relayd for lan servers with carp and pfsync

2012-08-15 Thread Indunil Jayasooriya
Hi misc,


I have 2 OpenBSD 5.1 64bit boxes. I want to set up relayd for LAN servers
with carp and pfsync for LAN users.

What I want to achieve is that LAN users connect to the carp1 IP address (LAN
shared IP - 192.168.0.100). Then, relayd will redirect that traffic to 2
LAN servers running the services http, smtp and pop. If one server goes down,
relayd will remove it from the table.


*This is what I did.*

let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2


fw1

em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.67 ( for pfsync )

fw2

em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.68 ( for pfsync )


LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )



net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2



Configure fw1:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1


! configure pfsync
# ifconfig em1 192.168.9.67 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 192.168.0.100 netmask 255.255.255.0



Configure fw2:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1

! configure pfsync
# ifconfig em1 192.168.9.68 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 advskew 128 192.168.0.100 netmask 255.255.255.0



*/etc/pf.conf* looks like this on both nodes (fw1 and fw2)


# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="em0"
pfsync_if="em1"

servers = "{ 192.168.0.66, 192.168.0.67 }"

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state

##END

pass log        # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

*/etc/relayd.conf* is like this on both nodes (fw1 and fw2)



# cat /etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#

ext_addr="192.168.0.100"
webhost1="192.168.0.66"
webhost2="192.168.0.67"

table <servers> { $webhost1 $webhost2 }

redirect www {
  listen on $ext_addr port 80
  #forward to <servers> port 80 mode loadbalance check tcp
  forward to <servers> port 80 mode roundrobin check tcp
}

redirect smtp {
  listen on $ext_addr port 25
  #forward to <servers> port 25 mode loadbalance check tcp
  forward to <servers> port 25 mode roundrobin check tcp
}

redirect pop {
  listen on $ext_addr port 110
  #forward to <servers> port 110 mode loadbalance check tcp
  forward to <servers> port 110 mode roundrobin check tcp
}



then I issued below 2 commands on both nodes (fw1 and fw2 )


# pfctl -f /etc/pf.conf


# relayd


then, from a LAN PC (actually my Fedora 12 desktop), I executed the below 2
commands


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25


*Both worked in round robin manner as I expected.*


then, I added these on both nodes ( fw1 and fw2 )


/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd

/etc/hostname.pfsync0
up syncdev em1




Then, I rebooted both hosts (first fw1 and then fw2 )


Then, I ran the telnet command again to the carp1 IP address (192.168.0.100) in
the following way,


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25



It does NOT work.

Could you please let me know why?



Since fw2 is backup, I think /etc/hostname.carp1 should be different (with
advskew 128), in the following way?



/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd advskew 128


*relayctl show summary* gives this on both nodes (please note that
port *pop3 is NOT yet configured*)


# relayctl show summary

Id   Type       Name           Avlblty   Status
1    redirect   www                      active
1    table      servers:80               active (2 hosts)
1    host       192.168.0.66   100.00%   up
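Added example (the editor's, not a file from the thread above): a complete configuration set for the two-node layout described in this post, using the addresses, interface names and CARP password given above. Everything else is an assumption: the pfsync syncpeer addresses, the rc.conf.local line, and the policy of default-deny with pfsync accepted only from the peer on the dedicated link (pfsync carries no authentication, so the sync segment must be private). Three things differ from the posted files and are the first places to look when the setup stops working after a reboot: the relayd anchor is enabled in pf.conf (relayd(8) writes its rdr rules into that anchor), net.inet.carp.preempt is set in /etc/sysctl.conf (a `sysctl -w` does not survive a reboot), and the backup node's hostname.carp1 carries advskew. Because the servers sit on the same segment as the clients, the redirected flow is source-NATed to the shared address; without that the server answers the client directly and the client resets the connection. Drop the nat-to if the servers are moved behind the firewalls on their own segment.

```conf
# --- both nodes: /etc/sysctl.conf ---
net.inet.ip.forwarding=1
net.inet.carp.preempt=1

# --- fw1: /etc/hostname.em1 (pfsync link: dedicated cable or VLAN, nothing else on it) ---
inet 192.168.9.67 255.255.255.0 NONE

# --- fw1: /etc/hostname.carp1 (master: no advskew) ---
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 pass lanpasswd

# --- fw1: /etc/hostname.pfsync0 (unicast to the peer instead of multicast) ---
up syncdev em1 syncpeer 192.168.9.68

# --- fw2: /etc/hostname.em1 ---
inet 192.168.9.68 255.255.255.0 NONE

# --- fw2: /etc/hostname.carp1 (backup: advskew makes it lose the election) ---
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 pass lanpasswd advskew 128

# --- fw2: /etc/hostname.pfsync0 ---
up syncdev em1 syncpeer 192.168.9.67

# --- both nodes: /etc/rc.conf.local (start relayd at boot) ---
relayd_flags=""

# --- both nodes: /etc/pf.conf (only pfsync_self/pfsync_peer differ per node) ---
lan_if="em0"
pfsync_if="em1"
pfsync_self="192.168.9.67"      # fw2: 192.168.9.68
pfsync_peer="192.168.9.68"      # fw2: 192.168.9.67
lan_net="192.168.0.0/24"
lan_shared="192.168.0.100"
servers="{ 192.168.0.66, 192.168.0.67 }"
svc_ports="{ 80, 25, 110 }"

set skip on lo

# relayd(8) writes "pass in quick ... rdr-to" rules into this anchor;
# while it is commented out nothing is redirected
anchor "relayd/*"

block log all

# pfsync is unauthenticated: accept it only from the peer, only on the sync link
pass quick on $pfsync_if proto pfsync from $pfsync_peer to $pfsync_self \
    keep state (no-sync)
pass quick on $pfsync_if proto pfsync from $pfsync_self to $pfsync_peer \
    keep state (no-sync)
pass on $lan_if proto carp keep state (no-sync)

# relayd health checks originate from this node's own em0 address;
# their states are local and need no syncing
pass out quick on $lan_if proto tcp from ($lan_if) to $servers port $svc_ports \
    keep state (no-sync)

# redirected client flows: rdr-to happened in the anchor; nat-to the shared
# address so the server's reply comes back through whichever node is master
pass out on $lan_if proto tcp from $lan_net to $servers port $svc_ports \
    nat-to $lan_shared keep state

# admin access to the nodes themselves (extend as needed)
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port ssh keep state

# --- both nodes: /etc/relayd.conf ---
lan_addr="192.168.0.100"
webhost1="192.168.0.66"
webhost2="192.168.0.67"

table <servers> { $webhost1 $webhost2 }

redirect www {
	listen on $lan_addr port 80
	# an HTTP check removes a host whose daemon is up but not serving
	forward to <servers> port 80 mode roundrobin check http "/" code 200
}

redirect smtp {
	listen on $lan_addr port 25
	forward to <servers> port 25 mode roundrobin check tcp
}

redirect pop {
	listen on $lan_addr port 110
	forward to <servers> port 110 mode roundrobin check tcp
}
```

After a reboot, `ifconfig carp1` should show MASTER on fw1 and BACKUP on fw2, `pfctl -a "relayd/*" -sr` should list the rdr rules relayd inserted, and `relayctl show summary` should list all three redirects with both hosts up.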

Building Financial Models with Excel

2012-08-15 Thread Lic. Adriana Alvarez
Building Financial Models with Excel - Analysis and Interpretation
Panama, August 22, 2012
SHERATON PANAMA HOTEL & CONVENTION CENTER
Financial techniques will be demonstrated step by step using Excel's tools and
features. You will learn to use Excel to develop your skills in a wide range
of financial decision-making situations, including how to...
- Prepare more accurate financial forecasts and cash-flow projections
- Simplify complex business problems
- Build financial statements from a trial balance
- Create comparative financial statements
- Build cash-flow statements from information exported from your bank's web
portal
- Build income statements with variable factors
- Build an NPV and IRR calculation model for your investment projects
- Use hyperlinks to create management reports in PowerPoint from Excel
Request the full brochure now!
Just reply with your Name, Position, Company and Telephone, or call
(507) 279-1083 / 279-0258 / 279-0887, where I will be glad to assist you.
Kind regards!
Lic. Adriana Alvarez
Project Leader
To unsubscribe from these invitations, just reply to this e-mail with the
SUBJECT noinv and you will automatically be removed from our lists.



Self-managed website design

2012-08-15 Thread Visual Impact Diseño Web
To hire our service click here



If you wish to unsubscribe click here

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
agostopcia.jpg]



Re: npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
Yep, that was exactly it.

Thank you, again.

On Aug 15, 2012, at 16:01, YASUOKA Masahiko  wrote:

> Hi,
>
>> real.local.concentrate: tun0
>
> this should be
>
>  realm.local.concentrate: tun0
>
> I hope this will help you.
>
> --yasuoka
>
> On Wed, 15 Aug 2012 09:11:06 -0700
> Johan Beisser  wrote:
>> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.
>>
>> I've enabled pipex in kernel:
>> # sysctl -a | grep -E '(pipex|gre)'
>> net.inet.gre.allow=0
>> net.inet.gre.wccp=0
>> net.pipex.enable=1
>>
>> Before anyone asks, yes, I had GRE enabled as well. But, I'm not
>> looking to run PPTP via npppd, only L2TP. I've tested with it
>> activated, and the config with pptpd.enabled: false
>>
>> I've configured a very basic npppd.conf, per the instructions in
>> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8
>>
>> Everything connects, it appears to authenticate fine, but after that
>> iOS attempts to negotiate ppp. I'm assuming this is the relevant part
>> of the npppd debugging output (for my own privacy, I've replaced
>> non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
>> server, respectively):
>>
>> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
>> from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
>> hostname=users-thing vendor=(no vendorname) firm=
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
>> session_id=948 calling_number= tx_conn_speed=100 framing=async
>> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
>> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
>> tunnel=L2TP(A.B.C.D:50002)
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
>> mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
>> logtype=Success username="user" realm=local
>> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
>> ip6cp, 32855(8057)
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
>> result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
>> local PPP
>> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
>> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
>> user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
>> auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
>> error_in=1 error_out=0 mppe=no iface=(not binding)
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
>> unexpected state=cleanup-wait
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
>> error=UNKNOWN/28261 tunnel_id=21 message="cted"
>> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
>> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
>> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
>> control message: tunnelId=2 is not found.  mestype=CDN
>>
>>
>> Isakmpd does throw some errors, but they don't seem to be related to
>> anything except protocol negotiation.
>>
>> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
>> responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
>> A.B.C.D dst: A.B.C.D
>> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
>> responder): src: E.F.G.H dst: A.B.C.D
>>
>>
>> It acts the same if pf is enabled or disabled. I'm debating if I
>> should update to a snapshot or not, at this point. Due to the hardware
>> being weak, and kind of old, I'd rather not have the debugging flags,
>> etc, running a snapshot would entail.
>>
>> Any pointers on where to look would be appreciated.
>>
>> -jb
>>
>>
>> npppd.conf:
>>
>> interface_list: tun0
>> interface.tun0.ip4addr: 172.23.0.1
>>
>> # IP Address Pool
>> pool.dyna_pool: 172.23.0.0/25
>> pool.pool:  172.23.0.128/25
>>
>> # local file auth
>> auth.local.realm_list:  local
>> auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
>> real.local.concentrate: tun0
>>
>> lcp.mru:1400
>> lcp.timeout:18
>> auth.method:mschapv2
>> # auth.method:  mschapv2 chap pap
>> ipcp.assign_fixed: true
>> ipcp.assign_userselect:true
>>
>> pptpd.enabled:  false
>> pptpd.ip4_allow:0.0.0.0/0
>> #pptpd.listener_in: PPTP

Re: npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
Thank you for the catch, I was pretty damn tired when I wrote that.

On Aug 15, 2012, at 16:01, YASUOKA Masahiko  wrote:

> Hi,
>
>> real.local.concentrate: tun0
>
> this should be
>
>  realm.local.concentrate: tun0
>
> I hope this will help you.
>
> --yasuoka
>
> On Wed, 15 Aug 2012 09:11:06 -0700
> Johan Beisser  wrote:
>> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.
>>
>> I've enabled pipex in kernel:
>> # sysctl -a | grep -E '(pipex|gre)'
>> net.inet.gre.allow=0
>> net.inet.gre.wccp=0
>> net.pipex.enable=1
>>
>> Before anyone asks, yes, I had GRE enabled as well. But, I'm not
>> looking to run PPTP via npppd, only L2TP. I've tested with it
>> activated, and the config with pptpd.enabled: false
>>
>> I've configured a very basic npppd.conf, per the instructions in
>> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8
>>
>> Everything connects, it appears to authenticate fine, but after that
>> iOS attempts to negotiate ppp. I'm assuming this is the relevant part
>> of the npppd debugging output (for my own privacy, I've replaced
>> non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
>> server, respectively):
>>
>> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
>> from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
>> hostname=users-thing vendor=(no vendorname) firm=
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
>> session_id=948 calling_number= tx_conn_speed=100 framing=async
>> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
>> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
>> tunnel=L2TP(A.B.C.D:50002)
>> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
>> mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
>> logtype=Success username="user" realm=local
>> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
>> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
>> ip6cp, 32855(8057)
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
>> result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
>> local PPP
>> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
>> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
>> user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
>> auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
>> error_in=1 error_out=0 mppe=no iface=(not binding)
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
>> unexpected state=cleanup-wait
>> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
>> error=UNKNOWN/28261 tunnel_id=21 message="cted"
>> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
>> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
>> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
>> control message: tunnelId=2 is not found.  mestype=CDN
>>
>>
>> Isakmpd does throw some errors, but they don't seem to be related to
>> anything except protocol negotiation.
>>
>> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
>> responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
>> A.B.C.D dst: A.B.C.D
>> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
>> responder): src: E.F.G.H dst: A.B.C.D
>>
>>
>> It acts the same if pf is enabled or disabled. I'm debating if I
>> should update to a snapshot or not, at this point. Due to the hardware
>> being weak, and kind of old, I'd rather not have the debugging flags,
>> etc, running a snapshot would entail.
>>
>> Any pointers on where to look would be appreciated.
>>
>> -jb
>>
>>
>> npppd.conf:
>>
>> interface_list: tun0
>> interface.tun0.ip4addr: 172.23.0.1
>>
>> # IP Address Pool
>> pool.dyna_pool: 172.23.0.0/25
>> pool.pool:  172.23.0.128/25
>>
>> # local file auth
>> auth.local.realm_list:  local
>> auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
>> real.local.concentrate: tun0
>>
>> lcp.mru:1400
>> lcp.timeout:18
>> auth.method:mschapv2
>> # auth.method:  mschapv2 chap pap
>> ipcp.assign_fixed: true
>> ipcp.assign_userselect:true
>>
>> pptpd.enabled:  false
>> pptpd.ip4_allow:0.0.0.0/0
>> #pptpd.listener_in:   

1u machine wanted..

2012-08-15 Thread Theo de Raadt
Donation request:

I am looking for 1 or 2 "very fast" 1u x86 machines (for instance
fast-cpu dell r610) so that I can do a refresh of the ports tree
amd64-build machines with newer hardware.

The current machines are lagging in performance and I want to improve
the build times.  The two faster architectures (i386 and amd64) are
used to spot build problems in the ports tree very quickly, before
other slower architectures see them.  The other slower architectures
include some rather sensitive machines, though since "all the world is
linux running on amd64" is becoming a problem, and therefore they
suit that purpose.  They act together to catch problems before
developers waste time.

If anyone can find a way to donate such machines, please drop me a note.
thanks.



Re: npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread YASUOKA Masahiko
Hi,

> real.local.concentrate: tun0

this should be 

  realm.local.concentrate: tun0

I hope this will help you.

--yasuoka

On Wed, 15 Aug 2012 09:11:06 -0700
Johan Beisser  wrote:
> I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.
> 
> I've enabled pipex in kernel:
> # sysctl -a | grep -E '(pipex|gre)'
> net.inet.gre.allow=0
> net.inet.gre.wccp=0
> net.pipex.enable=1
> 
> Before anyone asks, yes, I had GRE enabled as well. But, I'm not
> looking to run PPTP via npppd, only L2TP. I've tested with it
> activated, and the config with pptpd.enabled: false
> 
> I've configured a very basic npppd.conf, per the instructions in
> http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8
> 
> Everything connects, it appears to authenticate fine, but after that
> iOS attempts to negotiate ppp. I'm assuming this is the relevant part
> of the npppd debugging output (for my own privacy, I've replaced
> non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
> server, respectively):
> 
> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
> from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
> hostname=users-thing vendor=(no vendorname) firm=
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
> session_id=948 calling_number= tx_conn_speed=100 framing=async
> 2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
> 2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
> tunnel=L2TP(A.B.C.D:50002)
> 2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
> mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
> logtype=Success username="user" realm=local
> 2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
> 2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
> ip6cp, 32855(8057)
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
> result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
> local PPP
> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
> 2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
> user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
> auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
> error_in=1 error_out=0 mppe=no iface=(not binding)
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
> unexpected state=cleanup-wait
> 2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
> error=UNKNOWN/28261 tunnel_id=21 message="cted"
> 2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
> 2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
> 2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
> control message: tunnelId=2 is not found.  mestype=CDN
> 
> 
> Isakmpd does throw some errors, but they don't seem to be related to
> anything except protocol negotiation.
> 
> Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
> responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
> A.B.C.D dst: A.B.C.D
> Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
> responder): src: E.F.G.H dst: A.B.C.D
> 
> 
> It acts the same if pf is enabled or disabled. I'm debating if I
> should update to a snapshot or not, at this point. Due to the hardware
> being weak, and kind of old, I'd rather not have the debugging flags,
> etc, running a snapshot would entail.
> 
> Any pointers on where to look would be appreciated.
> 
> -jb
> 
> 
> npppd.conf:
> 
> interface_list: tun0
> interface.tun0.ip4addr: 172.23.0.1
> 
> # IP Address Pool
> pool.dyna_pool: 172.23.0.0/25
> pool.pool:  172.23.0.128/25
> 
> # local file auth
> auth.local.realm_list:  local
> auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
> real.local.concentrate: tun0
> 
> lcp.mru:1400
> lcp.timeout:18
> auth.method:mschapv2
> # auth.method:  mschapv2 chap pap
> ipcp.assign_fixed: true
> ipcp.assign_userselect:true
> 
> pptpd.enabled:  false
> pptpd.ip4_allow:0.0.0.0/0
> #pptpd.listener_in: PPTP 192.168.0.1
> 
> # L2TP daemon
> l2tpd.enabled:  true
> l2tpd.ip4_allow:0.0.0.0/0
> #l2tpd.listener_in: L2TP 192.168.0.1
> l2tpd.purge_ips

Re: Question about redirecting to a multiple log files from pflogd

2012-08-15 Thread C. L. Martinez
On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez  wrote:
> Hi all,
>
>  I have some rules that I would like to redirect in syslog format to a
> log file. I don't need to touch /var/log/pflog. To accomplish this I
> have tried to start pflogd daemon with the following options:
>
>  "-s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log"
>
>  ... but it doesn't work. After that, I tried to start another pflogd
> instance with "-s 256 -i pflog1 -f /tmp/test.log":
>
> 25317 ??  S   0:49.58 pflogd: [running] -s 256 -i pflog1 -f
> /tmp/test.log (pflogd)
> 13851 ??  Ss  0:00.23 ntpd: ntp engine (ntpd)
> 16445 ??  Is  0:00.03 ntpd: dns engine (ntpd)
> 11227 ??  Ss  0:00.02 ntpd: [priv] (ntpd)
> 21752 ??  Is  0:00.05 /usr/sbin/sshd
> 14014 ??  Ss  0:00.30 sendmail: accepting connections (sendmail)
> 14724 ??  Is  0:00.01 /usr/sbin/ftp-proxy
> 14277 ??  Ss  0:00.04 /usr/sbin/cron
> 11070 ??  Ss  0:35.46 sshd: root@ttyp0 (sshd)
> 18112 ??  Is  0:00.01 pflogd: [priv] (pflogd)
> 14997 ??  S   0:01.08 pflogd: [running] -s 256 -i pflog0 -f
> /var/log/pflog (pflogd)
>
>  .. but it doesn't work. /var/log/pflog doesn't register activity
> (pflog0 and pflog1 interfaces are up)
>
>  At this stage, I only need to try whether this approach works using
> tcpdump file format in both log files ...
>
>  Is it possible to use several pflogX interfaces and redirect all logs
> to several log files? I am using OpenBSD 5.1
>
> Thanks.

Please, any tip?
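Added example, not from the thread: the pieces that make a second pflog interface carry its own traffic. A rule with plain `log` always writes to pflog0, whatever other pflogd instances are running; a rule sends its records elsewhere only when it names the interface with `log (to pflogN)`, per pf.conf(5). The rules, file names and the rc.local placement are assumptions; the `-s 256 -i pflog1` flags are the poster's own.

```conf
# --- /etc/hostname.pflog1: create the second log interface at boot ---
up

# --- /etc/pf.conf: only rules that name pflog1 land in the second file ---
# plain "log" goes to pflog0 -> /var/log/pflog, read by the stock pflogd instance
block in log on egress

# these two go to pflog1 only; "all" logs every packet of the flow, not just the first
pass in log (to pflog1) on egress proto tcp from any to any port ssh
block in log (all, to pflog1) quick on egress proto tcp from any to any port smtp

# --- /etc/rc.local: second pflogd(8) instance, one per interface ---
/sbin/pflogd -s 256 -i pflog1 -f /var/log/pflog1

# --- reading either file back (same tcpdump format) ---
# tcpdump -n -e -ttt -r /var/log/pflog1
```

Running a second pflogd against pflog1 is correct as far as it goes; it simply sees nothing until some rule is told to log there, and the rules that keep plain `log` continue to feed /var/log/pflog as before.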



iked.conf question - multiple clients with certs.

2012-08-15 Thread Bentley, Dain
Hello Misc,
I'm having a small issue with my iked.conf on my openbsd 4.9 firewall.  I have
the following config and it works fine:

ikev2 "laptop" passive esp \
    from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
    srcid xxx.xxx.xxx.xxx \
    config address 1.1.1.2


I have a win 7 laptop with certs and I connect with no issue.  Now I'd like to
add a couple of more clients in the mix.  So I created certs for them and
distributed them correctly and now have the following:


ikev2 "home-PC" passive esp \
    from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
    srcid xxx.xxx.xxx.xxx \
    config address 1.1.1.3


ikev2 "laptop" passive esp \
    from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
    srcid xxx.xxx.xxx.xxx \
    config address 1.1.1.2



But when I connect I cannot, and starting iked -dvv shows it's trying to
connect with the "laptop" policy.  I'm afraid I have the config wrong.  Is
this the correct way to add multiple clients and if not what would I do?  I
can't seem to find any info on the web or man pages.
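Added example (the editor's, not the poster's configuration): the two policies above are identical in every field iked(8) uses to select a policy, so it cannot tell the clients apart and applies the same one to both. With certificate authentication the peer's identity is what distinguishes them, so each policy can be keyed on `dstid`, which iked matches against the identity the client presents (the subjectAltName in its certificate). The hostnames used as identities, the gateway's srcid and the narrowing of `to` to each client's assigned address are assumptions.

```conf
# /etc/iked.conf
# Assumed identities: each client certificate must carry the matching
# subjectAltName (an FQDN here), and the gateway certificate gw.example.net.
# "peer any" still allows either client to connect from any address;
# dstid is what binds each policy to one certificate holder.

ikev2 "laptop" passive esp \
	from 192.168.10.0/24 to 1.1.1.2 \
	local any peer any \
	srcid gw.example.net dstid laptop.example.net \
	config address 1.1.1.2

ikev2 "home-PC" passive esp \
	from 192.168.10.0/24 to 1.1.1.3 \
	local any peer any \
	srcid gw.example.net dstid homepc.example.net \
	config address 1.1.1.3
```

With `iked -dvv` the negotiation log then shows which policy was selected for which identity; a client whose certificate carries neither identity matches no policy and is rejected rather than silently landing on the wrong one.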



npppd and iOS 5.1.1 on OpenBSD 5.1

2012-08-15 Thread Johan Beisser
I've hit a bit of a wall digging around getting L2TP working with OpenBSD 5.1.

I've enabled pipex in kernel:
# sysctl -a | grep -E '(pipex|gre)'
net.inet.gre.allow=0
net.inet.gre.wccp=0
net.pipex.enable=1

Before anyone asks, yes, I had GRE enabled as well. But, I'm not
looking to run PPTP via npppd, only L2TP. I've tested with it
activated, and the config with pptpd.enabled: false

I've configured a very basic npppd.conf, per the instructions in
http://www.undeadly.org/cgi?action=article&sid=20120427125048 and
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt?rev=1.8

Everything connects, it appears to authenticate fine, but after that
iOS attempts to negotiate ppp. I'm assuming this is the relevant part
of the npppd debugging output (for my own privacy, I've replaced
non-RFC addresses with A.B.C.D for the client and E.F.G.H for the
server, respectively):

2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
from=A.B.C.D:50002/udp tunnel_id=2/21 protocol=1.0 winsize=4
hostname=users-thing vendor=(no vendorname) firm=
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendSCCRP
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 RecvSCCN
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 SendZLB
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICRQ session_id=948
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendICRP session_id=9490
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 RecvICCN
session_id=948 calling_number= tx_conn_speed=100 framing=async
2012-08-15 08:37:03:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPBind ppp=1
2012-08-15 08:37:03:INFO: ppp id=1 layer=base logtype=Started
tunnel=L2TP(A.B.C.D:50002)
2012-08-15 08:37:03:INFO: l2tpd ctrl=2 call=9490 SendZLB
2012-08-15 08:37:22:INFO: ppp id=1 layer=lcp logtype=Opened
mru=1400/1400 auth=MS-CHAP-V2 magic=3adadd39/37d59f4b
2012-08-15 08:37:22:INFO: ppp id=1 layer=chap proto=mschap_v2
logtype=Success username="user" realm=local
2012-08-15 08:37:22:WARNING: ppp id=1 layer=base No interface binding.
2012-08-15 08:37:22:INFO: ppp id=1 layer=base unhandled protocol
ip6cp, 32855(8057)
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 SendCDN
result=ERROR_CODE/2 error=GENERIC_ERROR/6 messsage=Disconnected by
local PPP
2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 call=9490 logtype=PPPUnbind
2012-08-15 08:37:22:NOTICE: ppp id=1 layer=base logtype=TUNNELUSAGE
user="user" duration=19sec layer2=L2TP layer2from=A.B.C.D:50002
auth=MS-CHAP-V2 data_in=271bytes,12packets data_out=333bytes,15packets
error_in=1 error_out=0 mppe=no iface=(not binding)
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 call=9490 Received CDN in
unexpected state=cleanup-wait
2012-08-15 08:37:22:INFO: l2tpd ctrl=2 RecvStopCCN result=UNKNOWN/256
error=UNKNOWN/28261 tunnel_id=21 message="cted"
2012-08-15 08:37:22:DEBUG: l2tpd ctrl=2 SendZLB
2012-08-15 08:37:22:NOTICE: l2tpd ctrl=2 logtype=Finished
2012-08-15 08:37:23:INFO: l2tpd Received from=A.B.C.D:42138: bad
control message: tunnelId=2 is not found.  mestype=CDN


Isakmpd does throw some errors, but they don't seem to be related to
anything except protocol negotiation.

Aug 15 08:37:00 soekris isakmpd[1079]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: phase 1 done (as
responder): initiator id 10.70.108.213, responder id E.F.G.H, src:
A.B.C.D dst: A.B.C.D
Aug 15 08:37:02 soekris isakmpd[1079]: isakmpd: quick mode done (as
responder): src: E.F.G.H dst: A.B.C.D


It acts the same if pf is enabled or disabled. I'm debating if I
should update to a snapshot or not, at this point. Due to the hardware
being weak, and kind of old, I'd rather not have the debugging flags,
etc, running a snapshot would entail.

Any pointers on where to look would be appreciated.

-jb


npppd.conf:

interface_list: tun0
interface.tun0.ip4addr: 172.23.0.1

# IP Address Pool
pool.dyna_pool: 172.23.0.0/25
pool.pool:  172.23.0.128/25

# local file auth
auth.local.realm_list:  local
auth.local.realm.acctlist:  /etc/npppd/npppd-users.csv
real.local.concentrate: tun0

lcp.mru:1400
lcp.timeout:18
auth.method:mschapv2
# auth.method:  mschapv2 chap pap
ipcp.assign_fixed: true
ipcp.assign_userselect:true

pptpd.enabled:  false
pptpd.ip4_allow:0.0.0.0/0
#pptpd.listener_in: PPTP 192.168.0.1

# L2TP daemon
l2tpd.enabled:  true
l2tpd.ip4_allow:0.0.0.0/0
#l2tpd.listener_in: L2TP 192.168.0.1
l2tpd.purge_ipsec_sa:   false
l2tpd.require_ipsec:true
l2tpd.accept_dialin:true

pipex.enabled: true

ipsec.conf:

ike passive esp transport \
proto udp from A.B.C.D to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "PASSWORD"



Re: The ultimate OpenBSD email server

2012-08-15 Thread Zhang Huangbin
On Wednesday, August 15, 2012 at 10:16 PM, L. V. Lammert wrote:

> Take a look at mailserv, https://github.com/mailserv. The admin interface
> is nice, and all components are integrated.


Here's another one: http://www.iredmail.org/
Works on OpenBSD 5.1. Installation guide is here: 
http://www.iredmail.org/install_iredmail_on_openbsd.html



Re: The ultimate OpenBSD email server

2012-08-15 Thread L. V. Lammert
On Wed, 15 Aug 2012, Mikkel Bang wrote:

> But with so many people recommending so many different tools, it gets hard
> to come to a conclusion. Looks like I'm finally arriving at this though:
> postfix (postfix-anti-UCE.txt) + dspam - what do you guys think?
>
Take a look at mailserv, https://github.com/mailserv. The admin interface
is nice, and all components are integrated.

Lee



Re: broken system with unknow command

2012-08-15 Thread Michel Blais

Thanks Philip,

I threw it in the trash and moved the HD to another box.
OpenBSD seems happy now.

It just happened at a bad time, after typing a wrong command
completed by tab that I had never typed before. Sorry for the noise.

Michel

On 2012-08-15 00:30, Philip Guenther wrote:

On Tue, Aug 14, 2012 at 9:12 PM, Michel Blais  wrote:

Seems like I typed the wrong command by mistake, using tab to complete the
command. Don't know which command it was but I had a lot of output like this:

Faulted ikernel: double fault trap, code=0
   kernel: double fault trap, code=0
Faulted in DDB; continuing...
--db_more--kernel: type 269 trap, code=0

...

Wow.  Magic 8-ball says "ferociously broken hardware.  Throw it in a
ditch and try again"

...but the 8-ball is a pessimist.  I would reseat all the cards and
simms/dimms and see if it was happier afterwards.


Philip Guenther



--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773



Re: The ultimate OpenBSD email server

2012-08-15 Thread Ted Unangst
On Wed, Aug 15, 2012 at 14:09, Mikkel Bang wrote:

> - spamassassin: Too old, too huge and too hard to set up (but maybe those
> who advised against it had more against Perl than anything else)

Not that you have to use it, but spamassassin is still actively
maintained.  Maybe you shouldn't use OpenBSD, it's old too.

Too huge?  It pkg_adds in seconds.

And in my experience, about 10x easier to setup than dspam.



Re: Q: username policy in install and in adduser

2012-08-15 Thread Janne Johansson
2012/8/14 Eike Lantzsch :
> On Monday 13 August 2012 12:23:51 Theo de Raadt wrote:
>> It is good sense to push unix users into a mentality that usernames
>> should be lower case by default.
> You sure pushed me into it ;-)
> I see it now:
> simplicity ("Administrator" is just awful "root" is a lot better)

You must of course mean "Administratör", which is what that Bluescreen
OS calls the root user in .se. Yeah, those guys were really onto
something neat. Change the username based on the locale of the install
CD.
Fun and games for every admin with computers from different countries.

We should emulate that in the installer. If you select "sv" keyboard
mapping, you must be a swede and therefore the admin account should be
named "rot" instead.
Now, how do we rename chroot() to chrot() in swedish boxes? And stop
calling / 'root'. So much to do, so little time

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: The ultimate OpenBSD email server

2012-08-15 Thread Peter N. M. Hansteen
On Wed, Aug 15, 2012 at 02:09:47PM +0200, Mikkel Bang wrote:
> I'm trying to configure "the ultimate email server" for this webapp that
> needs to send and receive / forward emails to and from thousands of users.
> 
> Dropped:
> 
> - spamdb+greytrapping: Not necessary if I'm already running dspam

I beg to differ. spamd(8) in any configuration is a lot more lightweight than
content filtering. You most likely will need content filtering in addition
to greylisting+greytrapping, but stopping them earlier is a real plus.
See eg http://undeadly.org/cgi?action=article&sid=20120604050025 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



The ultimate OpenBSD email server

2012-08-15 Thread Mikkel Bang
I'm trying to configure "the ultimate email server" for this webapp that
needs to send and receive / forward emails to and from thousands of users.

But with so many people recommending so many different tools, it gets hard
to come to a conclusion. Looks like I'm finally arriving at this though:
postfix (postfix-anti-UCE.txt) + dspam - what do you guys think?

Dropped:

- postscreen: Looked into http://www.postfix.org/POSTSCREEN_README.html but
couldn't really find anything concrete to add to my setup
- postgrey: Advised against by the dudes in Freenode #postfix - I've tried
it before and it was really effective, but I don't think my users will like
that 5 minute delay
- opendkim+spf+dmarc: Advised against by the dudes in Freenode ##freebsd,
saying its role in anti-spam protection is minimal
- spamassassin: Too old, too huge and too hard to set up (but maybe those
who advised against it had more against Perl than anything else)
- spamdb+greytrapping: Not necessary if I'm already running dspam
- mailscanner: Not necessary if I'm already running dspam

Mikkel