Quoting Stuart Henderson <s...@spacehopper.org>:

On 2017-10-02, Charles Amstutz <charl...@infinitesys.com> wrote:
Hello Sterling,

Thanks for the response. I changed it to

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes-256" group modp1024 \
   quick auth "hmac-sha1" enc "aes-256" \
   PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using aes). I am dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't a potential pf problem, I guess. However, if iOS and Android 8 would connect, I would think that would rule out a pf problem?

Is there a way to turn on additional debugging? I'm using isakmpd -K in rc.conf.local, so I'm not using isakmpd.policy/.conf (from my understanding). Everything in /var/log/messages is just from npppd. Unless I'm reading it wrong, there don't appear to be any errors.

I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"
in rc.conf.local as a general-purpose debugging config, then if there's a
particular area I look at isakmpd source to see if I need to bump one of
them up a little. These end up in /var/log/daemon (or start it by hand to
run in the foreground using -d).

1) Can you have more than one ike line in ipsec.conf? From my presumption, from looking at sites on the internet, you can; however, I am not sure.

You can, *but* only one "default peer" ("to any" line) will take effect.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
it is just two examples.

That site makes it look like you can use the two, but it won't work like that.
One config will override the other.

I don't know about Android 8 but have been able to use iPhones as well as Android tablets with the following on an older version of OpenBSD. Hope this is helpful and not sending the OP in the wrong direction.

In npppd.conf, I am using

interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

instead of

interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

and in pf.conf, I have

pass in quick on tun0 inet proto tcp from 10.0.0.0/24
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
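Added example, not part of the thread above: a small lint that checks an ipsec.conf for the overlap Stuart describes, i.e. more than one "ike ... to any" rule competing for the single default-peer slot, so the second rule silently overrides the first. The parser only covers the subset of ipsec.conf(5) syntax needed here (comments, backslash continuations, the from/to pair and an optional "peer" keyword); it assumes, as ipsec.conf(5) documents, that a rule without an explicit "peer" uses its "to" address as the peer. The sample configuration is constructed for this example and deliberately repeats the "to any" mistake.

```python
"""Lint an ipsec.conf for multiple default-peer ("to any") ike rules.

Added example for the misc@ thread on L2TP/IPsec with isakmpd/npppd; not part
of the original posts.  Assumes ipsec.conf(5) semantics: without an explicit
'peer', the 'to' address is the peer, so 'to any' makes a rule the default
peer, and isakmpd honours only one of those.
"""

import re

# Constructed sample: two road-warrior rules both using "to any" (only one
# will take effect) plus one site-to-site rule with an explicit peer.
SAMPLE_IPSEC_CONF = """\
# L2TP/IPsec for road warriors (first attempt)
ike passive esp transport \\
    proto udp from 203.0.113.10 to any port 1701 \\
    main auth "hmac-sha1" enc "aes-256" group modp1024 \\
    quick auth "hmac-sha1" enc "aes-256" \\
    PSK "PSK-GOES-HERE"

# second attempt left in place: collides with the rule above
ike passive esp transport proto udp from 203.0.113.10 to any port 1701 \\
    main auth "hmac-sha1" enc "aes" group modp1024 \\
    quick auth "hmac-sha1" enc "aes" \\
    PSK "PSK-GOES-HERE"

# site-to-site with an explicit peer: does not use the default-peer slot
ike esp from 10.0.0.0/24 to 10.1.0.0/24 peer 198.51.100.7
"""

_FROM_TO = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")
_PEER = re.compile(r"\bpeer\s+(\S+)")


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines.

    Simplification: a '#' is treated as a comment even inside quotes, so a
    PSK containing '#' would be truncated (the sample avoids that).
    """
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def parse_ike_rules(text):
    """Return a list of dicts for every 'ike' rule: from, to, peer, line."""
    rules = []
    for line in logical_lines(text):
        if not line.startswith("ike "):
            continue
        m = _FROM_TO.search(line)
        if not m:
            continue
        src, dst = m.groups()
        pm = _PEER.search(line)
        peer = pm.group(1) if pm else dst  # ipsec.conf(5): peer defaults to 'to'
        rules.append({"from": src, "to": dst, "peer": peer, "line": line})
    return rules


def default_peer_rules(rules):
    """Rules whose effective peer is 'any', i.e. candidates for default peer."""
    return [r for r in rules if r["peer"] == "any"]


def lint(text):
    """Return warning strings; empty list means no default-peer collision."""
    defaults = default_peer_rules(parse_ike_rules(text))
    if len(defaults) <= 1:
        return []
    listing = "\n".join("  " + r["line"] for r in defaults)
    return [
        f"{len(defaults)} ike rules use 'to any' (default peer); only one "
        f"takes effect, the others are overridden:\n{listing}"
    ]


if __name__ == "__main__":
    for w in lint(SAMPLE_IPSEC_CONF):
        print("WARNING:", w)
```

Run it against a real file with `lint(open("/etc/ipsec.conf").read())`; a clean file yields no warnings, the sample yields one naming both "to any" rules.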
