ispec - PSK - issues


ispec - PSK - issues

Steve Clement
Dear List,

I tried to setup a simple road warrior VPN setup for my MacOS machine and
found the following issue.

When using spaces in the pre-shared key the MacOS VPN client (racoon) cannot
connect, this might well be a MacOS issue, but still worth sharing.
(iOS is also playing funny, there I am more stable: iOS 9.3.2 - 13F69)


## OpenBSD vpn 6.0 GENERIC#1898 i386 (Snapshot 20 July 2016)
## Darwin Steves-13-inch-MacBook 16.0.0 Darwin Kernel Version 16.0.0: Sat Jul 9 23:23:38 PDT 2016; root:xnu-3777.0.0.0.1~27/RELEASE_X86_64 x86_64


ipsec.conf has this line:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth "hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc "aes-256" psk "PSK"

Messages output (PSK NO SPACES):

Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 logtype=Started RecvSCCRQ from=85.93.205.98:51860/udp tunnel_id=13/48 protocol=1.0 winsize=4 hostname=Steves-13-inch-MacBook.office.lan vendor=(no vendorname) firm=0000
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 call=25707 logtype=PPPBind ppp=9
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base logtype=TUNNELSTART user="steve" duration=3sec layer2=L2TP layer2from=85.93.205.98:51860 auth=MS-CHAP-V2  ip=10.0.0.129 iface=pppx0
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base Using pipex=yes

Failing line in ipsec.conf:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth "hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc "aes-256" psk "PSK 2"

Messages output (PSK SPACES):

Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:30 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:30 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:33 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:33 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:45 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:45 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED



I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no
clue what the correct config should be, so I haven’t reproduced it under the
Droid.

If someone is more passionate about this I can share some more logs. But
something works for me now and my patience wore thin.

Cheers,

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:[hidden email]
.lu: +352 20 333 55 65

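Added example, not part of the thread: a small triage routine over isakmpd/npppd syslog lines in the format quoted above, run on constructed samples cut down from the two runs in the post. It separates the attribute_unacceptable noise, which the working run logs as well, from the PAYLOAD_MALFORMED drops that only the failing run shows; the rule names and verdict labels are this example's own.

```python
import re
from collections import Counter

# Constructed samples, cut down from the isakmpd/npppd lines quoted in the post above.
OK_LOG = """\
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base logtype=TUNNELSTART user="steve" duration=3sec layer2=L2TP layer2from=85.93.205.98:51860 auth=MS-CHAP-V2 ip=10.0.0.129 iface=pppx0
"""
FAIL_LOG = """\
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
"""

# First matching rule wins; the capture groups carry the fields worth keeping.
RULES = [
    ("proposal_mismatch", re.compile(r"attribute_unacceptable: (\w+): got (\S+), expected (\S+)")),
    ("dropped", re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")),
    ("malformed", re.compile(r"message_parse_payloads: reserved field non-zero")),
    ("tunnel_start", re.compile(r'logtype=TUNNELSTART user="([^"]+)".*layer2from=([\d.]+):\d+')),
    ("peer_closed", re.compile(r"layer=lcp terminated by peer")),
]

def classify(line: str):
    for name, rx in RULES:
        m = rx.search(line)
        if m:
            return name, m.groups()
    return "other", ()

def triage(log: str) -> dict:
    counts = Counter()
    drops = Counter()  # keyed by (peer, notification) for dropped IKE messages
    for line in log.splitlines():
        name, groups = classify(line)
        counts[name] += 1
        if name == "dropped":
            drops[groups] += 1
    # attribute_unacceptable lines appear in the working run too: the client walks its
    # proposal list and isakmpd rejects each non-matching entry, so on their own they are noise.
    if counts["tunnel_start"] and not counts["peer_closed"]:
        verdict = "established"
    elif counts["tunnel_start"]:
        verdict = "l2tp_closed_by_peer"
    elif drops:
        # An encrypted IKE payload that decrypts to garbage parses as malformed: a classic
        # symptom of the two sides deriving different keys, e.g. from a PSK they read differently.
        verdict = "ike_payload_malformed"
    elif counts["proposal_mismatch"]:
        verdict = "no_matching_proposal"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "counts": dict(counts), "drops": dict(drops)}
```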


Re: ispec - PSK - issues

Maurice Janssen-2
On Mon, Jul 25, 2016 at 04:54:09PM +0200, Steve Clement wrote:
>I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no
>clue what the correct config should be, so I haven't reproduced it under the
>Droid.

There seems to be an issue with Android 6.0.1 and L2TP/IPSEC connections:
https://code.google.com/p/android/issues/detail?id=194269

--
Maurice


Re: ispec - PSK - issues

Steve Clement
Your link talks more about 6.0

But this is probably it:
https://code.google.com/p/android/issues/detail?id=196939

Testing in Cyanogenmod would be next.

But the look and feel of all of these issues, I fear OpenVPN would have been
(perhaps less secure) but better to config and mostly use…

Darn those non-compliant peeps :)

I will test further once I recovered ;)

Thanks,

--
Steve Clement


Re: ispec - PSK - issues

Maurice Janssen-2
On Mon, Jul 25, 2016 at 11:13:48PM +0200, Steve Clement wrote:
>Your link talks more about 6.0
>
>But this is probably it:
>https://code.google.com/p/android/issues/detail?id=196939

Yeah, that's the link I wanted to send.  Somehow I managed to copy
the wrong link in my previous email.

Maurice


Re: ispec - PSK - issues

Raul Miller
On Tue, Jul 26, 2016 at 2:08 AM, Maurice Janssen <[hidden email]> wrote:
>>https://code.google.com/p/android/issues/detail?id=196939
>
> Yeah, that's the link I wanted to send.  Somehow I managed to copy
> the wrong link in my previous email.

I have been seeing a lot of copy&paste errors myself, where I
performed the keyboard action to trigger a copy but paste gives me
something from an older context.

I'm sure a lot of people put a lot of time into making things work this way...

--
Raul


Re: ispec - PSK - issues

Justin Mayes
Hello all -

I was also recently trying to do a simple ipsec/l2tp vpn. I found that it works fine for everything except my android 5.1.1 device. The odd thing is that when I watch the log and/or isakmpd output I can see it connect fine, authenticate to l2tp and so on, then it immediately disconnects and says that the client caused the disconnection. When I google I see all sorts of issues with android, but mostly related to 6+. I can even see in the log that npppd successfully authenticates my android and creates a tunnel; android just kills it all after 1 second for some reason. Can anyone confirm that android 5.1.1 works with openbsd ipsec/l2tp before I spend more hours trying to figure out why just this android device is not working? Here is the tail of the log where l2tp is killed right after starting.


npppd[860]: ppp id=20 layer=base logtype=TUNNELSTART user="mike" duration=0sec layer2=L2TP layer2from=x.x.x.x:1701 auth=MS-CHAP-V2  ip=10.0.0.103 iface=pppx0
npppd[860]: ppp id=20 layer=base Using pipex=yes
npppd[860]: ppp id=20 layer=lcp terminated by peer
npppd[860]: l2tpd ctrl=21 RecvStopCCN result=GENERAL/1 error=none/0 tunnel_id=13671 message=""
npppd[860]: l2tpd ctrl=21 call=12222 SendCDN result=ADMINISTRATIVE_REASON/3
npppd[860]: l2tpd ctrl=21 call=12222 logtype=PPPUnbind
npppd[860]: ppp id=20 layer=base logtype=TUNNELUSAGE user="mike" duration=0sec layer2=L2TP layer2from=x.x.x.x:1701 auth=MS-CHAP-V2 data_in=213bytes,9packets data_out=219bytes,10packets error_in=0 error_out=0 mppe=no iface=pppx0
npppd[860]: l2tpd ctrl=21 Received CDN in 'cleanup-wait' state
npppd[860]: l2tpd ctrl=21 logtype=Finished


Justin




Re: ispec - PSK - issues

Maurice Janssen-2
No problems with Android 5.0.2.



Re: ispec - PSK - issues

Stefan Sperling-5
On Thu, Aug 18, 2016 at 07:57:40PM +0000, Justin Mayes wrote:
> Hello all -
>
> I was also recently trying to do a simple ipsec/l2tp vpn. I found that it works fine for everything except my android 5.1.1 device.

This problem and a workaround were already discussed here:
http://marc.info/?l=openbsd-misc&m=145931891921713&w=2

Quote:
[[[
This issue is caused by Android, it sends ESP packets with wrong
padding size when SHA2-256 is selected for HMAC.  It seems that
Android is using an old ietf draft for SHA2-256, but OpenBSD is using
RFC 4868.

When the issue occurs,

  XXX packets with bad payload size or padding received

counter in "netstat -sp esp" will be incremented.

We can force using MD5 or SHA for HMAC to workaround this issue.  To
do this, put the text below to /etc/isakmpd/isakmpd.policy and remove
"-K" from isakmpd_flags.

  Authorizer: "POLICY"
  Comment: This is test
  Licensees: "passphrase:PASSPHRASE"
  conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

--yasuoka
]]]
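What yasuoka's quote describes, as an added example that is not part of the thread: a simplified ESP receiver that, modelled on OpenBSD's input path, checks the encrypted length against the cipher block size before verifying the ICV, fed a packet whose sender truncated the HMAC-SHA-256 ICV to a different length than the receiver expects. The 96-bit versus 128-bit truncation is an assumption (the page only says "old ietf draft" versus RFC 4868); the key, payload and check order are constructed for the demonstration.

```python
import hmac
import hashlib

AES_BLOCK = 16        # aes-256 is the ESP cipher in the ipsec.conf lines earlier in the thread
KEY = b"\x42" * 32    # constructed 256-bit HMAC key, not a real one

def build_esp_body(payload: bytes, icv_bits: int, key: bytes = KEY) -> bytes:
    """Sender side of a simplified ESP body: payload | pad | pad_len | next_hdr | ICV.
    Encryption is left out; the length problem shown here does not depend on it."""
    pad_len = (-(len(payload) + 2)) % AES_BLOCK       # fill up to the cipher block size
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad pattern 1,2,3,...
    body = payload + padding + bytes([pad_len, 17])   # next header 17 = UDP (L2TP)
    icv = hmac.new(key, body, hashlib.sha256).digest()[: icv_bits // 8]
    return body + icv

def receive_esp_body(packet: bytes, icv_bits: int, key: bytes = KEY) -> str:
    """Receiver side. Assumed check order (modelled on OpenBSD's ESP input path): is the
    encrypted part a whole number of cipher blocks, then the ICV, then the padding bytes."""
    icv_len = icv_bits // 8
    body, icv = packet[:-icv_len], packet[-icv_len:]
    if len(body) % AES_BLOCK != 0:
        return "bad payload size or padding"   # the netstat -sp esp counter quoted above
    expected = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return "authentication failed"
    pad_len = body[-2]
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return "bad payload size or padding"
    return "ok"

def interop(sender_icv_bits: int, receiver_icv_bits: int) -> str:
    """One packet from a peer truncating HMAC-SHA-256 to sender_icv_bits, received by a peer
    expecting receiver_icv_bits (assumed: 96 for the old draft, 128 for RFC 4868)."""
    packet = build_esp_body(b"constructed L2TP-over-UDP payload", sender_icv_bits)
    return receive_esp_body(packet, receiver_icv_bits)

if __name__ == "__main__":
    for s, r in ((128, 128), (96, 128), (128, 96)):
        print(f"sender {s}-bit ICV -> receiver expects {r}-bit: {interop(s, r)}")
```

With a 4-byte ICV length mismatch the remaining encrypted part is no longer a multiple of the AES block size, so the packet is counted as bad padding before any MAC is even checked, which is why forcing hmac-md5 or hmac-sha (whose truncations both sides agree on) makes the problem disappear.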