Radek
In my opinion upstream DNS & UDP issues can cause interrupts with some ISPs.
I also believe that defining specific protos in your NAT rule can decrease 
interrupts. 
You might consider the following modification to your NAT rule to 
specifically allow UDP & ICMP.

match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, \
    $backup_local } nat-to $ext_if set prio (3, 7)

It appears that you have ICMP allow rules, which is a good idea in my opinion.
Have you ever done any logging of these packets? Are there any legitimate 
requests from your ISP?
Do you have an alternate DNS server you can test against? Are you using your 
ISP's DNS?
Perhaps the new OpenBSD unwind package is worth investigating ;)
Regards
Patrick

> On Aug 25, 2019, at 1:31 PM, Radek <r...@int.pl> wrote:
> 
> Hello Patrick, 
> 
>> In my opinion your net5501’s system calls per interval are relatively high.
>> The (traps sys) column on my firewall hovers between 40 & 50 quite 
>> consistently.
>> My understanding is that system calls are things like program calls & 
>> library access.
> Is there any way to decrease these values?
> 
>> Many commercial routers run a customized kernel & rely on a stripped down 
>> user-land.
>> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
>> things like storage or virtualization.
>> The OpenBSD OS includes all the user-land tools such as ping & top in 
>> addition to a standardized precompiled kernel. 
> Ok, I get it.
> 
> 
> On Fri, 23 Aug 2019 21:12:35 -0500
> Patrick Dohman <dohmanpatr...@gmail.com> wrote:
> 
>> In my opinion your net5501’s system calls per interval are relatively high.
>> The (traps sys) column on my firewall hovers between 40 & 50 quite 
>> consistently.
>> My understanding is that system calls are things like program calls & 
>> library access.
>> 
>> In addition your net5501’s memory requests per second seem heavy.
>> You have fifty-eight million 1024 bucket requests per second.
>> My firewall has a max of one hundred thousand 128 bucket requests per second.
>> 
>> Many commercial routers run a customized kernel & rely on a stripped down 
>> user-land.
>> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
>> things like storage or virtualization.
>> The OpenBSD OS includes all the user-land tools such as ping & top in 
>> addition to a standardized precompiled kernel. 
>> Regards
>> Patrick
>> .
>>> 
>>> 
>>> On Thu, 22 Aug 2019 19:12:55 -0500
>>> Patrick Dohman <dohmanpatr...@gmail.com> wrote:
>>> 
>>>> Radek
>>>> 
>>>> I've found that fast networking is actually CPU & memory intensive. 
>>>> Pentium 4s and Xeons are increasingly a necessity for stable firewalls in 
>>>> my opinion.
>>>> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio 
>>>> with a commercial router.
>>>> 
>>>> What are your context switches & interrupts doing while the VPN is up & 
>>>> traffic is flowing?
>>>> 
>>>> vmstat -w 4
>>>> 
>>>> What is your memory high water mark during a peak traffic?
>>>> 
>>>> vmstat -m
>>>> 
>>>> Regards
>>>> Patrick
>>>> 
>>>>> On Aug 21, 2019, at 12:34 AM, radek <r...@int.pl> wrote:
>>>>> 
>>>>> Hello Patrick,
>>>>> I am sorry for the late reply.
>>>>> 
>>>>>> Do you consider memory an issue?
>>>>> No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, 
>>>>> that I use for VPN testing.
>>>>> Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
>>>>> Production set (6.3/i386) is net5501-70 <-> ALIX2d2
>>>>> Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
>>>>> It is unlikely that every box has any hardware issue.
>>>>> 
>>>>>> Unix load average can occasionally be deceiving.
>>>>> I did not know.
>>>>> 
>>>>> #### net5501-70 ####
>>>>> $top -d1 | head -n 4
>>>>> load averages:  0.05,  0.01,  0.00    RAC-fw65-test.PRAC 10:58:14
>>>>> 38 processes: 1 running, 35 idle, 1 dead, 1 on processor  up 3 days, 18:02
>>>>> CPU states:  0.5% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.2% intr, 
>>>>> 98.8% idle
>>>>> Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M
>>>>> 
>>>>> #### ALIX2d3 ####
>>>>> $top -d1 | head -n 4
>>>>> load averages:  0.00,  0.00,  0.00    mon65.home 07:30:05
>>>>> 37 processes: 1 running, 35 idle, 1 on processor  up 13:46
>>>>> CPU states:  0.3% user,  0.0% nice,  1.1% sys,  0.0% spin,  0.4% intr, 
>>>>> 98.3% idle
>>>>> Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M
>>>>> 
>>>>> 
>>>>> 
>>>>>> What is the speed of your memory?
>>>>>> What make of Ethernets are you running?
>>>>> Dmesgs below
>>>>> 
>>>>> #### net5501-70 ####
>>>>> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
>>>>>  r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>>>> real mem  = 536363008 (511MB)
>>>>> avail mem = 511311872 (487MB)
>>>>> mpath0 at root
>>>>> scsibus0 at mpath0: 256 targets
>>>>> mainbus0 at root
>>>>> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
>>>>> pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
>>>>> pcibios0: pcibios_get_intr_routing - function not supported
>>>>> pcibios0: PCI IRQ Routing information unavailable.
>>>>> pcibios0: PCI bus #0 is the last bus
>>>>> bios0: ROM list: 0xc8000/0xa800
>>>>> cpu0 at mainbus0: (uniprocessor)
>>>>> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 
>>>>> 586-class) 500 MHz, 05-0a-02
>>>>> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
>>>>> mtrr: K6-family MTRR support (2 registers)
>>>>> amdmsr0 at mainbus0
>>>>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>>>>> 0:20:0: io address conflict 0x6100/0x100
>>>>> 0:20:0: io address conflict 0x6200/0x200
>>>>> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
>>>>> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
>>>>> vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, 
>>>>> address 00:00:24:cb:4f:cc
>>>>> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, 
>>>>> address 00:00:24:cb:4f:cd
>>>>> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, 
>>>>> address 00:00:24:cb:4f:ce
>>>>> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, 
>>>>> address 00:00:24:cb:4f:cf
>>>>> ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 
>>>>> 32-bit 3579545Hz timer, watchdog, gpio, i2c
>>>>> gpio0 at glxpcib0: 32 pins
>>>>> iic0 at glxpcib0
>>>>> pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 
>>>>> 0 wired to compatibility, channel 1 wired to compatibility
>>>>> wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-008G>
>>>>> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
>>>>> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
>>>>> pciide0: channel 1 ignored (disabled)
>>>>> ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, 
>>>>> version 1.0, legacy support
>>>>> ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
>>>>> usb0 at ehci0: USB revision 2.0
>>>>> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 
>>>>> 2.00/1.00 addr 1
>>>>> isa0 at glxpcib0
>>>>> isadma0 at isa0
>>>>> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>>>>> com0: console
>>>>> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
>>>>> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
>>>>> pckbc0: unable to establish interrupt for irq 12
>>>>> pckbd0 at pckbc0 (kbd slot)
>>>>> wskbd0 at pckbd0: console keyboard
>>>>> pcppi0 at isa0 port 0x61
>>>>> spkr0 at pcppi0
>>>>> nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
>>>>> gpio1 at nsclpcsio0: 29 pins
>>>>> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
>>>>> usb1 at ohci0: USB revision 1.0
>>>>> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 
>>>>> 1.00/1.00 addr 1
>>>>> vscsi0 at root
>>>>> scsibus1 at vscsi0: 256 targets
>>>>> softraid0 at root
>>>>> scsibus2 at softraid0: 256 targets
>>>>> root on wd0a (2bf8b7abbbce37df.a) swap on wd0b dump on wd0b
>>>>> 
>>>>> 
>>>>> #### ALIX2d3 ####
>>>>> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
>>>>>  r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>>>> real mem  = 267931648 (255MB)
>>>>> avail mem = 247779328 (236MB)
>>>>> mpath0 at root
>>>>> scsibus0 at mpath0: 256 targets
>>>>> mainbus0 at root
>>>>> bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
>>>>> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
>>>>> pcibios0: pcibios_get_intr_routing - function not supported
>>>>> pcibios0: PCI IRQ Routing information unavailable.
>>>>> pcibios0: PCI bus #0 is the last bus
>>>>> bios0: ROM list: 0xe0000/0xa800
>>>>> cpu0 at mainbus0: (uniprocessor)
>>>>> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 
>>>>> 586-class) 499 MHz, 05-0a-02
>>>>> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
>>>>> mtrr: K6-family MTRR support (2 registers)
>>>>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>>>>> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
>>>>> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
>>>>> vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, 
>>>>> address 00:0d:b9:1e:85:8c
>>>>> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, 
>>>>> address 00:0d:b9:1e:85:8d
>>>>> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, 
>>>>> address 00:0d:b9:1e:85:8e
>>>>> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>>>> 0x004063, model 0x0034
>>>>> glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 
>>>>> 32-bit 3579545Hz timer, watchdog, gpio, i2c
>>>>> gpio0 at glxpcib0: 32 pins
>>>>> iic0 at glxpcib0
>>>>> maxtmp0 at iic0 addr 0x4c: lm86
>>>>> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 
>>>>> 0 wired to compatibility, channel 1 wired to compatibility
>>>>> wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-008G>
>>>>> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
>>>>> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
>>>>> pciide0: channel 1 ignored (disabled)
>>>>> ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, 
>>>>> version 1.0, legacy support
>>>>> ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
>>>>> usb0 at ehci0: USB revision 2.0
>>>>> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 
>>>>> 2.00/1.00 addr 1
>>>>> isa0 at glxpcib0
>>>>> isadma0 at isa0
>>>>> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>>>>> com0: console
>>>>> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
>>>>> pcppi0 at isa0 port 0x61
>>>>> spkr0 at pcppi0
>>>>> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
>>>>> usb1 at ohci0: USB revision 1.0
>>>>> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 
>>>>> 1.00/1.00 addr 1
>>>>> nvram: invalid checksum
>>>>> vscsi0 at root
>>>>> scsibus1 at vscsi0: 256 targets
>>>>> softraid0 at root
>>>>> scsibus2 at softraid0: 256 targets
>>>>> root on wd0a (83b335c3c86bb80c.a) swap on wd0b dump on wd0b
>>>>> clock: unknown CMOS layout
>>>>> 
>>>>> On Mon, 19 Aug 2019 18:17:48 -0500
>>>>> Patrick Dohman <dohmanpatr...@gmail.com> wrote:
>>>>> 
>>>>>> Do you consider memory an issue?
>>>>>> What is the speed of your memory?
>>>>>> Unix load average can occasionally be deceiving.
>>>>>> What make of Ethernets are you running?
>>>>>> Regards
>>>>>> Patrick
>>>>>> 
>>>>>>> On Aug 19, 2019, at 5:28 AM, radek <r...@int.pl> wrote:
>>>>>>> 
>>>>>>> Hello Patrick,
>>>>>>> 
>>>>>>>> Does your ISP implement authoritative DNS?
>>>>>>>> Do you suspect a UDP issue?
>>>>>>> My VPN is configured with IPs, not with domain names. Does DNS and/or 
>>>>>>> UDP matter anyway?
>>>>>>> 
>>>>>>>> Is a managed (switch) involved?
>>>>>>> No, it is not. I do not use any switches in my testing setup.
>>>>>>> GW1--ISP1_modem--.....--ISP2_modem--GW2
>>>>>>> 
>>>>>>>> Has duplex ever been an issue?
>>>>>>> I have never noticed any duplex issue.
>>>>>>> 
>>>>>>> 
>>>>>>> On Sun, 18 Aug 2019 16:07:14 -0500
>>>>>>> Patrick Dohman <dohmanpatr...@gmail.com> wrote:
>>>>>>> 
>>>>>>>> Does your ISP implement authoritative DNS?
>>>>>>>> Do you suspect a UDP issue?
>>>>>>>> Is a managed (switch) involved? Has duplex ever been an issue?
>>>>>>>> Regards
>>>>>>>> Patrick  
>>>>>>>> 
>>>>>>>>> On Aug 18, 2019, at 1:03 PM, Radek <r...@int.pl> wrote:
>>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> I have two testing gateways (6.5/i386) with a site-to-site VPN between 
>>>>>>>>> their LANs (OpenIKED).
>>>>>>>>> Both gws are fully syspatched, have public IPs and the same iked/pf 
>>>>>>>>> configuration.
>>>>>>>>> 
>>>>>>>>> Unfortunately, the network traffic over the VPN tunnel stalls few 
>>>>>>>>> times a day. 
>>>>>>>>> 
>>>>>>>>> On the one side I use a script to monitor VPN tunnel with ping, it 
>>>>>>>>> restarts iked and emails me if there is no ping over the VPN tunnel.
>>>>>>>>> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> In 6.3/i386 I have the same problem, but more frequently.
>>>>>>>>> Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
>>>>>>>>> Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
>>>>>>>>> 
>>>>>>>>> Do I have any bugs/deficiencies in my configs, missed something? 
>>>>>>>>> Is there any way to make it work uninterruptedly?
>>>>>>>>> I would be very grateful if you could help me with this case.
>>>>>>>>> 
>>>>>>>>> $cat /etc/hostname.enc0
>>>>>>>>> up
>>>>>>>>> 
>>>>>>>>> $cat /etc/hostname.vr3
>>>>>>>>> inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
>>>>>>>>> group trust
>>>>>>>>> 
>>>>>>>>> $cat /etc/iked.conf
>>>>>>>>> local_gw_RAC17  =     "10.0.17.254" # lan_RAC
>>>>>>>>> local_lan_RAC17 =     "10.0.17.0/24"
>>>>>>>>> remote_gw_MON   =     "1.2.3.5" # fw_MON
>>>>>>>>> remote_lan_MON  =     "172.16.1.0/24"
>>>>>>>>> ikev2 quick active esp \
>>>>>>>>> from $local_gw_RAC17 to $remote_gw_MON \
>>>>>>>>> from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
>>>>>>>>> childsa enc chacha20-poly1305 \
>>>>>>>>> psk "psk"
>>>>>>>>> 
>>>>>>>>> $cat /etc/pf.conf
>>>>>>>>> # RAC-fwTEST
>>>>>>>>> ext_if          = "vr0"
>>>>>>>>> lan_rac_if      = "vr3" # vr3 -
>>>>>>>>> lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
>>>>>>>>> backup_if       = "vr2" # vr2 - lewy port
>>>>>>>>> backup_local    = $backup_if:network # 10.0.117.0/24
>>>>>>>>> 
>>>>>>>>> bud             = "1.2.3.0/25"
>>>>>>>>> rdk_wy          = "1.2.3.4"
>>>>>>>>> rdk_mon         = "1.2.3.5"
>>>>>>>>> panac_krz       = "1.2.3.6"
>>>>>>>>> panac_rac       = "1.2.3.7"
>>>>>>>>> 
>>>>>>>>> set fingerprints "/dev/null"
>>>>>>>>> set skip on { lo, enc0 }
>>>>>>>>> set block-policy drop
>>>>>>>>> set optimization normal
>>>>>>>>> set ruleset-optimization basic
>>>>>>>>> 
>>>>>>>>> antispoof quick for {lo0, $lan_rac_if, $backup_if }
>>>>>>>>> 
>>>>>>>>> match out log on $ext_if from { $lan_rac_local, $backup_local } \
>>>>>>>>>   nat-to $ext_if set prio (3, 7)
>>>>>>>>> 
>>>>>>>>> block all
>>>>>>>>> 
>>>>>>>>> match in all scrub (no-df random-id)
>>>>>>>>> match out all scrub (no-df random-id)
>>>>>>>>> pass out on egress keep state
>>>>>>>>> 
>>>>>>>>> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any \
>>>>>>>>>   set prio (3, 7) keep state
>>>>>>>>> 
>>>>>>>>> ssh_port        = "1071"
>>>>>>>>> table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $panac_krz, \
>>>>>>>>>   $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
>>>>>>>>> table <bruteforce> persist counters
>>>>>>>>> block from <bruteforce>
>>>>>>>>> pass in log quick inet proto tcp from <ssh_trust> to $ext_if port 
>>>>>>>>> $ssh_port flags S/SA \
>>>>>>>>>   set prio (7, 7) keep state \
>>>>>>>>>   (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> 
>>>>>>>>> flush global)
>>>>>>>>> 
>>>>>>>>> icmp_types      = "{ echoreq, unreach }"
>>>>>>>>> pass inet proto icmp all icmp-type $icmp_types \
>>>>>>>>>   set prio (7, 7) keep state
>>>>>>>>> 
>>>>>>>>> table <vpn_peers> const { $rdk_mon, $panac_rac, $panac_krz }
>>>>>>>>> pass out quick on egress proto esp from (egress:0) to <vpn_peers> \
>>>>>>>>>   set prio (6, 7) keep state
>>>>>>>>> pass out quick on egress proto udp from (egress:0) to <vpn_peers> \
>>>>>>>>>   port {500, 4500} set prio (6, 7) keep state
>>>>>>>>> pass  in quick on egress proto esp from <vpn_peers> to (egress:0) \
>>>>>>>>>   set prio (6, 7) keep state
>>>>>>>>> pass  in quick on egress proto udp from <vpn_peers> to (egress:0) \
>>>>>>>>>   port {500, 4500} set prio (6, 7) keep state
>>>>>>>>> pass out quick on trust received-on enc0 set prio (6, 7) keep state
>>>>>>>>> 
>>>>>>>>> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} \
>>>>>>>>>   set prio (6,7) keep state
>>>>>>>>> pass in on egress proto {ah,esp} set prio (6,7) keep state
>>>>>>>>> 
>>>>>>>>> # By default, do not permit remote connections to X11
>>>>>>>>> block return in on ! lo0 proto tcp to port 6000:6010
>>>>>>>>> 
>>>>>>>>> $cat iked_monitor.sh
>>>>>>>>> #!/bin/sh
>>>>>>>>> # Every 32 s: ping the remote LAN gateway through the tunnel. If that
>>>>>>>>> # fails while the peer's WAN address and the Internet still answer,
>>>>>>>>> # mail a notice and restart iked.
>>>>>>>>> while true
>>>>>>>>> do
>>>>>>>>>   # field 4 of "N packets transmitted, M packets received, ..." is M;
>>>>>>>>>   # default to 0 so an empty result cannot break the numeric test
>>>>>>>>>   vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`
>>>>>>>>>   vpn=${vpn:-0}
>>>>>>>>> 
>>>>>>>>>   if [ "${vpn}" -eq 0 ] ; then
>>>>>>>>>     mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
>>>>>>>>>     wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
>>>>>>>>>     mon=${mon:-0}
>>>>>>>>>     wan=${wan:-0}
>>>>>>>>> 
>>>>>>>>>     if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
>>>>>>>>>       echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
>>>>>>>>>       rcctl restart iked
>>>>>>>>>     fi
>>>>>>>>>   fi
>>>>>>>>>   sleep 32
>>>>>>>>> done
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -- 
>>>>>>>>> Radek
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> Radek
>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Radek
>>>>> 
>>>> 
>>> 
>>> 
>>> -- 
>>> Radek
>> 
> 
> 
> -- 
> Radek
> 
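
Before accepting an ISP, UDP or hardware explanation for stalls like the ones reported in this thread, it is worth measuring how regularly they happen. The script below is an added example, not code from the thread or from OpenIKED: it takes the Date: headers of the monitor's notification e-mails exactly as Radek pasted them, computes the gaps between consecutive stalls, and flags a series whose gaps all sit within a few percent of the median. It assumes the Date header is a close enough proxy for the moment the tunnel died (the monitor polls every 32 s, so the error is small relative to gaps of hours). A series that fires like a timer is worth comparing against the SA lifetimes in effect on both peers (ikelifetime and lifetime in iked.conf(5)) and any other scheduled event on the path; this is a check, not a diagnosis.

```python
"""Spacing of the VPN-stall notifications quoted in this thread.

Added example, not part of the original post. Input is the Date: lines
of the monitor's e-mails, copied verbatim from the thread.
"""
import re
import statistics
from email.utils import parsedate_to_datetime

# Constructed from the thread: the Date lines for the 6.5/i386 pair.
STALLS_65 = """\
Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
"""

# Constructed from the thread: the Date lines for the 6.3/i386 pair.
STALLS_63 = """\
Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
"""

# RFC 5322 date followed by the optional "(CEST)" comment the mailer appends.
DATE_RE = re.compile(r"^\s*Date:\s*(?P<date>.+?)\s*(\([A-Za-z]+\))?\s*$")


def parse_dates(text):
    """Timezone-aware datetimes for every Date: line, in input order."""
    stamps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            stamps.append(parsedate_to_datetime(m.group("date")))
    return stamps


def intervals(text):
    """Whole seconds between consecutive notifications."""
    stamps = parse_dates(text)
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def summarize(deltas, tolerance=0.05):
    """Median, min and max gap, plus whether the whole spread of gaps
    fits within `tolerance` of the median (the "looks like a timer" test)."""
    med = statistics.median(deltas)
    lo, hi = min(deltas), max(deltas)
    return {"median": med, "min": lo, "max": hi,
            "periodic": (hi - lo) <= tolerance * med}


def hms(seconds):
    """Render a number of seconds as h:mm:ss for the report."""
    seconds = int(seconds)
    return "%d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)


def report(label, text):
    """Print the gap list and summary for one series of notifications."""
    deltas = intervals(text)
    s = summarize(deltas)
    print("%s: %d stalls, gaps %s" % (label, len(deltas) + 1,
                                      " ".join(hms(d) for d in deltas)))
    print("  median %s, min %s, max %s, periodic=%s"
          % (hms(s["median"]), hms(s["min"]), hms(s["max"]), s["periodic"]))


if __name__ == "__main__":
    report("6.5/i386", STALLS_65)
    report("6.3/i386", STALLS_63)
```

On the thread's own numbers the 6.3 series comes out as eight gaps between 2:33:54 and 2:38:46 around a 2:34:30 median, which the 5% test calls periodic, while the 6.5 series (gaps of roughly 5 to 8 hours) does not. The same functions work on any mail folder or syslog extract that carries a parseable date per event.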
