r "nat out on em4"? Because of the bridging?
Mar 24 01:58:34.393762 rule 1/(match) nat out on em4: 69.67.212.126 >
69.67.212.94: icmp: echo request
Mar 24 01:58:34.395040 rule 37/(match) pass in on em4: 69.67.212.126 >
69.67.212.94: icmp: echo request
--
albert chin (ch...@thewrittenword.com)
set skip on lo0
Is the standard solution to configure mail on hammer so delivery is
through 192.168.13.82, not 67.95.107.111?
--
albert chin ([EMAIL PROTECTED])
On Wed, Feb 20, 2008 at 08:55:44AM +0100, Stefan Kell wrote:
> Original message
> > Date: Tue, 19 Feb 2008 22:36:20 -0600
> > From: Albert Chin <[EMAIL PROTECTED]>
> > To: misc@openbsd.org
> > Subject: Sending mail from external firewall to
sing ftp and www from 'WWW/FTP SERVER' server. Curl reports that
downloading via ftp shows no bandwidth limiting. As for www, the
bandwidth seems limited to ~30Kb/s. Why isn't my 10Kb bandwidth being
honoured?
--
albert chin ([EMAIL PROTECTED])
On Tue, Feb 27, 2007 at 12:40:41PM -0700, Tim Kuhlman wrote:
> On Tuesday 27 February 2007 11:31 am, Albert Chin wrote:
> > [ snip snip ]
>
> You are queueing on fxp1 on the external firewall. This should
> affect traffic going from the external firewall to the www/ftp
> serv
On Tue, Feb 27, 2007 at 07:57:58PM +, Stuart Henderson wrote:
> On 2007/02/27 12:31, Albert Chin wrote:
> > I created a queue to limit traffic on the internal interface
> > connecting 'EXTERNAL FIREWALL' to 'WWW/FTP SERVER':
> > altq on fxp1 cbq ba
d above to get pf working with the vlan tagged
interface? Bug in pf?
--
albert chin ([EMAIL PROTECTED])
ace-name ")" | hostname |
ipv4-dotted-quad | ipv6-coloned-hex )
So, "-> $nat_if" and "-> ($nat_if)" seem equally valid.
> Perhaps the parse code is trying too hard to resolve $nat_if in the
> former, and thus finding the underlying inte
0/(match) block in on fxp0: 10.20.30.13.80 >
192.168.10.100.54486: [|tcp]
Thinking about this some more, the rdr on enc0 doesn't make much
sense. I'm thinking we need some kind of binat rule but I'm unable to
come up with one that works. Any ideas?
--
albert chin ([EMAIL PROTECTED])
y ->
fe80::20e:cff:feb2:e3e3
when #2 looks like:
nat pass log on $nat_if from to any -> $nat_if
And, #3 shows the following:
nat pass log on vlan109 from to any -> (vlan109) round-robin
when #2 looks like:
nat pass log on $nat_if from to any -> ($nat_if)
I guess pf picks the first address for the interface.
--
albert chin ([EMAIL PROTECTED])
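The post above shows the difference between `-> $nat_if` (pfctl resolves the macro to a fixed address when the ruleset is loaded, here the interface's link-local IPv6 address) and `-> ($nat_if)` (a dynamic interface address, printed back in parentheses with round-robin). The following is an added example, not code from the thread or from pf itself: a small check that reads `pfctl -sn` style rule lines and flags translation targets that resolved to an address no peer can reach, such as a link-local or loopback address. The sample rules are constructed to mirror the two expansions quoted above; the interface, table and address values are illustrative.

```python
"""Sanity check for loaded pf translation rules: flag NAT targets that
resolved to an address no remote peer could ever reach.

Added example, not code from the original thread or from pf. The rule
lines are constructed to mirror what pfctl prints after loading
`-> $nat_if` (a fixed address, here link-local) versus `-> ($nat_if)`
(a dynamic interface address, kept in parentheses).
"""
import ipaddress
import re

# Constructed sample modelled on the pfctl -sn output quoted in the thread.
SAMPLE_RULES = """\
nat pass log on vlan109 from <clients> to any -> fe80::20e:cff:feb2:e3e3
nat pass log on vlan109 from <clients> to any -> (vlan109) round-robin
nat pass on em0 from 192.168.13.0/24 to any -> 69.67.212.94
nat pass on em1 from 10.0.0.0/8 to any -> 127.0.0.1
"""

# Translation rule followed by its target: the token after '->'.
TARGET_RE = re.compile(r"^(nat|binat|rdr)\b.*?->\s*(\S+)")


def classify_target(target):
    """Return 'dynamic' for (if) targets, 'bad:<reason>' for literal
    addresses that cannot work as a NAT source, 'static' for a plain
    routable address, and 'unknown' for anything we cannot judge."""
    if target.startswith("(") and target.endswith(")"):
        return "dynamic"        # resolved from the interface at run time
    try:
        addr = ipaddress.ip_address(target.split("/")[0])
    except ValueError:
        return "unknown"        # hostname, unexpanded macro, table name
    if addr.is_link_local:
        return "bad:link-local"  # fe80::/10 or 169.254/16, never valid past a router
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return "bad:unroutable"
    return "static"


def check_rules(text):
    """Parse pfctl -sn style lines and return (line, verdict) for every
    translation rule whose target is unusable."""
    findings = []
    for line in text.splitlines():
        m = TARGET_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_target(m.group(2))
        if verdict.startswith("bad:"):
            findings.append((line.strip(), verdict))
    return findings


if __name__ == "__main__":
    for rule, verdict in check_rules(SAMPLE_RULES):
        print(f"{verdict:16} {rule}")
```

Run it against real output with `pfctl -sn | python3 check_nat.py` style plumbing once `SAMPLE_RULES` is replaced by `sys.stdin.read()`; the first constructed rule is the footgun from the post, and the dynamic `(vlan109)` form passes because pf picks the address when the packet is translated, not when the ruleset is parsed.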
On Wed, Jun 20, 2007 at 11:40:36AM +0200, Henning Brauer wrote:
> * Albert Chin <[EMAIL PROTECTED]> [2007-06-20 11:24]:
> > On Wed, Jun 20, 2007 at 10:47:43AM +0200, Henning Brauer wrote:
> > > * Brian A. Seklecki <[EMAIL PROTECTED]> [2007-06-20 07:39]:
> > >
ompt appears on the ILOM console.
--
albert chin ([EMAIL PROTECTED])
ERVER FQDN] dstid [CLIENT FQDN]
ike passive from [VPN SERVER IP] to [CLIENT IP] \
srcid [VPN SERVER FQDN] dstid [CLIENT FQDN]
Considering the lack of "psk ", I'd expect authentication to
happen with public key authentication, not keynote credentials.
Any ideas?
--
albert chin ([EMAIL PROTECTED])
[ASCII network diagram, truncated: FIREWALL 2 | (internal network)]
--
albert chin ([EMAIL PROTECTED])
On Fri, Nov 10, 2006 at 07:11:41PM +0100, Joachim Schipper wrote:
> On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> > With the following firewall configuration, what recommendations does
> > anyone have for how we should handle VPN? I see two solutions:
> >
On Fri, Nov 10, 2006 at 02:06:42PM -0600, Albert Chin wrote:
>
> Expanding on the config some more:
> [ASCII network diagram, truncated: (fxp0) | (internal network - 192.168.0.0/24); VPN CLIENT]
from your customer gets nated on em1 of vpn
How do you NAT the traffic from the VPN? We're trying to do this with
the following but it's not working:
nat on enc0 proto tcp from any to any -> em1
--
albert chin ([EMAIL PROTECTED])
On Sat, Nov 11, 2006 at 11:58:14AM +0100, Joachim Schipper wrote:
> On Fri, Nov 10, 2006 at 02:06:42PM -0600, Albert Chin wrote:
> > Then, from the VPN CLIENT, how would an ssh connection to 192.168.1.1,
> > server A on the internal network behind FW2, work? IPsec would encrypt
l use the default values hmac-sha2-256
and aes; PFS will only be used if the remote side requests it.
However, Openswan doesn't support sha2 so I added the following to
/etc/ipsec.d/work.conf:
esp=aes-sha1
and then /etc/ipsec.conf becomes:
ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
quick auth hmac-sha1 enc aes \
srcid vpn.thewrittenword.com dstid home.thewrittenword.com
But, the above doesn't get me any further.
Any ideas?
--
albert chin ([EMAIL PROTECTED])
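The failure mode in the post above is a phase 2 (quick mode) proposal mismatch: isakmpd's ipsec.conf defaults to `hmac-sha2-256` with `aes`, while the Openswan side only offers what its `esp=` line lists. As an added example, not the thread's own code nor a tool from either project, the block below parses both spellings and reports whether any Openswan ESP proposal matches the isakmpd quick-mode pair, applying the defaults when the `quick` phrase is absent. The algorithm-name mapping is an assumption covering only the names used on the page plus the obvious key-length variants, and the sample ike lines are constructed from the two variants quoted above. It checks algorithm agreement only; the post reports that aligning the algorithms did not resolve its problem, and this code says nothing about other causes.

```python
"""Compare the ESP proposals of an Openswan `esp=` line with the
quick-mode `auth`/`enc` parameters of an OpenBSD ipsec.conf(5) ike line.

Added example, not code from the original thread, Openswan or isakmpd.
OPENSWAN_TO_ISAKMPD is an assumed, partial name mapping; extend it for
algorithms not shown on the page.
"""
import re

# Openswan spelling -> isakmpd spelling (assumed mapping, see docstring).
OPENSWAN_TO_ISAKMPD = {
    "aes": "aes", "aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256",
    "3des": "3des", "blowfish": "blowfish",
    "md5": "hmac-md5", "sha1": "hmac-sha1", "sha2_256": "hmac-sha2-256",
}

# ipsec.conf(5) quick-mode defaults, as stated in the post.
ISAKMPD_DEFAULT_AUTH = "hmac-sha2-256"
ISAKMPD_DEFAULT_ENC = "aes"

# Constructed ike lines modelled on the two variants in the post.
IKE_DEFAULTS = ("ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 "
                "srcid vpn.thewrittenword.com dstid home.thewrittenword.com")
IKE_SHA1 = ("ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 "
            "quick auth hmac-sha1 enc aes "
            "srcid vpn.thewrittenword.com dstid home.thewrittenword.com")


def parse_openswan_esp(esp):
    """'esp=aes-sha1,3des-md5' -> [('aes', 'hmac-sha1'), ('3des', 'hmac-md5')].
    An optional ';modpNNNN' PFS group is dropped; unknown names are kept
    verbatim so they simply fail to match."""
    value = esp.split("=", 1)[1] if esp.startswith("esp=") else esp
    proposals = []
    for item in value.split(","):
        item = item.split(";", 1)[0].strip()
        enc, auth = item.split("-", 1)
        proposals.append((OPENSWAN_TO_ISAKMPD.get(enc, enc),
                          OPENSWAN_TO_ISAKMPD.get(auth, auth)))
    return proposals


def parse_isakmpd_quick(ike_line):
    """Return the quick-mode (enc, auth) pair of an ipsec.conf ike line.
    The 'main ...' phrase is ignored on purpose: it configures phase 1."""
    flat = ike_line.replace("\\\n", " ")
    m = re.search(r"\bquick\b(.*?)(?=\bsrcid\b|\bdstid\b|\bpsk\b|$)", flat, re.S)
    enc, auth = ISAKMPD_DEFAULT_ENC, ISAKMPD_DEFAULT_AUTH
    if m:
        a = re.search(r"\bauth\s+(\S+)", m.group(1))
        e = re.search(r"\benc\s+(\S+)", m.group(1))
        if a:
            auth = a.group(1)
        if e:
            enc = e.group(1)
    return (enc, auth)


def phase2_agrees(openswan_esp, isakmpd_ike_line):
    """True when at least one Openswan ESP proposal equals isakmpd's pair."""
    return parse_isakmpd_quick(isakmpd_ike_line) in parse_openswan_esp(openswan_esp)


if __name__ == "__main__":
    for label, line in (("defaults", IKE_DEFAULTS), ("quick sha1", IKE_SHA1)):
        print(f"{label:11} isakmpd={parse_isakmpd_quick(line)} "
              f"agrees with esp=aes-sha1: {phase2_agrees('esp=aes-sha1', line)}")
```

With the default ike line the pair is `('aes', 'hmac-sha2-256')` and `esp=aes-sha1` cannot match, which is exactly the situation the post describes before adding the `quick` phrase; after it the pair is `('aes', 'hmac-sha1')` and the proposals agree.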
On Wed, Nov 22, 2006 at 12:49:50PM -0600, Albert Chin wrote:
> I'm trying to get an FC5 laptop behind a firewall connected to an
> OpenBSD 4.0 server running isakmpd (controlled by ipsecctl) with IPsec
> using CA authentication. The CA authentication seems to be working and
> I se
1 exchange goes ok but phase 2 does not:
...
2006-11-22 23:24:02: INFO: ISAKMP-SA established 192.168.6.244[4500]-[4500] spi:daec8263785958bf:95fea98fde24c61b
Am I getting the sainfo section wrong in racoon.conf? With the sainfo
section, do I still need setkey?
--
albert chin ([EMAIL PROTECTED])
nnecting to the same OpenBSD 4.0 VPN server and I don't have any
problems.
Anyone with ideas on why this is happening? The client is behind a
Panasonic DN-C200NC firewall (VOIP/NAT/...).
--
albert chin ([EMAIL PROTECTED])
On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
> I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
> 4.0 VPN server running isakmpd. I already have things working with
> Openswan but would like to get it working with racoon for our Mac OS
> clients.
On Fri, Nov 24, 2006 at 12:04:57PM +0500, Igor Goldenberg wrote:
> 2006/11/24, Albert Chin <[EMAIL PROTECTED]>:
>
> >> quick auth hmac-sha1 enc aes \
>
> > sainfo anonymous {
> >pfs_group 2;
> >encryption_algorithm aes, 3des, blowfish;
On Fri, Nov 24, 2006 at 12:38:46AM -0600, Albert Chin wrote:
> On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
> > I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
> > 4.0 VPN server running isakmpd. I already have things working with
> >
ny to any srcid [EMAIL PROTECTED] dstid
> [EMAIL PROTECTED]
>
> And VPN-B's ipsec.conf:
> ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid
> [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
So every roadwarrior has one key, [EMAIL PROTECTED]
--
albert chin ([EMAIL PROTECTED])
e authentication occur
with the client IP, for which I certainly won't have a CERTIP
certificate because the IP is undetermined?
--
albert chin ([EMAIL PROTECTED])
On Fri, Nov 24, 2006 at 07:54:49AM -0600, Albert Chin wrote:
> On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote:
> > > > Now VPN-A has this in ipsec.conf:
> > > > ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
> > > > [E
On Thu, Nov 23, 2006 at 09:22:32PM -0600, Albert Chin wrote:
> We have someone connecting from an FC4 host running Openswan 2.4.4
> behind a firewall to our VPN server running OpenBSD 4.0. They are able
> to establish a connection ok but tcpdump shows a bad cksum value for
> pings fro
nf:
ike passive esp from 192.168.1.0/24 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
srcid vpn.fqdn.com
With this, I can have multiple users behind a single NAT firewall
connect without anyone being dropped. This is with isakmpd on OpenBSD
4.0. We're using X.509 certificates as well.
--
albert chin ([EMAIL PROTECTED])