On 2013-01-24, Jan Lambertz <jd.arb...@googlemail.com> wrote:
> Hi,
>
> Running OpenBSD 5.2 AMD64 release as homeserver.
> Got Android 2.3 Samsung Mobile.
> Want to connect via vpn IPSEC.
> Config:
> ike passive esp tunnel from any to any \
> main auth hmac-sha1 enc des \
> quick auth hmac-sha1 enc des \
> srcid  dstid (tested different things here without effect) \
> psk "test123"
>
>
> Also changed any to any to more concise settings, without effect.
> local ip and peer any didn't help, too.
>
>
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
> Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
> Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id
> 178.26.160.62
> Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90
> port 51210 due to notification type INVALID_ID_INFORMATION
>
>
> 89.204.138.90 seems to be the mobile
> 10.166.112.90 ?? what's this ?
>
> btw. I'm using the standard vpn client built in android. before i can
> connect i have to enter a username / pw (not psk). is ipsec about username
> / pw stuff ? could find it anywhere in the manuals.
>
>
> thanks
>
>

The standard Android vpn client uses l2tp/ipsec. Here are some files
from a working setup with Android 4.1.2; I'm pretty sure similar worked
with Android 3.x, no idea about 2.x.

>> /etc/ipsec.conf

ike passive esp transport \
         proto udp from $SERVER_IP to any port 1701 \
         main auth "hmac-sha" enc "aes" group modp1024 \
         quick auth "hmac-sha" enc "aes" \
         psk "somepsk"

.....

>> /etc/npppd/npppd.conf

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
        listen on $SERVER_IP
}

ipcp IPCP {
        pool-address 172.28.15.128-172.28.15.255
        dns-servers 172.28.15.2
}

interface pppx0 address 172.28.15.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

.....

>> /etc/npppd/npppd-users

someuser:\
        :password=blahblah:\
        :framed-ip-address=172.28.15.50:

.....

>> /etc/sysctl.conf

net.pipex.enable=1
net.inet.ip.forwarding=1
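
A small triage script for the isakmpd messages quoted above, added here as an example and not part of either poster's message. It takes the three distinct log entries from the original post (unwrapped to one per line) and reports the proposal mismatch, the rejected phase 2 IDs, and whether the initiator ID is a private address that differs from the packet source, which is consistent with the phone sitting behind NAT. The function name `triage` and the finding strings are hypothetical.

```python
import ipaddress
import re

# Log entries copied from the quoted message above, unwrapped to one per line.
SAMPLE_LOG = """\
Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC
Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id 178.26.160.62
Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90 port 51210 due to notification type INVALID_ID_INFORMATION
"""

ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
IDS_RE = re.compile(r"invalid phase 2 IDs: initiator id ([\d.]+), responder id ([\d.]+)")
DROP_RE = re.compile(r"dropped message from ([\d.]+) port (\d+) due to notification type (\w+)")

def triage(log_text):
    """Return a sorted list of distinct findings for an isakmpd log excerpt."""
    findings = set()
    pending_ids = None  # phase 2 IDs waiting for the matching "dropped message" line
    for line in log_text.splitlines():
        if m := ATTR_RE.search(line):
            attr, got, expected = m.groups()
            findings.add(f"{attr}: peer proposed {got}, local policy only accepts {expected}")
        elif m := IDS_RE.search(line):
            pending_ids = m.groups()
        elif (m := DROP_RE.search(line)) and pending_ids:
            src, _port, notify = m.groups()
            initiator, responder = pending_ids
            pending_ids = None
            findings.add(f"{notify}: peer {src} proposed phase 2 IDs {initiator} -> {responder}, no matching flow")
            # Inference, not something isakmpd states: a private initiator ID that
            # differs from the observed source address points to NAT in the path.
            if ipaddress.ip_address(initiator).is_private and initiator != src:
                findings.add(f"{initiator} is a private address and differs from packet source {src}: peer is likely behind NAT")
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Repeated retries in the log collapse into one finding each, so a long excerpt still yields a short list.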
