OpenBSD VPN stops working after NAT-T update...
From: Fredrik Malm (fmm00001@student.mdh.se)
Date: Mon Nov 01 2004 - 15:15:05 CST
Hello
I'm running OpenBSD 3.6 + isakmpd + l2tpd + l2tp/ipsec (built-in client
in windows-xp) to make a VPN connection. Here's the config for isakmpd
isakmpd.conf
[General]
Retransmits = 5
Exchange-max-time = 120
[Phase 1]
Default = ISAKMP-clients
[Phase 2]
Passive-Connections = IPSec-clients
[ISAKMP-clients]
Phase = 1
Transport = udp
Configuration = win-main-mode
Authentication = mysecret
[IPsec-clients]
Phase = 2
Configuration = win-quick-mode
Local-ID = default-route
Remote-ID = dummy-remote
[default-route]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0
[dummy-remote]
ID-type = IPV4_ADDR
Address = 0.0.0.0
[win-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2
[win-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE
isakmpd.policy
Comment: This policy accepts ESP SAs from a remote that uses the right
password.
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
This config works nice but after upgrading the windows client to support
nat-t http://support.microsoft.com/?kbid=818043 it stopped working.
Running isakmpd -d -D9=99 shows the following: Default dropped message
from a.b.c.d port 4500 due to notification type PAYLOAD_MALFORMED. It is
also the only output I can get from isakmpd. I have checked the
pre-shared secret on both sides and it's OK. I can still make
connections to the server with another machine which doesn't have the
patch installed. So there must be some changes to the client during the
install of the nat-t patch. But I can't figure it out.
My network setup:
Internet ---------- Public IP |OpenBSD3.6/nat+isakmpd+l2tpd| Private Address ---------- Local LAN
pf is configured to allow udp ports 500 + 4500 + esp
Thanks!
--------------------------------------------
Fredrik Malm
mail: fmm00001@student.mdh.se
mobile: 073-718 83 93
icq: 4411301
--------------------------------------------
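The PAYLOAD_MALFORMED drop reported above is raised only after the IKE daemon has removed the NAT-T framing from the UDP/4500 datagram and checked the ISAKMP lengths. As an added example (not code from the original post or from isakmpd), this Python parser demultiplexes a UDP/4500 datagram and walks the ISAKMP payload chain, returning the first length check that fails; it assumes the RFC 3948 framing (lone 0xFF keepalive, non-zero SPI for UDP-encapsulated ESP, four-byte zero non-ESP marker before IKE), and all sample packets are constructed.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
EXCHANGES = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK_MODE"}
FLAG_ENCRYPTION = 0x01                      # payloads after the header are ciphertext


def parse_isakmp(msg: bytes) -> dict:
    """Validate an ISAKMP message; each failure here is what a peer reports as PAYLOAD_MALFORMED."""
    if len(msg) < ISAKMP_HDR.size:
        return {"kind": "malformed", "reason": "truncated ISAKMP header"}
    _ic, _rc, np, ver, exch, flags, _msgid, length = ISAKMP_HDR.unpack(msg[:ISAKMP_HDR.size])
    if length != len(msg):
        return {"kind": "malformed", "reason": f"header says {length} bytes, got {len(msg)}"}
    info = {"kind": "ike", "exchange": EXCHANGES.get(exch, exch), "version": (ver >> 4, ver & 0xF),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        return info                         # payload chain is encrypted; nothing more to check here
    off = ISAKMP_HDR.size
    while np != 0:                          # walk the generic payload chain to its end
        if off + GENERIC_HDR.size > len(msg):
            return {"kind": "malformed", "reason": "payload chain runs past end of message"}
        np_next, _res, plen = GENERIC_HDR.unpack(msg[off:off + GENERIC_HDR.size])
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            return {"kind": "malformed", "reason": f"bad payload length {plen} at offset {off}"}
        info["payloads"].append(np)
        off, np = off + plen, np_next
    if off != len(msg):
        return {"kind": "malformed", "reason": "trailing bytes after the last payload"}
    return info


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex what a peer sends to UDP/4500: keepalive, UDP-encapsulated ESP, or IKE."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than an SPI / non-ESP marker"}
    if payload[:4] != b"\x00\x00\x00\x00":  # non-zero first word: it is the SPI of UDP-encapsulated ESP
        return {"kind": "udp-encap-esp", "spi": struct.unpack("!I", payload[:4])[0]}
    return parse_isakmp(payload[4:])        # four zero bytes (non-ESP marker) precede an IKE message


def sample_main_mode(bad_length: bool = False) -> bytes:
    """Constructed first main-mode message: marker + header + one SA payload (DOI, situation)."""
    sa = GENERIC_HDR.pack(0, 0, 12) + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"
    length = ISAKMP_HDR.size + len(sa) + (7 if bad_length else 0)   # wrong length to trigger the drop
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, length)
    return b"\x00\x00\x00\x00" + hdr + sa
```

Run the classifier over a capture of port 4500 traffic (for example the output of tcpdump) to see which check a dropped message fails before blaming the pre-shared secret.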