Re: ipsec vpn?

2007-08-17 Thread Hans-Joerg Hoexer
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote:
 I made a few changes and did some more testing this evening.
 
 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow
 default transforms that Hans-Joerg recommended.
 
 # cat /etc/ipsec.conf
 ike dynamic esp tunnel from any to 192.168.1.0/24 \
 main  auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des \
 psk abc123
 
 2. I created the basic policy file:
 
 # cat /etc/isakmpd/isakmpd.policy
 KeyNote-Version: 2
 Authorizer: POLICY
 
 3. Being lazy I rebooted the server and tried starting isakmpd manually
 without the -K. It would not start. When I tried starting it with -dLv I
 got the message:
 
 180252.969043 Default check_file_secrecy_fd: not loading
 /etc/isakmpd/isakmpd.policy - too open permissions
 180252.970281 Default policy_init: cannot read /etc/isakmpd/isakmpd.policy:
 Operation not permitted
 
 So I went back and started it with -K.

please go back to step 2, however this time set the permissions of
/etc/isakmpd/isakmpd.policy to 600.


 4. I then turned on packet tracing as Stuart suggested, tried logging in,
 turned packet tracing off and ran tcpdump on the file:
 
 # echo p on > /var/run/isakmpd.fifo
 
 # echo p off > /var/run/isakmpd.fifo
 
 # tcpdump -r /var/run/isakmpd.pcap -vvn
 tcpdump: WARNING: snaplen raised from 96 to 65536
 18:08:57.938430 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp
 v1.0 exchange ID_PROT
 cookie: ed67c89ed96545fb-> msgid:  len: 160
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
 xforms: 1
 payload: TRANSFORM len: 32
 transform: 0 ID: ISAKMP
 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
 attribute HASH_ALGORITHM = SHA
 attribute AUTHENTICATION_METHOD = PRE_SHARED
 attribute GROUP_DESCRIPTION = MODP_1024
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 3600
 payload: VENDOR len: 20 (supports v1 NAT-T,
 draft-ietf-ipsec-nat-t-ike-00)
 payload: VENDOR len: 20 (supports v2 NAT-T,
 draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 20 (supports v3 NAT-T,
 draft-ietf-ipsec-nat-t-ike-03)
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 188)
 18:08:57.944015 64.119.37.74.500 > 64.119.40.170.500: [udp sum ok] isakmp
 v1.0 exchange INFO
 cookie: cfef30980a709fe2-> msgid:  len: 40
 payload: NOTIFICATION len: 12
 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
 
 5. OK, no good. Nothing jumped out at me in the tcpdump so I changed from
 dynamic to passive, and tried again:
 
 # cat /etc/ipsec.conf
 ike passive esp tunnel from any to 192.168.1.0/24 \
 main  auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des \
 psk abc123
 
 # ipsecctl -f /etc/ipsec.conf
 
 killed the isakmpd daemon and restarted it with -K, turned packet tracing
 back on and tried everything again. Got more detail but nothing jumps out at
 me.
 
 # tcpdump -r /var/run/isakmpd.pcap -vvn
 tcpdump: WARNING: snaplen raised from 96 to 65536
 18:08:57.938430 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp
 v1.0 exchange ID_PROT
 cookie: ed67c89ed96545fb-> msgid:  len: 160
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
 xforms: 1
 payload: TRANSFORM len: 32
 transform: 0 ID: ISAKMP
 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
 attribute HASH_ALGORITHM = SHA
 attribute AUTHENTICATION_METHOD = PRE_SHARED
 attribute GROUP_DESCRIPTION = MODP_1024
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 3600
 payload: VENDOR len: 20 (supports v1 NAT-T,
 draft-ietf-ipsec-nat-t-ike-00)
 payload: VENDOR len: 20 (supports v2 NAT-T,
 draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 20 (supports v3 NAT-T,
 draft-ietf-ipsec-nat-t-ike-03)
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 188)
 18:08:57.944015 64.119.37.74.500 > 64.119.40.170.500: [udp sum ok] isakmp
 v1.0 exchange INFO
 cookie: cfef30980a709fe2-> msgid:  len: 40
 payload: NOTIFICATION len: 12
 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
 18:24:12.441476 64.119.40.170.500 > 64.119.37.74.500: [udp sum ok] isakmp
 v1.0 exchange ID_PROT
 cookie: 7c923ecb8d9a90f0-> msgid:  len: 160
 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 40 
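To make the tcpdump output above easier to read, here is a small decoder for the fixed ISAKMP header and the payload chain, written for this thread as an added example (it is not isakmpd code and not from anyone in the thread). It reads the exchange type (ID_PROT, INFO) from byte 18 of the 28-byte header, walks the generic payload headers, and pulls the notify message type out of a NOTIFICATION payload, which is how "exchange INFO ... NO PROPOSAL CHOSEN" is recovered from 40 bytes on the wire. The two packets embedded below are constructed to match the shapes tcpdump printed; the vendor ID bytes and cookies are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISAKMP fixed header is 28 bytes (RFC 2408, section 3.1). */
#define ISAKMP_HDR_LEN 28
#define ISAKMP_PAYLOAD_NONE 0
#define ISAKMP_PAYLOAD_NOTIFY 11
#define ISAKMP_PAYLOAD_VENDOR 13
#define ISAKMP_EXCH_ID_PROT 2
#define ISAKMP_EXCH_INFO 5
#define ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN 14

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Exchange type from header byte 18, or -1 if the buffer is shorter than a
 * header or the header's length field (bytes 24-27) disagrees with len. */
int isakmp_exchange_type(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN || get32(pkt + 24) != len)
        return -1;
    return pkt[18];
}

/* Walk the payload chain. Each payload starts with a 4-byte generic header:
 * next-payload (1), reserved (1), length (2, header included). Returns the
 * payload count, or -1 if a length runs past the packet. If want >= 0, the
 * offset of the first payload of that type is stored in *want_off. */
static int walk_payloads(const uint8_t *pkt, size_t len, int want, size_t *want_off)
{
    if (isakmp_exchange_type(pkt, len) < 0)
        return -1;
    int np = pkt[16], count = 0, seen = 0;   /* byte 16: first payload type */
    size_t off = ISAKMP_HDR_LEN;
    while (np != ISAKMP_PAYLOAD_NONE) {
        if (off + 4 > len)
            return -1;
        uint16_t plen = get16(pkt + off + 2);
        if (plen < 4 || off + plen > len)
            return -1;
        if (np == want && !seen) { *want_off = off; seen = 1; }
        count++;
        np = pkt[off];          /* next-payload byte of this payload */
        off += plen;
    }
    return count;
}

int isakmp_payload_count(const uint8_t *pkt, size_t len)
{
    size_t unused = 0;
    return walk_payloads(pkt, len, -1, &unused);
}

/* Notify message type of the first NOTIFICATION payload: generic header (4),
 * DOI (4), protocol-id (1), SPI size (1), then the 2-byte type. Returns 0 if
 * the packet carries no notification, -1 if malformed. */
int isakmp_first_notify_type(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    int n = walk_payloads(pkt, len, ISAKMP_PAYLOAD_NOTIFY, &off);
    if (n < 0) return -1;
    if (off == 0) return 0;                       /* payloads start at 28 */
    if (get16(pkt + off + 2) < 12) return -1;     /* too short for a type */
    return get16(pkt + off + 10);
}

/* Constructed INFO reply: 28-byte header + 12-byte NOTIFICATION = 40 bytes. */
static const uint8_t sample_info_pkt[] = {
    0xcf,0xef,0x30,0x98,0x0a,0x70,0x9f,0xe2,   /* initiator cookie (constructed) */
    0,0,0,0,0,0,0,0,                           /* responder cookie */
    ISAKMP_PAYLOAD_NOTIFY, 0x10, ISAKMP_EXCH_INFO, 0,  /* next, v1.0, INFO, flags */
    0,0,0,0,                                   /* message ID */
    0,0,0,40,                                  /* total length */
    ISAKMP_PAYLOAD_NONE, 0, 0,12,              /* NOTIFICATION, len 12 */
    0,0,0,1, 1, 0,                             /* DOI IPSEC, proto ISAKMP, spisz 0 */
    0,ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN,
};

/* Constructed ID_PROT packet with one VENDOR payload (len 20) = 48 bytes. */
static const uint8_t sample_id_prot_pkt[] = {
    0xed,0x67,0xc8,0x9e,0xd9,0x65,0x45,0xfb, 0,0,0,0,0,0,0,0,
    ISAKMP_PAYLOAD_VENDOR, 0x10, ISAKMP_EXCH_ID_PROT, 0, 0,0,0,0, 0,0,0,48,
    ISAKMP_PAYLOAD_NONE, 0, 0,20, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,
};

int main(void)
{
    printf("info: exchange %d, payloads %d, notify %d\n",
        isakmp_exchange_type(sample_info_pkt, sizeof sample_info_pkt),
        isakmp_payload_count(sample_info_pkt, sizeof sample_info_pkt),
        isakmp_first_notify_type(sample_info_pkt, sizeof sample_info_pkt));
    printf("id_prot: exchange %d, payloads %d, notify %d\n",
        isakmp_exchange_type(sample_id_prot_pkt, sizeof sample_id_prot_pkt),
        isakmp_payload_count(sample_id_prot_pkt, sizeof sample_id_prot_pkt),
        isakmp_first_notify_type(sample_id_prot_pkt, sizeof sample_id_prot_pkt));
    return 0;
}
```

Every length is checked against the buffer before it is used, so a truncated capture (or a hostile packet) yields -1 instead of a read past the end; that is the same discipline a daemon parsing this on UDP/500 needs.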

Re: ipsec vpn?

2007-08-17 Thread Markus Friedl
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote:
 I made a few changes and did some more testing this evening.
 
 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow
 default transforms that Hans-Joerg recommended.
 
 # cat /etc/ipsec.conf
 ike dynamic esp tunnel from any to 192.168.1.0/24 \
 main  auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des \
 psk abc123
 
 2. I created the basic policy file:
 
 # cat /etc/isakmpd/isakmpd.policy
 KeyNote-Version: 2
 Authorizer: POLICY
 
 3. Being lazy I rebooted the server and tried starting isakmpd manually
 without the -K. It would not start. When I tried starting it with -dLv I
 got the message:
 
 180252.969043 Default check_file_secrecy_fd: not loading
 /etc/isakmpd/isakmpd.policy - too open permissions
 180252.970281 Default policy_init: cannot read /etc/isakmpd/isakmpd.policy:
 Operation not permitted
 
 So I went back and started it with -K.

wrong. just fix the permissions of the policy file:

chmod 600 /etc/isakmpd/isakmpd.policy
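Both replies point at the same cause: isakmpd refuses a policy file that group or world can read, and -K sidesteps that by turning KeyNote policy checking off rather than fixing it. The check below is an added example written for this thread (it is not isakmpd's check_file_secrecy_fd, just the same permission test), with a scratch file under /tmp that is constructed for the demonstration; it assumes /tmp is writable.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the open file carries no group/other permission bits (owner only),
 * 0 if it is too open, -1 if fstat fails. */
int file_is_secret_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Same check by path; -1 if the file cannot be opened. */
int file_is_secret(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = file_is_secret_fd(fd);
    close(fd);
    return ok;
}

/* Exercise the check on a scratch file (constructed, not a real policy file):
 * mode 0644 must be rejected, mode 0600 accepted. Returns 1 when both
 * outcomes are as expected, 0 otherwise, -1 if no scratch file could be made. */
int secrecy_check_demo(void)
{
    char path[] = "/tmp/isakmpd.policy.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rejected_open = 0, accepted_secret = 0;
    if (fchmod(fd, 0644) == 0)                 /* group/world readable */
        rejected_open = (file_is_secret(path) == 0);
    if (fchmod(fd, 0600) == 0)                 /* owner only, as the replies ask */
        accepted_secret = (file_is_secret(path) == 1);
    close(fd);
    unlink(path);
    return rejected_open && accepted_secret;
}

int main(void)
{
    int r = secrecy_check_demo();
    printf("secrecy check behaves as expected: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```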



pkg_add can't install a package

2007-08-17 Thread Tomas

Hi list,

I'm having some trouble installing clamav-0.90.3.tgz package. I'm using 
OpenBSD_4_1.

My steps:
1. export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386
2. sudo pkg_add -v clamav-0.90.3.tgz
And I have this error:

parsing clamav-0.90.3
Can't install clamav-0.90.3 because of conflicts (.libs-clamav-0.90)
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/:
ftp: -: short write
421 Service not available, remote server has closed connection.
/usr/sbin/pkg_add: clamav-0.90.3.tgz:Fatal error

There was installed clamav-0.90 before, but then it was removed with 
pkg_delete


And now even when I try to install clamav-0.90.tgz package, I get the 
same error:


1. sudo pkg_add -v clamav-0.90.tgz
parsing clamav-0.90
Can't install clamav-0.90 because of conflicts (.libs-clamav-0.90)
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/:
ftp: -: short write
421 Service not available, remote server has closed connection.
/usr/sbin/pkg_add: clamav-0.90.tgz:Fatal error






Re: pkg_add can't install a package

2007-08-17 Thread Will Maier
On Fri, Aug 17, 2007 at 11:48:34AM +0300, Tomas wrote:
 I'm having some trouble installing clamav-0.90.3.tgz package. I'm using 
 OpenBSD_4_1.
 My steps:
 1. export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386
 2. sudo pkg_add -v clamav-0.90.3.tgz
 And I have this error:
 
 parsing clamav-0.90.3
 Can't install clamav-0.90.3 because of conflicts (.libs-clamav-0.90)
^
 Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/:
 ftp: -: short write
 421 Service not available, remote server has closed connection.
 /usr/sbin/pkg_add: clamav-0.90.3.tgz:Fatal error

Use pkg_delete(1) to remove the .libs- package.

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Re: pkg_add can't install a package

2007-08-17 Thread Tomas Stankevičius
 Thank you Will, it worked.
But then again... Why .libs-clamav-0.90 was left behind when I removed
clamav-0.90.tgz with pkg_delete ?

Will Maier wrote:

  On Fri, Aug 17, 2007 at 11:48:34AM +0300, Tomas wrote:

I'm having some trouble installing clamav-0.90.3.tgz package. I'm using 
OpenBSD_4_1.
My steps:
1. export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386  
  2. sudo pkg_add -v clamav-0.90.3.tgz
And I have this error:

parsing clamav-0.90.3
Can't install clamav-0.90.3 because of conflicts (.libs-clamav-0.90)

  ^

Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/:
ftp: -: short write
421 Service not available, remote server has closed connection.
/usr/sbin/pkg_add: clamav-0.90.3.tgz:Fatal error

  Use pkg_delete(1) to remove the .libs- package.

--

Regards,

Director Tomas Stankevičius

Tel.: +370 37 408709

Fax: +370 37 408709

Mobile: +370 650 33329

E-mail: [EMAIL PROTECTED]

Web: www.infovertas.lt



Re: Hoststated SSL Relay Issue Resolved?

2007-08-17 Thread Reyk Floeter
hi!

On Thu, Aug 16, 2007 at 03:15:47PM -0700, Michael Taggart wrote:
 Hello everyone. Recently I have made it a project to get hoststated running
 on my OpenBSD firewalls. Before I had a php script I wrote to accomplish
 this task of L7 health checking and let's just say it was less than
 efficient.
 
 Anyway I was able to get the whole thing running correctly, but I noticed a
 small bug and I was able to alleviate it with a small change to
 /usr/src/usr.sbin/hoststated/relay.c
 
 I noticed that the https relay worked great in Firefox and even IE. However,
 when I tried to go to the https domain in Opera or IE4 Mac. I got a nice fat
 error screen about something screwed up with the security certificate. I
 noticed that whenever I hit the page in Opera hoststated -d would spit this
 out:
 
 relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL
 accept timeout
 

this is not a bug, it is just a stupid behaviour of opera... (btw. WHY
do you use IE4 Mac???). but you can tweak it, see below...

 So naturally, I dove into /usr/src/usr.sbin/hoststated/relay.c and found
 that error message around line 1978. I tried to figure out exactly what was
 going on, but decided to just give this a try:
 
 [Lines 1978 - 1981]
  if (event == EV_TIMEOUT) {
 //relay_close(con, "SSL accept timeout");
 //return;
 }
 
 As you can see, all I did was comment out the two lines inside the if
 statement. Well, I am happy to report that Opera, FF, IE (Win & Mac) all
 work beautifully now and I haven't noticed any other problems. I guess my
 question is does anyone know what the long term side effects of this code
 change would be? I am guessing that I just completely short circuited all
 timeout ability for SSL.
 

please don't do this, this is just wrong. you cannot ignore the
timeout condition, it will either have some strange side effects or
eat all your resources... you cannot just disable a timeout handler! 

 Any feedback would be greatly appreciated.
 

i admit that the timeout configuration is a little bit confusing.
we're probably going to split the timeout options in different
dedicated values after 4.2.

see comments in your configuration below

 Thanks,
 Mike
 

thanks for your feedback!
reyk

 
 Here is my /etc/hoststated.conf file for those that are interested:
 
 # $OpenBSD: hoststated.conf,v 1.6 2007/02/26 20:43:32 reyk Exp $
 #
 # Macros
 #
 #ext_addr=192.168.1.1
 #webhost1=10.0.0.1
 #webhost2=10.0.0.2
 
 #
 # Global Options
 #
 interval 5
 # timeout 200

the accept timeout is inherited from the global timeout option, and
the default is a little bit low for crappy ssl implementations (see
above) or slow connections, try to set it to

timeout 4000

(it has to be a little bit less than the interval)

 # prefork 5
 
 #
 # Each table will be mapped to a pf table.
 #
 ##
 table era_cluster {
 real port http
 check http / code 200
 host 192.168.2.212
 host 192.168.2.213
 host 192.168.2.214
 }
 
 ##
 table acclogic_cluster {
 real port http
 check http / code 200
 host 192.168.2.215
 host 192.168.2.216
 host 192.168.2.217
 }
 
 ##
 table trklogic_cluster {
 real port http
 check http / code 200
 host 192.168.2.218
 host 192.168.2.219
 host 192.168.2.220
 }
 
 ##
 
 #table fallback {
 #real port http
 #check icmp
 #host 127.0.0.1
 #}
 
 #
 # Services will be mapped to a rdr rule.
 #
 ##
 service era_www {
 virtual host 38.101.110.212 port http interface em0
 
 # tag every packet that goes thru the rdr rule with HOSTSTATED
 tag HOSTSTATED
 
 table era_cluster
 #backup table fallback
 }
 
 ##
 service trklogic_www {
 virtual host 38.101.110.214 port http interface em0
 
 # tag every packet that goes thru the rdr rule with HOSTSTATED
 tag HOSTSTATED
 
 table trklogic_cluster
 #backup table fallback
 }
 
 service acclogic_www {
 virtual host 38.101.110.213 port http interface em0
 
 # tag every packet that goes thru the rdr rule with HOSTSTATED
 tag HOSTSTATED
 
 table acclogic_cluster
 #backup table fallback
 }
 
 
 ##
 #
 # Relays and protocols are used for Layer 7 loadbalancing
 #
 protocol httpssl {
 protocol http
 header append $REMOTE_ADDR to X-Forwarded-For
 header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
 header change HTTPS to on
 header change Connection to close
 header remove Keep-Alive
 

i figured out that it sometimes is a good idea to allow keep-alives
(hoststated does support keep-alive sessions with multiple requests),
because it reduces the internal load on the webservers. but you can
decrease the timeout to keep the number of concurrent sessions on the
loadbalancer low:

  header change Keep-Alive to $TIMEOUT


Swap priority and paging strategy... a couple of questions

2007-08-17 Thread asmith
I'm wondering if anybody could shed any light on the behaviour of swapping 
priorities and what happens to paged state data that remains largely 
unreferenced.

I am tinkering with swap priority having had my Zaurus building the Ruby port 
for about 20 hours now.

Basically I have a 128Mb swap partition on this Zaurus and to provide capacity 
whilst building large builds I have a 128Mb swap file.

There is a significant performance difference between swapping to the file or 
to the partition and I noticed that based upon the default priorities (both 
devices as 0) the paging load was being evenly distributed between the devices 
as one might expect.

Having used swapctl -c -p to change the swap priority on the swap file I am 
starting to see migration of load away from the page file to the swap partition 
and things have started to speed up.

My question is really around unreferenced state data that has been pushed out 
to swap and isn't being demand paged back in. Is there functionality in the 
swap strategy to migrate such pages to a lower priority device so that you can 
bias performance of pages referenced more often against the higher priority 
swap device?

If not then how can you maximise the benefits of the prioritisation mechanism 
to ensure the majority of the working set is on the highest priority partition 
and that the highest priority partition is not consumed on a first come first 
serve basis by unreferenced state data that falls outside of the general idle 
working set of processes.

Any information is much appreciated,

Regards,

-Andy



Re: pkg_add can't install a package

2007-08-17 Thread Will Maier
On Fri, Aug 17, 2007 at 12:58:34PM +0300, Tomas Stankevicius wrote:
 But then again... Why .libs-clamav-0.90 was left behind when I
 removed clamav-0.90.tgz with pkg_delete ?

This has been covered in the archives[0]. When you delete a package
that may still have shared libraries in use by other packages, a
.libs stub is kept for compatibility purposes with older stuff.

[0] http://marc.info/?l=openbsd-misc&m=117742456031949&w=2

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Problems installing OpenBSD to Soekris

2007-08-17 Thread Timo Myyrä
Just tried to install OpenBSD 4.1 to my Soekris 4801 box but I'm having
little difficulties in it.

I added the CF card to a reader and connected it to my laptop which runs
openbsd. It finds the reader and the card (sd3) in it.
I tried to create partitions to the disk with disklabel -E sd3. It then
listed the MS-DOS partition on the disk. I create the partitions as normal
but after I quit writing the changes and try to make the filesystems it
gives error. When using the disklabel again it lists again the MS-DOS
partition so it appears that it won't write the changes to the disk at all
for some reason. Any idea how to get past it?

And am I correct to assume that I get my soekris working by just extracting
the sets manually to the created partitions and modifying the config files?
So I don't have to do anything beyond that? I got 1GB CF disk so I will have
plenty of space.

Also which sets can I drop? games and man sets are obvious but which x sets
can I drop? Everything else besides xbase or could I drop even that?

Timo Myyrä



Re: Problems installing OpenBSD to Soekris

2007-08-17 Thread Stuart Henderson
On 2007/08/17 15:01, Timo Myyrä wrote:
 I tried to create partitions to the disk with disklabel -E sd3.

fdisk first.

 And am I correct to assume that I get my soekris working by just extracting
 the sets manually to the created partitions and modifying the config files?

Don't forget -p, though it's easier to follow pxeboot(8) and use the
normal bsd.rd installer (you'll also need a 'set tty com0' at the boot
loader, and answer the questions the installer asks about a serial
console).

 Also which sets can I drop? games and man sets are obvious but which x sets
 can I drop?

man is pretty small, having done the soekris thing for years (and the
small-system-on-CF-on-a-PC before then) I would recommend installing it,
it's often useful to have the manual pages to match the exact OS
version you're using. Especially if it tends to get fewer-than-normal
updates as it's a fairly stable system. I normally choose base, man,
xbase, etc. Sometimes comp too.



IPsec problems with multiple clients behind same NAT

2007-08-17 Thread Martin Hedenfalk
Hello misc,

I'm having problems with two IPsec tunnels from two different peers
behind the same NAT, to the same responder. All hosts are running
OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
fine, but when the other tries to establish a tunnel (with a different
tunneled network), the first SA is just deleted. The two peers are now
continuously competing. I get a lot of INVALID_COOKIE messages from
isakmpd.

It's the same problem as reported in this post:
http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
However, the Shared-SADB parameter mentioned doesn't have any effect for me.

I've sort of tracked this down to a call to sa_delete() in
ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
function calls sa_lookup_by_peer() which apparently matches both of my
SAs. I disabled the sa_delete() loop and now both of my SAs stay up
fine, but I'm not really sure what I've done.

Does anyone (developer?) have any thoughts about this?

TIA
/Martin



Re: pkg_add can't install a package

2007-08-17 Thread Mike Erdely
On Fri, Aug 17, 2007 at 11:48:34AM +0300, Tomas wrote:
 1. export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386

I know your question has been answered, so I'll just say: use a mirror.
http://www.openbsd.org/ftp.html

-ME



Re: IPsec problems with multiple clients behind same NAT

2007-08-17 Thread stuart van Zee
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Martin Hedenfalk
 Sent: Friday, August 17, 2007 09:22 AM
 To: OpenBSD
 Subject: IPsec problems with multiple clients behind same NAT
 
 
 Hello misc,
 
 I'm having problems with two IPsec tunnels from two different peers
 behind the same NAT, to the same responder. All hosts are running
 OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
 fine, but when the other tries to establish a tunnel (with a different
 tunneled network), the first SA is just deleted. The two peers are now
 continuously competing. I get a lot of INVALID_COOKIE messages from
 isakmpd.
 
 It's the same problem as reported in this post:
 http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
 However, the Shared-SADB parameter mentioned doesn't have any 
 effect for me.
 
 I've sort of tracked this down to a call to sa_delete() in
 ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
 function calls sa_lookup_by_peer() which apparently matches both of my
 SAs. I disabled the sa_delete() loop and now both of my SAs stay up
 fine, but I'm not really sure what I've done.
 
 Does anyone (developer?) have any thoughts about this?
 
 TIA
 /Martin
 

Ok... my IPSEC foo is really not all that powerful so if anyone out there
finds me to be completely wrong, please point and laugh, but here is the
problem you are having as far as I understand it.  

IPSec does not create more than one VPN tunnel coming from the same IP
address.  With your IPSec server being behind the NAT, every connection
that comes to it looks (to the IPSec server) as coming from the IP address
of the NAT firewall.  So, it isn't all that surprising that it is dropping
one connection as soon as the next comes in.

Now, as to how to fix this...  You are probably going to need someone with
a little more experience setting this up to help you.  I'm sure I could do
it if I needed to (given enough time) but I'd have to do a crap load of
reading to figure it out, and well... you can read... and I don't have the
time.  No offence intended.

As for possible issues with the fix that you have created for yourself by
disabling the sa_delete() loop.  Golly gee mister, I donno.  As a personal
policy I don't muck around in OpenBSD's code because quite frankly I ain't 
all that smart.

Hope this helped at least a little.

s



Re: Hoststated SSL Relay Issue Resolved?

2007-08-17 Thread Kevin
 Anyway I was able to get the whole thing running correctly, but I noticed a
 small bug and I was able to alleviate it with a small change to
 /usr/src/usr.sbin/hoststated/relay.c

 I noticed that the https relay worked great in Firefox and even IE. However,
 when I tried to go to the https domain in Opera or IE4 Mac. I got a nice fat
 error screen about something screwed up with the security certificate. I
 noticed that whenever I hit the page in Opera hoststated -d would spit this
 out:

 relay acclogic_www_secure, session 45 (1 active), 208.106.57.200 -> :0, SSL
 accept timeout


 this is not a bug, it is just a stupid behaviour of opera... (btw. WHY
 do you use IE4 Mac???). but you can tweak it, see below...


Heh. The one and *only* thing for which we use IE4 on Mac is for
generating wonky edge cases like these. :-)

If any browser can be counted on to break things and show where there
might be a problem elsewhere, it's IE4 on a Mac.

In this case Opera, too, shows the same issues (regardless of
platform), so it's something we had to address.

Thanks for the comments/suggestions, Reyk (and for the great work on
hoststated. ;-)

We'll see what happens with your suggestions and post results later.

Kevin



-- 
http://www.ebiinc.com :
Background Screening from EBI
Corporate background checks, worldwide.



Re: IPsec problems with multiple clients behind same NAT

2007-08-17 Thread Martin Hedenfalk
On 8/17/07, stuart van Zee [EMAIL PROTECTED] wrote:
(snip original message)

 Ok... my IPSEC foo is really not all that powerful so if anyone out there
 finds me to be completely wrong, please point and laugh, but here is the
 problem you are having as far as I understand it.

 IPSec does not create more than one VPN tunnel coming from the same IP
 address.  With your IPSec server being behind the NAT, every connection
 that comes to it looks (to the IPSec server) as coming from the IP address
 of the NAT firewall.  So, it isn't all that surprising that it is dropping
 one connection as soon as the next comes in.

Hi Stuart,

Well, I do think it is a bit surprising that it won't distinguish
between connections from the same IP but with different udpencap
ports.

 Now, as to how to fix this...  You are probably going to need someone with
 a little more experience setting this up to help you.  I'm sure I could do
 it if I needed to (given enough time) but I'd have to do a crap load of
 reading to figure it out, and well... you can read... and I don't have the
 time.  No offence intended.

 As for possible issues with the fix that you have created for yourself by
 disabling the sa_delete() loop.  Golly gee mister, I donno.  As a personal
 policy I don't muck around in OpenBSD's code because quite frankly I aint
 all that smart.

Well, it's just code :-)

I added a debug printf around the suspected code:
Aug 17 16:12:18 bzero isakmpd[30231]: XXX: looking for a matching peer
to 83.176.211.105:57628
Aug 17 16:12:18 bzero isakmpd[30231]: XXX: found matching peer
83.176.211.105:60903
Aug 17 16:12:18 bzero isakmpd[30231]: ipsec_handle_leftover_payload:
INITIAL-CONTACT made us delete SA 0x896c2b00

The SA lookup function calls net_addrcmp(3). From the manpage:
... if each socket address structure's sa_len and sa_family fields
match, the protocol-specific data (the sa_data field) is compared
But only the sin_addr (for INET family, and similar for INET6) is
compared, not the port. Why?

I'm now testing with the following patch:
http://bzero.se/patches/isakmpd-multi-nat-peers-patch.diff
(the first two hunks are just debug logging)

 Hope this helped at least a little.

Thank you for your reply!

/Martin
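The debug lines above show the core of it: the peer lookup matched 83.176.211.105:60903 when looking for 83.176.211.105:57628, because only the address was compared. The following is an added illustration for this thread (not isakmpd's sa_lookup_by_peer or net_addrcmp, and not the contents of the linked patch, which I have not reproduced here): a peer comparison with and without the UDP port, replayed against the two addresses from the log plus one constructed peer on 192.0.2.10. With NAT-T, the port is exactly what distinguishes two clients behind one public address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fill an IPv4 socket address from a dotted quad and a host-order port.
 * Returns 1 on success, 0 if the address text is invalid. */
int make_peer(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1;
}

/* Peer equality. with_port == 0 compares only the address (the behaviour the
 * log above shows); with_port != 0 also requires the UDP port to match, so
 * two NAT-T peers behind one public address stay distinct. */
int peer_equal(const struct sockaddr_in *a, const struct sockaddr_in *b, int with_port)
{
    if (a->sin_family != b->sin_family)
        return 0;
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 0;
    return !with_port || a->sin_port == b->sin_port;
}

/* How many stored peers an incoming peer collides with under a policy. */
int count_matching_peers(const struct sockaddr_in *peers, size_t n,
                         const struct sockaddr_in *incoming, int with_port)
{
    int matches = 0;
    for (size_t i = 0; i < n; i++)
        matches += peer_equal(&peers[i], incoming, with_port);
    return matches;
}

/* Replay the situation from the log: SAs exist for 83.176.211.105:60903 and a
 * constructed unrelated peer 192.0.2.10:500; a new negotiation arrives from
 * 83.176.211.105:57628 (same NAT, different source port). Returns how many
 * existing SAs the new peer would be taken for; -1 on a bad address literal. */
int nat_collision_count(int with_port)
{
    struct sockaddr_in existing[2], incoming;
    if (!make_peer(&existing[0], "83.176.211.105", 60903) ||
        !make_peer(&existing[1], "192.0.2.10", 500) ||
        !make_peer(&incoming, "83.176.211.105", 57628))
        return -1;
    return count_matching_peers(existing, 2, &incoming, with_port);
}

int main(void)
{
    printf("address only: new peer matches %d existing SA(s)\n", nat_collision_count(0));
    printf("address+port: new peer matches %d existing SA(s)\n", nat_collision_count(1));
    return 0;
}
```

The trade-off of including the port is the other direction: a client whose NAT mapping changes (for instance after the gateway reboots) shows up with a new source port and no longer matches its own old SA, so that SA has to age out by lifetime or dead-peer detection instead of being replaced on INITIAL-CONTACT.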



Re: Odd Bus/Seg Faults on Sparc64 Hardware

2007-08-17 Thread Edd Barrett
Hi,

 This machine has run Solaris 10 for the last 4 years or so with no
 problems, so i believe all hardware is working properly (Apart from
 the little LED on the front doesn't come on as it does with Solaris :P
 ).

There are no hardware faults whatsoever according to:
diag-level max
diag-switch true

---8<---

@(#)OBP 4.11.4 2003/07/23 08:04 Sun Fire V210/V240,Netra 240
Clearing TLBs
Loading Configuration
Membase: .0013..
MemSize: ..4000.
Init CPU arrays Done
Init E$ tags Done
Setup TLB Done
MMUs ON
Scrubbing Tomatillo tags... 0 1
Block Scrubbing Done
Dropin checksum: OK
Find dropin, Copying Done, Size ...5c60
PC = .07ff.f000.4c84
PC = ...4cf8
Dropin checksum: OK
Find dropin, (copied), Decompressing Done, Size ..0006.46e0
ttya initialized
System Reset: CPU Reset
JBUS-PCI bridge
JBUS-PCI bridge
Probing jbus at 0,0 SUNW,UltraSPARC-IIIi (1002 MHz @ 6:1, 1 MB)
   memory-controller
Probing jbus at 1,0 SUNW,UltraSPARC-IIIi (1002 MHz @ 6:1, 1 MB)
   memory-controller
Probing jbus at 1f,0 pci
Probing jbus at 1e,0 pci
Probing jbus at 1c,0 pci
Probing jbus at 1d,0 pci
Loading Support Packages: kbd-translator obp-tftp SUNW,i2c-ram-device
   SUNW,fru-device SUNW,asr
Loading onboard drivers:
Probing /[EMAIL PROTECTED],60 Device 7  isa flashprom rtc i2c i2c-bridge
   i2c-bridge motherboard-fru-prom chassis-fru-prom
   power-supply-fru-prom dimm-spd dimm-spd dimm-spd dimm-spd dimm-spd
   dimm-spd rscrtc nvram idprom gpio gpio gpio gpio power serial serial
   serial rmc-comm
CPU 0 Bank 0 base  0 size 2048 MB
CPU 1 Bank 0 base 10 size 1024 MB
CPU 1 Bank 1 base 11 size 1024 MB
CPU 1 Bank 2 base 12 size 1024 MB
CPU 1 Bank 3 base 13 size 1024 MB
SUNW,Sun-Fire-V210
Probing /[EMAIL PROTECTED],70 Device 2  network network
Probing /[EMAIL PROTECTED],70 Device 2  network network
Probing /[EMAIL PROTECTED],60 Device 6  pmu i2c gpio
Probing /[EMAIL PROTECTED],60 Device a  usb
Probing /[EMAIL PROTECTED],60 Device d  ide disk cdrom
Probing /[EMAIL PROTECTED],60 Device 2  Nothing there
Probing /[EMAIL PROTECTED],60 Device 3  Nothing there
Probing /[EMAIL PROTECTED],60 Device 2  scsi disk tape scsi disk tape
Probing /[EMAIL PROTECTED],60 Device 1  Nothing there
Probing /[EMAIL PROTECTED],70 Device 1  Nothing there
Sun Fire V210, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.11.4, 6144 MB memory installed, Serial #58530245.
Ethernet address 0:3:ba:7d:19:c5, Host ID: 837d19c5.


-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Odd Bus/Seg Faults on Sparc64 Hardware

2007-08-17 Thread Edd Barrett
Hi misc@ (and Laurie on cc - this affects you),

I have generously been lent a SunFire V210 for testing some ports
(texlive deps).

I have installed a snapshot (from about 3 days ago) and port build are
acting very oddly. They will tend to either seg or bus error like
this:

---8<---
o gtktoolbar.lo gtktoolbutton.lo gtktoolitem.lo gtktooltips.lo
gtktree.lo gtktreedatalist.lo gtktreednd.lo gtktreeitem.lo
gtktreemodel.lo gtktreemodelfilter.lo gtktreemodelsort.lo
gtktreeselection.lo gtktreesortable.lo gtktreestore.lo gtktreeview.lo
gtktreeviewcolumn.lo gtktypebuiltins.lo gtktypeutils.lo
gtkuimanager.lo gtkvbbox.lo gtkvbox.lo gtkviewport.lo gtkvpaned.lo
gtkvruler.lo gtkvscale.lo gtkvscrollbar.lo gtkvseparator.lo
gtkwidget.lo gtkwindow-decorate.lo gtkwindow.lo gtkclipboard.lo
gtkdnd.lo gtkfilesystemunix.lo gtkpagesetupunixdialog.lo gtkprinter.lo
gtkprinteroption.lo gtkprinteroptionset.lo gtkprinteroptionwidget.lo
gtkprintjob.lo gtkprintoperation-unix.lo gtkprintunixdialog.lo
gtkprintbackend.lo  gtkplug-x11.lo gtksocket-x11.lo gtkxembed.lo
gtktrayicon-x11.lo   ../gdk-pixbuf/libgdk_pixbuf-2.0.la
../gdk/libgdk-x11-2.0.la -L/usr/local/lib -L/usr/X11R6/lib
-lpangocairo-1.0 -lpangoft2-1.0 -lpango-1.0 -lXfixes -latk-1.0
-lgobject-2.0 -lgmodule-2.0 -lglib-2.0 -lintl -liconv -lcairo
-lfreetype -lfontconfig -lexpat -lglitz -lpng -lz -lm -lXrender -lX11
-lXau -lXdmcp -lm xdgmime/libxdgmime.la
Bus error (core dumped)
gmake[4]: *** [libgtk-x11-2.0.la] Error 1
gmake[4]: Leaving directory
`/usr/ports/x11/gtk+2/w-gtk+-2.10.13/gtk+-2.10.13/gtk'
gmake[3]: *** [all-recursive] Error 1
gmake[3]: Leaving directory
`/usr/ports/x11/gtk+2/w-gtk+-2.10.13/gtk+-2.10.13/gtk'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory
`/usr/ports/x11/gtk+2/w-gtk+-2.10.13/gtk+-2.10.13/gtk'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/ports/x11/gtk+2/w-gtk+-2.10.13/gtk+-2.10.13'
gmake: *** [all] Error 2
*** Error code 2
---8<---

I wasn't sure if ktrace was a good way to debug this as it can
sometimes build for a long time therefore filling up disk partitions
with ktrace.out?

But then you can run make again and it will continue past the error
and eventually hit another. So far in building evince, this has
happened 4 times (3 segs, 1 bus).

I am building as root, systrace is disabled.

This machine has run Solaris 10 for the last 4 years or so with no
problems, so i believe all hardware is working properly (Apart from
the little LED on the front doesn't come on as it does with Solaris :P
).

This is a dual CPU machine, running only one for BSD (for obvious
reasons). Not sure if that makes a difference.

Dmesg:
---8<---
console is /[EMAIL PROTECTED],60/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.2 (GENERIC) #1415: Mon Aug 13 21:24:29 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 18446744071562067968 (6144MB)
avail mem = 1958920192 (5964MB)
mainbus0 at root: Sun Fire V210
cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 2.4) @ 1002 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K
external (64 b/l)
memory-controller at mainbus0 not configured
memory-controller at mainbus0 not configured
schizo0 at mainbus0: Tomatillo, version 4, ign 7c0, bus B 0 to 0
schizo0: dvma map c000-dfff, iotdb 513e000-51be000
pci0 at schizo0
bge0 at pci0 dev 2 function 0 Broadcom BCM5704C rev 0x00, BCM5704 A3
(0x2003): ivec 0x7c8, address 00:03:ba:7d:19:c5
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci0 dev 2 function 1 Broadcom BCM5704C rev 0x00, BCM5704 A3
(0x2003): ivec 0x7c9, address 00:03:ba:7d:19:c6
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
schizo1 at mainbus0: Tomatillo, version 4, ign 780, bus A 0 to 0
schizo1: dvma map c000-dfff, iotdb 58a4000-5924000
pci1 at schizo1
ebus0 at pci1 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
flashprom at ebus0 addr 0-f, 290-290 not configured
rtc0 at ebus0 addr 70-71: m5819p
pcfiic0 at ebus0 addr 320-321 ipl 46
iic0 at pcfiic0
SUNW,i2c-imax at iic0 addr 0xb not configured
SUNW,i2c-imax at iic0 addr 0xc not configured
ds1307 at iic0 addr 0x68 not configured
pca9555 at iic0 addr 0x22 not configured
pca9555 at iic0 addr 0x23 not configured
pca9555 at iic0 addr 0x34 not configured
pca9556 at iic0 addr 0x38 not configured
power0 at ebus0 addr 800-82f ipl 32
---8<---

Any ideas?

Many Thanks

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: IPsec problems with multiple clients behind same NAT

2007-08-17 Thread Michael Gale

Hey,

Can you UDP encapsulate the IPSEC ESP packets ?

I believe most IPSEC servers and clients can support this feature, which 
also helps when going through NAT gateways.


http://www.faqs.org/rfcs/rfc3948.html
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm

Michael


Martin Hedenfalk wrote:

Hello misc,

I'm having problems with two IPsec tunnels from two different peers
behind the same NAT, to the same responder. All hosts are running
OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
fine, but when the other tries to establish a tunnel (with a different
tunneled network), the first SA is just deleted. The two peers are now
continuously competing. I get a lot of INVALID_COOKIE messages from
isakmpd.

It's the same problem as reported in this post:
http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
However, the Shared-SADB parameter mentioned doesn't have any effect for me.

I've sort of tracked this down to a call to sa_delete() in
ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
function calls sa_lookup_by_peer() which apparently matches both of my
SAs. I disabled the sa_delete() loop and now both of my SAs stay up
fine, but I'm not really sure what I've done.

Does anyone (developer?) have any thoughts about this?

TIA
/Martin



--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

What we need are more people who specialize in the impossible. - 
Theodore Roethke
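A constructed model of the collision Martin describes, added here as an example and not isakmpd's own code: when security associations are looked up by peer address alone, two peers behind one NAT look like a single peer and a "drop stale SAs for this peer" step deletes the other one's tunnel; keying on the NAT-T UDP endpoint (address and port) keeps them apart. Addresses, ports and networks are made-up sample values.

```python
"""Constructed model (not isakmpd's code) of the SA collision described above:
two IKE peers behind one NAT share a source address at the responder."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    name: str
    peer_ip: str     # address the responder sees: the NAT's public address
    peer_port: int   # NAT-T UDP source port, rewritten per inside host
    tunneled_net: str

# Constructed sample: peerA already has an SA, peerB is about to negotiate.
NAT_IP = "203.0.113.10"
PEER_A = SA("peerA", NAT_IP, 4500, "10.1.0.0/24")
PEER_B = SA("peerB", NAT_IP, 61000, "10.2.0.0/24")

def lookup_by_peer_ip(sadb, ip, port):
    """Address-only match: every SA behind the same NAT looks like one peer."""
    return [sa for sa in sadb if sa.peer_ip == ip]

def lookup_by_peer_endpoint(sadb, ip, port):
    """Address+port match: the NAT-T port keeps the two inside hosts apart."""
    return [sa for sa in sadb if (sa.peer_ip, sa.peer_port) == (ip, port)]

def leftover_delete(sadb, newcomer, lookup):
    """Model of a 'drop stale SAs for this peer' step on a new negotiation.
    Returns (surviving SADB with the newcomer added, names of deleted SAs)."""
    stale = lookup(sadb, newcomer.peer_ip, newcomer.peer_port)
    kept = [sa for sa in sadb if sa not in stale]
    return kept + [newcomer], [sa.name for sa in stale]

def simulate(rounds, lookup):
    """Alternate negotiations from peerB and peerA and record which SAs
    survive after each; address-only lookup yields the 'competing' pattern."""
    sadb, history = [PEER_A], []
    for i in range(rounds):
        newcomer = PEER_B if i % 2 == 0 else PEER_A
        sadb, _ = leftover_delete(sadb, newcomer, lookup)
        history.append(sorted(sa.name for sa in sadb))
    return history

if __name__ == "__main__":
    print(simulate(3, lookup_by_peer_ip))        # only one SA survives a round
    print(simulate(3, lookup_by_peer_endpoint))  # both SAs stay up
```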




Install OpenBSD without physical access

2007-08-17 Thread Jona Joachim
Hi!
I was wondering if anybody had any experience with installing
OpenBSD on a remote system without physical access to the machine.
I have a virtual server in Germany which runs Debian Etch and I'm
pretty fed up with it and I want to install OpenBSD on it.
This is a virtual server which runs under a Virtuozzo environment. I
can boot it with a Linux live system.
My idea was to set up an OpenBSD system at home, dump it, upload the
image to the server and restore the image to the hard drive using the
live system. I don't know how to install the boot loader yet.
This server is just a free time project of me and a friend of mine so
it's not so important if it's down for some time. If anything goes
wrong I can restore the original Debian system or boot it with a live
system.
I'd appreciate it if you could give me some pointers.

Best regards,
Jona Joachim



Re: Install OpenBSD without physical access

2007-08-17 Thread Chris 'Xenon' Hanson

Jona Joachim wrote:

Hi!
I was wondering if anybody had any experience with installing
OpenBSD on a remote system without physical access to the machine.
I have a virtual server in Germany which runs Debian Etch and I'm
pretty fed up with it and I want to install OpenBSD on it.
This is a virtual server which runs under a Virtuozzo environment. I
can boot it with a Linux live system.
My idea was to set up an OpenBSD system at home, dump it, upload the
image to the server and restore the image to the hard drive using the
live system. I don't know how to install the boot loader yet.
This server is just a free time project of me and a friend of mine so
it's not so important if it's down for some time. If anything goes
wrong I can restore the original Debian system or boot it with a live
system.


  I'm pretty sure Virtuozzo/OpenVZ only support Linux, and not *BSD virtual 
machines.


Best regards,
Jona Joachim


--
 Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
 I set the wheels in motion, turn up all the machines, activate the programs,
  and run behind the scenes. I set the clouds in motion, turn up light and 
sound,
  activate the window, and watch the world go 'round. -Prime Mover, Rush.



Re: Install OpenBSD without physical access

2007-08-17 Thread djgoku
On 8/17/07, Jona Joachim [EMAIL PROTECTED] wrote:
 Hi!
 I was wondering if anybody had any experience with installing
 OpenBSD on a remote system without physical access to the machine.
 I have a virtual server in Germany which runs Debian Etch and I'm
 pretty fed up with it and I want to install OpenBSD on it.
 This is a virtual server which runs under a Virtuozzo environment. I
 can boot it with a Linux live system.
 My idea was to set up an OpenBSD system at home, dump it, upload the
 image to the server and restore the image to the hard drive using the
 live system. I don't know how to install the boot loader yet.
 This server is just a free time project of me and a friend of mine so
 it's not so important if it's down for some time. If anything goes
 wrong I can restore the original Debian system or boot it with a live
 system.
 I'd appreciate it if you could give me some pointers.

http://marc.info/?l=openbsd-misc&m=118635777505801&w=2

I think what you are looking for is Yaifo 0.4.



Re: IPsec problems with multiple clients behind same NAT

2007-08-17 Thread Martin Hedenfalk
On 8/17/07, Michael Gale [EMAIL PROTECTED] wrote:
 Hey,

 Can you UDP encapsulate the IPSEC ESP packets ?

Yes, isakmpd does that automatically. ESP doesn't traverse NAT at all.

-martin


 I believe most IPSEC servers and clients can support this feature, which
 also helps when going through NAT gateways.

 http://www.faqs.org/rfcs/rfc3948.html
 http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm

 Michael



 Martin Hedenfalk wrote:
  Hello misc,
 
  I'm having problems with two IPsec tunnels from two different peers
  behind the same NAT, to the same responder. All hosts are running
  OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
  fine, but when the other tries to establish a tunnel (with a different
  tunneled network), the first SA is just deleted. The two peers are now
  continuously competing. I get a lot of INVALID_COOKIE messages from
  isakmpd.
 
  It's the same problem as reported in this post:
  http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
  However, the Shared-SADB parameter mentioned doesn't have any effect for 
  me.
 
  I've sort of tracked this down to a call to sa_delete() in
  ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
  function calls sa_lookup_by_peer() which apparently matches both of my
  SAs. I disabled the sa_delete() loop and now both of my SAs stay up
  fine, but I'm not really sure what I've done.
 
  Does anyone (developer?) have any thoughts about this?
 
  TIA
  /Martin
 


 --
 Michael Gale

 Red Hat Certified Engineer
 Network Administrator
 Pason Systems Corp.

 What we need are more people who specialize in the impossible. -
 Theodore Roethke



Re: Install OpenBSD without physical access

2007-08-17 Thread Jona Joachim
On Fri, 17 Aug 2007 15:25:34 -0600
Chris 'Xenon' Hanson [EMAIL PROTECTED] wrote:

 Jona Joachim wrote:
  Hi!
  I was wondering if anybody had any experience with installing
  OpenBSD on a remote system without physical access to the machine.
  I have a virtual server in Germany which runs Debian Etch and I'm
  pretty fed up with it and I want to install OpenBSD on it.
  This is a virtual server which runs under a Virtuozzo environment. I
  can boot it with a Linux live system.
  My idea was to set up an OpenBSD system at home, dump it, upload the
  image to the server and restore the image to the hard drive using
  the live system. I don't know how to install the boot loader yet.
  This server is just a free time project of me and a friend of mine
  so it's not so important if it's down for some time. If anything
  goes wrong I can restore the original Debian system or boot it with
  a live system.
 
 I'm pretty sure Virtuozzo/OpenVZ only support Linux, and not *BSD
 virtual machines.

Oh, that would be really sad. The guy from the support told us you can
run almost anything on it when we called several months ago.
It does support Windows but that's not much of a surprise.
We're going to call tomorrow and see what they answer. I hope the
answer will not be "What is BSD?".

Regards,
Jona



Re: Install OpenBSD without physical access

2007-08-17 Thread Chris 'Xenon' Hanson

Jona Joachim wrote:

   I'm pretty sure Virtuozzo/OpenVZ only support Linux, and not *BSD
virtual machines.

Oh, that would be really sad. The guy from the support told us you can
run almost anything on it when we called several months ago.
It does support Windows but that's not much of a surprise.
We're going to call tomorrow and see what they answer. I hope the
answer will not be "What is BSD?".


http://en.wikipedia.org/wiki/Virtuozzo#Comparison_to_other_technologies
http://wiki.openvz.org/Introduction_to_virtualization


Regards,
Jona


--
 Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
 I set the wheels in motion, turn up all the machines, activate the programs,
  and run behind the scenes. I set the clouds in motion, turn up light and 
sound,
  activate the window, and watch the world go 'round. -Prime Mover, Rush.