I’d made cable modem act as bridge and let OpenBSD handle public IP/firewall
(guessing it is DHCP).
In this setup you’d eliminate this extra device with forwarding ports and
simplified debugging.
//mxb
On 21 jul 2014, at 02:35, Gordon Turner <tur...@ftn.net> wrote:
> Hey List,
>
> I am trying to use OpenBSD 5.5 as an VPN end point for iOS 7.0 and OSX 10.9
> native VPN clients, using L2TP / IPsec.
>
> At the moment I am running the VPN end point on an internal server and
> forwarding appropriate ports from the router:
> - UDP 500 - Internet Key Exchange (IKE)
> - UDP 1701 - L2TP traffic
> - UDP 4500 - IPSec Network Address Translation (NAT-T)
>
> (Long term plan is to replace the router with an OpenBSD box and terminate
> the VPN there.)
>
> It would seem that I am close, but can't over come this last issue.
>
> When I attempt to connect from an iOS device, in /var/log/messages I see this
> error message repeated several times:
>
> --
> Jul 20 17:51:52 access isakmpd[2979]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 25.1.65.61, responder id
> XXX.XXX.XXX.XXX
> Jul 20 17:51:52 access isakmpd[2979]: dropped message from YYY.YYY.YYY.YYY
> port 16659 due to notification type INVALID_ID_INFORMATION
> --
>
> Where XXX.XXX.XXX.XXX is the public ip address (in my case the cable modem's
> external ip) and YYY.YYY.YYY.YYY is the iOS device attempting to establish
> the vpn connection.
>
> (The 25.1.65.61 address I don't recognize and appears to be UK Ministry of
> Defence, so ah, wat? Assuming this is some weird misconfiguration...)
>
> The network topo looks like:
> Internet - Cable Modem (XXX.XXX.XXX.XXX public ip) - Router Firewall
> (forwarding ports) - OpenBSD
>
> Any suggestions, even "You can't do that", would be appreciated.
>
> Gord.
>
>
>
> Details:
>
>
> Internal network is 192.168.2.x
>
>
> /etc/rc.conf.local
> --
> isakmpd_flags="-K"
> ipsec=YES
> --
>
>
> /etc/npppd/npppd.conf
> --
> authentication LOCAL type local {
> users-file "/etc/npppd/npppd-users"
> }
>
> tunnel L2TP_ipv4 protocol l2tp {
> listen on 0.0.0.0
> }
>
> ipcp IPCP {
> pool-address 192.168.2.150-192.168.2.199
> dns-servers 8.8.8.8
> }
>
> interface pppx0 address 192.168.2.1 ipcp IPCP
> bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
> --
>
>
> /etc/npppd/npppd-users
> --
> juser:\
> :password=SEEKRIT:\
> :framed-ip-address=192.168.2.150:
> --
>
>
> /etc/ipsec.conf
> --
> public_ip = "192.168.2.232"
>
> ike passive esp transport \
> proto udp from $public_ip to any port 1701 \
> main auth "hmac-sha1" enc "aes" group modp1024 \
> quick auth "hmac-sha1" enc "aes" \
> psk "SEEKRIT"
> --
>
>
> /etc/pf.conf
> --
> pass quick proto { esp, ah } from any to any
> pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep
> state
> pass on enc0 from any to any keep state (if-bound)
> --
>
>
> /etc/sysctl.conf
> --
> net.inet.ip.forwarding=1
> net.pipex.enable=1
> --
>
>
> --
> $ dmesg
> OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 520081408 (495MB)
> avail mem = 497725440 (474MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfd9c0 (10 entries)
> bios0: vendor Bochs version "Bochs" date 01/01/2007
> bios0: Bochs Bochs
> acpi0 at bios0: rev 0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC HPET
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> acpihpet0 at acpi0: 100000000 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0
> mpbios at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: QEMU Virtual CPU version 1.0, 3210.36 MHz
> cpu0:
> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,VMX,CX16,POPCNT,NXE,LONG,LAHF
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
> 64b/line 16-way L2 cache
> cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0
> wired to compatibility, channel 1 wired to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 1.0> ATAPI 5/cdrom
> removable
> cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 10
> iic0 at piixpm0
> iic0: addr 0x4c 48=00 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000
> 06=0000 07=0000
> iic0: addr 0x4e 48=00 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000
> 06=0000 07=0000
> vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00: Virtio
> Network Device
> vio0 at virtio0: address 52:54:00:9b:3b:bc
> virtio0: irq 11
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio
> Block Device
> vioblk0 at virtio1
> scsibus1 at vioblk0: 2 targets
> sd0 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
> sd0: 2048MB, 512 bytes/sector, 4195456 sectors
> virtio1: irq 11
> virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory" rev 0x00: Virtio
> Memory Balloon Device
> viomb0 at virtio2
> virtio2: irq 10
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: density unknown
> fd1 at fdc0 drive 1: density unknown
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> nvram: invalid checksum
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a (5113c722c25af8c4.a) swap on sd0b dump on sd0b
> clock: unknown CMOS layout
> --
