Hi,
With L2TP I have a situation where iOS and Android devices can connect
but Windows 7 and Windows 10 can't.
Is it possible to adjust ipsec.conf somehow so it accepts
connections from Windows clients too?
Or is there a way to adjust some settings in Windows so it
will work with the current ipsec.conf?
I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on { lo0, tun0 }
Here is ipsec.conf:
ike passive esp transport \
proto udp from a.b.x.y to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "password"
Here is npppd.conf:
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
listen on x.x.y.y
}
ipcp IPCP {
pool-address 192.168.222.2-192.168.222.254
dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
Log from Android:
Oct 2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ
from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1
hostname=anonymous vendor=(no vendorname) firm=0000
Oct 2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind
ppp=3
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART
user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634
auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962
PIPEX is ready.
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes
Log from iPhone 6s:
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_512, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ
from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4
hostname=xxx-iPhone vendor=(no vendorname) firm=0000
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind
ppp=2
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART
user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367
auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161
PIPEX is ready.
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes
Log from iPhone 4s:
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ
from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4
hostname=xxx vendor=(no vendorname) firm=0000
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind
ppp=0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART
user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028
auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct 2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660
PIPEX is ready.
And an unsuccessful connection from Win7:
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible
proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134
port 16884 due to notification type NO_PROPOSAL_CHOSEN
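As an added illustration (not code from either poster), the following Python groups the isakmpd lines above into connection attempts and shows why the iPhone connects despite its attribute_unacceptable lines while the Win7 attempt does not: an attempt only fails when isakmpd drops the message with NO_PROPOSAL_CHOSEN. The sample log is constructed from the lines quoted above (wrapped lines joined), and the function names are my own.

```python
import re

# Constructed sample built from the lines quoted in this thread: one iPhone
# attempt that still connected and one Windows 7 attempt that did not.
SAMPLE_LOG = """\
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
"""

ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got ([^,]+), expected (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")
SCCRQ_RE = re.compile(r"RecvSCCRQ from=([\d.]+):\d+/udp")  # IPv4 peers only

def summarize(log_text):
    """Group isakmpd/npppd lines into attempts. Each attribute_unacceptable
    line is one client transform the server rejected. An attempt ends when
    npppd logs the L2TP SCCRQ (IPsec came up, so a later transform matched)
    or when isakmpd drops the message with NO_PROPOSAL_CHOSEN (none did)."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if cur is None:
            cur = {"peer": None, "outcome": "incomplete", "rejected": {}, "expected": {}}
        if m := ATTR_RE.search(line):
            attr, got, exp = m.groups()
            if got not in cur["rejected"].setdefault(attr, []):
                cur["rejected"][attr].append(got)
            cur["expected"][attr] = exp
        elif m := SCCRQ_RE.search(line):
            cur.update(peer=m.group(1), outcome="connected")
            attempts.append(cur)
            cur = None
        elif m := DROP_RE.search(line):
            cur.update(peer=m.group(1), outcome="failed:" + m.group(2))
            attempts.append(cur)
            cur = None
    return attempts

def needs_new_transform(attempt):
    """Rejected transforms only matter when the whole attempt failed:
    return the (attribute, client value) pairs isakmpd had no match for."""
    if not attempt["outcome"].startswith("failed"):
        return []
    return sorted((a, g) for a, gots in attempt["rejected"].items() for g in gots)
```

For the Win7 attempt this reports GROUP_DESCRIPTION/MODP_2048 and ENCRYPTION_ALGORITHM/3DES_CBC, i.e. nothing the client offered matched the single aes/modp1024 ike line posted above. The output only shows what the client offered; which of those values to accept in ipsec.conf is a policy decision.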
On 02/10/17 23:03, Charles Amstutz wrote:
Hello everyone,
I'm new to this list and L2TP/OpenBSD (but do have working UNIX/Linux
knowledge). After searching the previous forum posts (and the internet) I have
found a lot of information on L2TP ipsec.conf connection strings. However, I
can't get Android to connect. I keep getting "IKE negotiation failed" errors.
I've looked at sites such as:
http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc
I can get iOS to connect, but I can't get Android 7 to connect. I've read that
Android has bugs with the VPN client in 6.x and 7.x (not sure if it is fixed in
8 or not). However, what is confusing is that it connects just fine
to my Windows L2TP server. Bug tracker:
https://issuetracker.google.com/issues/37074640#c35
My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.
My questions:
1) Can you have more than one ike line in ipsec.conf? From my presumption
from looking at sites on the internet, you can; however, I am not sure.
https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is
just two examples.
2) Every time I read a site that says, "this configuration worked for me on
Android", it doesn't work for me. I presume it is my lack of understanding, though
I'm not ruling out the possible Android bug.
I appreciate any help.
Here is my ipsec.conf (this allows iOS to connect):
public_ip = "x.x.x.x"
ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth "hmac-sha1" enc "aes" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "PSK-GOES-HERE"
Here is my npppd.conf:
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
listen on 0.0.0.0
listen on ::
}
ipcp IPCP {
pool-address 10.0.0.101-10.0.0.254
dns-servers x.x.x.x
}
# use pppx(4) interface. use an interface per a ppp session.
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0