On 6 December 2016 10:04:34 CET, Florian Ermisch 
<florian.ermi...@alumni.tu-berlin.de> wrote:
> Hi Robert,
> 
> On 6 December 2016 03:05:34 CET, Robert Szasz
> <rsz...@saxonco.com> wrote:
> > I'm trying to set up an L2TP/IPSEC tunnel for roaming Windows users to
> > tunnel in to our office network.
> > 
> > I'm testing with the following setup
> > 
> > Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
> > 
> > I'd like something reasonably robust, able to pass through most NAT a
> > user might find themselves behind. Our current Cisco VPN handles that
> > part fairly well, but otherwise is unreliable and a pain to manage.
> > 
> > The connection process fails at stage 2 with the error message below,
> > where X is the public IP of the box being connected to, and Y is the IP
> > of the firewall the win10 machine is behind; 10...58 is the private IP
> > of the win10 machine.
> > 
> > Thanks,
> > 
> > Robert Szasz
> > 
> > 
> > 
> > error in the isakmpd log
> > 
> > ---
> > 
> > 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
> > invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> > 010420.423325 Default dropped message from y.y.y.y port 58544 due to
> > notification type INVALID_ID_INFORMATION
> 
> And I guess that's the problem: the client
> goes "hi I'm 10.1.1.58 and I'd like to
> connect" and isakmpd doesn't know any
> 10.1.1.58. IKEv1 is very picky about those
> things: when it doesn't expect an ID, no
> peer presenting one will be allowed to
> connect AFAIK.

Little correction: the client comes from
y.y.y.y but probably says it's 10.1.1.58,
thus the presented ID doesn't match the
one taken from the source address, as your
ipsec.conf doesn't specify one.

> 
> > 
> > ipsec.conf
> > 
> > ike passive esp transport \
> >   proto udp from x.x.x.x to any port 1701 \
> >   main auth hmac-sha1 enc "aes" group modp2048 \
> >   quick auth hmac-sha1 enc "aes" group modp2048 \
> >   psk ""
> 
> Maybe adding local/peer or srcid/dstid
> will help. You can try using the
> client's current local IP of 10.1.1.58
> as the ID to expect.
> 
> Regards, Florian
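The mismatch Florian describes (a peer behind NAT arriving from y.y.y.y but proposing its private 10.1.1.58 as phase 2 initiator ID) can be spotted directly in the isakmpd log. Added example, not from the thread: it pairs the "invalid phase 2 IDs" line with the following INVALID_ID_INFORMATION drop and flags the case where the proposed ID is a private address that differs from the packet's source. The sample log is constructed from the lines quoted above, with x.x.x.x and y.y.y.y replaced by RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed sample: the two isakmpd lines quoted in the thread, joined back
# onto single lines, with placeholder public addresses filled in.
SAMPLE_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 203.0.113.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION
"""

INVALID_IDS = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROPPED = re.compile(
    r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


def diagnose_phase2_id_mismatch(log_text):
    """Return one finding per INVALID_ID_INFORMATION drop that follows an
    'invalid phase 2 IDs' line. likely_nat is True when the initiator ID is an
    RFC 1918 address that differs from the source address the packet came
    from, i.e. the client is announcing its pre-NAT address."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = INVALID_IDS.search(line)
        if m:
            pending = {"initiator_id": m.group(1), "responder_id": m.group(2)}
            continue
        m = DROPPED.search(line)
        if m and pending and m.group(3) == "INVALID_ID_INFORMATION":
            src = m.group(1)
            try:
                proposed = ipaddress.ip_address(pending["initiator_id"])
                likely_nat = proposed.is_private and str(proposed) != src
            except ValueError:
                likely_nat = False  # non-address ID (e.g. FQDN), cannot compare
            findings.append({**pending, "src": src, "port": int(m.group(2)),
                             "likely_nat": likely_nat})
            pending = None
    return findings


if __name__ == "__main__":
    for f in diagnose_phase2_id_mismatch(SAMPLE_LOG):
        print(f)
```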
