Hi Robert,

On 6 December 2016 03:05:34 CET, Robert Szasz <rsz...@saxonco.com> wrote:

> I'm trying to set up an L2TP/IPsec tunnel for roaming Windows users to
> tunnel in to our office network.
>
> I'm testing with the following setup:
>
> Win10 -> obsd5.9 (firewall doing NAT) -> {} -> obsd5.9 (IPsec)
>
> I'd like something reasonably robust, able to pass through most NAT a
> user might find themselves behind. Our current Cisco VPN handles that
> part fairly well, but otherwise is unreliable and a pain to manage.
>
> The connection process fails at stage 2 with the error message below,
> where X is the public IP of the box being connected to, Y is the IP
> of the firewall the Win10 machine is behind, and 10...58 is the private
> IP of the Win10 machine.
>
> Thanks,
>
> Robert Szasz
>
> Error in the isakmpd log:
>
> ---
>
> 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
> invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> 010420.423325 Default dropped message from y.y.y.y port 58544 due to
> notification type INVALID_ID_INFORMATION
And I guess that's the problem: the client goes "hi, I'm 10.1.1.58 and I'd like to connect" and isakmpd doesn't know any 10.1.1.58. IKEv1 is very picky about those things: when it doesn't expect an ID, no peer presenting one will be allowed to connect, AFAIK.

> ipsec.conf
>
> ike passive esp transport \
>         proto udp from x.x.x.x to any port 1701 \
>         main auth hmac-sha1 enc "aes" group modp2048 \
>         quick auth hmac-sha1 enc "aes" group modp2048 \
>         psk ""

Maybe adding local/peer or srcid/dstid will help. You can try using the client's current local IP of 10.1.1.58 as the ID to expect.

Regards,
Florian
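For reference, here is what Robert's rule looks like with Florian's srcid/dstid suggestion applied. This is an added example, not configuration posted by either of them: x.x.x.x stands for the gateway's public address and 10.1.1.58 for the test client's current private address as given in the thread, the PSK is a placeholder, and pinning dstid to one client address only serves to test the diagnosis for this one Win10 machine.

```conf
# /etc/ipsec.conf (added example, not from the thread)
# Expect the ID the Windows client actually sends in phase 2 (10.1.1.58)
# and present the gateway's own public address as our ID. Pinning dstid
# to a single private address only makes sense as a test for one client.
ike passive esp transport \
        proto udp from x.x.x.x to any port 1701 \
        main auth hmac-sha1 enc aes group modp2048 \
        quick auth hmac-sha1 enc aes group modp2048 \
        srcid x.x.x.x dstid 10.1.1.58 \
        psk "REPLACE_WITH_REAL_PSK"
```

After reloading with ipsecctl -f /etc/ipsec.conf, the INVALID_ID_INFORMATION drop in the isakmpd log should disappear for that client if the ID mismatch was the cause.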