I'll try it, but that would be a problem if I have to add the local address for any machine that wants to connect. I assume there is a way to work through NAT because it picked up nat-t and works for phase 1. I was hoping I had just missed a parameter in the ipsec.conf to get phase 2 working.

Thanks


On 12/6/2016 1:17 AM, Florian Ermisch wrote:

On 6 December 2016 10:04:34 CET, Florian Ermisch <florian.ermi...@alumni.tu-berlin.de> wrote:
Hi Robert,

On 6 December 2016 03:05:34 CET, Robert Szasz <rsz...@saxonco.com> wrote:
I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to tunnel in to our office network.

I'm testing with the following setup

Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)

I'd like something reasonably robust, able to pass through most NAT a user might find themselves behind. Our current cisco vpn handles that part fairly well, but otherwise is unreliable and a pain to manage.

The connection process fails at stage 2 with the error message below, where X is the public IP of the box being connected to, and Y is the ip of the firewall the win10 machine is behind; 10...58 is the private ip of the win10 machine.

Thanks,

Robert Szasz



error in the isakmpd log

---

010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
010420.423325 Default dropped message from y.y.y.y port 58544 due to
notification type INVALID_ID_INFORMATION
And I guess that's the problem: the client goes "hi I'm 10.1.1.58 and I'd like to connect" and isakmpd doesn't know no 10.1.1.58. IKEv1 is very picky about those things: When it doesn't expect an ID no peer presenting one will be allowed to connect AFAIK.
Little correction: the client comes from y.y.y.y but probably says it's 10.1.1.58, thus the presented ID doesn't match the one taken from the src address as your ipsec.conf doesn't specify one.

ipsec.conf

ike passive esp transport \
   proto udp from x.x.x.x to any port 1701 \
   main auth hmac-sha1 enc "aes" group modp2048 \
   quick auth hmac-sha1 enc "aes" group modp2048 \
   psk ""
Maybe adding local/peer or srcid/dstid will help. You can try with using the client's current local IP of 10.1.1.58 as ID to expect.

Regards, Florian
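As an added example (not part of the thread, and not something either poster reported testing), this is what Florian's srcid/dstid suggestion looks like when applied to the rule Robert posted, in ipsec.conf(5) syntax. The addresses x.x.x.x (the IPsec gateway's public IP) and 10.1.1.58 (the client's private IP) are the placeholders used in the thread; the PSK is a placeholder of my own.

```conf
# Added example: Robert's rule with an explicit phase 1 ID pair.
# x.x.x.x  = public IP of the IPsec gateway (from the thread)
# 10.1.1.58 = private IP of the Win10 client behind NAT (from the thread)
# The PSK value is a placeholder and must be replaced.
ike passive esp transport \
   proto udp from x.x.x.x to any port 1701 \
   main auth hmac-sha1 enc "aes" group modp2048 \
   quick auth hmac-sha1 enc "aes" group modp2048 \
   srcid x.x.x.x dstid 10.1.1.58 \
   psk "PLACEHOLDER_PSK"
```

Before loading it, `ipsecctl -n -f /etc/ipsec.conf` parses the file without applying it, which catches syntax slips such as a missing space before a continuation backslash. Note what this rule does and does not do: because dstid pins the expected peer ID to one private address, it only admits the single client at 10.1.1.58, which is exactly the limitation Robert raises for roaming users. It is useful for confirming that the phase 2 ID mismatch in the isakmpd log is the cause, not as a final configuration for many clients behind differing NATs.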
