On Tue, Dec 12, 2023 at 07:38:30AM +0100, Sebastian John wrote:
> Hello,
>
> I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new
> machine. I put the isakmpd.conf from the old machine (7.3) on the
> new one. Also some other configurations (interfaces, pf...). All
> works fine but the inc
Thanks Stuart for the answer
the new flags don't change the log output.
While with tcpdump I can see that the other endpoint is sending correct ipsec
parameters:
12:49:08.025601 *.fastwebnet.it.isakmp > *.it.isakmp: [udp sum ok] isakmp v1.0
exchange ID_PROT
cookie: db2bb04573305edb->00
On 2021-05-04, Giacomo Marconi wrote:
> Hi all
>
> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>
> In my last VPN config (using 6.8) I see in the logs that isakmpd is
> expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk
> value.
This usually mean
Tommy Nevtelen wrote on 31-8-2018 16:12:
On 2018-08-31 10:44, Daniel Polak wrote:
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to mi
Hello Philipp,
I used to (reliably) run from two to four parallel instances of isakmpd on
same boxes (for years) - first using different ports, then different IPs.
It seems like they've had to (peacefully) share the SADB. Did I just not
have enough tunnels to trigger the problem? If this isn't the
On 2018-08-31 10:44, Daniel Polak wrote:
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do it a
On Thursday, August 30, 2018 17:39 CEST, Philipp Buehler
wrote:
> Hi,
>
> On 30.08.2018 10:27, Sebastian Reitenbach wrote:
> > Hi,
> >
> > I'm wondering if it would be possible to add iked to my box already
> > running isakmpd.
> > I found this quite old thread:
> > http://openbsd-archive.7
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do it all
at the same time and that is not very g
On 2018-08-30 22:06, Daniel Polak wrote:
> On 30/08/2018 17:39, Philipp Buehler wrote:
>> I was not following development too closely, but I think that on the
>> kernel side
>> things have not changed. Which means iked and isakmpd will happily
>> "toe tap"
>> on each other's SADB in the kernel (even
On 30/08/2018 17:39, Philipp Buehler wrote:
I was not following development too closely, but I think that on the
kernel side
things have not changed. Which means iked and isakmpd will happily
"toe tap"
on each other's SADB in the kernel (even if there is *some* PID handling).
Would like to hear
Hi,
On 30.08.2018 10:27, Sebastian Reitenbach wrote:
Hi,
I'm wondering if it would be possible to add iked to my box already
running isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
Why is it "always" my old thre
On 2017-12-07 13:34, Jeremie Courreges-Anglas wrote:
On Thu, Dec 07 2017, Bernd wrote:
On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
On Wed, Dec 06 2017, Bernd wrote:
[...]
As a result, the IPSec tunnel can not be established. What did
I overlook here?
Looks like ipsec.conf(5
On Thu, Dec 07 2017, Bernd wrote:
> On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
>> On Wed, Dec 06 2017, Bernd wrote:
[...]
>>> As a result, the IPSec tunnel can not be established. What did
>>> I overlook here?
>>
>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
On Wed, Dec 06 2017, Bernd wrote:
Hi @misc,
I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).
My /etc/ipsec.conf looks like this:
ike esp from any to any peer x.y.z.0/27 \
main auth hma
On Wed, Dec 06 2017, Bernd wrote:
> Hi @misc,
>
> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
> OpenBSD 6.2 amd64 (dmesg below).
>
> My /etc/ipsec.conf looks like this:
>
> ike esp from any to any peer x.y.z.0/27 \
> main auth hmac-sha2-256 enc aes-256 group modp2048 \
>
On 17/06/17(Sat) 09:49, Nicolas Repentin wrote:
> No one ?
>
> On 13 June 2017 09:11:02 GMT+02:00, Nicolas wrote:
> >Hi everyone
> >
> >I'm searching some help about isakmpd, which is eating a lot of memory,
> >until the machine crash. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
> >After 3 days,
mpd memory problem with the
devs.
We have isakmpd running more than 100 tunnels.
Please post Your ipsec.conf with auth data and addresses anonymised to
investigate.
best regards
Michał Koc
-- Original message --
Subject: Re: isakmpd memory usage
From: N
No one ?
On 13 June 2017 09:11:02 GMT+02:00, Nicolas wrote:
>Hi everyone
>
>I'm searching some help about isakmpd, which is eating a lot of memory,
>until the machine crash. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
>After 3 days, the process is using 650MB of memory.
>
>When she's "freezed",
Hi Stuart,
Rising openfiles-cur does not change anything.
Best Regards
M.K.
-- Original message --
*Subject: *Re: isakmpd dies quietly with over 100 tunnels
*From: *Stuart Henderson
*To: *misc@openbsd.org
*Date: *30.05.2017 11:55
On 2017-05-28, Michał Koc wrote:
Hi all
On 2017-05-28, Michał Koc wrote:
> Hi all,
>
> I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels.
>
> Everything was running just fine when the number of tunnels was lower.
> But as we have been setting up more and more tunnels we suddenly run on
> problems.
> The isakmpd deaemo
On 2017-05-29, Alexis VACHETTE wrote:
> I didn't think it was isakmpd related back then.
> Maybe a configuration issue on my end or the partner's.
If isakmpd crashes, there is a bug in isakmpd. No network input should
cause that to happen.
t /usr/src/sbin/isakmpd/isakmpd.c:533
(gdb)
Best regards
M.K.
-- Original message --
*Subject: *Re: isakmpd dies quietly with over 100 tunnels
*From: *Michał Koc
*To: *Alexis VACHETTE , Theo de Raadt
, Florian Ermisch
*Cc: *misc@openbsd.org
*Date: *29.05.2017 11:39
Hi all,
we are set
Hi all,
we are setting up a test environment, will be back soon with the traces.
Best Regards
M.K.
-- Original message --
*Subject: *Re: isakmpd dies quietly with over 100 tunnels
*From: *Alexis VACHETTE
*To: *Theo de Raadt , Florian Ermisch
*Cc: *, Michał Koc
*Date
I didn't think it was isakmpd related back then.
Maybe a configuration issue on my end or the partner's.
But sure we need to post traces.
Nonetheless OpenBSD is an amazing piece of software, so thank you !
Regards,
Alexis.
On 29/05/2017 11:14, Theo de Raadt wrote:
Great thing is you all have
Great thing is you all have source code, and can run the same
debuggers live in your key-happy situations, and then generate traces
to expose the problem so that someone can help you.
But, yet, that doesn't happen. Strange isn't it?
Hi all,
I got to admit I've seen isakmpd dying on 5.9*
(amd64 on VMware). But after having to deal
with half a dozen peers all over Europe using
different proprietary solutions a cronjob like
"rcctl ls faulty | grep isakmpd && rcctl restart…"
worked well enough for me.
I won't be able to test w
Hi Michał,
I'm having same issue without 100 ipsec tunnels and dedicated hardware.
Unfortunately it's a production environment so I can't really
troubleshoot this issue to track down the culprit.
Anyway maybe it's not related to your issue.
Regards,
Alexis.
On 28/05/2017 14:31, Michał Koc
Thanks so much I was looking at the wrong place and was expecting it to be a
parameter...
Original Message
Subject: Re: isakmpd listen address
Local Time: May 25, 2017 9:06 PM
UTC Time: May 25, 2017 7:06 PM
From: hrv...@srce.hr
To: misc@openbsd.org
On 25.5.2017. 20:46, mabi
On 25.5.2017. 20:46, mabi wrote:
> Hello,
> I can't seem to find an option in isakmpd in order to have it listen only on
> one interface or IP address respectively. Is there an option for that I am
> not aware of? I just saw the -p option but that's for the port number.
> Thanks,
> M.
>
Hi,
cr
Hi,
Ok working well now, actually I shouldn't have set up the srcid with my
public_ip. Without this line (or this line containing private IP) it's
working well.
Regards,
Sebastien
On Sat, Mar 18, 2017 at 2:03 AM, Sébastien Morand
wrote:
> Hello Mike,
>
> "group none" in phase 2 because of thi
Hello Mike,
"group none" in phase 2 because of this in the documentation:
<<
Possible values for auth, enc, and group are described below in CRYPTO
TRANSFORMS. Perfect Forward Secrecy (PFS) is enabled unless group none is
specified.
>>
And their documentation says: No PFS. As far as I understan
Hello,
On Fri, Mar 17 2017 at 22:07, Stuart Henderson wrote:
> On 2017-03-16, Sébastien Morand wrote:
> > Thank you Mike for your answer. There is nothing more like you said.
> > Actually we succeed in phase 1 but not in phase 2.
> ..
> > It's look like good to me and conform to the provided spec
On 2017-03-16, Sébastien Morand wrote:
> Thank you Mike for your answer. There is nothing more like you said.
> Actually we succeed in phase 1 but not in phase 2.
..
> It's look like good to me and conform to the provided specs. Phase 1 is ok
> but no phase 2:
> 155851.640374 Default ipsec_validat
Hello Sebastien, Why "group none" for phase 2 ?
"    The following group types are permitted with the group keyword:
          Group      Size
          none       0      [phase 2 only]
"
maybe you should ask them their conf and their logs
Try alsosy
Hi Mike and everybody,
Thank you Mike for your answer. There is nothing more like you said.
Actually we succeed in phase 1 but not in phase 2.
My client give me the following spec:
Phase 1: SHA1 - 160 bits / DH 5 / Authentication with PSK / CIPHER :
AES-256 / Lifetime 86400s
Phase 2: Tunnel mode
On 14.03.2017 01:46, Mik J wrote:
Hello Sebastien, I'm not sure there's something special to force nat-t,
it's
automatic. The natted side has to initiate the flow to the non natted
side. If
the two sides are natted then there should be a port forward to one of
them. There should be a nat keepalive
Hello Sebastien, I'm not sure there's something special to force nat-t, it's
automatic. The natted side has to initiate the flow to the non natted side. If
the two sides are natted then there should be a port forward to one of
them. There should be a nat keepalive parameter as well.
Le Lundi 13
Disclaimer: I don't want to sound too negative, I really appreciate all the
hard work that went in to OpenIKED but I've just made the reverse trip;
OpenIKED (IKEv2) to isakmpd (IKEv1). We just couldn't get our connections
stable with OpenIKED. We backported multiple patches from the master in t
On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
>
Some more information on this and possibly a real question:
Here's t
On 2017-01-02, Peter Fraser wrote:
> I want the fixed IP address so I don't have to drive there to fix problems.
PS: I haven't used it recently, but I've found ports/sysutils/autossh useful
in the past for these.
On 2017-01-02, Peter Fraser wrote:
> A charity that I support has been having trouble with its internet provider
> (Rogers).
> The problem I have is that Roger is the only supplier that is available that
> will
> give a fixed IP address.
>
> I want the fixed IP address so I don't have to drive the
I apologise if it has already been said but we have heaps of clients with
Office 365 where Microsoft do not control the DNS. The client does but you
need special TXT records. Then again, none are charities with that special
$1/month/user deal.
Regards - Damian
Pacific Engineering Systems Inter
On Mon, 2017-01-02 at 22:05 +, Peter Fraser wrote:
[...]
> any hint as to what I am doing wrong?
Your config looks strange for sure!
Please read http://www.kernel-panic.it/openbsd/vpn/vpn3.html and
http://stuffresearch.tor.hu/?p=64
In addition I recommend reading http://undeadly.org/cgi?actio
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Steve Williams
> Sent: Monday, January 2, 2017 6:57 PM
> To: Peter Fraser ; 'misc@openbsd.org'
> Subject: Re: isakmpd set up
>
> Hi,
>
> I have bee
Yes I did try with the extra .0 it made no difference
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Denis Fondras
Sent: Tuesday, January 3, 2017 1:56 AM
To: Peter Fraser
Cc: 'misc@openbsd.org'
Subject: Re: isakmpd set up
> ike
[mailto:owner-m...@openbsd.org] On Behalf Of
Steve Williams
Sent: Monday, January 2, 2017 6:57 PM
To: Peter Fraser ; 'misc@openbsd.org'
Subject: Re: isakmpd set up
Hi,
I have been using OpenBSD on a dynamic IP address for 10+ years.
I have an account with dynamic dns provider Zoneedit a
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca
> dstid thinkage.ca tag ipsec-kwa
> ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
Have you tried to replace 192.102.11/24 with 192.102.11.0/24
Hi,
I have been using OpenBSD on a dynamic IP address for 10+ years.
I have an account with dynamic dns provider Zoneedit and use the
ddclient package.
I run a SMTP daemon, HTTP, SSH and in those 10+ years, I have never had
a situation where I could not reach my server. I access it from all
On 04.04.2015 00:41, Martin Larsson wrote:
It's been fixed now in strongswan 5.3. Was more curious if anyone
thought isakmpd made something wrong here :)
Best regards
Martin
Thank you. Today I have built new OpenWRT firmware with strongSwan 5.3.0
and the same configuration. Now reauthenticatio
It's been fixed now in strongswan 5.3. Was more curious if anyone thought
isakmpd made something wrong here :)
Best regards
Martin
On Fri, Apr 3, 2015 at 10:38 PM, Atanas Vladimirov wrote:
> On 20.03.2015 16:17, Martin Larsson wrote:
>
>> Hello!
>>
>> I've been struggling a lot lately with isakmp
On 20.03.2015 16:17, Martin Larsson wrote:
Hello!
I've been struggling a lot lately with isakmpd net to net to a
strongswan
(nat-t) client.
Isakmpd tells strongswan to delete the SA after a while.
I've gotten great help from one of the strongswan developers which came
up
with this.
isakmpd
On 12/04/2014 04:28 PM, Ted Unangst wrote:
On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote:
On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
On 2014-12-03, Josh Grosse wrote:
This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memc
On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote:
> On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
>> On 2014-12-03, Josh Grosse wrote:
>>
This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memcpy".
>>> It may not be that cha
On 2014-12-04, Kaya Saman wrote:
> I am seeing this in the logs:
> Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy
> Dec 4 09:35:33 isakmpd: backwards memcpy
So your isakmpd is broken. Wait for the next snapshot or build one from
-current sources yourself.
--
Christian "naddy" Weisgerbe
On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
> On 2014-12-03, Josh Grosse wrote:
>
>>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>>> Check your system logs for "isakmpd: backwards memcpy".
>> It may not be that change, since it was only committed two days ago.
>> I've
>
On 2014-12-03, Josh Grosse wrote:
>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>> Check your system logs for "isakmpd: backwards memcpy".
>
> It may not be that change, since it was only committed two days ago.
> I've
> seen the same symptoms in i386 snapshots from Nov 26 a
On 2014-12-03 13:59, Josh Grosse wrote:
On 2014-12-03 12:47, Christian Weisgerber wrote:
...
This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for "isakmpd: backwards memcpy".
It may not be that change, since it was only committed two days ago.
I've
seen
On 2014-12-03 12:47, Christian Weisgerber wrote:
On 2014-12-03, Zé Loff wrote:
for some reason, this seems to have been for a while now; isakmpd
will
simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
I am seeing the same behaviour (apparently a clean exit, no message
whatsoe
On 2014-12-03, Zé Loff wrote:
>> for some reason, this seems to have been for a while now; isakmpd will
>> simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
>
> I am seeing the same behaviour (apparently a clean exit, no message
> whatsoever nor core file) on -current, with an ip
On Wed, Dec 03, 2014 at 03:24:06PM +, Zé Loff wrote:
> On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
> > I run this kernel from beginning of November:
> >
> > OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
> > dera...@i386.openbsd.org:/usr/src/sys/
On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
> I run this kernel from beginning of November:
>
> OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by
I run this kernel from beginning of November:
OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC"
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MM
On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> Hi,
>
> for some reason, this seems to have been for a while now; isakmpd will
> simply quit running after initiating: ipsecctl -f /etc/ipsec.conf
>
> Starting isakmpd manually with flags -Kdv doesn't give any indication as
> to what
> On 01/11/2013, at 12:06, Stuart Henderson wrote:
>
>> On 2013-11-01, Zé Loff wrote:
>> Just a minor glitch. Apologies in advance if the diff's badly done.
>
> No, that's incorrect, the key already exists; see /etc/rc.
Yes, I'm sorry. I was creating the certificates on a different folder, in
On 2013-11-01, Zé Loff wrote:
> Just a minor glitch. Apologies in advance if the diff's badly done.
No, that's incorrect, the key already exists; see /etc/rc.
> Cheers
> Zé
>
>
> --- isakmpd.8.orig Fri Nov 1 10:26:47 2013
> +++ isakmpd.8 Fri Nov 1 10:27:11 2013
> @@ -671,7 +671,7 @@
>
On 2013-09-07, Christoph Leser wrote:
>>From: owner-m...@openbsd.org [owner-m...@openbsd.org]" on behalf of
>>"Stuart Henderson >[s...@spacehopper.org]
>>Sent: Saturday, 7 September 2013 00:11
>>To: misc@openbsd.org
>>Subject: Re: ISAKMPD NAT/Tr
>From: owner-m...@openbsd.org [owner-m...@openbsd.org]" on behalf of
>"Stuart Henderson >[s...@spacehopper.org]
>Sent: Saturday, 7 September 2013 00:11
>To: misc@openbsd.org
>Subject: Re: ISAKMPD NAT/Traversal
>>On 2013-09-06, Christoph Leser wrote:
>
On 2013-09-06, Christoph Leser wrote:
> Hello, list,
>
> from a remark by Stuart Henderson on an older thread
> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September
> 2012, I understood that NAT-T support in openBSD was not complete at that time,
> especially the handling of th
e the values you were talking about, or are there other values that
> should be set?
>
> Thanks.
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of mxb
> Sent: Tuesday, 18 September 2012 09:43
Nachricht-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
mxb
Sent: Tuesday, 18 September 2012 09:43
To: misc@openbsd.org
Subject: Re: isakmpd lifetime trouble with openBSD 5.2 current
Tried to add those values into plain old isakmpd.conf?
I run 5.2-current and have
Tried to add those values into plain old isakmpd.conf?
I run 5.2-current and have those values in isakmpd.conf. Never seen
those messages and all works fine.
On 09/17/2012 09:30 PM, Christoph Leser wrote:
> After updating to 5.2 current, I noticed, that incoming phase-1 requests get
> drop due t
Follow on:
I investigated another case:
Same as in the previous case, 5.2 switches to port 4500 after the NAT-D
packets are exchanged and then tries to negotiate ENCAPSULATION MODE = TUNNEL
(tcpdump shows that this QUICK MODE packet is udp encapsulated). This is
rejected with NO PROPOSAL CHOSEN.
Hi Toni,
Toni Mueller wrote on Wed, Jan 04, 2012 at 06:09:55PM +0100:
> I've run into an interoperability problem with an Astaro, which does
> not like our certificate. The certificate basically looks like
>
> ...
> Subject: C=DE, L=..., CN=IP-number
> ...
> Subject Alternative Name: IPv4 Ad
Hi Stu,
On Sun, Dec 04, 2011 at 11:24:24AM +, Stuart Henderson wrote:
> I don't see any code changes that would result in a different presentation
> order of certificates between 4.8 and 5.0..
>
> tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
> logs from the 3rd
I don't see any code changes that would result in a different presentation
order of certificates between 4.8 and 5.0..
tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
logs from the 3rd party and maybe isakmpd, though I'll be the first to admit
isakmpd logging is pretty
On 2011-07-15, MG wrote:
> On 7/14/2011 9:31 PM, Kenneth R Westerback wrote:
>> On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
>>> Are there many updates of the source that is not published as an
>>> errata (on stable)?
>> Yes.
>>
>> Ken
>>
>>> // rancor
>>>
>>> 2011/7/14 Stuart Hend
MG wrote:
Forgive my ignorance, but does this mean that if I were to install
OpenBSD 4.9 via FTP today, there shouldn't be random IPsec disconnects
as described in bug PR6601? Thanks.
The file sets on ftp.openbsd.org/pub/OpenBSD/4.9/ (and of course on all
official mirrors) are 4.9-release (t
MG [mas...@fourseasonsnow.com] wrote:
> Forgive my ignorance, but does this mean that if I were to install
> OpenBSD 4.9 via FTP today, there shouldn't be random IPsec
> disconnects as described in bug PR6601? Thanks.
Only if it's 4.9-current (snapshot)
If you install 4.9 release, you have to up
On 7/14/2011 9:31 PM, Kenneth R Westerback wrote:
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
Are there many updates of the source that is not published as an
errata (on stable)?
Yes.
Ken
// rancor
2011/7/14 Stuart Henderson:
On 2011-07-14, Paul Suh wrote:
If it's easy t
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
> Are there many updates of the source that is not published as an
> errata (on stable)?
Yes.
Ken
>
> // rancor
>
> 2011/7/14 Stuart Henderson :
> > On 2011-07-14, Paul Suh wrote:
> >> If it's easy to pull the diff it shouldn't be h
Are there many updates of the source that is not published as an
errata (on stable)?
// rancor
2011/7/14 Stuart Henderson :
> On 2011-07-14, Paul Suh wrote:
>> If it's easy to pull the diff it shouldn't be hard to post it
>
> It's not about difficulty.
>
>> and it would be a nice thing to do for
On 2011-07-14, Paul Suh wrote:
> If it's easy to pull the diff it shouldn't be hard to post it
It's not about difficulty.
> and it would be a nice thing to do for folks have scripts that
> notify them on changes of the errata pages.
It's normal to have things in -stable where no erratum is issu
On Thu, Jul 14, 2011 at 11:49:16AM -0400, Paul Suh wrote:
> Folks,
>
> Hmm -- it's not showing on the 4.9 or 4.8 Errata pages:
>
> http://www.openbsd.org/errata49.html
> http://www.openbsd.org/errata48.html
>
> If it's easy to pull the diff it shouldn't be hard to post it, and it would be
> a n
Folks,
Hmm -- it's not showing on the 4.9 or 4.8 Errata pages:
http://www.openbsd.org/errata49.html
http://www.openbsd.org/errata48.html
If it's easy to pull the diff it shouldn't be hard to post it, and it would be
a nice thing to do for folks have scripts that notify them on changes of the
err
On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
> It's tagged for 4.9-STABLE
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
And I just committed a corresponding diff into 4.8 stable.
Dunno if this warrants a patch. It's easy to pull the diff from cvs.
-Ott
It's tagged for 4.9-STABLE
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Steve
Sent: Thursday, July 14, 2011 9:41 AM
To: misc@openbsd.org
Subject: ISAKMPD
Hi all,
Sorry this has
On Thu, Jul 14, 2011 at 06:41:06AM -0700, Steve wrote:
> Hi all,
>
> Sorry this has been asked before but I can find no answer.
>
> Is there going to be an official patch for ISAKMPD for 4.8 4.9.
To remedy what problem?
>
> I did see something in the bug tracking a while back but I now get the
Hmm.. sounds like this might be a candidate for -STABLE?
--Paul
On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote:
> On 2011-07-08, Tony Sarendal wrote:
If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certain
On Fri, Jul 8, 2011 at 4:09 PM, Stuart Henderson wrote:
> On 2011-07-08, Tony Sarendal wrote:
> >> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> >> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> >> > see problems from time to time.
> >>
> >
> > Is thi
On 2011-07-08, Tony Sarendal wrote:
>> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
>> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
>> > see problems from time to time.
>>
>
> Is this a cosmetic thing or does it affect connectivity ?
dh.c r1.14 affects
We are not using the tunnels for production use yet and have not started to
measure uptime but we will do it soon. I have not noticed any problem when
I'm using the tunnels, only the messages.
However, I was recommended by Stuart to pull up src/sbin/isakmpd/dh.c to
1.14 since there is a bug that a
On Mon, Jul 4, 2011 at 4:12 PM, rancor wrote:
> Ah =) Thanks!
>
> // rancor
>
> 2011/7/4 Stuart Henderson :
> > On 2011-07-02, rancor wrote:
> >> Hi.
> >>
> >> I have two separate ipsec tunnels from 4.9 boxes and both are
> >> generating this message in /var/log/messages once every hour or two
>
Ah =) Thanks!
// rancor
2011/7/4 Stuart Henderson :
> On 2011-07-02, rancor wrote:
>> Hi.
>>
>> I have two separate ipsec tunnels from 4.9 boxes and both are
>> generating this message in /var/log/messages once every hour or two
>> Jul 2 08:14:54 isakmpd[28247]: message_recv: invalid
>> cookie(
On 2011-07-02, rancor wrote:
> Hi.
>
> I have two separate ipsec tunnels from 4.9 boxes and both are
> generating this message in /var/log/messages once every hour or two
> Jul 2 08:14:54 isakmpd[28247]: message_recv: invalid
> cookie(s) 57603c2
> Jul 2 08:14:54 isakmpd[28247]: dropped message
On 2010-05-26, Jacob Yocom-Piatt wrote:
> i'm looking for an alternative
still very early days, but Reyk just committed an ikev2 daemon, iked...
http://article.gmane.org/gmane.os.openbsd.cvs/97036
http://article.gmane.org/gmane.os.openbsd.cvs/97037
Michiel van Baak wrote:
And you want any help after talking to this list that way ?
i explained my problem pretty succinctly in the first email - isakmpd is
episodically unreliable, painful to debug, and i am looking for an
alternative if anyone is using something else on openbsd for vpn
On May 26, 2010, at 1:58 PM, Jacob Yocom-Piatt wrote:
> Bryan wrote:
>> On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
>> wrote:
>>
>>> over the past several years i have encountered a variety of problems with
>>> isakmpd that range from difficult to translate error messages to tunnels
>
Bryan wrote:
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
wrote:
over the past several years i have encountered a variety of problems with
isakmpd that range from difficult to translate error messages to tunnels
dropping without explanation.
Greetings,
Did you t
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
wrote:
> over the past several years i have encountered a variety of problems with
> isakmpd that range from difficult to translate error messages to tunnels
> dropping without explanation.
>
>
>
Greetings,
Did you try different hardware?
This has been committed. Thanks.
-mark
lum@
===
Hello,
while playing with isakmpd, I found that it would be nice to have a
complement for the "isakmpd: exiting" log entry.
Index: isakmpd.c
=