Re: pf and two ADSL links

2005-12-19 Thread Huzeyfe Onal
Hi,
Yes, you need the "Load Balance Outgoing Traffic" section in
http://www.openbsd.com/faq/pf/pools.html . I use two ADSL connections
with OpenBSD PF for employees and managers.

2005/12/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Hi All,

 Is merging two ADSL connections (from two different ISPs) into one OpenBSD
 router to serve local LAN a possible thing to do?

 Is pf load balancing the answer?

 Is this what we call load sharing or load balancing? I am still not clear
 if load sharing or load balancing is the correct term for what I am trying
 to do.

 Thanks heaps for any advice.




--
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/



OpenBSD related wallpaper

2005-12-19 Thread Viktor Berke
hi,

I've found some nice wallpapers here:

http://www.bsdnexus.com/wallpapers.htm



Re: pf and two ADSL links

2005-12-19 Thread yance
Hi Huzeyfe,

Is the solution really that simple? Any pointers as to where I can read
more about what works or what does not work in this scenario?

I read somewhere that true load balancing can only work if the two ADSL
connections end up at one ISP. Are your two links coming from two
different ISPs?

I am not really knowledgeable in this matter (load balancing or load
sharing), so please let me know if there are any solid articles somewhere.
I have googled this topic, but there is not even a handful of discussions
about it.

How do we know if it does work as a load balancer? How do we test it?
Would download/upload become faster? Would the second link become a
hot-swappable backup?

Thanks very much for your reply.

Yance

 Hi,
 Yes, you need the "Load Balance Outgoing Traffic" section in
 http://www.openbsd.com/faq/pf/pools.html . I use two ADSL connections
 with OpenBSD PF for employees and managers.

 2005/12/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Hi All,

 Is merging two ADSL connections (from two different ISPs) into one
 OpenBSD
 router to serve local LAN a possible thing to do?

 Is pf load balancing the answer?

 Is this what we call load sharing or load balancing? I am still not
 clear
 if load sharing or load balancing is the correct term for what I am
 trying
 to do.

 Thanks heaps for any advice.




 --
 Huzeyfe ÖNAL
 ---
 First Turkish Qmail book is out! Go check it.
 Have you heard? Turkey's first Qmail book is out.
 http://www.acikakademi.com/catalog/qmail/



Re: SGI Port, Partition P

2005-12-19 Thread Sebastiaan Indesteege
On Sun, 18 Dec 2005, Mark Nelson wrote:

 I've just installed OpenBSD 3.8 on an SGI O2, somehow by accident I have
 deleted partition p and therefore the machine will not boot into
 OpenBSD.  How do I re-create partition P?

It's been a while, but I once made this mistake too. To recover, you'll
need an IRIX cd set. Just boot from the bootable cd in this set. You'll
then have the option to initialize a fresh disk (I don't remember what it's
called anymore); that will recreate the P partition, among other things
(it also creates an XFS filesystem if I recall correctly).

Sorry I can't give you a more exact description of what to do; I just
remember that I fixed this problem once by using an IRIX cd set, and I
didn't fully reinstall IRIX.

Good luck,

Sebastiaan

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: pf and two ADSL links

2005-12-19 Thread Huzeyfe Onal
Hi,
The 2 ADSL connections are from the same ISP, but I use a separate ADSL
modem for each of them.

         |--Modem1(ADSL1)--|
Users---OpenBSD            |---ISP
         |--Modem2(ADSL2)--|

My solution isn't really load balancing; it only separates the managers'
and employees' internet connections. It doesn't provide HA.

2005/12/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Hi Huzeyfe,

 Is the solutions really that simple? Any pointers as to where I can read
 more about what works or what does not work in this scenario?

 I read somewhere that true load balancing can only work if the two ADSL
 connections end up at one ISP. Are your two links coming from two
 different ISPs?

 I am not really knowledgeable in this matter (load balancing or load
 sharing), so please let me know if there are any solid articles somewhere.
 I have googled this topic, but there is not even a handful discussion
 about this topic.

 How do we know if it does work as a load balancer? How do we test it?
 Would download/upload become faster? Would the second link become a
 hot-swappable backup?

 Thanks very much for your reply.

 Yance

  Hi,
  Yes, you need the "Load Balance Outgoing Traffic" section in
  http://www.openbsd.com/faq/pf/pools.html . I use two ADSL connections
  with OpenBSD PF for employees and managers.
 
  2005/12/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
  Hi All,
 
  Is merging two ADSL connections (from two different ISPs) into one
  OpenBSD
  router to serve local LAN a possible thing to do?
 
  Is pf load balancing the answer?
 
  Is this what we call load sharing or load balancing? I am still not
  clear
  if load sharing or load balancing is the correct term for what I am
  trying
  to do.
 
  Thanks heaps for any advice.
 
 
 
 
  --
  Huzeyfe ÖNAL
  ---
  First Turkish Qmail book is out! Go check it.
  Have you heard? Turkey's first Qmail book is out.
  http://www.acikakademi.com/catalog/qmail/




--
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/



Re: solutions that interoperate with win xp

2005-12-19 Thread MK

Hello

I'm trying to do the same thing as you are.

LAN - OpenBSD - internet - NAT - windows_xp_client

I followed http://openbsd.cz/~pruzicka/vpn.html but I still have a problem. I
don't know what's wrong; maybe something with NAT-T.


Here is a debug log from isakmpd

115924.644366 Default log_debug_cmd: log level changed from 0 to 999 for 
class 9 [priv]
115924.645080 Default log_debug_cmd: log level changed from 0 to 999 for 
class 8 [priv]
115924.645376 Default log_debug_cmd: log level changed from 0 to 999 for 
class 7 [priv]
115924.645695 Default log_debug_cmd: log level changed from 0 to 999 for 
class 6 [priv]
115924.645989 Default log_debug_cmd: log level changed from 0 to 999 for 
class 5 [priv]
115924.646283 Default log_debug_cmd: log level changed from 0 to 999 for 
class 4 [priv]
115924.646577 Default log_debug_cmd: log level changed from 0 to 999 for 
class 3 [priv]

115924.649575 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.650116 Sdep 80 02070002 0200 0100 f534  [priv]
115924.650730 Sdep 80 pf_key_v2_read: msg: [priv]
115924.651096 Sdep 80 02070002 1500 0100 f534 07000e00  
0300a000 a000 [priv]
115924.651457 Sdep 80 02008000 8000 0800a000 a000 0501 0001 
06008001 8001 [priv]
115924.651817 Sdep 80 0702 0002 09000f00  0b00  
02404000 4000 [priv]
115924.652176 Sdep 80 0340c000 c000 07402800 c001 06402800 8000 
f9405000 5000 [priv]
115924.652536 Sdep 80 0c808000 0001 0d80a000 2001 03001e00  
0200  [priv]

115924.652845 Sdep 80 0300   [priv]
115924.653152 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.653465 Sdep 80 02070001 0200 0200 f534  [priv]
115924.653810 Sdep 80 pf_key_v2_read: msg: [priv]
115924.654163 Sdep 80 02070001 1500 0200 f534 07000e00  
0300a000 a000 [priv]
115924.654523 Sdep 80 02008000 8000 0800a000 a000 0501 0001 
06008001 8001 [priv]
115924.654887 Sdep 80 0702 0002 09000f00  0b00  
02404000 4000 [priv]
115924.655475 Sdep 80 0340c000 c000 07402800 c001 06402800 8000 
f9405000 5000 [priv]
115924.655842 Sdep 80 0c808000 0001 0d80a000 2001 03001e00  
0200  [priv]

115924.656150 Sdep 80 0300   [priv]
115924.656456 Sdep 80 pf_key_v2_write: iov[0]: [priv]
115924.656771 Sdep 80 02070009 0200 0300 f534  [priv]
115924.657189 Sdep 80 pf_key_v2_read: msg: [priv]
115924.657546 Sdep 80 02070009 1500 0300 f534 07000e00  
0300a000 a000 [priv]
115924.657907 Sdep 80 02008000 8000 0800a000 a000 0501 0001 
06008001 8001 [priv]
115924.658268 Sdep 80 0702 0002 09000f00  0b00  
02404000 4000 [priv]
115924.658629 Sdep 80 0340c000 c000 07402800 c001 06402800 8000 
f9405000 5000 [priv]
115924.658989 Sdep 80 0c808000 0001 0d80a000 2001 03001e00  
0200  [priv]

115924.659298 Sdep 80 0300   [priv]
115924.925524 Default conf_parse: last line unterminated, ignored.
115925.240648 Plcy 30 policy_init: initializing
115925.241648 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/ca/
115925.242232 Cryp 40 x509_read_from_dir: reading certs from 
/etc/isakmpd/certs/
115925.242710 Cryp 40 x509_read_crls_from_dir: reading CRLs from 
/etc/isakmpd/crls/

115925.245324 Cryp 60 hash_get: requested algorithm 0
115925.245667 Exch 50 nat_t_setup_hashes: MD5(draft-ietf-ipsec-nat-t-ike-02
) (16 bytes)
115925.245948 Exch 50 nat_t_setup_hashes:
115925.246253 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
115925.246540 Exch 50 nat_t_setup_hashes: 
MD5(draft-ietf-ipsec-nat-t-ike-03) (16 bytes)

115925.246822 Exch 50 nat_t_setup_hashes:
115925.247127 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
115925.247418 Exch 50 nat_t_setup_hashes: MD5(RFC 3947) (16 bytes)
115925.247698 Exch 50 nat_t_setup_hashes:
115925.248002 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
115943.844877 SA   90 sa_find: no SA matched query
115943.845472 Timr 10 timer_add_event: event exchange_free_aux(0x7c497900) 
added last, expiration in 120s

115943.845787 Cryp 60 hash_get: requested algorithm 1
115943.846262 Exch 10 exchange_setup_p1: 0x7c497900 ISAKMP-clients 
win-main-mode policy responder phase 1 doi 1 exchange 2 step 0
115943.846574 Exch 10 exchange_setup_p1: icookie 85c5cc7a21a50111 rcookie 
e8127aeaf5c96719

115943.846856 Exch 10 exchange_setup_p1: msgid 
115943.847157 SA   80 sa_reference: SA 0x7c497a00 now has 1 references
115943.847438 SA   70 sa_enter: SA 0x7c497a00 added to SA list
115943.847724 SA   80 sa_reference: SA 0x7c497a00 now has 2 references
115943.848007 SA   60 sa_create: sa 0x7c497a00 phase 1 added to exchange 
0x7c497900 (ISAKMP-clients)

115943.848301 SA   80 sa_reference: SA 0x7c497a00 now has 3 references
115943.848660 Exch 90 dpd_check_vendor_payload: bad size 20 != 16
115943.848947 

Re: balancing traffic with two links

2005-12-19 Thread Alexander Hall

Marcos Marconcini wrote:


I'm not sure. I saw someone ask a similar question some weeks ago, but the mail
from the openbsd list was incidentally deleted. /.../


With so many fine archives that should not be a problem, right? ;-d

Here's one:
  http://marc.theaimsgroup.com/?l=openbsd-misc

/Alexander



Re: disklabel and ext3 partitions on amd64

2005-12-19 Thread Simon Morgan
On 18/12/05, steven mestdagh [EMAIL PROTECTED] wrote:
 I see the same happening on 3.8-release vs. 3.8-current on i386 for
 systems with foreign filesystems. Not sure why.

Think it could be a bug?



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Ste Jones
On 12/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 heya,

 i've been grinding away to get a VPN setup where i can have win xp clients
 connect to my openbsd firewall and access the network behind it. i have tried 
 a
 number of things, none of which have yet worked for all my users. i am very 
 much
 interested in hearing from other admins who have currently working solutions
 along these lines. i have setup isakmpd between my home and my business
 location, so i know i am not a complete idiot when it comes to this stuff ;).

 when i tried to use the native windows IPsec implementation, both as described
 in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was 
 not
 able to get anywhere. when i used ipseccmd.exe, it would not give me any 
 useful
 debugging outputs and crashed a couple times while i was trying to set this 
 up.
 i would very much like to have a setup using the native IPsec in win xp, but 
 am
 utterly in the dark as to the win xp configuration side of things.

 i have also setup openvpn, which works great for me from home, and i have been
 able to successfully get this working. however, one of the users that connects
 to my VPN is having problems making openvpn and his kerio firewall play 
 nice,
 and a working openvpn configuration cannot survive a reboot due to win xp 
 being
 such a great OS.

 i am also aware of the green bow VPN client that is known to interoperate 
 with
 isakmpd. i have avoided using this solution since i know it to be a resource 
 hog
 on win xp. anybody else's views on this software would be nice.

 anything that you think could help me get a VPN with win xp talking to my
 openbsd firewall would be awesome. i would love a howto for the win xp 
 boxes,
 but a smack with the cluestick is likely all i need. it would be nice for this
 to NOT use certificates, as i'd like to get a shared secret setup working 
 first,
 then switch to certs later.

 cheers,
 jake



Hello

I am looking at doing the same thing, from a conversation i had over
the weekend i think you need to use virtual-id's and run proxy arp on
the internal interface.

Hope that helps
Cheers
Steve



Re: solutions that interoperate with win xp

2005-12-19 Thread Siegbert Marschall
Hi,

 Hello

 I'm trying to do the same thing as you are.

 LAN - OpenBSD - internet - NAT - windows_xp_client

Maybe you should get the NAT out of the way first and get
it working without it; getting IPsec to work over NAT is not
trivial and, depending on the NAT device, sometimes impossible.

bye, siggi.



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Heinrich Rebehn

[EMAIL PROTECTED] wrote:

heya,

i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.

i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall play nice,
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.

i am also aware of the green bow VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a howto for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.

cheers,
jake



Hi jake,

I have been successfully using the Windows XP native IPSec client for 
some 2 years now. There is a good configuration tool at 
http://vpn.ebootis.de/ which reads a configuration file and executes the 
ipseccmd commands needed for setting up the tunnel. Latest version is 
2.2, i am using 2.1.4.


You do need XP Service Pack 2. Also you must install the windows support 
tools as mentioned on Marcus' web page. Note that if you already 
installed them before installing SP2, you must also upgrade the support 
tools after installing SP2.


As for windows debug output, look for oakley log in 
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx


This works with certificates (somewhat tricky to setup) as well as with 
preshared secret.


HTH,
Heinrich
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341



USB Hard Drive

2005-12-19 Thread Dan Smythe
Where can I find a list of USB hard drives supported
by openbsd?



Re: openbgpd + neighbor configuration

2005-12-19 Thread Henning Brauer
* Philip Olsson [EMAIL PROTECTED] [2005-12-18 00:25]:
 If I add prepend-self etc to a neighbor while openbgpd is running and
 then doing I a reload, should openbgpd understand that this has changed
 and manipulate the routingtable accordingly ?

no, it will prepend-self however on all routes learned from that 
neighbor from the point on where you reload the config

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread raff
[EMAIL PROTECTED] wrote:
 heya,
 
 i've been grinding away to get a VPN setup where i can have win xp clients
 connect to my openbsd firewall and access the network behind it. i have tried 
 a
 number of things, none of which have yet worked for all my users. i am very 
 much
 interested in hearing from other admins who have currently working solutions
 along these lines. i have setup isakmpd between my home and my business
 location, so i know i am not a complete idiot when it comes to this stuff ;).
 

as for me, howto described in http://openbsd.cz/~pruzicka/vpn.html works
with no problems.
here are my config files:

##isakmpd.conf##

[General]
Policy-file=            /etc/isakmpd/isakmpd.policy
Retransmits=            4
Listen-On=              ext_if_ip

# The phase 1 section is keyed by the peer's address (the XP client's
# public IP). "Default=" instead of an address accepts phase 1 from any peer.
[Phase 1]
peer1_ext_ip=           peer1

[Phase 2]
Passive-Connections=    peer2

[peer1]
Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
Authentication=         somepass

[peer2]
Phase=                  2
# must name the [peer1] section above
ISAKMP-peer=            peer1
Configuration=          Default-quick-mode
Local-ID=               local-net
Remote-ID=              peer-net

[peer-net]
ID-type=                IPV4_ADDR
Address=                peer_ext_ip

[local-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

##isakmpd.policy##

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

##xp settings##

ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2

if you want to preserve the ipseccmd settings (e.g. across a reboot) you can
add '-w reg -p somename' to your command line to store them in the
windows registry, and so they'll also be visible via the mmc/ipsec console.

on the obsd firewall you have to pass traffic on enc0 and, on ext_ip, incoming
udp on port 500 (and 4500 if your xp clients are behind a nat which
changes source port numbers)

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

hope it will help you.
sorry for my english ;)

--
raff
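
The pf side of the setup raff describes (pass IKE and NAT-T on the external
address, pass the encrypted traffic, then filter the decrypted packets on enc0),
as an added example that is not part of raff's post or of the OpenBSD
documentation. It uses 3.8-era pf syntax; the interface names, the LAN prefix
and the <vpn_clients> table are placeholders for this illustration, and the
enc0 ipencap rule follows the pattern the vpn(8) manual of that era shows for
tunnel mode:

```pf
# Added example: pf.conf fragment for the OpenBSD side of an XP road-warrior
# IPsec setup (3.8-era syntax). Names, prefixes and addresses are placeholders.
ext_if  = "fxp1"
int_if  = "fxp0"
lan_net = "192.168.1.0/24"

# Inner (pre-NAT) addresses the XP clients present on enc0. A client on a
# public address uses that address; a client behind a NAT router presents its
# private LAN address, so list what you actually expect rather than "any".
table <vpn_clients> { 203.0.113.7, 192.168.7.0/24 }

block log all
pass quick on lo0 all

# Phase 1/2 negotiation with isakmpd. 4500 is the NAT-T port; without it a
# client behind a NAT that rewrites source ports never completes phase 1.
pass in  on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state

# The encrypted payload. With NAT-T it travels inside UDP 4500 and the rule
# above already covers it; clients not behind NAT send bare ESP (protocol 50).
pass in  on $ext_if proto esp from any to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to any

# Tunnel-mode packets also pass enc0 as ipencap (vpn(8) of that era shows this).
pass in on enc0 proto ipencap from any to ($ext_if)

# Decrypted traffic appears on enc0 carrying the INNER addresses. Filter here,
# and allow only what the tunnel is meant to carry: clients talking to the LAN.
pass in  on enc0 from <vpn_clients> to $lan_net keep state
pass out on enc0 from $lan_net to <vpn_clients> keep state

# LAN hosts answering or initiating towards the clients enter on $int_if.
pass in on $int_if from $lan_net to <vpn_clients> keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading. For the NAT-T case
the kernel must also accept ESP-in-UDP, i.e. `sysctl net.inet.esp.udpencap=1`.
To see whether phase 2 actually produced a tunnel, `netstat -rn -f encap` lists
the installed flows, `tcpdump -ni enc0` shows the decrypted packets, and
`tcpdump -n -e -ttt -i pflog0` shows what `block log` dropped; if the drops are
on enc0 the table above is wrong about the client's inner address, if they are
UDP 4500 on $ext_if the client is behind a NAT and the 4500 rule is missing.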



Re: Ruby queries

2005-12-19 Thread Edd Barrett
On 19/12/05, Gerardo Santana Gómez Garrido [EMAIL PROTECTED]
wrote:

 Did it work?



Nope, we have breakage :o
Will post a bug report to ports@

Best Regards

Edd



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Greg Mortensen

On Sun, 18 Dec 2005, [EMAIL PROTECTED] wrote:


i would love a howto for the win xp boxes ...


  Charles Dietlein has written a document[1] detailing how to get WinXP's 
native IPSec talking with OpenBSD, using MMC and the IPSec snapin. (While 
its focus is replacing WEP with IPSec, the information is relevant to 
your situation.)


  Regards,
Greg

[1] http://www.dietlein.com/requisites/ipsec/

 \|/   ___   \|/[EMAIL PROTECTED]+- 2048R/38BD6CAB -+
  @~./'O o`\.~@| 02BD EF81 91B3 1B33 64C2 |
 /__( \___/ )__\   | 3247 6722 7006 38BD 6CAB |
`\__`U_/'  +--+



Re: openbgpd + neighbor configuration

2005-12-19 Thread Claudio Jeker
On Sun, Dec 18, 2005 at 12:24:09AM +0100, Philip Olsson wrote:
 Hello
 
 If I add prepend-self etc to a neighbor while openbgpd is running and
 then doing I a reload, should openbgpd understand that this has changed
 and manipulate the routingtable accordingly ?
 

On -current bgpd supports softreconfig out (output filters are updated on
reload). softreconfig in is more problematic -- the RIB needs to be
modified and extended to hold the original prefixes.

prepend-self is implemented as an outbound filter and so it should get
adjusted automatically (most other attributes are set on incoming
messages; those will not yet get updated).

-- 
:wq Claudio



Re: VIA fanless motherboard - NICS

2005-12-19 Thread Greg Mortensen

On Sat, 17 Dec 2005, martin wrote:
I'm looking at a VIA motherboard with the following NICS.

3 x INTEL 82551QM  1x 82540EM (Gigabit)

Any issues with these ? (Commell LE-564 - Eden 533MHz)


  If you intend on using the fxp NICs to do bridging with pf + scrub 
rules, you'll get kernel panics[1].  It's unclear what's actually causing 
them, though[2].  Other than that, they're fast little boxes.


  Regards,
Greg

[1] http://marc.theaimsgroup.com/?l=openbsd-bugsm=113138720504668w=2
[2] http://marc.theaimsgroup.com/?l=openbsd-bugsm=113257636330953w=2

 \|/   ___   \|/[EMAIL PROTECTED]+- 2048R/38BD6CAB -+
  @~./'O o`\.~@| 02BD EF81 91B3 1B33 64C2 |
 /__( \___/ )__\   | 3247 6722 7006 38BD 6CAB |
`\__`U_/'  +--+



Re: perl - problem 'checksum mismatch' almost solved

2005-12-19 Thread Markus Wernig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Uwe Dippel wrote:
 [You find this repeatedly in the archive]
 
 Since I had this throughout the versions, including 3.8, I looked into
 this a bit deeper:
 cpan -MCPAN -e shell
 and everything subsequent bombs out with a checksum mismatch.
[...]
 A shortcut to this: you install p5-Compress-Zlib from the ports or
 packages, and cpan will use this as its native application early on.
 (Which explains why some have never experienced this problem: all those
 who had it installed from ports or packages before attempting cpan).

Another workaround that worked for me: install gtar and tell cpan to
use it.

/m
iD8DBQFDps1B8BX/d8pVi/cRAraEAKCgPl53XHtaj9KkG2ThAyYv2Bjd5ACfQkh7
sXqOAwKbeBp4qJbvO0Q1dE0=
=igDA
-END PGP SIGNATURE-



Re: VIA fanless motherboard - NICS

2005-12-19 Thread RedShift
Does it happen on *all* fxp cards? Even on other boxes using different 
motherboards/CPUs?


Greg Mortensen wrote:

On Sat, 17 Dec 2005, martin wrote:
I'm looking at a VIA motherboard with the following NICS.

3 x INTEL 82551QM  1x 82540EM (Gigabit)

Any issues with these ? (Commell LE-564 - Eden 533MHz)



  If you intend on using the fxp NICs to do bridging with pf + scrub 
rules, you'll get kernel panics[1].  It's unclear what's actually 
causing them, though[2].  Other than that, they're fast little boxes.


  Regards,
Greg

[1] http://marc.theaimsgroup.com/?l=openbsd-bugsm=113138720504668w=2
[2] http://marc.theaimsgroup.com/?l=openbsd-bugsm=113257636330953w=2

 \|/   ___   \|/[EMAIL PROTECTED]+- 2048R/38BD6CAB -+
  @~./'O o`\.~@| 02BD EF81 91B3 1B33 64C2 |
 /__( \___/ )__\   | 3247 6722 7006 38BD 6CAB |
`\__`U_/'  +--+




Re: pf and two ADSL links

2005-12-19 Thread Craig Skinner
On Mon, Dec 19, 2005 at 11:29:25AM +0200, Huzeyfe Onal wrote:
 Hi,
 The 2 ADSL connections are from the same ISP, but I use a separate ADSL
 modem for each of them.
 
          |--Modem1(ADSL1)--|
 Users---OpenBSD            |---ISP
          |--Modem2(ADSL2)--|
 
 
 My solution isn't really load balancing; it only separates the managers'
 and employees' internet connections. It doesn't provide HA.
 
 

Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to the same 
infrastructure being used.

If you need redundancy, try a DSL and a cable TV broadband or leased line.

That way if the exchange has problems (and they do), you are using different 
media for the other line.

Craig.



Re: pf and two ADSL links

2005-12-19 Thread Gordon Ross
 On 19 December 2005 at 15:39:44, in message
[EMAIL PROTECTED], Craig Skinner
[EMAIL PROTECTED] wrote:
 Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to
the same 
 infrastructure being used.
 
 If you need redundancy, try a DSL and a cable TV broadband or leased
line.

Ensuring that the leased line goes through different exchanges to the
ADSL circuit

 That way if the exchange has problems (and they do), you are using
different 
 media for the other line.

Been there. Got stuffed.

GTG



Re: ettercap

2005-12-19 Thread Ricardo Lucas
 Don't play with toys which you cannot understand.

I think that playing is the most likely way to learn how to use the
toys.


 Why don't you go back to the Microsoft Windows(tm) desktop?

Well, I think everyone could answer that!


 Please start with http://wikibooks.org and learn about basic Unix usage,
 and then read the manual pages mentioned below. You have a big gap in your
 knowledge of your current operating system (OpenBSD). Sorry, but those are
 the facts. I won't reply to your mail anymore if I don't see any progress.

I know there is a BIG gap in my knowledge; if I didn't have this gap I
wouldn't be disturbing this list. I'm here to learn, just that. If you're
not able to answer me, OK, that's your right.

$ man afterboot
learned

$ man man
learned

$ man ksh
about to read

$ man vi
learned

$ man ports
about to read

My best regards for you

--
Abraços
Ricardo Lucas

We have to stop being egoists and think more about ourselves.



Increasing Maximum Number of Groups per User

2005-12-19 Thread Michael Siers
Hi,
I have an OpenBSD 3.8 system on which I have reached the default maximum
number of groups allowed per user (16). I need to increase this amount, which
I believe is controlled by the constant NGROUPS_MAX in the sys/syslimits.h
include file.

So I have increased the NGROUPS_MAX value and rebuilt the kernel, but it
seems like this kernel has problems mounting the different hard drive
partitions. In order for me to increase the maximum number of groups allowed
per user, do I also need to rebuild the world? Do I need to make any other
changes beside NGROUPS_MAX? Or is there an alternative way to accomplish
this?

Any recommendations or procedures on how to do this would be greatly
appreciated.

Thanks
Mike



Re: pf and two ADSL links

2005-12-19 Thread Stuart Henderson
 [EMAIL PROTECTED] wrote:
  Unfortunately, 2 ADSLs/SDSL cannot provide high availability due to
 the same 
  infrastructure being used.
  
  If you need redundancy, try a DSL and a cable TV broadband or leased
 line.
 
 Ensuring that the leased line goes through different exchanges to the
 ADSL circuit

...and that they don't all cross the country on the same fibre route.
(though, you probably won't be able to determine this in the case of
these consumer-grade connections).

Multiple ADSL, even on copper from just one telco, can easily have:

1. different kit terminating PPP sessions
2. different modem/router at your end
3. different interconnect point with the telco
4. in areas with unbundled connections, different dslams.

In the case of the UK using BT, putting them on different contention
ratios is meant to help too (aaisp mention this, istr). These measures
don't always help (e.g. in the case of a telco using radius proxies
which are malfunctioning) but probably are worthwhile for some users.

The problems I personally have seen the most of are 1 and 2, which
are solved quite nicely by natting a connection with a source address
of whichever of two providers is functional (or tunnelling to a 3rd
point on a highly-reliable network if you want to use real addresses).
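
The ruleset Huzeyfe describes earlier in the thread (one group pinned to one
link, everyone else spread over both) together with the per-link source NAT
Stuart mentions, as an added example that is not from the FAQ or from anyone in
this thread. It uses 3.8-era pf syntax; the interface names, gateway addresses
and the <managers> table are placeholders, and the sticky-address option on a
route-to pool is assumed to be accepted by the version in use (pfctl -nf will
say):

```pf
# Added example: /etc/pf.conf fragment for two ADSL links on one OpenBSD
# router (3.8-era syntax: explicit "nat on", explicit "keep state").
# Interface names, addresses and gateways are placeholders.
int_if  = "fxp0"
ext_if1 = "fxp1"          # to Modem1 (ADSL1)
ext_if2 = "fxp2"          # to Modem2 (ADSL2)
ext_gw1 = "10.1.1.1"      # Modem1's LAN-side address (placeholder)
ext_gw2 = "10.2.2.1"      # Modem2's LAN-side address (placeholder)
lan_net = "192.168.1.0/24"

# Hosts that must always leave through ADSL1 (the "managers" split).
table <managers> { 192.168.1.10, 192.168.1.11 }

# Source NAT per link: a packet leaving on a link must carry that link's
# address, or the ISP drops it and the reply never comes back.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block log all
pass quick on lo0 all

# Traffic to and from the router itself on the LAN side.
pass in  quick on $int_if from $lan_net to $int_if keep state
pass out quick on $int_if from any to $lan_net keep state

# Pinned group: policy routing, not balancing. "quick" is needed because pf
# is last-match and <managers> is also inside $lan_net below.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from <managers> to any keep state

# Everyone else: per-connection round-robin over both links. sticky-address
# keeps one LAN host on one link while it has states; without it, servers
# that tie a session to the client address (HTTPS logins, banking sites)
# see the source address change mid-session and drop the session.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address \
    proto { udp, icmp } from $lan_net to any keep state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# The routing table knows only one default route, so replies and locally
# generated packets carrying the other link's address would leave on the
# wrong interface; push them back to the link whose address they carry.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

To answer Yance's "how do we test it": from two different LAN hosts fetch a
page that echoes the visitor's address and check that they show the two ISP
addresses; `pfctl -vsr` shows the hit and byte counters of each route-to rule,
and `pfctl -ss` shows which states went through which gateway. This is load
sharing, not high availability: pf does not watch link health, so a pool entry
pointing at a dead modem silently blackholes its share of new connections.
Failover needs something outside pf, e.g. ifstated(8) or a cron script that
pings through each link and reloads a one-link ruleset when one fails, which is
exactly the "NAT with the source address of whichever provider is functional"
arrangement Stuart describes.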



Re: VIA fanless motherboard - NICS

2005-12-19 Thread Greg Mortensen

On Mon, 19 Dec 2005, RedShift wrote:

Does it happen on *all* fxp cards? Even on other boxes using different 
motherboards/CPU's?


  I can confirm that it also occurs on a HP Kayak XU800 (x86) with fxp 
interfaces, from 3.6 onwards.


  Regards,
Greg

 \|/   ___   \|/[EMAIL PROTECTED]+- 2048R/38BD6CAB -+
  @~./'O o`\.~@| 02BD EF81 91B3 1B33 64C2 |
 /__( \___/ )__\   | 3247 6722 7006 38BD 6CAB |
`\__`U_/'  +--+



New Message from Capital One

2005-12-19 Thread Online Banking

Dear Capital One Client,

 This is your official notification from Capital One that the service(s)
listed below
 will be deactivated and deleted if not renewed immediately. Previous
notifications have
 been sent to the Billing Contact assigned to this account. As the
Primary Contact, you
 must renew the service(s) listed below or it will be deactivated and
deleted. 

Renew Now your Capital One Bill Pay Services.

If you are not enrolled at Online Banking, please enter your SSN as
Username, and account number as Password.

 SERVICE : Capital One Bill Pay.
 EXPIRATION: December 30, 2005
 Thank you, sincerely,

Tricia Doyle
Customer Service
  
IMPORTANT CUSTOMER SUPPORT INFORMATION
   Document Reference:
(87051203).

Capital One Bank, Capital One, F.S.B., members FDIC. ©2005 Capital One
Services, Inc.
Capital One is a federally registered service mark. All rights reserved.

* Please do not reply to this message. For any inquiries, contact
Customer Service.




Re: OpenBSD beep

2005-12-19 Thread Daniel A. Ramaley
On Sunday 18 December 2005 03:05, you wrote:
And my machine is old, it's Celeron 500 on Chaintech CT-6BTA3 with
 Intel 82440BX chipset, and my motherboard didn't provide any
 information about cpu/system temp...

I'd suggest opening the case and seeing if all cooling fans are running; 
on older machines the moving parts often start to wear out. I'm not 
familiar with your exact hardware, but many motherboards will emit a 
speaker beep if there is a problem. If you have the manual for the 
board, try looking up the beep code; you'll need to pay attention to 
how often it happens and the pattern of beeps when it does.


Dan Ramaley
Network Programmer/Analyst
(515) 271-4540
Dial Center 118, Drake University



OpenBSD on virtual machine community page

2005-12-19 Thread Will H. Backman
My OpenBSD 3.8 virtual machine image has made it on to the VMWare
community virtual machine page.  Perhaps this means that more people
will be trying out OpenBSD.  My page does warn people not to expect the
OpenBSD project to support this.

I hope this will be a benefit to the OpenBSD community by giving people
an easy way to try it out.  If this causes headaches, let me know and
I'll pull the image from my site.

http://www.vmware.com/vmtn/vm/community.html

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: OpenBSD beep

2005-12-19 Thread dimaz

Daniel A. Ramaley wrote:

 On Sunday 18 December 2005 03:05, you wrote:

  And my machine is old, it's Celeron 500 on Chaintech CT-6BTA3 with
  Intel 82440BX chipset, and my motherboard didn't provide any
  information about cpu/system temp...

 I'd suggest opening the case and seeing if all cooling fans are running; 
 on older machines the moving parts often start to wear out. I'm not 
 familiar with your exact hardware, but many motherboards will emit a 
 speaker beep if there is a problem. If you have the manual for the 
 board, try looking up the beep code; you'll need to pay attention to 
 how often it happens and the pattern of beeps when it does.

 Dan Ramaley
 Network Programmer/Analyst
 (515) 271-4540
 Dial Center 118, Drake University

I'll look in the case, but I don't think that it's only hardware; OpenBSD
has an impact on this, because in the past, when my mini-server was running
Linux, there were no such beeps...




Re: OpenBSD beep

2005-12-19 Thread Simon Morgan
On 19/12/05, dimaz [EMAIL PROTECTED] wrote:
 I'll look in case, but I don't think that it's only hardvare, openbsd is
 impact on this, because in past, when my mini-server were running on
 linux there were no such beeps...

Why do you think Daniel said wear out? Things wear out over time
(fans being a prime example, especially the cheap shit ones that seem
to be par for the course these days), not because of the transition
from one operating system to another.



Re: pf and two ADSL links

2005-12-19 Thread Craig Skinner
On Mon, Dec 19, 2005 at 03:57:08PM +, Gordon Ross wrote:
  If you need redundancy, try a DSL and a cable TV broadband or leased
 line.
 
 Ensuring that the leased line goes through different exchanges to the
 ADSL circuit

Since we are both in the UK, did you consider Telewest Leased Lines?

All the lines that we provision with them, they use their own POPs to connect 
to dark fibre, and never go to BT's network, and hence an exchange.

We also provision BT and Thus/Scottish Telecom Leased Lines, which do use BT 
exchanges, so no help in that regard.

Colo is still the best option for HA.

 
  That way if the exchange has problems (and they do), you are using different
  media for the other line.
 
 Been there. Got stuffed.

Bugger.

 
 GTG



Re: pf and two ADSL links

2005-12-19 Thread Craig Skinner
On Mon, Dec 19, 2005 at 05:57:58PM +, Stuart Henderson wrote:
   If you need redundancy, try a DSL and a cable TV broadband or leased
  line.
  
  Ensuring that the leased line goes through different exchanges to the
  ADSL circuit
 
 ...and that they don't all cross the country on the same fibre route.
 (though, you probably won't be able to determine this in the case of
 these consumer-grade connections).

Which is why multi DSL is not an HA solution. BT do not offer an SLA on
any ADSL service, and all UK ADSL is operated by them, with the minor
exception of LLU. At work, we do LLU SDSL, not ADSL, but most of our
DSLAMs reside in BT exchanges, and hook into backhauls from various
providers. BT still operates the copper from the exchange to the EU
building with LLU. Small ISPs don't have the ability to lay cables
through central business districts.

 
 Multiple ADSL, even on copper from just one telco, can easily have:
 
 1. different kit terminating PPP sessions
 2. different modem/router at your end
 3. different interconnect point with the telco

No, copper from one address always runs to the same exchange.

 4. in areas with unbundled connections, different dslams.

AFAIK there is only one UK operator unbundling for ADSL, in some southern
exchanges (eg London  there abouts). Many ISPs unbundle for SDSL in areas
that they operate in, but no-one does it nationally. But the ADSL and SDSL
will still run down the same copper bundle under the street to the same
exchange, so there is no physical redundancy.

I've seen it often enough where a firm has both ADSL and SDSL into their
HQ, and a JCB has dug through the footpath and taken the lot out. I've
had rats chew through leased lines on the Forth Road Bridge and organised
the cops to stop traffic so that Telewest can patch the cable.

We run leased lines from 1meg up to 100meg, and some firms think that
one line is enough, until it goes down.

Look to different media altogether for HA.

 
 In the case of the UK using BT, putting them on different contention
 ratios is meant to help too (aaisp mention this, istr). These measures
 don't always help (e.g. in the case of a telco using radius proxies
 which are malfunctioning) but probably are worthwhile for some users.
 
 The problems I personally have seen the most of are 1 and 2, which
 are solved quite nicely by natting a connection with a source address
 of whichever of two providers is functional (or tunnelling to a 3rd
 point on a highly-reliable network if you want to use real addresses).
 

This is all fine for messing about at home or in a small style, no SLA
business. You need multiple routes for HA, and Telewest don't do static
IPs on consumer cable blueyonder. If you contact TW for a business
connection, and you can't afford a LL, they will resell BT's ADSL with
a static IP. Different ISPs, but same media, so no good.

ADSL and blueyonder is a good cheap SOHO outbound solution (dynamic
IPs). Each is cheap enough so that it doesn't matter if one or the other
is down for a week. And the chances of both going down at the same time
are good enough for SOHO situations.

When an ADSL is faulted to BT via eCo once a fault has been detected
through Woosh, the GPMS case will sit in the diagnostics queue for 48
hours before it is even looked at. Then resolution will typically
take another 3-5 days.

SDSL is a bit quicker, with turn arounds in about 2 days.

If you want to offer your customers an SLA, go colo and manage your
boxes via ADSL, ISDN, cable, whatever. In London, you can get a U
for £500 PA, while one SDSL will cost £200 per month, and be less
reliable.

Just my 2p after supporting ADSL, SDSL, Leased Lines, colo space, etc.

Craig.
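For readers who came to this thread for the pf side rather than the UK telco side: the outbound sharing the thread keeps referring to looks like the following on an OpenBSD 3.8-era router. This is an added illustration, not a config posted by anyone in the thread. The interface names (pppoe0, pppoe1, rl0), the gateway addresses (RFC 5737 documentation space standing in for the ISPs' far-end PPP addresses) and the LAN prefix are assumptions for the example.

```conf
# Two ADSL uplinks shared per connection with pf (OpenBSD 3.8 syntax).
# All names and addresses below are assumed for the example.
ext_if1 = "pppoe0"
ext_gw1 = "192.0.2.1"
ext_if2 = "pppoe1"
ext_gw2 = "198.51.100.1"
int_if  = "rl0"
lan_net = "192.168.1.0/24"

# Translate LAN traffic to the address of whichever link it leaves on.
# The parentheses make pf re-read the interface address whenever the
# PPP session renegotiates and the dynamic IP changes.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block in log all

# Router <-> LAN.  "quick" keeps LAN-to-router traffic away from the
# route-to rule below, which must only see traffic headed upstream.
pass in  quick on $int_if from $lan_net to ($int_if) keep state
pass out quick on $int_if from any to $lan_net keep state

# Spread new outbound connections across both links, one connection at a
# time.  This is per-connection sharing, not bonding: a single download
# still gets one link's bandwidth.  Append "sticky-address" after
# round-robin if a LAN host must keep one public address across
# connections (some sites tie a session to the client's address).
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $lan_net to any keep state

# Packets already carrying one ISP's address (including the router's own
# traffic) must leave through that ISP regardless of the default route,
# or the other ISP sees a foreign source address and may drop it.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state

# Inbound services: answer on the link the request arrived on.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port ssh flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port ssh flags S/SA keep state
```

To see it working, open several outbound connections from a LAN host and watch `pfctl -ss`: the translated source addresses should alternate between the two provider addresses. The caveat Stuart's "whichever of two providers is functional" hints at is that pf itself never checks whether a link is alive. If one PPP session stays up but the ISP black-holes traffic behind it, round-robin keeps handing every other new connection to the dead link. Detecting that has to happen outside pf, for instance with ifstated(8) pinging a host through each link and loading a ruleset (and default route) with the dead entry removed when a probe fails.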



Application for you, your company, or to pass on

2005-12-19 Thread Gilles_Bornet_dit_Vorgeat
Application for you, your company, or to pass on
Dear Madam/Sir,

On 30 November 2001 my position as a software developer at Technology
Transfer and Training SA (3T) in Nyon (VD) came to an end.
My work at that company was to build an Access application for contract
management. Besides an interface made of Access forms coordinated with
its tables, the application lets users automatically produce invoices
and reports that present the database's data, organised in suitable ways
for various needs: list of invoices, management charges, taxes,
long-term creditors, and so on.
The whole is integrated and automated with Visual Basic.
Note that this included developing a module that generates files in the
DTA format (Datenträgeraustausch, data carrier exchange), which are used
to make bank payments, and a module that can import the bank payment
data supplied by the Mammut software connected to UBS.
My work there began on 24 October 2001.

Before that, 12 October 2001 marked the end of my engagement with Arcade
Site in Geneva (GE), which had hired me from 17 September 2001 and for
which I developed a web site using a MySQL database and PHP scripts.
Besides a public section presenting works, artists and galleries sorted
by category, the site has an administration interface for managing the
categories, galleries, artists and works shown, and the links between
them, in a way that is friendly and easy for non-specialists.

Before that I worked for Mediasoft SA in Rolle (VD); my contract ran
from 11 to 22 June 2001. On that occasion I partly learned the Progress
integrated system.

Before that, between October 2000 and January 2001, for FTM Technology
in Echandens (VD), I carried out a fairly large internet development
job: a complete online polling and marketing system intended in
particular to let companies acquire customers.
This required designing a complex database with several applications
written in PHP, Flash and Java interacting with it.
Earlier, at the beginning of October 2000, for the same company, I had
designed an e-shop database configurable to the specific characteristics
of different projects.
During my engagement with this start-up I also looked after Windows 2000
servers.

Before that, during the summer of 2000, I developed ASP scripts, notably
for EIC SA, and I also worked for the UN.

Earlier I was an assistant at EPFL, where I developed a Java
design-assistance application for the MicroCE project, which consists
of a set of modules intended to systematise and automate the design
process for machines and systems.

That, in a few words, illustrates my skills in computing and the
internet.

Before finishing my secondary studies I completed vocational training in
accounting, which led to an internship.

So, besides my computing and internet skills, I am a perfectly capable
accountant.

My CV, attached, will give you further details; however, as I remain
bound by professional secrecy, I do not say everything in it.

Open-minded and capable, I submit my application to work with you or
with anyone interested.

Thank you in advance for your reply.
Yours faithfully,

   Gilles Bornet dit Vorgeat


Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Giancarlo Razzolini
[EMAIL PROTECTED] wrote:

 i have also setup openvpn, which works great for me from home, and i have been
 able to successfully get this working. however, one of the users that connects
 to my VPN is having problems making openvpn and his kerio firewall play 
 nice,
 and a working openvpn configuration cannot survive a reboot due to win xp 
 being
 such a great OS.
 

I would definitely stick with the openvpn solution. It's simpler to
implement, and i didn't understand the part that the configuration
cannot survive a reboot. Is this a problem on the user side? If it is,
the same potential to damage the openvpn setup could be used to damage
the ipsec setup. And i do have many clients of mine that use an openvpn
solution on windows XP without problems. You can even make your own
installation package
(http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html),
that places your certificates and conf files in the right place, so the
setup can be corrected with a few clicks of the user. It can even run
without administrator rights
(http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html).

Now about the kerio firewall, you should try to completely disable the
filtering on the tun/tap interface and/or disabling filtering on
the port that openvpn uses. Yes, that's another advantage, it uses only
ONE port, and is NAT friendly. So i always recommend openvpn.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: pf and two ADSL links

2005-12-19 Thread pedro la peu
 all UK ADSL is operated by them, with the minor exception of LLU.

What?

 AFAIK there is only one UK operator unbundling for ADSL, in some southern
 exchanges (eg London  there abouts).

What?

 I've seen it often enough where [...] a JCB has dug through the footpath and 
 taken the lot out

There are cheap enough alternatives.

 Look to different media alltogether for HA.

Don't exclude the cheap, predictable thing right under your nose.

 This is all fine for messing about at home or in a small style, no SLA
 business.

It's better than you think.

 When an ADSL is faulted to BT via eCo once a fault has been detected
 though Woosh, the GPMS case will sit in the diagnostics queue for 48
 hours before it is even looked at. Then resolution will typically
 take another 3-5 days.

BS. Shame on you.

 If you want to offer your customers an SLA

We know.



How can I switch the terminal?

2005-12-19 Thread openbsd shen
How do I switch the terminal in OpenBSD? It looks like it is not Alt+F[1-7] as
on Linux.
Thanks

Shen



Re: How can I switch the terminal?

2005-12-19 Thread Jason Crawford
On 12/19/05, openbsd shen [EMAIL PROTECTED] wrote:
 How do I switch the terminal in OpenBSD? It looks like it is not Alt+F[1-7] as
 on Linux.

http://www.openbsd.org/faq/faq7.html#SwitchConsole

Try reading the damn documentation first. Also try reading
http://www.openbsd.org/mail.html as well, thoroughly since you didn't
do it right the first time, you would have to have read it to get on
this mailing list. Btw, CTRL+ALT+F[1-7] worked on Linux before just
Alt+F[1-7] did.

Jason



isakmpd does not enter phase 2

2005-12-19 Thread Tamas TEVESZ
hello,

dec 18 snap, running on i386

given is an ipsec gateway (i think it's running some older openswan or
some other swan) to which i need to connect, establishing a net-net
tunnel. the parameters needed are IKE rekeying 1440 minutes (24
hours), IPSEC 3600 seconds (1 hour), both with 3DES/SHA1, no PFS, and
these are carved in stone, i was told.

i can't seem to get isakmpd to establish a tunnel with that site. it
seems as if phase 1 would have been negotiated fine, but when isakmpd
then sends an `initial contact', then gets back an ipv4_addr, then
things literally stop happening here.

i checked isakmpd packet dumps on other machines, and from what i
gather, here my isakmpd is the one who should start entering into
phase 2 negotiations, but that never happens.

that's what the packet log tells me (X.Y.Z.185 is isakmpd, the local
side; A.B.C.42 is the remote side)

Dec 20 03:45:23.465777 0.0.0.0.500 > A.B.C.42.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0- msgid:  len: 164
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00015180
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
Dec 20 03:45:23.530916 A.B.C.42.500 > X.Y.Z.185.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0-83821d77d8a07cd2 msgid:  len: 84
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00015180 [ttl 0] (id 1, len 112)
Dec 20 03:45:23.548557 X.Y.Z.185.500 > A.B.C.42.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0-83821d77d8a07cd2 msgid:  len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 [ttl 0] (id 1, len 208)
Dec 20 03:45:24.141436 A.B.C.42.500 > X.Y.Z.185.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0-83821d77d8a07cd2 msgid:  len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 [ttl 0] (id 1, len 212)
Dec 20 03:45:24.162027 X.Y.Z.185.500 > A.B.C.42.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0-83821d77d8a07cd2 msgid:  len: 92
payload: ID len: 12 type: IPV4_ADDR = X.Y.Z.185
payload: HASH len: 24
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (636b40261faa87b0-83821d77d8a07cd2) [ttl 0] (id 1, len 120)
Dec 20 03:45:24.899941 A.B.C.42.500 > X.Y.Z.185.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 636b40261faa87b0-83821d77d8a07cd2 msgid:  len: 68
payload: ID len: 12 type: IPV4_ADDR = A.B.C.42
payload: HASH len: 24 [ttl 0] (id 1, len 96)

and then silence. there's nothing, not even down the road (i waited for
like 20 minutes for something, anything to happen), like `no proposal
chosen', or any other kind of message that would give a clue as to
where to start.


with another peer, at this point i also see

Dec 20 03:55:29.817971 me.500 > otherpeer.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 857f6ffe85cd2ad6-3d173193c107d434 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D-DRAFT len: 24
payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)
Dec 20 03:55:29.914622 otherpeer.500 > me.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 857f6ffe85cd2ad6-3d173193c107d434 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D-DRAFT len: 24
payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)

and this is when phase2 negotiations actually begin, and eventually
complete, and a tunnel is established. the 

Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Dag Richards

Heinrich Rebehn wrote:

[EMAIL PROTECTED] wrote:

heya,

i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.

i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall play nice,
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.

i am also aware of the green bow VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a howto for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.

cheers,
jake


Hi jake,

I have been successfully using the Windows XP native IPSec client for
some 2 years now. There is a good configuration tool at
http://vpn.ebootis.de/ which reads a configuration file and executes the
ipseccmd commands needed for setting up the tunnel. Latest version is
2.2, i am using 2.1.4.

You do need XP Service Pack 2. Also you must install the windows support
tools as mentioned on Marcus' web page. Note that if you already
installed them before installing SP2, you must also upgrade the support
tools after installing SP2.

As for windows debug output, look for oakley log in
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx

This works with certificates (somewhat tricky to setup) as well as with
preshared secret.

HTH,
Heinrich


The tool mentioned by Heinrich has worked for me quite well. I
have used it against a Linux FreeS/WAN server for three years, and OBSD
for the last six months. The following link explains how to use x509
certs: http://mirror.huxley.org.ar/ipsec/isakmpd.htm

The script he provided on the page had a small typo that prevented it
from working; he seems to have fixed it now. You will find certs to be
simple actually, more secure, and easier to manage.

Although I have yet to get a certificate revocation list to work with
isakmpd.



Hardware RNG speed

2005-12-19 Thread Michael Alexander Hamburg
Hello to the list,

I'm working on a cryptography project, and one of the things the project
requires is a moderately high-bandwidth source of truly random numbers.
To accomplish this, I set up OpenBSD on a board with a (Soekris) Hifn 7955
accelerator card, but the rate I'm getting by reading out of /dev/srandom
is pretty low (200B/s).  However, this has to be coming from the card,
because the machine has no other reasonable source of entropy other than
the network: no hard drive, no keyboard, etc.

Now, unless the card's specs are deceptive, its random number generator
must support a higher rate than this: it claims 70 1024-bit Diffie-Hellman
key exchanges per second, and each such key exchange requires a full
1024-bit random number, which comes out to 8.8kB/s.  The minimum data rate
for my application is about 1k/s, and I would strongly prefer not to use a
PRNG.

Is there a more direct way to query the RNG?  random(4) claims that the
RNG is not mapped directly to a device (/dev/random is not currently
implemented), but rather that it periodically refreshes the system entropy
pool.  Is there a way to force this to occur more often, or to transfer
more data?  Or do the numbers lie, and I'm getting all the data I can?

Thanks for your time,
Mike Hamburg

P.S. I'm looking at different sources of random numbers, and cost and
integration are important factors.  Would an AMD Geode LX or VIA C3 or C7
processor's on-board RNG provide a significantly higher data rate than
a Soekris card, at a comparable quality?



Re: Hardware RNG speed

2005-12-19 Thread Theo de Raadt
 I'm working on a cryptography project, and one of the things the project
 requires is a moderately high-bandwidth source of truly random numbers.

...

 P.S. I'm looking at different sources of random numbers, and cost and
 integration are important factors.  Would an AMD Geode LX or VIA C3 or C7
 processor's on-board RNG provide a significantly higher data rate than
 a Soekris card, at a comparable quality?

Until you can justify actual real scientific reasons why you cannot
use it, I think you should use arc4random().

And I am entirely serious.  The entire idea in OpenBSD is to have many
consumers, as this strengthens the source.



Re: CM9 problems with 802.11g (mode 11g)

2005-12-19 Thread Chris Cappuccio
Jonathan Gray [EMAIL PROTECTED] wrote:
 
 11g modes are not yet supported on ath, 11b or 11a only iirc.

11a (OFDM) doesn't work on CM9 (or newer cards), reverse engineering the
HAL is not easy at all



Re: Hardware RNG speed

2005-12-19 Thread Jason Crawford
On 12/19/05, Michael Alexander Hamburg [EMAIL PROTECTED] wrote:
 Hello to the list,

 I'm working on a cryptography project, and one of the things the project
 requires is a moderately high-bandwidth source of truly random numbers.
 To accomplish this, I set up OpenBSD on a board with a (Soekris) Hifn 7955
 accelerator card, but the rate I'm getting by reading out of /dev/srandom
 is pretty low (200B/s).  However, this has to be coming from the card,
 because the machine has no other reasonable source of entropy other than
 the network: no hard drive, no keyboard, etc.

 Now, unless the card's specs are deceptive, its random number generator
 must support a higher rate than this: it claims 70 1024-bit Diffie-Hellman
 key exchanges per second, and each such key exchange requires a full
 1024-bit random number, which comes out to 8.8kB/s.  The minimum data rate
 for my application is about 1k/s, and I would strongly prefer not to use a
 PRNG.

 Is there a more direct way to query the RNG?  random(4) claims that the
 RNG is not mapped directly to a device (/dev/random is not currently
 implemented), but rather that it periodically refreshes the system entropy
 pool.  Is there a way to force this to occur more often, or to transfer
 more data?  Or do the numbers lie, and I'm getting all the data I can?

 Thanks for your time,
 Mike Hamburg

 P.S. I'm looking at different sources of random numbers, and cost and
 integration are important factors.  Would an AMD Geode LX or VIA C3 or C7
 processor's on-board RNG provide a significantly higher data rate than
 a Soekris card, at a comparable quality?


What about taking a cord that's plugged into the sound card port and
microphone port, and reading in from the microphone? I've heard that
is a pretty good source of randomness (all that annoying feedback),
although I may be completely wrong, feel free to correct me if I am.

Jason



MN-520 802.11b wireless PCMCIA card not found in -CURRENT on AMD Sempron?

2005-12-19 Thread C. Bensend
Hey folks,

   I've never been lucky enough to actually own my own laptop until
yesterday, when a friend pointed me at a special at Staples.  I
picked up a Compaq Presario V2405US (AMD Sempron) for a pretty good
price.  Yes, I know, Compaq and Staples, fear.  But for $500, I can
cope.

   I installed Saturday's snapshot, crossing my fingers and hoping
the magical 802.11b/g fairy would grace me and it would recognize
the built-in wireless.  Alas, it's a Broadcom BCM4318.  That's OK,
I didn't expect the one that's built in to work.  Stupid Broadcom.

   However, I was a little surprised when my Microsoft MN-520 PCMCIA
adapter isn't found.  This is the same physical adapter that works
great with my work laptop (a straight Pentium-M Dell).

   It's this one, and works flawlessly with my D600:

http://marc.theaimsgroup.com/?l=openbsd-miscm=109286218613735w=2

   So, here is the dmesg from the new laptop, running Saturday's
snapshot (pardon any funkiness from cut-n-paste):


OpenBSD 3.8-current (GENERIC) #320: Sat Dec 17 10:09:10 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile AMD Sempron(tm) Processor 3000+ (AuthenticAMD 686-class, 128KB L2 cache) 1.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD Powernow: TS FID VID TTP TM STC
cpu0: AMD PowerNow! K8 available states (35400,70700,79500)
real mem  = 233349120 (227880K)
avail mem = 206016512 (201188K)
using 2874 buffers containing 11771904 bytes (11496K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(51) BIOS, date 08/04/05, BIOS32 rev. 0 @ 0xfd660
pcibios0 at bios0: rev 2.1 @ 0xfd660/0x9a0
pcibios0: PCI BIOS has 10 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ATI RS480 Host rev 0x01
ppb0 at pci0 dev 1 function 0 ATI RS480 PCIE rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ATI Radeon XPRESS 200M rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 19 function 0 ATI IXP400 USB rev 0x00: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ohci1 at pci0 dev 19 function 1 ATI IXP400 USB rev 0x00: irq 11, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
ehci0 at pci0 dev 19 function 2 ATI IXP400 USB2 rev 0x00: irq 11
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: ATI EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 8 ports with 8 removable, self powered
ATI IXP400 SMBus rev 0x11 at pci0 dev 20 function 0 not configured
pciide0 at pci0 dev 20 function 1 ATI IXP400 IDE rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK4025GAS
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, RW/DVD GCC-4244N, 1.01 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
pcib0 at pci0 dev 20 function 3 ATI IXP400 ISA rev 0x00
ppb1 at pci0 dev 20 function 4 ATI IXP400 PCI rev 0x00
pci2 at ppb1 bus 2
rl0 at pci2 dev 0 function 0 Realtek 8139 rev 0x10: irq 5, address 00:c0:9f:d3:62:b4
rlphy0 at rl0 phy 0: RTL internal phy
Broadcom BCM4318 rev 0x02 at pci2 dev 2 function 0 not configured
cbb0 at pci2 dev 9 function 0 Texas Instruments PCI7XX1 CardBus rev 0x00pci_intr_map: no mapping for pin A
: couldn't map interrupt
auixp0 at pci0 dev 20 function 5 ATI IXP400 AC97 rev 0x02: irq 10
auixp0: soft resetting aclink
ATI IXP400 Modem rev 0x02 at pci0 dev 20 function 6 not configured
pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb4 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
biomask ebdd netmask ebfd ttymask fbff
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 

Re: isakmpd does not enter phase 2

2005-12-19 Thread Matthew Closson

given is an ipsec gateway (i think it's running some older openswan or
some other swan) to which i need to connect, establishing a net-net
tunnel. the parameters needed are IKE rekeying 1440 minutes (24
hours), IPSEC 3600 seconds (1 hour), both with 3DES/SHA1, no PFS, and
these are carved in stone, i was told.


The 3DES-SHA1 is included with isakmpd's default main-mode and quick-mode 
definitions, try those instead of redefining them.



i can't seem to get isakmpd to establish a tunnel with that site. it
seems as if phase 1 would have been negotiatied fine, but when isakmpd
then sends an `initial contact', then gets back an ipv4_addr, then
things literally stop happening here.


What version of OpenBSD? 3.8?

Can you show us: sudo ipsecctl -s all
after isakmpd has been started and stops making progress?

Thanks,

-Matt-
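As an added illustration of what Matt is pointing at (this is not a configuration anyone posted in the thread): an isakmpd.conf for the poster's constraints, using the OpenBSD 3.8 isakmpd.conf(5) section layout. It keeps the X.Y.Z.185 and A.B.C.42 placeholders from the trace; the two subnets and the pre-shared secret are assumptions for the example. The built-in Default-main-mode and Default-quick-mode already negotiate 3DES/SHA1, as Matt says; the only reasons to name sections of your own here are that the built-in quick mode proposes PFS (the peer wants none) and that the two lifetimes are fixed by the other side.

```conf
# Net-to-net IKEv1 tunnel: 3DES/SHA1, pre-shared key, no PFS,
# phase 1 life 86400 s (1440 min), phase 2 life 3600 s.
# Addresses, subnets and the secret below are assumed for the example.
[General]
Listen-on=              X.Y.Z.185

# Phase 1: which peer section handles IKE with A.B.C.42.
[Phase 1]
A.B.C.42=               peer-remote

# Phase 2: isakmpd only begins quick mode for connections listed here
# whose ISAKMP-peer names the phase 1 peer.  With nothing to list, main
# mode completes and then nothing further is sent, which is the silence
# after the peer's ID/HASH message in the trace above.
[Phase 2]
Connections=            lan-to-remote

[peer-remote]
Phase=                  1
Transport=              udp
Local-address=          X.Y.Z.185
Address=                A.B.C.42
Configuration=          main-mode-3des-sha-24h
Authentication=         changeme-preshared-secret

[lan-to-remote]
Phase=                  2
ISAKMP-peer=            peer-remote
Configuration=          quick-mode-3des-sha-nopfs-1h
Local-ID=               net-local
Remote-ID=              net-remote

[net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

# Phase 1 proposal: same attributes as the built-in 3DES-SHA transform,
# with a lifetime section of its own so that 24 h is what we offer.
[main-mode-3des-sha-24h]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-24H

[3DES-SHA-24H]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_24H

[LIFE_24H]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400

# Phase 2 proposal: ESP with 3DES and HMAC-SHA1 in tunnel mode.  No
# GROUP_DESCRIPTION in the transform means no PFS is proposed.
[quick-mode-3des-sha-nopfs-1h]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-1H-SUITE

[QM-ESP-3DES-SHA-1H-SUITE]
Protocols=              QM-ESP-3DES-SHA-1H

[QM-ESP-3DES-SHA-1H]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-1H-XF

[QM-ESP-3DES-SHA-1H-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life=                   LIFE_1H

[LIFE_1H]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600
```

When a tunnel stalls at exactly this point, the checks worth doing before touching the proposals are: confirm a [Phase 2] Connections= entry exists and references the right ISAKMP-peer; run isakmpd in the foreground with debugging (`isakmpd -d -DA=50`) and watch whether it logs a reason for not starting quick mode; and, as Matt asks, compare `ipsecctl -s all` with what the other side expects for the two subnets, since a selector mismatch is the other common reason the responder drops a quick mode proposal without an explanatory notification.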



Re: CM9 problems with 802.11g (mode 11g)

2005-12-19 Thread Chris Cappuccio
Bart Kus [EMAIL PROTECTED] wrote:
 
  11a (OFDM) doesn't work on CM9 (or newer cards), reverse engineering the
  HAL is not easy at all
 
 How about the Ubiquiti Networks SR2  SR5?  I'm guessing since they're
 both AR5213-based, neither of them would work in 11g/11a respectively.
 

Yeah, it's the same Atheros chip as the CM9

 Is there an option to use the binary HAL instead?
 

Considering that the driver was originally written to use it, that could
be done.  The HAL is basically where a lot of magic numbers are used to
initialize different versions of the chip.  Unfortunately people have to
take steps like this just to figure out how the chip works.  Apparently
Atheros thinks the general public is too stupid or malicious to have direct
access to the chip and be able to do things like change frequencies or
whatever.   I wonder if Teresa Meng would find this attitude to be
in the original spirit that she founded the company with.  Maybe some
calls to her at Stanford could open up some more possibilities.  This
situation is very annoying.

-- 
You were about to change the channel when God healed you -- Benny Hinn



Re: CM9 problems with 802.11g (mode 11g)

2005-12-19 Thread Bart Kus
On Mon, 19 Dec 2005, Chris Cappuccio wrote:
 Jonathan Gray [EMAIL PROTECTED] wrote:
  11g modes are not yet supported on ath, 11b or 11a only iirc.

 11a (OFDM) doesn't work on CM9 (or newer cards), reverse engineering the
 HAL is not easy at all

How about the Ubiquiti Networks SR2  SR5?  I'm guessing since they're
both AR5213-based, neither of them would work in 11g/11a respectively.

Is there an option to use the binary HAL instead?

--Bart