Re: l2ip + ipsec question

2020-07-21 Thread kasak



21.07.2020 11:43, Stuart Henderson writes:

> most endpoints cope with slightly less terrible crypto, you can try
> something like
>
> ike passive esp transport \
>  proto udp from my.external.ip to any port 1701 \
>  main auth "hmac-sha1" enc "aes-256" group modp2048 \
>  quick auth "hmac-sha2-256" enc "aes-256" \
>  psk "0s5jTDcMziOVw3DXZqaGOVlEZyoe8I9c"
>
> (psk generated randomly from "openssl rand -base64 (length)", use
> something complex if you can copy-and-paste to the other devices)


Yep, mod2048 works, thanks!

>> 2) ipsec.conf man says that "esp" is default. But if I omit this
>> option, it stops working with an error like: PAYLOAD_MALFORMED.
>>
>> 3) and the most difficult for me to understand: why do all howtos use
>> this fragment:
>>
>> proto udp from my.ga.te.ip to any port 1701 ??
>>
>> the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port
>> dport]
>>
>> so, this line declares a tunnel where our gate uses any port, and our
>> expected remote client uses port 1701?? why does this even work?
>>
>> Thank you in advance for help!
>
> It relies on the fact that l2tp uses a fixed source port, iirc you can
> use "from my.gate.ip port 1701 to any port 1701" if you want.
>
> btw I strongly recommend avoiding l2tp+ipsec if you have another choice.
> Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn
> cope better if you end up on a natted network.


I'm sorry, but I still do not understand. I have fired up tcpdump on enc0
and this is what I see there:

12:20:01.791795 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=13,Nr=65535[hdlc|][|l2tp]
12:20:01.894911 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=14,Nr=65535[hdlc|][|l2tp]
12:20:05.066256 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]
12:20:06.073233 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]


Here, 212.233.112.12 is my gateway ip, and mx.kasakoff.net is the client.

As I can see, the client side does not use port 1701.

But either

"from 212.233.112.12 port l2tp to any"

or

"from 212.233.112.12 to any port l2tp" works!

I can't fully understand why.
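
As an added example (not code from this thread or from OpenBSD), here is a small Python script that parses the enc0 records above and checks them against the `from src [port sport] to dst [port dport]` selector grammar quoted in the questions. It assumes tcpdump's one-record-per-line output and models a selector written without an explicit direction as an out flow plus its mirror image as the in flow; both are assumptions of this script, not statements from the thread. The thread does not settle why the second form also works in practice; the script only shows what a literal reading of each selector would match in this capture, which is the check worth running before trusting a policy line copied from a howto.

```python
import re

# Constructed sample input: the four enc0 records posted above, re-joined so that
# each packet is one line (tcpdump prints one record per line; the mail wrapped them).
CAPTURE = """\
12:20:01.791795 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=13,Nr=65535[hdlc|][|l2tp]
12:20:01.894911 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=14,Nr=65535[hdlc|][|l2tp]
12:20:05.066256 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]
12:20:06.073233 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]
"""

# tcpdump prints service names for well-known ports; only the one in the capture is needed.
SERVICES = {"l2tp": 1701}

# One enc0 record: timestamp, ESP properties, SPI, then "src.sport > dst.dport:".
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
)

# ipsec.conf(5) selector: [proto X] from src [port sport] to dst [port dport]
FLOW_RE = re.compile(
    r"^(?:proto (?P<proto>\w+) )?from (?P<src>\S+)(?: port (?P<sport>\w+))?"
    r" to (?P<dst>\S+)(?: port (?P<dport>\w+))?$"
)


def port_number(token):
    """Map 'l2tp' -> 1701, '59516' -> 59516."""
    return SERVICES[token] if token in SERVICES else int(token)


def parse_capture(text):
    """Return one dict per enc0 record; lines that are not records are skipped."""
    packets = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue
        packets.append({
            "ts": m["ts"],
            "flags": frozenset(m["flags"].split(",")),
            "spi": int(m["spi"], 16),
            "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]),
        })
    return packets


def ports_per_host(packets):
    """Which UDP ports each host was seen using, in either direction."""
    seen = {}
    for p in packets:
        seen.setdefault(p["src"], set()).add(p["sport"])
        seen.setdefault(p["dst"], set()).add(p["dport"])
    return seen


def all_authenticated_and_encrypted(packets):
    """True when every record carries ESP with both integrity and confidentiality."""
    return all({"authentic", "confidential"} <= p["flags"] for p in packets)


def parse_flow(spec):
    """Expand a selector into the directional flows it stands for.

    Modelling assumption (not from the thread): a selector without 'in'/'out' is the
    out flow plus its mirror image as the in flow, so 'from gw to any port 1701'
    means gw:any -> any:1701 outbound and any:1701 -> gw:any inbound.
    """
    m = FLOW_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"unsupported flow syntax: {spec!r}")
    sport = port_number(m["sport"]) if m["sport"] else None  # None == any port
    dport = port_number(m["dport"]) if m["dport"] else None
    return {"out": (m["src"], sport, m["dst"], dport),
            "in": (m["dst"], dport, m["src"], sport)}


def _host_ok(selector, actual):
    return selector == "any" or selector == actual


def _port_ok(selector, actual):
    return selector is None or selector == actual


def classify(flow, packet):
    """Return 'out', 'in' or None depending on which directional flow the packet matches."""
    for direction, (s, sp, d, dp) in flow.items():
        if (_host_ok(s, packet["src"]) and _port_ok(sp, packet["sport"])
                and _host_ok(d, packet["dst"]) and _port_ok(dp, packet["dport"])):
            return direction
    return None


def summarize(spec, packets):
    """Count how many captured packets a selector would match, per direction."""
    flow = parse_flow(spec)
    counts = {"out": 0, "in": 0, "unmatched": 0}
    for p in packets:
        counts[classify(flow, p) or "unmatched"] += 1
    return counts


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print("ports per host:", ports_per_host(pkts))
    print("all ESP auth+enc:", all_authenticated_and_encrypted(pkts))
    for spec in ("proto udp from 212.233.112.12 port l2tp to any",
                 "proto udp from 212.233.112.12 to any port l2tp",
                 "proto udp from 212.233.112.12 port 1701 to any port 1701"):
        print(f"{spec!r}: {summarize(spec, pkts)}")
```

The port table makes the observation in the message explicit (only the gateway side is ever on 1701), and the per-selector counts show which of the three selector spellings discussed in the thread would, read literally, cover the captured packets. The `(authentic,confidential)` check is the quick way to confirm from enc0 that traffic is going through ESP with both integrity and encryption, which is what the default `esp` keyword from question 2 is meant to give.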



Re: l2ip + ipsec question

2020-07-21 Thread Stuart Henderson
On 2020-07-20, kasak wrote:
> Hello misc.
> Recently, I needed to set up l2tp-ipsec for some ip phones to reach my
> network.
>
> so, the l2tp part is no trouble at all with npppd, but, the ipsec part
> is harder to understand.
>
> after reading ipsec and ipsec.conf man,
>
> I tried to add just one line:
>
> ike passive from my.ga.te.ip to any psk "mykey"
>
> but this didn't work.
>
> after some googling, i have found this line:
>
> ike passive esp transport \
>  proto udp from 1.2.3.4 to any port 1701 \
>  main auth "hmac-sha1" enc "3des" group modp1024 \
>  quick auth "hmac-sha1" enc "aes" \
>  psk "password"
>
> it was found on undeadly.org

most endpoints cope with slightly less terrible crypto, you can try
something like

ike passive esp transport \
proto udp from my.external.ip to any port 1701 \
main auth "hmac-sha1" enc "aes-256" group modp2048 \
quick auth "hmac-sha2-256" enc "aes-256" \
psk "0s5jTDcMziOVw3DXZqaGOVlEZyoe8I9c"

(psk generated randomly from "openssl rand -base64 (length)", use
something complex if you can copy-and-paste to the other devices)

> I need help to understand how it even works.
>
> 1) why does somebody use "transport" here and somebody use "tunnel"? I
> myself tried "transport" and it works. then, what is the difference for
> l2tp?

"tunnel" adds an extra header to the packet carrying src/dest addresses
so ipsec can directly protect packets from other machines.

"transport" doesn't have the extra header so ipsec can only carry
packets from endpoint to endpoint - but this reduces overheads and
increases max usable packet size. the "endpoint-endpoint" traffic can
itself be a tunnel as is the case with l2tp.

the usual setup for l2tp+ipsec has transport mode to reduce overheads.
(both ends need to be set the same way).

> 2) ipsec.conf man says that "esp" is default. But if I omit this
> option, it stops working with an error like: PAYLOAD_MALFORMED.
>
> 3) and the most difficult for me to understand: why do all howtos use
> this fragment:
>
> proto udp from my.ga.te.ip to any port 1701 ??
>
> the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port
> dport]
>
> so, this line declares a tunnel where our gate uses any port, and our
> expected remote client uses port 1701?? why does this even work?
>
> Thank you in advance for help!
>
>
>

It relies on the fact that l2tp uses a fixed source port, iirc you can
use "from my.gate.ip port 1701 to any port 1701" if you want.

btw I strongly recommend avoiding l2tp+ipsec if you have another choice.
Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn
cope better if you end up on a natted network.




l2ip + ipsec question

2020-07-20 Thread kasak

Hello misc.
Recently, I needed to set up l2tp-ipsec for some ip phones to reach my
network.

so, the l2tp part is no trouble at all with npppd, but, the ipsec part
is harder to understand.

after reading ipsec and ipsec.conf man,

I tried to add just one line:

ike passive from my.ga.te.ip to any psk "mykey"

but this didn't work.

after some googling, i have found this line:

ike passive esp transport \
proto udp from 1.2.3.4 to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "password"

it was found on undeadly.org

I need help to understand how it even works.

1) why does somebody use "transport" here and somebody use "tunnel"? I
myself tried "transport" and it works. then, what is the difference for
l2tp?


2) ipsec.conf man says that "esp" is default. But if I omit this
option, it stops working with an error like: PAYLOAD_MALFORMED.

3) and the most difficult for me to understand: why do all howtos use
this fragment:

proto udp from my.ga.te.ip to any port 1701 ??

the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port
dport]

so, this line declares a tunnel where our gate uses any port, and our
expected remote client uses port 1701?? why does this even work?


Thank you in advance for help!