Hi,

On Mon, 22 Feb 2016 00:26:11 +0800
Jiahao Dai <jiahao.da...@gmail.com> wrote:
> I am a new OpenBSD user and I found it's extremely difficult to set up a
> L2TP/IPSec (IKEv1) Road Warrior server to get working with Android devices.
>
> I followed the tutorial here, Configuring L2TP Over IPSec on OpenBSD for
> Mac OS X Clients [1], deployed on fresh OpenBSD 5.8 and found out that an
> iOS 9.x iPad works like a charm.
>
> But the Android devices I had won't work by all means. I found out that
> the Android 5.x L2TP/IPSec VPN client works in:
> hash algorithm: hmac-sha2-256
> encrypt method: aes_cbc
> life time: 28800
>
> The ipsec.conf with:
> ``
> ike passive esp tunnel \
> from "IP_ADDRESS" to any \
> main auth "hmac-sha2-256" enc "aes" group "modp1024" lifetime 2880\
> quick group "modp1024" \
> psk "SECRET_KEY"
> ''
> didn't make a change (after `ipsecctl -f /etc/ipsec.conf`).
>
> The /var/log/messages didn't report anything as the VPN connection failed
> on the Android device.
>
> When debugging in the foreground with `isakmpd -v -K -d`

In this case, you should do "ipsecctl -f /etc/ipsec.conf" again after
starting isakmpd.

> It still reported that:
> ``
> 002212.657833 Default isakmpd: starting [priv]
> 002219.561051 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561236 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561386 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561546 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561664 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561746 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> 002219.561832 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> 002219.561916 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> 002219.562003 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> 002219.562085 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got DES_CBC, expected 3DES_CBC
> 002219.562189 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got DES_CBC, expected 3DES_CBC
> 002219.562308 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got DES_CBC, expected 3DES_CBC
> 002219.562385 Default message_negotiate_sa: no compatible proposal found
> 002219.562459 Default dropped message from 139.227.237.86 port 500 due to notification type NO_PROPOSAL_CHOSEN
> ^C002221.748476 Default isakmpd: shutting down...
> 002221.748562 Default isakmpd: exit
>
> ""
>
> I am trying to use aes and encryption algorithm but it seems that it keeps
> using 3des, what can I do?

It seems that the "ike" line in ipsec.conf wasn't applied to the received
packets.

I think you should:

- make sure to do "ipsecctl" after isakmpd starts
  (ipsec=YES in rc.conf.local does this)
- check the "ike" line (especially the IP address of "from")

> Please help. I have spent all my weekends on it, still no idea. Other ideas
> on VPN type with setup (except OpenVPN which needs additional software
> implement) are welcome.
> Jiahao Dai
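
The mismatch the reply points to can be pulled out of the debug output mechanically. The following Python sketch is an added example, not part of the original thread or of OpenBSD: it reads raw `isakmpd -d` lines in the format quoted above and reports attributes where the value isakmpd expected differs from what the "ike" rule configures. The `CONFIGURED` mapping, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the format of the isakmpd -d output above.
SAMPLE_LOG = """\
002219.561051 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
002219.561832 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
002219.562085 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got DES_CBC, expected 3DES_CBC
002219.562385 Default message_negotiate_sa: no compatible proposal found
"""

# Assumption: what the ike rule in the thread asks for (enc "aes", psk),
# written with the names isakmpd prints in its log.
CONFIGURED = {
    "ENCRYPTION_ALGORITHM": "AES_CBC",
    "AUTHENTICATION_METHOD": "PRE_SHARED",
}

LINE_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")


def summarize(log_text):
    """Count (attribute, offered, expected) triples in attribute_unacceptable lines."""
    matches = map(LINE_RE.search, log_text.splitlines())
    return Counter(m.groups() for m in matches if m)


def rule_not_applied(log_text, configured=CONFIGURED):
    """Return attributes whose 'expected' value is not the configured one.

    A non-empty result means isakmpd compared the peer's proposal against
    something other than the ike rule, i.e. the rule was not loaded or did
    not match the incoming packet.
    """
    findings = {}
    for attr, offered, expected in summarize(log_text):
        want = configured.get(attr)
        if want is not None and expected != want:
            entry = findings.setdefault(
                attr, {"configured": want, "expected": expected, "offered": set()}
            )
            entry["offered"].add(offered)
    return findings


if __name__ == "__main__":
    for attr, info in sorted(rule_not_applied(SAMPLE_LOG).items()):
        print(f"{attr}: configured {info['configured']}, isakmpd expected "
              f"{info['expected']}, peer offered {sorted(info['offered'])}")
```

An empty result after reloading the rules with `ipsecctl -f /etc/ipsec.conf` while isakmpd is running means the expected values now follow the "ike" line.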