Re: IPSec VPN with iked (8)

2013-11-28 Thread Jan Lambertz
There is a post of my findings in the archives. Android 2.3 worked fine with iked and npppd

Re: IPSec VPN with iked (8)

2013-11-25 Thread Benjamin Epitech
On Mon, Nov 25, 2013 at 1:21 PM, Stuart Henderson wrote: > For Android phones the standard way to do VPNs is l2tp-over-ipsec (IKE). > You can do this with npppd and isakmpd (iked is for IKEv2 which is not > compatible with IKE). > > Apparently someone made an Android app to support IKEv2 ( https:/

Re: IPSec VPN with iked (8)

2013-11-25 Thread Stuart Henderson
On 2013-11-25, Benjamin Epitech wrote: > Hello, > > I am new to the concept of IPSec VPNs and although there are many tutorials > to set one up with isakmp (8), I find there is less resources on setting up > one with the newer iked. > > Can someone give me the main steps required to set up an IPSe

Re: IPSEC VPN performance

2012-10-02 Thread Reyk Floeter
On Tue, Oct 2, 2012 at 9:59 AM, Christiano F. Haesbaert wrote: > Why not using tcpbench where you can actually specify the parameters > and know what is going on :). > > Play with buffer sizes and you'll see a big difference, using -u will > give you the actual PPS. > I agree, I stopped using Ipe

Re: IPSEC VPN performance

2012-10-02 Thread Ryan McBride
On Tue, Oct 02, 2012 at 09:59:05AM +0200, Christiano F. Haesbaert wrote: > Why not using tcpbench where you can actually specify the parameters > and know what is going on :). > > Play with buffer sizes and you'll see a big difference, using -u will > give you the actual PPS. I agree with this.

Re: IPSEC VPN performance

2012-10-02 Thread Christiano F. Haesbaert
On 2 October 2012 08:57, David Coppa wrote: > On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison > wrote: >> Is iPerf running threaded? What about dd to null and a loopback listener? > > Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled. > > ciao, > David > Why not usin

Re: IPSEC VPN performance

2012-10-02 Thread David Coppa
On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison wrote: > Is iPerf running threaded? What about dd to null and a loopback listener? Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled. ciao, David

Re: IPSEC VPN performance

2012-10-01 Thread Andy Bradford
Thus said Jim Miller on Mon, 01 Oct 2012 11:20:06 EDT: > # dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345 What if you try a different bs? $ dd if=/dev/zero bs=1000 count=100 > /dev/null 100+0 records in 100+0 records out 10 bytes transferred in 1.102 secs (907

Re: IPSEC VPN performance

2012-10-01 Thread Janne Johansson
Perhaps the pipe size causes degradations, I seem to recall getting better results on benchmarks without pipes. On 1 Oct 2012 18:07, "Otto Moerbeek" wrote: > On Mon, Oct 01, 2012 at 11:20:06AM -0400, Jim Miller wrote: > > > I just reran the test again. I still receive about 600Mbps using iPerf >

Re: IPSEC VPN performance

2012-10-01 Thread Otto Moerbeek
On Mon, Oct 01, 2012 at 11:20:06AM -0400, Jim Miller wrote: > I just reran the test again. I still receive about 600Mbps using iPerf > however using > > client > # dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345 > > server > # nc -v -l 12345 > /dev/null > > I get numbers around

Re: IPSEC VPN performance

2012-10-01 Thread Jim Miller
I just reran the test again. I still receive about 600Mbps using iPerf however using client # dd if=/dev/zero bs=1000 count=100 | nc -v 172.16.2.2 12345 server # nc -v -l 12345 > /dev/null I get numbers around 350Mbps. I tend to think iPerf is more reliable in this situation. Any ideas wh

Re: IPSEC VPN performance

2012-09-28 Thread Ryan McBride
600Mbps seems about right, I tested a pair of E5649-based boxes to 550Mbps last year (with aes-128-gcm): http://marc.info/?l=openbsd-misc&m=134033767126930 You'll probably get slightly more than 600 with multiple TCP streams. Assuming PF was enabled for your test (the default configuration

Re: IPSEC VPN performance

2012-09-28 Thread Jim Miller
Yes. Let me double check everything again on Monday. Keep in mind that all devices had 1Gb ethernet interfaces and everything was directly cabled. No pf rules either. w/o ipsec I could get 900mbps through the openbsd boxes. Now you've got me thinking I need to recheck everything. -Jim On 9/2

Re: IPSEC VPN performance

2012-09-28 Thread Hrvoje Popovski
Hi, On 28.9.2012 22:09, Jim Miller wrote: > So using another Mac w/ 1Gb ethernet adapter to a Linux box w/ 1Gb eth I > was able to achieve approx. 600Mbps performance through the test setup > (via iperf and my dd method). > 600Mbps via ipsec between two Intel E31220 ?

Re: IPSEC VPN performance

2012-09-28 Thread Jim Miller
So I just realized another serious flaw in my testing. I was using a Mac Air w/ USB 100Mb ethernet adapter for one of the hosts behind the OpenBSD VPN devices. And it must have been limiting the speed more than I thought. So using another Mac w/ 1Gb ethernet adapter to a Linux box w/ 1Gb eth I w

Re: IPSEC VPN performance

2012-09-28 Thread Christian Weisgerber
Jim Miller wrote: > The test I'm using is this > Host A: > # nc -v -l 12345 | /dev/null > > Host B: > # dd if=/dev/zero bs=1000 count=1 | nc -v 12345 I increased the count a bit: 10 bytes transferred in 53.265 secs (18773882 bytes/sec) That's with AES-256-GCM between two Sandy Bri

Re: IPSEC VPN performance

2012-09-28 Thread Jim Miller
Good catch. I've since upgraded to the amd64 kernel. See the below dmesg. The performance jumped from 40mbps to approx. 70mbps. This is obviously a significant jump. I've tried switching the childsa from aes-256-gmac, aes-256-gcm, aes-128 and the times are fairly constant. I assume the AES-NI

Re: IPSEC VPN performance

2012-09-28 Thread Otto Moerbeek
On Fri, Sep 28, 2012 at 08:38:37AM -0400, Jim Miller wrote: > Sorry I was stingy on the dmesg output. Here's the full dump. I will > test with other AES modes now. And then install amd64 ;-) -Otto > > -Jim > > > OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012 >

Re: IPSEC VPN performance

2012-09-28 Thread Jim Miller
Sorry I was stingy on the dmesg output. Here's the full dump. I will test with other AES modes now. -Jim OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel

Re: IPSEC VPN performance

2012-09-28 Thread Peter Hessler
On 2012 Sep 27 (Thu) at 17:30:38 -0400 (-0400), Jim Miller wrote: :Hardware Configuration: :- (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled : :cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class) :3.10 GHz :cpu0: :FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,

Re: IPSEC VPN performance

2012-09-28 Thread Mike Belopuhov
On Fri, Sep 28, 2012 at 11:45 AM, Otto Moerbeek wrote: > On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote: > >> Hi, >> >> I'm trying to determine if the performance I'm seeing between two >> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize >> there are quite a few v

Re: IPSEC VPN performance

2012-09-28 Thread Mike Belopuhov
On Thu, Sep 27, 2012 at 11:30 PM, Jim Miller wrote: > Hi, > > I'm trying to determine if the performance I'm seeing between two > OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize > there are quite a few variables to consider and I'm sure I've not > toggled each one but I coul

Re: IPSEC VPN performance

2012-09-28 Thread Otto Moerbeek
On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote: > Hi, > > I'm trying to determine if the performance I'm seeing between two > OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize > there are quite a few variables to consider and I'm sure I've not > toggled each one b

Re: IPSec VPN dropping packets from time to time

2011-12-20 Thread Steven Surdock
See -stable fixes to 4.9. Otherwise consider upgrading 4.9->5.0. -Steve S. -Original Message- From: Georg Buschbeck [open...@thomas-daily.de] Received: Tuesday, 20 Dec 2011, 2:35am To: misc@openbsd.org [misc@openbsd.org] Subject: IPSec VPN dropping packets from time to time

Re: ipsec vpn 'colouring'

2011-05-27 Thread Claer
On Fri, May 27 2011 at 07:16, Oeschger Patrick wrote: > *hmmm* *hmmm*, > i did a test using ipsec vpn colouring aka. tagging > ipsec.conf offers the option to tag the vpn traffic for further PF filtering > using these tags i can instruct PF to use different public NAT addresses > (outgoing to inte

Re: ipsec vpn unexpected flow

2010-11-28 Thread Stuart Henderson
On 2010/11/27 23:47, Andrea Parazzini wrote: > On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson> > wrote: > > isakmpd.policy(5), and have some aspirin ready for the inevitable > > headache. > > > Stuart is right. > I tried to play with isakmpd.policy and it's rather complicated. > Read

Re: ipsec vpn unexpected flow

2010-11-27 Thread Andrea Parazzini
On Thu, 11/25/10, Andrea Parazzini wrote: > Hi, > we have a vpn connection with a customer. > The remote peer is not under our management. > Our box is an OpenBSD 4.7 i386. > We have configured the vpn as follows: > > /etc/rc.conf.local > ipsec=YES > isakmpd_flags="-K -v" > > /etc/ipsec.conf > i

Re: ipsec vpn unexpected flow

2010-11-26 Thread Andrea Parazzini
On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson wrote: > On 2010-11-25, Andrea Parazzini wrote: >> As you can see there is a flow that is not configured on our box. >> It is probably configured on the remote peer. >> Is a normal behavior? > > Yes. This is especially fun when you end u

Re: ipsec vpn unexpected flow

2010-11-26 Thread Stuart Henderson
On 2010-11-25, Andrea Parazzini wrote: > As you can see there is a flow that is not configured on our box. > It is probably configured on the remote peer. > Is a normal behavior? Yes. This is especially fun when you end up accidentally routing all traffic from a 100mb-connected site down an ADSL

Re: ipsec vpn unexpected flow

2010-11-26 Thread Andrea Parazzini
On Fri, 26 Nov 2010 10:32:59 +0330, Bahador NazariFard wrote: > On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini < > a.parazz...@sirtisistemi.net> wrote: > >> Hi, >> "from 10.1.0.0/16" is the network id that I would negotiate with the >> remote >> peer. >> "(0.0.0.0/0)" is our real network, we h

Re: ipsec vpn unexpected flow

2010-11-25 Thread Bahador NazariFard
On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini < a.parazz...@sirtisistemi.net> wrote: > Hi, > "from 10.1.0.0/16" is the network id that I would negotiate with the > remote > peer. > "(0.0.0.0/0)" is our real network, we have a lot of networks behind this > box. > We perform NAT on traffic leavi

Re: ipsec vpn unexpected flow

2010-11-25 Thread Andrea Parazzini
Hi, "from 10.1.0.0/16" is the network id that I would negotiate with the remote peer. "(0.0.0.0/0)" is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel. 192.168.71/24 0 10.1/160 0 W.X.Y.Z/esp/use/in 10.1/16

Re: ipsec vpn unexpected flow

2010-11-25 Thread Damon Schlosser
1. what is the (0.0.0.0/0) good for? 2. how are you inspecting traffic in the tunnel? 3. is nat allowed in the tunnel? 4. you may have let in more networks than you realize -damon --- On Thu, 11/25/10, Andrea Parazzini wrote: From: Andrea Parazzini Subject: ipsec vpn unexpected flow To: misc@open

Re: IPSec VPN and tunnel mode routing

2010-03-30 Thread Girish Venkatachalam
Many thanks for the answers. I should certainly thank Daniel with a full heart since he really made my day. Many thanks. On Tue, Mar 30, 2010 at 6:32 PM, Stuart Henderson wrote: >> I am able to create SAs using automatic keying with isakmpd and 1 line >> in ipsec.conf. > > If you describe your co

Re: IPSec VPN and tunnel mode routing

2010-03-30 Thread Stuart Henderson
On 2010-03-30, Girish Venkatachalam wrote: > Dear all, > > I find no explicit mention of how to encapsulate and decapsulate IPsec > protected packets in tunnel mode. > > Are we supposed to use gre0 or gif0 interface to add routes? > > I am able to create SAs using automatic keying with isakmpd and

Re: IPSec VPN and tunnel mode routing

2010-03-30 Thread Schöberle Dániel
> Dear all, > > I find no explicit mention of how to encapsulate and decapsulate IPsec > protected packets in tunnel mode. > > Are we supposed to use gre0 or gif0 interface to add routes? > > I am able to create SAs using automatic keying with isakmpd and 1 line > in ipsec.conf. > > But I am unable

Re: Ipsec VPN and NAT

2010-03-12 Thread openbsd
Yes it is "lo" for loopback, a keyboard error. I can't do any modification because I'm no longer at work. I will do the changes Monday (GMT+4). I'll keep you informed, and of course thank you very much for your help. On Fri, 12 Mar 2010 16:54:50 +0100, Mitja MuE>eniD / Kerberos.si / wrote: > Just a qu

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-27 Thread Laurent CARON
Dirk Mast wrote: Linux /etc/ipsec.conf: version 2.0 config setup ... (snip) Hi, I finally managed to get it up and working (without IKE). OpenBSD: /etc/ipsec.conf: ike esp from 10.50.0.0/24 to 192.168.9.0/24 peer PUBLIC_LINUX quick \ auth hmac-sha1 enc aes group modp1024 psk

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-27 Thread Dirk Mast
Laurent CARON wrote: > Dirk Mast wrote: >> This config works for me: > > Hi, > >> >> OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and >> the package ike is installed under Linux, too. > > The openswan package is not sufficient to get a working IPsec between > Linux and OpenBSD ?

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-27 Thread Laurent CARON
Dirk Mast wrote: This config works for me: Hi, OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and the package ike is installed under Linux, too. The openswan package is not sufficient to get a working IPsec between Linux and OpenBSD ? OpenBSD: ike esp from any to 172.16.1

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-27 Thread Dirk Mast
This config works for me: OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and the package ike is installed under Linux, too. OpenBSD: ike esp from any to 172.16.1.98 quick auth hmac-sha1 enc aes group modp1024 psk "IMTEHLINUXCLIENT" Linux: /etc/ipsec.conf version 2.0 cono,g setu

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-27 Thread Laurent CARON
Sean Malloy wrote: It looks like you are trying to use different encryption algorithms and hash functions for the phase 2 SA. They need to match at both end points. It looks like the Linux box is configured to do 3DES and SHA1. The OpenBSD box is configured to do AES and SHA256. Hi, Even with

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread Sean Malloy
On Mon, Aug 25, 2008 at 09:50:08PM +0200, Laurent CARON wrote: > John Jackson wrote: > >It may also be worth noting that Debian has OpenBSD's isakmpd packaged, > >'apt-get install isakmpd'. I've had success using isakmpd on Debian to > >create VPN's between OpenBSD and Debian gateways. > > > Her

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread Laurent CARON
John Jackson wrote: It may also be worth noting that Debian has OpenBSD's isakmpd packaged, 'apt-get install isakmpd'. I've had success using isakmpd on Debian to create VPN's between OpenBSD and Debian gateways. Here is where I'm now: Openswan's side: conn lncjakarta-lncha leftsubnet=1

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread Laurent CARON
John Jackson wrote: It may also be worth noting that Debian has OpenBSD's isakmpd packaged, 'apt-get install isakmpd'. I've had success using isakmpd on Debian to create VPN's between OpenBSD and Debian gateways. Since I'm using OpenSwan on 99% of my servers, I'd like to be able to integrate O

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread John Jackson
It may also be worth noting that Debian has OpenBSD's isakmpd packaged, 'apt-get install isakmpd'. I've had success using isakmpd on Debian to create VPN's between OpenBSD and Debian gateways. John On Mon, Aug 25, 2008 at 03:52:42PM +0300, Imre Oolberg wrote: > Hi! > > > > >I'm basically trying

Re: IPSEC VPN between OpenBSD and Linux (OpenSwan)

2008-08-25 Thread Imre Oolberg
Hi! I'm basically trying to setup a VPN between a linux box (debian) and an OpenBSD one. I am not a seasoned IPSec user but I tried out a couple of configurations and one of them was Debian with Racoon and OpenBSD's native isakmpd. I based my experimentation on an article which is about FreeBS

Re: ipsec vpn problem

2008-08-22 Thread jared r r spiegel
On Fri, Aug 22, 2008 at 03:11:16PM +0200, Claus Larsen wrote: > Well I did get a bit further with the problem, it seems it was caused by a > firewall blocking some of the traffic. > > So new problem now. > Using the Greenbow vpn client. > > It says "Phase 2 algoritm problem". > > From the isakmpd

Re: ipsec vpn problem

2008-08-22 Thread Claus Larsen
Well I did get a bit further with the problem, it seems it was caused by a firewall blocking some of the traffic. So new problem now. Using the Greenbow vpn client. It says "Phase 2 algoritm problem". >From the isakmpd output I get (a larger portion of the output included below): 164658.900458 Def

Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread Christoph Leser
I forgot to ask: what are the NAT statements in your pf.conf, that you mention. the ipsec packets should not be NAT'ed in your configuration ( although ipsec can go through NAT in general ). > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf > of jcr >

Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread Christoph Leser
Hi, here my 50 cent: tcpdump looks good, obsd machine receives first message of phase 1 exchange and sends a suitable response. your netgear log says, that no response to first message is received. this means, response from isakmpd gets lost, either in local pf or in netgear ( don't know if the

Re: ipsec vpn openbsd 4.2 / netgear DG834

2007-11-23 Thread Evgeniy Sudyr
Hello jcr, Friday, November 23, 2007, 5:36:30 PM, you wrote: > k . > here i go > i have read the misc list upside/down and right to left , but i can't > find a solution to my problem > Here is the LAn/WAn network 192.168.0/24(lan)-->>Netgear DG 834 (adsl + NAT + ipsec +ip fix A) >

Re: IPSec VPN gateway with only one interface

2007-09-24 Thread Markus Wernig
For the record: The problem was not with the single interface, but with my misreading the documentation. The error was in specifying the tunnel twice. The working ipsec directives are of course: ipsec.conf on A: ike esp from to peer srcid dstid ipsec.conf on B: ike passive esp tu

Re: ipsec vpn?

2007-08-22 Thread Sergey Prysiazhnyi
On Thu, Aug 16, 2007 at 09:56:05AM +0200, Hans-Joerg Hoexer wrote: > Can you try to run isakmpd without "-K" and use a 2 line isakmpd.policy > like this: > > KeyNote-Version: 2 > Authorizer: "POLICY" > > This policy accepts anything, so this should be done only for testing. Well done this such p

Re: ipsec vpn?

2007-08-20 Thread Steve B
Hans-Joerg, Markus - Thanks for the advice and the help. I sat down and did some more testing at work. I definitely have an IPSEC tunnel from one point to the other. Any suggestions on how I can now have my users route all of their traffic through our end? I'd like them to be able to safely browse

Re: ipsec vpn?

2007-08-18 Thread Steve B
I finally have some SUCCESS to report! I changed the ipsec.conf file back to the one that I got to work on Phase 1, but appeared to be hanging on Phase 2, ran ipsecctl -f /etc/ipsec.conf and started isakmpd without the "-K". Greenbow now reports both Phases worked and I had a tunnel. When I test

Re: ipsec vpn?

2007-08-18 Thread Steve B
Following the advice from Hans-Joerg and Markus I changed the ipsec.conf file back to the default transforms sent by Greenbow, ran ipsecctl -f /etc/ipsec.conf, changed the permissions on the policy file and started isakmpd without the "-K". Greenbow logging shows I did not even get past the Phase 1

Re: ipsec vpn?

2007-08-16 Thread Markus Friedl
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote: > I made a few changes and did some more testing this evening. > > 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow > default transforms that Hans-Joerg recommended. > > # cat /etc/ipsec.conf > ike dynamic esp tunnel fr

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote: > I made a few changes and did some more testing this evening. > > 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow > default transforms that Hans-Joerg recommended. > > # cat /etc/ipsec.conf > ike dynamic esp tunnel fr

Re: ipsec vpn?

2007-08-16 Thread Steve B
I made a few changes and did some more testing this evening. 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow default transforms that Hans-Joerg recommended. # cat /etc/ipsec.conf ike dynamic esp tunnel from any to 192.168.1.0/24 \ main auth hmac-sha1 enc 3des group modp1024

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
Can you try to run isakmpd without "-K" and use a 2 line isakmpd.policy like this: KeyNote-Version: 2 Authorizer: "POLICY" This policy accepts anything, so this should be done only for testing. On Thu, Aug 16, 2007 at 02:53:44AM +0300, Sergey Prysiazhnyi wrote: > On Wed, Aug 15, 2007 at 10:37:5

Re: ipsec vpn?

2007-08-15 Thread Sergey Prysiazhnyi
On Wed, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote: > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > > ike dynamic from any to any \ > > main auth hmac-sha1 enc aes group modp1024 \ > > quick auth hmac-sha1 enc aes psk secret > > > > ; ike passive

Re: ipsec vpn?

2007-08-15 Thread Hans Hoexer
And I should mention, that in the "any to any" case you can not use -K and you have to specify an isakmpd.policy file. On Wed, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote: > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > > ike dynamic from any to any \ > >

Re: ipsec vpn?

2007-08-15 Thread Hans-Joerg Hoexer
On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > ike dynamic from any to any \ > main auth hmac-sha1 enc aes group modp1024 \ > quick auth hmac-sha1 enc aes psk secret > > ; ike passive, ike passive esp, ike esp, etc - no results. On the openbsd gateway you nee

Re: ipsec vpn?

2007-08-14 Thread Stuart Henderson
On 2007/08/13 21:00, Steve B wrote: > If I am interpreting the logs correctly then I have partial success using > > ike dynamic esp tunnel from any to 192.168.1.0/24 \ > main auth hmac-sha1 enc 3des group modp1024 \ > quick auth hmac-sha2-256 enc 3des \ > psk abc123 > > I am confident that the f

Re: ipsec vpn?

2007-08-13 Thread Steve B
If I am interpreting the logs correctly then I have partial success using ike dynamic esp tunnel from any to 192.168.1.0/24 \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha2-256 enc 3des \ psk abc123 I am confident that the first two lines are correct. The dynamic variable sho

Re: ipsec vpn with os x clients

2007-07-13 Thread eric
> # cat ipsec.conf > ike dynamic from any to any \ > main auth hmac-sha1 enc 3des group modp1024 \ > quick auth hmac-sha1 enc 3des psk TheSecret > this should be "ike passive from ..." roger that... # cat ipsec.conf ike passive from any to any \ main auth hmac-sha1 enc 3des group modp1024 \

Re: ipsec vpn with os x clients

2007-07-13 Thread Hans-Joerg Hoexer
Hi, On Thu, Jul 12, 2007 at 05:38:47PM -0800, eric wrote: > I have an OpenBSD 4.1 (OpenBSD 4.1 GENERIC#1435 i386) acting > as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS > X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior" > clients are all OS X 10.4.1

Re: ipsec vpn and intermittent session timeouts...

2007-05-25 Thread askthelist
* Add support for ESP+NULL encryption for ipsec. Useful for traversing NAT where AH can't be used. * Fixes for ipsec in IPv6. * In ipsecctl(8), allow rule if there is at least one matching address family combination. * Added better support for IPv6 hostname/numeric representation in the ipsecctl(8)

Re: ipsec vpn and intermittent session timeouts...

2007-05-24 Thread Steven Surdock
Sounds a little like: http://marc.info/?l=openbsd-misc&m=117915053113185&w=2 I was privately requested to try an upgrade to 4.1-stable. I have not had the opportunity to do so and I seem to be having a little trouble building 4.1-stable at the moment... -Steve S.

Re: ipsec vpn

2006-11-10 Thread Björn Ketelaars
Matt Bettinger wrote: On 11/8/06, Adam <[EMAIL PROTECTED]> wrote: Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote: -snip the high school creative writing assignment- Let's see, you show up to answer an ipsec question by advocating openvpn instead. Then you decide to tell openbsd developers how th

Re: ipsec vpn

2006-11-10 Thread Matt Bettinger
On 11/8/06, Adam <[EMAIL PROTECTED]> wrote: Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote: -snip the high school creative writing assignment- Let's see, you show up to answer an ipsec question by advocating openvpn instead. Then you decide to tell openbsd developers how they should be acting on

Re: ipsec vpn

2006-11-07 Thread Adam
Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote: -snip the high school creative writing assignment- Let's see, you show up to answer an ipsec question by advocating openvpn instead. Then you decide to tell openbsd developers how they should be acting on their mailing list. You even use 'M$' and dis

Re: ipsec vpn

2006-11-07 Thread Jacob Yocom-Piatt
Original message >Date: Tue, 7 Nov 2006 22:57:23 -0500 >From: Adam <[EMAIL PROTECTED]> >Subject: Re: ipsec vpn >To: [EMAIL PROTECTED] >Cc: misc@openbsd.org > >Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote: > >> > >> >> M$

Re: ipsec vpn

2006-11-07 Thread Adam
Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote: > > > >> M$ is notoriously crappy when it comes to VPN software, IMO. openvpn is > >> probably > > > >I really wish people would stop advocating this garbage on our mailing lists. > > > > i really wish people wouldn't be such pricks on misc@ ... So s

Re: ipsec vpn

2006-11-07 Thread Jacob Yocom-Piatt
Original message >Date: Wed, 8 Nov 2006 10:05:14 +0900 >From: [EMAIL PROTECTED] (Mathieu Sauve-Frankel) >Subject: Re: ipsec vpn >To: Jacob Yocom-Piatt <[EMAIL PROTECTED]> >Cc: misc@openbsd.org > >> M$ is notoriously crappy when it comes to VPN software

Re: ipsec vpn

2006-11-07 Thread Mathieu Sauve-Frankel
> M$ is notoriously crappy when it comes to VPN software, IMO. openvpn is > probably I really wish people would stop advocating this garbage on our mailing lists. -- Mathieu Sauve-Frankel

Re: ipsec vpn

2006-11-07 Thread Reyk Floeter
On Tue, Nov 07, 2006 at 07:26:19PM +, Paul Civati wrote: > Correct, I wasn't talking about plain IPSec, I was talking about > "the simple connection of Windows clients, using the built-in VPN > connector" exactly as I wrote. > > Can we drop the condescending "everyone without an openbsd.org

Re: ipsec vpn

2006-11-07 Thread Jacob Yocom-Piatt
Original message >Date: Tue, 07 Nov 2006 19:26:19 + >From: [EMAIL PROTECTED] (Paul Civati) >Subject: Re: ipsec vpn >To: misc@openbsd.org >Cc: [EMAIL PROTECTED] > >> starting with windows 2000, it is possible to use the built-in ipsec >> suppo

Re: ipsec vpn

2006-11-07 Thread Paul Civati
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Reyk Floeter) writes: >> My understanding is, if you want to support the simple connection >> of Windows clients, using the built-in VPN connector (eg. control >> panel -> network -> make new connection -> VPN -> L2TP), the >> server sid

Re: ipsec vpn

2006-11-07 Thread Paul Civati
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Reyk Floeter) writes: >> 2000 and XP will support authentication using X.509 (ie. SSL >> like) certificates, only XP will support PSK (pre-shared-key). > > i won't necessarily defeat windows, but 2000 and xp do support > kerberos 5, x.509

Re: ipsec vpn

2006-11-07 Thread Dag Richards
Reyk Floeter wrote: On Fri, Nov 03, 2006 at 12:35:55AM +, Paul Civati wrote: My understanding is, if you want to support the simple connection of Windows clients, using the built-in VPN connector (eg. control panel -> network -> make new connection -> VPN -> L2TP), the server side needs:

Re: ipsec vpn

2006-11-07 Thread Reyk Floeter
On Fri, Nov 03, 2006 at 12:35:55AM +, Paul Civati wrote: > 2000 and XP will support authentication using X.509 (ie. SSL > like) certificates, only XP will support PSK (pre-shared-key). > i won't necessarily defeat windows, but 2000 and xp do support kerberos 5, x.509 _and_ pre-shared key auth

Re: ipsec vpn

2006-11-07 Thread Reyk Floeter
On Fri, Nov 03, 2006 at 12:35:55AM +, Paul Civati wrote: > My understanding is, if you want to support the simple connection > of Windows clients, using the built-in VPN connector (eg. control > panel -> network -> make new connection -> VPN -> L2TP), the > server side needs: > > > 1. IPSec

Re: ipsec vpn

2006-11-02 Thread Joachim Schipper
On Thu, Nov 02, 2006 at 03:51:04PM -0800, Bryan Irvine wrote: > On 11/2/06, Joachim Schipper <[EMAIL PROTECTED]> wrote: > >On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote: > >> I'm going to upgrading a couple of our firewalls soon and as part of > >> the upgrade I will be implementing

Re: ipsec vpn

2006-11-02 Thread Paul Civati
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] ("Bryan Irvine") writes: > Also[1], there may be the need for an occasional connection from users > just using the windows vpn client. Anybody doing this? I rarely even > see windows so I'm not sure what to look for there. > Do I need to

Re: ipsec vpn

2006-11-02 Thread Bryan Irvine
On 11/2/06, Joachim Schipper <[EMAIL PROTECTED]> wrote: On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote: > I'm going to upgrading a couple of our firewalls soon and as part of > the upgrade I will be implementing VPN between a couple of our sites. > > Does this page still apply: http

Re: ipsec vpn

2006-11-02 Thread Joachim Schipper
On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote: > I'm going to upgrading a couple of our firewalls soon and as part of > the upgrade I will be implementing VPN between a couple of our sites. > > Does this page still apply: http://www.securityfocus.com/infocus/1859 Yes, although some

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Joe
Jason McIntyre wrote: On Wed, Oct 04, 2006 at 11:04:55PM -0700, Stephen J. Bevan wrote: Type "man vpn" on your OpenBSD box and read the section on "Configuring the Keying Daemon [automated keying]". That explains the gory details that ipsecctl and ipsec.conf deliberately hide from you. (sorr

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Martin Schröder
2006/10/5, Will Maier <[EMAIL PROTECTED]>: This issue has come up on #OpenBSD on freenode a few times recently, too. Would it be a good idea to update the FAQ to point to pkg-stable.html and [EMAIL PROTECTED] Or would it be preferable to make use of that list again (in conjunction, perhaps, with

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Will Maier
On Thu, Oct 05, 2006 at 03:47:07PM +0200, Martin Schröder wrote: > Should I take the silence of the list as evidence that all ports > are secure or is the list simply ignored by the developers? Or is > it only used in dire emergencies (like security-announce)? The list just hasn't been used in a

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Martin Schröder
2006/10/4, Martin Gignac <[EMAIL PROTECTED]>: As always, make sure to subscribe to the 'ports-security' mailing list, follow the stable ports tree, or at least visit Should I take the silence of the list as evidence that all ports are secure or is the list simply ignored by the developers? Or

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Martin Gignac
As always, make sure to subscribe to the 'ports-security' mailing list, follow the stable ports tree, or at least visit http://www.openbsd.org/pkg-stable.html once in a while to make sure you've got the latest version (i.e. version with the most security issues fixed) of the OpenVPN package insta

Re: ipsec vpn: freebsd and openbsd

2006-10-05 Thread Jason McIntyre
On Wed, Oct 04, 2006 at 11:04:55PM -0700, Stephen J. Bevan wrote: > > Type "man vpn" on your OpenBSD box and read the section on > "Configuring the Keying Daemon [automated keying]". That explains the > gory details that ipsecctl and ipsec.conf deliberately hide from you. > (sorry for taking you

Re: ipsec vpn: freebsd and openbsd

2006-10-04 Thread kintaro oe
4 PM Subject: Re: ipsec vpn: freebsd and openbsd IPsec is based on standards (RFCs) while OpenVPN is not (it is based on "standard" SSL, though). I guess the best way to make your mind up is to actually go to the OpenVPN web site (http://openvpn.net/) and read up on it. There's so

Re: ipsec vpn: freebsd and openbsd

2006-10-03 Thread Martin Gignac
IPsec is based on standards (RFCs) while OpenVPN is not (it is based on "standard" SSL, though). I guess the best way to make your mind up is to actually go to the OpenVPN web site (http://openvpn.net/) and read up on it. There's some good info there. Also, a visit on Google with keywords "openv

Re: ipsec vpn: freebsd and openbsd

2006-10-02 Thread kintaro oe
<[EMAIL PROTECTED]> To: misc@openbsd.org Sent: Tuesday, October 3, 2006 12:26:39 PM Subject: Re: ipsec vpn: freebsd and openbsd I agree with you Han. If Kintaro finds that configuring an IPsec VPN between a FreeBSD and an OpenBSD machine is too complicated, OpenVPN installed on both machin

Re: ipsec vpn: freebsd and openbsd

2006-10-02 Thread Martin Gignac
I agree with you Han. If Kintaro finds that configuring an IPsec VPN between a FreeBSD and an OpenBSD machine is too complicated, OpenVPN installed on both machines may offer an easier alternative. -Martin On 10/2/06, Han Boetes <[EMAIL PROTECTED]> wrote: kintaro oe wrote: > I'm setting up ipse

Re: ipsec vpn: freebsd and openbsd

2006-10-02 Thread Han Boetes
kintaro oe wrote: > I'm setting up ipsec/vpn on freebsd and openbsd. I try to read > this how to http://www.securityfocus.com/infocus/1859 but this > applies to 2 openbsd systems. could anyone help me on how to > setup between two systems? Perhaps OpenVPN is a good alternative? I wrote a setupscr

Re: ipsec vpn: freebsd and openbsd

2006-10-02 Thread Martin Gignac
"ipsec between freebsd and openbsd" didn't turn up anything on Google directly related to what you seem to want to do (at least for me), so I guess you'll have to look at the FreeBSD side of things: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html http://www.onlamp.com/