Re: VPN Concentrator
On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:

> Hi, I'd like to make a VPN concentrator using OpenBSD. I want users to be able to authenticate using usernames and passwords and to either NAT the users or give them an IP from our main DHCP server via a bridge. If I have, say, a Mac user at home wanting to connect into my network using the built-in Mac OS client, how should I set up the VPN server? Will it auth using usernames and passwords, or are certificates the only simple way to authenticate to the VPN server? How would I know which is better to use for this application out of PPTP or IPsec? Any and all input welcome.
>
> Khalid

I'm embarking down the same path, for what it's worth, but I'm actually doing it to eventually get rid of my Cisco 3005. My main structure, though, is IPsec between static fixed devices/locations, and I don't need to worry about supporting PPTP or L2TP over IPsec, or supplying addresses (yet).

I think Brian A. Seklecki's response:

> That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (possibly via PAM). You'll need IPsec NAT-T. Maybe tie it all together with LDAP and PKI.

kind of hit the nail on the head of my worries as well. I'm busy enough now making a secure network between offices using an OpenBSD box as the hub, but when I need to start adapting for "road warriors" things may get tricky.

For example, your Mac user at home, assuming Tiger's built-in client (I'm not clear on Leopard's new VPN protocols), can only use PPTP or L2TP over IPsec. I don't know if it's even possible to support all protocols easily on an OpenBSD concentrator, so I plan to push my road warriors into using clients such as VPN Tracker or the Greenbow client, though open source alternatives would be preferable. In my perfect world it would be isakmp/ipsec only for me and to hell with clients. Too bad that can't always happen...
So, anyway, lots of ramble for little benefit, but at least I know somebody else is doing it...
Routing between "spokes" - recent best practices?
Hi, apologies if it's been talked about until blue, but I'm all manpage/google/list-searched out on this.

Using the old adage of Central Office and Branch Offices looking for secure connectivity:

- My old and outdated understanding (the last time I was involved in planning a VPN was quite a while back) was that the only proper way to achieve branch-to-branch communication was using a star or full mesh solution.
- It's my understanding that this is no longer the case, with certain strategies like Cisco's DMVPN etc. allowing branch-to-branch communication in a hub-and-spoke style VPN.

Branch-to-branch traffic will be rare for me, but it is necessary. So, my question is this: what are the current best practices for setting up a hub-and-spoke topology using OpenBSD, allowing traffic to securely flow from branch to branch on occasion without using a full mesh topology? If it's at all possible... (network description below)

What am I missing to route from branch to branch? Do I need to set aliases on the central site? Do I need to add gre to the mix? gif?

The network will consist (for the sake of discussion anyway) of:

- OpenBSD 4.2-current devices for all gateways
- isakmp automatic keying (so no manual flows, right?) using publickey authentication. A bit of additional security via pf, only allowing related traffic from a static list of IPs. Please feel free to tell me if I should really head down the certificate path.

ipsec.conf files are simple, and already functional from Branch to Central, i.e.:

    ike esp from a.b.c.d to e.f.g.h
    ike esp from s.t.u.v/24 to w.x.y.z/24 peer e.f.g.h

(This will obviously need changing to reflect the greater class A that all branches share, but that's my next worry...)

If I add additional lines to ipsec.conf reflecting the class C subnet of another branch, ipsecctl -sa does show flows, I just can't actually get packets through. pf has "set skip on enc0".

Thanks for your time.
I can send actual pf.conf and ipsec.conf if you like, but I've been changing them around to mess with this, so who knows what's current. Cheers, and apologies for the long-winded newbie question. visc
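The question above never gets an answer on this page, so here is an added example (not code from the thread or from the OpenBSD project) of how a hub-and-spoke set of ipsec.conf(5) "ike" rules can be generated and checked. It rests on one assumption about ipsecctl(8): that a single "ike esp from A to B peer P" rule installs both the outbound A->B flow towards P and the inbound B->A flow from P. Under that assumption the hub needs, for every ordered pair of branches, a rule whose peer is the branch that will send or receive the traffic, while each spoke simply points all other branch networks at the hub; the hub must also forward packets (net.inet.ip.forwarding=1) and pf must let the traffic through on enc0. The site names and addresses are made up.

```python
"""Hub-and-spoke ipsec.conf(5) rule generator (added example, not the
project's code).

Assumption encoded here: one 'ike esp from A to B peer P' rule makes
ipsecctl(8) install both the outbound A->B flow towards P and the inbound
B->A flow from P. So the hub needs, for each ordered branch pair, a rule
whose peer is the branch that sends or receives that traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str  # label, used only in reports
    gw: str    # public gateway address (the IKE peer)
    net: str   # protected network in CIDR notation


def rule(src: str, dst: str, peer: str, extra: str = "") -> str:
    """One 'ike' rule; extra carries e.g. 'psk ...' or 'main life 3600'."""
    base = f"ike esp from {src} to {dst} peer {peer}"
    return f"{base} {extra}" if extra else base


def hub_rules(hub: Site, spokes: list[Site], extra: str = "") -> list[str]:
    """Rules for the hub gateway.

    For each spoke s: hub net <-> s net through s.
    For each ordered pair (a, b): traffic for a's net is handed to a, and
    the same rule admits packets from a's net bound for b's net. The rule
    for (b, a) completes the path, so a -> b and b -> a both cross the hub.
    """
    out = [rule(hub.net, s.net, s.gw, extra) for s in spokes]
    for a in spokes:
        for b in spokes:
            if a is not b:
                out.append(rule(b.net, a.net, a.gw, extra))
    return out


def spoke_rules(hub: Site, me: Site, spokes: list[Site], extra: str = "") -> list[str]:
    """Rules for one spoke: the hub net and every other branch net, all
    via the hub gateway."""
    out = [rule(me.net, hub.net, hub.gw, extra)]
    out += [rule(me.net, o.net, hub.gw, extra) for o in spokes if o is not me]
    return out


def missing_pairs(hub_conf: list[str], spokes: list[Site]) -> list[tuple[str, str]]:
    """Check a hand-edited hub config: which ordered branch pairs (a, b)
    lack the rule that returns b's traffic to a (and admits a's traffic for
    b). Only the 'from/to/peer' prefix is compared, so transform options
    and PSK keywords may differ from what this generator emits."""
    have = {" ".join(r.split()[:8]) for r in hub_conf}
    return [(a.name, b.name) for a in spokes for b in spokes
            if a is not b and rule(b.net, a.net, a.gw) not in have]


if __name__ == "__main__":
    # Made-up topology (RFC 5737 documentation addresses).
    hub = Site("central", "192.0.2.1", "10.1.0.0/24")
    branches = [Site("branch-a", "198.51.100.2", "10.2.0.0/24"),
                Site("branch-b", "203.0.113.3", "10.3.0.0/24"),
                Site("branch-c", "203.0.113.4", "10.4.0.0/24")]
    print("# hub")
    print("\n".join(hub_rules(hub, branches)))
    for b in branches:
        print(f"# {b.name}")
        print("\n".join(spoke_rules(hub, b, branches)))
    print("missing on hub:", missing_pairs(hub_rules(hub, branches)[:-1], branches))
```

The hub rule count grows as n + n(n-1) for n branches, which is why the pairwise set is worth generating rather than typing; an alternative that scales linearly is to use the shared class A summary on both sides, but that needs bypass flows for each branch's own local traffic and is not shown here.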
OpenBSD 4.2 isakmp/ipsec defaults
Greetings,

I am trying to establish IPsec between a 4.2-current box and a Cisco 3005 concentrator, without going to manual keying or setting up isakmpd.conf or .policy. I have come across a few folks who have been successful using 4.0 and 4.1 with isakmpd.conf or isakmpd.policy, but my understanding is that under 4.2 the functions provided by the aforementioned files are now better handled by ipsec.conf.

I'm going to toss out some generalities here before I resort to posting debugs from isakmpd, because I think I'm only missing one critical factor in Phase 2. If this is improper, I'll gladly post logs, but I think I'm almost there and only missing one key piece of info.

Phase 1 negotiates fine, Phase 2 fails. I believe this is due to the fact that the key lifetime isn't coordinated, but I could be wrong (hell, it's likely...).

My question is: what is the default key lifetime (in seconds preferably) for the 4.2 implementation of isakmp? I can modify the Cisco end to a degree, but I can't find any way to change this on my OpenBSD 4.2 box, nor even find the default. The ipsec man page has a paragraph on lifetimes, but the specifics escape me. I can't find anything in man isakmpd.

- Am I forced to use manual keying/flows in order to specify key lifetimes? And if so, what is the syntax?
- Is there a modifier in 4.2 ipsec.conf to use automatic keying with a specified key lifetime? I can't find it for the life of me.

Like I said, if I'm being improper by not posting logs, I can certainly do that, but I think I'm almost there.
ipsec.conf that negotiates Phase 1 fine (going with Cisco 3005 default transforms for a LAN-to-LAN IPsec tunnel):

    ike esp from a.a.a.a/24 to z.z.z.z/24 peer 1.1.1.1 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk blahblah

Peer/endpoint IDs are tricky, and I have messed around with adding "local" and/or srcid/dstid to the line, with no major change in behaviour, leading me to believe that my issue is outside of this line. Anyhow, thanks for any advice you can provide. Cheers
Re: OpenBSD 4.2 isakmp/ipsec defaults
Wow, excellent help, thank you. That's helped me track down some other problems as well. I have success!

And in the interests of full disclosure... I, um, was missing a character in the PSK. [shame and embarrassment] That's what you get when you generate a nice 63-character key and have to whittle it down to 24 for Cisco. I never thought to check, considering the Cisco would show Phase 1 complete, but I guess that'll learn me.

Cheers and thanks again.

On 7-Dec-07, at 2:09 AM, Stuart Henderson wrote:

> On 2007/12/07 00:53, visc wrote:
>> I'm going to toss out some generalities here before I resort to posting debugs from isakmpd because I think I'm only missing one critical factor in Phase 2.
>
> You can usually identify the problem more easily by looking at packet traces than by looking at logs. From memory, this should do the trick:
>
>     # echo p on > /var/run/isakmpd.fifo
>     [allow it to attempt negotiation]
>     # echo p off > /var/run/isakmpd.fifo
>     # tcpdump -nvvr /var/run/isakmpd.pcap
>
>> My question is - what is the default key lifetime (in seconds preferably) for the 4.2 implementation of isakmp?
>
> It's unchanged, and mentioned in isakmpd.conf(5):
>
>     [General]
>     Default-phase-1-lifetime= 3600,60:86400
>     Default-phase-2-lifetime= 1200,60:86400
>
>     The Main Mode lifetime currently defaults to one hour (minimum 60
>     seconds, maximum 1 day). The Quick Mode lifetime defaults to 20
>     minutes (minimum 60 seconds, maximum 1 day).
>
> (note that ipsec.conf is parsed into isakmpd.conf configuration sections, so this still applies; you can see this happening with ipsecctl -nvf /etc/ipsec.conf).
>
>> - Is there a modifier in 4.2 ipsec.conf to use automatic keying with a specified key lifetime? I can't find it for the life of me.
>
> It is currently only "documented" in the ipsecctl regression tests; you can use this format:
>
>     ike esp from 10.1.1.0/24 to 10.1.2.0/24 \
>         peer 192.168.3.2 \
>         main life 12345 quick life 23456 \
>         srcid me.mylan.net dstid the.others.net
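The lifetime question in this thread is answered in two pieces (the isakmpd.conf(5) defaults and bounds, and the undocumented "main life N quick life N" keywords). As an added example, not code from the thread or from OpenBSD, the following reads "ike" rules out of an ipsec.conf fragment, works out the lifetimes isakmpd will actually use for each, and compares them with whatever the other end (a Cisco concentrator, say) is configured for, so that a lifetime mismatch can be confirmed or ruled out before reaching for the packet trace. What it takes from the page: 3600 s and 1200 s as the Phase 1 and Phase 2 defaults, 60..86400 s as the allowed range, and the "life" keyword placement. One thing it assumes: that a requested value outside that range is clamped to it; the page does not say whether isakmpd clamps or rejects such values.

```python
"""Effective IKE lifetimes for ipsec.conf(5) 'ike' rules (added example,
not OpenBSD code).

Defaults and bounds are those quoted from isakmpd.conf(5) in the thread.
Clamping an out-of-range 'life' value to the bounds is an assumption of
this example; the page does not state how isakmpd treats such a value.
"""
import re

P1_DEFAULT, P2_DEFAULT = 3600, 1200   # seconds: Main Mode, Quick Mode
LIFE_MIN, LIFE_MAX = 60, 86400        # seconds: documented minimum/maximum


def rules(conf: str) -> list[str]:
    """Split ipsec.conf text into logical 'ike' lines: join backslash
    continuations, strip comments and blank lines, normalise whitespace."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    out = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("ike "):
            out.append(" ".join(line.split()))
    return out


def clamp(seconds: int) -> int:
    """Assumed behaviour: keep a requested lifetime within the documented
    60..86400 second window."""
    return max(LIFE_MIN, min(LIFE_MAX, seconds))


def lifetimes(rule: str) -> tuple[int, int]:
    """Return (phase1, phase2) lifetimes in seconds for one 'ike' rule.

    'life N' applies to whichever of 'main' / 'quick' was seen last on the
    line; without a 'life' keyword the isakmpd default is used.
    """
    p1, p2 = P1_DEFAULT, P2_DEFAULT
    phase = None
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok in ("main", "quick"):
            phase = tok
        elif tok == "life" and phase and i + 1 < len(tokens):
            value = clamp(int(tokens[i + 1]))
            if phase == "main":
                p1 = value
            else:
                p2 = value
    return p1, p2


def mismatches(rule: str, peer_p1: int, peer_p2: int) -> dict[str, tuple[int, int]]:
    """Compare this side's effective lifetimes with the values configured
    on the peer. Empty dict: both phases agree. Otherwise maps the phase
    to (ours, theirs)."""
    p1, p2 = lifetimes(rule)
    out = {}
    if p1 != peer_p1:
        out["phase1"] = (p1, peer_p1)
    if p2 != peer_p2:
        out["phase2"] = (p2, peer_p2)
    return out


if __name__ == "__main__":
    # Constructed fragment: the reply's example rule plus one without 'life'.
    SAMPLE = (
        "ike esp from 10.1.1.0/24 to 10.1.2.0/24 \\\n"
        "    peer 192.168.3.2 \\\n"
        "    main life 12345 quick life 23456 \\\n"
        "    srcid me.mylan.net dstid the.others.net\n"
        "ike esp from 10.1.3.0/24 to 10.1.4.0/24 peer 192.168.3.3  # defaults\n"
    )
    for r in rules(SAMPLE):
        print(lifetimes(r), mismatches(r, 28800, 3600), r)
```

Note that an agreeing lifetime only removes one suspect; the PSK itself is not visible in either side's logs, which is why a Phase 1 that "completes" on the Cisco side says nothing about the PSK matching character for character.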
Re: freeBSD7.0 advertised.
On 8-Dec-07, at 10:57 PM, STeve Andre' wrote:

> On Sunday 09 December 2007 00:27:01 badeguruji wrote:
>> Hello, Is there anything on OpenBSD like the one below for FreeBSD. It presents material very clearly and cleanly, makes FreeBSD look very attractive. http://people.freebsd.org/~kris/scaling/7.0 Preview.pdf Thank you. -BG
>
> Not really. OpenBSD doesn't attempt to market itself. You can look at the 4.2 page to see all the new things in 4.2, or scroll back in time by looking at earlier pages. Given that a new release comes out every six months, releases don't tend to have a lot of show-biz flash to them. They give useful data but aren't for the masses. Really, you want to do a lot of reading on the web site. Do that and you'll get a good idea of what OpenBSD is "about".
>
> --STeve Andre'

Newbie commenter here, but I feel the need to chime in. It may be the rum talking, but I digress...

As somebody who has thought very long and hard about leaving the OSX church, and then which open source system to support, and then which *BSD to support, I hope my choice of OpenBSD can at least be heard.

There is a comic related to the 4.2 release (which I'm too lazy to find and reference at the moment) in which "puffy" and other related creatures are in a race. Yes, I know the comic was OpenBSD-produced and -centric, but it hit home anyway. There is a frame that shows a daemon (representative of FreeBSD) racing a penguin. That kind of solidified for me the feeling I always had using FreeBSD that it was trying to be/compete with Linux. Don't get me wrong, I applaud the FreeBSD team, but I'm not interested in another religious OS argument. I can get that with OSX vs Windows. I love arguing OS vs OS with people, but my choice to support OpenBSD was based on the fact that it doesn't want to play that game. It's an OS to choose based on its merits, not its name.
OpenBSD is not trying to supplant another OS, it is not trying to become a religion, it is simply trying to be a secure and proper BSD implementation. And that's what I want. Advertising would certainly help where it's needed, i.e. cash and hardware, but that is a secondary goal (from my understanding). You have here an OS with modest yet commendable goals that isn't making OS "penis size" its number one goal. OpenBSD has its goals and it is trying to achieve them.

Yes, I'd love to see OpenBSD ads out there. But there needs to be a balance between "hey, I'm awesome, use me." and "Wow, that's awesome, I'll buy a CD." FreeBSD is in the same boat. The beauty of OpenBSD is that it tries to exist on its merits. To me, OpenBSD's merits are greater than FreeBSD's.

Ultimately people need to be pointed to donate their time/money/efforts to projects that they see value in. I know OpenBSD is fairly "stuffy puffy" in its philosophy, but that's what it is. People who agree with that ideal will seek it out. Yes, it'd be great to see magazine ads, but ultimately the great paradox comes into play:

- OpenBSD needs donations to progress
- progress can't happen without users
- users want a good product
- a good product in this arena needs donations

/ramble off
Re: HP LaserJet P2015 on OpenBSD -- BEWARE
On 12-Dec-07, at 8:49 PM, bofh wrote:

> On Dec 12, 2007 10:42 PM, Greg Thomas <[EMAIL PROTECTED]> wrote:
>> For the archives I think you mean an HL-5250DN.
>
> yes es, oops :)
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

I have to agree on the warning regarding these printers.

Our corporate structure includes a few Red Hat (RHEL) servers from another (internal) corporate entity that print PostScript to devices on my network using HP's port 9100 setup. For the sake of convenience, it was always easier for me to just buy HP. I was happy with the printers, 9100 was always enabled by default and the world was right. I have a mix of HP models depending on purchase date - 1300n, 1320n, etc. Also had about 10 HP 2015s that were working FINE...

...until they upgraded their server to the most recent Red Hat/Linux kernel. Forgive me for not knowing (caring) about which version, but the basics are that a Red Hat upgrade on the server end left me with 10 useless printers, which was blamed on either my networking skills or HP firmware.

It's nice to know that I'm not seeing things, as it was fairly obvious to me that the Red Hat upgrade caused these printers to stop properly printing .ps files. I had to run out and buy 10 Lexmarks just to keep offices running and ultimately eat the "hit" for equipment not functioning. Not to mention that nobody will believe that the Red Hat upgrade caused the problem (even though it seems HP is ultimately at fault).

- visc
Straw men etc.
This really is getting old... it's getting harder to want to even go through new messages in [EMAIL PROTECTED]. I'm not siding with RMS or anybody, but let's either make a new mailing list for it or let this stuff get archived and move on. Just my 2 cents.
Re: ipsecctl and isakmpd
> Dear list,
>
> I have a firewall and an ipsec.conf with 42 ike esp connections:
>
>     ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group modp1024 \
>         psk "mekmitasdigoat" tag "yet.another.connection"
>
> isakmpd is started with "-K -T". I am talking to lots of Watchguard Fireboxes, by the way. All connections are established and traffic flows over enc0; all seems good. However, when I try to reload ipsec.conf due to a rule change, either isakmpd dies with nothing in the logs whatsoever and/or my /var/log/daemon is filling up with messages like these:
>
>     Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
>     Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
>     Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> I would like to be using something other than shared keys, but the Watchguard boxes only support fancy things like that through a "Watchguard System Manager" which I'd like to avoid. So for the moment I am stuck with preshared keys.
>
> If I do "ipsecctl -F" and do a kill and restart of isakmpd, the connections seem to be established successfully again. Am I missing something obvious in reloading/adding connections to ipsec.conf? Is a simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule, or do I need to give isakmpd a SIGHUP?
>
> Thanks in advance,
>
> --
> Michiel van der Kraats
> Backup Service / BackupStore

I'm sure wiser minds than me may prove me wrong, but I have a similar situation with some Cisco and Linksys devices <-> OpenBSD. I think the Watchguard devices are quite happily waiting for their key lifetime to expire before re-negotiating with your isakmpd.
By reloading isakmpd you are forcing expiry and re-negotiation. Do you lose all SAs when you change rules, or just those to the devices affected by your rule change? I've had better luck with other devices by using "ike passive", but that's probably unrelated. Cheers
Re: i have lost /etc
Just a noob here (so take with a big grain of don't-blame-me), but if an rm -rf /etc actually is what happened, IMHO you'd need to REALLY want your config files to spend the time attempting recovery. /home should still persist just fine regardless of your partitioning scheme, unless you did something silly on day 1 like change the default home to /etc/home.

You should wait for better minds than mine to confirm, but you could probably either:

- Boot from install media (CD, etc. - I don't know if hd0a:/bsd.rd would work in this case or not? List?) and (U)pgrade following recommended procedures. You'd still need to start from a fresh /etc though.
- If you have the capability, you could toss the drive into another device and mount your home partition to grab yer stuff.

Scott

> Hi list,
>
> Please someone help me. I have deleted my /etc dir (rm -rf /etc). Is there any way to recover it, or is there a way to recover my data stored in /home???
>
> Regards
Re: How do I set up personal web sites for users?
> Hi folks,
> I have a few questions about how to set up users on my OBSD 4.3 box.
>
> I've created a user (Stephanie) on the box, and I've added her to the /etc/ftpchroot file so she can upload stuff to her directory; now I just want her to be able to reach whatever she uploads (which probably will be just a bunch of files) via Apache, and that's where I'm stumped.
>
> I was expecting to be able to reach her stuff via the typical *nix http://server/~stephanie, but that didn't work.
>
> 1.) Can someone tell me what I'm doing wrong?
> 2.) Inside the /var/www directory, there's a "user" directory. What's that for?
> 3.) Do I need to, or would it be advantageous to, modify the httpd.conf file? What sort of entries might be helpful?
>
> Thank you,
> Ed

Howdy,

1) By default, Apache is chrooted to /var/www, so there is no way for your web user to get to her home directory.
2) Not confident enough in my knowledge to answer that accurately ;)
3) Although it would be, IMHO, a bad idea, you could use httpd.conf to change the ServerRoot to /home to probably achieve what you want, but it is a big security compromise.
Re: How do I set up personal web sites for users?
> On Tue, 6 May 2008, Ed Flecko wrote:
>
>> Hi folks,
>> I have a few questions about how to set up users on my OBSD 4.3 box.
>>
>> I've created a user (Stephanie) on the box, and I've added her to the /etc/ftpchroot file so she can upload stuff to her directory; now I just want her to be able to reach whatever she uploads (which probably will be just a bunch of files) via Apache, and that's where I'm stumped.
>>
>> I was expecting to be able to reach her stuff via the typical *nix http://server/~stephanie, but that didn't work.
>>
>> 1.) Can someone tell me what I'm doing wrong?
>> 2.) Inside the /var/www directory, there's a "user" directory. What's that for?
>> 3.) Do I need to, or would it be advantageous to, modify the httpd.conf file? What sort of entries might be helpful?
>>
>> Thank you,
>> Ed
>
> Turn on UserDir in your Apache config & verify the directory location; that should do the trick.
>
> Lee
>
> ==
> Leland V. Lammert [EMAIL PROTECTED]
> Chief Scientist Omnitec Corporation
> Network/Internet Consultants www.omnitec.net
> ==

Hey, colour me humbled. Something new every day, I guess. Cheers