On 6 December 2016 10:04:34 CET, Florian Ermisch <florian.ermi...@alumni.tu-berlin.de> wrote:
> Hi Robert,
>
> On 6 December 2016 03:05:34 CET, Robert Szasz <rsz...@saxonco.com> wrote:
> > I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to
> > tunnel in to our office network.
> >
> > I'm testing with the following setup
> >
> > Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
> >
> > I'd like something reasonably robust, able to pass through most NAT a
> > user might find themselves behind. Our current cisco vpn handles that
> > part fairly well, but otherwise is unreliable and a pain to manage.
> >
> > The connection process fails at stage 2 with the error message below,
> > where X is the public IP of the box being connected to, Y is the ip
> > of the firewall the win10 machine is behind, and 10...58 is the private ip
> > of the win10 machine.
> >
> > Thanks,
> >
> > Robert Szasz
> >
> >
> > error in the isakmpd log
> >
> > ---
> >
> > 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
> > invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> > 010420.423325 Default dropped message from y.y.y.y port 58544 due to
> > notification type INVALID_ID_INFORMATION
>
> And I guess that's the problem: the client goes "hi, I'm 10.1.1.58 and
> I'd like to connect" and isakmpd doesn't know any 10.1.1.58. IKEv1 is
> very picky about those things: when it doesn't expect an ID, no peer
> presenting one will be allowed to connect, AFAIK.

Little correction: the client comes from y.y.y.y but probably says it's 10.1.1.58, thus the presented ID doesn't match the one taken from the src address, as your ipsec.conf doesn't specify one.

> > ipsec.conf
> >
> > ike passive esp transport \
> >     proto udp from x.x.x.x to any port 1701 \
> >     main auth hmac-sha1 enc "aes" group modp2048 \
> >     quick auth hmac-sha1 enc "aes" group modp2048 \
> >     psk ""
>
> Maybe adding local/peer or srcid/dstid will help. You can try using
> the client's current local IP of 10.1.1.58 as the ID to expect.
>
> Regards, Florian
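The pattern Florian describes, a NATed client presenting its private address as its phase 2 ID while its IKE packets arrive from the NAT gateway's public address, can be read straight off the two isakmpd log lines. The following is an added example written for this page, not code from the thread or from OpenBSD's isakmpd: it parses the "invalid phase 2 IDs" and "dropped message" lines, pairs them, and reports whether the presented initiator ID differs from the packet source address. The sample input is constructed from the lines quoted above with the redacted x.x.x.x and y.y.y.y replaced by assumed documentation-range addresses (203.0.113.10 and 198.51.100.7); every function and class name is the example's own.

```python
"""Parse isakmpd phase 2 ID failures and check whether the peer's presented
ID matches the address its packets actually arrived from (i.e. it is NATed).
Added example for this page; not isakmpd code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two log lines quoted in the thread, with the
# redacted x.x.x.x / y.y.y.y replaced by assumed documentation-range addresses.
SAMPLE_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 203.0.113.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION
"""

# Message formats taken from the log lines quoted in the thread.
ID_RE = re.compile(r"peer proposed invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


@dataclass
class Phase2Failure:
    initiator_id: str
    responder_id: str
    src_addr: Optional[str] = None      # address the IKE packet came from
    src_port: Optional[int] = None
    notification: Optional[str] = None  # e.g. INVALID_ID_INFORMATION

    def behind_nat(self) -> bool:
        """True when the ID the peer presented is not the address it sent from."""
        return self.src_addr is not None and self.initiator_id != self.src_addr

    def initiator_is_private(self) -> bool:
        """True when the presented ID is a private (RFC 1918 etc.) address."""
        try:
            return ipaddress.ip_address(self.initiator_id).is_private
        except ValueError:
            return False  # ID is an FQDN or other non-IP identifier


def parse_isakmpd_log(text: str) -> List[Phase2Failure]:
    """Pair each 'invalid phase 2 IDs' line with the 'dropped message' line that follows it."""
    failures: List[Phase2Failure] = []
    pending: Optional[Phase2Failure] = None
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            pending = Phase2Failure(initiator_id=m.group(1), responder_id=m.group(2))
            failures.append(pending)
            continue
        m = DROP_RE.search(line)
        if m and pending is not None:
            pending.src_addr = m.group(1)
            pending.src_port = int(m.group(2))
            pending.notification = m.group(3)
            pending = None
    return failures


def diagnose(f: Phase2Failure) -> str:
    """One-line verdict a practitioner can read off the log."""
    if f.behind_nat() and f.initiator_is_private():
        return (f"peer at {f.src_addr}:{f.src_port} presented private ID {f.initiator_id}: "
                "NATed client; responder expects an ID matching the source address")
    if f.behind_nat():
        return f"peer at {f.src_addr} presented ID {f.initiator_id} that differs from its source address"
    return f"phase 2 ID {f.initiator_id} rejected for responder {f.responder_id}"


if __name__ == "__main__":
    for failure in parse_isakmpd_log(SAMPLE_LOG):
        print(diagnose(failure))
```

Run it against a real isakmpd log (with isakmpd started with enough debug verbosity to emit these lines) to confirm the mismatch before changing the IDs in ipsec.conf; the private initiator ID combined with a public source address is the signature of a client behind NAT.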