lease (the same as on the CD).
If you don't mind getting your files from a non-official source, you
can install or update from
ftp://ftp.openbsd-stable.org./pub/OpenBSD-stable/4.9-stable/
The patch for isakmpd is included in these file sets.
Maurice
BTW: openbsd-stable.org is my pet proje
MG [mas...@fourseasonsnow.com] wrote:
> Forgive my ignorance, but does this mean that if I were to install
> OpenBSD 4.9 via FTP today, there shouldn't be random IPsec
> disconnects as described in bug PR6601? Thanks.
Only if it's 4.9-current (snapshot)
If you install 4.9 release, you have to up
On 7/14/2011 9:31 PM, Kenneth R Westerback wrote:
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
Are there many updates of the source that are not published as an
erratum (on stable)?
Yes.
Ken
// rancor
2011/7/14 Stuart Henderson:
On 2011-07-14, Paul Suh wrote:
If it's easy t
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
> Are there many updates of the source that are not published as an
> erratum (on stable)?
Yes.
Ken
>
> // rancor
>
> 2011/7/14 Stuart Henderson :
> > On 2011-07-14, Paul Suh wrote:
> >> If it's easy to pull the diff it shouldn't be h
Are there many updates of the source that are not published as an
erratum (on stable)?
// rancor
2011/7/14 Stuart Henderson :
> On 2011-07-14, Paul Suh wrote:
>> If it's easy to pull the diff it shouldn't be hard to post it
>
> It's not about difficulty.
>
>> and it would be a nice thing to do for
On 2011-07-14, Paul Suh wrote:
> If it's easy to pull the diff it shouldn't be hard to post it
It's not about difficulty.
> and it would be a nice thing to do for folks have scripts that
> notify them on changes of the errata pages.
It's normal to have things in -stable where no erratum is issu
On Thu, Jul 14, 2011 at 11:49:16AM -0400, Paul Suh wrote:
> Folks,
>
> Hmm -- it's not showing on the 4.9 or 4.8 Errata pages:
>
> http://www.openbsd.org/errata49.html
> http://www.openbsd.org/errata48.html
>
> If it's easy to pull the diff it shouldn't be hard to post it, and it would be
> a n
changes of the
errata pages.
--Paul
On Jul 14, 2011, at 10:45 AM, Otto Moerbeek wrote:
> On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
>
>> It's tagged for 4.9-STABLE
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
>
> And I
On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
> It's tagged for 4.9-STABLE
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
And I just committed a corresponding diff into 4.8 stable.
Dunno if this warrants a patch. It's easy to pul
It's tagged for 4.9-STABLE
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Steve
Sent: Thursday, July 14, 2011 9:41 AM
To: misc@openbsd.org
Subject: ISAKMPD
Hi all,
Sorry thi
On Thu, Jul 14, 2011 at 06:41:06AM -0700, Steve wrote:
> Hi all,
>
> Sorry this has been asked before but I can find no answer.
>
> Is there going to be an official patch for ISAKMPD for 4.8 and 4.9?
To remedy what problem?
>
> I did see something in the bug tracking a whi
Hi all,
Sorry this has been asked before but I can find no answer.
Is there going to be an official patch for ISAKMPD for 4.8 and 4.9?
I did see something in the bug tracking a while back but I now get the
following error when I try to access it.
Not Found The requested URL /cgi-bin/query-pr
Hmm.. sounds like this might be a candidate for -STABLE?
--Paul
On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote:
> On 2011-07-08, Tony Sarendal wrote:
>>>> If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
>>>> up src/sbin/isakmpd/
On Fri, Jul 8, 2011 at 4:09 PM, Stuart Henderson wrote:
> On 2011-07-08, Tony Sarendal wrote:
> >> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> >> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> >> > see
On 2011-07-08, Tony Sarendal wrote:
>> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
>> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
>> > see problems from time to time.
>>
>
> Is this a cosmetic thing
We are not using the tunnels for production use yet and have not started to
measure uptime but we will do it soon. I have not noticed any problem when
I'm using the tunnels, only the messages.
However, I was recommended by Stuart to pull up src/sbin/isakmpd/dh.c to
1.14 since there is a bug that
g this message in /var/log/messages once every hour or two
> >> Jul 2 08:14:54 isakmpd[28247]: message_recv: invalid
> >> cookie(s) 57603c2
> >> Jul 2 08:14:54 isakmpd[28247]: dropped message from
> >> x.x.x.x port 500 due to notification type INVALID_COOKIE
Ah =) Thanks!
// rancor
2011/7/4 Stuart Henderson :
> On 2011-07-02, rancor wrote:
>> Hi.
>>
>> I have two separate ipsec tunnels from 4.9 boxes and both are
>> generating this message in /var/log/messages once every hour or two
>> Jul 2 08:14:54 isakmpd[28247]
On 2011-07-02, rancor wrote:
> Hi.
>
> I have two separate ipsec tunnels from 4.9 boxes and both are
> generating this message in /var/log/messages once every hour or two
> Jul 2 08:14:54 isakmpd[28247]: message_recv: invalid
> cookie(s) 57603c2
> Jul 2 08:14:54 isakmpd[28
Hi.
I have two separate ipsec tunnels from 4.9 boxes and both are
generating this message in /var/log/messages once every hour or two
Jul 2 08:14:54 isakmpd[28247]: message_recv: invalid
cookie(s) 57603c2
Jul 2 08:14:54 isakmpd[28247]: dropped message from
x.x.x.x port 500 due to notification
On 2011-06-14, Paul Suh wrote:
> On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:
>> I thought you could change those in isakmpd.conf:
>> # Certificates stored in PEM format
>> [X509-certificates]
>> CA-directory= /etc/isakmpd/ca/
>>
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:
> On 06/05/2011 02:37 AM, Paul Suh wrote:
>> Folks,
>>
>> I've been working with the flashrd system for booting from compact flash
>> media, and ran across a case where I'd like to make some changes to
isakmp
On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote:
> On 2011/06/05 13:09, Paul Suh wrote:
>> Stuart,
>>
>> I tried using a symlink, but isakmpd didn't seem to like it.
>
> For the file or the whole directory?
> It seems to work with /etc/isakmpd -> /som
On 06/05/2011 02:37 AM, Paul Suh wrote:
> Folks,
>
> I've been working with the flashrd system for booting from compact flash
> media, and ran across a case where I'd like to make some changes to isakmpd,
> but before I do so I'm not sure that it's a good idea.
On 2011/06/05 13:09, Paul Suh wrote:
> Stuart,
>
> I tried using a symlink, but isakmpd didn't seem to like it.
For the file or the whole directory?
It seems to work with /etc/isakmpd -> /somewhere/else.
Stuart,
I tried using a symlink, but isakmpd didn't seem to like it.
--Paul
On Jun 5, 2011, at 7:00 AM, Stuart Henderson wrote:
> Can't you just use symlinks?
>
> On 2011-06-05, Paul Suh wrote:
>> Folks,
>>
>> I've been working with the flashrd syst
Can't you just use symlinks?
On 2011-06-05, Paul Suh wrote:
> Folks,
>
> I've been working with the flashrd system for booting from compact flash
> media, and ran across a case where I'd like to make some changes to isakmpd,
> but before I do so I'm not
Folks,
I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to isakmpd,
but before I do so I'm not sure that it's a good idea.
The location for certificates, CA's, private keys, etc.
2011/1/10, Christoph Leser :
>
> I would like to ask:
>
> 1. Is it true that isakmpd is supposed to accept any ID parameter of
> type IPV4_ADDR_SUBNET in quick mode and set up a corresponding route,
> even when it is the 'default' route?
Yes, some people want all the
2011/1/10, Christoph Leser :
> Hello,
>
> I have an IPSEC VPN in tunnel mode, configured in ipsec.conf with a line
> like:
>
> ike active esp tunnel from to peer
>
>
>
> My isakmpd.policy file is
>
> # cat /etc/isakmpd/isakmpd.policy
> Keynote-version
Hello,
I have an IPSEC VPN in tunnel mode, configured in ipsec.conf with a line
like:
ike active esp tunnel from to peer
My isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
On 14.12.2010 at 17:23, Mike Belopuhov wrote:
mask2prefixlen functions are taken from bgpd. OK?
Thanks, Axel
---
axel@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @
chaos claudius
On Mon, Dec 13, 2010 at 18:50 +0100, Axel Rau wrote:
> Hi all,
>
> in the man page for iked.conf, I read:
> "Addresses can be specified in CIDR notation (matching netblocks), as
> symbolic host names, interface names, or interface group names."
>
> In my iked.conf, I have
>local pppoe0
>
On 13.12.2010 at 18:50, Axel Rau wrote:
no IP address found for pppoe0
This happens with all devices, I have tried.
Anybody succeeded in using an interface name as argument of option
local?
This is 4.8 stable on i386 generic.
Axel
---
axel@chaos1.de PGP-Key:29E99DD6 +49 151 230
Hi all,
in the man page for iked.conf, I read:
"Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names."
In my iked.conf, I have
local pppoe0
but iked -vn complains:
no IP address found for pppoe0
On 2010-05-26, Jacob Yocom-Piatt wrote:
> i'm looking for an alternative
still very early days, but Reyk just committed an ikev2 daemon, iked...
http://article.gmane.org/gmane.os.openbsd.cvs/97036
http://article.gmane.org/gmane.os.openbsd.cvs/97037
Michiel van Baak wrote:
And you want any help after talking to this list that way?
i explained my problem pretty succinctly in the first email - isakmpd is
episodically unreliable, painful to debug, and i am looking for an
alternative if anyone is using something else on openbsd for
On May 26, 2010, at 1:58 PM, Jacob Yocom-Piatt wrote:
> Bryan wrote:
>> On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
>> wrote:
>>
>>> over the past several years i have encountered a variety of problems with
>>> isakmpd that range from difficult
Bryan wrote:
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
wrote:
over the past several years i have encountered a variety of problems with
isakmpd that range from difficult to translate error messages to tunnels
dropping without explanation.
Greetings,
Did you
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
wrote:
> over the past several years i have encountered a variety of problems with
> isakmpd that range from difficult to translate error messages to tunnels
> dropping without explanation.
>
>
>
Greetings,
Did you try
over the past several years i have encountered a variety of problems
with isakmpd that range from difficult to translate error messages to
tunnels dropping without explanation.
i have just recently had a rash of tunnel dropping, which can frequently
be fixed by one endpoint doing
pkill -x
This has been committed. Thanks.
-mark
lum@
===
Hello,
while playing with isakmpd, I found that it would be nice to have a
complement for the "isakmpd: exiting" log entry.
Index:
Looks like they are sending a delete. I guess I will delete and recreate
this tunnel
isakmpd: Peer 1.1.1.1 made us delete live SA for proto 1,
initiator id: 1.1.1.1, responde
r id: 2.2.2.2
On Tue, Nov 17, 2009 at 10:37 AM, Christoph Leser
wrote:
> Are you sure that obsd does not try
I have seen this same behaviour with a configured Cisco ASA endpoint.
The Cisco end needs to ping our network to initiate the connection, and
from watching the IPSEC negotiations from the isakmpd capture files, the
Cisco end rejects our proposal, but we accept their proposal. As Dag
says
running
tcpdump on the external interface (or enable isakmpd packet capture, see the
-L switch of isakmpd).
This will at least answer the question, whether openBSD attempts to establish
the connection when the tunnel is defined for the first time.
Regards
Christoph
-Ursprüngliche Nac
desired or considered a bug.
I would try to delete the tunnel complete and configure it again while running
tcpdump on the external interface (or enable isakmpd packet capture, see the
-L switch of isakmpd).
This will at least answer the question, whether openBSD attempts to establish
the conne
We have many tunnels and for some reason I just set up a tunnel with a Cisco
ASA and we can not initiate the connection from the OpenBSD side. If the
Cisco side pings a device on the OpenBSD side the tunnel comes up. On the
Cisco side they have bidirectional enabled, and they are not seeing the
O
be the most critical subnet and so causes
quite a problem. The really odd thing is that when I run isakmpd in
debug mode (on the problem routers) the subnet route does not get
dropped. Even more odd/annoying is that this problem is intermittent and
tends to only affect one of the routers at any one
restore it is to log into the remote side and do the following
shell commands:
# kill $(cat /var/run/isakmpd.pid)
# /sbin/isakmpd -K
# /sbin/ipsecctl -f /etc/ipsec.conf
I just spent an hour working on the remote side and I've come up with
more information on the problem. Pa
olled back to using public keys and
everything appears to be okay.
My question is this: When you use certificates does isakmpd still use
/etc/isakmpd/private/local.key
as the private key for the crypto negotiation or can that be changed.
Thanks for the followups. It looks like local.key is the key
things to work so I've rolled back
> to using public keys and everything appears to be okay.
>
> My question is this: When you use certificates does isakmpd still use
>
> /etc/isakmpd/private/local.key
>
> as the private key for the crypto negotiation or can that be c
My question is this: When you use certificates does isakmpd still use
/etc/isakmpd/private/local.key
as the private key for the crypto negotiation or can that be changed.
-- Chris
Chris Hilton tildeChris -- http://myblog.vindaloo.com
Hey List !
quick question... Is there a way to clear one specific VPN in the
ipsecctl reference table, or do I really need to clear the entire table
(ipsecctl -F)?
Example... I got a bunch of VPNs (50+), need to flush the state of
this particular one:
BSD 4.3 // config in /etc/ipsec.conf
Sorry,
I had a blackout, the time is obvious.
mp
-Original Message-
From: Petvalsky, Martin
Sent: Wednesday, April 22, 2009 11:14 AM
To: 'misc@openbsd.org'
Subject: isakmpd log file - time in human form?
Hello,
I am debugging an IPsec tunnel by running
isakmpd -L -d -DA=
Hello,
I am debugging an IPsec tunnel by running
isakmpd -L -d -DA=90 > /root/scripts/isakmpd.log 2>&1
and I can't find a way to switch or convert the time to a human
readable form.
Logfile shows:
...
103749.319100 Default log_debug_cmd: log level changed from 0 to 90 fo
Hi misc,
I've been trying to configure the following IPSec client using
certificates, but with no success. I want to use it in a roadwarrior setup:
http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
Of course, I'm using isakmpd on the OpenBSD side (4
I found that some of my problems are related to 'DELETE' messages from the
peer ( cisco ASA's , for example ). There is another thread in this forum
discussing this issue.
Hans-Joerg Hoexer said that obsd/isakmpd should handle this case, but he will
look into it.
I would be intere
Christoph Leser wrote:
> I'm still struggling to keep my ipsec vpns running smoothly.
FWIW, I mostly use IPsec on my home WLAN and I observe a similar
lack of reliability. My laptop sets up two IPsec associations, one
IPv4 and one IPv6, and from time to time one of these or both fail
inexplicab
> -Original Message-
> From: dug [mailto:d...@xgs-france.com]
> Sent: Monday, 19 January 2009 17:44
> To: Hans-Joerg Hoexer
> Cc: Christoph Leser; misc@openbsd.org
> Subject: Re: Cisco IPSec Security Association Idle Timers and isakmpd
>
>
> Le 19 j
On 19 Jan. 09 at 17:37, Hans-Joerg Hoexer wrote:
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
I noticed that the cisco end of a VPN I configured on my openBSD
sends a
DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or both?
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
>
> I noticed that the cisco end of a VPN I configured on my openBSD sends a
> DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or both?
HJ.
Hi,
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
This feature is described in
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle
.html#wp1045897
The effect is that the VPN no longer works. open
)
when the exchanges proceed other than they normally do.
For example I see that 'normally' my isakmpd enters into phase-2
exchange immediately after phase-1 is established. But sometimes it
delays initiating phase-2 for up to 10 minutes after phase-1 completes,
and it often fails in thes
/etc/ipsec.conf and ipsecctl to
drive isakmpd, and /etc/isakmpd/isakmpd.conf directly, skipping
ipsecctl.
But I still see attribute LIFE_DURATION = 1200 in QUICK_MODE
exchanges and 3600 in ID_PROT exchanges.
What am I missing here? I'm at my wit's end, all suggestions welcome.
I include the
. Seklecki on 20081224 16:23.55, we have:
> All:
>
> Back in 01/2006, circa 3.8, there was a thread related to the use of
> gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.
>
> There was a repeatable kernel panic related to gre(4) packets needing a
> s
All:
Back in 01/2006, circa 3.8, there was a thread related to the use of
gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.
There was a repeatable kernel panic related to gre(4) packets needing a
smaller MTU as they are encapsulated in ipsec(4) packets, before being
Hi,
On Tue, 25.11.2008 at 12:11:42 +0100, Christoph Leser <[EMAIL PROTECTED]> wrote:
> But it uses 3 if it initiates the exchange.
>
> if so, I would guess that is the reason for the 'NO PROPOSAL CHOSEN' messages.
> Can I configure 61443 as encapsulation mode in isakmpd.conf?
I'm not aware of s
thanks for the clarification.
Indeed I can see in the traces that obsd isakmpd accepts 61443 and sends out
its reply with the same value.
But it uses 3 if it initiates the exchange.
if so, I would guess that is the reason for the 'NO PROPOSAL CHOSEN' messages.
Can I con
On 2008-11-25, Christoph Leser <[EMAIL PROTECTED]> wrote:
> I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
> cisco router establishes quick mode to my openbsd. The connect works ok,
> just wondering what this message could mean. I have only seen
> 'ENCAPSULATION MODE = TUNN
Hi,
I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
cisco router establishes quick mode to my openbsd. The connect works ok,
just wondering what this message could mean. I have only seen
'ENCAPSULATION MODE = TUNNEL' in this context.
As connect setup fails in the opposite
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Carlos Laviola
> Sent: Thursday, 6 November 2008 13:34
> To: misc@openbsd.org
> Subject: isakmpd routing woes
>
>
> Hello,
>
>
>
> I have thr
Hello,
I have three /24 networks connected to each other through multihomed OpenBSD
4.0 servers using isakmpd(8). Recently, new point-to-point links have been
installed between each of those networks on separate interfaces, and I would
like to make it so traffic coming from/through specific
Tunnels were established well but, in case of internet connections
problems, the vpn went down and never came up again.
Once the vpn went down, the work around was simply to kill isakmpd and
restart it. Not very simple when the vpn went down at 2 AM (and users
complaining at 8)
Analysing an idle VP
gged a strange problem when
> the connection goes down. The tunnels won't come back after a
> small link shutdown.
>
> The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
>
> If it's the case for you too, you should add these lines to
> /etc/isakmp
connection goes
down. The tunnels won't come back after a small link shutdown.
The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :
--- isakmpd.conf ---
[General]
DPD-check-int
ope) we debugged a strange problem when the connection goes
down. The tunnels won't come back after a small link shutdown.
The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :
--- i
z Makowski wrote:
Hello,
Firstly I want to mention that it's my beginning with ipsec/isakmpd
tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so I can't check logs there and I
only wish that config
Hi,
On Sun, 21.09.2008 at 16:04:11 +0200, Mariusz Makowski <[EMAIL PROTECTED]>
wrote:
> a.a.a.a_net b.b.b.b_public_ip --- c.c.c.c_public_ip d.d.d.d_net
>
> What I want to achieve is: - communication from a.a.a.a_net to d.d.d.d_net
> -- isakmpd.conf --
> [General]
> Listen-on= b.
On Fri, Sep 19, 2008 at 12:33:36AM +0200, Lukas Ratajski wrote:
> IPsec tunnel between two computers - a Soekris net5501 running
> [...]
> key_encrypt: bits 256:
The crypto driver for the net5501 does not support 256-bit AES.
You have to switch to 128-bit AES keys or backport revision 1.
Mariusz Makowski wrote:
Hello,
Firstly I want to mention that it's my beginning with ipsec/isakmpd
tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so I can't check logs there and I
only
Hello,
Firstly I want to mention that it's my beginning with ipsec/isakmpd tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so I can't check logs there and I only
wish that configuration there is
\
main auth hmac-sha1 enc aes-256 group modp1536 \
quick auth hmac-sha1 enc aes-256 group modp1536 \
srcid $myip dstid [EMAIL PROTECTED]
This keeps isakmpd looking in
/etc/isakmpd/pubkeys//ufqdn/[EMAIL PROTECTED] for a public key
that I presumably have to create using keyn
Hello everyone,
I am experiencing a problem here which - despite deep analysis,
RTFMing and trying to understand some portions of isakmpd code -
seems impossible to solve for me. I am trying to establish a simple
IPsec tunnel between two computers - a Soekris net5501 running
OpenBSD
Hi,
On Sat, 23.08.2008 at 13:30:28 +0200, Daniel Rapp <[EMAIL PROTECTED]> wrote:
> I have an openbsd (4.2) firewall with a tunnel config in isakmpd.conf and I
> want to add a roadwarrior tunnel too..
this should work roughly like this:
[Phase 1]
1.2.3.4=Your-Main-Connection # that you have
On Sat, 2008-08-23 at 13:30 +0200, Daniel Rapp wrote:
> Hi, I am looking for example configs on isakmpd where there is more than one
> tunnel..
>
> I have an openbsd (4.2) firewall with a tunnel config in isakmpd.conf and I
> want to add a roadwarrior tunnel too..
There should be a
jared r r spiegel wrote:
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
Now someone would like to add a device which (like some other devices
connecting to this machine) is not on a fixed address so it needs to
use the "to any" rule. Though it supports AES in phase 2, only DE
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
> Now someone would like to add a device which (like some other devices
> connecting to this machine) is not on a fixed address so it needs to
> use the "to any" rule. Though it supports AES in phase 2, only DES or
> 3DES are permit
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
> Does anyone know of a way, either using ipsec.conf or isakmpd.conf,
> to permit use of _either_ AES _or_ 3DES in phase 1? Or do I need to go
> to all the other endpoints and reconfigure them to a common algorithm
> (i.e. 3DES)?
I've got a number of VPN clients using X.509 certs to access a
central site configured by ipsec.conf like this.
ike passive esp \
from {$SOMENET, 192.168.40.0/21} to any \
main auth hmac-sha1 enc aes group grp2 \
quick auth hmac-sha1 enc aes group grp2 \
tag ipsec-$
:[EMAIL PROTECTED] On Behalf
Of Stefan Sczekalla
Sent: Friday, August 22, 2008 5:40 PM
To: misc@openbsd.org
Subject: Any Ideas ? isakmpd logs: exchange_setup_p1: unknown exchange
type QUICK_MODE
... and send no answer back to xxx.yyy.zzz.uuu
My Host is an OpenBSD 3.8, the other - remote
Hi, I am looking for example configs on isakmpd where there is more than one
tunnel..
I have an openbsd (4.2) firewall with a tunnel config in isakmpd.conf and I
want to add a roadwarrior tunnel too..
I think I have seen some sample config before but I can't seem to find any
now..
Any help would be
... and send no answer back to xxx.yyy.zzz.uuu
My Host is an OpenBSD 3.8, the other - remote (xxx.yyy.zzz.uuu) is a
securepoint using strongswan.
17:11:22.476524 xxx.yyy.zzz.uuu.500 > aaa.bbb.ccc.ddd.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: 26e5b1720844a0fa->0
Hi folks,
Tinyca allows exporting a chain of CA certificates within
one file, but it took me quite some time to recognize that
isakmpd can't handle this. Or can it?
Regards
Harri
close the VPN
tunnel, install the new certificate, authenticate again and that'd be
it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped
message from aaa.bbb.ccc.ddd port 500 due to notification type
INVALID_ID_INFORMATION
On one machine, I had to restart isakmpd to get i
On 2008-06-30, Harald Dunkel <[EMAIL PROTECTED]> wrote:
> Mitja Mušenih wrote:
>>
>> It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
>> /32.
>>
>> As I already explained to you in a private mail, ipsecctl will export both
PS: If I don't define any remote networks in NCP client, then it tries
to send all ip traffic via esp to the OpenBSD gateway, but isakmpd
whoes:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id
c0a801f9: 192.168.1.249, responder id /: 0.0.0.0/0.
Mitja Mušenih wrote:
It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.
As I already explained to you in a private mail, ipsecctl will export both
192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR=192.168.1.249 while your
windows client is sending IPV4_ADDR_SUB
On 2008-06-30, Mitja Mušenih <[EMAIL PROTECTED]> wrote:
> It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
> /32.
It would make more sense for isakmpd to treat IPV4_ADDR_SUBNET /32
and IPV4_ADDR as equivalent, otherwise I think you're unable to u
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Harald Dunkel
> Sent: Monday, June 30, 2008 9:17 AM
> To: [EMAIL PROTECTED]
> Cc: Misc OpenBSD
> Subject: Re: isakmpd -- NCP IPsec client: peer proposed
> invalid phase 2 IDs
. AFAICS the problem
is that isakmpd doesn't accept the proposal packet with
:
payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
:
If I setup an IPsec tunnel betw