Yes,

I would like to know this as well; it seems annoying that Android 8/4.x and 
iOS can connect, but not Windows 10 (I haven't tried earlier Windows 10) and 
Android 7.

It's either a user error (which I am willing to admit) or something very 
annoying, especially when my L2TP PSK Windows server can accept connections 
from anything, it seems. 

I would like to get this figured out. 

I appreciate all of the suggestions, but I still can't get android 7 to 
connect, no matter which encryption, authentication or modp I use.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: misc@openbsd.org
Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
Subject: Re: l2tp and openbsd 6.1

Hi,
With L2TP I have a situation where iOS and Android devices could connect but 
Windows 7 and Windows 10 couldn't.

Is it possible to adjust ipsec.conf somehow so it could accept connection from 
Windows clients too?
Or is there a way to adjust some settings in Windows so it will work with 
current ipsec.conf?

I also noticed that I have to add a pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"

Here is npppd.conf:
authentication LOCAL type local {
     users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
     listen on x.x.y.y
}
ipcp IPCP {
         pool-address 192.168.222.2-192.168.222.254
         dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from iPhone 6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=0000
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from iPhone 4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=0000
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN

On 02/10/17 23:03, Charles Amstutz wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
> knowledge).  After searching the previous forum posts (and the internet) I 
> have found a lot of information on l2tp ipsec.conf connection strings. 
> However, I can't get android to connect. I keep getting IKE negotiation 
> failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
> https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
> https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
>
> I can get iOS to connect, but I can't get Android 7 to connect.  I've 
> read that Android has bugs with the VPN client in 6.x and 7.x (not 
> sure if it is fixed in 8 or not). However, what is confusing is that it 
> connects just fine to my Windows L2TP server.  Bug tracker: 
> https://issuetracker.google.com/issues/37074640#c35
>
>
> My goal: Setup openbsd to work with IOS/android/windows/whatever.
>
> My questions.
>
>
> 1)      Can you have more than one ike line in ipsec.conf? from my 
> presumption of looking at sites on the internet, you can, however, I am not 
> sure.
>
> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless 
> it is just two examples
>
>
> 2)      Every time I read a site that says, "this configuration worked for me 
> on android", it doesn't work for me. I presume it is my lack of 
> understanding, though, I'm not ruling out the possible android bug.
>
>
> I appreciate any help.
>
>
>
> Here is my ipsec.conf (this allows iOS to connect)
>
> public_ip = "x.x.x.x"
>
> ike passive esp transport \
>    proto udp from $public_ip to any port 1701 \
>    main auth "hmac-sha1" enc "aes" group modp1024 \
>    quick auth "hmac-sha1" enc "aes" \
>    psk "PSK-GOES-HERE"
>
> Here is my npppd.conf
>
> authentication LOCAL type local {
>          users-file "/etc/npppd/npppd-users"
> }
>
> tunnel L2TP protocol l2tp {
>          listen on 0.0.0.0
>          listen on ::
> }
>
> ipcp IPCP {
>          pool-address 10.0.0.101-10.0.0.254
>          dns-servers x.x.x.x
> }
>
> # use pppx(4) interface.  use an interface per a ppp session.
> interface pppx0 address 10.0.0.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to pppx0
>

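The isakmpd lines in the thread show the attribute-by-attribute rejections that end in NO_PROPOSAL_CHOSEN for the Windows 7 client, while the iPhone survives the same kind of rejections because one of its later proposals matches. As an added illustration (not code from the thread, from isakmpd or from npppd), here is a small Python parser that groups those lines into negotiation attempts and reports what each client offered against the configured policy; the sample log is constructed from lines quoted above, and the parser assumes that an L2TP SCCRQ from a peer means the IPsec SA with that peer was established.

```python
import re

# Constructed sample: isakmpd/npppd lines taken from the thread, one
# successful negotiation (iPhone 6s) and one failed one (Windows 7).
SAMPLE_LOG = """\
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=0000
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: message_negotiate_sa: no compatible proposal found
Oct  4 10:12:37 gw isakmpd[24211]: dropped message from 37.73.208.134 port 16884 due to notification type NO_PROPOSAL_CHOSEN
"""

UNACCEPTABLE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROPPED = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")
L2TP_FROM = re.compile(r"RecvSCCRQ from=([\d.]+):\d+")

def parse_negotiations(log_text):
    """Group attribute_unacceptable lines into negotiation attempts.
    An attempt is closed by NO_PROPOSAL_CHOSEN (failed) or by an L2TP SCCRQ,
    which (assumption) only arrives once the IPsec SA exists (connected)."""
    attempts, current = [], None
    for line in log_text.splitlines():
        if m := UNACCEPTABLE.search(line):
            if current is None:
                current = {"first_ts": line[:15], "rejected": {}, "expected": {},
                           "outcome": "unknown", "peer": None}
                attempts.append(current)
            attr, got, expected = m.groups()
            current["rejected"].setdefault(attr, set()).add(got)
            current["expected"][attr] = expected  # what ipsec.conf allows
        elif current is None:
            continue  # nothing in progress; ignore unrelated lines
        elif "no compatible proposal found" in line:
            current["outcome"] = "failed"
        elif m := DROPPED.search(line):
            current.update(outcome="failed", peer=m.group(1), notify=m.group(2))
            current = None
        elif m := L2TP_FROM.search(line):
            current.update(outcome="connected", peer=m.group(1))
            current = None
    return attempts

def describe(attempt):
    """One line per attempt: offered values versus the configured policy."""
    diffs = ", ".join(f"{a}={'/'.join(sorted(v))} (policy {attempt['expected'][a]})"
                      for a, v in sorted(attempt["rejected"].items()))
    return f"{attempt['first_ts']} peer={attempt['peer']} {attempt['outcome']}: {diffs}"
```

Running `for a in parse_negotiations(SAMPLE_LOG): print(describe(a))` gives one line per client; the failed line lists exactly the transform values the Windows client offered and the ipsec.conf values they were rejected against.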