Re: Cisco IPSec Security Association Idle Timers and isakmpd

2009-01-19 Thread Hans-Joerg Hoexer
Hi, On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote: > > I noticed that the cisco end of a VPN I configured on my OpenBSD sends a > DELETE message after a certain amount of idle time. Which SAs get deleted? isakmp, ipsec or both? HJ.

Re: Cisco IPSEC proposals

2009-03-05 Thread Hans-Joerg Hoexer
On Thu, Mar 05, 2009 at 02:32:36PM -0700, Cameron Schaus wrote: > I recently configured an IPSEC tunnel between OpenBSD 4.4 machine and a Cisco > gateway. I had trouble during the key exchange because I had configured DH > group 2. The Cisco sent a proposal for DH group 5 with a lifetime of 780

Re: ipsec.conf and AES 256

2007-11-19 Thread Hans-Joerg Hoexer
On Mon, Nov 19, 2007 at 12:26:16PM +0100, Mitja Muženič wrote: > As far as I can tell, currently in ipsec.conf there is no way to use AES > with KEY_LENGHT=256. Is anybody working on adding this? Otherwise I might > try it when the time permits. > > I'm thinking that isakmpd should first learn ab

Re: IPSec help..

2007-04-11 Thread Hans-Joerg Hoexer
On Wed, Apr 11, 2007 at 01:28:28PM -0600, Roy Kim wrote: > I'm trying to setup an ipsec tunnel between an openbsd and a windows > box using X.509 certificates. Phase 1 gets successfully negotiated but > then things crap out at step 1 of phase 2 and I don't have a clue > what's wrong. Any thoughts?

Re: isakmpd multiple tunnels

2007-04-12 Thread Hans-Joerg Hoexer
On Thu, Apr 12, 2007 at 11:25:49AM -0600, Tim Pushor wrote: > Hi friends, > > I'm looking to add another IPSEC connection to my openbsd 3.9 firewall. > All examples I've seen are a single connection (phase 1). To support > multiple vpn's tunnels, is it as simple as adding additional lines under

Re: host to host ipsec link

2007-04-15 Thread Hans-Joerg Hoexer
On Sun, Apr 15, 2007 at 05:26:11PM +0200, Markus Wernig wrote: > > /etc/rc.conf.local > ipsec=YES > isakmpd_flags="-K -f /var/run/isakmpd.fifo" why the -f ...? isakmpd takes care of the fifo itself. You only need "-K", nothing else.

Re: isakmpd multiple tunnels

2007-04-16 Thread Hans-Joerg Hoexer
nother relevant ISPEC > configuration? yes. > > Anyone? > > Thanks, > Tim > > Hans-Joerg Hoexer wrote: > >On Thu, Apr 12, 2007 at 11:25:49AM -0600, Tim Pushor wrote: > > > >>Hi friends, > >> > >>I'm looking to add another IP

Re: Specifying > 1 encryption algorithm in ipsec.conf(5) versus isakmpd.conf(5)

2007-05-29 Thread Hans-Joerg Hoexer
On Mon, May 28, 2007 at 07:02:39PM +0930, Damon McMahon wrote: > Greetings, > > How would I specify that blowfish, AES and 3DES should be accepted - > in that order - in ipsec.conf(5) to configure isakmpd(8)? this is not supported by ipsec.conf(5). > > In the deprecated isakmpd.conf(5) for Ma

Re: isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-26 Thread Hans-Joerg Hoexer
Hi, please check the errata page for 3.7 [1], patch 6 solves this issue [2]. [1] http://www.openbsd.org/errata37.html. [2] ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/006_nat-t.patch HJ. On Mon, Jun 25, 2007 at 11:35:19AM -0400, catalin visinescu wrote: > Hello, > > I see that Op

Re: ipsec vpn with os x clients

2007-07-13 Thread Hans-Joerg Hoexer
Hi, On Thu, Jul 12, 2007 at 05:38:47PM -0800, eric wrote: > I have an OpenBSD 4.1 (OpenBSD 4.1 GENERIC#1435 i386) acting > as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS > X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior" > clients are all OS X 10.4.1

Re: Use certificate subjec/ASN1 t in ipsec.conf ?

2007-07-20 Thread Hans-Joerg Hoexer
Hi, the Subject Alternative Name of your certificate will be used as phase 2 IDs, i.e. that's what is sent. If you want to use the Subject Canonical Name, you have to additionally provide an isakmpd.policy file and you have to run isakmpd without the "-K" option. See isakmpd.policy(5). On Fri, Ju

Re: IPSec Keylifetime using ipsecctl and ipsec.conf?

2007-07-26 Thread Hans-Joerg Hoexer
Hi, On Thu, Jul 26, 2007 at 10:04:31AM +0200, [EMAIL PROTECTED] wrote: > Hi, > > I am using ipsecctl and /etc/ipsec.conf to create an IPSec tunnel to a > WatchGuard Firebox X700 in my company. It works fine, but the > re-keying always makes some trouble, it does not always work. My > questi

Re: isakmpd active mode and phase 1 build-up

2007-08-02 Thread Hans-Joerg Hoexer
Hi, On Thu, Aug 02, 2007 at 09:23:59PM +0200, Sven Ulland wrote: > I am running OpenBSD 4.0 on amd64, and I'm seeing that isakmpd builds > up a large amount of redundant phase 1 tunnels for one of our peers. > It will only report these when prompted with 'echo r > \ > isakmpd.fifo', it's not shown

Re: isakmpd active mode and phase 1 build-up

2007-08-02 Thread Hans-Joerg Hoexer
On Thu, Aug 02, 2007 at 10:23:59PM +0200, Sven Ulland wrote: > > I'm very (that's putting it mildly) interested in the issues with 4.0 > that you mention. Would you be able to shed some more light on which > issues they were, or point me to references? It would be most > interesting. I'm not sure,

Re: VPN Connection from 4.1 to WatchGuard

2007-08-15 Thread Hans-Joerg Hoexer
On Thu, Aug 09, 2007 at 02:22:31AM +0200, James Lepthien wrote: > Hi, > > I have set up a vpn from my OpenBSD Box (4.1-current) to our company > WatchGuard X700. My problem is that the re-keying > isn't always working and my tunnel does not come up if I send traffic to > the destination network.

Re: ipsec vpn?

2007-08-15 Thread Hans-Joerg Hoexer
On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > ike dynamic from any to any \ > main auth hmac-sha1 enc aes group modp1024 \ > quick auth hmac-sha1 enc aes psk secret > > ; ike passive, ike passive esp, ike esp, etc - no results. On the openbsd gateway you nee

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote: > > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > > > ike dynamic from any to any \ > > > main auth hmac-sha1 enc aes group modp1024 \ > > > quick auth hmac-sha1 enc ae

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote: > I made a few changes and did some more testing this evening. > > 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow > default transforms that Hans-Joerg recommened. > > # cat /etc/ipsec.conf > ike dynamic esp tunnel fr

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, On Mon, Sep 03, 2007 at 12:59:48PM +0100, Josi Costa wrote: > > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 > port 500 due to notification type NO_PROPOSAL_CHOSEN > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: > KEY_EXCH payload without a group

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, which transforms are configured on the ISA server for phase 2? On Mon, Sep 03, 2007 at 02:21:24PM +0100, Josi Costa wrote: > How can I solve this? Any docs about it? Debugging? > > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote: > > Hi, > > > > O

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
On Mon, Sep 03, 2007 at 02:45:46PM +0100, Josi Costa wrote: > 3des, sha1, PFS disabled. ok, then enable pfs, use modp1024

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, On Mon, Sep 03, 2007 at 03:11:35PM +0100, Josi Costa wrote: > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: > KEY_EXCH payload without a group

Re: IPSEC.CONF with Dynamic IP address (parse HOST name) doesnt seem to work

2007-09-04 Thread Hans-Joerg Hoexer
Just use a recent snapshot. Support for names instead of ip addresses has been added, mh, at least a year ago. HJ. On Tue, Sep 04, 2007 at 12:32:55PM +0200, * VLGroup Forums wrote: > Hello everyone, > > I have several VPN tunnels between OBSD 3.8 systems (LAN to LAN via > VPN). These all have f

Re: IPSec

2007-09-04 Thread Hans-Joerg Hoexer
Hi, could you try the attached diff, please? Index: message.c === RCS file: /cvs/src/sbin/isakmpd/message.c,v retrieving revision 1.126 diff -u -p -r1.126 message.c --- message.c 2 Jun 2007 01:29:11 - 1.126 +++ message.c

Re: Help in Setting up "Open-ended" VPN connections

2006-06-14 Thread Hans-Joerg Hoexer
Hi, On Tue, Jun 13, 2006 at 04:10:08PM -0700, Spruell, Darren-Perot wrote: > > To follow that further, is it currently possible to do this kind of > road-warrior setup using ipsecctl/ipsec.conf? Doesn't it require aggressive > mode due to the unknown nature of the peer IP? since c2k6 it almost is

Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-22 Thread Hans-Joerg Hoexer
On Thu, Jun 22, 2006 at 10:22:08AM -0700, Joe wrote: > Dries Schellekens wrote: > >Bihlmaier Andreas wrote: > > > >>>As I say earlier, the hardware is working, but the performance > >>>bottleneck is elsewhere (presumably kernel crypto framework). > > I'm interested in purchasing one of these boar

Re: Throughput Problem OpenBSD3.9 soekris 4801 isakmpd

2006-06-28 Thread Hans-Joerg Hoexer
On Wed, Jun 28, 2006 at 06:38:42PM +0200, Thomas Bvrnert wrote: > with the vpn1411 crypto card i get only > > 700 - 720 KB/s > CPU 30% > > by the way the driver of the crypto card is buggy. i have > a lot of cards here removed in the last year. i got several > hangs. hans-joerg has no time to fix

Re: isakmpd is not writing to a specified capture file

2006-06-29 Thread Hans-Joerg Hoexer
isakmpd is only allowed to write to files in the /var/run directory. I've updated the manpage accordingly. On Wed, Jun 28, 2006 at 04:37:16PM -0600, Stephen Bosch wrote: > Hi: > > Running OpenBSD 3.8, I cannot get isakmpd to write to a capture file. > > Here is my mount output: > > /dev/wd0a on

Re: tcpdump on enc0

2006-07-05 Thread Hans-Joerg Hoexer
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: > Does tcpdump work on enc0? > > -Stephen- > yes: <[EMAIL PROTECTED]:1>$ sudo tcpdump -n -i enc0 Password: tcpdump: WARNING: enc0: no IPv4 address assigned tcpdump: listening on enc0, link-type ENC 19:32:49.036465 (authentic,confiden

Re: VPN help needed: OpenBSD in the corporate environment instead of Linux

2006-07-28 Thread Hans-Joerg Hoexer
On Fri, Jul 28, 2006 at 03:57:02PM -0400, Steven Surdock wrote: > Stuart Henderson wrote: > > On 2006/07/28 06:30, jeraklo wrote: > >> sorry. got to go with the stable branch (3.9). > > > > disadvantages:- > > > > openvpn is more complicated to install on OpenBSD than ipsec > > lots of security f

Re: IKE DoS - factual?

2006-07-28 Thread Hans-Joerg Hoexer
On Fri, Jul 28, 2006 at 09:32:09AM -0700, Spruell, Darren-Perot wrote: > Word is, there is a flaw in IKEv1 that allows for an attacker to create IKE > sessions faster than previous attempts expire. The security research firm > who found the flaw only lists Cisco VPN devices as being vulnerable whil

Re: OPENBSD isakmpd VPN Problems

2006-08-10 Thread Hans-Joerg Hoexer
Hi, On Thu, Aug 10, 2006 at 12:04:08AM -0400, Steve Glaus wrote: > ... > One glaring difference that I can see is that when I connect to the > DLINK I use a passive connection and isakmpd sits and listens for > incoming connections. Could this be a lifetime issue? Tech support at > the other en

Re: ipsec.conf syntax error

2006-08-16 Thread Hans-Joerg Hoexer
this is on -current? On Tue, Aug 15, 2006 at 10:46:37PM -0400, Stefan wrote: > Can someone explain why this is giving a syntax error? > > > ike esp from 10.0.0.0/24 to 10.1.0.0/24 peer (remote IP CIDR) \ > main auth hmac-md5 enc 3des group modp1024 \

Re: ipsec.conf syntax error

2006-08-16 Thread Hans-Joerg Hoexer
Hi, On Wed, Aug 16, 2006 at 09:46:18AM -0400, Stefan wrote: > Hans-Joerg Hoexer wrote: > > this is on -current? > > Sorry, I should have mentioned it. It's 3.9 release. setting the group was added post 3.9.

Re: sasyncd and ISAKMP SA

2006-08-30 Thread Hans-Joerg Hoexer
On Tue, Aug 08, 2006 at 08:23:39PM +0200, Floroiu, John Williams wrote: > > does sasyncd enable the IPsec failover gateways to also share the ISAKMP SA > (so that DPD exchanges can proceed despite failures)? the ISAKMP SA is not > explicitly mentioned in the help page (and is actually distinct fro

Re: IPsec Configuration Questions

2006-09-03 Thread Hans-Joerg Hoexer
what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like? On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote: > Hoping someone can point me in the right direction to get isakmpd working. > > The scenario: > - the router drops all traffic directe

Re: IKE Phase-II fails -> GETSPI: Operation not supported

2006-09-06 Thread Hans-Joerg Hoexer
please provide all information. On Tue, Sep 05, 2006 at 02:50:12PM -0400, John Ruff wrote: > I'm trying implement a IPSec/VPN tunnel and phase-II of the IKE > negotiation is failing with the following errors seen from 'isakmpd - > dKL -D A=90': > > 110340.763012 Default pf_key_v2_get_spi: GETS

Re: IPSec to Checkpoint

2008-11-12 Thread Hans-Joerg Hoexer
Support for specifying aes key sizes was added February 2008, thus 4.2 does not provide this. On Wed, Nov 12, 2008 at 03:17:17PM +, Joe Warren-Meeks wrote: > On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: > > Hey there, > > OK, so I've switched to ipsec.conf and it is a lot easier! >

Re: IPSec roadwarrior configuration?

2006-10-12 Thread Hans-Joerg Hoexer
On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote: >... > Now, there are two caveats to this I didn't yet figure out how to solve. > 1) VPN-B must be able to resolve vpn-b.my.domain to the address of > it's egress interface, otherwise the traffic won't get encapsulated. > Right now I was doing th

Re: ipsecctl parser behavior on OpenBSD 4.0 running generic kernel#1137

2006-10-12 Thread Hans-Joerg Hoexer
Hi, On Wed, Oct 11, 2006 at 02:17:42PM -0700, Prabhu Gurumurthy wrote: > > pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] > 10.200.0.46: [579]$ cat ipsec.conf > remote_gw = "192.168.0.1" > remote_net = "{ 10.0.100.0/22, 10.0.2/24 }" > local_net = "{ 172.16.18.0/26 } > > ike esp from

Re: VPN interoperability problem with Symantec Enterprise Firewall

2006-10-18 Thread Hans-Joerg Hoexer
Hi, could you please provide a pcap of such an exchange? Thanks, HJ. On Wed, Oct 18, 2006 at 11:57:53AM +0200, Mitja Muženič wrote: > > Just a quick question if anybody has had the same problem, or contrary, if > anybody has a success story with SEF. I'm trying to establish an IPsec > tunnel bet

Re: Can't build VPN with ipsecctl

2006-11-23 Thread Hans-Joerg Hoexer
your tunnel is between 193.189.180.192/28 and 193.189.180.208/28 On Thu, Nov 23, 2006 at 01:10:13PM +0100, Mitja wrote: > ... > OpenBSD1 > # ipsecctl -s all > FLOWS: > flow esp in from 193.189.180.208/28 to 193.189.180.192/28 peer > 172.16.16.6 type require > flow esp out from 193.189.180.192/28 t

Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
Hi, On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote: > I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box > and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP > over IPSEC tunnels]. > > Each SA is between the same two IP endpoints bu

Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
more correct diff: Index: ike.c === RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.54 diff -u -p -r1.54 ike.c --- ike.c 24 Nov 2006 08:07:18 - 1.54 +++ ike.c 24 Nov 2006 10:46:19 - @@ -38,17 +3

Re: VPN client connectivity issues with OBSD firewall

2005-05-30 Thread Hans-Joerg Hoexer
from any to any > pass out on $ExtIF inet proto udp all keep state > pass out on $ExtIF inet proto icmp all keep state > > Am I missing something? I am new to OpenBSD. I was very hopeful of > building a firewall that I could use with my small office setup that > co

Re: ipsecadm problem in 3.7?

2005-06-13 Thread Hans-Joerg Hoexer
Hi, tried to reproduce this with /usr/share/ipsec/rc.vpn between 3.6-stable and 3.7-current, but could not. The static vpn is working as expected. HJ. On Sun, Jun 12, 2005 at 11:30:11AM -0700, Jeff Simmons wrote: > I have a large VPN network using several OpenBSD 3.5 and 3.6 boxes, I'm > using

Re: Upgrade to 3.7 and VPN no longer works

2005-06-19 Thread Hans-Joerg Hoexer
apply all patches listed on the errata pages for your 3.4 and 3.6 machines. There are patches for this issue. On Sun, Jun 19, 2005 at 01:34:06PM +1000, Dave Harrison wrote: > I just upgraded my firewall to 3.7, but I've found my VPN is now not > working. I keep seeing "NAT detected" messages, bu

Re: route flush -encap // Flushing all ipsec flows

2005-06-30 Thread Hans-Joerg Hoexer
: > > > What is the equivalent for route flush -encap under openbsd 3.7 ? > > > > Manon > --

Re: Phase 2 problem between isakmpd and Netscreen

2005-07-27 Thread Hans-Joerg Hoexer
sent by the netscreen. As shown in the > packet capture the netscreen continues to send quick mode packets but > isakmpd never responds. I've logs at http://obstacle9.com/isakmpd/ . > I've tried different transforms and proposal settings but the result is > the same. This happens on a snapshot from a few days ago. > > > thanks, > sk > -- pub 1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer <[EMAIL PROTECTED]> Key fingerprint = 83D2 436A 0D3C 34A9 E0FF 4C33 35F6 617C 513A EFD9

Re: IPSEC between OpenBSD (isakmpd) and Linux (FreeS/Wan)

2005-08-04 Thread Hans-Joerg Hoexer
Tschakert wrote: ... > I found the following page but the configfile for isakmpd is full of > bugs (looks like a lot of copy and paste without re-editing :-) ) > http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html ... --

Re: ipsec.conf manpage

2006-03-21 Thread Hans-Joerg Hoexer
Hi, On Tue, Mar 21, 2006 at 07:27:45PM +1100, Rod Whitworth wrote: > > Total mention in the manpage: > srcid >This optional parameter defines a FQDN that will be used by >isakmpd(8) as the identity of the local peer. > > dstid >Similar to srcid, th

Re: certpatch on obsd 3.8

2006-03-23 Thread Hans-Joerg Hoexer
On Wed, Mar 22, 2006 at 11:30:40PM +0100, Lukas Drbohlav wrote: > > with this in x509v3.cnf > # default settings > CERTUFQDN = "what i have to give there ??!!" the UFQDN, eg. "[EMAIL PROTECTED]". Please take a look at isakmpd(8), where this is explained using FQDN. UFQDN is simila

Re: CRK_MOD_EXP on /dev/crypto

2006-03-27 Thread Hans-Joerg Hoexer
On Mon, Mar 27, 2006 at 03:37:42AM -0500, Christopher Thorpe wrote: > dmesg says: > hifn0 at pci0 dev 14 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 > MD5 SHA1 RNG AES PK, 32KB dram, irq 11 > > The drivers support modular exponentiation, but I'm having trouble > finding documentation o

Re: I need some help on frequently failing ipsec tunnel.

2006-03-31 Thread Hans-Joerg Hoexer
Hi, On Fri, Mar 31, 2006 at 11:01:03AM +0200, Stefan Sczekalla-Waldschmidt wrote: > > Some days ago one certain vpn-tunnel started failing for an > unpredictable time of some minutes up to an hour. > ( mostly just less than 5 minutes). All other site-link-tunnels stay up > and running. > > a lon

Re: IPSEC via isakmpd with identical source networks

2006-04-05 Thread Hans-Joerg Hoexer
On Wed, Apr 05, 2006 at 11:27:03AM +0200, Ingbert Zan wrote: > > Does anybody know how to distinguish between the two flows? you can't. > Of course it would be possible to NAT the two 10/8 networks > on Box 1 and 2. do that.

Re: OpenBSD to Cisco VPN - help needed

2006-04-05 Thread Hans-Joerg Hoexer
On Wed, Apr 05, 2006 at 05:13:36PM +1000, Karl Kopp wrote: > > Firstly, I thought I could just use /etc/ipsec.conf (right?) and a > line like this: > > ike esp from 10.1.1.0/24 to 202.1.1.0/24 peer 202.1.1.30 main auth > hmac-md5 enc 3des psk shhhSecret this looks correct. Additionally to the d

Re: Mounting remote filesystems from OpenBSD to OS X

2006-04-20 Thread Hans-Joerg Hoexer
On Thu, Apr 20, 2006 at 02:11:36PM +0100, Constantine A. Murenin wrote: > Hi, > > I have an OpenBSD (file-)server at a remote location on the internet > that is around 137ms away from an OS X 10.4 laptop. > > Is there a way to securely mount OpenBSD's filesystems from OS X in > such a setting? c

Re: IPsec / vpn configuration issues

2006-05-04 Thread Hans-Joerg Hoexer
On Thu, May 04, 2006 at 12:31:28PM -0500, Nathan Johnson wrote: ... > The problem is when I try to ping any machine from network A to > 192.168.51.0/24 (gateway B's internal network) besides the gateway > itself (192.168.51.1), ping doesn't work. what does "doesn't" work mean? Do you see the icm

Re: isakmpd can't tear down phase 1 SA (3.8-beta/i386)

2005-09-01 Thread Hans-Joerg Hoexer
> # Client ID sections > > > [SonicWall-Phase1-ID] > ID-type= USER_FQDN > Name= GroupVPN > > [Default-Phase2-Local-ID] > ID-type= IPV4_ADDR > Address= default > > [Site1-Phase2-Remote-ID] &

Re: Jose Nazario's dmesg explained for OpenBSD

2005-09-06 Thread Hans-Joerg Hoexer
On Tue, Sep 06, 2005 at 12:25:23AM -0500, Andrew Daugherity wrote: > === > a) biomask e74d netmask ff4d ttymask ffef ... these are the interrupt masks (on i386) for the levels IPL_BIO, IPL_NET and IPL_TTY after autoconfiguration has finished. They will be modified again when clock and rtc are init

Re: 3.7: "INVALID PAYLOAD TYPE"

2005-09-22 Thread Hans-Joerg Hoexer
6.7.8.500 > > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO > cookie: d7059971fb358e93-> msgid: len: 40 > payload: NOTIFICATION len: 12 > notification: INVALID PAYLOAD TYPE (ttl 64, id 15834, len 68) > > >

Re: OpenBSD VPN SonicWall Problems

2005-10-03 Thread Hans-Joerg Hoexer
Hi, On Fri, Sep 30, 2005 at 05:57:14PM -0700, Trepliev wrote: > [Net-SonicWall] > ID-type= IPV4_ADDR_SUBNET > Network= 172.16.0.0 > Netmask= 255.255.0.0 ^ > > [Net-Corp] > ID-type= IPV4_ADDR_SUBNET > Network= 10.1.10

Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Hans-Joerg Hoexer
On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote: > [greenbow-quick-mode] > DOI=IPSEC > EXCHANGE_TYPE= QUICK_MODE > Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE it's GRP2, not GR2 > > [AES-SHA-GRP2] > ENCRYPTION_ALGORITHM= AES_CBC > HASH_ALGORITHM= SHA > AUTHENT

Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Hans-Joerg Hoexer
Hi, On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote: > [greenbow-main-mode] > DOI=IPSEC > EXCHANGE_TYPE= ID_PROT > Transforms= AES-SHA-GRP2 > > [greenbow-quick-mode] > DOI=IPSEC > EXCHANGE_TYPE= QUICK_MODE > Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE >

Re: Question about isakmpd on obsd 3.7

2005-10-26 Thread Hans-Joerg Hoexer
On Wed, Oct 26, 2005 at 10:24:25AM +0200, [EMAIL PROTECTED] wrote: > Hi all, > > Is ike over tcp supported under isakmpd on obsd 3.7?? where I can no

Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address

2005-10-27 Thread Hans-Joerg Hoexer
Hi, On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote: > I have been reading through the archives but have not found a reliable answer > yet. I have recently been converting vpns from manual to isakmpd, with one > of the other endpoints being a Cisco box. I can bring up a single subnet/IP

Re: isakmpd: invalid next payload type RESERVED_MIN in payload of type 10

2005-11-04 Thread Hans-Joerg Hoexer
If your other peer is 3.7, please apply all patches. HJ. On Fri, Nov 04, 2005 at 07:29:50PM +0100, Tobias Walkowiak wrote: > On Fri, Nov 04, 2005 at 06:42:11PM +0100, Michiel van der Kraats wrote: > > Today I upgraded a VPN gateway to 3.8-RELEASE. Anyway, when I put > > isakmpd.conf back and tried

Re: isakmpd: invalid next payload type RESERVED_MIN in payload of type 10

2005-11-04 Thread Hans-Joerg Hoexer
08:45:21PM +0100, Hans-Joerg Hoexer wrote: > > If your other peer is 3.7, please apply all patches. > > of course i applied all 5 patches from 3.7. or do you have sth different in > mind? > > -- > tobias

Re: isakmpd: invalid next payload type RESERVED_MIN in payload of type 10

2005-11-04 Thread Hans-Joerg Hoexer
Hi, On Fri, Nov 04, 2005 at 10:47:59PM +0100, Tobias Walkowiak wrote: > hm, i think i better update the other peer to 3.8, as well - although it's > 550 km from here ... > > > Other workaround, disable nat-t with the -T option. > > but that only works for 3.8 isakmpd, doesn't it? what about the

Re: Mplayer & DVD problem

2005-11-09 Thread Hans-Joerg Hoexer
On Wed, Nov 09, 2005 at 05:03:25PM -0500, Roy Morris wrote: > I think you need libdvdcss from ports. Both mplayer and ogle > work fine for me. or libdvd instead of libdvdcss.

Re: Mplayer & DVD problem

2005-11-10 Thread Hans-Joerg Hoexer
On Wed, Nov 09, 2005 at 07:44:29PM -0500, Roy Morris wrote: > >libdvdread: Could not open /dev/rcd0c with libdvd. > >libdvdread: Can't open /dev/rcd0c for reading > >ERROR[ogle_nav]: faild to open/read the DVD > >callbacks.on_opendvd_activate(): DVDSetDVDRoot: Root not set > > > >What am I supposed

Re: ISAKMPD errors n. 8 and n. 118

2005-11-10 Thread Hans-Joerg Hoexer
Hi, the errno shown by ipsecadm can be ignored, nothing to worry about (and this was fixed post 3.7-stable). Besides this message the vpn is working as expected? HJ. On Thu, Nov 10, 2005 at 11:30:58AM +0100, [EMAIL PROTECTED] wrote: > Hello! > >I set up a tunnel between two machines (conne

Re: ISAKMPD errors n. 8 and n. 118

2005-11-10 Thread Hans-Joerg Hoexer
man 3 errno On Thu, Nov 10, 2005 at 01:53:27PM +0100, [EMAIL PROTECTED] wrote: > Hello! > >Thanks for your reply, first of all. > > > > Hi, > > > > the errno shown by ipsecadm can be ignored, nothing to worry about > > (and this was fixed post 3.7-stable). Besides this message the vpn > >

Re: isakmpd fails on sun v100 ( dc nics )

2005-11-22 Thread Hans-Joerg Hoexer
please apply all patches for 3.7. I've lately added a patch for this issue to the 3.7 errata page. HJ. On Mon, Nov 21, 2005 at 05:01:28PM -0800, Dag Richards wrote: > Using the sample config straight from the vpn man page, my tunnel fails > to come up between GENERIC 3.8 or 3.7 on a sunfire v10

Re: ipsec.conf / What am I dooing wrong?

2005-11-24 Thread Hans-Joerg Hoexer
Hi, ok, please use "hmac-sha1" instead of "sha1" HJ. On Thu, Nov 24, 2005 at 11:04:45AM +0100, raff wrote: > following ipsec.conf(5) i was trying to set up connection between two > hosts 192.168.1.115 and 192.168.1.125 > I can set it using ipsecadm, and everything works fine, but using > ipsecctl

Re: ipsec.conf / What am I dooing wrong?

2005-11-24 Thread Hans-Joerg Hoexer
A bit more explanation: Nowadays, HMAC-SHA1/MD5 is used with ESP/AH. Simple keyed SHA1/MD5 is only used with "old" ESP/AH, which is not supported by ipsecctl(8). Thus I'll remove "sha1" from ipsecctl, sorry for the inconvenience. HJ. On Thu, Nov 24, 2005 at 12:01:36PM

Re: ISAKMPD problem 3.7 <--> 3.8

2005-11-29 Thread Hans-Joerg Hoexer
make sure to apply all patches for 3.7, see errata37.html. I've added a fix a few days ago. Moreover, I need the full output of -DA=80 to see what's actually going on. HJ. On Tue, Nov 29, 2005 at 01:20:25PM +0100, [EMAIL PROTECTED] wrote: > Hello! > >I have a problem with ISAKMPD on a new m

Re: isakmpd fills my log

2005-11-30 Thread Hans-Joerg Hoexer
please show us your config files. On Wed, Nov 30, 2005 at 03:31:27PM +0100, martin wrote: > hi all, i use ipsec to replace wep for my wlan so the setup is pretty > simple and all and everything works. I used this page > http://www.dietlein.com/requisites/ipsec/ to get it to work and my > config

Re: isakmpd fills my log

2005-11-30 Thread Hans-Joerg Hoexer
On Wed, Nov 30, 2005 at 03:58:07PM +0100, martin wrote: ... > [Phase 1] > 10.10.10.9= ISAKMP-peer-ignition > > [Phase 2] > Connections=IPsec-ignition-soekris this should be a passive connection. Otherwise isakmpd will try to keep this connection up and when this fails it

Re: ipsec question

2005-12-01 Thread Hans-Joerg Hoexer
yes, you can. You need to encrypt traffic from/to your laptop to 0.0.0.0/0. So instead of using your gw address, use 0.0.0.0/0. HJ. On Thu, Dec 01, 2005 at 08:00:38AM +0100, raff wrote: > Hi, > I have wireless connection between my machine and router/gateway. > I can set up ipsec connection bet

Re: x509 keys & isakmpd in OBSD 3.8

2005-12-16 Thread Hans-Joerg Hoexer
Hi, On Fri, Dec 16, 2005 at 09:48:06AM +, Gordon Ross wrote: > I'm trying to setup an isakmpd VPN using x509 keys between two OpenBSD > 3.8 boxes. > > To start with, I followed the instructions at > http://www.openbsdsupport.org/vpn-ipsec.html to setup an initial VPN > using pre-shared secret

Re: VPN in OpenBSD 3.8, how to use new tools?

2005-12-18 Thread Hans-Joerg Hoexer
On Sun, Dec 18, 2005 at 06:58:22PM +0100, Lukasz Sztachanski wrote: > ipsecadm(8) isn't new ;) Probably ipsecctl isn't `mature' enough to > handle such setup. Imho, you'll have to use isakmpd- actually web is > full of tutorials and examples of isakmpd configuration; plus, it's very > flexible and c

Re: ipsecctl writev failed

2005-12-21 Thread Hans-Joerg Hoexer
the defaults are hmac-sha2-256 and aesctr which uses a 160 bit key. On Wed, Dec 21, 2005 at 03:25:26PM -0500, Will H. Backman wrote: > OpenBSD 3.8 release. > I'm getting the same errors as this thread: > http://archives.neohapsis.com/archives/openbsd/2005-11/1980.html > I'm trying to use as many d

Re: ipsecctl writev failed

2005-12-23 Thread Hans-Joerg Hoexer
Hi, On Fri, Dec 23, 2005 at 11:58:14AM -0500, Will H. Backman wrote: > > Reducing the enckey to 160 bits worked. Interesting to note that if a > key is too short, you get a nice warning that the key is too short and > must be 160 bits long. If a key is too long, you don't get a warning, > ju

Re: Need advice about VPN

2006-01-18 Thread Hans-Joerg Hoexer
On Wed, Jan 18, 2006 at 11:20:55AM +0100, Joachim Schipper wrote: > > Each will work; OpenVPN is slightly easier to set up, but IPsec will > likely offer better performance. Forget about openvpn, there's no need to fiddle around with third party stuff. Just make sure to take a look at vpn(8). I

Re: fatal: evp_crypt: EVP_Cipher failed

2006-01-31 Thread Hans-Joerg Hoexer
yes, these cards have issues. The only advice I can give is to set kern.usercrypto=0. I tried to debug this several times, but I did not find a test case that produces this issue reliably. On Mon, Jan 30, 2006 at 04:46:49PM -0600, Sean Cody wrote: > I have been having issues lately with the HiFn

Re: ipsecctl and invalid phase 2 IDs

2006-02-22 Thread Hans-Joerg Hoexer
Can you show me the output of "ipsecctl -nvf ..." on both machines. HJ. On Wed, Feb 22, 2006 at 01:08:39PM -0500, Adam wrote: > I am trying to setup a simple vpn between two networks using ipsecctl. > One side is running 3.8 release, the other 3.8 stable. On both sides I > have copied over /etc/

Re: isakmpd, tunnel mode or transport mode?

2005-05-04 Thread Hans-Joerg Hoexer
both, see isakmpd(8) and isakmpd.conf(5) On Wed, May 04, 2005 at 04:19:37PM +0200, Abel Talaveron wrote: > Hi all, > > can isakmpd work in both modes? Or only in tunnel mode? > > Thanks

Re: General IPsec configuration vunerabilities (links)

2005-05-13 Thread Hans-Joerg Hoexer
with confidentiality only, or with integrity > > protection being provided by a higher layer protocol. Some > > configurations using AH to provide integrity protection are also > > vulnerable." > > > > Peter > --