Hi fix...@gmail.com.

I use this set of parameters for L2TP+IPsec. It works fine both with Windows and Apple (including iOS 15 and OSX 12).

Hope it'll help you.

ike passive esp transport proto udp from 100.88.99.100 to any port 1701 \
    main auth hmac-sha1 enc aes-256 group modp2048 \
    quick auth hmac-sha1 enc aes \
    psk "<passwd>"

Regards.

On 19.02.22 00:55, fix...@gmail.com wrote:
On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote...
On Fri, Feb 18, 2022 at 11:43 AM I wrote:
ike passive esp transport proto udp from $public_ip to any \
   main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
   quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
   psk "THIS_IS_MY_IPSEC_PASSPHRASE"

ike passive esp transport proto udp from $public_ip to any \
  main auth "hmac-md5" enc "3des" group "modp1024" \
  quick auth "hmac-md5" enc "3des" group "modp1024" \
   psk "THIS_IS_MY_IPSEC_PASSPHRASE"
With isakmpd and ipsec.conf you can't have two proposals for the default
("to any") peer with different PFS groups, you will have to choose one
or the other. As-is the second will overwrite the first config block.
(Use ipsecctl -v to see the commands sent by ipsecctl to isakmpd;
it generates what are basically isakmpd.conf style config blocks and
sends them over the control socket).
It still fails even with one block, but this is good to know. Thanks.

You will save yourself a lot of trouble if you can move the newer machines
to IKEv2 .. (It would not be possible to run both isakmpd and iked on a
single OpenBSD machine though). Or alternatively wireguard or openvpn
(which _can_ coexist with IKEv1) though IKEv2 generally has a simpler
client config.
I'm not opposed to this and I've tried, but even now it still gives me
proposal errors from both iOS and MacOS

Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_add_error: NO_PROPOSAL_CHOSEN
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: send IKE_SA_INIT res 0 peer 100.64.10.10:57904 local 203.0.113.1:500, 36 bytes

--
Kind regards
Dimon
tel: +4158 1000428
mobile: +4178 7299592
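The iked(8) debug output in the thread lists every transform the Apple client offered, proposal by proposal, and then ends in NO_PROPOSAL_CHOSEN without saying which transform the responder refused. The following Python script is an added example (not code from the thread, from OpenBSD or from iked) that parses those `ikev2_log_proposal` lines, groups them by proposal number and checks each proposal against a responder policy using the IKEv2 rule from RFC 7296 section 3.3: a proposal is acceptable only if, for every transform type it carries, at least one offered transform is one the responder accepts. The two policy sets are assumptions made for the example: STRICT mirrors the intent of the ipsec.conf block quoted above (aes-256, hmac-sha2-256, modp2048), COMPAT adds the transforms the client actually offered; neither describes iked's built-in defaults. The sample log is the thread's own output in the form a mail client wraps it, which the parser tolerates because it only needs the `ikev2_log_proposal: IKE #n TYPE=transform` fragment intact on one line.

```python
import re
from collections import defaultdict

# iked(8) debug output quoted from the thread above, kept mail-wrapped on
# purpose: the parser only needs the proposal fragment to sit on one line.
IKED_LOG = """\
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_add_error: NO_PROPOSAL_CHOSEN
"""

# "<protocol> #<proposal number> <transform type>=<transform name>"
PROPOSAL_RE = re.compile(r"ikev2_log_proposal: (\w+) #(\d+) (\w+)=(\S+)")

# Assumed responder policies, written with the transform names iked logs.
# STRICT follows the aes-256 / hmac-sha2-256 / modp2048 intent of the
# ipsec.conf block in the thread; COMPAT additionally admits what the Apple
# client offered. Neither is a statement about iked's defaults.
STRICT_POLICY = {
    "ENCR": {"AES_CBC-256"},
    "PRF": {"HMAC_SHA2_256"},
    "INTEGR": {"HMAC_SHA2_256_128"},
    "DH": {"MODP_2048"},
}
COMPAT_POLICY = {
    "ENCR": {"AES_CBC-256", "AES_CBC-128"},
    "PRF": {"HMAC_SHA2_256", "HMAC_SHA1"},
    "INTEGR": {"HMAC_SHA2_256_128", "HMAC_SHA1_96"},
    "DH": {"MODP_2048", "MODP_1024"},
}


def parse_proposals(log_text, protocol="IKE"):
    """Group logged transforms by proposal: {4: {"ENCR": {"AES_CBC-128"}, ...}}."""
    proposals = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m and m.group(1) == protocol:
            _, num, ttype, transform = m.groups()
            proposals[int(num)][ttype].add(transform)
    return {num: dict(types) for num, types in proposals.items()}


def evaluate(proposals, policy):
    """Per proposal, the transform types with no overlap with the policy.

    A proposal is acceptable (empty list) when every transform type it
    carries has at least one offered transform in the responder's set.
    """
    report = {}
    for num, transforms in sorted(proposals.items()):
        rejected = []
        for ttype, offered in transforms.items():
            accepted = policy.get(ttype, set())
            if not offered & accepted:
                rejected.append(
                    f"{ttype}: offered {sorted(offered)}, accept {sorted(accepted)}")
        report[num] = rejected
    return report


def chosen_proposal(proposals, policy):
    """Lowest-numbered acceptable proposal, or None (NO_PROPOSAL_CHOSEN)."""
    for num, rejected in sorted(evaluate(proposals, policy).items()):
        if not rejected:
            return num
    return None


if __name__ == "__main__":
    props = parse_proposals(IKED_LOG)
    for name, policy in (("strict", STRICT_POLICY), ("compat", COMPAT_POLICY)):
        print(f"policy {name}: chosen proposal = {chosen_proposal(props, policy)}")
        for num, rejected in evaluate(props, policy).items():
            for reason in rejected:
                print(f"  #{num} rejected on {reason}")
```

Run against the thread's log, the STRICT policy rejects proposal #4 on all four transform types and #5 as well, which is the NO_PROPOSAL_CHOSEN the poster saw; the COMPAT policy selects #4 and rejects #5 only on ENCR=3DES. The same approach works for the ESP proposals iked logs during CREATE_CHILD_SA by passing `protocol="ESP"`.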
