On Mon, Jan 06, 2025 at 03:16:08PM GMT, Harald Dunkel wrote:
> Hi folks,
> is there some hidden feature to tell iked to show the proposals of both peers
> in the log file, esp if phase 1 or 2 fails with "no proposal chosen"? That
> would help a lot.
>
> By now I have tried iked -d -v -v -v in v
On Mon, Oct 21, 2024 at 10:10:44PM GMT, Mark Kettenis wrote:
> > Date: Mon, 21 Oct 2024 20:40:38 +0200
> > From: Tobias Heider
> >
> > On Mon, Oct 21, 2024 at 08:33:53PM GMT, Mark Kettenis wrote:
> > > > Date: Mon, 21 Oct 2024 14:12:33 +0200
> > > >
On Mon, Oct 21, 2024 at 08:33:53PM GMT, Mark Kettenis wrote:
> > Date: Mon, 21 Oct 2024 14:12:33 +0200
> > From: Tobias Heider
> >
> > On Mon, Oct 21, 2024 at 01:04:10PM GMT, Stuart Henderson wrote:
> > > On 2024/10/21 13:54, Sylvain Saboua wrote:
> > >
On Mon, Oct 21, 2024 at 01:04:10PM GMT, Stuart Henderson wrote:
> On 2024/10/21 13:54, Sylvain Saboua wrote:
> > Are we to understand that the default wireless device
> > of the Apple M1 is not functional yet with openbsd ?
>
> It was working on M1, but based on this report it looks like a change
On Sun, Oct 13, 2024 at 05:36:05PM GMT, Isaac Meerleo wrote:
> Confirmed working in latest snapshot.
> Thank you!
>
We have tested an ihidev patch in snapshots that I suspect might have been
responsible for the regression you saw. I sent an updated version of that
patch to tech@ at: https://marc.i
On Tue, Dec 12, 2023 at 07:38:30AM +0100, Sebastian John wrote:
> Hello,
>
> I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new
> machine. I put the isakmpd.conf from the old machine (7.3) on the
> new one. Also some other configurations (interfaces, pf...). All
> works fine but the inc
> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > > from 10.88.0.0/22 to 10.88.12.0/24 \
> > > from 203.0.113.92 to 10.88.12.0/24 \
> > > peer any local 203.0.113.92 \
> > > ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> > >childsa enc aes-256-gcm prf hmac-sha2-512 gro
On Tue, Oct 24, 2023 at 10:42:11PM +0200, Tobias Heider wrote:
> On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> > On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> > [..]
> > >$ uname -a
> > >OpenBSD open
On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> [..]
> >$ uname -a
> >OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> >
> >ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > from 10.88.0.0/22 to 10.88
Hi,
On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> I have a small raspberry pi device that I'd like to connect to a 7.4
> machine with iked(8) and PSK auth, to start. The rpi device is going
> to be on a mobile network and behind a small NAT device.
>
> I haven't had
On October 3, 2023 2:30:54 PM GMT+02:00, "Robert B. Carleton"
wrote:
>Tobias Heider writes:
>
>> On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton"
>> wrote:
>>>I'm trying to setup host-to-host encryption using iked with
On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton"
wrote:
>I'm trying to setup host-to-host encryption using iked with the
>following configuration:
>
>On 10.2.2.10:
>
>ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
>
>On 10.2.1.11:
>
>ikev2 active esp from 10.2.1.11
On Wed, Aug 23, 2023 at 08:03:34AM +0200, Jiri Navratil wrote:
> Hello,
>
> Thank you for quick and helpful replies.
>
> Adding line
>
> set skip on enc0
>
> to pf.conf enabled traffic between my sites.
>
> I see in https://www.openbsd.org/faq/faq1
I am a bit late to the party, but some more comments below.
On Sun, Jul 09, 2023 at 11:27:20PM -0400, Anthony Coulter wrote:
> Summary of this email:
>
> 1. I respond to a couple of specific points made by other folks in this
>thread to clarify what I'm trying to accomplish (set up a couple o
On July 5, 2023 4:35:30 AM GMT+03:00, Anthony Coulter
wrote:
>Short version:
>
>I'm trying to set up a "road warrior"-style VPN like the one described
>at https://www.openbsd.org/faq/faq17.html but I'm trying to use IPv6 so
>I can have globally-routable addresses (so I'm not using NAT). So far
On Tue, Apr 11, 2023 at 06:29:50PM +0200, Jan Stary wrote:
> > o On arm64, add a machdep.lidaction sysctl(8)
> > for aplsmc(4) Apple Silicon laptops.
>
> Should that be mentioned in the arm64 examples/sysctl.conf
> as on other such architectures?
>
> Index: etc/etc.arm64/sysctl.conf
> ===
On Fri, Mar 10, 2023 at 05:00:36PM -0500, A Tammy wrote:
>
> On 3/10/23 15:42, J Doe wrote:
> > On 2023-03-05 17:19, A Tammy wrote:
> >
> >>
> >> On 3/5/23 16:49, J Doe wrote:
> >>> Hello,
> >>>
> >>> I was wondering if there is a limit to the number of characters that
> >>> the username and/or pa
On Wed, Mar 01, 2023 at 01:38:24PM +, Stuart Henderson wrote:
> On 2023/03/01 14:21, Tobias Heider wrote:
> > On Wed, Mar 01, 2023 at 09:24:50AM -, Stuart Henderson wrote:
> > > On 2023-03-01, J Doe wrote:
> > > > Hello,
> > > >
> > > >
On Wed, Mar 01, 2023 at 09:24:50AM -, Stuart Henderson wrote:
> On 2023-03-01, J Doe wrote:
> > Hello,
> >
> > I have a question regarding authentication options in OpenIKED on
> > OpenBSD 7.2
> >
> > On my test lab I have one OpenBSD 7.2 machine with OpenIKED configured
> > to use PSK and a
On Fri, Feb 24, 2023 at 09:24:29AM -, Stuart Henderson wrote:
> On 2023-02-23, Thomas Bohl wrote:
> > I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> > 1781EW+) using iked. It works, except every time the Child SA
> > negotiation starts, iked answers NO_PROPOSAL_CHO
On Thu, Nov 24, 2022 at 06:51:40PM +0300, Aleksandr Mikhaylov wrote:
> Tobias Heider wrote:
> > On Thu, Nov 24, 2022 at 05:50:57PM +0300, Aleksandr Mikhaylov wrote:
> > > Tobias Heider wrote:
> > > > On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote
On Thu, Nov 24, 2022 at 05:50:57PM +0300, Aleksandr Mikhaylov wrote:
> Tobias Heider wrote:
> > On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote:
> > > Hi. Please tell me how to connect to an OpenBSD 7.2 Release
> > > from an OpenBSD
On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote:
> Hi. Please tell me how to connect to an OpenBSD 7.2 Release
> from an OpenBSD 7.2 Release client via iked.
> I'm trying to set it up with this documentation,
> https://www.openbsd.org/faq/faq17.html#clientikev2
> but it just doe
On Sat, Aug 13, 2022 at 11:10:12AM +, Kostya Berger wrote:
> Hi, I'm trying to connect my OpenBSD 7.1 box to WPA-Enterprise AP. But
> wpa_supplicant fails to connect. However, the same config works fine in
> FreeBSD etc, just as it did in previous versions of OpenBSD (the last I used
> was 6
On Tue, Apr 12, 2022 at 01:03:55AM +0200, Ettore Tagarelli wrote:
> If I use the "dynamic" keyword I get this error: "no IP address found for
> dynamic" though "config address 192.168.98.1/24" is there.
> Using 0.0.0.0/32 instead of 0.0.0.0/0 causes traffic not to be routed
> ('cause /32 restrict
On Tue, Apr 12, 2022 at 03:06:50PM +0200, Ettore Tagarelli wrote:
> Updated to 7.0
> ...same problem 🙁
What does the updated config look like?
"from 0.0.0.0/0 to dynamic" should work in 7.0.
On Mon, Apr 11, 2022 at 11:13:45PM +0200, Ettore Tagarelli wrote:
> this is my iked.conf
> as far as I know the "somename" Stuart wrote about is automatically added
> by iked.
I don't exactly remember how it worked back in 6.6 either but you
could try 0.0.0.0/32 instead of 0.0.0.0/0.
In any case I
On Fri, Mar 25, 2022 at 12:23:45PM -0500, rea...@catastrophe.net wrote:
> The setup is two gateways with IPsec channels setup in tunnel mode
> to bridge networks 10.255.255.0/24 and 10.254.255.0/24. Traffic from
> server-east:enc0 does not match a SA in place when trying to connect to
> httpd on s
On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
> I have two openbsd machines configured to connect their respective
> downstream networks over ipsec. When I try to generate traffic (ping)
> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
> interface (
On Fri, Mar 11, 2022 at 11:27:59AM +0100, Axel Rau wrote:
>
>
> > On 09.03.2022 at 11:44, Axel Rau wrote:
> >
> > are both able to support the same network topologies with both IPv4 and
> > IPv6?
> Seems to be a difficult question.
> What can I do to get an answer / a comment of one of the ex
On Mon, Feb 21, 2022 at 09:12:27AM -0600, rea...@catastrophe.net wrote:
> On Mon, Feb 21, 2022 at 02:55:39PM +0100, Tobias Heider wrote:
> >On Sat, Feb 19, 2022 at 12:28:15AM -0600, rea...@catastrophe.net wrote:
> >> IKE is failing when I connect using a simple password de
On Mon, Feb 21, 2022 at 01:33:12PM +, n8dandy wrote:
> Hello there,
>
> First of all, I would like to thank people involved with iked. It works
> flawlessly, especially with Apple devices. Thanks for your work.
> In the near future, I plan to allow around 330 people to use this service. Do
>
On Sat, Feb 19, 2022 at 12:28:15AM -0600, rea...@catastrophe.net wrote:
> IKE is failing when I connect using a simple password defined in
> /etc/iked.conf. I'm connecting from a native Mac client...is
> mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance.
>
> Working configurati
On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
> (2 hosts on each end, carp interface, passive by default, managed via
> sasyncd) appears to be broken. /var/log/messages says
>
> Dec 12 21:40:
Hey Georg,
The configs look ok to me. The error message and your description
sound like you might have forgotten to copy the certificate private
keys to /etc/iked/private/local.key
On Wed, Dec 01, 2021 at 08:50:58PM +0100, Georg Pfuetzenreuter wrote:
> Hello,
>
> I try to connect two OpenBSD 7.
On Tue, Jul 27, 2021 at 11:18:53AM +0200, Patrick Wildt wrote:
> On Tue, Jul 27, 2021 at 09:55:34AM +0200, Claudio Jeker wrote:
> > On Tue, Jul 27, 2021 at 07:32:09AM -, Stuart Henderson wrote:
> > > On 2021-07-27, Vladimir Nikishkin wrote:
> > > > Hello, everyone.
> > > >
> > > > This is my i
On Mon, May 31, 2021 at 02:31:22PM +, Leclerc, Sebastien wrote:
> > > > If that doesn't help you could share the output of 'ipsecctl -sa' to
> > > > find out if the IPsec SAs or flows are the problem.
> > >
> > > That may be the problem, there is nothing between 192.168.1.109 and
> >
On Mon, May 31, 2021 at 12:20:29PM +, Leclerc, Sebastien wrote:
> > I'm not sure about that bge0 rule. iked.conf(5) mentions ipencap only
> > in the context of enc interfaces.
> > You could try adding 'set skip on enc0' to find out if pf is the problem.
>
> That rule has been the same for som
On Fri, May 28, 2021 at 11:56:54AM +, Leclerc, Sebastien wrote:
> >It looks like 'keep state (if-bound)' iked.conf(5) is not present or being
> >respected on the return traffic to the VPN device/firewall from your
> >internal network. ICMP traffic is coming into the VPN device encrypted,
>
ither try using 0.0.0.0/0 instead or even better update
to the latest version.
>
> Full log: https://pastebin.com/MLC4VXSs
>
> P.S. Tried removing the ikelifetime and lifetime parameters as well. Did
> not help, the same behavior.
>
> On Tue, May 11, 2021 at 7:43 PM Tobias Hei
SA UP. Reason: New Connection Established
> May 11 2021 13:35:11: %ASA-6-113009: AAA retrieved default group policy
> (GroupPolicy-Def-IKE2) for user = 1.1.1.1
>
>
> P.S. This is strange, but with another provider, which has the Cisco ASA
> 5585-SSP10, there are no such problems.
On Fri, May 07, 2021 at 12:17:35PM +0300, Денис Давыдов wrote:
> Hello all,
>
> I can't understand why I got SA_INIT timeout:
> May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free:
> SA_INIT timeout
>
> 1.1.1.1 (crypto-gw2) - my host
> 7.7.7.7 - our isp provider (some of cisco
On Mon, Feb 22, 2021 at 03:59:53PM +0100, Riccardo Giuntoli wrote:
> Ok. In the log you can appreciate.
>
> UK-HOST one OpenBSD machine connected to three openbsd, one mikrotik and
> one VyOS. The VyOS is CAT-HOST
>
> Kind regards
The log looks fine but it doesn't seem to contain the error messa
On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote:
> Hi there, I've got a lot of problems putting an IKE2 point to point connection
> stable between OpenBSD/OpenIKED and VyOS/Strongswan.
>
> Basically OpenBSD is a transport GRE in passive mode. Strongswan active GRE
> transport. Gre t
Hi,
looks like a PFS problem.
Here's where it fails:
> Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
> ikev2_log_proposal: ESP #1 DH=MODP_2048
At the moment, PFS groups must be enabled manually.
Try this:
ikev2 "home" passive esp inet \
from 10.0.10.0/24 to 10.0.1.0/24 \
Hi,
this doesn't look like an IKE problem if the handshake succeeds.
Try comparing the kernel SAs and flows (ipsecctl -sa on OpenBSD).
I think strongswan for some errors deletes child SAs right after
the handshake, maybe the charon log contains more information.
- Tobias
On Wed, Jul 29, 2020 at
On Wed, Jul 22, 2020 at 11:56:15AM +, Scheibel, Michael wrote:
> Hi, folks,
>
> I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using
> OpenIKED but I have not copied any key material (public keys) from one host
> to the other. Still, authentication succeeds.
>
> This
On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from ::::30 to
On Fri, Jul 10, 2020 at 01:17:38PM +0300, Антон Касимов wrote:
> The descriptions of the ikesa and childsa options contain the following
> statements:
>
> Possible values for auth, enc, prf, group, and the* default proposals* are
> described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use
On Sun, Jun 21, 2020 at 04:33:14PM -0400, Sonic wrote:
> On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt wrote:
> > If you want to use a specific address for a policy, you can use the
> > "local" keyword to specify it. This is part of the policy, not a global
> > option.
> >
> > Then iked(8) conti
On Tue, Jun 16, 2020 at 08:20:59PM -0400, Daniel Ouellet wrote:
> Hi,
>
> > What I see is that the initial message is received but ignored, so this
> > side here probably runs into some kind of error.
> > To find out what exactly causes this, a more verbose log would help.
> > You could manually s
On Tue, Jun 16, 2020 at 05:08:47PM -0400, Daniel Ouellet wrote:
> > The retransmits tell us that the peer doesn't answer. Or, to be more
> > precise, it doesn't receive *any* message from the peer. Can you have
> > a look at the peer's logs? Does the peer see these packets but chooses
> > not to
Hi,
On Tue, Jun 16, 2020 at 03:25:12PM +0200, tris...@pilat.me wrote:
> Hi guys,
>
> First of all, thanks for the amazing work you've done with 6.7!
>
> That said, I've got the same issue here after I updated to 6.7. The VPN
> keeps cutting off every 10 minutes or so. Is there any way I could fi
On Fri, Jun 12, 2020 at 09:27:18PM +0200, Tobias Heider wrote:
> On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote:
> > Hi,
> >
> > We have two OpenBSD machines acting as gateways for our network using
> > CARP and IPsec (IKEv2).
> >
> > Whe
Hi Daniel,
On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
> > Probably related to the following change documented in
> > https://www.openbsd.org/faq/upgrade67.html:
> >
> > iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
> > iked(8) or
> > isakmpd(8) was cha
On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote:
> Hi,
>
> We have two OpenBSD machines acting as gateways for our network using
> CARP and IPsec (IKEv2).
>
> When the machines were running OpenBSD 6.6, from an IPSec client, you
> were able to reach the passive gateway while bei
On Thu, Jun 11, 2020 at 02:36:53PM +, Leclerc, Sebastien wrote:
> > It seems I got it wrong before. Even when there was ESP traffic, iked is
> > going to start DPD when there hasn't been any incoming IKE message in the
> > last 5 minutes.
> >
> > My advice would be to just disable DPD in
On Tue, Jun 09, 2020 at 08:13:53PM +, Leclerc, Sebastien wrote:
> > > > Before 6.7 iked didn't start DPD in this particular case.
> > > > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > > > packets in the last 5 minutes.
> > > > A possible workaround would b
On Tue, Jun 09, 2020 at 06:29:05PM +, Leclerc, Sebastien wrote:
> > Before 6.7 iked didn't start DPD in this particular case.
> > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > packets in the last 5 minutes.
> > A possible workaround would be to ping through th
On Tue, Jun 09, 2020 at 01:11:38PM +, Leclerc, Sebastien wrote:
> > > > Jun 8 12:23:24 hv-fw-inf-02 iked[50153]: spi=0xa84faba012c73dce:
> > > > retransmit 1 INFORMATIONAL req 2
> > > peer 192.0.2.199:500 local 192.0.2.2:500
> > > > Jun 8 12:23:28 hv-fw-inf-02 iked[50153]: spi=0xa84faba012c7
On Mon, Jun 08, 2020 at 05:28:48PM +, Leclerc, Sebastien wrote:
> After an upgrade to 6.7 on amd64 this weekend, iked keeps reconnecting every
> 8 minutes, but only for one tunnel, to a Watchguard firewall. The tunnel has
> been functioning properly for 5 years. Other tunnels to OpenBSD devic
On Wed, Jun 03, 2020 at 02:07:52PM -0400, Sonic wrote:
> On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> > It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public
> > key should be.
>
> The peer's public key is there, the peer, a
On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote:
> Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into
> the following problem with the server2 example:
> ===
> ikev2 'server2_rsa' active esp \
> from 10.0.2.0/24 to 10.0.1.0/24 \
> pe
On Sun, May 03, 2020 at 01:07:56PM +0200, Florian Weber wrote:
> Good morning,
>
> I am trying to connect to remote locations to our main responder. The issue
> I am facing is that I can connect each site individually without any issue,
> however, I cannot connect both sides at the same time. The
On Fri, Apr 17, 2020 at 02:37:57PM +0200, Florian Weber wrote:
> Good afternoon,
>
> is it possible to have only traffic which is routed through a specific
> rdomain being encrypted, i.e. have an enc interface in another rdomain and
> only the whole traffic that runs in that rdomain gets encrypted?
I sent a diff to tech@ that should solve your problem:
https://marc.info/?l=openbsd-tech&m=158447623916319&w=2
On Sun, Jan 26, 2020 at 04:12:00PM +, Peter Müller wrote:
> Hello openbsd-misc,
>
> I am strongly interested in this, too.
>
> Since the iked manpage does not mention this, I suppos
Hi Alexander,
the log tells us that both times the handshake ends in the successful
establishment of an IKE SA. Like you reported both match the policy 'clientA'
instead of A and B:
> Jul 15 11:06:45 server iked[12701]: sa_state: VALID -> ESTABLISHED from
> 5.6.7.8:4500 to 1.2.3.4:4500 policy 'c
Hi Alexander,
On Fri, Jul 12, 2019 at 02:03:08PM +, Alexander Mischke wrote:
> I can connect fine using a single client, however using more than one client
> breaks the connection for clientA while clientB is able to connect. I've been
> testing this with two clients behind the SAME DSL mode