5.5, apart from no longer being supported, allows by default weaker
ciphers that aren't allowed since 5.9. This was the release that broke Android
6.x/7.x configs if you didn't specify which modp group you wanted.
On 05/10/17 06:51, Vivek Vinod wrote:
I do not understand the question, but this may be connected...
My Wi-Fi uses AD (LDAP) auth with certificates. I set this up using some
"guide" without understanding a thing. My iOS, Android and Mac clients connect
without a hitch. Windows 10 does not.
To get my Windows 10 to work, I have to copy over and install the certificates
from a previously connected Mac machine's keychain.
In your setup, can you check in your Windows 10 certificate store whether the necessary
certificates (if any) have been installed? If not, try copying the certificates. This is
Windows 10 behaviour. It may or may not be related to "self-signed
certificates".
Again, I do not understand a thing. Sorry for the noise.
Please excuse my brevity. Sent from my handphone.
Original Message
From: Vijay Sankar
Sent: Wednesday 4 October 2017 23:42
To: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1
Quoting Charles Amstutz <charl...@infinitesys.com>:
Yes,
I would like to know this as well. It seems annoying that Android
8/4.x and iOS can connect, but not Windows 10 (I haven't tried
earlier Windows 10) and Android 7.
It's either a user error (which I am willing to admit) or something
very annoying, especially when my L2TP PSK Windows server can accept
connections from anything, it seems.
I would like to get this figured out.
I appreciate all of the suggestions, but I still can't get Android 7
to connect, no matter which encryption, authentication or modp group I use.
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
Behalf Of lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: misc@openbsd.org
Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
Subject: Re: l2tp and openbsd 6.1
Hi,
With L2TP I have a situation where iOS and Android devices can
connect but Windows 7 and Windows 10 can't.
Is it possible to adjust ipsec.conf somehow so it accepts
connections from Windows clients too?
Or is there a way to adjust some settings in Windows so it works
with the current ipsec.conf?
I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on { lo0, tun0 }
Here is ipsec.conf:
ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"
Here is npppd.conf:
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on x.x.y.y
}
ipcp IPCP {
    pool-address 192.168.222.2-192.168.222.254
    dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
Log from Android:
Oct 2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Oct 2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct 2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes
Log from iPhone 6s:
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=0000
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2 ip=192.168.222.110 iface=tun0
Oct 2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct 2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes
Log from iPhone 4s:
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=0000
Oct 2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2 ip=192.168.222.101 iface=tun0
Oct 2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct 2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.
And an unsuccessful connection from Win7:
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
On 02/10/17 23:03, Charles Amstutz wrote:
Hello everyone,
I'm new to this list and L2TP/OpenBSD (but do have working
UNIX/Linux knowledge). After searching the previous forum posts
(and the internet) I have found a lot of information on L2TP
ipsec.conf connection strings. However, I can't get Android to
connect. I keep getting IKE negotiation failed errors.
I've looked at sites such as:
http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc
I can get iOS to connect, but I can't get Android 7 to connect. I've
read that Android has bugs with the VPN client in 6.x and 7.x (not
sure if it is fixed in 8 or not). However, what is confusing is that it
connects just fine to my Windows L2TP server. Bug tracker:
https://issuetracker.google.com/issues/37074640#c35
My goal: set up OpenBSD to work with iOS/Android/Windows/whatever.
My questions.
1) Can you have more than one ike line in ipsec.conf? From my
presumption after looking at sites on the internet, you can; however,
I am not sure.
https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
it is just two examples.
2) Every time I read a site that says, "this configuration
worked for me on Android", it doesn't work for me. I presume it is
my lack of understanding, though I'm not ruling out the possible
Android bug.
I appreciate any help.
Here is my ipsec.conf (this allows iOS to connect)
public_ip = "x.x.x.x"
ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "PSK-GOES-HERE"
Here is my npppd.conf
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
    listen on ::
}
ipcp IPCP {
    pool-address 10.0.0.101-10.0.0.254
    dns-servers x.x.x.x
}
# use pppx(4) interface. use an interface per PPP session.
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0
Unfortunately I am not sure whether what I am saying is correct or valid,
because maybe this stuff works for me only because I am using older
versions of Android etc., plus I am using a slightly modified OpenBSD
5.5 kernel. But you may want to try the following.
The order is important -- it doesn't seem to work if modp2048 is listed
after modp1024. If I do something like
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
ike passive esp transport proto udp from $local_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "mypsk"
in the order listed, it works, and it has been working for at least a
few years. To make sure I am not posting wrong information, I have
double-checked using Lenovo YogaPad (Android 4.4.2), Windows 7,
Windows 8, Windows 10, iOS 10.3.3, and MacOS 10.13.
I will try the same thing with -current and report back to the list if
it is useful.
Hope this helps.
Vijay
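The isakmpd "attribute_unacceptable" lines lilit-aibolit posted already say what the Windows 7 client proposed (3DES_CBC, MODP_2048) against what the single ike line in ipsec.conf offers (AES_CBC, MODP_1024), and Vijay's follow-up says the fix is extra ike lines with the larger group listed first. The script below is an added example for this thread, not OpenBSD or isakmpd code: it parses such log lines and prints candidate ike lines for every peer that ended in NO_PROPOSAL_CHOSEN. It assumes that the lines logged within one second belong to one negotiation attempt (isakmpd logs rejected attributes one by one and does not tie them to a peer or to a whole proposal), that the "dropped message from" line that follows names that peer, and that the KEYWORD table correctly maps isakmpd attribute values to ipsec.conf(5) keywords. The sample log is constructed from the iPhone 6s and Windows 7 excerpts above. Because only rejected attributes are visible, the output is a candidate list to be trimmed by hand, and anything 3DES, MD5 or 1024-bit is flagged so you do not enable it just because a client asked for it.

```python
"""Mine isakmpd 'attribute_unacceptable' lines for what a rejected IKEv1 peer
offered and print candidate ipsec.conf(5) ike lines. Added example; not
OpenBSD code. Timestamp grouping and the KEYWORD mapping are assumptions."""
import re
from collections import defaultdict

# Constructed sample, adapted from the iPhone 6s and Windows 7 excerpts in the thread.
SAMPLE_LOG = """\
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct 2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct 4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct 4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: (.*)$")
ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"dropped message from (\S+) port \d+ due to notification type NO_PROPOSAL_CHOSEN")

KEYWORD = {  # isakmpd attribute value -> ipsec.conf keyword (assumed mapping)
    "ENCRYPTION_ALGORITHM": {"AES_CBC": "aes", "3DES_CBC": "3des"},
    "HASH_ALGORITHM": {"SHA": "hmac-sha1", "MD5": "hmac-md5",
                       "SHA2_256": "hmac-sha2-256", "SHA2_512": "hmac-sha2-512"},
    "GROUP_DESCRIPTION": {"MODP_1024": "modp1024", "MODP_1536": "modp1536",
                          "MODP_2048": "modp2048"},
}
ATTR_FOR = {"enc": "ENCRYPTION_ALGORITHM", "auth": "HASH_ALGORITHM", "group": "GROUP_DESCRIPTION"}
WEAK = {"3des", "hmac-md5", "modp1024"}  # do not enable these just because a peer offers them


def parse_bursts(log):
    """One record per timestamp: the rejected values the peer offered per attribute,
    the peer address, and whether the exchange ended in NO_PROPOSAL_CHOSEN."""
    bursts, order = {}, []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not an isakmpd line
        ts, msg = m.groups()
        if ts not in bursts:
            bursts[ts] = {"ts": ts, "offered": defaultdict(set), "peer": None, "no_proposal": False}
            order.append(ts)
        b = bursts[ts]
        a = ATTR_RE.search(msg)
        if a:
            attr, got, _expected = a.groups()
            b["offered"][attr].add(got)
            continue
        d = DROP_RE.search(msg)
        if d:
            b["peer"], b["no_proposal"] = d.group(1), True
    return [bursts[ts] for ts in order]


def suggest_ike_lines(burst, configured):
    """Candidate main-mode proposals for a peer that got NO_PROPOSAL_CHOSEN: the
    configured value of each attribute first (it may still match another of the
    peer's proposals), then each rejected value the peer offered. Larger DH groups
    come first, per Vijay's observation that the modp2048 line must precede the
    modp1024 one. Phase 2 (quick) stays as configured; these logs are all phase 1."""
    if not burst["no_proposal"]:
        return []
    cands = {}
    for key, attr in ATTR_FOR.items():
        vals = [configured[key]]
        for v in sorted(KEYWORD[attr].get(x, x.lower()) for x in burst["offered"].get(attr, ())):
            if v not in vals:
                vals.append(v)
        cands[key] = vals
    cands["group"].sort(key=lambda g: int(re.sub(r"\D", "", g)), reverse=True)
    lines = []
    for g in cands["group"]:
        for e in cands["enc"]:
            for a in cands["auth"]:
                if (e, a, g) == (configured["enc"], configured["auth"], configured["group"]):
                    continue  # that is the existing line the peer just failed against
                weak = sorted(WEAK & {e, a, g})
                note = f"# candidate uses weak algorithm(s): {', '.join(weak)}\n" if weak else ""
                lines.append(
                    note
                    + "ike passive esp transport proto udp from $local_ip to any port 1701 \\\n"
                    + f'    main auth "{a}" enc "{e}" group {g} \\\n'
                    + f'    quick auth "{configured["auth"]}" enc "{configured["enc"]}" \\\n'
                    + '    psk "PSK-GOES-HERE"')
    return lines


def analyze(log, configured):
    """Map each peer (or timestamp, if no peer line was seen) that hit
    NO_PROPOSAL_CHOSEN to its candidate ike lines."""
    return {b["peer"] or b["ts"]: suggest_ike_lines(b, configured)
            for b in parse_bursts(log) if b["no_proposal"]}


if __name__ == "__main__":
    CONF = {"enc": "aes", "auth": "hmac-sha1", "group": "modp1024"}  # the thread's ipsec.conf
    for peer, lines in analyze(SAMPLE_LOG, CONF).items():
        print(f"# peer {peer}: candidate ike lines, order matters (larger group first)")
        print("\n".join(lines))
```

Run it against `grep isakmpd /var/log/daemon` with CONF set to what your ipsec.conf actually has. For the Windows 7 burst above it yields three candidates: aes/hmac-sha1/modp2048 (the one to try first, and the one Vijay's two-line config amounts to), then 3des/hmac-sha1/modp2048 and 3des/hmac-sha1/modp1024, both flagged. The iPhone burst produces nothing, since that negotiation did not end in NO_PROPOSAL_CHOSEN (the phone fell back to a proposal the existing line accepts).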