MPLS and Google SoC
Hi All,

My name is Ryan French. I am a uni student at Waikato University in New Zealand. This year I will be porting the Ayame project (an implementation of the MPLS networking stack) to FreeBSD as part of my course. I was wondering if there was anyone out there wanting to be a mentor for me with this project for the Google Summer of Code. I'm not quite sure if this is the right way to try and find someone.

Thanks for any help,
Ryan French

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: MPLS and Google SoC
Please also check the NetBSD tech mailing list, since an updated patch of the ayame implementation for NetBSD has been posted there. This might help you since it fixed some bugs in ayame and has some more discussion on the remaining ones.

Regards
Ermal Luçi
IT Projects & Development
Raiffeisen Bank of Albania
"Dëshmorët e 4 Shkurtit" Street, Tirana
Tel: +355 4 233 396 Ext: 1316
E-mail: [EMAIL PROTECTED]
Web: www.raiffeisen.al
Re: MPLS and Google SoC
Ryan French wrote:
> I was wondering if there was anyone out there wanting to be a mentor for me with this project for the google summer of code. I'm not quite sure if this is the right way to try and find someone.

This way is OK. Once this year's SoC starts and your project application shows up in the mentor extranet I can pick it up. We'll discuss internally who exactly will mentor each project and determine the ranking among the projects. We don't know in advance how many students we will get sponsored by Google. Please make sure you provide a very comprehensive project description and fill in all fields with a reasonable level of verbosity.

--
Andre
Re: ospf cost and route selection (openospfd)
On Thu, Feb 14, 2008 at 07:49:34AM +0300, Eygene Ryabinkin wrote:
> > I have replaced patch-ospfd_packet.c with the new one, and OSPF packets can find their way through again now. Unfortunately, the behavior is the same as with openospfd 4.0; it converges with right costs etc., but with the wrong interface. Everything is exactly the same.
>
> OK, I will up my gifX interfaces and will try to simulate your problem.

OK, problem recreated. Will try to understand and fix the issue. Will drop a mail once the situation is more clear.

Thinking, 20%... ;))

--
Eygene
PF firewall NAT and Windows IPSEC tunnel
Howdy folks.

I have several computers behind a FreeBSD router (NAT 192.168.0.x using OpenBSD's PF). One of those computers is a Windows machine which is using software called "Cisco Systems VPN Client" to connect to some other computers outside of our internal network. Our FreeBSD router's connection to the outside world is DHCP via cable modem.

I can connect the Windows machine directly to the cable modem, bypassing the FreeBSD router entirely; the VPN works fine in this case. However, when I try going through the FreeBSD router I get dropped VPN connections after four to eight minutes; the VPN works fine only when it first connects and for five minutes thereafter.

    Secure VPN Connection terminated locally by the client.
    Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the following:

    The following ports should be allowed through the local firewall:
    UDP port 500, port 1
    ESP all ports
    AH all ports

I'm not quite sure what this means.

My original /etc/pf.conf:

    ext_if="fxp0"
    int_if="fxp3"
    internal_net="192.168.0.0/24"
    nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines in trying to follow the administrator's instructions (the Windows machine is 192.168.0.3):

    rdr on $ext_if proto udp from any to ($ext_if) port {500,1} -> 192.168.0.3
    rdr on $ext_if proto esp from any to ($ext_if) -> 192.168.0.3
    rdr on $ext_if proto ah from any to ($ext_if) -> 192.168.0.3

But the VPN connections still get dropped after five minutes. Any ideas?

I'm also running a bridge between several network interfaces. My /etc/sysctl.conf looks like this:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=em0,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

    ifconfig_fxp0="DHCP"
    ifconfig_fxp3="inet 192.168.0.254 netmask 255.255.255.0"
Re: PF firewall NAT and Windows IPSEC tunnel
Hi--

On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
> [ ... ]
> The following ports should be allowed through the local firewall:
> UDP port 500, port 1
> ESP all ports
> AH all ports

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd and not PF, but you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 1/tcp, and the GRE protocol. In my case, /etc/natd.conf contained:

    punch_fw 1:100
    redirect_proto gre 10.1.1.247
    redirect_port udp 10.1.1.247:500 500
    redirect_port udp 10.1.1.247:4500 4500
    redirect_port udp 10.1.1.247:62515 62515
    redirect_port tcp 10.1.1.247:1 1
    redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

--
-Chuck
RE: PF firewall NAT and Windows IPSEC tunnel
I've been using this combination for a long time. Since the VPN client initiates the VPN connection I have only provided NAT directives going out.

    nat pass on $ext_if proto { tcp, udp } from any to port { isakmp } -> ($ext_if:0) static-port
    nat pass on $ext_if proto { udp } from any to port { 1 } -> ($ext_if:0) static-port
    nat pass on $ext_if proto { tcp } from any to port { 4005 } -> ($ext_if:0)
    nat pass on $ext_if proto { esp } from any to -> ($ext_if:0)

I think the static-port was doing the trick in my case.

BTW, I think the nat pass will only work in FreeBSD-7. For FreeBSD-6 you have to split this up into two lines, one nat and one pass.

Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nerius Landys
Sent: Thursday, February 14, 2008 7:00 PM
To: freebsd-net@freebsd.org
Subject: PF firewall NAT and Windows IPSEC tunnel

> Howdy folks. I have several computers behind a FreeBSD router (NAT 192.168.0.x using OpenBSD's PF). One of those computers is a Windows machine which is using software called "Cisco Systems VPN Client" to connect to some other computers outside of our internal network. [...]
KAME IPsec spd_delete2 bug ...
All,

There is a bug in /usr/src/sys/netipsec/key.c in the FreeBSD KAME IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes. Can someone please commit this trivial patch? I'm afraid it's against 6.2 sources, but it's also only one line.

Thanks,
-Matthew

--- key.c Fri Feb 15 02:18:16 2008 +++ key.c.fixed Fri Feb 15 02:18:35 2008 @@ -2125,7 +2125,7 @@ /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); - key_senderror(so, m, EINVAL); + return key_senderror(so, m, EINVAL); } sp->state = IPSEC_SPSTATE_DEAD;
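Review bot: the missing `return` is exactly the defect behind the crash, and the one-line change is the right fix: without it the `key_getspbyid(id) == NULL` branch logs, queues the EINVAL reply and then falls straight through to `sp->state = IPSEC_SPSTATE_DEAD;`, dereferencing the NULL `sp`. Two things worth doing before commit: since the patch is against 6.2 sources (as the poster notes), confirm the same fall-through is present in the current key.c at that hunk and apply it there rather than only to the release branch; and, because the error path becomes `return key_senderror(...)`, grep key.c for other `key_senderror(so, m, ...);` calls that are not preceded by `return` and are followed by a use of the looked-up object, as the same slip is easy to repeat in the other SADB message handlers. A one-line commit message naming the trigger (SADB spd_delete2 with an unknown policy id) would also help anyone bisecting later.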
RE: PF firewall NAT and Windows IPSEC tunnel
Nerius,

This sounds like a DPD timeout. The Cisco VPN client or Cisco gateway is probably not configured to use NAT-T or you are blocking UDP port 4500. Using the static-port trick will help in some instances where a client doesn't support NAT-T, but it also prevents multiple clients behind the pf firewall from communicating with the same gateway simultaneously. If that's not the case then no big deal. If so, it's best to just NAT UDP port 4500 outbound normally for Cisco clients unless the Cisco gateway has NAT-T disabled.

In legacy IPsec fashion, the client will establish its IKE session on the standard UDP port 500 and then pass ESP transport packets. With NAT-T enabled, the client will initiate IKE on port 500 and then switch to port 4500 if NAT is detected. ESP packets will be encapsulated in UDP and passed on port 4500 as well, which is easier for NAT firewalls to deal with. The client should also issue keep-alive packets to prevent firewall state from being culled. Without this, no traffic would be sent while the client is idle and pf would drop state after 60 secs by default.

    udp.first      60s
    udp.single     30s
    udp.multiple   60s
    other.first    60s
    other.single   30s
    other.multiple 60s

If you don't see traffic on port 4500 but you do see ESP traffic, the other thing to try would be to increase the state lifetime for UDP port 500 and ESP traffic. Assuming DPD is enabled on the Cisco gateway, this would help avoid state timeout so that the client has more time between sending or receiving notifications. ESP shouldn't be too troublesome as there are no ports to translate ... unless you have multiple clients behind the same firewall trying to talk to the same gateway. But that's what NAT-T is for.

Hope this helps,
-Matthew
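Pulling the thread's advice together as one added pf.conf for Nerius's router (this is an editor's example, not a ruleset posted by anyone in the thread): the client initiates the tunnel, so outbound stateful NAT is what carries the replies back and the rdr rules from the original post are not needed; UDP 500, UDP 4500 (NAT-T) and ESP/AH are allowed out; the IKE source port is pinned with static-port only for the one client, as Peter and Matthew describe; and the udp/other state timeouts are raised above the 60-second defaults Matthew lists so an idle tunnel outlives the gap between DPD notifications. Interface names, 192.168.0.0/24 and the client address 192.168.0.3 come from Nerius's post; the timeout values (300 s / 120 s) are assumptions, not values from the thread.

```pf
# Added example pf.conf for the FreeBSD NAT router in the thread above.
# Macros: names and addresses as given in the original post.
ext_if       = "fxp0"
int_if       = "fxp3"
internal_net = "192.168.0.0/24"
vpn_client   = "192.168.0.3"     # the Windows box running the Cisco client

# Options must precede translation/filter rules. pf defaults (pfctl -s timeouts)
# are udp.first 60, udp.single 30, udp.multiple 60 and the same for "other"
# (ESP/AH); an IKE or ESP flow idle longer than that loses its state entry
# and the gateway's next DPD packet is dropped. The values below are assumed.
set timeout { udp.first 300,   udp.single 120,   udp.multiple 300 }
set timeout { other.first 300, other.single 120, other.multiple 300 }

# No rdr rules: the client opens the connection from inside, so inbound
# IKE/ESP arrives as replies matched by the state of the outbound NAT rule.

# Optional (Peter's static-port trick): keep UDP source port 500 unchanged
# for a client without NAT-T. First matching nat rule wins, so it precedes
# the general rule. Remove it if several clients talk to the same gateway.
nat on $ext_if proto udp from $vpn_client to any port 500 -> ($ext_if) static-port

# Ordinary NAT for everything else, including UDP 4500 (NAT-T encapsulated
# ESP), which needs no special handling (Matthew's recommendation).
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filter rules, only needed if the ruleset blocks by default (Nerius's
# original had none): IKE, NAT-T and raw ESP/AH out, replies back via state.
pass out on $ext_if proto udp from any to any port { 500, 4500 } keep state
pass out on $ext_if proto { esp, ah } from any to any keep state
```

Load it with `pfctl -f /etc/pf.conf`, then check two things while the tunnel is up. `pfctl -vs state | grep 192.168.0.3` should show the UDP 500 and ESP entries with an `expires in` that counts down from the raised value rather than from 60 seconds, which confirms the timeouts took effect. `tcpdump -ni fxp0 'udp port 4500 or ip proto 50'` is Matthew's test: if you see port 4500 traffic the client negotiated NAT-T and the static-port rule can go; if you only see raw ESP, the client is running without NAT-T and the pinned port plus the longer timeouts are what keep the session alive.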