Your behind-NAT IPsec client should use its external IP (78.111.187.234) as the IKE identifier (IDi, the initiator ID) to be able to establish the SA. IMHO, the better option for your remote clients would be to use a different ID type, such as ID_RFC822_ADDR.
On Wed, Feb 1, 2017 at 4:19 AM, lilit-aibolit <lilit-aibo...@mail.ru> wrote:
> On 12/06/2016 11:04 AM, Florian Ermisch wrote:
>
>> And I guess that's the problem: the client
>> goes "hi I'm 10.1.1.58 and I'd like to
>> connect" and isakmpd doesn't know no
>> 10.1.1.58. IKEv1 is very picky about those
>> things: when it doesn't expect an ID, no
>> peer presenting one will be allowed to
>> connect AFAIK.
>>
>> Maybe adding local/peer or srcid/dstid
>> will help. You can try with using the
>> client's current local IP of 10.1.1.58
>> as the ID to expect.
>
> Hi folks, I faced the same issue. Here are my details.
>
> 1) Win7 which is behind a 3G wireless router (192.168.5.250)
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
> Physical Address. . . . . . . . . : 00-1F-00-12-00-91
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.5.250
> DNS Servers . . . . . . . . . . . : 192.168.5.250
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> A "my IP" lookup in the browser gives me 78.111.187.234 as my real
> public IP on the Internet.
>
> VPN connection details:
> Security: L2TP,
> Advanced settings: Use preshared key (the one from ipsec.conf),
> Data encryption: Require encryption,
> Authentication: Allow CHAP, MS-CHAP v2
>
> 2) OpenBSD side.
>
> ipsec.conf:
>
> ike passive esp transport \
>     proto udp from any to any port 1701 \
>     main auth hmac-sha1 enc aes group modp2048 \
>     quick auth hmac-sha1 enc 3des \
>     psk "secret"
>
> pf.conf:
>
> set skip on { lo0, tun0 }
> pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
> pass in on $ext_if proto { esp, ah } from any to re1
> pass on enc0 from any to any keep state (if-bound)
>
> npppd.conf:
>
> authentication LOCAL type local {
>     users-file "/etc/npppd/npppd-users"
> }
> tunnel L2TP protocol l2tp {
>     listen on 195.68.x.y
> }
> ipcp IPCP {
>     pool-address 192.168.222.2-192.168.222.254
>     dns-servers 192.168.8.254
> }
> interface tun0 address 192.168.222.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to tun0
>
> 3) Action.
> I start npppd and isakmpd, apply ipsecctl -f /etc/ipsec.conf,
> and then connect from the Win7 client.
>
> # npppd -d
> 2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
> 2017-02-01 13:28:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
> 2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
> 2017-02-01 13:28:10:INFO: ipcp=IPCP pool dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
> 2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
> 2017-02-01 13:28:10:INFO: Loading pool config successfully.
> 2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) [L2TP]
>
> # isakmpd -Kdv
> 133951.389348 Default isakmpd: starting [priv]
> 134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
> 134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
> 134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
> ^C134045.852435 Default isakmpd: shutting down...
> 134045.852621 Default isakmpd: exit
>
> # tcpdump -i re1 -nvvv host 78.111.187.234
> tcpdump: listening on re1, link-type EN10MB
> 13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->0000000000000000 msgid: 00000000 len: 384
>         payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
> 13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 188
>         payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad ip cksum 0! -> 676d)
> 13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 388
>         payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
> 13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 388
>         payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len 416, bad ip cksum 0! -> bb64)
> 13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 76 (ttl 122, id 6815, len 108)
> 13:40:08.194153 195.68.x.y.4500 > 78.111.187.234.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000000 len: 92 (ttl 64, id 31649, len 124, bad ip cksum 0! -> 6cab)
> 13:40:08.307177 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: 00000001 len: 332 (ttl 123, id 6816, len 364)
> 13:40:08.307699 195.68.x.y.4500 > 78.111.187.234.4500: udpencap: isakmp v1.0 exchange INFO encrypted
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid: c2fa3631 len: 76 (ttl 64, id 41987, len 108, bad ip cksum 0! -> 4459)
>
> I've also tried to connect directly from an iPhone by
> adjusting the main and quick sections in ipsec.conf a bit,
> but got the same result with "invalid phase 2".
>
> When I change the Win7 VPN Data encryption setting to
> "Optional encryption" and don't use isakmpd on the server
> side, then I can connect to npppd and get access to
> resources behind the server.
> However, I don't know if this gives a good security level
> (I mean whether the data is secured from man-in-the-middle), and this
> is why I want to go further with IPsec.
>
> --
> Best regards, Yury.
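A small triage script for the isakmpd output quoted above, added here as an example (it is not code from the thread, from OpenBSD or from isakmpd). It reads `isakmpd -Kdv` lines, pulls out the phase 1 initiator ID and the address the packets really came from, and reports the mismatch the reply points at: an RFC 1918 IDi arriving from a public address behind NAT-T, followed by the INVALID_ID_INFORMATION drop. The sample log is constructed after the lines in the thread, with 203.0.113.10 standing in for the masked responder address 195.68.x.y. The `dstid` line it prints is an assumed fix that follows the reply's advice (expect the client's public address as its ID, or move the client to a user-FQDN ID, which ipsec.conf(5) selects for any ID containing '@'); whether the Windows client can be made to send either ID is not something the thread establishes.

```python
"""Triage isakmpd -Kdv output for the NAT / phase 2 ID problem in the thread.

Added example, not code from the thread or from OpenBSD.  SAMPLE_LOG is
constructed after the lines quoted above; 203.0.113.10 stands in for the
masked responder address 195.68.x.y.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 203.0.113.10, src: 203.0.113.10 dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 203.0.113.10
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
"""

PHASE1_RE = re.compile(
    r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<idi>\S+), "
    r"responder id (?P<idr>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)"
)
PHASE2_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<idi>\S+), "
    r"responder id (?P<idr>\S+)"
)
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)


@dataclass
class IkeSession:
    role: Optional[str] = None
    initiator_id: Optional[str] = None   # IDi the peer presented in phase 1
    responder_id: Optional[str] = None
    peer_addr: Optional[str] = None      # address the packets actually came from
    rejected_phase2_id: Optional[str] = None
    notifications: List[str] = field(default_factory=list)
    nat_t: bool = False                  # peer moved to UDP 4500 (NAT-T)


def parse_isakmpd_log(text: str) -> IkeSession:
    """Pull IDs and addresses out of isakmpd's phase 1 / phase 2 messages."""
    s = IkeSession()
    for line in text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            s.role, s.initiator_id, s.responder_id = m["role"], m["idi"], m["idr"]
            s.peer_addr = m["dst"]   # as responder (the thread's case) dst is the remote peer
            continue
        m = PHASE2_RE.search(line)
        if m:
            s.rejected_phase2_id = m["idi"]
            continue
        m = DROP_RE.search(line)
        if m:
            s.notifications.append(m["notify"])
            if m["port"] == "4500":
                s.nat_t = True
    return s


def _is_private_ip(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:            # FQDN / user@fqdn style IDs are not addresses
        return False


def diagnose(s: IkeSession) -> List[str]:
    """Explain the rejection in terms of what the log actually shows."""
    findings = []
    if s.initiator_id and s.peer_addr and s.initiator_id != s.peer_addr:
        msg = f"peer at {s.peer_addr} identifies itself as {s.initiator_id}"
        if _is_private_ip(s.initiator_id) and not _is_private_ip(s.peer_addr):
            msg += " (RFC 1918 address: the client is behind NAT)"
        findings.append(msg)
    if s.nat_t:
        findings.append("peer switched to UDP 4500, so NAT-T is in use")
    if "INVALID_ID_INFORMATION" in s.notifications:
        findings.append(
            "phase 2 IDs rejected (INVALID_ID_INFORMATION): isakmpd did not "
            f"accept initiator id {s.rejected_phase2_id} for its configured flows"
        )
    return findings


def suggested_dstid(s: IkeSession, ufqdn: Optional[str] = None) -> str:
    """Assumed fix, following the reply: pin the expected peer ID in ipsec.conf(5).
    Without ufqdn, expect the client's public address as its ID; with ufqdn,
    expect a user-FQDN ID (an ID containing '@' is taken as ID_USER_FQDN, the
    IKEv1 name for ID_RFC822_ADDR).  The client must be configured to send it."""
    return f"dstid {ufqdn}" if ufqdn else f"dstid {s.peer_addr}"


if __name__ == "__main__":
    session = parse_isakmpd_log(SAMPLE_LOG)
    for finding in diagnose(session):
        print("-", finding)
    print("try:", suggested_dstid(session))
    print("or: ", suggested_dstid(session, "yury@example.org"))
```

Run it against a real `isakmpd -Kdv` capture by replacing SAMPLE_LOG with the file contents; the useful signal is the first finding, since an IDi that is an RFC 1918 address arriving from a public source is exactly the NAT situation in which the flow in ipsec.conf will never match the peer's proposed IDs.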