Hi, I'm trying to set up my OpenBSD 6.0 box as an L2TP/IPsec server for my Android phone to connect to. It appears that recent Android versions have a bug that can prevent it to successfully use HMAC_SHA2_256 for its built-in L2TP/IPsec VPN client. (Whether the bug occurs seems to depend on the specifics of the Linux kernel that happens to be used for the device. See https://code.google.com/p/android/issues/detail?id=196939 for more information).
I suspect I'm hit by this bug. The isakmpd negotiations seem to work fine, but npppd doesn't see any traffic. When tcpdumping the external interface of the OpenBSD box, I see incoming encrypted traffic, but on a simultaneously running tcpdump on the enc0 interface, I see no traffic at all. This behavior is consistent with the Android bug description: Android is requesting a SHA2 HMAC, but it is using a DRAFT version that is incompatible with the final RFC. So, to validate that I'm indeed hitting this bug (and also as a workaround) I tried to set up the OpenBSD side to not use SHA2. I haven't been able to get this running yet: isakmpd always seems to offer HMAC_SHA2_256. Here is /etc/ipsec.conf: ike passive esp transport \ proto udp from egress to any port 1701 \ main auth "hmac-sha1" enc "aes" group modp1024 \ quick auth "hmac-sha1" enc "aes" group modp1024 \ psk "SHARED_SEEKRIT" With this configuration, isakmpd still offers HMAC_SHA2_256. See a snippet of the output of tcpdumping the pcap file created by isakmpd below. The " ziggo.nl" address is OpenBSD, the "static.kpn.net" address is my Android phone connected to the cellular network): 15:31:00.865423 static.kpn.net.ipsec-nat-t > 5356F312.cm-6-7d.dynamic.ziggo.nl.isakmp: [bad udp cksum e50! -> 74e4] udpencap: isakmp v1.0 exchange QUICK_MODE cookie: 0f659aa030f4904d->64d8256cce1ec37b msgid: 8281d122 len: 460 payload: HASH len: 24 payload: SA len: 336 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 324 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 12 SPI: 0x0a89e2b7 payload: TRANSFORM len: 28 transform: 1 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 256 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256 payload: TRANSFORM len: 28 transform: 2 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 256 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: TRANSFORM len: 28 transform: 3 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 256 attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 payload: TRANSFORM len: 28 transform: 4 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 128 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256 payload: TRANSFORM len: 28 transform: 5 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 128 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: TRANSFORM len: 28 transform: 6 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 128 attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 payload: TRANSFORM len: 24 transform: 7 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256 payload: TRANSFORM len: 24 transform: 8 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: TRANSFORM len: 24 transform: 9 ID: 3DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 payload: TRANSFORM len: 24 transform: 10 ID: DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256 payload: TRANSFORM len: 24 transform: 11 ID: DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_SHA payload: TRANSFORM len: 24 transform: 12 ID: DES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute AUTHENTICATION_ALGORITHM = HMAC_MD5 payload: NONCE len: 20 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 100.93.193.197 payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 83.86.243.18 [ttl 0] (id 1, len 492) 15:31:00.865689 5356F312.cm-6-7d.dynamic.ziggo.nl.ipsec-nat-t > static.kpn.net.ipsec-nat-t: [bad udp cksum 9d3a! -> 1d43] udpencap: isakmp v1.0 exchange QUICK_MODE cookie: 0f659aa030f4904d->64d8256cce1ec37b msgid: 8281d122 len: 148 payload: HASH len: 24 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xacb10a8a payload: TRANSFORM len: 28 transform: 1 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = UDP_ENCAP_TRANSPORT attribute KEY_LENGTH = 256 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA2_256 payload: NONCE len: 20 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 100.93.193.197 payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 83.86.243.18 [ttl 0] (id 1, len 180) ipsecctl shows that hmac-sha2-256 is indeed selected: # ipsecctl -s all FLOWS: flow esp in proto udp from 31.161.203.40 to 83.86.243.18 port l2tp peer 31.161.203.40 srcid 83.86.243.18/32 dstid 100.93.193.197/32 type use flow esp out proto udp from 83.86.243.18 port l2tp to 31.161.203.40 peer 31.161.203.40 srcid 83.86.243.18/32 dstid 100.93.193.197/32 type require SAD: esp transport from 83.86.243.18 to 31.161.203.40 spi 0x030ab16e auth hmac-sha2-256 enc aes-256 esp transport from 31.161.203.40 to 83.86.243.18 spi 0xa31bf5b1 auth hmac-sha2-256 enc aes-256 Using the FIFO based interface to isakmpd, I verified that HMAC_SHA is configured: # get "[Phase 2]:Connections" # get "[Phase 2]:Passive-Connections" from-re1=17-to-0.0.0.0/0=17:1701 # get "[from-re1=17-to-0.0.0.0/0=17:1701]:Configuration" phase2-from-re1=17-to-0.0.0.0/0=17:1701 # get "[phase2-from-re1=17-to-0.0.0.0/0=17:1701]:Suites" phase2-suite-from-re1=17-to-0.0.0.0/0=17:1701 # get "[phase2-suite-from-re1=17-to-0.0.0.0/0=17:1701]:Protocols" phase2-protocol-from-re1=17-to-0.0.0.0/0=17:1701 # get "[phase2-protocol-from-re1=17-to-0.0.0.0/0=17:1701]:PROTOCOL_ID" IPSEC_ESP # get "[phase2-protocol-from-re1=17-to-0.0.0.0/0=17:1701]:Transforms" phase2-transform-from-re1=17-to-0.0.0.0/0=17:1701-AES128-SHA-MODP_1024-TRANSPORT # get "[phase2-transform-from-re1=17-to-0.0.0.0/0=17:1701-AES128-SHA-MODP_1024-TRANSPORT]:AUTHENTICATION_ALGORITHM" HMAC_SHA # I'm likely to miss something obvious here. Why is isakmpd negotiating HMAC_SHA2_256 instead of HMAC_SHA, as it is configured to do? Any hints would be much appreciated. Thanks, Jurjen Oskam