sd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
As said, just pay attention that nsd is a resolver only.
> Thanks,
> Steve Williams
Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.
Regards,
Claer
> If someone has experience with similar setup please chime in.
I built this kind of setup in the past, still running after all those
years. So the configuration you want to build is robust.
If you plan to have multiple R3 routers and don't interact with other
ospf routers outside your responsibilities, I advise you to move to bgp.
It's not way harder to learn and it is more powerful regarding route
filtering.
Claer
On Fri, Jun 02 2017 at 42:07, cdix wrote:
> I have the same problem.
> Did you ever found a resolution for your problem?
> If so what was it?
>
Hi,
FTP has one command tcp connection and one dynamic data connection that make
an entire applicative session. In order for FTP to work, it needs both co
as working
> against Cisco. What I don't know is whether it harms interop with
> anything else.
>
> http://marc.info/?l=openbsd-tech&m=131244805816474
I ran with this patch on production for nearly 2 years. It didn't cause any
issue interoperating with a few kinds of devices. I successfully configured VPN
with ASA, Juniper, Fortinet, StormShield and Windows on the other side.
If there were some side effects, they were not visible.
Claer
ring big files, not for
common web browsing (usually smaller packets).
Best regards,
Claer
usecase.
>
> Thanks for your answer
>
> Kim
Best regards,
Claer
#--- | NET
> NET # 10Mb |DSL|/ ---
> --- # ---101.0.0.0
> 100.0.0.0 #21.0.0.0
Best regards,
Claer
conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.gre.allow=1
# isakmpd -4K
# ipsecctl -f /etc/ipsec.conf
# npppd -f /etc/npppd/npppd.conf
#
Claer
Hello,
Thanks guys for the pointer on pair. My mail was intended to show (what IMO is)
an issue in the bridge code. With the recent post on n2k15 by Reyk[0], I'll keep
an eye on the following developments :)
Claer
[0] http://undeadly.org/cgi?action=article&sid=20151217134417
On Th
42: arp who-has
192.168.79.193 tell 192.168.79.159
12:14:20.054016 08:00:27:36:20:e8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
192.168.79.193 tell 192.168.79.159
Thanks for reading that far :)
Claer
heck what's wrong.
With ScreenOS software (not JunOS like you, but they should be similar)
the "encryption domain" is usually set to 0/0 and the OS manages routes
to determine what to send to the tunnel. This will not work with your
configuration and the network/sys admin on the other side needs to do
some adjustments. Do you have the configuration of the other side?
Good luck with troubleshooting.
Claer
onstant(xf->field,
Common subdirectories: src/sbin/isakmpd/obj and src2/sbin/isakmpd/obj
Common subdirectories: src/sbin/isakmpd/sysdep and src2/sbin/isakmpd/sysdep
- Forwarded message from Stuart Henderson -
From: Stuart Henderson
To: Claer
Subject: Re: Isakmpd NAT-T interoperability
D
On Sat, Aug 02 2014 at 09:01, Nick Holland wrote:
> On 08/01/14 08:12, Claer wrote:
> > On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
> ...
> >> I'll leave you to develop the script.
>
> >> My design philosophy:
> >> 1) No additional hw, other
hange. If something goes horribly wrong before you sync it,
> log into the "other" firewall, and push the changes back.
>
> Wonder why a rule is in the firewall? Look back through the change log
> and read the comments.
>
> I've done the same thing with DNS zone files and config files, (in my
> opinion) better than the BIND "master/slave" model -- set up each node
> as a master, and sync the data through scripts like this.
>
> Nick.
Claer
't find the problem. I will be grateful if you could help me.
>
>
> Please find attached my pf.conf file.
Attachments are blocked on this list ;-)
You can read the PF book http://home.nuug.no/~peter/pf/ to find good
information on PF.
Regards,
Claer
On Sun, Jan 13 2013 at 04:11, Maximo Pech wrote:
> At work, we have an "information security" area for IT.
>
> They mandate that on all shell scripts we have to use absolute paths for
> every single command.
>
> I feel that this does not provide real security and only makes scripts
> somewhat mor
d who's gonna be the default resolver?
> What is the status of nsd then? (I am just about to try
> it on one of my resolvers).
NSD is just an authoritative name server that doesn't cache and does not
answer recursive queries.
nsd and unbound are complementary.
Claer
On Tue, Oct 04 2011 at 42:21, Stuart Henderson wrote:
> On 2011-10-03, Claer wrote:
> > On Sat, Oct 01 2011 at 18:08, Joe S wrote:
> >
> >> On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius wrote:
> >> > I have used Soekris for a few years and are very happ
On Sat, Oct 01 2011 at 18:08, Joe S wrote:
> On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius wrote:
> > I have used Soekris for a few years and are very happy with them. They have
> > a new board that will start shipping soon: http://soekris.com/net6501.htm
> >
>
> Curious if anyone has tried
er link
fail. This way, the complexity on the central site is only 2 tunnels
per site and not 4.
Claer
tell
> > ospfd to reload interface addressing.
>
> interfaces and addresses moving around hurts me too.
>
> > I'm often needing to add more and more interfaces and ospf interfaces,
> > necessitating failing over so as to make it safe to kill and re-start
> > ospfd -- in the process it just seems to nip some flows from flowing.
>
> i do that too. lets annoy claudio together!
In my world, it happens that interface numbering changes. The solution we
found is
- remove the interface from ospfd.conf,
- reload configuration with ospfctl reload
- destroy the interface (our ospf interfaces are mainly gif ones),
- recreate interface with new IPs
- add conf to ospfd.conf,
- reload configuration with ospfctl reload
This may sound a bit too much, but it works and seems to be reliable for
the moment, and it does not require killing and restarting the daemon :)
Claer
bios
parameter to change, I didn't take time to investigate (and bug report)
yet. It's on my todo list :)
Regards,
Claer
case
> any ideas? an important option i missed?
Using ipsec tunnels in different rdomains to manage overlapping easily?
(Thanks to Reyk to clarify the usage of ipsec+rdomain)
Claer
ig configuring gif, reported to devs,
and now it's fixed in current. Try current and report the bug if it's still
present.
As I didn't try more than 200 rdomains in a test machine, I could not tell
if 512/1024/2048 is a silly idea or not.
Claer
nk that enc(4)
supports rdomain yet.
[...]
> anybody having experience in
> terminating a IPSEC tunnel in a routing domain? (virtual firewall setup)
> maybe i should try GRE with IPSEC on top of
> that...(?)
Setting up gif on rdomain on top of ipsec works.
Hope this helps :)
Claer
one loopback to another and affect the gif
interface to the right rdomain. Don't forget to define gif tunnels in
both directions!
Ex: gif1 in rdomain 1, lo1 -> lo2
gif2 in rdomain 2, lo2 -> lo1
..
Claer
unnel B. Although this process
> can be scripted easily enough I was hoping to automate this as much as
> possible.
>
> Any suggestions ?
You setup permanently tunnels A and B,
you add gif over both tunnels,
then you run ospf on top of gif on both end points, assigning different weights
for the links.
Claer
o/?l=openbsd-misc&m=129534605406967&w=2
Claer
Dear list,
Recently I built a new VPN hub and it seems I reached a limit in ospfd.
The configuration is the following :
2 central OpenBSD (4.7 on production, 4.8 and latest snapshot in our
lab). They both run ospfd on LAN side.
49 OpenBSD clients, running IPSEC + gif encapsulation over to each
wrong, or if its even
> possible to use layer 3/4 info in OpenBSD to hash the traffic. Since I'm
> using the box as a router, layer 2 hashing doesn't help me very much since the
> source MAC is always the same.
>
> I took a peek at the source, but I'm definitely not a C hacker, so nothing
> jumped out at me for computing the hash...
>
> Thanks,
>
> Jason
Claer
e offered by them.
>
> And it is not a good idea to change on every computer...
>
> Is there a better idea?
Proxification will mostly require modifications on the client's side but
it could be simplified with proxy.pac distribution. If you go the socks
way, you won't have any choice but to install a proxy client on each
computer.
Claer
l for
> communication), and I load balance with mod_proxy_balancer, and I
> know a lot of people who use nginx (but not me).
Move your puppet to apache+passenger instead of starting several
mongrel instances. It is much simpler to manage.
Claer
> --
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."
On Fri, Oct 01 2010 at 00:11, Denis Doroshenko wrote:
> On Fri, Oct 1, 2010 at 10:31 AM, Claer wrote:
> ...
>
> it's usual for todays modems to not negotiate their IP address (in
> older days handsets would send some dummy value), but you can add a
> predefined address f
On Thu, Sep 30 2010 at 45:10, Tilo Stritzky wrote:
> On 30/09/10 00:40 Claer wrote:
> > Hello list,
> >
> > I have a minipci umts modem that is recognized fine by OpenBSD (4.7-stable)
> > but I'm unable to find the good pppd configuration to establish
99***1#
'CONNECT' '\c'
'TIMEOUT' '5'
In the /var/log/messages I can see these lines :
Aug 24 02:51:14 fw pppd[14700]: pppd 2.3.5 started by root, uid 0
Aug 24 02:52:00 fw pppd[14700]: Connect script failed
Any help appreciated :)
Thanks,
Claer
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
> The question I have is how do I get dhclient working with the cable modem,
> given that the IP address is dynamic? dhclient doesn't work when the carp
> interface is in INIT mode and I'm not sure how to get carp to "share" the IP
> address between
On Tue, Jul 27 2010 at 04:10, Maikel Verheijen wrote:
> Hello fellow openbsd fans,
Hello,
> While preparing a test environment for my upgrade to openbsd 4.7 I ran into a
> slight problem. My current setup uses route-to rules to send out traffic back
> out on the interface it received it on like th
psk OpenBSD
As stated, just adding the "local" keyword should suffice.
Claer
kmpd/isakmpd.conf
# $Id: isakmpd.conf 44 2009-04-02 16:32:20Z claer $
[General]
DPD-check-interval= 30
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
Listen-on= IP.IP.IP.IP
Claer
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
> Am 19.05.2010 20:52, schrieb Claer:
> >However, on the kerberos server side, no request have been made to the
> >"claer" account :
> >May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> >
> > Now the next step is to try an authentication wi
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA
rb5.keytab
From there, I can obtain a kerberos ticket on the system :
# kinit claer
cl...@claer.hammock.fr's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: cl...@claer.hammock.fr
Issued Expires Principal
May 19 10:06:28
On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
> Hey guys,
Hi,
> I'm struggling to get isakpmd to talk to a checkpoint firewall
>
> I need the following parameters
>
> General IKE Properties = AES-256 with SHA1
> IKE Phase 1 SA = Group2 (1024 bit)
> IKE Phase 1 SA renegotiation = 1440
> I
path but, did you look at "proxying" the
trap with net-snmp ?
Direct the original trap to your firewall (carped ?) and then when the
trap arrives on it, ask net-snmp to send several traps to the
supervision servers.
Claer
> The main objective though, is to preserve the source
via .2.
> >
>
> Sorry, but I don't get what your suggestion can do for the case I
> proposed.
> Maybe I'm dense.
> Assuming my link is 4.3.2.0/30 the upstream router is 4.3.2.1 and I
> have no choice but to use 4.3.2.2 as my $ext_if. How does that work
> with your example?
>
> Thanks,
Did you look at ifstated ? I tried it for 2 firewalls with 1 pppoe link.
This setup didn't go on production but worked fine during tests.
Claer
On Mon, Oct 13 2008 at 48:08, Freddy DISSAUX wrote:
> Thanks to all the developers for a job well done.
Hehehe Where in Poissy? I'm in beauregard ;-)
cya
Claer
ide tried to
restart isakmp negotiations after a short internet failure.
Claer
> > In our environment (we manage openbsd tunnels to cisco 3030
> > which is out of our scope) we debugged a strange problem when
> > the connection goes down. The tunnels won't come back afte
On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
> I finally was able to setup vpn connection.
> Other side was configured in wrong way and sum of all my ipsec.conf look in
> this way:
>
> -- ipsec.conf --
> other_peer = "c.c.c.c_public_ip"
>
>
> ike esp tunnel from a.a.a.a_net to d.d.d.d_net
ni-pcie 3G cards.
Does someone here already play with such devices ?
Regards,
Claer
ks for your prompt reply.
>
> Just out of curiosity what's this 'MTU' stands for?
Maximum Transmission Unit. It's the biggest number of bytes that can be
transmitted on the media (ISO layer 2).
You can go on wikipedia for more information
http://en.wikipedia.org/wiki/Maximum_transmission_unit
Claer
ly, 4.3 can read DSCP but not write it. Write support was committed
last month (http://marc.info/?l=openbsd-cvs&m=121014159632272&w=2)
so you can certainly test this functionality with a snapshot.
Claer
the moment, no issues with them.
We haven't tested performance. These Dell protect small Internet links
so we didn't bother checking performance for links below 10Mb.
Claer
> Torsten Frost wrote:
>> On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco
>> <[EMAIL P
yet tried building net-snmp from the ports system, but that's
> > my next step.
> >
> > Has anybody else run into this?
>
> I've seen this, too. But a package made out of the port will work.
Repeatable also here. We built net-snmp package from ports.
Claer
st broken?
If you wish to execute commands (for example ospfd) regarding carp
states, I recommend you to check ifstated(8) and ifstated.conf(5)
> Sorry for the long email and thanks in advance.
Sorry I shortened it :)
Claer
ay alternative rules that use the tagged keyword can be implemented
following the ftp-proxy anchor. These rules can use special pf(4)
features like route-to, reply-to, label, rtable, overload, etc. that
ftp-proxy does not implement itself.
Claer
re full messages.
You can just use a value bigger than the MTU.
# tcpdump -ns 1550
Claer
_mask: 255.255.255.255
> >>>> dst_mask: 255.255.0.0
> >>>> protocol: proto 0 flags 0
> >>>> flow_type: type unknown direction in
> >>>> src_flow: 208.70.72.13
> >>>> dst_flow: 10.0.0.0
> >>>
> >>> I would recommend taking a look at if you haven't already:
> >>> http://www.securityfocus.com/infocus/1859
> >>>
> >>> Jonathan
> >>>
> >>>
> >>
> >> http://www.securityfocus.com/infocus/1859
> >> is the article that started it all for me using ipsec and OpenBSD. It's
> >> not exactly geared for one end being dynamic ip though.
> >>
> >> I don't have much experience with dynamic addresses, but if my
> >> understanding is correct, the best would be as below.
> >>
> >> Let me know if it works, I'm curious, since I've also never done ipsec
> >> between a static and dynamic device without an internal subnet on both
> >> hosts:
> >>
> >>
> >> colo /etc/ipsec.conf:
> >>
> >> ike passive from 208.70.72.13 to 10.0.0.0/16
> >>
> >> home /etc/ipsec.conf:
> >>
> >> ike dynamic from 10.0.0.0/16 to 208.70.72.13
> >>
> >> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to
> >> amaze me in it's simplicity compared to other options)
> >>
> >> Make sure your pf on both ends is allowing negotiation (which it seems to
> >> be). Also, unless you need to apply pf rules to your encrypted traffic,
> >> make sure you've got enc0 in your "set skip on" interfaces.
> >>
> >> I'd suggest using pubkeys as in isakmpd(8) which should be:
> >>
> >> copy /etc/isakmpd/local.pub from colo to
> >> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
> >>
> >> copy /etc/isakmpd/local.pub from home to
> >> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
> >>
> >> That would be better than psk if you can get it working, imho.
> >>
> >> Cheers
> >>
> >>
> >>
> >
> > i have switched to using pubkeys via fqdn as im using fqdn in both
> > dstid and srcid, that is now working. and quite nicely if i do say so
> > myself
> >
> > i have appropriate nonat on the dynamic side as well
> > angie="208.70.72.13"
> > table const { 10/8, 172.16/12, 192.168/16 }
> > no nat on $ext_if from to $angie
> >
> >
> > the pf is set up to allow all udp 500 traffic on both sides.
> > pass in on $ext_if inet proto udp from any to $ext_if port isakmp
> >
> > enc0 was not on my skip list however it is now, and still no change
> > set skip on {enc0, lo0}
> >
> > from the man page sample:
> > #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> > # srcid me.mylan.net dstid the.others.net
> > #ike esp from 192.168.3.1 to 192.168.3.2 \
> > # srcid me.mylan.net dstid the.others.net
> >
> > # Set up a tunnel using static keying:
> > #
> > # The first rule sets up the flow; the second sets up the SA.
> >
> > it seems to imply that 2 rules are needed for any one connection, one
> > rule that specifies interesting traffic and one that defines
> > termination points. I will try this.
> >
> >
> > --
> > -Lawrence
> >
>
> Im not exactly sure how to tell the second rule, as the home endpoint
> is dynamic, i cant set that one to a ip since it will change, and if i
> set it to a fqdn i get errors for mismatched types, however i think it
> just looks up the name anyone doesnt it?
Do you have a rule to allow esp traffic ? If you don't have one, here is
what you should add in your pf ruleset :
pass in on $ext_if inet proto 50 from any to $ext_if
Claer
On Wed, May 14 2008 at 24:09, David Gwynne wrote:
> i believe this has been fixed with revision 1.80 of src/sys/dev/ic/mfi.c.
> could you please try -current (or at least 4.3) and see if the problem
> persists?
OK. I'll try to upgrade these servers asap. (It has to be done
ode.
As this firewall is used for tests it did not impact any users
(except myself ;)) but permits to run debug commands if suggested.
I'll update the perc firmware as mentioned on the thread posted above.
The server will be upgraded soon to 4.3 too.
Any help on how to avoid this problem is we
LAN_priv $IPSEC_peers $IPSEC_crypto \
psk $Our_PSK
With 4.3-current you can use includes. Sample from man page :
Additional configuration files can be included with the include
keyword, for example:
include "/etc/macros.conf"
Claer
> And it seems to be working with snapshots.
>
> But my question is: will it be supported by the 4.3 release? We're not used
> to run -current on our firewalls, and we'd prefer to continue with -release
> and -stable.
We tested r200 servers this week with a 4.3 stable release. It seems to work
fine for the moment.
Claer
On Wed, Apr 23 2008 at 40:17, Monah Baki wrote:
> Hi all,
Hi,
> I implemented the following rule and so far I can see that all users are
> accessing my proxy server
>
> Tried the following in /etc/inetd.conf
>
> 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \
>20 192.168.
On Wed, Apr 23 2008 at 01:00, Jon Radel wrote:
> Sam Fourman Jr. wrote:
> >> Is there a way to login the passwords that were used in the bruteforce
> >> attack?
> >
> > I am siting trying to come up with a good reason why you would give a
> > damn what passwords they tried?
> >
> > I mean for t
On Tue, Apr 22 2008 at 43:22, Arun G Nair wrote:
> On Mon, Apr 21, 2008 at 11:44 PM, Claer <[EMAIL PROTECTED]> wrote:
> > I personally use unicode rxvt. It's a clone of rxvt that comes with
> > unicode (oh surprising) and with client/server mode to reduce memor
urxvt is also one of the rare terms out there with transparency and
whitening the background and not darkening it.
Claer
AN interface is in master mode : add the carp address to
the NAT table
- If the LAN interface is in backup mode : remove the carp address from
the nat table
Claer
.soekris.com/vpn1401.htm
I searched for crypto cards for IPSEC Encryption, the best answer I
found was : not use one ;-)
> It mentions AES but not blowfish.
As said by other people, you should go for AES encryption.
Claer
revent traffic from WWW DMZ from leaking into the trusted LAN.
> >
> >
> > that is ONE use of them, but certaily not the only one.
>
> Please enlighten us then, Henning. What do you use tags for, routing?
> Why don't you update the doco with some examples?
For example, I use tags for QoS inside IPSEC. It's documented in
ipsec.conf(5)
Claer
haven't found yet a firewall log analyser that emphasises the important
alerts and does not summarise in a beautiful graph all the connections.
Claer
it's quite easy, just do s/GRE/gif/ in my
previous sentence ;-)
Claer
> Claer wrote:
>> On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
>>> Hi all,
>> Hi,
>>> A while back I attempted to setup a route-based VPN tunnel between a
>>> Fortigate fi
sec
should work. It's not the way to go if you want to take the vpn decision
based on ip routes.
I'd firstly try to create a GRE tunnel (numbered) between peers and then
create a host to host vpn with GRE tunnel on top of it.
Both OpenBSD and Netscreen support GRE, I hope Fortinet does.
Cl
ill fully
functional (got an ip address)
If the pppoe link becomes OK, start isakmpd and reapply pf just in case
For the moment, I didn't have any issues on the primary :)
Claer
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
> > I always hesitate to use this trick. Could you please develop more the
> > implications of this method? Is it still effective?
> Yes, it's still effective. You ne
st was giving the
> netblock owner a hard time. It's their responsibility. It's not too
> hard to make up a shellscript (or use another scripting language) which
> automates a daily report and the complaint.
I always hesitate to use this trick. Could you please develop more the
implications of this method? Is it still effective?
Thanks!
Claer
w hardware should arrive near december for the PE 1950.
Claer
> On Wed, Nov 21, 2007 at 09:55:54AM -0800, Stanislav Ovcharenko wrote:
> > Hello,
> >
> > I'm planning on running OpenBSD 4.2 on Dell Power Edge 1950.
> >
> > Question 1: How stable is it on x64
y with Cisco Systems products, and for no other use.
--8<---8<--8<-
Claer
n with two rules without any issues. I guess we will support +, ., -
> , ^ and $.
About OpenBGPd todo list, is there any plan to implement bgp
confederations ?
Thanks
Claer
On Tue, Sep 11 2007 at 41:12, Bryan Irvine wrote:
> I've found a couple of threads in the archive about the possibility of
> adding this feature, but can't seem to find out whether or not this is
> possible.
I think this is the patch you are looking for :
http://marc.info/?l=openbsd-misc&m=1182324
t_LAN to $peer_LAN \
>>>>> peer $peer_GW \
>>>>> main auth hmac-sha1 enc 3des group modp1024 \
>>>>> quick auth hmac-sha1 enc 3des group none \
>>>>> psk ""
You have "group none" for phase 2. That means you don't use PFS. But in
this email you fixed sysctl's pfs option to 1. There is a contradiction.
Regards,
Claer
modp8192    8192
none        0    [quick mode only]
Regards,
Claer
> > what im doing wrong.
Hi,
I read somewhere on the list that you cannot assign IPs to the
interfaces if you are using carp + pfsync + sasyncd. You should have
only the carp IP set up.
Is your config working ? Did you test failover ?
Thanks,
Claer
On Fri, Apr 20 2007 at 34:05, Lars D. Noodén wrote:
> On Fri, 20 Apr 2007, Claer wrote:
> > On Thu, Apr 19 2007 at 53:12, carlopmart wrote:
> >> Somebody have tried to use cisco vpn client to connect to openbsd ipsec
> >> gateway using user and pass or x509 certific
didn't take time to try
it, sorry.
Claer
ve IPsec aggregator with many
> dynamic tunnels from "road warrior" type peers.
I didn't try road warriors yet. What client software do you use ?
Claer
for phase 2. I doubt it's a lifetime
problem.
The configuration should work, at least it works here between Checkpoint
R61 and OpenBSD 4.0.
Could you provide us some error messages please? Messages from the Checkpoint
side
would help too :)
Claer
he time to investigate but
changing the encryption to 3des resolved the issue.
There is certainly an error in the ipsecctl generated output for
isakmpd.
regards,
Claer
>
> I started isakmpd -K and then did an ipsecctl -vv -c /etc/ipsec.conf, and
> then I
> immediately
> get a
ng in the enc0 interface is done with the flow statement in the
ipsec.conf file. Your ipsec.conf should include a line like this one :
flow esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2
Good luck!
Claer
> cisco
> IKE proposal
> authentication mode - presharedkeys
> a
g antispoofing
protections (they should, they rarely do). The other problem I see in
that setup is the asymmetric routing it creates. It can be another source
of problems later. Please, try to check with a temp server (with one of
your free IPs) before putting this configuration in a production
environment.
Claer
to 192.168.4.0/24 peer 10.10.2.253
The tunnel worked fine since that moment :-)
A happy user,
Claer
maller setup (1 carp cluster and a single box at the other
end) and also noted the duplicate SAs. I updated to current
in order to see a resolution of this problem with no luck.
I didn't see the "invalid Cookie" message in log files.
Claer