Friday, 8 April 2016

OpenBSD L2TP/IPSec VPN for Android

Since posting the L2TP/IPSec VPN configuration for Windows devices I have had a lot of comments asking for me to test this with Android. I wasn't able to follow up on those  requests as I had lent my old Samsung S3 to a friend whose iPhone 5S has been playing up and eventually died while he waited for his new phone, he got an iPhone 6S .. how disappointing ?

Anyway, Once I got the phone back it took me less than 5 minutes to find the correct settings for an Android device - please to bear in mind that if your Android device does not work please check the /var/log/messages file for what was sent by the device and what was expected by the router and make the adjustments in your /etc/ipsec.conf file.

I've decided to make a completely new blog about it so there is no confusion and its just simpler in my mind, I've also just copied and pasted the text and modified the few parts that needed to be for an Android running 4.4.4 (this is an OLD phone and it's running Cyanogen 11).

In OpenBSD to use L2TP / IPSEC you can use the native NPPPD (8) as I have done. I'm a big fan of using the out of the box features, afterall OpenBSD is built for security from the ground up, so using a 3rd party L2TP/IPSEC port wasn't an option, I literally didn't even give it a thought.

With NPPPD there are a bunch of files you'll need to configure in order to make it work.

My npppd.conf file looks something like this, note the reference to the npppd-users file, you can configure multiple VPN's here with different users in different files. You'll see I'm using tun instead of pppx

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"

tunnel L2TP protocol l2tp {
        listen on
        listen on ::

ipcp IPCP {

interface tun0 address ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

and list of users in the npppd-users file, add as many users you require, you can set them a static IP here too, check the man page for npppd for additional options:


and ipsec.conf file should look something like this, the first two lines set macros as you can in pf.conf, this helps as I have a dynamic IP, although I still have some issues if the IP changes and need to run pf.conf, possibly also reloading ipsec.conf rules, you may need to change aes to 3des or something else your device requires, same applies to modp2048 and hmac-sha1, check /var/log/messages after trying to connect your device:


ike passive esp transport \
        proto udp from $IF_WAN to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "3des" \
        psk $key

If you've got a working OpenBSD router using pf.conf as your firewall, you'll need to modify this too, adding tun to your skip statement, NAT rule allowing VPN clients LAN and WAN access, and the last two lines allow the VPN traffic in otherwise the VPN's wouldn't establish:

set skip on { lo, enc, tun }      #Added tun here

match out on $IF_WAN from {$IF_LAN:network,} nat-to ($IF_WAN:0) \
scrub (no-df max-mss 1440) #Added the network range for the VPN clients

pass quick proto { esp, ah }
pass in proto udp to $IF_WAN:0 port {isakmp, ipsec-nat-t}

You also need to add in some sysctl.conf options:


and in rc.conf.local


There are not many changes, you can either reboot the router or reload the firewall, load the modules in sysctl and start the services. If you already have a VPN configuration then restarting the services should be enough.


  1. Thanks actually updating the blog posts! I'll give it a shot and report back! I am using CM13 "bacon"

    1. If you have any problems reply with the last 10 lines of /var/log/messages after trying to connect and I'll give you some pointers.

  2. Hi, I tried these instructions but my Android client cant establish connection. For configurations & daemon.log please check my thread at


    1. Hi Chigurh,

      That's some weirdness in your log!
      Can you change your "3des" to "aes" and "hmac-md5" to "hmac-sha1" in your ipsec.conf?

      Restart iskmpd with:
      /etc/rc.d/isakmpd restart
      ipsecctl -f /etc/ipsec.conf

      and test again, please let me know if it does work and if it doesn't let me know and give me the logs and I'll have another look.

    2. Hi Jay,

      Please check this paste - ,
      sorry about that but here I can't paste more than 4K characters. The paste wont expire.

    3. Change your "hmac-sha1" to "hmac-sha2-256", reload/restart the service and try again.

      PS: the logs give you a good idea of what to change in order to get it working.

    4. Tried it but still no luck -

      Dec 1 12:32:49 ireland2 isakmpd[94768]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
      Dec 1 12:32:49 ireland2 last message repeated 5 times
      Dec 1 12:32:49 ireland2 isakmpd[94768]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
      Dec 1 12:32:49 ireland2 last message repeated 2 times
      Dec 1 12:32:49 ireland2 isakmpd[94768]: message_negotiate_sa: no compatible proposal found
      Dec 1 12:32:49 ireland2 isakmpd[94768]: dropped message from port 306 due to notification type NO_PROPOSAL_CHOSEN
      Dec 1 12:33:01 ireland2 npppd[85134]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
      Dec 1 12:33:01 ireland2 npppd[85134]: l2tpd ctrl=1 logtype=Finished
      Dec 1 12:33:15 ireland2 npppd[85134]: l2tpd ctrl=2 logtype=Started RecvSCCRQ tunnel_id=2/14044 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
      Dec 1 12:33:27 ireland2 npppd[85134]: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
      Dec 1 12:33:27 ireland2 npppd[85134]: l2tpd ctrl=2 logtype=Finished

    5. Can you post all your config files paste bin? anonymised of course.

    6. I will mail you if you like. Please let me know.

    7. Hi, sorry I've been really busy and hadn't checked on my blog for a while and missed your comments. Please email your config files to