Re: VPN client-to-site over IPSec
Toni,

Do you mean a VPN where only a HOST will access an entire NETWORK? If so, then the answer is YES.

For instance, I have some OpenBSD servers acting as VPN Server and they allow me to connect from home to the networks behind those OpenBSD servers.

PC -- Internet -- OpenBSD LAN
PC IPSec Tunnel -- LAN

I also have other situations where I need an entire LAN to communicate with another LAN, like:

LAN -- OpenBSD/Other -- Internet --- OpenBSD -- LAN
LAN --- IPSec Tunnel --- LAN

What do you need?

- Original Message -
From: "Toni Mueller"
To:
Sent: Friday, April 03, 2009 5:43 PM
Subject: Re: VPN client-to-site over IPSec

Hi,

On Fri, 03.04.2009 at 12:43:33 -0300, João Salvatti wrote:
> Is it possible to implement a client-to-site VPN over IPSec? I have searched on the web, but only found site-to-site models.

what exactly do you mean by "client to site"? You can distinguish between transport mode, where you use the IP that you actually use, as an endpoint, and tunnel mode, where you assign an IP of your choosing for use inside the tunnel, and then use that IP for all of your connections. Usually, "site-to-site" is associated with tunnel mode, and I currently see no reason, and much less any advantage, in using transport mode.

Kind regards,
--Toni++
Re: VPN client-to-site over IPSec
to $ext_if port isakmp keep state
pass out quick on $ext_if inet proto udp from $ext_if to port isakmp keep state

# Rules to encapsulate/decapsulate IP Traffic #
pass in quick on enc0 proto ipencap all
pass out quick on enc0 all

# VPN rules between endpoints of the tunnel ###
pass in quick log on enc0 inet proto tcp from port 1433 to { 192.168.0.1, 192.168.0.254 } keep state
block out quick log on enc0 inet proto tcp from ! 192.168.0.100 to port { 1433, 22, 80, 443 }
block in quick log on enc0 inet proto tcp from port { 1433, 22, 80, 443 } to ! 192.168.0.100
pass in quick log on enc0 inet from $netX_lan to $int_net keep state
pass out quick log on enc0 inet from $int_net to $netX_lan keep state

/etc/folder/vpn-cli.txt
200.200.200.200 192.168.99.1

/etc/rc.conf.local
isakmpd_flags="-L"

/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"

/etc/isakmpd/isakmpd.conf
[General]
Listen-on= 212.212.212.212
Default-phase-1-lifetime= 1200,60:86400
Default-phase-2-lifetime= 3600,60:86400

[Phase 1]
222.222.222.222=FW-NetworkX
Default=RemoteClient

[Phase 2]
Connections=IPSec-NetworkX
Passive-Connections=IPSec-Remote

# ISAKMP Phase 1 peer sections ##
[FW-NetworkX]
Phase= 1
Address=222.222.222.222
Configuration= Default-main-mode
Authentication= your-pre-shared-key-string1

[RemoteClient]
Phase= 1
Configuration= Remote-main-mode
Authentication= your-pre-shared-key-string2

# IPSec Phase 2 sections
[IPSec-NetworkX]
Phase= 2
ISAKMP-peer=FW-NetworkX
Configuration= Default-quick-mode
Local-ID= Local-NET
Remote-ID= NetworkX-NET

[IPSec-Remote]
Phase= 2
ISAKMP-peer=RemoteClient
Configuration= Remote-quick-mode
Local-ID= Local-NET
Remote-ID= Remote-HOST

# Client ID sections
[Local-NET]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0

[NetworkX-NET]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.0.0
Netmask=255.0.0.0

[Remote-HOST]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Main mode descriptions
[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-MD5

[Remote-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Microsoft-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

# Quick mode descriptions #
[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-SUITE

[Remote-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Microsoft-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

- Original Message -
From: "Marcos Laufer"
To: "Marcello Cruz"
Cc:
Sent: Wednesday, April 08, 2009 11:37 AM
Subject: Re: VPN client-to-site over IPSec

> Marcello,
>
> If you don't mind, I'd like to know more info or what to read to
> accomplish your first scenario:
>
> PC -- Internet -- OpenBSD LAN
> PC IPSec Tunnel -- LAN
>
> Thanks!
> Marcos Laufer
>
> Marcello Cruz escribió:
>> Toni,
>>
>> Do you mean a VPN where only a HOST will access an entire NETWORK? If
>> so, then the answer is YES.
>>
>> For instance, I have some OpenBSD servers acting as VPN Server and
>> they allow me to connect from home to the networks behind those
>> OpenBSD servers.
>>
>> PC -- Internet -- OpenBSD LAN
>> PC IPSec Tunnel -- LAN
>>
>> I also have other situations where I need an entire LAN to communicate
>> with another LAN, like:
>>
>> LAN -- OpenBSD/Other -- Internet --- OpenBSD -- LAN
>> LAN --- IPSec Tunnel --- LAN
>>
>> What do you need?
>>
>> - Original Message - From: "Toni Mueller"
>> To:
>> Sent: Friday, April 03, 2009 5:43 PM
>> Subject: Re: VPN client-to-site over IPSec
>>
>>
>>> Hi,
>>>
>>> On Fri, 03.04.2009 at 12:43:33 -0300, João Salvatti
>>> wrote:
>>>> Is it poss
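The isakmpd.conf above still selects DES-MD5 for its default main and quick modes. As an added check that is not part of the thread (it assumes only POSIX sh, sed and tr), this script walks an isakmpd.conf and reports every Transforms= or Suites= value that still names single DES or MD5; it is run here on a constructed excerpt laid out like the posted file:

```shell
#!/bin/sh
# Added example, not from the thread: flag weak IKE/IPsec algorithm choices
# in an isakmpd.conf(5)-style file. Sections are "[Name]" lines, settings are
# "Key= Value" lines; only Transforms= and Suites= are inspected.

# Constructed excerpt mirroring the posted configuration.
SAMPLE_CONF='[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= DES-MD5

[Remote-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-SUITE

[Remote-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE'

# Print the weak components of one algorithm string, or nothing if none.
# Every "3DES" is removed first so that triple DES does not trip the DES test.
weak_parts() {
    val=$1
    out=
    stripped=$(printf '%s' "$val" | sed 's/3DES//g')
    case "$stripped" in *DES*) out="single DES" ;; esac
    case "$val" in *MD5*) out="${out:+$out, }MD5" ;; esac
    printf '%s' "$out"
}

# Read a config on stdin and print "section: Key=Value [weak parts]" for
# every Transforms= or Suites= line that uses a weak algorithm.
weak_ipsec_sections() {
    section=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                section=${line#?}      # drop leading "["
                section=${section%?}   # drop trailing "]"
                ;;
            *=*)
                key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
                val=$(printf '%s' "${line#*=}" | tr -d ' \t')
                case "$key" in
                    Transforms|Suites)
                        found=$(weak_parts "$val")
                        if [ -n "$found" ]; then
                            printf '%s: %s=%s [%s]\n' "$section" "$key" "$val" "$found"
                        fi
                        ;;
                esac
                ;;
        esac
    done
    return 0
}

# Run the check over the constructed excerpt (use "weak_ipsec_sections
# < /etc/isakmpd/isakmpd.conf" against a real file).
check_sample() {
    printf '%s\n' "$SAMPLE_CONF" | weak_ipsec_sections
}

check_sample
```

Expected report: the two "Default-" sections are listed with "[single DES, MD5]", the 3DES-SHA sections are not.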
Intel D945GCNL with OpenBSD 4.4 Hangs
Dear all,

I have an Intel D945GCNL board and when I try to enable a second NIC the system hangs. I really don't know where to search for a clue. I took some steps before posting this message:

* replaced the HD with another one
* replaced the NIC (D-Link DFE-530, 3COM Etherlink, generic NIC with Realtek chipset)
* replaced memory

Also, I have installed the same peripherals on another motherboard (Asus) and had no problem. So I think the problem is with the motherboard. The BIOS doesn't seem to have any configuration regarding PCI slots (where the NIC is installed). Now, I'm trying to update the BIOS in order to see some new implementation not supported by OpenBSD.

Please, I really need help and I don't know how to feed you with information. Below is the dmesg.

Rgds,
Marcello

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80
cpu0: Intel(R) Celeron(R) CPU 430 @ 1.80GHz ("GenuineIntel" 686-class) 1.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
real mem = 1062424576 (1013MB)
avail mem = 1018863616 (971MB)
RTC BIOS diagnostic error 80
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/28/07, SMBIOS rev. 2.4 @ 0xe44d0 (28 entries)
bios0: vendor Intel Corp. version "NL94510J.86A.0017.2007.0828.1137" date 08/28/2007
bios0: Intel Corporation D945GCNL
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0x4000, size 0x1000
drm at vga1 unsupported
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: irq 9
azalia0: codec[s]: Realtek/0x0888
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x01: RTL8168 2 (0x3800), irq 10, address 00:1c:c0:7b:06:d9
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 9
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 10
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci5 at ppb4 bus 5
xl0 at pci5 dev 5 function 0 "3Com 3c905B 100Base-TX" rev 0x24: irq 11, address 00:10:4b:6c:69:53
exphy0 at xl0 phy 24: 3Com internal media interface
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 9 for native-PCI interrupt
atapiscsi0 at pciide1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd0 at pciide1 channel 1 drive 0:
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: irq 9
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcpp
Re: Intel D945GCNL with OpenBSD 4.4 Hangs
1) I updated the BIOS to NL94510J.86A.0033.2008.0807.1932. This is the most recent BIOS available from Intel for this board. The old BIOS was NL94510J.86A.0017.2007.0828.1137. According to the flash utility, I cannot use a BIOS update with a different prefix (NL94510J.86A).

2) Following another post I disabled APM. With version 4.3 (OpenBSD), it worked, but the system became unstable and I lost connectivity with remote SSH sessions. With version 4.4 (OpenBSD) the system hangs at "mtrr: Pentium Pro MTRR Support".

3) Then I tried to disable ACPI. With version 4.3 the system hangs at "npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16". With version 4.4 (OpenBSD) the system hangs when I activate the second NIC (up, dhcp or IP address).

4) Then I installed version 4.4 on different hardware with the 3 NICs (3Com 3c905B 100Base-TX, DLink DFE-520TX, plus the on-board NIC with Realtek chipset). The system works with no problem. So, I realize the problem is with the motherboard. But where?

5) A page (http://www.intel.com/support/motherboards/desktop/sb/CS-008326.htm) from Intel says that there is support for Linux.

What does "RTC BIOS diagnostic error 80" mean? Any clues?

The best option is to ask the dealer to replace the board for another which supports Linux. Is that right? Or, is there another solution?

Rgds
Marcello

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80
cpu0: Intel(R) Celeron(R) CPU 430 @ 1.80GHz ("GenuineIntel" 686-class) 1.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
real mem = 1062412288 (1013MB)
avail mem = 1018851328 (971MB)
RTC BIOS diagnostic error 80
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/07/08, SMBIOS rev. 2.4 @ 0xe44d0 (28 entries)
bios0: vendor Intel Corp. version "NL94510J.86A.0033.2008.0807.1932" date 08/07/2008
bios0: Intel Corporation D945GCNL
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0x4000, size 0x1000
drm at vga1 unsupported
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: irq 9
azalia0: codec[s]: Realtek/0x0888
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x01: RTL8168 2 (0x3800), irq 10, address 00:1c:c0:7b:06:d9
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 9
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 10
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci5 at ppb4 bus 5
xl0 at pci5 dev 4 function 0 "3Com 3c905B 100Base-TX" rev 0x24: irq 11, address 00:10:4b:6c:69:53
exphy0 at xl0 phy 24: 3Com internal media interface
vr0 at pci5 dev 5 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 11, address 00:21:91:52:ac:df
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 9 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at p
Re: Intel D945GCNL with OpenBSD 4.4 Hangs
On OBSD 4.4 when I disable apm it hangs on "mtrr: Pentium Pro MTRR support". On OBSD 4.3, it gives me the login prompt, but when I activate the second NIC (up, dhcp, IP address) the system hangs.

A document from Intel (http://www.intel.com/support/motherboards/desktop/sb/CS-028426.htm) says that an error message could appear when installing W2K: "The BIOS in this System is not Fully ACPI Compliant". So, I tried to disable acpi, but the system hangs at "npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16" with OBSD 4.3. With OBSD 4.4 the system hangs only when I activate the second NIC (up, dhcp, IP address).

Another test I did was to disable the on-board NIC and put in a second off-board NIC, so the system had 3 NICs. The system hangs only when I activate the second NIC. In this case, the DLink NIC (DFE-520TX) makes the system show the message "Watchdog Timeout". The same NICs in another motherboard don't cause the system to hang or to show error messages.

Also, Intel says that this board has no support for Linux. Should I discard this model or is there something else I can do?

Ooops, I forgot to mention that I have 3 of these boards and the same occurs with all of them.

Rgds,
Marcello

- Original Message -
From: "Stijn"
To: "Marcello Cruz"
Sent: Thursday, April 09, 2009 5:03 PM
Subject: Re: Intel D945GCNL with OpenBSD 4.4 Hangs

> OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> RTC BIOS diagnostic error 80
> mtrr: Pentium Pro MTRR support

Hi,

Can you disable apm at the boot prompt? This way acpi will be used. Also try a recent snapshot to see if this helps.

HTH,
Stijn
Re: IPsec Windows Vista client - OpenBSD, NAT-T problem
Dear MK,

There is a problem with the IPSec implementation on Vista and W2K8. Microsoft seems to have a patch. Please, see these articles:

* http://support.microsoft.com/kb/957624/en-us
* http://support.microsoft.com/kb/946887/en-us
* http://technet.microsoft.com/en-us/library/bb878090.aspx

If you try to connect to your VPN using XP or W2K clients it works fine.

Kind regards,
Marcello Cruz

- Original Message -
From: "MK"
To:
Sent: Thursday, April 23, 2009 12:49 PM
Subject: IPsec Windows Vista client - OpenBSD, NAT-T problem

Hello,

I'm trying to learn how to set up an IPsec connection, therefore I started with quite simple settings. I'd like to allow clients from outside to connect to my OpenBSD server through an encrypted channel, however I came across some difficulties I'm not able to solve.

The scheme of my environment is the following:

client (Windows Vista) - NAT (mikrotik) --- internet --- (public IP) OpenBSD

I decided to use PSK to simplify my settings; my ipsec.conf file contains:

ike passive from any to any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk my_key

From my understanding this should allow all clients to connect to my server via an encrypted channel. I started isakmpd and set up a client for Windows Vista - for a beginning I used TheGreenBow IPSec VPN Client. After a few minutes I had a working environment so I decided to use the native Windows Vista IPsec client, and here is my problem: the Vista client is not able to communicate with my OpenBSD server for some reason I do not see. I was checking the settings of the client and did not find any problem, then I just tried to shut down isakmpd and to start it again with the -T flag, without NAT-T support. Immediately after this change, the Vista client successfully connected to OpenBSD and communication was encrypted and working. If I start isakmpd again with NAT-T support then Vista can not negotiate IPsec with OpenBSD.

I think NAT-T is important for me, because if I understand it well, it should allow IPsec communication for more clients behind the same NAT simultaneously; however, for some reason, if I allow NAT-T support in OpenBSD, Vista can not reach the server anymore. TheGreenBow IPSec VPN Client works just fine even with NAT-T.

I'm out of ideas and I'd like to kindly ask you for any help. I started isakmpd with the -L switch to provide some additional information for both clients (working GreenBow and Vista client).

Best regards
MK

Vista - NAT-T not working:

0:25:01.013804 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: c8434925c7d015f1-> msgid: len: 232
    payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = AES_CBC
                attribute KEY_LENGTH = 128
                attribute HASH_ALGORITHM = SHA
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 0e10
    payload: VENDOR len: 24
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20
    payload: VENDOR len: 20
    payload: VENDOR len: 20
    payload: VENDOR len: 20 [ttl 0] (id 1, len 260)
00:25:01.014657 217.197.149.135.500 > 84.42.224.147.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: len: 188
    payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP
                attribute ENCRYPTION_ALGORITHM = AES_CBC
                attribute KEY_LENGTH = 128
                attribute HASH_ALGORITHM = SHA
                attribute GROUP_DESCRIPTION = MODP_1024
                attribute AUTHENTICATION_METHOD = PRE_SHARED
                attribute LIFE_TYPE = SECONDS
                attribute LIFE_DURATION = 0e10
    payload: VENDOR len: 20 (supports OpenBSD-4.0)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 216)
00:25:01.078015 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
Re: Transparent firewall (bridge) with DMZ + LAN
Hey guys,

There are some articles that may bring some light to the discussion:

* http://en.wikipedia.org/wiki/Network_bridge (best bet)
* http://en.wikipedia.org/wiki/Bridging_(networking)
* http://en.wikipedia.org/wiki/Transparent_bridge
* http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html

Best,
Marcello

- Original Message -
From: "Daniel Ouellet"
To: "Openbsd-Misc"
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN

patrick keshishian wrote:
> On Sun, Apr 26, 2009 at 4:10 PM, bofh wrote:
>> It's called going off on a related tangent - whenever I hear people talking about using something because someone has published a paper and here's all these smart people using it (transparent bridging, etc, or in my case natting externally accessible/routable hosts), it pisses me off. People use it because they have a need to do something. When you're told there's a better way to do things, pay attention, instead of telling the experts here (and I'm talking about the openbsd developers in this thread - not me, I'm in management now, no brain cells left) they're wrong because you have all these great URLs - if you want to listen to those people, then you should be using the OS they use too.
>
> so you prefer to take someone's word blindly without any backing evidence or facts, so long as you believe they are a credible source?

Well, let's say that if they spent years developing the system, including PF and the capability of bridge, and the same people tell me that it's bad to do so. Well, HELL yes I would listen to them. They are better minds than me and they have the code to back it up as well as their saying too. So, to that answer yes. They are a credible source, they designed it, for crying out loud.

> Maybe management is a good place for you, but I'd hate to be a shareholder in a company people like you may have any sort of influential role in steering its goals and/or direction.

Not relevant at all. But even if that was, contrary to the majority of managers that only listen to marketing vapor ware, as opposed to digging in themselves, this might, maybe, be very good to listen to the source of reason, and not to say as well the origin of the product as opposed to marketing people, then yes. I would. Most managers wouldn't even understand it anyway and there are exceptions, but by all means not the norm, so your analogy is pointless and off topic.

> "Perhaps as one of the older generation, I should preach a little sermon to you, but I do not propose to do so. I shall, instead, give you a word of advice about how to behave toward your elders. When an old and distinguished person speaks to you, listen to him carefully and with respect -- but do not believe him. Never put your trust in anything but your own intellect. Your elder, no matter whether he has gray hair or lost his hair, no matter whether he is a Nobel Laureate, may be wrong... So you must always be skeptical -- always think for yourself."

I am so glad for you that you were born with the knowledge you need already and do not need to listen to anyone that might speak from years of experience. I envy you, really I do! I can't claim that gift from birth itself. Some might become senile at old age, yes, by the simple fact of getting older. Still the natural path of life as we know it. May you be blessed as to never suffer that sad outcome. But many are still very sound, and a few of them, as opposed to the "young padawan" hoping to maybe become a Jedi one day, don't need to prove anything to anyone anymore, and actually provide valuable information from experience without asking anything in return and without alternate motivations other than helping whoever is willing to listen. Many are not withholding knowledge in the hope of getting ahead and screwing you over in the process to get an edge over you. Yes, it's rare, but there are still many people like that.

I guess it comes with self confidence and actual real knowledge. I actually welcome their input. But do as you wish, no one is stopping you really. (;>

As for why not to do a bridge setup. Maybe something as simple as, for one example that comes to mind: your bridge needs to work in promiscuous mode and will see, receive and process all kinds of crap that it wouldn't need to otherwise. More resources will be used on the bridge that could be better used elsewhere. Should I also add that a misconfiguration of a bridge can stay undetected for years, as opposed to a misconfiguration of a decent firewall not in bridge mode, which would become more obvious sooner in most cases anyway. Call that security by default setup if you like. (;>

Don't forget that the simple act of putting a box in bridge mode has the effect of passing all traffic across it. You may think your bridge is working as the traffic is passing, but in reality, maybe someone affected it adversely and you can't see it. Bridg
Re: PPTP vpn with OBSD gateway (outgoing)
Hi,

To publish an internal PPTP server:

rdr pass on $ext_if proto tcp from any to $ext_if port 1723 -> $internal_server
rdr pass on $ext_if proto gre from any to any -> $internal_server

To allow an internal computer to establish a PPTP tunnel to a server on the Internet:

pass out on $ext_if proto gre from $ext_if to any keep state
pass in on $int_if proto tcp from $internal_client to any port 1723 keep state
pass in on $int_if proto gre from $internal_client to any keep state

PPTP needs GRE and 1723/tcp.

Rgds
Marcello

- Original Message -
From: "Juan Miscaro"
To: "patrick keshishian"
Cc: "openbsd-misc"
Sent: Friday, May 29, 2009 7:08 PM
Subject: Re: PPTP vpn with OBSD gateway (outgoing)

2009/5/29 patrick keshishian :
> On Fri, May 29, 2009 at 2:08 PM, Juan Miscaro wrote:
>> Hi,
>>
>> I'm trying to set up a PPTP tunnel for a Windows machine lying behind my OBSD 4.0 internet gateway. I can establish the tunnel but I'm missing the last piece in the puzzle. This is the routing of the RFC 1918 addresses. Locally I have 10.9.0.0/16 addresses and the windows machine wants to connect to a web server on the remote side that is using 192.168.0.0/16.
>
> Just to make sure I am understanding you correctly, you have a Windows machine in your network which is behind an OpenBSD firewall (pf). The Windows machine establishes a PPTP VPN connection to the remote site.
>
> If I understood this correctly... What does the route table on the Windows box look like? I'm not a windows person but I believe the command is 'route print' from a DOS/CMD prompt. Does the route to the remote site exist/show up in the output? Does 'ipconfig' show your local ip assigned to your Windows machine by the VPN server?

Yeah, you understood my setup. I will try the windows commands. Thanks.

/jm
Re: ftp-proxy multiple instances
Hi Mathieu,

After I sent the message to the group, I realized that the RC script reads the content of the rc.conf and rc.conf.local. One of the lines in the RC script searches for a line with "ftpproxy_flags" then executes the daemon with the parameters in that line. So, I tried exactly what you said but, simulating a new instance, just like the RC script. Now I have the confirmation that it is the way things should be.

Thanks a lot.

Rgds
Marcello Cruz

- Original Message -
From: "Mathieu Sauve-Frankel" <[EMAIL PROTECTED]>
To: "Technical Support" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, December 15, 2006 9:29 PM
Subject: Re: ftp-proxy multiple instances

> Is it really possible to create two instances using the rc.conf.local
> file?
> I tried to, but the rc creates only the last instance.

No you need to put a second startup line in /etc/rc.local

In other words.

ftpproxy_flags="" in /etc/rc.conf.local

and the following line in /etc/rc.local

/usr/sbin/ftp-proxy -R 10.10.10.1 -p 21 -b 192.168.0.1

> My rc.conf.local is:
> ftpproxy_flags = "-R 10.10.10.1 -p 21 -b 192.168.0.1"
> ftpproxy_flags = ""

It should be obvious why this won't work. If it isn't please read sh(1)

--
Mathieu Sauve-Frankel
Re: Deja-vu? (Explanation)
Sorry guys!!!

A few days ago we had a problem with the mail queue and some messages were moved to the output queue erroneously. Sorry for the inconvenience.

Rgds
Marcello Cruz

- Original Message -
From: "Hannah Schroeter" <[EMAIL PROTECTED]>
To:
Sent: Thursday, July 07, 2005 3:53 AM
Subject: Re: Deja-vu?

> Hello!
>
> On Wed, Jul 06, 2005 at 12:09:20PM -0600, Jon Coller wrote:
> >Is anyone else seeing a ton of old messages being resent to the list?
>
> Yeah, seems to be over though.
>
> >Every last one is identical to the previous one, but had an additional
> >group of received headers:
> > Received: from mail.corp.medcenter.com by shear.ucar.edu
> > Received: from mail pickup service by mail.corp.medcenter.com
>
> Perhaps the one of those two who delivers the mail to the boxen hosting
> the OpenBSD lists should be blacklisted (and that guy using a challenge
> response system on the auto-acknowledgement of OpenBSD's bug tracking
> system should be blacklisted too, especially as one shouldn't submit
> new port suggestions as bugs).
>
> >-Jon
>
> Kind regards,
>
> Hannah.
Fw: OpenBSD's 10th birthday
Happy birthday OpenBSD. From Brazil. I'm glad that OpenBSD exists. Cruz
Re: Client no-ip in the OpenBSD.
Dear friend,

There is another way to update your IP address without the use of the no-ip client. I use lynx and it does just the same. Lynx is part of a regular OBSD install.

You can run it, for example, with your connection script (like ppp.linkup) or after a reboot in the rc.local. Also, you can create a job with crontab to run the command on a weekly basis, for example.

The command line is something like this:

# lynx -dump -accept_all_cookies -auth=mailb...@domain.com.br:\password http://dynupdate.no-ip.com/nic/update?hostname=host.no-ip.info&myip=`ifconfig tun0 | grep 'inet ' | awk '{print $2}'`

In my case, I use this line within a script and I redirect the output of this command to another file. If something goes bad, then there is a job running every 30 minutes that tries to update the information in the NO-IP service.

Rgds
Marcello Cruz
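A script built around the same lynx call, added here as an example (it is not the script from the post): it parses the tun0 address the same way, pushes it to no-ip only when it differs from the last address that was accepted, and keeps the password in a separate root-only file. The hostname, account, password file and state file paths are placeholders; lynx(1) is assumed to be installed as stated above.

```shell
#!/bin/sh
# Added example, not from the post: no-ip update via lynx, run only when the
# tun0 address changed since the last accepted update.

NOIP_HOST=host.no-ip.info          # placeholder hostname from the post
NOIP_USER=mailbox@domain.com.br    # placeholder account
NOIP_PASS_FILE=/etc/noip.pass      # hypothetical path, chmod 600, holds the password
STATE_FILE=/var/db/noip-last-ip    # hypothetical path, remembers the last pushed IP
IFACE=tun0

# Constructed ifconfig(8) output used to exercise the parser offline.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 200.200.200.200 --> 10.0.0.1 netmask 0xffffffff'

# Extract the first IPv4 address from ifconfig output on stdin: the same
# "inet " field the posted grep/awk pair picks, done in sed so the script
# needs nothing beyond sh and sed. "inet6" lines do not match.
addr_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Parse the constructed sample (what the checks below call).
sample_addr() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | addr_from_ifconfig
}

# Print "yes" when an update is needed: a current address exists and it
# differs from the cached one (or nothing is cached yet); "no" otherwise.
needs_update() {
    current=$1
    last=$2
    if [ -z "$current" ]; then
        printf 'no'      # interface down or no address: nothing to push
    elif [ "$current" != "$last" ]; then
        printf 'yes'
    else
        printf 'no'
    fi
}

# Push the address and record it only if no-ip accepted it. The update API
# answers "good <ip>" or "nochg <ip>" on success; anything else is a failure.
push_update() {
    ip=$1
    pass=$(cat "$NOIP_PASS_FILE")
    # -auth= still places the credentials on the lynx command line, where
    # ps(1) shows them to other local users; fine on a single-user gateway.
    reply=$(lynx -dump -accept_all_cookies -auth="$NOIP_USER:$pass" \
        "http://dynupdate.no-ip.com/nic/update?hostname=$NOIP_HOST&myip=$ip")
    case "$reply" in
        good*|nochg*)
            printf '%s\n' "$ip" > "$STATE_FILE"
            logger -t noip "updated $ip: $reply"
            ;;
        *)
            logger -t noip "update failed for $ip: $reply"
            return 1
            ;;
    esac
}

main() {
    current=$(ifconfig "$IFACE" 2>/dev/null | addr_from_ifconfig)
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$(needs_update "$current" "$last")" = yes ]; then
        push_update "$current"
    fi
}

# Only "noip.sh run" (from ppp.linkup, rc.local or cron) touches the network;
# sourcing or running the file without arguments just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```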
Re: Client no-ip in the OpenBSD.
In the /etc/rc.local file. Below is an excerpt from that file...

# cat /etc/rc.local
#       $OpenBSD: rc.local,v 1.39 2006/07/28 20:19:46 sturm Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

echo -n 'starting local daemons:'

# Add your local startup actions here.

echo '.'

- Original Message -
From: Saulo Bozzi
To: Marcello Cruz
Cc: OpenBSD-Misc
Sent: Sunday, January 17, 2010 1:21 AM
Subject: Re: Client no-ip in the OpenBSD.

Cool, but now the no-ip binary works. But where do I put it to run at boot? rc.conf.local?

2010/1/17 Marcello Cruz
> Dear friend,
>
> There is another way to update your IP address without the use of the no-ip client. I use lynx and it does just the same. Lynx is part of a regular OBSD install.
>
> You can run it, for example, with your connection script (like ppp.linkup) or after a reboot in the rc.local. Also, you can create a job with crontab to run the command on a weekly basis, for example.
>
> The command line is something like this:
>
> # lynx -dump -accept_all_cookies -auth=mailb...@domain.com.br:\password http://dynupdate.no-ip.com/nic/update?hostname=host.no-ip.info&myip=`ifconfig tun0 | grep 'inet ' | awk '{print $2}'`
>
> In my case, I use this line within a script and I redirect the output of this command to another file. If something goes bad, then there is a job running every 30 minutes that tries to update the information in the NO-IP service.
>
> Rgds
> Marcello Cruz
Sed and GNU-like
Dear friends,

I've read the documentation about sed - sed(8), re_format(7) and /usr/share/doc/usd/15.sed/ - but I still don't realize how to make this command work:

$ s/(^[A_Z]{1})([a-z]+)\.sgml/\1\2\.html/g

As I read I must prefix the '{', '}', '(' and ')' with backslashes. Even if I do so, the command does not work. The command should take a filename starting with a capital letter followed with the extension 'sgml' and translate the extension to 'html'. According to http://www.bsd.org/regexintro.html it should work, but it does not.

I think there is some bug with the implementation of sed or the "branch" (one or more pieces concatenated - as stated under re_format) is not supported with BRE. Could someone clarify this to me, please? Also, how do I get the expected result?

Rgds
Marcello
Re: Sed and GNU-like
> > As I read I must prefix the '{', '}', '(' and ')' with backslashes. Even if I do so, the command does not work. The command should take a filename starting with a capital letter followed with the extension 'sgml' and translate the extension to 'html'.
>
> 1. Always show the commands you're actually running.

$ echo 'Teste.sgml' | sed 's/\(^[A-Z]\{1\}\)\([a-z]+\)/\1\2\.html/g'

This command is supposed to - only - change the file extension from ".sgml" to ".html" on files starting with an uppercase letter, followed by one or more lowercase letters. I know [A_Z] is incorrect, so I'm sorry. But this command was taken from http://www.bsd.org/regexintro.html exactly as it appears there. Also, the explanation of the command in there seems to be wrong.

> 2. If you actually did type [A_Z], that's wrong.

I know it, I'm sorry, I should've corrected it in my message.

> 3. 's/\([A-Z][a-z]*\)\.sgml/\1.html/g'

Thank you. It really works! But the problem is a bit more complex. The original idea is to identify two parts of the original string. For example, the file named 'Teste.html' should be translated to 'T_new_este.sgml'. According to the example from http://www.bsd.org/regexintro.html it should be possible to identify 'T' as '\1' in the replacement string and 'este' as '\2' in the replacement string. sed seems not to understand what "branch" is or I don't know how to concatenate two "pieces". The definitions for "branch" and "pieces" are in re_format(7), as below:

"An ERE is one** or more non-empty** branches, separated by `|'. It matches anything that matches one of the branches.

A branch is one** or more pieces, concatenated. It matches a match for the first, followed by a match for the second, etc.

A piece is an atom possibly followed by a single** `*', `+', `?', or bound. An atom followed by `*' matches a sequence of 0 or more matches of the atom. An atom followed by `+' matches a sequence of 1 or more matches of the atom. An atom followed by `?' matches a sequence of 0 or 1 matches of the atom"

Rgds
Marcello

PS: Sorry for grammar errors, I'm not a native English speaker.
Re: Sed and GNU-like (SOLVED)
> You didn't read re_format(7) well:
>
>     Basic regular expressions differ in several respects:
>
>     o `|', `+', and `?' are ordinary characters and there is no equivalent for their functionality.
>     o The delimiters for bounds are `\{' and `\}', with `{' and `}' by themselves ordinary characters.

$ sed -e 's/\(^[A-Z]\{1\}\)\([a-z]\{1,\}\)\.sgml/\1\2\.html/g'

Thank you all, guys.

Marcello
Re: Sed and GNU-like (SOLVED)
- Original Message -
From: "Abel Abraham Camarillo Ojeda"

> "Marcello Cruz" wrote:
>
> > $ s/(^[A_Z]{1})([a-z]+)\.sgml/\1\2\.html/g
>
> You didn't read re_format(7) well:
>
>     Basic regular expressions differ in several respects:
>
>     o `|', `+', and `?' are ordinary characters and there is no equivalent for their functionality.

I missed the line above. I forgot to replace '+' with '\{1,\}' when I executed the command. I did read re_format(7) badly.

$ sed -e 's/\(^[A-Z]\{1\}\)\([a-z]\{1,\}\)\.sgml/\1\2\.html/g'

It works just fine. Thank you very much!

Rgds
Marcello
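The resolution of the thread is that OpenBSD's sed takes a POSIX basic regular expression by default, where `+` is an ordinary character and the bound `\{1,\}` does its job. The script below is an added example, not code from any of the messages above: it puts the working BRE beside the same rule written as an ERE for sed implementations that accept -E (current OpenBSD sed and GNU sed do), uses the two groups separately as the thread wanted, and shows that `+` in a BRE really matches a literal plus sign. The trailing `$` anchor and the `LC_ALL=C` setting are my additions; `Teste.sgml` is the sample name from the thread.

```shell
#!/bin/sh
# Added example: the same rename as a BRE and as an ERE.
# C locale so [A-Z] and [a-z] mean ASCII letter ranges everywhere.
export LC_ALL=C

# Rename Name.sgml -> Name.html when Name is one uppercase letter followed by
# one or more lowercase letters.  BRE form: groups are \( \), the bound
# \{1,\} stands in for '+', and '^' sits outside the group so it is always
# treated as an anchor.  The '$' keeps "Teste.sgml.bak" from being touched.
sgml_to_html_bre() {
    printf '%s\n' "$1" | sed 's/^\([A-Z]\)\([a-z]\{1,\}\)\.sgml$/\1\2.html/'
}

# Same rule as an ERE: plain ( ), { } and + are operators here.
sgml_to_html_ere() {
    printf '%s\n' "$1" | sed -E 's/^([A-Z])([a-z]+)\.sgml$/\1\2.html/'
}

# The two groups used separately in the replacement, which is what the
# thread was after (\1 is the capital, \2 the rest of the stem).
mark_stem() {
    printf '%s\n' "$1" | sed 's/^\([A-Z]\)\([a-z]\{1,\}\)\.sgml$/\1_new_\2.html/'
}

# In a BRE '+' is an ordinary character: this rewrites only a literal "a+".
bre_plus() {
    printf '%s\n' "$1" | sed 's/a+/X/'
}

# Stand-alone demonstration over a few constructed names.
for name in Teste.sgml teste.sgml Teste.sgml.bak; do
    printf '%-16s BRE: %-16s ERE: %s\n' "$name" \
        "$(sgml_to_html_bre "$name")" "$(sgml_to_html_ere "$name")"
done
printf 'a+b  -> %s\n' "$(bre_plus 'a+b')"
printf 'aaab -> %s\n' "$(bre_plus 'aaab')"
```

Running it shows `Teste.sgml` renamed by both forms, the lowercase and `.bak` names left alone, and `a+b` becoming `Xb` while `aaab` is unchanged, which is exactly the behaviour re_format(7) describes for `+` in a BRE.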
PF and LDAP
Dear all,

Is there a way to use LDAP in a rule to allow or deny based on the user instead of the IP address? The idea is to permit the traffic from an inside user to access, for example, a VoIP resource on the Internet.

Thanks in advance.
Marcello
Re: PF and LDAP
Thanks Chris! Thanks everybody!

I was not clear, my mistake. I'm sorry. The idea is to allow traffic from a computer on the inside network to pass the traffic to the outside network (Internet) using some directory service based on LDAP (Active Directory). Users in the LAN sometimes need to use other PCs than usual or the PC should be used by lots of users. It should be good if the firewall rules could be created to allow/deny based on the user of the PC instead of the IP address. Note that the PC and the firewall are distinct computers.

For example, certain firewalls integrate the firewall rules with some kind of LDAP server the same way as Squid does (I know Squid is a proxy server). Maybe it is not a smart idea, and if so, I'd like to know why (if possible)? Is there another way to do the same without compromising the security? I thought about authpf, but I'm trying to avoid future problems regarding security.

Rgds,
Marcello

- Original Message -
From: "Chris Dukes"
To: "Marcello Cruz"
Cc:
Sent: Thursday, July 30, 2009 11:47 PM
Subject: Re: PF and LDAP

> On Wed, Jul 29, 2009 at 01:42:44PM -0300, Marcello Cruz wrote:
> > Dear all,
> > Is there a way to use LDAP in a rule to allow or deny based on the user instead of the IP address?
>
> Okay, I'm going to be literal here...
> ypldap to map LDAP to NIS.
> Configure the box to allow users to be resolved by NIS as well as local files.
> Use the "user" parameter on the pf rule. There's an example in the pf.conf manpage.
>
> > The idea is to permit the traffic from an inside user to access, for example, a VoIP resource on the Internet.
>
> Of course I have no idea what you mean by "inside user." Your specific question indicates someone that can actually log in on the OpenBSD firewall and run a VoIP application. Which seems reasonable to me because someone might be foolish enough to want me to run Asterisk or a SIP gateway on the firewall.
>
> If you mean an IP address associated with a specific user...
>
> If the system with the IP associated with the user is high function (i.e. can run an ssh client in addition to everything else), then you want to look at authpf.
>
> If the system with the IP associated with the user is low function (i.e. a SIP phone), but can negotiate WPA, LEAP, PPPoE, or 802.1X, then you'll want to investigate how to retrieve IP/user associations from your network auth mechanism and generate appropriate tables.
>
> If your system is using registered MAC addresses to determine which VLAN a NIC goes into, you'll have to look into extracting that data from your registration system, and then correlate it against ARP data.
>
> --
> Chris Dukes
Re: "Microsoft" VPN
Hi Stan,

> Our company was bought out a while back, and the new owners are changing pretty much everything. This includes changing external access from a Cisco VPN to a "Microsoft" VPN. Can anyone here give me a pointer to where I can get information on this? What I want to be able to do is use my OpenBSD firewall at home to VPN on to work.

If you want to use IPSec, you can use Windows 2003 or 2008. The implementation on W2K8 needs some patches to work out. You can do it even if the Windows machine is going to be the central hub for the VPN.

If you are interested, I have the following setups:

1) XP -> Internet -> OpenBSD -> LAN
2) LAN <-> OpenBSD <-> Internet <-> OpenBSD <-> LAN
3) XP -> Internet -> W2K3 / W2K8
4) Other variants are also possible

All of them use IPSec. A few months ago I sent a message regarding this subject. You can read the conversation at http://www.mail-archive.com/misc@openbsd.org/msg74592.html.

Rgds,
Marcello
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
I had a similar problem. Transparent proxy is incompatible with SSL, as far as I know. Configuring each computer to use a proxy - either manually or by script - is time consuming. So I decided to use WPAD+Squid. Problem solved.

The drawback is the overhead in the internal web server. Every time a new browser session is initiated, the browser connects to the internal web server to identify how to reach the Internet. The advantage is that you can do filtering using WPAD, too.

I don't know if it will work for you, so... good luck!

Rgds
Marcello

- Original Message -
From: "Matthew Young"
To: "Bob Beck" ;
Sent: Thursday, October 29, 2009 5:57 PM
Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

> Hello,
>
> If I use a reverse proxy I would have to know the SSL key of the remote SSL site (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken.
>
> --
> Matt
>
> On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck wrote:
> > apache or other reverse proxy.
> >
> > 2009/10/29 Matthew Young :
> > > Hello,
> > >
> > > I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the PC.
> > >
> > > In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of SSL sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL.
> > >
> > > Does anybody know a way I can actually accomplish this?
> > >
> > > My Thoughts:
> > > I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site I do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides, gmail's https hostname resolves to the same IP as google.com A records, so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truly really wanted just an access list of gmail.com.
> > >
> > > Would there be a way to make then some type of sniffer which would capture when users try to enter an https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list?
> > >
> > > There must be a practical way, right guys?
> > >
> > > Thanks
> > > --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
I'm not sure about Linux, but with Windows the WPAD works fine, even if the computers are not members of an AD. IE comes with the default "Automatic proxy configuration". So, you don't need to configure it.

The problem is that some programs try to find the wpad script in the wrong (?) place. The AV programs are good examples. To solve this problem, my wpad script is in the default site and I don't have to bother with configuring the AV on each computer.

Rgds,

PS: When I say "wrong place", I mean a place different than Windows.

- Original Message -
From: "Matthew Young"
To:
Sent: Thursday, October 29, 2009 7:02 PM
Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

> Marcello,
>
> Thank you.. this is good except that I need to configure all my browsers for downloading the pac file, and some Adware/antivirus will not auto discover this.. my users are linux as well as windows sadly. So while this is a lot more practical than manually configuring proxies in the machines it is not an option for the requirement of this project.
>
> Thanks.
> -Matt
>
> On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck wrote:
> > browsing ssl by IP addresses will also result in certificate conflicts - because the ssl cert is for the name not the IP address. So if they were willing to do that, they're willing to have your stupid reverse proxy mitm all your certificates since they'll also fail.
> >
> > Perhaps between my extremely subtle taunting, I should give up and just ask you *why* the hell do you want to do this?
> >
> > 2009/10/29 Matthew Young :
> > > This is great, however our LAN users are all technical. They would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here.
> > >
> > > On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe wrote:
> > > > So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to.
> > > >
> > > > On Oct 29, 2009 1:03 PM, "Matthew Young" wrote:
> > > > > Hello,
> > > > >
> > > > > If I use a reverse proxy I would have to know the SSL key of the remote SSL site (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken.
> > > > >
> > > > > --
> > > > > Matt
> > > > >
> > > > > On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck wrote:
> > > > > > apache or other reverse proxy...
DHCPD and WPAD
I have a problem with DHCPD and WPAD. The OpenBSD version is 4.4. The error message is (in /var/log/messages):

Nov 17 13:14:35 gw dhcpd[5096]: /etc/dhcpd.conf line 12: no option named option-252
Nov 17 13:14:35 gw dhcpd[5096]: option option-252 "http://wpad.domain.local/wpad.dat "

* In older versions of OpenBSD the same line works fine
* The problem seems to be with the option-252. If I change the number to 251 or 253, there is no error.

Rgds
Marcello