Monday, October 02, 2017

l2tp and openbsd 6.1

Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux knowledge). After searching the previous forum posts (and the internet) I have found a lot of information on l2tp ipsec.conf connection strings. However, I can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc&m=145922338026396&w=2
https://marc.info/?l=openbsd-misc&m=145614573528471&w=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc


I can get IOS to connect, but I can't get android 7 to connect. I've read that android has bugs with the vpn client in 6.x and 7.x (not sure if it is fixed in 8 or not). However, what is confusing is it connections just fine
To my windows l2tp server. Bug tracker: https://issuetracker.google.com/issues/37074640#c35


My goal: Setup openbsd to work with IOS/android/windows/whatever.

My questions.


1) Can you have more than one ike line in ipsec.conf? from my presumption of looking at sites on the internet, you can, however, I am not sure.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is just two examples


2) Every time I read a site that says, "this configuration worked for me on android", it doesn't work for me. I presume it is my lack of understanding, though, I'm not ruling out the possible android bug.


I appreciate any help.



Here is my ipsec.conf (this allows IOS to connect)

public_ip = "x.x.x.x"



ike passive esp transport \

proto udp from $public_ip to any port 1701 \

main auth "hmac-sha1" enc "aes" group modp1024\

quick auth "hmac-sha1" enc "aes" \

psk "PSK-GOES-HERE"

Here is my npppd.conf



authentication LOCAL type local {

users-file "/etc/npppd/npppd-users"

}



tunnel L2TP protocol l2tp {

listen on 0.0.0.0

listen on ::

}



ipcp IPCP {

pool-address 10.0.0.101-10.0.0.254

dns-servers x.x.x.x

}



# use pppx(4) interface. use an interface per a ppp session.

interface pppx0 address 10.0.0.1 ipcp IPCP

bind tunnel from L2TP authenticated by LOCAL to pppx0

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)