On 03/25/2016 04:27 PM, Sly Midnight wrote:
> Hello,
>
> I don't mean to bring up an old thread, but I was wondering if anyone
> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
> (preferably the version on the Nexus line of devices) connecting to
> ipsec/l2tp.
>
> I had this working late last year some time and hadn't used it in a few
> months. When I went to use it again a few days ago it didn't work at
> all. After rebooting my phone and even trying it on my tablet that
> coincidentally runs the exact same version of stock Android 6.0.1, it
> too didn't work there.
>
> I have confirmed some interesting behavior.
>
> First if I tweak the ipsec.conf stanza to something like:
>
>> ike passive esp transport \
>> proto udp from X.X.X.X to any port 1701 \
>> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
>> quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
>> psk "redacted"
> It creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd
> never sees a connection attempt and tcpdumping enc0 shows no traffic and
> ultimately the connection fails.
>
> If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with
> latest updates to connect successfully.
> If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone
> with iOS 9.3 to connect successfully.
> If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to
> connect successfully.
>
> If I restore it to hmac-sha1, aes, modp1024 I can get an older Android
> tablet (one of my kid's) to connect successfully.
>
> What else can I do to troubleshoot this? Because I signed up to a free
> 1 day trial of some Internet based VPN provider and successfully was
> able to connect to their IPSEC/L2TP VPN using my Android phone so I know
> it works. It must just be a recent change in Android (or during the
> OpenBSD 5.7->5.8 update) that is causing this incompatibility that makes
> it almost work. Any help would be greatly appreciated.
>
I can't get Android to connect with modp > 1024, but settings like this
work:
ike passive esp transport \
proto udp from A.B.C.D to any port l2tp \
main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
quick auth "hmac-sha2-256" enc "aes-256" \
psk "mysharedsecret"
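As an added illustration (not from either poster), this small Python checker parses an ipsec.conf "ike" stanza like the two above and flags the two things this thread turns up: a DH group larger than modp1024, which the reply reports Android will not negotiate, and an algorithm name ipsecctl does not know, such as the mistyped hmac-sha2-s256 in the quoted quick-mode line. The list of auth algorithm names is taken from ipsec.conf(5); the parsing of the stanza layout is my own assumption about the format, and the sample stanzas are constructed here.

```python
import re
import shlex

# IKEv1 auth algorithm names accepted by ipsec.conf(5) (assumption: copied
# from the manual, not derived from the thread).
VALID_AUTH = {"hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha2-384",
              "hmac-sha2-512", "hmac-ripemd160"}


def parse_ike_stanza(text):
    """Join backslash-continued lines, then split the stanza into the flow
    spec, the main-mode proposal, the quick-mode proposal and the PSK."""
    joined = " ".join(l.rstrip().rstrip("\\") for l in text.strip().splitlines())
    tokens = shlex.split(joined)          # strips the quotes around algorithm names
    cfg = {"flow": [], "main": {}, "quick": {}}
    section = "flow"
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("main", "quick"):
            section = tok
        elif tok == "psk":
            cfg["psk"] = tokens[i + 1]
            i += 1
        elif section != "flow" and tok in ("auth", "enc", "group"):
            cfg[section][tok] = tokens[i + 1]
            i += 1
        else:
            cfg["flow"].append(tok)
        i += 1
    return cfg


def check_android_compat(cfg):
    """Return human-readable findings for settings that, per this thread,
    keep stock Android 6.0.1 from connecting or would not parse at all."""
    findings = []
    for section in ("main", "quick"):
        auth = cfg[section].get("auth")
        if auth and auth not in VALID_AUTH:
            findings.append(f"{section}: unknown auth algorithm {auth!r}")
        group = cfg[section].get("group")
        bits = re.search(r"\d+", group) if group else None
        if bits and int(bits.group()) > 1024:
            findings.append(f"{section}: Android only connected with modp1024 "
                            f"in this thread, stanza uses {group}")
    return findings
```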