers 2 len 42 seq 11 pid 47859
    sa: spi 0x... auth hmac-sha1 enc aes state mature replay 16 flags 0x200<udpencap>
    lifetime_hard: alloc 0 bytes 0 add 3600 first 0
    lifetime_soft: alloc 0 bytes 0 add 3240 first 0
    address_src: VPN
    address_dst: client
    identity_src: type prefix id 0: VPN/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type unknown direction out
    src_flow: VPN port 1701
    dst_flow: client port 64265
    udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 51 seq 12 pid 47859
    sa: spi 0x... auth hmac-sha1 enc aes state mature replay 16 flags 0x200<udpencap>
    lifetime_hard: alloc 0 bytes 0 add 3600 first 0
    lifetime_soft: alloc 0 bytes 0 add 3240 first 0
    address_src: client
    address_dst: VPN
    key_auth: bits 160: hash
    key_encrypt: bits 256: hash
    identity_src: type prefix id 0: 10.0.0.37/32
    identity_dst: type prefix id 0: VPN/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type unknown direction in
    src_flow: client port 64265
    dst_flow: VPN port 1701
    udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 42 seq 12 pid 47859
    sa: spi 0x... auth hmac-sha1 enc aes state mature replay 16 flags 0x200<udpencap>
    lifetime_hard: alloc 0 bytes 0 add 3600 first 0
    lifetime_soft: alloc 0 bytes 0 add 3240 first 0
    address_src: client
    address_dst: VPN
    identity_src: type prefix id 0: 10.0.0.37/32
    identity_dst: type prefix id 0: VPN/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type unknown direction in
    src_flow: client port 64265
    dst_flow: VPN port 1701
    udpencap: udpencap port 4500
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
    address_dst: client
    identity_src: type prefix id 0: VPN/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type require direction out
    src_flow: VPN port 1701
    dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
    address_dst: client
    identity_src: type prefix id 0: VPN/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type require direction out
    src_flow: VPN port 1701
    dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
    address_dst: client
    identity_src: type prefix id 0: VPN/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type use direction in
    src_flow: client port 64265
    dst_flow: VPN port 1701
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
    address_dst: client
    identity_src: type prefix id 0: VPN/32
    identity_dst: type prefix id 0: 10.0.0.37/32
    src_mask: 255.255.255.255 port 65535
    dst_mask: 255.255.255.255 port 65535
    protocol: proto 17 flags 0
    flow_type: type use direction in
    src_flow: client port 64265
    dst_flow: VPN port 1701
^C

Code:
root@vpx:~# ipsecctl -s all
FLOWS:
flow esp in proto udp from client port 61418 to VPN port l2tp peer client srcid VPN/32 dstid 10.0.0.37/32 type use
flow esp out proto udp from VPN port l2tp to client port 61418 peer client srcid VPN/32 dstid 10.0.0.37/32 type require

SAD:
esp transport from VPN to client spi 0x... auth hmac-sha1 enc aes-256
esp transport from client to VPN spi 0x... auth hmac-sha1 enc aes-256

Code:
root@vpx:~# pfctl -s rules
block drop log quick from <vilain_bruteforce> to any
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
pass in on vio0 proto udp from any to any port = 500
pass in on vio0 proto udp from any to any port = 4500
pass in on vio0 proto esp all
pass on enc0 all flags S/SA keep state (if-bound)
pass on pppx inet from 10.0.0.0/24 to any flags S/SA
pass on pppx inet from any to 10.0.0.0/24 flags S/SA
match out on vio0 inet from 10.0.0.0/24 to any set ( prio(3, 4) ) nat-to (vio0) round-robin
root@vpx:~#

Last edited by toprank; 30th March 2018 at 04:05 PM.
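A small checker over the kind of dumps pasted above, added here as an example and not code from the thread or from OpenBSD: it parses the text of `ipsecctl -s all`, `pfctl -s rules` and `sysctl` output and reports which pieces of an npppd L2TP-over-IPsec gateway are present (an L2TP flow pair, ESP SAs in both directions with authentication, the IKE/NAT-T/ESP pass rules on the egress interface, the enc0 and pppx rules, the NAT rule for the VPN net, `net.pipex.enable`). It also looks at `net.inet.ip.forwarding`, which any OpenBSD box has to enable before it will forward between pppx and the egress interface; the post does not show that sysctl, so the sample sysctl text below is constructed with it off purely to exercise a failing check, and implies nothing about what the thread's actual fix was. All function names, the constructed SPIs and the sample strings are mine.

```python
"""Sanity checks over captured OpenBSD L2TP/IPsec gateway diagnostics.

Added example (not from the thread): feed it the text of `ipsecctl -s all`,
`pfctl -s rules` and `sysctl` as pasted into a post and it lists the
expected pieces that are missing, instead of eyeballing the dumps.
Sample inputs are constructed to mirror the thread ("VPN"/"client" stand
in for the real addresses, SPIs are made up).
"""
import re

IPSECCTL_S_ALL = """\
FLOWS:
flow esp in proto udp from client port 61418 to VPN port l2tp peer client srcid VPN/32 dstid 10.0.0.37/32 type use
flow esp out proto udp from VPN port l2tp to client port 61418 peer client srcid VPN/32 dstid 10.0.0.37/32 type require

SAD:
esp transport from VPN to client spi 0x0000abcd auth hmac-sha1 enc aes-256
esp transport from client to VPN spi 0x0000dcba auth hmac-sha1 enc aes-256
"""

PFCTL_S_RULES = """\
block drop log quick from <vilain_bruteforce> to any
block return all
pass all flags S/SA
pass in on vio0 proto udp from any to any port = 500
pass in on vio0 proto udp from any to any port = 4500
pass in on vio0 proto esp all
pass on enc0 all flags S/SA keep state (if-bound)
pass on pppx inet from 10.0.0.0/24 to any flags S/SA
pass on pppx inet from any to 10.0.0.0/24 flags S/SA
match out on vio0 inet from 10.0.0.0/24 to any set ( prio(3, 4) ) nat-to (vio0) round-robin
"""

# Constructed: forwarding deliberately off so one check fails in the demo.
SYSCTL_OUT = """\
net.pipex.enable=1
net.inet.ip.forwarding=0
"""


def check_ipsec(text):
    """Confirm an L2TP flow pair and authenticated SAs in both directions."""
    lines = [l.strip() for l in text.splitlines()]
    flows = [l for l in lines if l.startswith("flow ")]
    sas = [l for l in lines if l.startswith(("esp ", "ah "))]
    dirs = set()
    for sa in sas:
        m = re.match(r"(?:esp|ah) (?:transport|tunnel) from (\S+) to (\S+) spi", sa)
        if m:
            dirs.add((m.group(1), m.group(2)))
    return {
        "l2tp_flow_in": any(" in proto udp " in f and " port l2tp" in f for f in flows),
        "l2tp_flow_out": any(" out proto udp " in f and " port l2tp" in f for f in flows),
        # every SA needs its reverse-direction partner or traffic is one-way
        "sa_both_directions": bool(dirs) and all((d, s) in dirs for (s, d) in dirs),
        # "auth none" would mean an unauthenticated ESP SA was negotiated
        "sa_authenticated": all(" auth none" not in sa for sa in sas),
    }


def check_pf(text, ext_if="vio0", vpn_if="pppx", vpn_net="10.0.0.0/24"):
    """Look for the rules an L2TP/IPsec gateway needs in `pfctl -s rules` text."""
    rules = [l.strip() for l in text.splitlines() if l.strip()]
    net = re.escape(vpn_net)

    def has(pattern):
        return any(re.search(pattern, r) for r in rules)

    return {
        "ike_udp_500": has(rf"^pass in on {ext_if} proto udp .*port = 500$"),
        "natt_udp_4500": has(rf"^pass in on {ext_if} proto udp .*port = 4500$"),
        "esp_in": has(rf"^pass in on {ext_if} proto esp"),
        "enc0_if_bound": has(r"^pass on enc0 .*keep state \(if-bound\)"),
        "vpn_if_from_net": has(rf"^pass on {vpn_if} .*from {net} "),
        "vpn_if_to_net": has(rf"^pass on {vpn_if} .*to {net} "),
        # without NAT, client packets leave with an unroutable 10.0.0.x source
        "nat_vpn_net": has(rf"^match out on {ext_if} .*from {net} to any .*nat-to"),
    }


def check_sysctl(text):
    """Parse `sysctl` output ('name=value' or 'name: old -> new') into flags."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+?)(?:=|: \S+ -> )(\d+)$", line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return {
        "pipex_enabled": values.get("net.pipex.enable") == 1,
        "ip_forwarding": values.get("net.inet.ip.forwarding") == 1,
    }


def report(ipsec_text=IPSECCTL_S_ALL, pf_text=PFCTL_S_RULES, sysctl_text=SYSCTL_OUT):
    """Return the sorted names of failed checks; an empty list means all present."""
    findings = {}
    findings.update(check_ipsec(ipsec_text))
    findings.update(check_pf(pf_text))
    findings.update(check_sysctl(sysctl_text))
    return sorted(name for name, ok in findings.items() if not ok)


if __name__ == "__main__":
    failed = report()
    for name in failed:
        print("MISSING:", name)
    print("all checks passed" if not failed else f"{len(failed)} check(s) failed")
```

Run it against your own captured output by passing the three texts to `report()`; the regexes expect the rule wording `pfctl -s rules` prints (for example `port = 500`), not the shorthand written in pf.conf, so pass the parsed ruleset rather than the config file.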
I don't know how I overlooked that! Thanks, jggimi. It is now lol