L2TP/IPSEC configuration error
Hi,
I tried configuring an IPSEC road-warrior tunnel between OpenBSD & Android but for some reason it cannot establish a connection. Configuration files listed below -
1. /etc/ipsec.conf
Code:
# cat /etc/ipsec.conf
ext_if="re0"
key="XXXXXXXXXXXXXXX"

ike passive esp transport proto udp from $ext_if to any port 1701 main auth "hmac-sha1" enc "aes" group modp2048 quick auth "hmac-sha1" enc "aes" psk $key
2. /etc/npppd/npppd.conf
Code:
authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
	listen on 0.0.0.0
	listen on ::
}

ipcp IPCP {
	pool-address 10.0.0.2-10.0.0.254
	dns-servers 8.8.8.8
}

interface tun0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
3. /etc/pf.conf
Code:
block drop in quick on egress proto tcp from <sshguard> to any port = 22 label "ssh bruteforce"
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
block return all
pass quick proto esp all
pass quick proto ah all
pass in inet proto udp from any to 172.31.38.214 port = 500
pass in inet proto udp from any to 172.31.38.214 port = 4500
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
4. /etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ipcomp.enable=1
Code:
# netstat -f inet -an | grep udp
...
udp          0      0  10.0.0.1.4500          *.*
udp          0      0  *.514                  *.*
udp          0      0  *.4500                 *.*
udp          0      0  *.500                  *.*
udp          0      0  10.0.0.1.500           *.*
udp          0      0  172.31.38.214.4500     *.*
udp          0      0  172.31.38.214.500      *.*
udp          0      0  127.0.0.1.4500         *.*
udp          0      0  127.0.0.1.500          *.*
udp          0      0  *.1701                 *.*
Code:
Nov 29 12:02:50 ireland2 npppd[30421]: Starting npppd pid=30421 version=5.0.0
Nov 29 12:02:50 ireland2 npppd[30421]: pptpd GRE protocol not allowed
Nov 29 12:02:50 ireland2 npppd[30421]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: tun0 Started ip4addr=10.0.0.1
Nov 29 12:02:50 ireland2 npppd[30421]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Nov 29 12:02:50 ireland2 npppd[30421]: Added 13 routes for new pool addresses
Nov 29 12:02:50 ireland2 npppd[30421]: Loading pool config successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:03:01 ireland2 isakmpd[45551]: isakmpd: starting
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 29 12:05:02 ireland2 last message repeated 5 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 29 12:05:02 ireland2 last message repeated 2 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: message_negotiate_sa: no compatible proposal found
Nov 29 12:05:02 ireland2 isakmpd[46343]: dropped message from 176.XXX.XX.XXX port 60878 due to notification type NO_PROPOSAL_CHOSEN
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=176.XXX.XX.XXX:56419/udp tunnel_id=1/46652 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 SendSCCRP
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd Received from=176.XXX.XX.XXX:56419: bad control message: tunnelId=0 is not found. mestype=StopCCN
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Finished

Disclaimer: I don't run L2TP/IPSec, so this may be unintentionally misleading.
There are several more modern "howto" documents floating around the Internet since the first 2012 article on L2TP/IPSec was published at the OpenBSD Journal. This one recommends enc "3des" for your ipsec.conf, and therefore there may be something to it, as isakmpd(8) complains that it was expecting 3DES_CBC in your log.

Code:
# tail -f /var/log/daemon
Dec 1 04:13:06 ireland2 npppd[52928]: Starting npppd pid=52928 version=5.0.0
Dec 1 04:13:06 ireland2 npppd[52928]: pptpd GRE protocol not allowed
Dec 1 04:13:06 ireland2 npppd[52928]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Dec 1 04:13:07 ireland2 npppd[52928]: tun0 Started ip4addr=10.0.0.1
Dec 1 04:13:07 ireland2 npppd[52928]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Dec 1 04:13:07 ireland2 npppd[52928]: Added 13 routes for new pool addresses
Dec 1 04:13:07 ireland2 npppd[52928]: Loading pool config successfully.
Dec 1 04:13:07 ireland2 npppd[52928]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Dec 1 04:13:07 ireland2 npppd[52928]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Dec 1 04:13:17 ireland2 isakmpd[50851]: isakmpd: starting
Dec 1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 04:13:45 ireland2 last message repeated 5 times
Dec 1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec 1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 04:13:45 ireland2 isakmpd[8721]: message_negotiate_sa: no compatible proposal found
Dec 1 04:13:45 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 743 due to notification type NO_PROPOSAL_CHOSEN
Dec 1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=xxx.xxx.xxx.xx:7416/udp tunnel_id=1/35377 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Dec 1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 SendSCCRP
Dec 1 04:14:17 ireland2 npppd[52928]: l2tpd Received from=xxx.xxx.xxx.xx:7416: bad control message: tunnelId=0 is not found. mestype=StopCCN
Dec 1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Dec 1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Finished

Some progress after minor changes in ipsec.conf but still can't connect -
Code:
ext_if="re0"
key="XXXXXXX"

ike passive esp transport proto udp from $ext_if to any port 1701 main auth "hmac-md5" enc "3des" group modp1024 quick auth "hmac-md5" enc "3des" psk $key
Code:
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 05:07:54 ireland2 last message repeated 17 times
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected MD5
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected MD5
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Dec 1 05:07:57 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:07:57 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:00 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:00 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:04 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:04 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:06 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:06 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:09 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:09 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:13 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:13 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:18 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:18 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:19 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:19 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:20 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:20 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:24 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec 1 05:08:24 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec 1 05:08:27 ireland2 npppd[52928]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=xxx.xxx.xxx.xx:8061/udp tunnel_id=4/61333 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Dec 1 05:08:27 ireland2 npppd[52928]: l2tpd ctrl=4 SendSCCRP
Dec 1 05:08:27 ireland2 npppd[52928]: l2tpd Received from=xxx.xxx.xxx.xx:8061: bad control message: tunnelId=0 is not found. mestype=StopCCN
Dec 1 05:08:39 ireland2 npppd[52928]: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
Dec 1 05:08:39 ireland2 npppd[52928]: l2tpd ctrl=4 logtype=Finished

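Reading the isakmpd(8) rejections above by hand gets tedious once the peer offers many transforms, so here is an added example (not from the thread) that parses the attribute_unacceptable, phase 2 ID and notification lines from /var/log/daemon, summarises per attribute which peer values were rejected and which local values they were compared against, and flags any phase 2 responder ID that differs from the address you pass as the local one. The sample log and every address in it are constructed, and local_addr is an assumed parameter, not an isakmpd option.

```python
import re
from collections import defaultdict

# Constructed sample in the format isakmpd(8) writes to /var/log/daemon,
# modelled on the thread's output; all addresses are documentation placeholders.
SAMPLE_LOG = """\
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec 1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 05:07:54 ireland2 isakmpd[8721]: message_negotiate_sa: no compatible proposal found
Dec 1 05:07:54 ireland2 isakmpd[8721]: dropped message from 203.0.113.5 port 8055 due to notification type NO_PROPOSAL_CHOSEN
Dec 1 05:07:57 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 198.51.100.7
Dec 1 05:07:57 ireland2 isakmpd[8721]: dropped message from 203.0.113.5 port 8055 due to notification type INVALID_ID_INFORMATION
"""

ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
PH2_RE = re.compile(r"phase 2 IDs: initiator id ([^,\s]+), responder id (\S+)")
DROP_RE = re.compile(r"due to notification type (\w+)")


def analyse(log, local_addr):
    """Summarise why isakmpd rejected the peer's proposals.

    isakmpd only logs attributes that did NOT match, so 'rejected' holds the
    peer values that failed and 'accepted' the local ike rule values they were
    compared against (a transform must match on every attribute at once).
    local_addr (assumed parameter) is the address isakmpd listens on; a phase 2
    responder ID that differs from it is reported, since the peer is then
    addressing an identity this host does not have (e.g. a public IP in front
    of a NATed server).
    """
    rejected, accepted = defaultdict(set), defaultdict(set)
    foreign_responder_ids, notifications = set(), defaultdict(int)
    for line in log.splitlines():
        if m := ATTR_RE.search(line):
            attr, got, exp = m.groups()
            rejected[attr].add(got)
            accepted[attr].add(exp)
        elif m := PH2_RE.search(line):
            _initiator_id, responder_id = m.groups()
            if responder_id != local_addr:
                foreign_responder_ids.add(responder_id)
        elif m := DROP_RE.search(line):
            notifications[m.group(1)] += 1
    return {
        "phase1": {a: {"rejected": sorted(rejected[a]), "accepted": sorted(accepted[a])}
                   for a in rejected},
        "responder_ids_not_local": sorted(foreign_responder_ids),
        "notifications": dict(notifications),
    }
```

Run it over the real log with the address from the pf rules (172.31.38.214 in this thread) and an empty "rejected"/"accepted" overlap for an attribute tells you the client never offered anything the ike rule accepts.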
Code:
root@ireland2:~ # isakmpd -Kvd
121149.650921 Default isakmpd: starting [priv]
121230.595132 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595297 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595403 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595486 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595569 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595652 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595735 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595845 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595928 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595994 Default message_negotiate_sa: no compatible proposal found
121230.596057 Default dropped message from xxx.xx.xx.xxx port 301 due to notification type NO_PROPOSAL_CHOSEN

Yup, trying different things here, will update the thread.