On Thu, Aug 18, 2016 at 07:57:40PM +0000, Justin Mayes wrote:
> Hello all -
>
> I was also recently trying to do a simple ipsec/l2tp vpn. I found that it
> works fine for everything except my android 5.1.1 device.
This problem and a workaround were already discussed here:

http://marc.info/?l=openbsd-misc&m=145931891921713&w=2

Quote:
[[[
This issue is caused by Android, it sends ESP packets with wrong padding size
when SHA2-256 is selected for HMAC. It seems that Android is using an old
ietf draft for SHA2-256, but OpenBSD is using RFC 4868. When the issue
occurs, XXX packets with bad payload size or padding received counter in
"netstat -sp esp" will be incremented.

We can force using MD5 or SHA for HMAC to workaround this issue. To do this,
put the text below to /etc/isakmpd/isakmpd.policy and remove "-K" from
isakmpd_flags.

Authorizer: "POLICY"
Comment: This is test
Licensees: "passphrase:PASSPHRASE"
conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" \
    && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

--yasuoka
]]]
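To make the failure mode in the quoted explanation concrete, here is an added illustration (not code from this thread, from Android, or from OpenBSD). It assumes the draft/RFC disagreement is the ICV truncation length (96 bits in the old draft versus 128 bits in RFC 4868 for HMAC-SHA-256) and models a receiver that checks block alignment of the protected part before verifying the ICV; encryption is omitted so the ESP layout stays visible.

```python
import hmac
import hashlib

AES_BLOCK = 16           # cipher block size the padded payload must align to
ESP_HDR = 8              # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN_RFC4868 = 16     # HMAC-SHA-256-128: ICV truncated to 128 bits
ICV_LEN_OLD_DRAFT = 12   # earlier draft: 96-bit truncation (assumption)


def build_esp(key, spi, seq, plaintext, next_header, icv_len):
    """Build an (unencrypted) ESP packet: header || payload || padding || pad_len || NH || ICV."""
    pad_len = (-(len(plaintext) + 2)) % AES_BLOCK      # pad so body is block-aligned
    padding = bytes(range(1, pad_len + 1))               # RFC 4303 default pad bytes 1,2,3,...
    protected = plaintext + padding + bytes([pad_len, next_header])
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    icv = hmac.new(key, header + protected, hashlib.sha256).digest()[:icv_len]
    return header + protected + icv


def receive_esp(key, packet, icv_len):
    """Return ("ok", next_header, payload) or ("bad_payload_size" | "bad_icv", None, None).

    Like a kernel ESP input path, the length/alignment check runs before the
    ICV check, so a peer using the other ICV length trips the "bad payload size
    or padding" case rather than an authentication failure.
    """
    protected_len = len(packet) - ESP_HDR - icv_len
    if protected_len <= 0 or protected_len % AES_BLOCK != 0:
        return ("bad_payload_size", None, None)
    authed, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return ("bad_icv", None, None)
    protected = packet[ESP_HDR:-icv_len]
    pad_len, next_header = protected[-2], protected[-1]
    return ("ok", next_header, protected[:-2 - pad_len])


def demo():
    """Constructed key and payload; returns the three receiver verdicts."""
    key = b"constructed-test-key"
    agreed = build_esp(key, 0x1234, 1, b"hello", 17, ICV_LEN_RFC4868)
    draft = build_esp(key, 0x1234, 2, b"hello", 17, ICV_LEN_OLD_DRAFT)
    return (receive_esp(key, agreed, ICV_LEN_RFC4868)[0],   # "ok"
            receive_esp(key, draft, ICV_LEN_RFC4868)[0],    # "bad_payload_size"
            receive_esp(key, draft, ICV_LEN_OLD_DRAFT)[0])  # "ok" once both sides agree
```

The middle verdict is the case the counter in "netstat -sp esp" reflects: the packet is well formed for the sender's ICV length but misaligned for the receiver's, and negotiating a different HMAC (as the policy above does) sidesteps the disagreement.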