knitti wrote:
On 10/19/07, Stephen Bosch <[EMAIL PROTECTED]> wrote:
Other things I've tried:
- moving the Jetdirect to a different port on the same physical switch
- a variety of static and dynamic IPs in the subnet
I also forwarded the external port 9100 to this print server a
Jussi Peltola wrote:
Does the print server have the right gateway configured?
Yeah. Checked that.
Does scrub have any effect (fragments get dropped in some cases if scrub
is off - that bit me once with openvpn)?
I think scrub is on, though -- I'll have to look again.
Wouldn't tcpdump tell
Claudiu Pruna wrote:
hi Stephen,
No offense, but did you check JetDirect's ip settings about the default
gateway ?
None taken. Yes, I did actually check that, and it was correct.
Try an tcpdump on the ethernet interface at site A while trying to print
from site B and check if you "see" packe
Hi, folks:
Here's a good one for you.
I have an IPsec tunnel running between two OpenBSD boxes. One is still
running 3.8 (yes, it needs to be updated) and the other is running 4.1.
There is a functioning tunnel running between the two devices.
Hosts on one end can "see" hosts on the other, a
joerch wrote:
> On Mon, Oct 16, 2006 at 02:13:53PM -0600, Stephen Bosch wrote:
>> I recently switched to 1.0 GB SanDisk CF. I can generate images no
>> problem, but at boot time, we see this warning:
>>
>>> Automatic boot in progress: starting file system checks.
Hi:
I use a script to generate images for the compact flash disks I use in
my Soekris net4801 devices.
I recently switched to 1.0 GB SanDisk CF. I can generate images no
problem, but at boot time, we see this warning:
> Automatic boot in progress: starting file system checks.
> /dev/rwd0a: file
Stephen Bosch wrote:
> Hi:
>
> I have a Soekris net4801 which runs from a compact flash disk. It boots
> to the serial console. I've set everything to 9600 baud, 8 bit words, no
> parity, 1 stop bit.
>
> When left unattended, it boots normally.
>
> If I try to en
Hi:
I have a Soekris net4801 which runs from a compact flash disk. It boots
to the serial console. I've set everything to 9600 baud, 8 bit words, no
parity, 1 stop bit.
When left unattended, it boots normally.
If I try to enter anything at the boot> prompt, I see one character and
then it hangs
I have an OpenBSD 3.8 device, running on Soekris 4801 hardware, sitting
on a private network. Its sole purpose is to NAT traffic before it goes
through an IPsec tunnel.
I am using binat and static routes to reach the
Two interfaces are connected to the network.
This is the pf.conf file:
> # def
Steve Welham wrote:
> The painless way to do this is with webservers on non-routable
> addresses, NAT and two interfaces. Is that out of the question?
>
> In any case man pf.conf says:
>
> "Redirections cannot reflect packets back through the interface they
> arrive on, they can only be redirecte
Tobias Ulmer wrote:
> Wow fun :) (the IP is from your mail, don't know if this is the firewall
> or what and i didn't look at other ips around it.)
>
> uran:tobiasu$ nmap -vv -P0 66.18.218.36
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-08-10 10:05
> CEST
> DNS resolution of 1
Hi:
I have an OpenBSD 3.8 host.
My authlog is filling up with strange messages:
> Aug 9 17:30:27 fw1 sshd[7006]: Connection closed by XX.XX.XX.XX
> Aug 9 17:31:31 fw1 sshd[21487]: Connection closed by XX.XX.XX.XX
> Aug 9 17:32:35 fw1 sshd[339]: Connection closed by XX.XX.XX.XX
> Aug 9 17:33:
My apologies to everyone. This is a pf problem -- I've sorted it out.
Thanks,
-Stephen-
Stephen Bosch wrote:
> jared r r spiegel wrote:
>> On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote:
>>> route add -host 192.168.0.57 -interface enc0
>>>
>
jared r r spiegel wrote:
> On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote:
>> route add -host 192.168.0.57 -interface enc0
>>
>> I get this response:
>>
>> route: enc0: bad address
>
> -interface actually takes an address:
>
> ---
>
Hi:
When I do this --
route add -host 192.168.0.57 -interface enc0
I get this response:
route: enc0: bad address
Even though a security association for the target address exists on
enc0. Unfortunately, the device is not passing traffic to 192.168.0.57.
I assume I need to add a route -- but is
Tim Donahue wrote:
> I swear, spam keeps getting weirder and weirder
My own theory is that these are messages designed (by the spammers) to
test spam filters.
>
>
> On Fri, 14 Jul 2006 20:43:50 -0700 (PDT)
> "Anon Y. Mous" <[EMAIL PROTECTED]> wrote:
>
>> BOB is dying.
>> Right turn on RED
Hi:
Hi folks -- remember me? I finally resolved my problem of doing NAT
before IPsec by putting a second device on the internal network of a
redundant CARP firewall.
Nevertheless -- I am facing an avalanche of VPN requests and a need to
NAT them. The more traffic goes through this internal NAT de
Hi, everybody:
First -- thanks to everyone who tried to help me out on this one. It is
most appreciated. I apologise if my questions or responses rubbed anyone
the wrong way. It wasn't intended.
I want to recap the situation because I think that, indeed, what I want
to do can't be done.
I have a
Matthew R. Dempsky wrote:
> On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote:
>> I am not seeing any traffic on enc0 when using tcpdump, that is why I
>> asked.
>
> Are you sure IPsec is being used? Can you see IPsec-processed traffic
> on the physical
Otto Moerbeek wrote:
> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>
> Are you really too lazy to read a manual page?
And for the record -- since some people found that question beyond the
pale -- I have been tcpdumping enc0 all morning and I am
Otto Moerbeek wrote:
> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>
> Are you really too lazy to read a manual page?
Please don't get me started. I have been working on this problem with
precious little assistance from folks like you for ov
Marcus Glocker wrote:
> On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>>
>> -Stephen-
>
> $ man enc
>
> "The enc interface allows an administrator to see outgoing packets before
> they have been proc
Does tcpdump work on enc0?
-Stephen-
Matthew Closson wrote:
> In setting up about 30 IPsec tunnels on an OpenBSD box in the past 6
> months I had this issue come up with about 4 of the remote peers.
> Typically it is one of two problems.
>
> 1. They have made a policy level decision somewhere and say they will
> only route traffic
Matthew Closson wrote:
> On Tue, 4 Jul 2006, Stephen Bosch wrote:
>
>> Stephen Bosch wrote:
>>> Hi, all:
>>>
>>> I am configuring an IPsec tunnel like so:
>>>
>>> local_internal_IP -> alias_IP ->remote_peer_IP -> remote_inte
Matthew Closson wrote:
> I don't think what you want to do is currently possible:
>
> Here is your problem:
>
> Let's say you have these settings
>
> internal_host 10.0.0.5
> internal_openbsd_nic 10.0.0.1
> external_openbsd_nic AAA.AAA.AAA.AAA
>
> Remote_concentrator BBB.BBB.BBB.BBB
> Remote_i
Stephen Bosch wrote:
> Hi, all:
>
> I am configuring an IPsec tunnel like so:
>
> local_internal_IP -> alias_IP ->remote_peer_IP -> remote_internal_IP
> local host | openBSD | Cisco PIX | remote internal host
>
> alias_IP is a carp alias. I
Hi, all:
I am configuring an IPsec tunnel like so:
local_internal_IP -> alias_IP ->remote_peer_IP -> remote_internal_IP
local host | openBSD | Cisco PIX | remote internal host
alias_IP is a carp alias. It is one end of an IPsec security
association. netstat -rn gives this (altered)
Stuart Henderson wrote:
On 2006/06/30 10:51, Stephen Bosch wrote:
Thanks. No joy yet. Traceroute traffic is still going out the public
interface when I try to ping a host on ...
If this traceroute is from the vpn gateway itself (rather than
an endpoint) you'll need to either set the s
Clint Pachl wrote:
Stephen Bosch wrote:
In the NAT section of my pf.conf, I have the following command:
binat on $enc_if from $HostA_private_IP to
-> $HostA_private_NAT_IP
Try "binat pass ..."
Done.
In the FILTER section, I have:
pass in on $enc_if from to \
HostA_p
Stephen Bosch wrote:
Hi, everybody:
Okay -- the good news is that we've got the SA up between these two
sites, the bad news is that traffic isn't passing.
The situation is complicated by some NAT that I need through the
encryption interface.
We have the following:
HostA_
Hi, everybody:
Okay -- the good news is that we've got the SA up between these two
sites, the bad news is that traffic isn't passing.
The situation is complicated by some NAT that I need through the
encryption interface.
We have the following:
HostA_private_IP
HostA_private_NAT_IP
In t
Håkan Olsson wrote:
On 29 jun 2006, at 22.33, Stephen Bosch wrote:
I'm trying to set up a tunnel to a Cisco PIX.
It seems to make it past Phase 1, the trouble starts at Phase 2. I've
provided some tcpdump output below:
...
So, at this point it looks like Phase 1 was successfu
I'm trying to set up a tunnel to a Cisco PIX.
It seems to make it past Phase 1, the trouble starts at Phase 2. I've
provided some tcpdump output below:
14:21:45.379077 OpenBSD.500 > Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange
ID_PROT
cookie: bf4ecb71857072fa-> m
Hans-Joerg Hoexer wrote:
isakmpd is only allowed to write to files in the /var/run directory.
I've updated the manpage accordingly.
Thanks, Hans-Jörg.
-Stephen-
Hi:
Running OpenBSD 3.8, I cannot get isakmpd to write to a capture file.
Here is my mount output:
/dev/wd0a on / type ffs (local, noatime)
mfs:1824 on /tmp type mfs (asynchronous, local, nodev, nosuid,
size=24576 512-blocks)
mfs:16738 on /var type mfs (asynchronous, local, nosuid, size=32768
Roy Morris wrote:
Stephen Bosch wrote:
Dag Richards wrote:
Um no, it won't work. Once the traffic is encrypted you will no longer be
able to nat it. The original packet is now an encrypted blob that is
the payload of a new packet with a source of your gateway and dest their
GW. you can
Hi, Roy:
Roy Morris wrote:
Yes it does work! I guess I better hold on to these two boxes I have. Seems
they are the only ones that do! lol
I have
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side client
C. /etc/hostname.if alias for the
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd and
pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network. Renumbering isn't going to work.
The VPN concentrato