Hey List,
I am trying to use OpenBSD 5.5 as a VPN endpoint for iOS 7.0 and OSX
10.9 native VPN clients, using L2TP/IPsec.
At the moment I am running the VPN end point on an internal server and
forwarding appropriate ports from the router:
- UDP 500 - Internet Key Exchange (IKE)
- UDP 1701 - L2TP traffic
- UDP 4500 - IPSec Network Address Translation (NAT-T)
(Long term plan is to replace the router with an OpenBSD box and
terminate the VPN there.)
It would seem that I am close, but can't overcome this last issue.
When I attempt to connect from an iOS device, in /var/log/messages I see
this error message repeated several times:
--
Jul 20 17:51:52 access isakmpd[2979]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 25.1.65.61, responder id XXX.XXX.XXX.XXX
Jul 20 17:51:52 access isakmpd[2979]: dropped message from YYY.YYY.YYY.YYY port 16659 due to notification type INVALID_ID_INFORMATION
--
Where XXX.XXX.XXX.XXX is the public IP address (in my case the cable
modem's external IP) and YYY.YYY.YYY.YYY is the iOS device attempting to
establish the VPN connection.
(The 25.1.65.61 address I don't recognize and appears to be UK Ministry
of Defence, so ah, wat? Assuming this is some weird
misconfiguration...)
The network topo looks like:
Internet - Cable Modem (XXX.XXX.XXX.XXX public ip) - Router Firewall
(forwarding ports) - OpenBSD
Any suggestions, even "You can't do that", would be appreciated.
Gord.
Details:
Internal network is 192.168.2.x
/etc/rc.conf.local
--
isakmpd_flags="-K"
ipsec=YES
--
/etc/npppd/npppd.conf
--
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 192.168.2.150-192.168.2.199
dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
--
/etc/npppd/npppd-users
--
juser:\
:password=SEEKRIT:\
:framed-ip-address=192.168.2.150:
--
/etc/ipsec.conf
--
public_ip = "192.168.2.232"
ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth "hmac-sha1" enc "aes" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "SEEKRIT"
--
/etc/pf.conf
--
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
--
/etc/sysctl.conf
--
net.inet.ip.forwarding=1
net.pipex.enable=1
--
--
$ dmesg
OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
--
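As an added troubleshooting aid (not part of the original post): the isakmpd messages above can be pulled out of /var/log/messages and the responder ID the peer proposed compared with the address used in the ipsec.conf flow. The log lines below are constructed to match the format quoted in the post, with documentation-range placeholder addresses; the local address set is assumed to be the `$public_ip` value from the posted ipsec.conf.

```python
import re
from collections import Counter

# Constructed sample, shaped like the isakmpd lines quoted in the post.
# Addresses are RFC 5737 documentation placeholders, not real peers.
SAMPLE_LOG = """\
Jul 20 17:51:52 access isakmpd[2979]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.7, responder id 203.0.113.5
Jul 20 17:51:52 access isakmpd[2979]: dropped message from 198.51.100.9 port 16659 due to notification type INVALID_ID_INFORMATION
Jul 20 17:51:55 access isakmpd[2979]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.7, responder id 203.0.113.5
Jul 20 17:51:55 access isakmpd[2979]: dropped message from 198.51.100.9 port 16659 due to notification type INVALID_ID_INFORMATION
Jul 20 17:52:01 access isakmpd[2979]: dropped message from 192.0.2.44 port 500 due to notification type INVALID_ID_INFORMATION
"""

ID_RE = re.compile(r"invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


def parse_isakmpd(log):
    """Return (list of (initiator_id, responder_id) pairs,
    Counter of peer address -> INVALID_ID_INFORMATION drops)."""
    ids, drops = [], Counter()
    for line in log.splitlines():
        m = ID_RE.search(line)
        if m:
            ids.append((m.group(1), m.group(2)))
            continue
        m = DROP_RE.search(line)
        if m and m.group(3) == "INVALID_ID_INFORMATION":
            drops[m.group(1)] += 1
    return ids, drops


def check_responder_ids(ids, local_ids):
    """Responder IDs proposed by peers that do not match any address the
    local ipsec.conf flow uses (the '$public_ip' value in the post).
    Behind NAT this is where the public and internal addresses diverge."""
    return sorted({resp for _, resp in ids if resp not in local_ids})


if __name__ == "__main__":
    ids, drops = parse_isakmpd(SAMPLE_LOG)
    for peer, n in drops.most_common():
        print(f"{peer}: {n} INVALID_ID_INFORMATION drop(s)")
    print("unmatched responder IDs:", check_responder_ids(ids, {"192.168.2.232"}))
```

On a real box, feed it `grep isakmpd /var/log/messages` and put the address from the `from` side of the ipsec.conf flow into `local_ids`.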