ipsec - PSK - issues
Steve Clement
2016-07-25 14:54:09 UTC
Dear List,

I tried to set up a simple road warrior VPN for my MacOS machine and
found the following issue.

When using spaces in the pre-shared key, the MacOS VPN client (racoon) cannot
connect; this might well be a MacOS issue, but it is still worth sharing.
(iOS is also playing funny, there I am more stable: iOS 9.3.2 - 13F69)


## OpenBSD vpn 6.0 GENERIC#1898 i386 (Snapshot 20 July 2016)
## Darwin Steves-13-inch-MacBook 16.0.0 Darwin Kernel Version 16.0.0: Sat Jul
9 23:23:38 PDT 2016; root:xnu-3777.0.0.0.1~27/RELEASE_X86_64 x86_64


ipsec.conf has this line:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth
"hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc
"aes-256" psk "PSK"

Messages output (PSK NO SPACES):

Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION:
got MODP_2048, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got MD5, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA2_512, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION:
got MODP_1536, expected MODP_1024
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA, expected SHA2_256
Jul 25 16:07:02 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got MD5, expected SHA2_256
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 logtype=Started RecvSCCRQ
from=85.93.205.98:51860/udp tunnel_id=13/48 protocol=1.0 winsize=4
hostname=Steves-13-inch-MacBook.office.lan vendor=(no vendorname) firm=0000
Jul 25 16:07:03 vpn npppd[51700]: l2tpd ctrl=13 call=25707 logtype=PPPBind
ppp=9
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base logtype=TUNNELSTART
user="steve" duration=3sec layer2=L2TP layer2from=85.93.205.98:51860
auth=MS-CHAP-V2 ip=10.0.0.129 iface=pppx0
Jul 25 16:07:06 vpn npppd[51700]: ppp id=9 layer=base Using pipex=yes

Failing line in ipsec.conf:

ike passive esp transport proto udp from $public_ip to any port l2tp main auth
"hmac-sha2-256" enc "aes-256" group modp1024 quick auth "hmac-sha2-256" enc
"aes-256" psk "PSK 2"

Messages output (PSK SPACES):

Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION:
got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA2_512, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION:
got MODP_1536, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM:
got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field
non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port
61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: message_parse_payloads: reserved field
non-zero: af
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port
61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:30 vpn isakmpd[80810]: message_parse_payloads: reserved field
non-zero: af
Jul 25 16:10:30 vpn isakmpd[80810]: dropped message from 85.93.205.98 port
61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:33 vpn isakmpd[80810]: message_parse_payloads: reserved field
non-zero: af
Jul 25 16:10:33 vpn isakmpd[80810]: dropped message from 85.93.205.98 port
61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:45 vpn isakmpd[80810]: message_parse_payloads: reserved field
non-zero: af
Jul 25 16:10:45 vpn isakmpd[80810]: dropped message from 85.93.205.98 port
61021 due to notification type PAYLOAD_MALFORMED



I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no
clue what the correct config should be, so I haven’t reproduced it under the
Droid.

If someone is more passionate about this I can share some more logs. But
something works for me now and my patience wore thin.

Cheers,

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:***@localhost.lu
.lu: +352 20 333 55 65
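As an added example (not from the post and not OpenBSD code), a small triage script for isakmpd lines like the ones above: it separates the routine attribute_unacceptable proposal negotiation (the client offers several transforms until one matches) from repeated PAYLOAD_MALFORMED drops, which indicate the peer's packet itself is broken rather than merely mismatched. The sample lines are re-joined from the wrapped ones in the post; the drop_threshold parameter is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: isakmpd/npppd lines re-joined from the wrapped output in the post.
SAMPLE_LOG = """\
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Jul 25 16:10:23 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:23 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:26 vpn isakmpd[80810]: message_parse_payloads: reserved field non-zero: af
Jul 25 16:10:26 vpn isakmpd[80810]: dropped message from 85.93.205.98 port 61021 due to notification type PAYLOAD_MALFORMED
Jul 25 16:10:30 vpn npppd[51700]: ppp id=9 layer=base Using pipex=yes
"""

ATTR_RE = re.compile(r"isakmpd\[\d+\]: attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
DROP_RE = re.compile(r"isakmpd\[\d+\]: dropped message from ([\d.]+) port (\d+) due to notification type (\w+)")
PARSE_RE = re.compile(r"isakmpd\[\d+\]: message_parse_payloads: (.*)")


def triage(log_text, drop_threshold=2):
    """Summarise isakmpd lines. Proposal mismatches are normal IKEv1 negotiation
    noise; a peer that repeatedly hits PAYLOAD_MALFORMED (drop_threshold is an
    assumed cut-off) is sending packets isakmpd cannot even parse."""
    mismatches = Counter()              # (attribute, got, expected) -> count
    drops = defaultdict(Counter)        # "peer:port" -> {notification: count}
    parse_errors = []                   # raw message_parse_payloads reasons
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            mismatches[m.groups()] += 1
            continue
        m = DROP_RE.search(line)
        if m:
            peer, port, notif = m.groups()
            drops[f"{peer}:{port}"][notif] += 1
            continue
        m = PARSE_RE.search(line)
        if m:
            parse_errors.append(m.group(1))
    suspect = sorted(p for p, c in drops.items() if c["PAYLOAD_MALFORMED"] >= drop_threshold)
    return {"mismatches": mismatches, "drops": {p: dict(c) for p, c in drops.items()},
            "parse_errors": parse_errors, "suspect_peers": suspect}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```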

Maurice Janssen
2016-07-25 20:06:52 UTC
Post by Steve Clement
I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no
clue what the correct config should be, so I haven't reproduced it under the
Droid.
There seems to be an issue with Android 6.0.1 and L2TP/IPSEC connections:
https://code.google.com/p/android/issues/detail?id=194269
--
Maurice
Steve Clement
2016-07-25 21:13:48 UTC
Your link talks more about 6.0

But this is probably it:
https://code.google.com/p/android/issues/detail?id=196939

Testing in Cyanogenmod would be next.

But given the look and feel of all of these issues, I fear OpenVPN would have been
(perhaps less secure) but easier to configure and mostly just use…

Darn those non-compliant peeps :)

I will test further once I have recovered ;)

Thanks,
Post by Maurice Janssen
Post by Steve Clement
I tried to connect my Nexus 5 with Android 6.0.1 but that plainly failed, no
clue what the correct config should be, so I haven't reproduced it under the
Droid.
https://code.google.com/p/android/issues/detail?id=194269
--
Maurice
--
Steve Clement
https://www.twitter.com/SteveClement
mailto:***@localhost.lu
.lu: +352 20 333 55 65

Maurice Janssen
2016-07-26 06:08:50 UTC
Post by Steve Clement
Your link talks more about 6.0
https://code.google.com/p/android/issues/detail?id=196939
Yeah, that's the link I wanted to send. Somehow I managed to copy
the wrong link in my previous email.

Maurice
Raul Miller
2016-07-26 12:13:55 UTC
Post by Maurice Janssen
Post by Steve Clement
https://code.google.com/p/android/issues/detail?id=196939
Yeah, that's the link I wanted to send. Somehow I managed to copy
the wrong link in my previous email.
I have been seeing a lot of copy&paste errors myself, where I
performed the keyboard action to trigger a copy but paste gives me
something from an older context.

I'm sure a lot of people put a lot of time into making things work this way...
--
Raul