
L2TP Server: can't connect from macOS behind NAT without some changes to IPsec config
Closed, Resolved (Public)

Description

Hi! Just found an issue: a user behind NAT can't connect to the L2TP+IPsec server with the right config (posted above) without fixing (adding some options to) /etc/ipsec.d/tunnels/remote-access (posted above; the lines that were added are marked with ->>> <<<-).
Client running macOS Sierra.

  1. macOS uses 3des-sha1-modp1024, which is not added to the config by default.
  2. Without specifying rightsubnet=0.0.0.0/0, IPsec could not find a child SA. But the allowed networks were added to the VyOS config...

Please, test and confirm.

CONFIG:

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0.900
        }
        nat-networks {
            allowed-network 10.0.0.0/24 {
            }
            allowed-network 172.16.0.0/20 {
            }
            allowed-network 192.168.0.0/16 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username mihon {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.255.1
                stop 192.168.255.254
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
            }
            outside-address A.B.C.D
        }
    }
}

/etc/ipsec.d/tunnels/remote-access:

conn remote-access
  authby=secret
    ->>> installpolicy=yes <<<-
    ->>> type=transport <<<-
  pfs=no
  left=A.B.C.D
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  ->>> rightsubnet=0.0.0.0/0 <<<-
  auto=add
  ->>> ike=aes256-sha1,3des-sha1-modp1024!  <<<-
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  esp=aes256-sha1,3des-sha1!
  rekey=no
  ikelifetime=3600
  keylife=3600
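
To make the two points in the report checkable rather than read off by eye, here is an added example (not VyOS or vyatta-ravpn code) that parses a strongSwan-style `conn` block and asks the two questions the task raises: does the `ike=` line accept the proposal the macOS client offers, and is `rightsubnet=0.0.0.0/0` (plus `type=transport`) present so a NAT'd client's child SA can be matched. It also lists which proposals contain legacy algorithms (3DES, SHA-1, MODP-1024), since those lines exist only for client compatibility and an operator should know they are there. Assumptions: the client offer `3des-sha1-modp1024` is taken from the task description, negotiation is simplified to an exact proposal-string match, the `WEAK_TOKENS` list and all function names are mine, and the two `conn` blocks are constructed from the file above (with and without the marked lines).

```python
"""Check a strongSwan-style `conn` block for the gaps described in the task.
Added example; not VyOS code. Proposal matching is an exact string match."""

# Assumed client offer, taken from the task description (macOS Sierra).
MACOS_IKE_PROPOSALS = ["3des-sha1-modp1024"]
# Legacy algorithm tokens worth flagging (list chosen for this example).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_conn(text):
    """Return {key: [values...]} for the first `conn` section in text.
    Keys may repeat (the report's file has two rightsubnet lines), so all
    values are kept in order. The report's ->>> <<<- markers are stripped."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.replace("->>>", "").replace("<<<-", "").strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            if in_conn:
                break  # only the first conn block is examined
            in_conn = True
            settings["_name"] = [line.split(None, 1)[1]]
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def split_proposals(value):
    """'aes256-sha1,3des-sha1-modp1024!' -> (['aes256-sha1', '3des-sha1-modp1024'], True).
    The trailing '!' is strongSwan's strict flag (no other proposals accepted)."""
    strict = value.endswith("!")
    items = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    return items, strict


def negotiated_ike(server_ike, client_offers):
    """First client proposal found verbatim in the server's ike= list, else ''.
    Simplification: a server proposal that omits the DH group is not treated
    as matching a client proposal that names one."""
    server, _ = split_proposals(server_ike)
    for offer in client_offers:
        if offer in server:
            return offer
    return ""


def weak_proposals(server_ike):
    """Proposals on the ike= line that contain a legacy algorithm token."""
    proposals, _ = split_proposals(server_ike)
    return [p for p in proposals if WEAK_TOKENS & set(p.split("-"))]


def check_remote_access(text, client_offers=MACOS_IKE_PROPOSALS):
    """Return the negotiated proposal, weak proposals and a list of findings."""
    conf = parse_conn(text)
    ike = conf.get("ike", [""])[-1]  # last value if the key is repeated
    findings = []
    chosen = negotiated_ike(ike, client_offers)
    if not chosen:
        findings.append("ike= accepts none of: " + ", ".join(client_offers))
    if "0.0.0.0/0" not in conf.get("rightsubnet", []):
        findings.append("rightsubnet=0.0.0.0/0 missing: NAT'd client's child SA will not match")
    if conf.get("type", [""])[-1] != "transport":
        findings.append("type=transport missing: L2TP/IPsec uses transport mode")
    return {"negotiated_ike": chosen, "weak": weak_proposals(ike), "findings": findings}


# Constructed from the task's remote-access file, markers removed, fix lines kept.
FIXED_CONN = """\
conn remote-access
  authby=secret
  installpolicy=yes
  type=transport
  pfs=no
  left=A.B.C.D
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  rightsubnet=0.0.0.0/0
  auto=add
  ike=aes256-sha1,3des-sha1-modp1024!
  esp=aes256-sha1,3des-sha1!
"""

# Same block with the four marked lines absent (assumed pre-fix state).
PREFIX_CONN = "\n".join(
    l for l in FIXED_CONN.splitlines()
    if not l.strip().startswith(("installpolicy=", "type=", "ike=", "rightsubnet=0.0.0.0/0"))
)

if __name__ == "__main__":
    for label, conf in (("pre-fix", PREFIX_CONN), ("fixed", FIXED_CONN)):
        print(label, check_remote_access(conf))
```

Running it prints three findings for the pre-fix block and none for the fixed one, while still listing both `aes256-sha1` and `3des-sha1-modp1024` as weak because of SHA-1 and MODP-1024.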

Details

Difficulty level: Easy (less than an hour)
Version: 999.201702152137 (default boot)
Why the issue appeared?: Implementation mistake

Event Timeline

gaztel created this task. Feb 17 2017, 3:33 PM
gaztel renamed this task from "L2TP Server cant connect from macosx without some changes to config" to "L2TP Server: cant connect from macosx behind nat without some changes to ipsec config". Feb 17 2017, 3:36 PM
c-po added a subscriber: c-po. Edited Aug 3 2017, 1:55 PM

I can confirm this. The above-mentioned lines are not present in my custom build (Version: VyOS 999.201708011131).

Access from Windows 10 / iOS 10 is not working.

syncer added a subscriber: syncer. Aug 5 2017, 12:30 AM

@gaztel, can you assign this to me please?

c-po added a comment. Edited Aug 25 2017, 9:41 AM

@gaztel I modified the pm script responsible for the configuration and verified it with iOS 10.3.3 as I do not have a Mac. Windows 10 is now also able to connect.
https://github.com/c-po/vyatta-ravpn/commit/20b85ddf4777ced900da2a56c25922c190823dd5

c-po added a comment. Sep 1 2017, 1:03 PM

@syncer This one is fixed/merged and already working in the nightly builds.

syncer closed this task as Resolved. May 27 2018, 9:18 AM
syncer claimed this task.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.