That ipsec.conf works perfectly if I am connecting to the VPN from the LAN
but doesn't work if I put the VPN behind a router doing NAT and redirecting
ports 500 and 4500 to the VPN server. In this case this is logged:

(192.168.1.35 is the IP of the machine behind the router at 221.12.3.4 which
is trying to connect to the VPN through the router at 200.1.32.22.)

     Aug  6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
     Aug  6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
     Aug  6 10:10:34 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
     Aug  6 10:10:34 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
     Aug  6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 221.12.3.4:500

Thanks,
Sebastian
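A small diagnostic for the failure above, added here as an example (it is not code from this thread or from OpenBSD): it parses the isakmpd lines Sebastian posted, pairs each rejected phase 2 ID proposal with the INVALID_ID_INFORMATION drop that follows it, and reports the NAT symptoms visible in them. The egress address 10.0.0.5 is an assumed value for the VPN server's own interface behind the router; the log lines are the ones quoted above.

```python
import ipaddress
import re

# Constructed sample: the isakmpd lines quoted in the message, one event per line.
SAMPLE_LOG = """\
Aug  6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id 200.1.32.22
Aug  6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port 4500 due to notification type INVALID_ID_INFORMATION
Aug  6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 221.12.3.4:500
"""

ID_RE = re.compile(r"invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROP_RE = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")


def parse_phase2_failures(log_text):
    """Pair each 'invalid phase 2 IDs' line with the drop that follows it,
    keeping the proposed IDs plus the UDP source and port seen on the wire."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if m:
            pending = {"initiator_id": m.group(1), "responder_id": m.group(2)}
            continue
        m = DROP_RE.search(line)
        if m and pending and m.group(3) == "INVALID_ID_INFORMATION":
            pending.update(src=m.group(1), port=int(m.group(2)))
            events.append(pending)
            pending = None
    return events


def diagnose(event, egress_ip):
    """List the NAT-related mismatches between the proposed phase 2 IDs,
    the packet source and the address 'egress' resolves to on this server."""
    init = ipaddress.ip_address(event["initiator_id"])
    src = ipaddress.ip_address(event["src"])
    findings = []
    if init.is_private and not src.is_private:
        findings.append("initiator is NATed: id %s, packets arrive from %s" % (init, src))
    if event["port"] == 4500:
        findings.append("NAT-T active (UDP 4500)")
    if event["responder_id"] != egress_ip:
        findings.append("responder id %s is not egress %s: a 'from egress' flow will not match it"
                        % (event["responder_id"], egress_ip))
    return findings


if __name__ == "__main__":
    # 10.0.0.5: assumed private address of the VPN server behind the router.
    for ev in parse_phase2_failures(SAMPLE_LOG):
        for finding in diagnose(ev, "10.0.0.5"):
            print(finding)
```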

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
R0me0 ***
Sent: Thursday, August 4, 2016 1:57 PM
To: Sebastian Wain <[email protected]>
Cc: OpenBSD misc <[email protected]>
Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?

ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
       main auth hmac-sha1 enc 3des group modp2048 \
       quick auth hmac-sha1 enc 3des psk "YOURSECRET"


You are welcome

(:

2016-08-04 13:15 GMT-03:00 Sebastian Wain <[email protected]>:

> I can't figure out how to make an OpenBSD VPN work. I followed the
> guide at [1] to set up a VPN, modified the network interface there to
> tun0 instead of pppoe0, and didn't configure the pf.conf. When I tried
> to connect from Win10 using the "L2TP/IPsec with pre-shared key" VPN
> type I see the issues below in phase 2:
>
> Thanks
> Sebastian
>
> [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn-works-with.html
>
>     Aug  3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:13 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:14 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:15 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:18 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:25 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:40 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id 192.168.0.253
>     Aug  3 11:17:55 fw isakmpd[7947]: dropped message from 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
>     Aug  3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving up on exchange peer-default, no response from peer 192.168.0.129:500
