Re: ipsecctl -d
This might help: http://undeadly.org/cgi?action=articlesid=20131125041429 2014-10-08 23:18 GMT+02:00 Kevin Pate ke...@pateconsulting.com: I was hoping someone could help me with an issue I'm having regarding ipsecctl and multiple tunnels. I'm trying to delete a tunnel without restarting or flushing the SAs that are already in place. When I use: ipsecctl -d -vv -f /etc/ipsec-remove.conf, the routes remain and the SAs do not get deleted. My ipsec-remove.conf file: # Houston to Corpus ike esp from 192.168.2.0/25 to 192.168.82.0/24 peer xx.xx.xx.xx \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc 3des \ psk xx \ tag vpn-corpus ike esp from 192.168.2.128/25 to 192.168.82.0/24 peer xx.xx.xx.xx \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc 3des \ psk xx \ tag vpn-corpus Output of ipsecctl -s sa: esp tunnel from some remote host to local site spi 0x03761967 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x1cdd21a3 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x2e4aad48 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x3134cfbd auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x358e5310 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x47780dca auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x4e3069cf auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x56903d1d auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x617705c8 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x61e67eb3 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x6d29d48b auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x6e00df06 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x710e2a8f auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x74db2d10 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x834bdee7 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x93eb83e8 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0x984be19f auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xa0a8e08d auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xa1fd5966 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xa77f3834 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xaeab91ab auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xbdf1207d auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xbefa6c9f auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xce30ad17 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xe0d81015 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xe175e9c6 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xe460c5ce auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xef15c229 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xf0711651 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xf3d67ab8 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xfb031187 auth hmac-sha1 enc 3des-cbc esp tunnel from some remote host to local site spi 0xff1bb0e6 auth hmac-sha1 enc 3des-cbc Output of netstat -rn (pertaining to the route in question): Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 192.168.82/24 0 192.168.2.0/25 0 0 xx.xx.xx.xx/esp/use/in 192.168.2.0/25 0 192.168.82/24 0 0 xx.xx.xx.xx/esp/require/out 192.168.82/24 0 192.168.2.128/25 0 0 xx.xx.xx.xx/esp/use/in 192.168.2.128/25 0 192.168.82/24 0 0 xx.xx.xx.xx/esp/require/out Shouldn't the SA and route get removed with the ipsecctl -d command? If not, how should I go about doing this without interrupting the other existing tunnels? Thanks, Kevin Pate RHCE - CCNA Pate Consulting, Inc. www.pateconsulting.comhttp://www.pateconsulting.com ke...@pateconsulting.commailto:ke...@pateconsulting.com M 713.823.8845 Skype kevdpate AIM lnxcnsltng -- May the most significant bit of your life be positive.
pf removes automatic tables inside inline anchors
Synopsis: pf removes automatic tables inside inline anchors Category: kernel Environment: System : OpenBSD 5.5 Details : OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC Architecture: OpenBSD.amd64 Machine : amd64 Description: With basic ruleset-optimization, pf combines multiple similar rules into a rule on an automatic table. If that happens inside an anchor defined inline, the table will get destroyed and thus the rules no longer work. How-To-Repeat: pf.conf: set ruleset-optimization basic block anchor foo to 192.168.1.0/24 { pass proto tcp to { 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 192.168.1.6 } port 80 } pass proto tcp to { 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4 192.168.2.5 192.168.2.6 } Table is referred to in rules, but does not exist: # pfctl -Fr -FT -f /etc/pf.conf # pfctl -sr -a '*' block drop all anchor foo inet from any to 192.168.1.0/24 { pass inet proto tcp from any to __automatic_22d700ce_1 port = 80 flags S/SA } pass inet proto tcp from any to __automatic_44a5c9f7_0 port = 80 flags S/SA # pfctl -a foo -t __automatic_22d700ce_1 -T show pfctl: Table does not exist. # pfctl -t __automatic_22d700ce_1 -T show pfctl: Table does not exist. # pfctl -sT __automatic_44a5c9f7_0 # pfctl -sT -a foo # pfctl -sT -a '*' __automatic_44a5c9f7_0 If the table is loaded from a file, it will exist as expected - this only seems to happen for inline anchors. In addition, while trying to narrow this down I noticed that it is a syntax error to define tables in inline anchors (that too works fine when the anchor is loaded from a file). Should I send a separate bug report for that? Fix: 'set ruleset-optimization none' can work around this. -- Lauri Tirkkonen Niksula systems specialist
Re: Samsung Notebook: acpitz0 critical temp since sept 25 snapshot
On Tue, Oct 07, 2014 at 10:10:54PM +0200, Remi Locherer wrote: Synopsis: Samsung Notebook: acpitz0 critical temp since sept 25 snapshot Environment: System : OpenBSD 5.6 Details : OpenBSD 5.6-current (GENERIC.MP) #399: Sun Oct 5 21:53:59 MDT 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP Architecture: OpenBSD.amd64 Machine : amd64 Description: The Samsung 900X3F shuts down after boot with the message: acpitz0: critical temperature exceeded 144C, shutting down. The snapshot from September 17 was working fine. Since snapshot September 25 I'm seeing this. Strange thing: when I'm now booting the sept 17 snapshot kernel the notebook also shuts itselfe down with the above message. Does th kernel modify the acpi tables? Now this is really strange: today I booted the Samsung notebook several times with the kernel from snapshot oct 5. The problem with acpitz0 never occured. Can it be that the kernel sometimes is using a wrong address to read acpi stuff? Or is Samsung using a strange acpi implementation? Remi