Dear List,

I tried to set up a simple road warrior VPN setup for my MacOS machine and found the following issue.

When using spaces in the pre-shared key the MacOS VPN client (racoon) cannot connect. This might well be a MacOS issue, but still worth sharing. (iOS is also playing funny, there I am more stable: iOS 9.3.2 - 13F69)

## OpenBSD vpn 6.0 GENERIC#1898 i386 (Snapshot 20 July 2016)
## Darwin Steves-13-inch-MacBook 16.0.0 Darwin Kernel Version 16.0.0: Sat Jul 9 23:23:38 PDT 2016; root:xnu-3777.0.0.0.1~27/RELEASE_X86_64 x86_64

ipsec.conf has this line:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth "hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc "aes-256" psk "PSK"

Messages output (PSK NO SPACES):

Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 logtype=Started RecvSCCRQ from=85.93.205.98:51860/udp tunnel_id=13/48 protocol=1.0 winsize=4 hostname=Steves-13-inch-MacBook.office.lan vendor=(no vendorname) firm=0000
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 call=25707 logtype=PPPBind ppp=9
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base logtype=TUNNELSTART user="steve" duration=3sec layer2=L2TP layer2from=85.93.205.98:51860 auth=MS-CHAP-V2 ip=10.0.0.129 iface=pppx0
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base Using pipex=yes

Failing line in ipsec.conf:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth "hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc "aes-256" psk "PSK 2"

Messages output (PSK SPACES):

Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:30 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:30 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:33 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:33 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:45 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:45 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED

I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no clue what the correct config should be, so I haven't reproduced it under the Droid.

If someone is more passionate about this I can share some more logs. But something works for me now and my patience wore thin.

Cheers,

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:st...@localhost.lu
.lu: +352 20 333 55 65
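The attribute_unacceptable lines appear in both runs above, so they do not distinguish the failing one; the "dropped message" lines and the absence of a later TUNNELSTART do. The following log triage is an added example, not part of the original post; the function names and the threshold of two drops are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the isakmpd/npppd lines quoted in the post (both runs, shortened).
SAMPLE = """\
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base logtype=TUNNELSTART user="steve" duration=3sec layer2=L2TP layer2from=85.93.205.98:51860 auth=MS-CHAP-V2 ip=10.0.0.129 iface=pppx0
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
"""

REJECT = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected \w+")
DROP = re.compile(r"dropped message from (\S+) port \d+ "
                  r"due to notification type (\w+)")
START = re.compile(r'logtype=TUNNELSTART user="[^"]*".*layer2from=([\d.]+):\d+')

def triage(log_text):
    """Return (rejected proposal counts, per-peer drop and tunnel state)."""
    rejected = defaultdict(int)  # (attribute, offered value) -> count
    peers = defaultdict(lambda: {"drops": defaultdict(int), "tunnels": 0,
                                 "drops_since_tunnel": 0})
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            # Rejected transforms carry no peer address; count them globally.
            rejected[(m.group(1), m.group(2))] += 1
        elif m := DROP.search(line):
            peer = peers[m.group(1)]
            peer["drops"][m.group(2)] += 1
            peer["drops_since_tunnel"] += 1
        elif m := START.search(line):
            peer = peers[m.group(1)]
            peer["tunnels"] += 1
            peer["drops_since_tunnel"] = 0  # a working tunnel resets the streak
    return rejected, peers

def failing_peers(peers, threshold=2):
    """Peers with at least `threshold` drops and no tunnel start afterwards."""
    return sorted(ip for ip, p in peers.items()
                  if p["drops_since_tunnel"] >= threshold)

if __name__ == "__main__":
    rejected, peers = triage(SAMPLE)
    for (attr, offered), n in sorted(rejected.items()):
        print(f"rejected proposal {attr}={offered}: {n}")
    print("peers failing after negotiation:", failing_peers(peers))
```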