Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit
On 02/01/2017 10:21 PM, Yury Shefer wrote: Your behind-NAT IPsec client should use external IP (78.111.187.234) as IKE identifier (IDi/initiator id) to be able to establish the SA. IMHO, the better option for your remote clients would be a use of different ID type like ID_RFC822_ADDR. Thanks

Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

2017-02-01 Thread Tinker
On 2017-02-02 10:27, Tinker wrote: .. My motivation here for wanting the boot code on the USB stick, is that I trust the USB stick more than my harddrive. Motivation: What I meant to say here is that I like the notion of the harddrive as unsecure by definition, so that I only will trust its

How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

2017-02-01 Thread Tinker
Hi! I would like to have my system set up as follows: * My USB memory card contains the boot code (MBR etc.) and the softraid crypto keydisk partition. And maybe the kernel. * My HDD contains the root filesystem in a crypto softraid. (And no boot code!) How do I make this so? The

Re: "pass all flags S/SA" from default pf.conf is logging, why?

2017-02-01 Thread Jiri B
On Mon, Jan 30, 2017 at 11:46:32AM +, Stuart Henderson wrote: > > I'm surprised that I get logging in pflog even I have *no* 'log' > > in my pf.conf. > > > > # pfctl -vvsr -R 14 > > @14 pass all flags S/SA > > [ Evaluations: 30082 Packets: 569255 Bytes: 365488723 States: 23 > >

panic: kernel diagnostic assertion "sc->sc_carpdev != NULL" failed: file "../../../../netinet/ip_carp.c", line 2312

2017-02-01 Thread Brent Graveland
Two physical machines with a bunch of vlans and carp interfaces with pfsync. I have a script that pushes pf.conf to the machines and runs pfctl -f /etc/pf.conf on them. One of the invocations killed both of them and left a crash dump. I’m mostly wondering if this is a known issue or not. If not,

Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread Yury Shefer
Your behind-NAT IPsec client should use external IP (78.111.187.234) as IKE identifier (IDi/initiator id) to be able to establish the SA. IMHO, the better option for your remote clients would be a use of different ID type like ID_RFC822_ADDR. On Wed, Feb 1, 2017 at 4:19 AM, lilit-aibolit

Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit
On 12/06/2016 11:04 AM, Florian Ermisch wrote: And I guess that's the problem: the client goes "hi I'm 10.1.1.58 and I'd like to connect" and isakmpd doesn't know no 10.1.1.58. IKEv1 is very picky about those things: When it doesn't expect an ID no peer presenting one will be allowed to connect

Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 05:09:43PM +0200, Lars Noodén wrote: > On 02/01/2017 05:06 PM, Erling Westenvik wrote: > > On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote: > >> Erling Westenvik writes: > >> > >>> However, I got inspired and when I disabled pf

Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote: > Erling Westenvik writes: > > > However, I got inspired and when I disabled pf (pfctl -d) I got full > > contact! (But -- when I turned pf back on (pfctl -e) I lost the one > > connection I had... Now I

Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Manuel Giraud
Erling Westenvik writes: > However, I got inspired and when I disabled pf (pfctl -d) I got full > contact! (But -- when I turned pf back on (pfctl -e) I lost the one > connection I had... Now I have to wait 48 minutes for the server to > reboot. Not much more to do

Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 04:26:15PM +0200, lilit-aibolit wrote: > On 02/01/2017 03:41 PM, Erling Westenvik wrote: > > I have an OpenBSD 5.9 server at a colocation. It stopped accepting new > > connections (ping, ssh, http, whatever) yesterday night but fortunately > > I had one ssh session open

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Olivier Cherrier
On Wed, Feb 01, 2017 at 08:32:44AM -0500, ji...@devio.us wrote: > On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote: > > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote: > > > Should have kernel automatically create 'sd4' for degraded RAID 1 > > > but it does not? > > > > I

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Stefan Sperling
On Wed, Feb 01, 2017 at 08:32:44AM -0500, Jiri B wrote: > On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote: > > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote: > > > Should have kernel automatically create 'sd4' for degraded RAID 1 > > > but it does not? > > > > I believe

Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
I have an OpenBSD 5.9 server at a colocation. It stopped accepting new connections (ping, ssh, http, whatever) yesterday night but fortunately I had one ssh session open from my workstation from which I can still access it. Funny thing is that the server has full access OUT to the internet. I can

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Jiri B
On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote: > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote: > > Should have kernel automatically create 'sd4' for degraded RAID 1 > > but it does not? > > I believe it will auto assemble if the disk is present at boot time. ^^ This

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Stefan Sperling
On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote: > Should have kernel automatically create 'sd4' for degraded RAID 1 > but it does not? I believe it will auto assemble if the disk is present at boot time. But not when you hotplug the disk.

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Jiri B
On Tue, Jan 31, 2017 at 11:55:21PM +0100, Stefan Sperling wrote: > On Tue, Jan 31, 2017 at 05:23:10PM -0500, Jiri B wrote: > > I have a disk which used to be boot disk of a degraded RAID 1 (softraid). > > The second disk is totally gone. > > > > I don't want to use this disk as RAID 1 disk