Hello, I don't mean to bring up an old thread, but I was wondering if anyone else was experiencing issues with OpenBSD 5.8 and Android 6.0.1 (preferably the version on the Nexus line of devices) connecting to ipsec/l2tp.

I had this working late last year some time and hadn't used it in a few months. When I went to use it again a few days ago it didn't work at all. After rebooting my phone and even trying it on my tablet, which coincidentally runs the exact same version of stock Android 6.0.1, it didn't work there either. I have confirmed some interesting behavior. First, if I tweak the ipsec.conf stanza to something like:

> ike passive esp transport \
> proto udp from X.X.X.X to any port 1701 \
> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
> quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
> psk "redacted"

it creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd never sees a connection attempt, tcpdumping enc0 shows no traffic, and ultimately the connection fails.

If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with latest updates to connect successfully.
If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone with iOS 9.3 to connect successfully.
If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to connect successfully.
If I restore it to hmac-sha1, aes, modp1024 I can get an older Android tablet (one of my kids') to connect successfully.

What else can I do to troubleshoot this? I ask because I signed up for a free 1-day trial of some Internet-based VPN provider and was able to connect successfully to their IPSEC/L2TP VPN using my Android phone, so I know it works. It must just be a recent change in Android (or during the OpenBSD 5.7->5.8 update) that is causing this incompatibility that makes it almost work.

Any help would be greatly appreciated.

Sly

On 02/22/2016 07:48 AM, Stefan Krueger wrote:
> In mailing.openbsd.misc, you wrote:
>> Hi, everyone:
>>
>> [...]
>>
>> But the android devices I had won't work by all means.
>> I found out that Android 5.x L2TP/IPSec VPN client works in:
>> hash algorithm: hmac-sha2-256
>> encrypt method: aes_cbc
>> life time: 28800
>>
>> The ipsec.conf with:
>> ``
>> ike passive esp tunnel \
>> from "IP_ADDRESS" to any \
>> main auth "hmac-sha2-256" enc "aes" group "modp1024" lifetime 2880\
>> quick group "modp1024" \
>> psk "SECRET_KEY"
>> ''
>> didn't make a change. (after `ipsecctl -f /etc/ipsec.conf`)
> Hi,
>
> the following config worked for me when I was using it (with npppd)
> last year (dumped it since I couldn't find a way to use it with iOS
> and Android at the same time):
>
> /etc/ipsec.conf
> public_ip = "x.y.z.a"
>
> ike passive esp transport \
> proto udp from $public_ip to any port l2tp \
> aggressive auth "hmac-sha1" enc "aes" group modp1024 \
> psk "XXX"
>
> IIRC Android required the use of "aggressive auth" where iOS only worked
> with the default "main auth"...
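A small lint for the ike stanzas quoted in this thread, added here as an example; it is not code from the thread or from OpenBSD. It assumes the algorithm-name sets below match what ipsec.conf(5) accepts (transcribed from memory, limited to names I am sure of) and reports any auth/enc/group token outside those sets, such as the quick-phase auth name in the first stanza as it appears in the mail.

```python
import re

# Algorithm names accepted by OpenBSD ipsec.conf(5) in an ike rule's
# main/aggressive/quick phases. Assumption: transcribed from the manual
# from memory and limited to the names the author is sure of.
VALID = {
    "auth": {"hmac-md5", "hmac-sha1", "hmac-ripemd160",
             "hmac-sha2-256", "hmac-sha2-384", "hmac-sha2-512"},
    "enc": {"des", "3des", "aes", "aes-128", "aes-192", "aes-256",
            "blowfish", "cast128"},
    "group": {"modp768", "modp1024", "modp1536", "modp2048", "modp3072",
              "modp4096", "modp6144", "modp8192"},
}

PHASES = ("main", "aggressive", "quick")


def lint_ike_rule(text):
    """Return (phase, keyword, value) triples whose value is not a name
    ipsec.conf(5) accepts. Mail-style '>' quoting is stripped and
    backslash continuations are joined before parsing."""
    lines = [re.sub(r"^\s*(>\s?)+", "", ln) for ln in text.splitlines()]
    rule = " ".join(ln.strip().rstrip("\\").strip() for ln in lines)
    problems = []
    for phase in PHASES:
        # A phase's tokens run until the next phase keyword or the psk.
        m = re.search(rf"\b{phase}\b(.*?)(?=\b(?:main|aggressive|quick|psk)\b|$)", rule)
        if not m:
            continue
        for kw, val in re.findall(r'\b(auth|enc|group)\s+"?([\w-]+)"?', m.group(1)):
            if val not in VALID[kw]:
                problems.append((phase, kw, val))
    return problems


# Constructed sample: the first stanza quoted in the post, as it appears in the mail.
SAMPLE = """\
> ike passive esp transport \\
> proto udp from X.X.X.X to any port 1701 \\
> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \\
> quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \\
> psk "redacted"
"""

if __name__ == "__main__":
    for phase, kw, val in lint_ike_rule(SAMPLE):
        print(f"{phase}: {kw} {val!r} is not a name ipsec.conf(5) accepts")
```

Whether the odd token is a typo in the mail or in the file on disk, this is the first thing to settle before comparing transforms across clients.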

