date:20141009

Re: ipsecctl -d

2014-10-09 Thread Janne Johansson

This might help:
http://undeadly.org/cgi?action=articlesid=20131125041429


2014-10-08 23:18 GMT+02:00 Kevin Pate ke...@pateconsulting.com:

 I was hoping someone could help me with an issue I'm having regarding
 ipsecctl and multiple tunnels.

 I'm trying to delete a tunnel without restarting or flushing the SAs that
 are already in place.

 When I use:

 ipsecctl -d -vv -f /etc/ipsec-remove.conf, the routes remain and the SAs
 do not get deleted.

 My ipsec-remove.conf file:

 # Houston to Corpus
 ike esp from 192.168.2.0/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des \
 psk xx \
 tag vpn-corpus
 ike esp from 192.168.2.128/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des \
 psk xx \
 tag vpn-corpus

 Output of ipsecctl -s sa:

 esp tunnel from some remote host to local site spi 0x03761967 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x1cdd21a3 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x2e4aad48 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x3134cfbd auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x358e5310 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x47780dca auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x4e3069cf auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x56903d1d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x617705c8 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x61e67eb3 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x6d29d48b auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x6e00df06 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x710e2a8f auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x74db2d10 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x834bdee7 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x93eb83e8 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0x984be19f auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xa0a8e08d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xa1fd5966 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xa77f3834 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xaeab91ab auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xbdf1207d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xbefa6c9f auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xce30ad17 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xe0d81015 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xe175e9c6 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xe460c5ce auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xef15c229 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xf0711651 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xf3d67ab8 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xfb031187 auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from some remote host to local site spi 0xff1bb0e6 auth
 hmac-sha1 enc 3des-cbc

 Output of netstat -rn (pertaining to the route in question):

 Encap:
 Source Port  DestinationPort  Proto
 SA(Address/Proto/Type/Direction)
 192.168.82/24  0 192.168.2.0/25 0 0
  xx.xx.xx.xx/esp/use/in
 192.168.2.0/25 0 192.168.82/24  0 0
  xx.xx.xx.xx/esp/require/out
 192.168.82/24  0 192.168.2.128/25   0 0
  xx.xx.xx.xx/esp/use/in
 192.168.2.128/25   0 192.168.82/24  0 0
  xx.xx.xx.xx/esp/require/out

 Shouldn't the SA and route get removed with the ipsecctl -d command?  If
 not, how should I go about doing this without interrupting the other
 existing tunnels?

 Thanks,

 Kevin Pate
 RHCE - CCNA
 Pate Consulting, Inc.
 www.pateconsulting.comhttp://www.pateconsulting.com
 ke...@pateconsulting.commailto:ke...@pateconsulting.com
 M 713.823.8845
 Skype kevdpate
 AIM lnxcnsltng




-- 
May the most significant bit of your life be positive.

pf removes automatic tables inside inline anchors

2014-10-09 Thread Lauri Tirkkonen

Synopsis:  pf removes automatic tables inside inline anchors
Category:  kernel
Environment:
System  : OpenBSD 5.5
Details : OpenBSD 5.5 (GENERIC) #271: Wed Mar  5 09:31:16 MST 2014
 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

Architecture: OpenBSD.amd64
Machine : amd64
Description:
With basic ruleset-optimization, pf combines multiple similar rules into a rule
on an automatic table. If that happens inside an anchor defined inline, the
table will get destroyed and thus the rules no longer work.
How-To-Repeat:
pf.conf:

set ruleset-optimization basic
block
anchor foo to 192.168.1.0/24 {
pass proto tcp to { 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 
192.168.1.5 192.168.1.6 } port 80
}
pass proto tcp to { 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4 
192.168.2.5 192.168.2.6 }

Table is referred to in rules, but does not exist:

# pfctl -Fr -FT -f /etc/pf.conf
# pfctl -sr -a '*'
block drop all
anchor foo inet from any to 192.168.1.0/24 {
  pass inet proto tcp from any to __automatic_22d700ce_1 port = 80 flags 
S/SA
}
pass inet proto tcp from any to __automatic_44a5c9f7_0 port = 80 flags 
S/SA
# pfctl -a foo -t __automatic_22d700ce_1 -T show
pfctl: Table does not exist.
# pfctl -t __automatic_22d700ce_1 -T show
pfctl: Table does not exist.
# pfctl -sT 
__automatic_44a5c9f7_0
# pfctl -sT -a foo
# pfctl -sT -a '*' 
__automatic_44a5c9f7_0

If the table is loaded from a file, it will exist as expected - this
only seems to happen for inline anchors. In addition, while trying to
narrow this down I noticed that it is a syntax error to define tables in
inline anchors (that too works fine when the anchor is loaded from a
file). Should I send a separate bug report for that?

Fix:
'set ruleset-optimization none' can work around this.

-- 
Lauri Tirkkonen
Niksula systems specialist

Re: Samsung Notebook: acpitz0 critical temp since sept 25 snapshot

2014-10-09 Thread Remi Locherer

On Tue, Oct 07, 2014 at 10:10:54PM +0200, Remi Locherer wrote:
 Synopsis: Samsung Notebook: acpitz0 critical temp since sept 25 snapshot 
 Environment:
   System  : OpenBSD 5.6
   Details : OpenBSD 5.6-current (GENERIC.MP) #399: Sun Oct  5 
 21:53:59 MDT 2014

 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 
   Architecture: OpenBSD.amd64
   Machine : amd64
 
 Description:
   The Samsung 900X3F shuts down after boot with the message:
 acpitz0: critical temperature exceeded 144C, shutting down. The snapshot
 from September 17 was working fine. Since snapshot September 25 I'm seeing
 this.
 
 Strange thing: when I'm now booting the sept 17 snapshot kernel the notebook
 also shuts itselfe down with the above message. Does th kernel modify the
 acpi tables?
 

Now this is really strange: today I booted the Samsung notebook several
times with the kernel from snapshot oct 5. The problem with acpitz0
never occured. Can it be that the kernel sometimes is using a wrong
address to read acpi stuff? Or is Samsung using a strange acpi
implementation?

Remi

Re: ipsecctl -d

pf removes automatic tables inside inline anchors

Re: Samsung Notebook: acpitz0 critical temp since sept 25 snapshot

3 matches

Site Navigation

Mail list logo

Footer information