VPN Between OpenBSD and iOS
Hello,

I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD VPN server. If I understand the problem correctly, it's unable to negotiate phase 2. I'd welcome any pointers.

Below, I've provided the output of uname, rc.conf.local, ipsec.conf, messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and replaced them with "", since this is already fairly long.

I welcome any suggestions/recommendations.

Thanks,

Matt

# uname -a
OpenBSD carbon.my.domain 5.4 GENERIC#37 i386

# cat /etc/rc.conf.local
ipsec=YES
isakmpd_flags="-Kv"
ftpproxy_flags=""
ntpd_flags=
pppd_flags=""
route6d_flags=""
named_flags=""

# grep -v ^# /etc/ipsec.conf
ike passive esp transport \
        proto udp \
        from any to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp1024 \
        quick auth "hmac-sha1" enc "aes-256" \
        psk "1"

# cat /var/log/messages
Dec 29 16:31:23 carbon named[6427]: starting BIND 9.4.2-P2
Dec 29 16:31:24 carbon named[6427]: command channel listening on 127.0.0.1#953
Dec 29 16:31:24 carbon named[6427]: command channel listening on ::1#953
Dec 29 16:31:24 carbon named[6427]: running
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:31:29 carbon npppd[22659]: Starting npppd pid=22659 version=5.0.0
Dec 29 16:31:30 carbon isakmpd[28467]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
Dec 29 16:31:30 carbon npppd[22659]: Load configuration from='/etc/npppd/npppd.conf' successfully.

Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.a.b.c, responder id 69.g.h.i, src: 69.g.h.i dst: 166.d.e.f
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:09 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:09 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:12 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:12 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:16 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:16 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:19 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:19 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:22 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:22 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:25 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:25 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.a.b.c, responder id 69.g.h.i
Dec 29 16:33:29 carbon isakmpd[28467]: dropped message from 166.d.e.f port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 166.d.e.f made us delete live SA peer-default for proto 1, initiator id: 10.a.b.c, responder id: 69.g.h.i

# tcpdump -vvr /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 116 to 65536
16:32:57.256488 mobile-166-d-e-f.mycingular.net.6885 > c-69.g.h.i.hsd1.va.comcast.net.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 84d030732a69f98e-> msgid: len: 500 payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
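The isakmpd log above shows the pattern a responder sees when phase 1 succeeds but every quick mode proposal is rejected: one "phase 1 done" line, then repeated "peer proposed invalid phase 2 IDs" / "dropped message ... INVALID_ID_INFORMATION" pairs until the peer deletes the SA. The following Python script is an added example, not code from the thread or from OpenBSD: it parses isakmpd(8) syslog lines of exactly those four shapes, aggregates them per remote peer, and reports peers stuck in that loop. The sample log lines are constructed in the shape of the excerpt above, with documentation-range addresses standing in for the poster's redacted ones. The diagnosis notes when the initiator's phase-2 ID is a private address that differs from the peer's public address (as with 10.a.b.c versus 166.d.e.f in the log); reading that as a NATed client proposing its inside address is an inference made here, not something the thread states.

```python
"""Summarize IKEv1 phase-2 failures from isakmpd(8) syslog output.

Added example (not from the mailing-list thread or from OpenBSD).  Groups
isakmpd log lines by remote peer, counts INVALID_ID_INFORMATION drops, and
flags peers whose phase 1 completed but whose quick mode IDs were rejected.
"""
import ipaddress
import re
from collections import defaultdict

# Common syslog prefix: "Dec 29 16:32:58 carbon isakmpd[28467]: "
HEADER = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "

# The four message shapes that appear in the thread's /var/log/messages.
RE_PHASE1 = re.compile(
    HEADER + r"isakmpd: phase 1 done \(as (?P<role>\w+)\): "
    r"initiator id (?P<init>[^,\s]+), responder id (?P<resp>[^,\s]+), "
    r"src: (?P<src>\S+) dst: (?P<dst>\S+)$")
RE_BAD_IDS = re.compile(
    HEADER + r"responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: "
    r"initiator id (?P<init>[^,\s]+), responder id (?P<resp>\S+)$")
RE_DROPPED = re.compile(
    HEADER + r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)$")
RE_SA_DELETED = re.compile(
    HEADER + r"isakmpd: Peer (?P<peer>\S+) made us delete live SA (?P<sa>\S+) "
    r"for proto (?P<proto>\d+), initiator id: (?P<init>[^,\s]+), "
    r"responder id: (?P<resp>\S+)$")

EVENTS = (("phase1_done", RE_PHASE1), ("invalid_phase2_ids", RE_BAD_IDS),
          ("dropped", RE_DROPPED), ("sa_deleted", RE_SA_DELETED))


def parse_line(line):
    """Return (event_name, fields) for a recognised isakmpd line, else None."""
    for event, rx in EVENTS:
        m = rx.match(line.strip())
        if m:
            return event, m.groupdict()
    return None


def _is_private(addr):
    """True for RFC 1918 and other non-global addresses; False for garbage."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def summarize(lines):
    """Aggregate events per remote peer (the phase-1 'dst' address).

    The 'invalid phase 2 IDs' line carries no peer address, so it is charged
    to the peer of the most recent phase-1 or dropped-message line.
    """
    peers = defaultdict(lambda: {"phase1_done": 0, "invalid_phase2_ids": 0,
                                 "dropped": {}, "sa_deleted": 0,
                                 "initiator_id": None, "responder_id": None})
    current = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, f = parsed
        if event == "phase1_done":
            current = f["dst"]
        elif event in ("dropped", "sa_deleted"):
            current = f["peer"]
        rec = peers[current or "unknown"]
        if event == "dropped":
            rec["dropped"][f["notify"]] = rec["dropped"].get(f["notify"], 0) + 1
        else:
            rec[event] += 1
        if "init" in f:
            rec["initiator_id"], rec["responder_id"] = f["init"], f["resp"]
    return dict(peers)


def diagnose(summary):
    """List (peer, finding) for peers whose phase 1 succeeded but whose
    quick mode proposals were all dropped for invalid IDs."""
    findings = []
    for peer, s in summary.items():
        drops = s["dropped"].get("INVALID_ID_INFORMATION", 0)
        if not (s["phase1_done"] and s["invalid_phase2_ids"] and drops):
            continue
        init = s["initiator_id"]
        note = (f"phase 1 completed but {drops} quick mode proposal(s) dropped with "
                f"INVALID_ID_INFORMATION (initiator id {init}, responder id {s['responder_id']})")
        if _is_private(init) and init != peer:
            # Inference, not a fact from the log: a private ID that differs from
            # the public peer address is consistent with a client behind NAT.
            note += (f"; initiator id is a private address differing from the peer's "
                     f"public address {peer}, consistent with a NATed client proposing "
                     f"its inside address as its transport-mode ID")
        findings.append((peer, note))
    return findings


# Constructed sample in the shape of the thread's log; addresses are from
# documentation ranges (RFC 5737) and RFC 1918, not the poster's.
SAMPLE_LOG = """\
Dec 29 16:31:26 carbon isakmpd[595]: isakmpd: starting
Dec 29 16:32:58 carbon isakmpd[28467]: isakmpd: phase 1 done (as responder): initiator id 10.20.30.40, responder id 203.0.113.9, src: 203.0.113.9 dst: 198.51.100.7
Dec 29 16:32:59 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.20.30.40, responder id 203.0.113.9
Dec 29 16:32:59 carbon isakmpd[28467]: dropped message from 198.51.100.7 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:02 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.20.30.40, responder id 203.0.113.9
Dec 29 16:33:02 carbon isakmpd[28467]: dropped message from 198.51.100.7 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:06 carbon isakmpd[28467]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.20.30.40, responder id 203.0.113.9
Dec 29 16:33:06 carbon isakmpd[28467]: dropped message from 198.51.100.7 port 48970 due to notification type INVALID_ID_INFORMATION
Dec 29 16:33:29 carbon isakmpd[28467]: isakmpd: Peer 198.51.100.7 made us delete live SA peer-default for proto 1, initiator id: 10.20.30.40, responder id: 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for peer, note in diagnose(summarize(SAMPLE_LOG)):
        print(f"{peer}: {note}")
```

Run against a real /var/log/messages (`summarize(open("/var/log/messages"))`), the per-peer counts separate a client that never gets past phase 1 (no `phase1_done`) from one whose phase 1 succeeds and whose IDs are then rejected, which is the distinction the thread turns on.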
Re: VPN Between OpenBSD and iOS
Yasuoka,

I tried that just now and it doesn't seem to make a difference.

Thanks,

Matt

On Mon, Dec 30, 2013 at 7:34 PM, YASUOKA Masahiko wrote:
> Hi,
>
> On Sun, 29 Dec 2013 20:58:03 -0500
> Matt Carlson wrote:
> > # grep -v ^# /etc/ipsec.conf
> >
> > ike passive esp transport \
> >         proto udp \
> >         from any to any port 1701 \
> >         main auth "hmac-sha1" enc "aes" group modp1024 \
> >         quick auth "hmac-sha1" enc "aes-256" \
> >         psk "1"
>
> AFAIK, a fixed IP address should be used for the source address.
>
> Does changing
>
>     from any to any port 1701 \
>
> to
>
>     from "69.g.h.i" to any port 1701 \
>
> fix the problem?
>
> --yasuoka
Re: VPN Between OpenBSD and iOS
Jeff,

Here you go:

$ grep -v ^# /etc/npppd/npppd.conf
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
}
ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
}
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

Thanks,

Matt

On Mon, Dec 30, 2013 at 4:10 PM, Jeff Goettsch wrote:
> What does your npppd.conf look like?
>
> --
> Jeff Goettsch
> Agricultural and Resource Economics
> http://agecon.ucdavis.edu/
> 530-752-2219
>
> On 12/29/13 5:58 PM, Matt Carlson wrote:
>
>> Hello,
>>
>> I'm trying to get my iPhone with iOS 7.0.4 to connect to my OpenBSD
>> VPN server. If I understand the problem correctly, it's unable to
>> negotiate phase 2. I'd welcome any pointers.
>>
>> Below, I've provided the output of uname, rc.conf.local, ipsec.conf,
>> messages, isakmpd.pcap. I changed a couple of IP addresses and FQDNs
>> (e.g. 10.a.b.c) and I removed some lines from /var/log/messages and
>> replaced them with "", since this is already fairly long.
>>
>> I welcome any suggestions/recommendations.
Re: VPN Between OpenBSD and iOS
mxb,

I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like?

Thanks,

Matt

On Fri, Jan 3, 2014 at 8:03 AM, mxb wrote:
> I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
> pre-release). My ipsec.conf for L2TP is this:
>
> ike passive esp transport \
>         proto udp from $local_gw to any port 1701 \
>         main auth "hmac-sha1" enc "3des" group modp1024 \
>         quick auth "hmac-sha1" enc "aes" \
>         psk ReallyweakPassword
>
> On 31 dec 2013, at 05:01, Mike Pistone wrote:
>
> > Strangely enough, I am having the exact same problem. OPENBSD 5.4, etc.
> >
> > Phase I works once I tweaked my isakmp settings to match IOS7's capabilities
> > (no modp2048 mainly), but I get the same messages Matt does on phase II.
> >
> > I have a npppd PPTP tunnel to the same server that works fine.
> > It is just L2TP/IPSEC that has the issues.
> >
> > Mike