On 03/25/2016 04:27 PM, Sly Midnight wrote:
> Hello,
>
> I don't mean to bring up an old thread, but I was wondering if anyone
> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
> (preferably the version on the Nexus line of devices) connecting to
> ipsec/l2tp.
>
> I had this working late last year some time and hadn't used it in a few
> months. When I went to use it again a few days ago it didn't work at
> all. After rebooting my phone and even trying it on my tablet that
> coincidentally runs the exact same version of stock Android 6.0.1, it
> too didn't work there.
>
> I have confirmed some interesting behavior.
>
> First, if I tweak the ipsec.conf stanza to something like:
>
>> ike passive esp transport \
>>     proto udp from X.X.X.X to any port 1701 \
>>     main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
>>     quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
>>     psk "redacted"
>
> it creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd
> never sees a connection attempt, tcpdumping enc0 shows no traffic, and
> ultimately the connection fails.
>
> If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with
> the latest updates to connect successfully.
> If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone
> with iOS 9.3 to connect successfully.
> If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to
> connect successfully.
>
> If I restore it to hmac-sha1, aes, modp1024 I can get an older Android
> tablet (one of my kids') to connect successfully.
>
> What else can I do to troubleshoot this? Because I signed up to a free
> 1-day trial of some Internet-based VPN provider and was successfully
> able to connect to their IPSEC/L2TP VPN using my Android phone, I know
> it works. It must just be a recent change in Android (or during the
> OpenBSD 5.7->5.8 update) that is causing this incompatibility that makes
> it almost work. Any help would be greatly appreciated.
>
I can't get Android to connect with modp > 1024, but settings like this work:

    ike passive esp transport \
        proto udp from A.B.C.D to any port l2tp \
        main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
        quick auth "hmac-sha2-256" enc "aes-256" \
        psk "mysharedsecret"
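The two stanzas in this thread differ in only a few places: the original post spells the phase 2 hash "hmac-sha2-s256" (not a transform name isakmpd knows), keeps a quick-mode group, and uses port 1701 where the reply uses the service name l2tp. The following is an added example, written for this thread and not code from either poster: a small Python audit that joins the backslash-continued lines of an ipsec.conf(5) "ike" rule, splits it into per-phase transforms, and reports names that are not in a known set, legacy transforms, a phase 2 without PFS, and a short PSK. The transform name sets are assumed to be a subset of what ipsec.conf(5) documents, and the "weak" thresholds are this example's own policy; the reply shows Android 6.0.1 only negotiating modp1024, so a working Android rule is expected to carry that finding.

```python
"""Audit OpenBSD ipsec.conf(5) "ike" rules for misspelled and weak transforms.

Added example for this thread, not code from either poster.  The name sets
below are an assumed subset of ipsec.conf(5); the WEAK thresholds are this
example's policy, not something the thread states.
"""
import shlex

# Assumption: trimmed to common names; an omitted but valid name is reported
# as unknown and should be checked against the manual, not treated as a typo.
KNOWN_AUTH = {"hmac-md5", "hmac-sha1", "hmac-ripemd160",
              "hmac-sha2-256", "hmac-sha2-384", "hmac-sha2-512"}
KNOWN_ENC = {"des", "3des", "aes", "aes-128", "aes-192", "aes-256",
             "aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "blowfish", "cast"}
KNOWN_GROUP = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072",
               "modp4096", "modp6144", "modp8192", "ecp256", "ecp384", "ecp521"}
# Example policy: legacy hashes, 64-bit block ciphers, DH groups < 2048 bits.
WEAK_AUTH = {"hmac-md5", "hmac-sha1"}
WEAK_ENC = {"des", "3des", "blowfish", "cast"}
WEAK_GROUP = {"modp768", "modp1024"}
MIN_PSK_LEN = 20

PHASE_KEYS = ("auth", "enc", "group")
TOP_KEYS = ("proto", "from", "to", "port", "psk", "srcid", "dstid")
FLAGS = ("active", "passive", "esp", "ah", "transport", "tunnel")


def join_continuations(text):
    """Return one logical rule per entry, joining backslash-continued lines."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append((buf + line).strip())
        buf = ""
    if buf:
        rules.append(buf.strip())
    return rules


def parse_ike_rule(rule):
    """Split an "ike" rule into flags, selectors, and per-phase transforms."""
    toks = shlex.split(rule)  # honours the quoting around "aes-256" and the psk
    if not toks or toks[0] != "ike":
        raise ValueError("not an ike rule: %r" % rule)
    parsed = {"flags": [], "main": {}, "quick": {}}
    phase, i = None, 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("main", "quick"):
            phase, i = tok, i + 1
        elif tok in PHASE_KEYS and phase is not None:
            parsed[phase][tok] = toks[i + 1]
            i += 2
        elif tok in TOP_KEYS:
            parsed[tok] = toks[i + 1]
            i += 2
        elif tok in FLAGS:
            parsed["flags"].append(tok)
            i += 1
        else:
            raise ValueError("unexpected token %r in ike rule" % tok)
    return parsed


def audit_ike_rule(rule):
    """Return (level, message) findings: ERROR for unknown names, WEAK, INFO."""
    parsed = parse_ike_rule(rule)
    known = {"auth": KNOWN_AUTH, "enc": KNOWN_ENC, "group": KNOWN_GROUP}
    weak = {"auth": WEAK_AUTH, "enc": WEAK_ENC, "group": WEAK_GROUP}
    findings = []
    for phase in ("main", "quick"):
        for key, value in parsed[phase].items():
            if value not in known[key]:
                findings.append(("ERROR", "%s %s %r is not a transform name "
                                 "isakmpd accepts; check the spelling" % (phase, key, value)))
            elif value in weak[key]:
                findings.append(("WEAK", "%s %s %r" % (phase, key, value)))
    if "group" not in parsed["quick"]:
        findings.append(("INFO", "quick has no group, so phase 2 runs without PFS"))
    if "psk" in parsed and len(parsed["psk"]) < MIN_PSK_LEN:
        findings.append(("WEAK", "psk is shorter than %d characters" % MIN_PSK_LEN))
    return findings


# The two stanzas as posted in the thread (their address placeholders kept).
OP_CONF = r"""
ike passive esp transport \
    proto udp from X.X.X.X to any port 1701 \
    main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
    quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
    psk "redacted"
"""
REPLY_CONF = r"""
ike passive esp transport \
    proto udp from A.B.C.D to any port l2tp \
    main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
    quick auth "hmac-sha2-256" enc "aes-256" \
    psk "mysharedsecret"
"""

if __name__ == "__main__":
    for label, conf in (("original post", OP_CONF), ("reply", REPLY_CONF)):
        print(label)
        for level, msg in audit_ike_rule(join_continuations(conf)[0]):
            print("  %-5s %s" % (level, msg))
```

Run on the original poster's stanza, the audit reports the misspelled quick-mode hash as an ERROR before any strength finding, which is the first thing to fix before comparing algorithm combinations; on the reply's stanza it reports only modp1024, the missing quick-mode group, and the short PSK, all of which are choices rather than typos.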