On 2018-09-07, Alexander Skwar wrote:
> Hello
>
> We use an L2TP over IPsec VPN running on OpenBSD 6.1, which was set up
> by prior sysadmins. They are no longer at the company.
>
> Now a user running Ubuntu 16.04 + Gnome tries to connect to the VPN.
> The VPN client (on Linux
Hello
We use an L2TP over IPsec VPN running on OpenBSD 6.1, which was set up
by prior sysadmins. They are no longer at the company.
Now a user running Ubuntu 16.04 + Gnome tries to connect to the VPN.
The VPN client (on Linux side) was configured with NetworkManager.
The connection fails. In /var
Hi Philipp,
Thank you - this was exactly what I was missing. I have now gotten it to
work by excluding hmac-sha2-256 (and therefore falling back to hmac-sha1),
which strongly suggests my Nexus 6P (all patched) doesn't implement
hmac-sha2-256 correctly.
The irony is that the manpage of isakmpd.pol
On 19.03.2017 15:36, Jurjen Oskam wrote:
So, to validate that I'm indeed hitting this bug (and also as a
workaround)
I tried to set up the OpenBSD side to not use SHA2. I haven't been able
to
get this running yet: isakmpd always seems to offer HMAC_SHA2_256.
It's not offering that - but acc
Hi,
I'm trying to set up my OpenBSD 6.0 box as an L2TP/IPsec server for my
Android phone to connect to. It appears that recent Android versions have a
bug that can prevent it from successfully using HMAC_SHA2_256 for its built-in
L2TP/IPsec VPN client. (Whether the bug occurs seems to depend o
R0me0 ***
Sent: Thursday, August 4, 2016 1:57 PM
To: Sebastian Wain
Cc: OpenBSD misc
Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows
10?
ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
main auth hmac-sha1 enc 3des group modp2048 \
,
> Sebastian
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> R0me0 ***
> Sent: Thursday, August 4, 2016 1:57 PM
> To: Sebastian Wain
> Cc: OpenBSD misc
> Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with W
ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
main auth hmac-sha1 enc 3des group modp2048 \
quick auth hmac-sha1 enc 3des psk "YOURSECRET"
You are welcome
(:
2016-08-04 13:15 GMT-03:00 Sebastian Wain :
> I can't figure out how to make an OpenBSD VPN wor
I can't figure out how to make an OpenBSD VPN work. I followed the guide at
[1] to set up
a VPN, modified the network interface there to tun0 instead of pppoe0, and
didn't
configure the pf.conf. When I tried to connect from Win10 using the
"L2TP/IPsec with pre-shared key" VPN type I see the issues
Hi,
I'm wondering if anyone has had any experience with VPN and Android 4.4??
I used to use OpenVPN with versions 4.1 through 4.3 however, 4.4
apparently broke the tun interface so the app doesn't work now.
As I need vpn access I configured ipsec and npppd however, I keep
getting these errors
There is a post of my findings in the archives. Android 2.3 worked fine
with iked and npppd
On Mon, Nov 25, 2013 at 1:21 PM, Stuart Henderson wrote:
> For Android phones the standard way to do VPNs is l2tp-over-ipsec (IKE).
> You can do this with npppd and isakmpd (iked is for IKEv2 which is not
> compatible with IKE).
>
>
Apparently someone made an Android app to support IKEv2 (
https:/
required to set up an IPSec VPN with
> iked? I understand this is still under development, but what are its
> limitations? Would it work with Android phones and Windows 8.1?
>
> I generated some keys using the examples in the iked presentation, I wrote
> a very simple and nonrestrictive i
Hello,
I am new to the concept of IPSec VPNs and although there are many tutorials
to set one up with isakmp (8), I find there are fewer resources on setting up
one with the newer iked.
Can someone give me the main steps required to set up an IPSec VPN with
iked? I understand this is still under
On Tue, 2 Jul 2013 10:26:40 +0200
Christopher Zimmermann wrote:
> Hi,
>
> My IPsec roadwarrior setup on my laptop broke with one of the latest
> snapshots because some outgoing connections are routed wrongly with a
> source ip of 127.0.0.1.
I found the according line in the source:
netinet/in_p
On Tue, 2 Jul 2013 10:26:40 +0200
Christopher Zimmermann wrote:
> Hi,
>
> My IPsec roadwarrior setup on my laptop broke with one of the latest
> snapshots because some outgoing connections are routed wrongly with a
> source ip of 127.0.0.1.
I was wrong in assuming a recent change to the kernel
Hi,
My IPsec roadwarrior setup on my laptop broke with one of the latest
snapshots because some outgoing connections are routed wrongly with a
source ip of 127.0.0.1.
On the roadwarrior laptop I use a dummy lo1 interface to which I assign
the internal VPN IP of the laptop.
wlan has the 172.26.153
Hi,
I have set up a simple IPSec VPN using the following instructions:
http://www.symantec.com/connect/articles/zero-ipsec-4-minutes
and have noticed that not only my internal networks get routed through the VPN
but also the external IP address of both firewalls. I would like the external
On Tue, Oct 2, 2012 at 9:59 AM, Christiano F. Haesbaert
wrote:
> Why not using tcpbench where you can actually specify the parameters
> and know what is going on :).
>
> Play with buffer sizes and you'll see a big difference, using -u will
> give you the actual PPS.
>
I agree, I stopped using Ipe
On Tue, Oct 02, 2012 at 09:59:05AM +0200, Christiano F. Haesbaert wrote:
> Why not using tcpbench where you can actually specify the parameters
> and know what is going on :).
>
> Play with buffer sizes and you'll see a big difference, using -u will
> give you the actual PPS.
I agree with this.
On 2 October 2012 08:57, David Coppa wrote:
> On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison
> wrote:
>> Is iPerf running threaded? What about dd to null and a loopback listener?
>
> Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled.
>
> ciao,
> David
>
Why not usin
On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison
wrote:
> Is iPerf running threaded? What about dd to null and a loopback listener?
Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled.
ciao,
David
Thus said Jim Miller on Mon, 01 Oct 2012 11:20:06 EDT:
> # dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345
What if you try a different bs?
$ dd if=/dev/zero bs=1000 count=100 > /dev/null
100+0 records in
100+0 records out
10 bytes transferred in 1.102 secs (907
Perhaps the pipe size causes degradations, I seem to recall getting better
results on benchmarks without pipes.
On 1 Oct 2012 18:07, "Otto Moerbeek" wrote:
> On Mon, Oct 01, 2012 at 11:20:06AM -0400, Jim Miller wrote:
>
> > I just reran the test again. I still receive about 600Mbps using iPerf
>
On Mon, Oct 01, 2012 at 11:20:06AM -0400, Jim Miller wrote:
> I just reran the test again. I still receive about 600Mbps using iPerf
> however using
>
> client
> # dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345
>
> server
> # nc -v -l 12345 > /dev/null
>
> I get numbers around
I just reran the test again. I still receive about 600Mbps using iPerf
however using
client
# dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345
server
# nc -v -l 12345 > /dev/null
I get numbers around 350Mbps. I tend to think iPerf is more reliable in
this situation.
Any ideas wh
600Mbps seems about right, I tested a pair of E5649-based boxes to
550Mbps last year (with aes-128-gcm):
http://marc.info/?l=openbsd-misc&m=134033767126930
You'll probably get slightly more than 600 with multiple TCP
streams.
Assuming PF was enabled for your test (the default configuration
Yes. Let me double check everything again on Monday. Keep in mind that
all devices had 1Gb ethernet interfaces and everything was directly
cabled. No pf rules either. w/o ipsec I could get 900mbps through the
openbsd boxes.
Now you've got me thinking I need to recheck everything.
-Jim
On 9/2
Hi,
On 28.9.2012 22:09, Jim Miller wrote:
> So using another Mac w/ 1Gb ethernet adapter to a Linux box w/ 1Gb eth I
> was able to achieve approx. 600Mbps performance through the test setup
> (via iperf and my dd method).
>
600Mbps via ipsec between two Intel E31220 ?
So I just realized another serious flaw in my testing. I was using a
Mac Air w/ USB 100Mb ethernet adapter for one of the hosts behind the
OpenBSD VPN devices. And it must have been limiting the speed more than
I thought.
So using another Mac w/ 1Gb ethernet adapter to a Linux box w/ 1Gb eth I
w
Jim Miller wrote:
> The test I'm using is this
> Host A:
> # nc -v -l 12345 | /dev/null
>
> Host B:
> # dd if=/dev/zero bs=1000 count=1 | nc -v 12345
I increased the count a bit:
10 bytes transferred in 53.265 secs (18773882 bytes/sec)
That's with AES-256-GCM between two Sandy Bri
um Pro MTRR support
>> uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
>> uhidev0 at uhub2 port 2 configuration 1 interface 0 "Winbond Electronics
>> Corp Hermon USB hidmouse Device" rev 1.10/0.01 addr 3
>> uhidev0: iclass 3/1
>>
oard" rev 1.10/2.05 addr 3
> uhidev2: iclass 3/1
> ukbd1 at uhidev2: 8 modifier keys, 6 key codes
> wskbd2 at ukbd1 mux 1
> wskbd2: connecting to wsdisplay0
> uhidev3 at uhub3 port 2 configuration 1 interface 1 "Generic USB
> Keyboard" rev 1.10/2.05 addr 3
> uh
re=0
uhid1 at uhidev3 reportid 2: input=3, output=0, feature=0
ums1 at uhidev3 reportid 3: 0 button, Z dir
wsmouse1 at ums1 mux 0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (532543e2c86874e1.a) swap on sd0b dump on sd0b
On 9/28/12
On 2012 Sep 27 (Thu) at 17:30:38 -0400 (-0400), Jim Miller wrote:
:Hardware Configuration:
:- (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled
:
:cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class)
:3.10 GHz
:cpu0:
:FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,
On Fri, Sep 28, 2012 at 11:45 AM, Otto Moerbeek wrote:
> On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote:
>
>> Hi,
>>
>> I'm trying to determine if the performance I'm seeing between two
>> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected
On Thu, Sep 27, 2012 at 11:30 PM, Jim Miller wrote:
> Hi,
>
> I'm trying to determine if the performance I'm seeing between two
> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize
> there are quite a few variables to consider and I'm sure I
On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote:
> Hi,
>
> I'm trying to determine if the performance I'm seeing between two
> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize
> there are quite a few variables to consider and I'm su
Hi,
I'm trying to determine if the performance I'm seeing between two
OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize
there are quite a few variables to consider and I'm sure I've not
toggled each one but I could use a sanity check regardless.
On 2012-06-01, Sarah Caswell wrote:
> Hi all,
>
> I am currently using vpnc to connect to a client site (which has a CISCO ASA
> firewall/vpn endpoint)
> This setup works, but every time I use vpnc from my server it breaks other
> networking, especially the openvpn tunnels I maintain to other si
tocol6.com
> To: misc@openbsd.org
> Subject: IPSEC newbie looking to replace vpnc with Openbsd built-in IPSEC
vpn
>
> Hi all,
>
> I am currently using vpnc to connect to a client site (which has a CISCO
ASA firewall/vpn endpoint)
> This setup works, but every time I use vpnc fro
Hi all,
I am currently using vpnc to connect to a client site (which has a CISCO ASA
firewall/vpn endpoint)
This setup works, but every time I use vpnc from my server it breaks other
networking, especially the openvpn tunnels I maintain to other sites.
I'd prefer to use the built-in IPSEC softw
See -stable fixes to 4.9. Otherwise consider upgrading 4.9->5.0.
-Steve S.
-Steve S.
-Original Message-
From: Georg Buschbeck [open...@thomas-daily.de]
Received: Tuesday, 20 Dec 2011, 2:35am
To: misc@openbsd.org [misc@openbsd.org]
Subject: IPSec VPN dropping packets from time to t
Hi,
i've two openbsd firewalls running
1x OpenBSD 4.9 (amd64) in our office
1x OpenBSD 5.0 (amd64) in our co location.
we have a vpn set up between both locations via /etc/ipsec.conf
isakmpd is set up to not read any configuration files:
=== /etc/rc.conf.local ===
isakmpd_flags="-4 -K -v"
=== /
On Fri, May 27 2011 at 07:16, Oeschger Patrick wrote:
> *hmmm*
*hmmm*,
> i did a test using ipsec vpn colouring aka. tagging
> ipsec.conf offers the option to tag the vpn traffic for further PF filtering
> using these tags i can instruct PF to use different public NAT addresses
>
*hmmm*
i did a test using ipsec vpn colouring aka. tagging
ipsec.conf offers the option to tag the vpn traffic for further PF filtering
using these tags i can instruct PF to use different public NAT addresses
(outgoing to internet) for each VPN
but when you have overlapping subnets behind the VPNs
Hello @misc
I seem to still be having some problems but I have made progress. The branch
office cannot get out to the internet at large which I think may be a NAT
problem. At least, when changing the default route on the branch office, I
don't lose connectivity to it. On the branch office, t
Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working beautifully.
However, I would like the remote site to route all of its traffic through the
VPN. After googling, I seemed to come up with a suggestion to do a route change
-net 0.0.0.0/0
00 -
> > 32 gre0
> > 206.125.169.96/29 link#1 UC 20 -
> > 4 em0
> > 206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -
> > 4 em0
> > matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 -
>
UHLc 00 -
> 4 lo0
> BASE-ADDRESS.MCAST localhost URS00 33160
> 8 lo0
>
>
>
> On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @misc:
> >
> > I am up against a stumper. I have a Site-to-Site IPSEC VPN wo
bf UHLc 10 -
> 4 em0
> matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 -
> 4 lo0
> BASE-ADDRESS.MCAST localhost URS00 33160
> 8 lo0
>
>
>
> On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @mis
172.16.254.2 A.B.C.D.E
My setup is using a GRE tunnel. I have the GRE Tunnel endpoints configured on
/30 subnet. There might be a gap in my understanding.
Thank you again,
Matt
On 12 April 2011 23:53, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site
On 12 April 2011 23:53, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
> However, I would like the remote site to route all of its traffic through
the
> VPN. After googling, I seemed to come up with a suggestio
p against a stumper. I have a Site-to-Site IPSEC VPN working
>beautifully.
>
> However, I would like the remote site to route all of its traffic through
> the
> VPN. After googling, I seemed to come up with a suggestion to do a route
>change
>
> -net 0.0.0.0/0 wh
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully.
> However, I would like the remote site to route all of its traffic through
> the
> VPN. After googling, I see
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 which didn't work
. Build IP-IP IPSec and then build GRE tunnel on those 2 IP. You could
> route anything over GRE tunnel. Beware of encapsulation overhead, cause
> it is tunnel in tunnel.
> 2. Use OpenVPN instead of IPSec. It is far less painful.
>
> I.
>
> On Thu, 2011-04-07 at 16:51 -0700, And
build GRE tunnel on those 2 IP. You could
route anything over GRE tunnel. Beware of encapsulation overhead, cause
it is tunnel in tunnel.
2. Use OpenVPN instead of IPSec. It is far less painful.
I.
On Thu, 2011-04-07 at 16:51 -0700, Andrew Klettke wrote:
> We have a working IPSec VPN between two
On 2011-04-07, Andrew Klettke wrote:
> We have a working IPSec VPN between two 4.8 endpoints. One of them is at
> a remote location, and the other at the main office. The remote location
> has its own external, routable IP (to establish the VPN), and an
> internal subnet behind
We have a working IPSec VPN between two 4.8 endpoints. One of them is at
a remote location, and the other at the main office. The remote location
has its own external, routable IP (to establish the VPN), and an
internal subnet behind it. The main office has its own external IP,
through which it
On 2010/11/27 23:47, Andrea Parazzini wrote:
> On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson>
> wrote:
> > isakmpd.policy(5), and have some aspirin ready for the inevitable
> > headache.
>
>
> Stuart is right.
> I tried to play with isakmpd.policy and it's rather complicated.
> Read
On Thu, 11/25/10, Andrea Parazzini wrote:
> Hi,
> we have a vpn connection with a customer.
> The remote peer is not under our management.
> Our box is an OpenBSD 4.7 i386.
> We have configured the vpn as follows:
>
> /etc/rc.conf.local
> ipsec=YES
> isakmpd_flags="-K -v"
>
> /etc/ipsec.conf
> i
On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson
wrote:
> On 2010-11-25, Andrea Parazzini wrote:
>> As you can see there is a flow that is not configured on our box.
>> It is probably configured on the remote peer.
>> Is a normal behavior?
>
> Yes. This is especially fun when you end u
On 2010-11-25, Andrea Parazzini wrote:
> As you can see there is a flow that is not configured on our box.
> It is probably configured on the remote peer.
> Is a normal behavior?
Yes. This is especially fun when you end up accidentally routing
all traffic from a 100mb-connected site down an ADSL
> > 1. what is the (0.0.0.0/0) good for? 2. how are you inspecting traffic
> in
>> > the
>> > tunnel? 3. is nat allowed in the tunnel? 4. you may have let in more
>> > networks
>> > than you realize
>> > -damon
>> >
>> > --- On Thu, 1
let in more
> > networks
> > than you realize
> > -damon
> >
> > --- On Thu, 11/25/10, Andrea Parazzini
> > wrote:
> >
> > From: Andrea Parazzini
> > Subject: ipsec vpn unexpected flow
> > To: misc@openbsd.org
> > Date: Thursday, Novemb
ecting traffic in
> the
> tunnel? 3. is nat allowed in the tunnel? 4. you may have let in more
> networks
> than you realize
> -damon
>
> --- On Thu, 11/25/10, Andrea Parazzini
> wrote:
>
> From: Andrea Parazzini
> Subject: ipsec vpn unexpected flow
> To: mi
1. what is the (0.0.0.0/0) good for? 2. how are you inspecting traffic in the
tunnel? 3. is nat allowed in the tunnel? 4. you may have let in more networks
than you realize
-damon
--- On Thu, 11/25/10, Andrea Parazzini wrote:
From: Andrea Parazzini
Subject: ipsec vpn unexpected flow
To: misc
Hi,
we have a vpn connection with a customer.
The remote peer is not under our management.
Our box is an OpenBSD 4.7 i386.
We have configured the vpn as follows:
/etc/rc.conf.local
ipsec=YES
isakmpd_flags="-K -v"
/etc/ipsec.conf
ike active esp tunnel \
from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90
1.- IPSEC VPN Load Balancer connections it's make that possible ?
2.- somebody have benchmark or something to reference CPU consumption
of vpn tunnel
--
Jorge Andris Medina Oliva.
Hello
I am wondering if anyone who uses OpenBSD as an IPSEC VPN concentrator
could provide an example configuration. I am planning on using OpenBSD 4.7
to achieve this and I need to be able to support multiple road warrior users
who will have dynamic IP addresses. If possible, I would also
Hi,
I've done these tests:
inter...@work (OpenBSD PF)(ip fixe) (dynamic ip) Home (A mac)
I mounted vpn on mac to Work with third software : VPN Tracker
VPN is OK, i can ping my openbsd gateway and ping my Windows 7 Workstation.
But I can't access any resource except pings. Why? Enc0 is n
you describe your configuration, the output from the relevant
> commands (e.g. sudo ipsecctl -sa, netstat -n), what if any changes
> you've made to PF rules to accommodate the vpn, how you're testing,
> etc, perhaps someone can help.
I always thought that pf should have nothing
On 2010-03-30, Girish Venkatachalam wrote:
> Dear all,
>
> I find no explicit mention of how to encapsulate and decapsulate IPsec
> protected packets in tunnel mode.
>
> Are we supposed to use gre0 or gif0 interface to add routes?
>
> I am able to create SAs using automatic keying with isakmpd and
> Dear all,
>
> I find no explicit mention of how to encapsulate and decapsulate IPsec
> protected packets in tunnel mode.
>
> Are we supposed to use gre0 or gif0 interface to add routes?
>
> I am able to create SAs using automatic keying with isakmpd and 1 line
> in ipsec.conf.
>
> But I am unable
Dear all,
I find no explicit mention of how to encapsulate and decapsulate IPsec
protected packets in tunnel mode.
Are we supposed to use gre0 or gif0 interface to add routes?
I am able to create SAs using automatic keying with isakmpd and 1 line
in ipsec.conf.
But I am unable to connect two pr
It works; I removed "enc0" from "set skip on {lo enc0 }" as Mitja suggested.
Thanks to Mitja.
't help I'll look at your config again later tonight.
>
>> -Original Message-
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
Of
>> open...@e-solutions.re
>> Sent: Friday, March 12, 2010 4:34 PM
>> To: misc@openbsd.or
I'm trying to do vpn ipsec with nat. (I can do fully some test @ work with
have sdsl with 5 ip address)
To summarize, I want to do ipsec vpn between Site A (192.168.0.0/24) and Site B
(192.168.0.0/24). They have same network address.
So I've done it with this good article:
http://undeadly.or
Hello, we have to connect factory using ipsec vpn and nat.
The factory server (windows 2003) will send his backup
to our NAS using FTP,so : Site A and Site B (factory)
Site A , OpenBSD 4.5 -RELEASE, used like firewall (and ftpproxy)
Ip address (provided by IAP): 11.11.11.11(Egress), IP
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Aaron W. Hsu
> Sent: Monday, 22 September 2008 20:04
> To: misc@openbsd.org
> Subject: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?
>
>
> Hello All,
>
Hello All,
I am trying to connect to my University's VPN System, with little luck,
I am not sure how to even begin, though I have found Undeadly articles
on IPSec in Under 4 Minutes, as well as some various tutorials and
documents on connecting OpenBSD Servers to other Servers and gateways.
I d
Dirk Mast wrote:
Linux /etc/ipsec.conf:
version 2.0
config setup
... (snip)
Hi,
I finally managed to get it up and working (without IKE).
OpenBSD:
/etc/ipsec.conf:
ike esp from 10.50.0.0/24 to 192.168.9.0/24 peer PUBLIC_LINUX quick \
auth hmac-sha1 enc aes group modp1024 psk
Laurent CARON wrote:
> Dirk Mast wrote:
>> This config works for me:
>
> Hi,
>
>>
>> OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and
>> the package ike is installed under Linux, too.
>
> The openswan package is not sufficient to get a working IPsec between
> Linux and OpenBSD ?
Dirk Mast wrote:
This config works for me:
Hi,
OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and
the package ike is installed under Linux, too.
The openswan package is not sufficient to get a working IPsec between
Linux and OpenBSD ?
OpenBSD:
ike esp from any to 172.16.1
This config works for me:
OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and
the package ike is installed under Linux, too.
OpenBSD:
ike esp from any to 172.16.1.98 quick auth hmac-sha1 enc aes
group modp1024 psk "IMTEHLINUXCLIENT"
Linux:
/etc/ipsec.conf
version 2.0
config setu
Sean Malloy wrote:
It looks like you are trying to use different encryption algorithms and
hash functions for the phase 2 SA. They need to match at both end points.
It looks like the Linux box is configured to do 3DES and SHA1. The
OpenBSD box is configured to do AES and SHA256.
Hi,
Even with
On Mon, Aug 25, 2008 at 09:50:08PM +0200, Laurent CARON wrote:
> John Jackson wrote:
> >It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
> >'apt-get install isakmpd'. I've had success using isakmpd on Debian to
> >create VPN's between OpenBSD and Debian gateways.
>
>
> Her
John Jackson wrote:
It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
'apt-get install isakmpd'. I've had success using isakmpd on Debian to
create VPN's between OpenBSD and Debian gateways.
Here is where I'm now:
Openswan's side:
conn lncjakarta-lncha
leftsubnet=1
John Jackson wrote:
It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
'apt-get install isakmpd'. I've had success using isakmpd on Debian to
create VPN's between OpenBSD and Debian gateways.
Since i'm using OpenSwan on 99% of my servers, i'd like to be able to
integrate O
It may also be worth noting that Debian has OpenBSD's isakmpd packaged,
'apt-get install isakmpd'. I've had success using isakmpd on Debian to
create VPN's between OpenBSD and Debian gateways.
John
On Mon, Aug 25, 2008 at 03:52:42PM +0300, Imre Oolberg wrote:
> Hi!
>
> >
> >I'm basically trying
Hi!
I'm basically trying to setup a VPN between a linux box (debian) and an
OpenBSD one.
I am not a seasoned IPSec user but i tried out couple of configurations
and one of them was Debian with Racoon and OpenBSD's native isakmpd.
I based my experimentation on article which is about FreeBS
Hi,
I'm basically trying to setup a VPN between a linux box (debian) and an
OpenBSD one.
I'd like to use a PSK for that VPN.
Here are the config files:
Linux box:
conn jak-ha
left=PUBLICIP_OF_LINUX_BOX
leftsubnet=192.168.9.0/24
right=PUBLIC_IP_OF_BSD_BOX
rightsubnet=10.50.0.0
On Fri, Aug 22, 2008 at 03:11:16PM +0200, Claus Larsen wrote:
> Well I did get a bit further with the problem, it seems it was caused by a
> firewall blocking some of the traffic.
>
> So new problem now.
> Using the Greenbow vpn client.
>
> It says "Phase 2 algoritm problem".
>
> From the isakmpd
Well I did get a bit further with the problem, it seems it was caused by a
firewall blocking some of the traffic.
So new problem now.
Using the Greenbow vpn client.
It says "Phase 2 algoritm problem".
From the isakmpd output I get (a larger portion of the output included
below):
164658.900458 Def
Have a problem getting a vpn tunnel up between a zyxel vpn gw and my openbsd
4.3 system.
/etc/ipsec.conf
ike passive from any to any \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk openbsdrules
Below follows output from cmd:
isakmpd -d -DA=99 -K
TED]>
To: misc@openbsd.org
Subject: Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E
From which machine do I have to do "ping -I A.B.C.D E.F.G.H"
pf has default config and allows everything
forwarding is enabled
What does "netstat -rn -f encap" look like?
~b
So by the way .. the problem was link with pf.conf..
In fact there is something I did not put in my last mail: the fact
I'm using
TWO adsl pppoe link on the same PC. i'm doing load balancing for the web
access
it's working like a charm
So there is TWO tun interfaces : tun0 link w
g
> of jcr
> Sent: Tuesday, 27 November 2007 12:10
> To: misc@openbsd.org
> Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
>
>
> New thread .. after some new test..
>
> And still the same ... shit !
>
> Here is the LAn/WAn network
>
>
> 1
know whether the packets really leave openBSD, we can do further
analysis.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
> of jcr
> Sent: Tuesday, 27 November 2007 12:10
> To: misc@openbsd.org
> Subject: ipsec vpn netgear D
1 - 100 of 182 matches