On 1/13/25 11:54, Fables Bookshop wrote:
It fails soon after loading the file sets, they do not load fully, the
%age count never reaches 100% and it then offers to reboot. I did a
second download, burnt a second dvd, but the process repeats itself. So
at this point no dmesg.
The only time I sa
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from your pf.conf:
> block out quick from $wired3 to { $wired1 $wire
On 5/19/24 13:37, Stuart Henderson wrote:
I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.
Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc&m=168754952806369
On 4/4/24 23:17, Katherine Mcmillan wrote:
an open source data compression utility available on almost all installations of
Linux and other Unix-like operating systems."
There are a couple of problems with this statement, but I just want to
focus in on the "almost all installations of Linux a
On 4/3/24 18:19, Karel Lucas wrote:
I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the conne
I have asked myself the same question.
When running tcpdump -n -i pflog0 with the -e -v flags (and only in
that combination), it outputs tuples that look like they should be a
uid and pid:
16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...
(it's 92257 on the machine t
On 9/8/23 00:24, Richard Thornton wrote:
Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's probabl
Just for the record: The problem was caused by a malfunctioning upstream
gateway, which no longer responded properly to neighbor solicitation
requests.
The SYN ACK from the server was dropped because the firewall had already
removed the state created by the SYN.
On 6/23/23 22:51, Markus
Hi all
(Sorry for flooding, this seems related to the question I asked earlier.
Please bear with me.)
I am using relayd on 7.3-release as an IP loadbalancer in front of some
dualstack backend hosts. This setup has worked for some years now.
After upgrading to 7.3 about 4 weeks ago I noticed
Hi all
I am using relayd on 7.3-release as an incoming IP loadbalancer and
therefore have this line near the beginning of the filter section of
pf.conf:
anchor "relayd/*"
It shows up as rule number 2 in pfctl -vv -s rules:
@0 match all scrub (no-df reassemble tcp)
[ Evaluations: 89452
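Two of the threads above turn on pf rule numbers: the pflog line that tcpdump -e -v prints ("rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...") and the "@N" numbering of pfctl -vv -s rules, where the relayd anchor shows up as rule 2. The following is an added example, not code from the posts, that parses both outputs and joins them so every logged packet is reported together with the text of the rule it hit. What the bracketed uid/pid refer to is the question the first thread asks; the parser only extracts them. Both sample texts are constructed to look like the real output (the counters, addresses, pid values and the anchor name "relayd/www" are invented), and the parser also tolerates the dotted "N.anchor.M" form that rules inside anchors are printed in, keeping the leading number.

```python
"""Join pflog(4) events with the rule table they refer to.

Added example; not code from the mailing-list posts. `tcpdump -n -e -v -i pflog0`
prints lines of the form
    HH:MM:SS.usec rule N/(reason) [uid U, pid P] ACTION DIR on IF: packet...
and `pfctl -vv -s rules` prints "@N rule text" followed by bracketed counter
lines. Both sample texts below are constructed to look like that output; the
rule numbers, counters, uid/pid values, anchor name and addresses are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+rule\s+(?P<rule>\S+?)/\((?P<reason>[^)]+)\)"
    r"(?:\s+\[uid\s+(?P<uid>\d+),\s+pid\s+(?P<pid>\d+)\])?"  # only printed with -e -v
    r"\s+(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:\s]+):\s*(?P<pkt>.*)$"
)


@dataclass
class Rule:
    number: int
    text: str
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0
    states: int = 0


def parse_rules(text):
    """Return {rule number: Rule} from `pfctl -vv -s rules` output."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = Rule(int(m.group(1)), m.group(2).strip())
            rules[current.number] = current
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:  # counter line belongs to the preceding @N rule
            (current.evaluations, current.packets,
             current.bytes, current.states) = (int(x) for x in m.groups())
    return rules


def parse_pflog_line(line):
    """Return a dict of fields for one tcpdump pflog line, or None if it is not one."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    # A rule inside an anchor is printed as "N.anchorname.M"; N is the number of
    # the anchor rule in the main ruleset, which is what `-s rules` shows.
    top = ev["rule"].split(".", 1)[0]
    ev["rule_number"] = int(top) if top.isdigit() else None
    ev["uid"] = None if ev["uid"] is None else int(ev["uid"])
    ev["pid"] = None if ev["pid"] is None else int(ev["pid"])
    return ev


def annotate(pflog_text, rules):
    """Attach the matching rule text to each parsed pflog event."""
    events = []
    for line in pflog_text.splitlines():
        ev = parse_pflog_line(line)
        if ev is None:
            continue
        rule = rules.get(ev["rule_number"])
        ev["rule_text"] = rule.text if rule is not None else "(not in current ruleset)"
        events.append(ev)
    return events


def blocks_by_rule(events):
    """Count blocked packets per rule text, to see which rule actually bites."""
    return Counter(ev["rule_text"] for ev in events if ev["action"] == "block")


# Constructed sample output of `pfctl -vv -s rules`
SAMPLE_RULES = """\
@0 match all scrub (no-df reassemble tcp)
  [ Evaluations: 89452     Packets: 89452     Bytes: 51205321   States: 0     ]
  [ Inserted: uid 0 pid 92257 State Creations: 0     ]
@1 anchor "relayd/*" all
  [ Evaluations: 89452     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 92257 State Creations: 0     ]
@2 block return log all
  [ Evaluations: 12        Packets: 12        Bytes: 720         States: 0     ]
  [ Inserted: uid 0 pid 92257 State Creations: 0     ]
"""

# Constructed sample output of `tcpdump -n -e -v -i pflog0`
SAMPLE_PFLOG = """\
16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: 203.0.113.9.44321 > 198.51.100.2.22: S 1:1(0) win 65535
16:40:48.000001 rule 2/(match) [uid 0, pid 92257] block in on trunk0: 203.0.113.9.44322 > 198.51.100.2.23: S 2:2(0) win 65535
16:40:49.000002 rule 1.relayd/www.0/(match) [uid 0, pid 71004] pass in on trunk0: 203.0.113.9.44323 > 198.51.100.2.80: S 3:3(0) win 65535
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    events = annotate(SAMPLE_PFLOG, rules)
    for ev in events:
        print(f'{ev["ts"]} {ev["action"]} {ev["dir"]} on {ev["ifname"]} '
              f'-> @{ev["rule_number"]} {ev["rule_text"]}')
    print(blocks_by_rule(events))
```

On a real firewall, feed it `pfctl -vv -s rules` and `tcpdump -n -e -v -i pflog0` (or a saved pflog file via `tcpdump -n -e -v -r /var/log/pflog`) captured at the same time; rule numbers shift whenever the ruleset is reloaded, so a log taken before a reload will not line up with the current table.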
for my external carp interface both firewalls show master as status
The config is below for reference:
/etc/hostname.carp0 on fw1
inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password
advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0
/etc/hostname
On 12/2/22 16:17, rsyk...@disroot.org wrote:
echo 1 | tee $(tty) | sed 's/1/2/'
Not 100% sure, but probably some timing/subshell issue.
This works:
tty=$(tty) && echo 1 | tee $tty | sed 's/1/2/'
best /m
Hi Tom
On 5/11/22 21:32, Tom Smyth wrote:
We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
The one thing that immediately comes to mind is to NOT use a crossover
cable for the pfs
On 11.08.21 08:40, Vladimir Nikishkin wrote:
> table { 127.0.0.1 }
> table { 127.0.0.1 }
Have you tried having the two backend listeners on different IP
addresses rather than on different ports? Eg. 127.0.0.1 and 127.0.0.2?
best /m
On 7/13/21 9:32 AM, Tom K wrote:
> why demotion counter for group carp is set to 33 on boot? This is the
> primary firewall and there are no advskew settings in all hostname.carpX
> files or anywhere else.
> Because of this the other firewall which should be normally the standby
> (advskew 100), i
On 6/30/21 1:32 PM, Pierre Dupond wrote:
> veteher30 has no IPv6 link-local address, ignoring
^
I don't know rad, but from the output above there seems to be a typo in
some config.
On 3/8/21 11:05 PM, Antonino Sidoti wrote:
> There is no blocking showing up when I examine the pflog0,
I would run tcpdump -n -i em0 icmp6 during /etc/netstart with and
without pf enabled. If you see a difference, that should help you find
out what to allow in your ruleset.
/m
On 2/7/21 1:38 AM, Bryan Stenson wrote:
31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2,
link: no carrier, mtu: 1500,
Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit). Any oth
On 1/23/21 3:25 AM, Hakan E. Duran wrote:
I have a few VMs on KVM/QEMU infrastructure. When I try to create an
OpenBSD VM, my key strokes start echoing on the VM console.
Not sure if this is the same problem, but I did have similar trouble
with qemu and OpenBSD in the past. I had to disable
On 1/20/21 10:01 AM, Bastien Durel wrote:
If There is no software way to solve this problem, I shall need to buy
a small HDMI screen and drop serial console ...
If the console gets input from the serial port even with no cable
plugged into it (and not just the other side disconnected), there'
On 11/4/20 4:05 PM, Harald Dunkel wrote:
inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1
advskew 0
If you use the actual broadcast address 10.0.1.255 instead of NONE it
will work with both.
On 9/28/20 4:54 PM, William Orr wrote:
> https://vim.fandom.com/wiki/Encryption
That post is from 2001 (still valid, though).
Vim from the current package defaults to blowfish2 as encryption algorithm.
best /m
On 9/28/20 9:18 AM, Martin wrote:
> I'm looking for some notepad with encryption of notes/files created. Simply
> Text File encryption is suitable too to hide some info from plain text files
> I have.
Depending on your definition of "notepad", vim (gvim) should have
built-in encryption (:X comma
On 9/3/20 5:41 PM, Ernest Stewart wrote:
> And which pf rules and how to establish those routing tables are exactly what
> I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
From your setup I would assume that the IP addres
On 6/9/20 9:25 PM, Paul B. Henson wrote:
> Hmm, I had never considered using jumbo frames.
...
> I guess multicast would work too
Neither jumbo frames nor multicast will prevent group demotion when the
other side of a crosslink cable goes physically down. Only not having
the sync interface in t
On 6/9/20 12:27 AM, Paul B. Henson wrote:
> Yes, I am using a direct link between the two physical firewalls.
[...]
> Is this no longer a best practice?
If it's in the documentation, I suppose it still is.
But I have found it problematic, because taking down one firewall, or
even only its sync i
On 6/8/20 12:29 AM, Paul B. Henson wrote:
> whenever I rebooted the secondary firewall, the
> carp interfaces on the primary would flip to backup and then back to
> master as the secondary one rebooted
I don't see that behaviour on my carp pair. Are you using a cross-link
cable between the two fir
On 5/24/20 3:55 AM, David A. Pocock wrote:
> I can't relate; doing this from OpenBSD6.7 to OpenBSD6.7 the ecdsa forward
> through and show up via ssh-add without any issues (and allow using the
> intermediary host without having the keys present (and being able to choose
> keys as per the initial
On 5/22/20 12:12 PM, Денис Давыдов wrote:
> I decided to reinstall OpenBSD to a newer version on my VMware ESXi
> cluster. So I deleted an old router and started the new one using the old
> configuration, except that I added the lladdr parameter with the old MAC address
Last I looked into it (some years
On 14.11.2019 11:30, Rachel Roch wrote:
>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan
>>> interface for pfsync ?
I have had pfsync running happily over a vlan interface for years, never
a problem.
> Regarding the extra port, in my case I'm using that for LACP (my
On 09.11.2019 15:24, Claudio Jeker wrote:
>> So nobody is using syncookies/synproxy at all?
>
> I guess that is a reasonably safe assumption. syncookies are rather new
> and probably need more battle testing.
OK, then I will send a bug report.
> synproxy never helped me much in
> case of a SYN
Hm, also no replies to that one :-)
On 11/6/19 8:15 PM, Markus Wernig wrote:
> So just to make sure: Is anybody using syncookies and/or synproxy in
> production in a similar setup?
So nobody is using syncookies/synproxy at all?
best /m
Hi again
Nobody has answered, so I suppose nobody else has this problem :-)
That's good.
So just to make sure: Is anybody using syncookies and/or synproxy in
production in a similar setup?
Thx /markus
On 11/4/19 8:35 PM, Markus Wernig wrote:
> Hi all
>
> After being hit by
Hi all
After being hit by some synflood waves recently I enabled syncookies on
our OBSD 6.6 i386 CARP fw pair:
set syncookies always
This stopped the state table from filling up. But after some hours pf
started (randomly?) dropping legitimate connection attempts, both on
external->internal (dst-
Hi all
I have this at the beginning of pf.conf:
match all scrub (reassemble tcp no-df )
match out all scrub (random-id)
Behind that FW is a (OpenIndiana) DNS server that fragments those of its
UDP replies that are too large for the local MTU (1500). (Log below is
from a DNSKEY query, the failure
On 03.08.2017 06:42, Emille Blanc wrote:
> 005: RELIABILITY FIX: May 6, 2017
> Expired pf source tracking entries never got removed, leading to memory
> exhaustion.
> ref: https://www.openbsd.org/errata61.html
Thanks for the pointer! Problem gone after running syspatch (such a cool
tool!).
/m
On 02.08.2017 16:07, Steve Williams wrote:
> pfctl -t Sources -T flush
Thanks for the hints. The above yields an error here:
# pfctl -t Sources -T flush
pfctl: Table does not exist.
pfctl(8) is rather clear on the topic:
...
-F modifier
Flush the filter parameters specified by
?
best markus
On 01.08.2017 17:34, Markus Wernig wrote:
> Hi all
>
> I have a pair of OBSD 6.1 firewalls, on which some rules require source
> tracking, i.e. have a max-src-conn or similar statement as in:
>
> pass log quick on { em0 vlan1 } inet proto tcp from any to
Hi all
I have a pair of OBSD 6.1 firewalls, on which some rules require source
tracking, i.e. have a max-src-conn or similar statement as in:
pass log quick on { em0 vlan1 } inet proto tcp from any to
port { 80, 443 } modulate state ( max-src-conn 50,
max-src-conn-rate 25/5, overload flush
On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
>> Short question:
>> How do I prevent pf from changing the source port of outgoing natted udp
>> packets?
>
> Did you look at static-port in pf.conf(5)?
Argh! I
Hi all
I have a strange behaviour in pf on 5.9-stable:
A system (asterisk) behind the gateway is receiving and replying to udp
streams (RTP). The connection parameters (src/dst ip/port) are set up
before (STUN and SIP), so both systems "know" where to send to.
The gateway does NAT (rdr-to in, na
Hi all
I have 5.5 i386 running under kvm-qemu, using ntpd to sync time.
But the system keeps constantly losing time, at a rate of about two
seconds per minute (which of course makes it unusable).
When starting ntpd with the "-s" flag, it successfully sets the system
time and initializes /var/db
Hi all
To finish off this ancient thread, I've written up what it took to get
StrongSwan to play nicely with iked and to build a GRE tunnel over the
IPSec link:
http://markus.wernig.net/en/it/ip6tunnel.phtml
Any feedback is of course very welcome.
krgds /markus
On 08/13/2014 06:05 AM, M
Finally found a rather awkward workaround:
1) On the VPN GW, set an ip alias from a different subnet
(192.168.100.1/24) on the primary interface
2) Set up iked.conf with
ikev2 ...
from 0.0.0.0/0 to 192.168.100.0/24
config address 192.168.100.0/24
config address 192.
On 08/12/2014 07:19 PM, Reyk Floeter wrote:
> Another reason for AF 0 could be the use of the keyword "any" in your
> iked.conf. I thought we fixed that before to inherit the AF from the
> peer, but try to use "0.0.0.0/0" instead of "any" for IPv4 and
> something like "::/0" for IPv6.
>
> Reyk
>
On 08/12/2014 05:39 PM, Markus Wernig wrote:
> But really, I think this is the problem:
> Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
> SA spi 0xcb320247
> Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
> Aug 12 16:56:18 tu
On 08/12/2014 12:33 PM, Markus Wernig wrote:
> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> spirange: min 0x0100 max 0x
> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
>
On 08/12/2014 11:58 AM, Reyk Floeter wrote:
> Operation not supported is from the kernel returning "EOPNOTSUPP".
>
> If any of the following sysctls are turned off and it is requested via
> the PFKEYv2 socket, the kernel will return EOPNOTSUPP:
>
> net.inet.esp.enable=1
> net.inet.ah.enable=1
>
On 08/10/2014 03:09 PM, Reyk Floeter wrote:
> Just try to increase the number of "v"s to get more info, for example,
> iked -dvv or iked -dvvv to get packet dumps.
Thanks for the hint. That brought some progress.
I've now switched back to -current and changed the client setup (I had
been using th
Hi all
I am trying to set up a ipsec tunnel with iked in a double NAT scenario:
Client --> NAT GW 1 --> Inet --> NAT GW 2 --> VPN GW
Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com
NAT GW 1 does hide NAT to A.B.C.D
NAT GW 2 does static NAT for public GW IP,
On 06/17/2014 11:10 AM, Brad Smith wrote:
>>> boot -c
>>> disable mpbios
> Because ACPI is in use which takes higher precedence over MP BIOS. You
> have to disable acpimadt.
THANKS GUYS!!
This just "resolved" a blocker that had for 2 years prevented me from
upgrading my OpenBSD kvm guests
Not sure about the ported httpd, but usually you have to enable the
generation of those environment vars with
SSLOptions +StdEnvVars
as they are off by default.
krgds /m
On Tue, 18 Feb 2014, Olivier Mehani wrote:
(Almost) everything works fine, and I do indeed manage to
successfully
acces
Hi all
I need to build an OpenBSD IPsec gateway that uses keys/certificates
from a hardware device (external smartcard, presumably via pkcs#11) for
authenticating itself to other gateways when establishing a connection
with them (active).
In the ipsec/isakmpd man pages I found no references to pk
Hi
I'm not sure if this will work, but you could try creating a loopback
interface (lo2) on FWC with the IP address that the FTP server should be
reachable on and then set up a regular VPN between FWA and FWC just for
that one IP address:
ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA .
On 01/25/12 18:23, Matt Hamilton wrote:
>
> pass in quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
> queue carp_out
> pass in quick on $int_if proto carp from $fw_int_ips to 224.0.0.18
> queue carp_in
> pass out quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
> queue carp_ou
cluster back
to normal.
Thanks to cd for the help.
lg /markus
On 01/15/12 16:18, Markus Wernig wrote:
> Hi all
>
> After upgrading to 5.0 (and also on -current) I keep getting those
> errors for 2 out of 4 carp'd interfaces in a fw cluster pair:
>
> /bsd: carp2: ip_outp
Hi all
After upgrading to 5.0 (and also on -current) I keep getting those
errors for 2 out of 4 carp'd interfaces in a fw cluster pair:
/bsd: carp2: ip_output failed: 65
/bsd: carp3: ip_output failed: 65
And effectively, no CARP traffic is seen on those two interfaces,
neither in nor out. Both b
On 01/12/12 00:05, Markus Wernig wrote:
> If I set net.inet.carp.log=7, I get lots of the following on both fws,
> only for carp1 and carp2, never for carp0 and carp3:
> carp2: ip_output failed: 65
> carp1: ip_output failed: 65
> carp2: ip_output failed: 65
> carp1: ip_output
Hello all
I have recently upgraded a pair of CARPed firewalls from 4.6 to 5.0
(late, I know ...) after almost 2 years of absolutely flawless operation
(ipv4 interfaces only).
I have changed all the nat/rdr rules in pf.conf to the new syntax, not
changed any other fw/nw setting (at least to my kno
Hi Mihajlo
Yes, this feature (re-synchronization after master failure) has been
missing from the day sasyncd came out
(http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When
I gave that speech in Switzerland (the one you found the PDF of), I was
confident that it would be implement
Chris Bennett wrote:
> I now wanted to improve security a bit, so when I tried accessing script
> with https, I get this error in log file:
> Can't locate object method "request" via package "Apache"
Hi
Compare the httpd.conf of your ssl and non-ssl virtual hosts. Both must
have something like
23e7 wrote:
> Hi,
> my openbsd is 4.5, gnome-terminal default encoding is ascii, I cannot
> find how to set to utf-8.
Which version? Normally, it's under Terminal->Set Character Encoding
(Alt-T C)
/m
Hi Jose
The MX is the host destined for receiving mail for a domain. There is no
indication that it should also be the only one sending mail from a
domain. At the moment most domains use SPF records to mark their
preferred relay, so you might want to check that instead of/in addition
to the MX rec
$@ OK recipient local? ok. this seems
to be incoming
R$+<@$+>$#error $@ 5.1.8 $: "551 Invalid sender domain"
thx /markus
Dan Harnett wrote:
> On Sun, Jun 21, 2009 at 05:42:22PM +0200, Markus Wernig wrote:
>> I have sendmail on 4.4 as MX and
Hi all
I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
auth. Now some users started using arbitrary from: addresses in their
mail clients. I would like to restrict those sender addresses to the
local domains, i.e. allow them to send mail from u...@my.domain or
u...@my.other.dom
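The thread above asks how to keep authenticated relay users from sending with arbitrary From addresses, and the sendmail.cf rule quoted earlier rejects such senders with "551 Invalid sender domain". The following is an added example, not code from the thread and not sendmail's own: a small envelope-sender policy check that gives the same verdict for an authenticated session, accepts anything syntactically valid on an unauthenticated (inbound MX) session, and shows the parsing gotchas a naive check trips over (case, trailing dot, ESMTP parameters after the path, source routes, the null sender). The local domain set and the SMTP commands used as input are constructed for the example.

```python
"""Envelope-sender policy for an authenticated relay.

Added example, not code from the thread and not sendmail's own: a policy
check that gives the same verdict as the sendmail.cf rule quoted in the
thread ("551 Invalid sender domain" when an authenticated user's MAIL FROM
is not in one of the relay's own domains). LOCAL_DOMAINS and the commands
fed in under __main__ are constructed for this example.
"""
import re

LOCAL_DOMAINS = frozenset({"my.domain", "my.other.domain"})  # assumed relay domains

# MAIL FROM:<reverse-path> [esmtp-params]  (RFC 5321 4.1.1.2); the path may be empty
MAIL_FROM_RE = re.compile(
    r"^MAIL\s+FROM:\s*<(?P<path>[^>]*)>(?:\s+(?P<params>.+))?$", re.IGNORECASE
)


def sender_domain(path):
    """Domain of a reverse-path, lower-cased; '' for the null sender <>;
    None if the path has no usable local-part@domain."""
    if path == "":
        return ""
    if path.startswith("@") and ":" in path:  # source route "@a,@b:user@c"
        path = path.split(":", 1)[1]
    local, at, domain = path.rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def check_mail_from(command, authenticated, local_domains=LOCAL_DOMAINS,
                    allow_subdomains=False):
    """Return (smtp_code, text) for one MAIL FROM command.

    250: accept; 501: syntax error; 551: the verdict the quoted sendmail rule
    gives. Only authenticated (relaying) sessions are restricted, because
    inbound MX traffic legitimately carries foreign sender domains.
    """
    m = MAIL_FROM_RE.match(command.strip())
    if m is None:
        return 501, "5.5.2 Syntax error in MAIL FROM"
    domain = sender_domain(m.group("path"))
    if domain is None:
        return 501, "5.1.7 Bad sender address syntax"
    if not authenticated:
        return 250, "2.1.0 Sender ok"
    if domain == "":
        # Null sender from an authenticated client: a bounce or DSN. Accepted
        # here; reject it instead if your users never need to send those.
        return 250, "2.1.0 Null sender ok"
    if domain in local_domains:
        return 250, "2.1.0 Sender ok"
    if allow_subdomains and any(domain.endswith("." + d) for d in local_domains):
        return 250, "2.1.0 Sender ok"
    return 551, "5.1.8 Invalid sender domain"


if __name__ == "__main__":
    # Constructed sample commands
    for cmd, auth in [("MAIL FROM:<user@my.domain>", True),
                      ("MAIL FROM:<User@MY.Domain.> SIZE=1024", True),
                      ("MAIL FROM:<user@example.org>", True),
                      ("MAIL FROM:<user@example.org>", False),
                      ("MAIL FROM:<>", True),
                      ("MAIL FROM: user@my.domain", True)]:
        print(f"{cmd!r} auth={auth} -> {check_mail_from(cmd, auth)}")
```

Restricting the envelope sender does not by itself constrain the header From:, which is what the users in the thread were changing in their mail clients; if that matters, the same domain check has to be applied to the message header as well, which sendmail's rulesets cannot do and a milter or a content filter can.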
/markus
Markus Wernig wrote:
> I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
> success so far.
Hi all
I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
success so far.
The kernel stops booting after some lines of output. I've tried 4.4 and
4.5.
On 4.4 it stops right after the first lines. The last line of output is:
acpi0: tables DSDT FACP HPET MCFG SLIC APIC BOOT SSDT SSD
Mikolaj Kucharski wrote:
Another scenario. When all VPNs are up and stable (traffic is low) and
one of the clients is rebooted, at boot time when ipsecctl -f
/etc/ipsec.conf is executed its tunnel is set up and _all_ other
tunnels are immediately dropped.
Am I right to assume that only those tu
Hi Georg
I think I remember something like this ... could it be that carp takes
over the interface before pfsync has finished updating the booted
machine's connection table?
TCP (and many other protocols) takes care of such situations by simply
retransmitting, so any TCP connections should rec
If you tcpdump do you see any carp traffic at all (ip proto 112)? Upon
reboot? And you did enable carp preemption on both hosts (sysctl
net.inet.carp.preempt=1)?
Hi
Are you sure that all the interfaces you have configured carp on have
link and can connect to each other? (I've seen similar behaviour caused
by defective NICs: receive buffer not receiving while send buffer still
sending - try ping on all interfaces) Is lo up? Is there any other
router on
Hi all
I have an OBSD4.3 VPN gateway that authenticates users based on their
certificate and an isakmpd.policy, which works just fine. Now a user had
to renew his certificate: same CA, same CA certificate, same Subject DN,
same EVERYTHING. I'd have expected that he'd just need to close the VPN
Alexey Vatchenko wrote:
It's because of:
ike passive esp from 192.168.0.0/24 to any local egress dstid
[EMAIL PROTECTED] psk xxx
Yes, it's because of that. But I'm convinced that you don't need that at
all.
From what I understand, you just need to give access from some remote
network(s) to you
Hi
From my point of view the problem is that you use the same network
range 192.168.0/24 in your home and office. Off the top of my head I'd
say that this should not work. The routing entries look a bit scary,
actually. If I had the same setup, I'd try one of the following:
- change the home
Hi
What does the ipsec.conf entry on the Office gateway for the Home
gateway look like?
IP range of Home network?
Are you trying to use the Home gateway as a relay to get into the Office
net from other locations than from Home network?
Do you have any NAT rules involved?
"ipsecctl -s all" on
Rephrasing: Is it possible to have multiple nat-t clients behind the
same NAT address connect to the same OBSD ipsec gateway? How?
thx /markus
Markus Wernig wrote:
Hi all
I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behin
Hi all
I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behind one natting gateway, and are natted to the same
egress ip address. They try to connect to another network behind the VPN
gateway. The first connect succeeds, and the client
Hi all
I have replaced syslogd with syslog-ng on my OBSD4.2 boxes (needed tcp,
encryption and fifos). I have managed to mimic all traditional log
behaviour (as per the default syslogd config) with one exception:
isakmpd will not log a single bit into any facility. afaik isakmpd uses
the daemon fa
Dear list
I have a couple of 4.1 firewalls that I would like to upgrade to 4.2.
Before taking them online again I'd like to deploy the openssl patch
from ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch
Being perimeter firewalls, those systems don't have compile tools
in
Hi
The one time I remember getting that error was when I _thought_ I was
using certificates from /etc/isakmpd/{certsB&private}, but still had a
local.pub and local.key from the installation lying around that got used
instead. Some more debug info (/var/log/daemon) would be helpful indeed.
krgds /
Hi
If the problem is intermittent, this is probably correct, but have you
checked that you _really_ have different vhids for all devices?
You might also want to set different passwords for each carp device,
just to make sure they don't interfere with each other.
krgds /markus
Erich wrote:
the
tunnel from any to srcid
Markus Wernig wrote:
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default r
Hi all
Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
rules (OBSD 4.1)?
The idea is:
ipsec.conf:
ike esp from A to B tag "mytag"
pf.conf:
nat on $int_if tagged "mytag" -> ($int_if:1)
nat on $int_if from !($int_if) -> ($int_if:0)
If I use the "tagged" keyword, the second
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default route points out and over which the packets to forward
through the
Hi all
For the archives: isakmpd.policy for authenticating users by their
certificates' subjects (ASN1 DNs):
KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
doi == "ipsec" &&
esp_present =="yes"
Hi again!
I need to authenticate users in isakmpd by the subject DN of their x509
certificates. For this, I wrote isakmpd.policy as follows:
KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
doi =
s/isakmpd.conf/isakmpd.policy/g
typo
/m
Markus Wernig wrote:
> Hello & thanx for the swift reply
>
> Now i've read through the isakmpd.conf and keynote manpages, but,
> honestly, I still don't know how to get this working.
>
> Here's the isakmpd.conf I
ertificate will be used as phase 2
> IDs, ie. that's what is sent. If you want to use the Subject Canonical
> Name, you have to additionlly provide an isakmpd.policy file and you have
> to run isakmpd without the "-K" option. See isakpmd.policy(5).
>
> On Fri, Jul 20,
Hi all
I'm setting up an OBSD 4.1 ipsec gateway, against which users will
authenticate using x509 certificates. They all use personal certificates
(key usage: digSig), which contain their user name and Email in the
subject. I need to authenticate them by the whole subject, but can't
seem to f
Hi all
I've upgraded OBSD on my notebook (hp-compaq nc7xxx series) from 3.8 to
4.1. All went well, except that when I start X, neither mouse nor
keyboard are responding any more. Instead I get repeating error messages
in syslog and on console:
pmsi_enable: command error
pckbc: command timeout
Hi all
Does anybody know what the status of the problem described here is?
http://archives.neohapsis.com/archives/openbsd/2005-12/0327.html
The problem is that OBSD IPSec gateways will reject packets they have an
SA for if they don't have an IP route to the destination (any route,
default gw wil
Stuart Henderson wrote:
> On 2007/04/16 15:06, Markus Wernig wrote:
> ...
>
> the error message does come from sasyncd.
>
>> sharedkey [32byte RSA key]
>
> the other config lines are ok, the error must be here.
>
aarrgg ... and indeed it w
Hi
I'm not sure about carp supporting addresses in other subnets than the
physical one. But to debug this further:
- what does tcpdump -e -n -i xennet1 show on the routers when you ping
the virtual interface from outside the lan?
- is the route for the egress path the same as for the ingress path
Mathieu Sauve-Frankel wrote:
> Currently the order in which isakmpd, ipsecctl and sasyncd need to be
> invoked in order for everything to work is pretty rigid.
>
> # isakmpd -KS
> # ipsecctl -f /etc/ipsec.conf
> # sasyncd
>
> First start isakmpd with -KS, this brings up isakmpd in passive m
Hello!
Renaud Allard wrote:
> Markus Wernig wrote:
>> Renaud Allard wrote:
>>
>>> Did you verify that isakmpd is running?
>> Yes. It runs as follows:
>>
>> 11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd)
>> 18753 ?? I 0:01.40 isak
Renaud Allard wrote:
> Maybe also try on both firewalls:
>
> cd /etc/isakmpd && ln -s private/local.pub .
>
> Then restart isakmpd and reload the rules.
>
Hi
Tried that as well ... still no go.
I have disabled pf for setting the enc up. I suppose, that doesn't
matter, does it?
krgds /markus
Renaud Allard wrote:
> Did you verify that isakmpd is running?
Yes. It runs as follows:
11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd)
18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
Renaud Allard wrote:
> It seems you just forgot to load your rules.
> Just add "ipsecctl -f /etc/ipsec.conf" in the rc.local of both your
> firewalls and everything should just work fine.
Hi
I've tried to load the rules by hand with "ipsecctl -f /etc/ipsec.conf"
- to no avail. On the other hand
Hello all
I am trying a - what I think is - simple ipsec setup. The point is to
ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
Although having read through ipsec, ipsec.conf, isakmpd and friends'
man