On 12/06/2016 11:04 AM, Florian Ermisch wrote:
> And I guess that's the problem: the client
> goes "hi I'm 10.1.1.58 and I'd like to
> connect" and isakmpd doesn't know no
> 10.1.1.58. IKEv1 is very picky about those
> things: When it doesn't expect an ID no
> peer presenting one will be allowed to
> connect AFAIK.
> Maybe adding local/peer or srcid/dstid
> will help. You can try with using the
> client's current local IP of 10.1.1.58
> as the ID to expect.
Hi folks, I faced the same issue. Here are my details.
1) Win7, which is behind a 3G wireless router (192.168.5.250)
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
Physical Address. . . . . . . . . : 00-1F-00-12-00-91
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.250
DNS Servers . . . . . . . . . . . : 192.168.5.250
NetBIOS over Tcpip. . . . . . . . : Enabled
A "my IP" lookup in the browser gives me 78.111.187.234 as my real
public IP on the Internet.
VPN connection details:
Security: L2TP,
Advanced settings: Use preshared key (one from ipsec.conf),
Data encryption: Require encryption,
Authentication: Allow CHAP, MS-CHAP v2
2) OpenBSD side.
ipsec.conf:
ike passive esp transport \
        proto udp from any to any port 1701 \
        main auth hmac-sha1 enc aes group modp2048 \
        quick auth hmac-sha1 enc 3des \
        psk "secret"
pf.conf:
set skip on { lo0, tun0 }
pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
pass in on $ext_if proto { esp, ah } from any to re1
pass on enc0 from any to any keep state (if-bound)
npppd.conf:
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
        listen on 195.68.x.y
}
ipcp IPCP {
        pool-address 192.168.222.2-192.168.222.254
        dns-servers 192.168.8.254
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
3) Action.
I start npppd and isakmpd, apply ipsecctl -f /etc/ipsec.conf
and then connect from the Win7 client.
# npppd -d
2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
2017-02-01 13:28:10:NOTICE: Load configuration
from='/etc/npppd/npppd.conf' successfully.
2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
2017-02-01 13:28:10:INFO: ipcp=IPCP pool
dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
2017-02-01 13:28:10:INFO: Loading pool config successfully.
2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS)
[L2TP]
# isakmpd -Kdv
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id
192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed
invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due
to notification type INVALID_ID_INFORMATION
^C134045.852435 Default isakmpd: shutting down...
134045.852621 Default isakmpd: exit
# tcpdump -i re1 -nvvv host 78.111.187.234
tcpdump: listening on re1, link-type EN10MB
13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0
exchange ID_PROT
cookie: f226e0502ef70be5->0000000000000000 msgid: 00000000 len: 384
payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0
exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 188
payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad
ip cksum 0! -> 676d)
13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0
exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0
exchange ID_PROT
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len
416, bad ip cksum 0! -> bb64)
13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp
v1.0 exchange ID_PROT encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len:
76 (ttl 122, id 6815, len 108)
13:40:08.194153 195.68.x.y.4500 > 78.111.187.234.4500: udpencap: isakmp
v1.0 exchange ID_PROT encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len:
92 (ttl 64, id 31649, len 124, bad ip cksum 0! -> 6cab)
13:40:08.307177 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp
v1.0 exchange QUICK_MODE encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000001 len:
332 (ttl 123, id 6816, len 364)
13:40:08.307699 195.68.x.y.4500 > 78.111.187.234.4500: udpencap: isakmp
v1.0 exchange INFO encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid: c2fa3631 len:
76 (ttl 64, id 41987, len 108, bad ip cksum 0! -> 4459)
I've also tried to connect directly from an iPhone by
adjusting the main and quick sections in ipsec.conf a bit,
but got the same result with "invalid phase 2".
When I change the Win7 VPN Data encryption setting to
"Optional encryption" and don't use isakmpd on the server
side, I can connect to npppd and get access to the
resources behind the server.
However, I don't know if this gives a good security level
(I mean whether the data is secured from a man-in-the-middle), and this
is why I want to go further with IPsec.
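The isakmpd log above shows the pattern Florian described: phase 1 completes with an initiator ID of 192.168.5.88 (the client's private LAN address), while the packets actually arrive from 78.111.187.234 on UDP 4500, and quick mode is then refused with INVALID_ID_INFORMATION. The script below is an added example, not code from this thread or from OpenBSD; it parses isakmpd -Kdv log lines of the wording shown above and flags peers whose presented ID is a private address that differs from the address their packets come from, which is the usual signature of an L2TP/IPsec client behind a NAT router. The sample log is constructed from the quoted excerpt, with the poster's masked 195.68.x.y replaced by the TEST-NET placeholder 203.0.113.10; the labels it prints are the script's own.

```python
"""Triage isakmpd -Kdv log lines for ID/NAT mismatches (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the isakmpd excerpt from the mail with wrapped lines
# rejoined and the masked responder address replaced by 203.0.113.10.
SAMPLE_LOG = """\
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 203.0.113.10, src: 203.0.113.10 dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 203.0.113.10
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
"""

# Regexes follow the wording of the quoted log lines.
PHASE1_RE = re.compile(
    r"phase 1 done \(as responder\): initiator id (?P<iid>\S+), "
    r"responder id (?P<rid>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)"
)
PHASE2_BAD_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<iid>\S+), "
    r"responder id (?P<rid>\S+)"
)
DROPPED_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)


@dataclass
class PeerState:
    address: str                 # outer source address of the peer's packets
    presented_id: str = ""       # initiator ID payload seen in phase 1
    phase2_ids: tuple = ()       # (initiator id, responder id) refused in quick mode
    nat_traversal: bool = False  # traffic seen on UDP 4500 (NAT-T)
    notifications: list = field(default_factory=list)


def is_private_ipv4(text: str) -> bool:
    """True for RFC 1918 style addresses; False for FQDN or other ID types."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def triage(log_text: str) -> dict:
    """Group isakmpd log lines by peer address and collect the ID facts."""
    peers: dict = {}
    current = None  # phase 2 lines name no address: attach to the last phase 1 peer
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            current = peers.setdefault(m["dst"], PeerState(m["dst"]))
            current.presented_id = m["iid"]
        elif (m := PHASE2_BAD_RE.search(line)) and current is not None:
            current.phase2_ids = (m["iid"], m["rid"])
        elif m := DROPPED_RE.search(line):
            peer = peers.setdefault(m["peer"], PeerState(m["peer"]))
            peer.notifications.append(m["notify"])
            if m["port"] == "4500":
                peer.nat_traversal = True
    return peers


def verdict(peer: PeerState) -> tuple:
    """Classify one peer as (label, explanation); labels are this script's own."""
    if "INVALID_ID_INFORMATION" not in peer.notifications:
        return ("ok", f"{peer.address}: no ID rejection logged")
    if (peer.presented_id and peer.presented_id != peer.address
            and is_private_ipv4(peer.presented_id)):
        return (
            "nat-id-mismatch",
            f"{peer.address} presents private ID {peer.presented_id} "
            f"(NAT-T={'yes' if peer.nat_traversal else 'no'}); phase 2 IDs "
            f"{peer.phase2_ids} were refused. Compare that ID with what the "
            f"ipsec.conf flow expects (srcid/dstid), not with the public address.",
        )
    return ("id-rejected", f"{peer.address}: phase 2 IDs {peer.phase2_ids} refused")


if __name__ == "__main__":
    for state in triage(SAMPLE_LOG).values():
        label, why = verdict(state)
        print(f"[{label}] {why}")
```

Run against the sample it reports the single peer 78.111.187.234 as nat-id-mismatch; fed a live isakmpd -Kdv log it separates peers whose ID was simply unexpected (id-rejected) from those that are clearly NATed, which is the distinction to settle before editing the flow's IDs.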