On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> wrote: > Hello everyone, > > I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux > knowledge). After searching the previous forum posts (and the internet) I > have found a lot of information on l2tp ipsec.conf connection strings. > However, I can't get android to connect. I keep getting IKE negotiation > failed errors. > > I've looked at sites such as: > > http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html > https://www.authbsd.com/blog/?p=20 > http://daemonforums.org/showthread.php?t=10326 > https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/ > https://man.openbsd.org/npppd.conf.5 > https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/ > https://marc.info/?l=openbsd-misc&m=145922338026396&w=2 > https://marc.info/?l=openbsd-misc&m=145614573528471&w=2 > https://www.mail-archive.com/misc@openbsd.org/msg145747.html > ... etc > > > I can get IOS to connect, but I can't get android 7 to connect. I've read > that android has bugs with the vpn client in 6.x and 7.x (not sure if it is > fixed in 8 or not). However, what is confusing is it connections just fine > To my windows l2tp server. Bug tracker: > https://issuetracker.google.com/issues/37074640#c35 > > > My goal: Setup openbsd to work with IOS/android/windows/whatever. > > My questions. > > > 1) Can you have more than one ike line in ipsec.conf? from my > presumption of looking at sites on the internet, you can, however, I am not > sure. > > https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is > just two examples > > > 2) Every time I read a site that says, "this configuration worked for me > on android", it doesn't work for me. I presume it is my lack of > understanding, though, I'm not ruling out the possible android bug. > > > I appreciate any help. > > > > Here is my ipsec.conf (this allows IOS to connect) > > public_ip = "x.x.x.x" > > > > ike passive esp transport \ > > proto udp from $public_ip to any port 1701 \ > > main auth "hmac-sha1" enc "aes" group modp1024\ > > quick auth "hmac-sha1" enc "aes" \ > > psk "PSK-GOES-HERE" > > Here is my npppd.conf > > > > authentication LOCAL type local { > > users-file "/etc/npppd/npppd-users" > > } > > > > tunnel L2TP protocol l2tp { > > listen on 0.0.0.0 > > listen on :: > > } > > > > ipcp IPCP { > > pool-address 10.0.0.101-10.0.0.254 > > dns-servers x.x.x.x > > } > > > > # use pppx(4) interface. use an interface per a ppp session. > > interface pppx0 address 10.0.0.1 ipcp IPCP > > bind tunnel from L2TP authenticated by LOCAL to pppx0
I'm able to connect using a similar setup, but using aes-256 instead of aes as encoding in ipsec.conf. -- :wq!