Hi,

I'm running npppd/ipsec VPN server on ISP_A where I got a public IP address (A.A.A.A) on my WAN interface. It works just fine with Windows/Linux/iOS clients on the following conf for years.

## /etc/ipsec.conf
wan_ipv4 = A.A.A.A
ike passive esp transport \
        proto udp from $wan_ipv4 to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" \
        psk "pskpskpsk"

## /etc/npppd/npppd.conf
[...]
tunnel L2TP protocol l2tp {
        listen on A.A.A.A
[...]

I'm trying to run the same box on ISP_B, where I got a private IP 192.168.88.54 on my WAN interface and all the traffic is NATed one-to-one to a public IP (B.B.B.B). The following conf works fine with a Linux client but it doesn't work with WIN10/11.

## /etc/ipsec.conf
wan_ipv4 = B.B.B.B
ike passive esp transport \
        proto udp from $wan_ipv4 to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" \
        psk "pskpskpsk"

## /etc/npppd/npppd.conf
[...]
tunnel L2TP protocol l2tp {
        listen on 192.168.88.54
[...]

Apr 19 17:00:46 krz77-0405-fw isakmpd[50871]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_384, expected MODP_2048
Apr 19 17:00:46 krz77-0405-fw isakmpd[50871]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_256, expected MODP_2048

The log of the Windows connection ends here, there isn't even one npppd log line... I think that the above two error lines have no significance, they also occur in a working connection on ISP_A.

The box is running:

OpenBSD 7.7 (GENERIC.MP) #616: Sat Apr 5 04:25:05 MDT 2025
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Is there anything I missed in the configuration that could make the VPN work properly with Windows in this scenario?

Thanks!

--
Please do not CC me
Radek