Hello Dani... this is just a report from the "works for me" department:
l...@ecentrum.hu (Lévai, Dániel), 2019.06.30 (Sun) 19:12 (CEST):
> I know (saw) this has come up numerous times, and someone has been
> successful, others weren't. I thought I'd try this out myself, and not
> surprisingly it wasn't successful :)
>
> So this is my configuration:
> OpenBSD 6.5-stable

Same here.

> /etc/ipsec.conf:
> ike passive esp transport \
>         proto udp \
>         from any to any port l2tp \
               ^^^ I have my external IP here
>         main auth "hmac-sha2" enc "aes-256" group modp1024 \
                             ^ 1 here ^^^^^^^ just "aes"     ^^^^ 2048 here
>         quick auth "hmac-sha2" enc "aes-256" \
                              ^ 1 here ^^^^^^^ just "aes"    I have "group modp2048" here, too ^^^^
>         psk "thisismykey"
               ^^^^^^^^^^^ same here :-)

Just tested:
auth "hmac-sha2" - does not work.
enc "aes-256"    - does not work.

Complete snippet:

ike passive esp transport proto udp \
        from AAA.BBB.CCC.DDD to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" group modp2048 \
        psk "thisismykey"

> Then doing an:
> /sbin/ipsecctl -vf /etc/ipsec.conf

For testing configs I had to make this "ipsecctl -Fvf /etc/ipsec.conf"!

[snip log]

> /etc/npppd/npppd.conf:
> =====================8<=====================

Same here.
Marcus

> So now when I connect from my Android 9 phone, set up as an L2TP/IPsec
> PSK connection, specifying the Server address as my internal LAN IP on
> the OpenBSD router (no NAT, just direct connection on the local
> network), setting the IPSec preshared key to the real key, and
> entering my username and password I've set for npppd(8), I'm getting
> this output from isakmpd(8):
> =====================8<=====================
> 190048.505560 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
> 190048.505768 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_3072
> 190048.505943 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
> 190048.530050 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.17, responder id 192.168.0.1, src: 192.168.0.1 dst: 192.168.5.17
> 190049.556596 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190049.556699 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190052.571991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190052.572093 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190055.594500 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190055.594593 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190058.615783 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190058.615909 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190101.642382 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190101.642478 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190104.674817 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190104.674885 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190107.702932 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190107.703001 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190110.728935 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190110.729004 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190113.760991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190113.761061 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> 190116.770799 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
> 190116.770869 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
> =====================8<=====================
>
> Now I'm stuck here. I don't really know why it wouldn't accept these "IDs", I
> thought I've covered all my bases with "from any/to any" in ipsec.conf(5).
> As for the attribute_unacceptable lines, I've tried to change the 'auth'
> attributes to "hmac-sha2-384", and I actually got the same messages... I also
> tried to set the 'group' option for the 'main' and 'quick' lines to modp3072,
> no luck there either.
>
> What also doesn't help is that every time my phone does an unsuccessful
> connection, I must restart it, because "something gets stuck there", and
> every subsequent connection attempt just doesn't do anything -- no packets
> are coming in from the phone anymore... Anyway.
>
> I hope someone has had success with this and could point me in some kind of
> direction I'm not seeing.
>
> Thanks in advance,
> Dani
>
> [1]:
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn-for-android.html
> http://openbsd-archive.7691.n7.nabble.com/L2TP-IPSec-via-npppd-won-t-work-with-Android-5-x-td290194.html
>
> --
> Lévai, Dániel
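Added example, not part of either mail in the thread: a small triage script for the kind of isakmpd(8) output quoted above. It separates the two things that happen in that log, the attribute_unacceptable lines (individual proposal transforms isakmpd rejected while still arriving at "phase 1 done") from the repeating phase 2 ID rejection that produces the INVALID_ID_INFORMATION drops, so that the part actually failing is obvious at a glance. The sample log is constructed, abbreviated from the quoted output; the KEYWORD table mapping isakmpd's transform names to ipsec.conf(5) keywords is an assumption limited to the names that occur in this thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed copy of the isakmpd(8) log quoted in the thread.
SAMPLE_LOG = """\
190048.505560 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
190048.505768 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_3072
190048.505943 Default attribute_unacceptable: HASH_ALGORITHM: got SHA2_384, expected SHA2_256
190048.530050 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.17, responder id 192.168.0.1, src: 192.168.0.1 dst: 192.168.5.17
190049.556596 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190049.556699 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
190052.571991 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.17, responder id 192.168.0.1
190052.572093 Default dropped message from 192.168.5.17 port 500 due to notification type INVALID_ID_INFORMATION
"""

ATTR_RE = re.compile(
    r"attribute_unacceptable: (?P<attr>\w+): got (?P<got>\w+), expected (?P<exp>\w+)")
PHASE1_RE = re.compile(
    r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<init>\S+), responder id (?P<resp>\S+),")
PHASE2_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<init>\S+), responder id (?P<resp>\S+)$")
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to notification type (?P<notif>\w+)")

# Assumed mapping from isakmpd transform names to ipsec.conf(5) keywords.
# Only the names that appear in the thread are listed; anything else is
# reported under its isakmpd name unchanged.
KEYWORD = {
    "SHA2_256": "hmac-sha2-256",
    "SHA2_384": "hmac-sha2-384",
    "MODP_1024": "modp1024",
    "MODP_3072": "modp3072",
}


def triage(log: str) -> dict:
    """Summarise an isakmpd log: rejected transforms, phase 1 completions,
    phase 2 ID rejections and the resulting dropped messages."""
    rejected = defaultdict(lambda: {"got": set(), "expected": set()})
    phase1 = []
    bad_ids = Counter()
    drops = Counter()
    for line in log.splitlines():
        if m := ATTR_RE.search(line):
            rejected[m["attr"]]["got"].add(m["got"])
            rejected[m["attr"]]["expected"].add(m["exp"])
        elif m := PHASE1_RE.search(line):
            phase1.append((m["role"], m["init"], m["resp"]))
        elif m := PHASE2_RE.search(line):
            bad_ids[(m["init"], m["resp"])] += 1
        elif m := DROP_RE.search(line):
            drops[(m["peer"], m["notif"])] += 1
    return {
        "rejected": {k: {s: sorted(v[s]) for s in v} for k, v in rejected.items()},
        "phase1_done": phase1,
        "invalid_phase2_ids": dict(bad_ids),
        "drops": dict(drops),
    }


def peer_wants(summary: dict) -> list:
    """The transforms the peer offered and isakmpd rejected, as ipsec.conf keywords
    (isakmpd's own name where no keyword is known)."""
    return sorted(KEYWORD.get(g, g)
                  for attr in summary["rejected"].values()
                  for g in attr["got"])


def verdict(summary: dict) -> str:
    """One line saying where the negotiation actually stops."""
    if summary["phase1_done"] and summary["invalid_phase2_ids"]:
        n = sum(summary["invalid_phase2_ids"].values())
        return (f"phase 1 completed; phase 2 rejected {n} time(s) on the proposed IDs "
                f"(INVALID_ID_INFORMATION), so the rejected phase 1 transforms are not the blocker")
    if not summary["phase1_done"] and summary["rejected"]:
        return "phase 1 never completed: no proposal matched the configured transforms"
    if summary["phase1_done"]:
        return "phase 1 completed and no phase 2 ID rejection seen"
    return "nothing recognisable in the log"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(verdict(s))
    print("peer offered:", ", ".join(peer_wants(s)))
    for attr, v in s["rejected"].items():
        print(f"  {attr}: got {v['got']} expected {v['expected']}")
```

Run against the full log from the thread it prints that phase 1 completed and every subsequent failure is the phase 2 ID check, which matches the point that changing 'auth' or 'group' alone did not change the messages: those lines are rejected alternatives, not the reason the tunnel never comes up.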