Re: IPSEC VPN performance

2012-10-02 Thread David Coppa
On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison
russell.garri...@gmail.com wrote:
 Is iPerf running threaded? What about dd to null and a loopback listener?

Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled.

ciao,
David



High-Impact Management Skills

2012-10-02 Thread Lic. Kelvin Ruiz
High-Impact Management Skills
October 10 to 12, 2012

QUALITY TRAINING presents an extraordinary seminar to be held in the city
of PANAMA. Don't miss one of the most interesting events in today's
management world!

TAKE ADVANTAGE OF THE PRE-SALE. SEATS STRICTLY LIMITED!

"Trees die from the top," says the proverb... That is why we have designed
an event that will help you set absolute priorities, be an inspiring LEADER
and make hard decisions in times of change and intense pressure. With so
much at stake and you as the Manager in charge, all eyes are on you. In
times of pressure, your attitude and skills could make the difference
between the success and the failure of your company.

This seminar offers you a program that will recharge your LEADERSHIP skills
and abilities, from handling stress and staff demotivation to how to do more
with fewer resources, generate creative ideas for your biggest challenges
and gain the solid self-reliance to overcome every obstacle in your path.

  * How to respond to overwhelming pressure and seemingly insurmountable
problems with confidence and serenity.

  * Stop worrying about which course of action to take... Make business
decisions faster and more effectively.

  * Lead with the confidence, courage and conviction that inspires your
staff to give their best effort.

  * Identify and eliminate the barriers to productivity.

  * How to recognize the weak points in your staff and know with certainty
when to let people go.

  * Learn to negotiate to WIN!

To obtain the information brochure, reply to this e-mail with the following
details: Name, Telephone and Company

This e-mail has been sent to: misc@openbsd.org. If you do not wish to
receive occasional invitations, please reply with the subject cancelhab



Re: OpenBSD does not initiate ipsec connection

2012-10-02 Thread mxb
You probably get NO_PROPOSAL_CHOSEN error?
From the info you gave, it looks like the Cisco side tries to talk AES_CBC
but your local side talks 3DES_CBC in Phase 1.


//mxb

On 10/01/2012 09:21 PM, Erwin Schliske wrote:
 Hello,
 
 I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
 with a Cisco ASA 5505, which is not under my administration.
 
 Here is the ipsec.conf
 
 ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
  peer a.b.102.219 \
  local c.d.3.254 \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk password
 
 If I try to ping one host on cisco side from OpenBSD side the tunnel doesn't
 come up. If I look with tcpdump on the external interface or in the tcpdump
 logging of isakmpd OpenBSD doesn't try to establish the tunnel. If I ping from
 the Cisco side a host on OpenBSD side the tunnel comes up. In the logging of
 isakmpd I see these log lines
 
 20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
 exchange ID_PROT
 cookie: c5fe8a243e380ce2- msgid:  len: 188
 payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0
 xforms: 2
 payload: TRANSFORM len: 40
 transform: 1 ID: ISAKMP
 attribute GROUP_DESCRIPTION = MODP_1024
 attribute ENCRYPTION_ALGORITHM = AES_CBC
 attribute KEY_LENGTH = 256
 attribute HASH_ALGORITHM = SHA
 attribute AUTHENTICATION_METHOD = PRE_SHARED
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 7080
 payload: TRANSFORM len: 36
 transform: 2 ID: ISAKMP
 attribute GROUP_DESCRIPTION = MODP_1024
 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
 attribute HASH_ALGORITHM = SHA
 attribute AUTHENTICATION_METHOD = PRE_SHARED
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 7080
 payload: VENDOR len: 20 (supports v2 NAT-T,
 draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 20 (supports v3 NAT-T,
 draft-ietf-ipsec-nat-t-ike-03)
 payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
 20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
 exchange ID_PROT
 cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 184
 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
 xforms: 1
 payload: TRANSFORM len: 36
 transform: 2 ID: ISAKMP
 attribute GROUP_DESCRIPTION = MODP_1024
 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
 attribute HASH_ALGORITHM = SHA
 attribute AUTHENTICATION_METHOD = PRE_SHARED
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 7080
 payload: VENDOR len: 20 (supports OpenBSD-4.0)
 payload: VENDOR len: 20 (supports v2 NAT-T,
 draft-ietf-ipsec-nat-t-ike-02)
 payload: VENDOR len: 20 (supports v3 NAT-T,
 draft-ietf-ipsec-nat-t-ike-03)
 payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
 20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
 exchange ID_PROT
 cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 304
 payload: KEY_EXCH len: 132
 payload: NONCE len: 24
 payload: VENDOR len: 20 (supports Cisco Unity)
 payload: VENDOR len: 12 (supports
 draft-ietf-ipsra-isakmp-xauth-06.txt)
 payload: VENDOR len: 20
 payload: VENDOR len: 20
 payload: NAT-D-DRAFT len: 24
 payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
 20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
 exchange ID_PROT
 cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 232
 payload: KEY_EXCH len: 132
 payload: NONCE len: 24
 payload: NAT-D-DRAFT len: 24
 payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
 20:57:40.440675 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
 exchange ID_PROT
 cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 84
 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR =
 37.188.102.219
 payload: HASH len: 24
 payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
 20:57:40.440740 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
 

Re: IPSEC VPN performance

2012-10-02 Thread Christiano F. Haesbaert
On 2 October 2012 08:57, David Coppa dco...@gmail.com wrote:
 On Mon, Oct 1, 2012 at 5:55 PM, Russell Garrison
 russell.garri...@gmail.com wrote:
 Is iPerf running threaded? What about dd to null and a loopback listener?

 Beware: only -current (since Tue Sep 25) net/iperf port has threading enabled.

 ciao,
 David


Why not use tcpbench where you can actually specify the parameters
and know what is going on :).

Play with buffer sizes and you'll see a big difference, using -u will
give you the actual PPS.



Re: OpenBSD does not initiate ipsec connection

2012-10-02 Thread Otto Moerbeek
On Tue, Oct 02, 2012 at 09:52:28AM +0200, mxb wrote:

 You probably get NO_PROPOSAL_CHOSEN error?
 From the info you gave, it looks like the Cisco side tries to talk AES_CBC
 but your local side talks 3DES_CBC in Phase 1.

Nah, it seems the cisco offers two and OpenBSD picks the second for
phase 1.

I'd advise to run isakmpd in debug mode, and see what comes out.  In
my experience -D A=5 often shows what is going on, if not, go higher.
The logs are not easy to read though.

Group none could be a problem if the cisco insists on PFS.

-Otto

 
 
 //mxb
 
 On 10/01/2012 09:21 PM, Erwin Schliske wrote:
  Hello,
  
  I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
  with a Cisco ASA 5505, which is not under my administration.
  
  Here is the ipsec.conf
  
  ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } 
  to {
  172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
   peer a.b.102.219 \
   local c.d.3.254 \
   main auth hmac-sha1 enc 3des group modp1024 \
   quick auth hmac-sha1 enc 3des group none \
   psk password
  
  If I try to ping one host on cisco side from OpenBSD side the tunnel doesn't
  come up. If I look with tcpdump on the external interface or in the tcpdump
  logging of isakmpd OpenBSD doesn't try to establish the tunnel. If I ping from
  the Cisco side a host on OpenBSD side the tunnel comes up. In the logging of
  isakmpd I see these log lines
  
  20:57:40.389157 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
  exchange ID_PROT
  cookie: c5fe8a243e380ce2- msgid:  len: 188
  payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0
  xforms: 2
  payload: TRANSFORM len: 40
  transform: 1 ID: ISAKMP
  attribute GROUP_DESCRIPTION = MODP_1024
  attribute ENCRYPTION_ALGORITHM = AES_CBC
  attribute KEY_LENGTH = 256
  attribute HASH_ALGORITHM = SHA
  attribute AUTHENTICATION_METHOD = PRE_SHARED
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 7080
  payload: TRANSFORM len: 36
  transform: 2 ID: ISAKMP
  attribute GROUP_DESCRIPTION = MODP_1024
  attribute ENCRYPTION_ALGORITHM = 3DES_CBC
  attribute HASH_ALGORITHM = SHA
  attribute AUTHENTICATION_METHOD = PRE_SHARED
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 7080
  payload: VENDOR len: 20 (supports v2 NAT-T,
  draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T,
  draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 24 [ttl 0] (id 1, len 216)
  20:57:40.389644 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
  exchange ID_PROT
  cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 184
  payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
  xforms: 1
  payload: TRANSFORM len: 36
  transform: 2 ID: ISAKMP
  attribute GROUP_DESCRIPTION = MODP_1024
  attribute ENCRYPTION_ALGORITHM = 3DES_CBC
  attribute HASH_ALGORITHM = SHA
  attribute AUTHENTICATION_METHOD = PRE_SHARED
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 7080
  payload: VENDOR len: 20 (supports OpenBSD-4.0)
  payload: VENDOR len: 20 (supports v2 NAT-T,
  draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T,
  draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
  payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
  20:57:40.414762 a.b.102.219.500 > c.d.3.254.500: [udp sum ok] isakmp v1.0
  exchange ID_PROT
  cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 304
  payload: KEY_EXCH len: 132
  payload: NONCE len: 24
  payload: VENDOR len: 20 (supports Cisco Unity)
  payload: VENDOR len: 12 (supports
  draft-ietf-ipsra-isakmp-xauth-06.txt)
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: NAT-D-DRAFT len: 24
  payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
  20:57:40.416442 c.d.3.254.500 > a.b.102.219.500: [udp sum ok] isakmp v1.0
  exchange ID_PROT
  cookie: c5fe8a243e380ce2-ad0c72b886cfb802 msgid:  len: 232
  payload: KEY_EXCH len: 132
  payload: NONCE len: 24
  payload: NAT-D-DRAFT 
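
To check mxb's and Otto's readings against the dump itself, here is an added Python example, not code from the thread or from isakmpd: it parses the transform attributes out of the Cisco's ID_PROT message exactly as tcpdump printed them above and matches them against the main-mode line of the posted ipsec.conf. The keyword-to-attribute tables are an assumption of this example and cover only values that occur in the dump; the attribute names are the ones tcpdump printed.

```python
import re

# Constructed sample: the SA payload of the Cisco's first ID_PROT message, as
# tcpdump printed it in this thread (trimmed to the transform section).
PEER_SA_DUMP = """\
payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 84 proposal: 1 proto: ISAKMP spisz: 0
xforms: 2
payload: TRANSFORM len: 40
transform: 1 ID: ISAKMP
attribute GROUP_DESCRIPTION = MODP_1024
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
payload: TRANSFORM len: 36
transform: 2 ID: ISAKMP
attribute GROUP_DESCRIPTION = MODP_1024
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
"""

# ipsec.conf keywords -> ISAKMP attributes as tcpdump names them. Assumed
# mapping for this example; only values that occur in the dump are listed.
AUTH_ATTRS = {"hmac-sha1": {"HASH_ALGORITHM": "SHA"}}
ENC_ATTRS = {
    "3des": {"ENCRYPTION_ALGORITHM": "3DES_CBC"},
    "aes-128": {"ENCRYPTION_ALGORITHM": "AES_CBC", "KEY_LENGTH": "128"},
    "aes-256": {"ENCRYPTION_ALGORITHM": "AES_CBC", "KEY_LENGTH": "256"},
}
GROUP_ATTRS = {"modp1024": {"GROUP_DESCRIPTION": "MODP_1024"}}
METHOD_ATTRS = {"psk": {"AUTHENTICATION_METHOD": "PRE_SHARED"}}

TRANSFORM_RE = re.compile(r"^\s*transform:\s*(\d+)\s+ID:\s*ISAKMP")
ATTR_RE = re.compile(r"^\s*attribute\s+(\w+)\s*=\s*(\S+)")


def parse_transforms(dump):
    """Return [{'transform': n, 'attrs': {name: value}}], one entry per transform."""
    transforms = []
    for line in dump.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            transforms.append({"transform": int(m.group(1)), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and transforms:
            transforms[-1]["attrs"][m.group(1)] = m.group(2)
    return transforms


def main_mode_requirements(auth, enc, group, method="psk"):
    """Turn 'main auth A enc E group G' plus the psk line into the attributes a peer transform must carry."""
    required = {}
    for table, key in ((AUTH_ATTRS, auth), (ENC_ATTRS, enc),
                       (GROUP_ATTRS, group), (METHOD_ATTRS, method)):
        required.update(table[key])
    return required


def select_transform(transforms, required):
    """First peer transform carrying every required attribute; None is the case that yields NO_PROPOSAL_CHOSEN."""
    for t in transforms:
        if all(t["attrs"].get(k) == v for k, v in required.items()):
            return t["transform"]
    return None


if __name__ == "__main__":
    peer = parse_transforms(PEER_SA_DUMP)
    for auth, enc, group in (("hmac-sha1", "3des", "modp1024"),
                             ("hmac-sha1", "aes-256", "modp1024"),
                             ("hmac-sha1", "aes-128", "modp1024")):
        chosen = select_transform(peer, main_mode_requirements(auth, enc, group))
        print(f"main auth {auth} enc {enc} group {group}: "
              + (f"peer transform {chosen}" if chosen else "no proposal chosen"))
```

With the posted rule the first transform fails on ENCRYPTION_ALGORITHM and the second matches on all four attributes, which is the transform the OpenBSD reply in the dump echoes back. A configuration no peer transform satisfies (aes-128 here, since the peer only offers a 256-bit key) is what would come back as NO_PROPOSAL_CHOSEN.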

Re: OpenBSD does not initiate ipsec connection

2012-10-02 Thread Janne Johansson
2012/10/1 Erwin Schliske erwin.schli...@sevenval.com:
 Hello,

 I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
 with a Cisco ASA 5505, which is not under my administration.

 Here is the ipsec.conf

 ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
  peer a.b.102.219 \
  local c.d.3.254 \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk password

 If I try to ping one host on cisco side from OpenBSD side the tunnel doesn't
 come up. If I look with tcpdump on the external interface or in the tcpdump
 logging of isakmpd OpenBSD doesn't try to establish the tunnel. If I ping from
 the Cisco side a host on OpenBSD side the tunnel comes up. In the logging of
 isakmpd I see these log lines

from the X side, does that mean you try to ping from the openbsd,
OR, from one of the networks listed in the from-line?
One of the common mistakes is to test from the ipsec-gw itself and not
accounting for the fact that the ipsec.conf lines mostly are
to talk from net A to net B, host X will do ipsec to peer Y. In such
a case, testing from host X will not go through the tunnel, since the
rule is from net A.
Most of the time the host X has a leg on net A and can ping -I
my-ip-at-NetA dest-on-net-B but not always.

Then again, since active esp is the default for ipsec.conf when you
write ike esp ..., it should start trying to set the tunnel up as
soon as you load the rules, and not wait until packets want to
traverse it.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast
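
Janne's point about testing from the gateway itself can be checked mechanically. The following is an added Python example, not from the thread and not ipsec.conf(5) code: it pulls the from/to selector out of the posted rule, reports which half a given source/destination pair fails, and picks one of the gateway's own addresses that lies inside a from-net for use with ping -I. The gateway addresses 192.0.2.254 (standing in for the anonymised c.d.3.254) and 172.30.77.1, and the destination 172.16.70.10, are constructed for the example.

```python
import ipaddress
import re

# The flow part of the ike rule posted in this thread; peer/local are left out
# because the poster anonymised them and they play no part in selector matching.
RULE = ("ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } "
        "to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 }")

# Constructed addresses of the gateway itself: its external address and its leg on net A.
GATEWAY_ADDRS = ["192.0.2.254", "172.30.77.1"]

FLOW_RE = re.compile(r"\bfrom\s+(\{[^}]*\}|\S+)\s+to\s+(\{[^}]*\}|\S+)")


def _networks(spec):
    """'{ a/24, b/24 }' or 'a/24' -> list of ip_network objects."""
    spec = spec.strip().strip("{}")
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in spec.split(",") if n.strip()]


def parse_flow(rule):
    """Return (from_nets, to_nets) of an 'ike esp from ... to ...' rule."""
    m = FLOW_RE.search(rule)
    if not m:
        raise ValueError("rule has no from/to selector")
    return _networks(m.group(1)), _networks(m.group(2))


def selector_check(rule, src, dst):
    """(src lies in a from-net, dst lies in a to-net) for one packet."""
    from_nets, to_nets = parse_flow(rule)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in from_nets), any(d in n for n in to_nets))


def flow_covers(rule, src, dst):
    """True only when both halves match, i.e. the packet would be sent into the tunnel."""
    return all(selector_check(rule, src, dst))


def ping_source_for(rule, local_addrs):
    """One of the gateway's own addresses that lies in a from-net, for 'ping -I <addr> <dst>'; None if it has no leg there."""
    from_nets, _ = parse_flow(rule)
    for a in local_addrs:
        if any(ipaddress.ip_address(a) in n for n in from_nets):
            return a
    return None


if __name__ == "__main__":
    dst = "172.16.70.10"  # constructed host on the Cisco side
    for src in GATEWAY_ADDRS:
        src_ok, dst_ok = selector_check(RULE, src, dst)
        print(f"{src} -> {dst}: from-net={src_ok} to-net={dst_ok} "
              f"covered={flow_covers(RULE, src, dst)}")
    print("test with: ping -I", ping_source_for(RULE, GATEWAY_ADDRS), dst)
```

A ping sent from the gateway without -I leaves with the external address as source, which is in none of the from-nets, so the flow does not apply and nothing goes into the tunnel; the same ping sourced from the net A address matches both halves.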



Re: IPSEC VPN performance

2012-10-02 Thread Ryan McBride
On Tue, Oct 02, 2012 at 09:59:05AM +0200, Christiano F. Haesbaert wrote:
 Why not using tcpbench where you can actually specify the parameters
 and know what is going on :).
 
 Play with buffer sizes and you'll see a big difference, using -u will
 give you the actual PPS.

I agree with this.

Also, if you want to compare with other people's you should use the same
tools and specific settings such as buffer sizes.  Otherwise, no point
in comparing and just decide on your own if 600Mbps with netcat is good
enough for you.

As I mentioned in http://marc.info/?l=openbsd-misc&m=134033767126930,
I tested with tcpbench -B 262144 -S 262144 -n 10



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread Henning Brauer
* Илья Шипицин chipits...@gmail.com [2012-08-23 08:44]:
 2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com
  On Thu, Aug 23, 2012 at 12:17:04AM +0600, Илья Шипицин wrote:
   why syn proxy is not enabled by default ?
  Because it has bad side-effects. Like accepting a connection before the
  actual server accepted it. So it is hard to signal closed ports back.
 any other side-effect ?

claudio stated this way too nice.

let me be super clear here: if you are running synproxy permanently,
you are an idiot.

why is synproxy there? if you are under a synflood-style attack and
need to protect a backend server, it can save your a**.
running synproxy to protect an OpenBSD machine, more so the local
host, is retarded and counterproductive.

think through how synproxy works. it accepts a connection on behalf of
the destination server. once the 3whs is complete, it tries to open a
connection to the backend. now if the backend doesn't take that
connection, the pf synproxy box can only drop the already established
connection. the semantics of establishing and dropping a connection vs
not taking it from the beginning DO have different semantics. for
example, if you use round-robin dns, the client will NOT move on to
the next IP address if the connection had been accepted and dropped
later. moreover, you are drawing deliberate decisions by the actual
daemon, like the listen backlog, close to pointless. it gets worse
when some form of loadbalancing is in the picture.

synproxy is there because it can save your a** WHEN YOU ARE UNDER
ATTACK. it is not suitable for all-time all-case use, and can't be.

it once again comes down to think before pushing random buttons.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
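
Henning's description of what synproxy changes from the client's point of view, as an added Python model. This is not pf code: it ignores retransmit timers and sequence numbers and only records which segments each side sees and whether the client ever moves on to the next round-robin DNS answer. The addresses and the backend pool are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    """A TCP listener as the network sees it: closed port, or open with a finite listen backlog."""
    listening: bool
    backlog_free: int = 1

    def take_syn(self):
        """What a SYN arriving here gets: 'rst' (closed), 'drop' (backlog full) or 'accept'."""
        if not self.listening:
            return "rst"
        if self.backlog_free == 0:
            return "drop"
        self.backlog_free -= 1
        return "accept"


def attempt_direct(backend):
    """No synproxy: the client's SYN reaches the backend and the backend's answer is the client's answer."""
    r = backend.take_syn()
    if r == "rst":
        return ["SYN", "RST"], "refused"
    if r == "drop":
        return ["SYN", "(no reply: backlog full)"], "timeout"
    return ["SYN", "SYN/ACK", "ACK"], "established"


def attempt_synproxy(backend):
    """synproxy: pf completes the client's handshake itself and only then opens the backend connection."""
    events = ["SYN", "SYN/ACK", "ACK"]  # always completes from the client's point of view
    r = backend.take_syn()
    if r == "accept":
        return events + ["proxy->backend SYN", "SYN/ACK", "ACK"], "established"
    # backend refused or has no backlog left: all pf can do is tear down the established connection
    return events + ["proxy->backend SYN", f"backend {r}", "RST to client"], "established-then-dropped"


def client_connect(addresses, backends, use_synproxy):
    """A client walking round-robin DNS answers: it moves to the next address only when an
    attempt never became established; a connection that was established and died is not retried."""
    attempt = attempt_synproxy if use_synproxy else attempt_direct
    trace = []
    for addr in addresses:
        _events, outcome = attempt(backends[addr])
        trace.append((addr, outcome))
        if outcome in ("refused", "timeout"):
            continue
        return outcome, trace
    return "all-failed", trace


def sample_backends():
    """Constructed pool: the first A record points at a closed port, the second at a healthy server."""
    return {"192.0.2.10": Backend(listening=False),
            "192.0.2.11": Backend(listening=True, backlog_free=1)}


if __name__ == "__main__":
    answers = ["192.0.2.10", "192.0.2.11"]
    for mode in (False, True):
        outcome, trace = client_connect(answers, sample_backends(), use_synproxy=mode)
        print("synproxy" if mode else "direct  ", outcome, trace)
```

Without synproxy the closed port answers RST and the client tries the second address; with synproxy the client's handshake succeeds against the closed port, the connection is torn down afterwards, and the client never reaches the working server. The backlog case behaves the same way, which is Henning's point about the daemon's listen backlog no longer meaning anything.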



Re: IPSEC VPN performance

2012-10-02 Thread Reyk Floeter
On Tue, Oct 2, 2012 at 9:59 AM, Christiano F. Haesbaert
haesba...@haesbaert.org wrote:
 Why not using tcpbench where you can actually specify the parameters
 and know what is going on :).

 Play with buffer sizes and you'll see a big difference, using -u will
 give you the actual PPS.


I agree, I stopped using Iperf after tcpbench was in our tree and
ready (I think it was at n2k8). Nice tool.

While Iperf and tcpbench are good for testing the single- or even
multi-TCP stream performance of the local test systems A and B, I
wouldn't really count on them to test the real routing performance of
a Device-Under-Test C in the middle. It is really hard to get
meaningful max. PPS numbers, especially when you want to max out
Gigabit or start playing with 10G. There will always be the
limitations of the software and network stack of the test systems that
will have difficulties to generate enough PPS to threaten a modern
OpenBSD router (OK, IPsec is a different story...). A normal OpenBSD
router does not involve any networking in userland which makes it MUCH
faster than anything you can test with these tools. Of course, you can
use many hosts on the A side or some fancy kernel-based packet
generators, but this still doesn't give you any numbers because you
will have to receive the packets and analyze the results somewhere on
the B side... (and you simply cannot rely on systat if running on
the OpenBSD router for that - another very basic but non-satisfying
workaround would be to look at the performance counters of a managed
switch in the middle).

Most network and security vendors and larger data centers use these
insanely expensive appliances for network performance testing that use
FPGAs and customs chips to handle the load and give you accurate
numbers. Many other vendors just depend on software testing, lie,
round up or just make up numbers. These appliances can even test IPsec
performance with thousands of simulated tunnels and/or millions of PPS
and max. Mbps. We used to have an Ixia in my former company and it
really helped to find and eliminate some bottlenecks in OpenBSD. We
also tested IPsec performance on amd64, but this was before AES-NI and
iked and I don't remember the numbers. Pure routing performance could
go up to around 9Gbps on fast servers, but only with larger packets
(1k-1.5k, not counting jumbos) because the max. PPS in OpenBSD was
magically limited at this point (again, this is almost two years ago
and many improvements happened afterwards). I would be very interested
in getting updated numbers but I don't have access to such an
appliance anymore.

In summary, it is fine to run Iperf/tcpbench for getting an idea about
your router performance up to a few hundred Mbps, but these numbers
are not perfect and can go totally wrong when you reach Gigabit or
10G.

Reyk



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread David Diggles
but is this clear for newbies who read all the faqs?

On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
 * Илья Шипицин chipits...@gmail.com [2012-08-23 08:44]:
  2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com
   On Thu, Aug 23, 2012 at 12:17:04AM +0600, Илья Шипицин wrote:
why syn proxy is not enabled by default ?
   Because it has bad side-effects. Like accepting a connection before the
   actual server accepted it. So it is hard to signal closed ports back.
  any other side-effect ?
 
 claudio stated this way too nice.
 
 let me be super clear here: if you are running synproxy permanently,
 you are an idiot.
 
 why is synproxy there? if you are under a synflood-style attack and
 need to protect a backend server, it can save your a**.
 running synproxy to protect an OpenBSD machine, more so the local
 host, is retarded and counterproductive.
 
 think through how synproxy works. it accepts a connection on behalf of
 the destination server. once the 3whs is complete, it tries to open a
 connection to the backend. now if the backend doesn't take that
 connection, the pf synproxy box can only drop the already established
 connection. the semantics of establishing and dropping a connection vs
 not taking it from the beginning DO have different semantics. for
 example, if you use round-robin dns, the client will NOT move on to
 the next IP address if the connection had been accepted and dropped
 later. moreover, you are drawing deliberate decisions by the actual
 daemon, like the listen backlog, close to pointless. it gets worse
 when some form of loadbalancing is in the picture.
 
 synproxy is there because it can save your a** WHEN YOU ARE UNDER
 ATTACK. it is not suitable for all-time all-case use, and can't be.
 
 it once again comes down to think before pushing random buttons.
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Succeed in your public tenders

2012-10-02 Thread LCF
To view the training programmes and register, click on the following links:
Procurement/Execution Programme, Dematerialisation Programme, Registration
form on the last page of the documents. View the online version. To be removed
from our service's mailing list: cancel your subscription on this page



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread Otto Moerbeek
On Tue, Oct 02, 2012 at 09:50:36PM +1000, David Diggles wrote:

 but is this clear for newbies who read all the faqs?

Well, it's not default. And almost often that is a sign the option is
not desirable for a typical setup.

-0tto

 
 On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
  * Илья Шипицин chipits...@gmail.com [2012-08-23 08:44]:
   2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com
On Thu, Aug 23, 2012 at 12:17:04AM +0600, Илья Шипицин wrote:
 why syn proxy is not enabled by default ?
Because it has bad side-effects. Like accepting a connection before the
actual server accepted it. So it is hard to signal closed ports back.
   any other side-effect ?
  
  claudio stated this way too nice.
  
  let me be super clear here: if you are running synproxy permanently,
  you are an idiot.
  
  why is synproxy there? if you are under a synflood-style attack and
  need to protect a backend server, it can save your a**.
  running synproxy to protect an OpenBSD machine, more so the local
  host, is retarded and counterproductive.
  
  think through how synproxy works. it accepts a connection on behalf of
  the destination server. once the 3whs is complete, it tries to open a
  connection to the backend. now if the backend doesn't take that
  connection, the pf synproxy box can only drop the already established
  connection. the semantics of establishing and dropping a connection vs
  not taking it from the beginning DO have different semantics. for
  example, if you use round-robin dns, the client will NOT move on to
  the next IP address if the connection had been accepted and dropped
  later. moreover, you are drawing deliberate decisions by the actual
  daemon, like the listen backlog, close to pointless. it gets worse
  when some form of loadbalancing is in the picture.
  
  synproxy is there because it can save your a** WHEN YOU ARE UNDER
  ATTACK. it is not suitable for all-time all-case use, and can't be.
  
  it once again comes down to think before pushing random buttons.
  
  -- 
  Henning Brauer, h...@bsws.de, henn...@openbsd.org
  BS Web Services, http://bsws.de, Full-Service ISP
  Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
  Managed
  Henning Brauer Consulting, http://henningbrauer.com/



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread Henning Brauer
* David Diggles da...@elven.com.au [2012-10-02 13:51]:
 but is this clear for newbies who read all the faqs?

 On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
  it once again comes down to think before pushing random buttons.

this basic principle SHOULD not need documentation :)

quite seriously, this goes deep into the workings of tcp. OpenBSD
documentation cannot and does not document the details of the
implemented protocols. There are entire books about tcp. Read them to
understand tcp, and read the OpenBSD documentation for the OpenBSD
specific bits.

There isn't much we can do to prevent people from pushing buttons they
don't understand but not providing them - which is what we do where
possible. But by not providing synproxy we'd steal an important tool
for fighting attacks from those who understand what they're doing.

We're not saving you from stabbing your eye with the spoon left in
your coffee mug either. We can't.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: OpenBSD does not initiate ipsec connection

2012-10-02 Thread Christoph Leser
Do a ping -I as Janne advised and take a on the enc0 device and on your
external interface (both with the ip host a.b.102.219 parameter).

You should see the icmp packet on enc0 and some esp packet at the same time on
the external interface.

If one or both are missing, you may have a problem with your pf.conf. If you
see both, I would believe your tunnel is ok and the remote side is filtering
your icmp or does not route your packet properly into the (remote) internal net.



Christoph Leser

SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof

EMail: le...@sup-logistik.de

From: owner-m...@openbsd.org [owner-m...@openbsd.org] on behalf of Janne Johansson [icepic...@gmail.com]
Sent: Tuesday, 2 October 2012 11:01
To: Erwin Schliske
Cc: misc@openbsd.org
Subject: Re: OpenBSD does not initiate ipsec connection

2012/10/1 Erwin Schliske erwin.schli...@sevenval.com:
 Hello,

 I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
 with a Cisco ASA 5505, which is not under my administration.

 Here is the ipsec.conf

 ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
  peer a.b.102.219 \
  local c.d.3.254 \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk password

 If I try to ping one host on cisco side from OpenBSD side the tunnel doesn't
 come up. If I look with tcpdump on the external interface or in the tcpdump
 logging of isakmpd OpenBSD doesn't try to establish the tunnel. If I ping from
 the Cisco side a host on OpenBSD side the tunnel comes up. In the logging of
 isakmpd I see these log lines

from the X side, does that mean you try to ping from the openbsd,
OR, from one of the networks listed in the from-line?
One of the common mistakes is to test from the ipsec-gw itself and not
accounting for the fact that the ipsec.conf lines mostly are
to talk from net A to net B, host X will do ipsec to peer Y. In such
a case, testing from host X will not go through the tunnel, since the
rule is from net A.
Most of the time the host X has a leg on net A and can ping -I
my-ip-at-NetA dest-on-net-B but not always.

Then again, since active esp is the default for ipsec.conf when you
write ike esp ..., it should start trying to set the tunnel up as
soon as you load the rules, and not wait until packets want to
traverse it.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re[2]: Suspend stuff on TOSHIBA laptop.

2012-10-02 Thread Mo Libden
Tue, 04 Sep 2012 03:36:50 -0400 from Ted Unangst t...@tedunangst.com:
 On Tue, Sep 04, 2012 at 16:23, David Walker wrote:
  I've set the options in wsconsctl.conf to blank the screen which also
  works but this thing has I think what's called a backlight which
  means the screen constantly glows. I'm planning to go set this thing
  up, let the screen blank and close the lid.
  I'd like to remove the backlight and the eerie glow.
  I'm unfamiliar with laptops but I've tried zzz and apm -S both kill
  the backlight which is great but network functions cease, yes I did
  not know that.
  I also can't seem to bring it back up form either state short of a
  power cycle but that's moot.
  
  Is there a way to turn off the backlight?
  Is there anything else I can do to sedate this machine?
 
 I've never seen a laptop that kept the light on when the lid was
 closed.  Is it really still on?

Well I had this for YEARS on my Compaq NC6000.
The only cure I found is to disable acpivideo.
If acpivideo was loaded during boot time, the screen is lit even when the lid 
is closed.
I can even press the switch (it is mechanical), and the screen backlight is not 
turned off if acpivideo was enabled.



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread David Diggles
I think when a lot of newbies read the pf manual, they think oh...
synproxy looks like it does good things, and without really
understanding it, enable it by default?

On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:
 * David Diggles da...@elven.com.au [2012-10-02 13:51]:
  but is this clear for newbies who read all the faqs?
 
  On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
   it once again comes down to think before pushing random buttons.
 
 this basic principle SHOULD not need documentation :)
 
 quite seriously, this goes deep into the workings of tcp. OpenBSD
 documentation cannot and does not document the details of the
 implemented protocols. There are entire books about tcp. Read them to
 understand tcp, and read the OpenBSD documentation for the OpenBSD
 specific bits.
 
 There isn't much we can do to prevent people from pushing buttons they
 don't understand but not providing them - which is what we do where
 possible. But by not providing synproxy we'd steal an important tool
 for fighting attacks from those who understand what they're doing.
 
 We're not saving you from stabbing your eye with the spoon left in
 your coffee mug either. We can't.
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: OpenBSD does not initiate ipsec connection

2012-10-02 Thread Christoph Leser
Please forget about my last response. I didn't read the original message
properly.

The original post states clearly that the VPN tunnel works when it
is initiated from the remote side, but does not get initiated from the obsd
side when needed (by a ping packet, for instance).

This somehow suggests that obsd initiates tunnels on demand (when a packet
for a remote network arrives). I do not believe that this is how obsd works,
but perhaps those who know can tell us for sure.

As for why obsd does not try to initiate the tunnel actively, as suggested
by the isakmpd.pcap: what does the debug output in messages show for this?

Best Regards / Mit freundlichen Grüßen
Christoph Leser

SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart
Fasanenhof

EMail: le...@sup-logistik.de

Von: Christoph Leser
Gesendet:
Dienstag, 2. Oktober 2012 14:50
An: Janne Johansson; Erwin Schliske
Cc:
misc@openbsd.org
Betreff: AW: OpenBSD does not initiate ipsec connection

Do a
ping -I as Janne advised and take a on the enc0 device and on your external
interface ( both with ip host a.b.102.219 parameter ).

You should see the
icmp packet on enc0 and some esp paket at the same time on the external
interface.

If one or both are missing, you may have a problem with your
pf.conf. If you see both, I would believe your tunnel is ok and the remote
side is filtering your icmp or does not route your packet properly into the
(remote) internal net.



Christoph Leser

SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof

EMail: le...@sup-logistik.de

Von: owner-m...@openbsd.org
[owner-m...@openbsd.org]quot; im Auftrag von quot;Janne Johansson
[icepic...@gmail.com]
Gesendet: Dienstag, 2. Oktober 2012 11:01
An: Erwin
Schliske
Cc: misc@openbsd.org
Betreff: Re: OpenBSD does not initiate ipsec
connection

2012/10/1 Erwin Schliske erwin.schli...@sevenval.com:
 Hello,

 I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
 with a Cisco ASA 5505, which is not under my administration.

 Here is the ipsec.conf

 ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
     to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
     peer a.b.102.219 \
     local c.d.3.254 \
     main auth hmac-sha1 enc 3des group modp1024 \
     quick auth hmac-sha1 enc 3des group none \
     psk password

 If I try to ping one host on the Cisco side from the OpenBSD side the tunnel
 doesn't come up. If I look with tcpdump on the external interface or in the
 tcpdump logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I
 ping from the Cisco side a host on the OpenBSD side the tunnel comes up. In
 the logging of isakmpd I see these log lines

"from the X side": does that mean you try to ping from the OpenBSD box, OR
from one of the networks listed in the from-line?

One of the common mistakes is to test from the ipsec-gw itself and not
account for the fact that the ipsec.conf lines mostly are to talk from net A
to net B, where host X will do ipsec to peer Y. In such a case, testing from
host X will not go through the tunnel, since the rule is from net A. Most of
the time host X has a leg on net A and can ping -I my-ip-at-NetA
dest-on-net-B, but not always.

Then again, since active esp is the default for ipsec.conf when you write
ike esp ..., it should start trying to set the tunnel up as soon as you load
the rules, and not wait until packets want to traverse it.

--
 To our sweethearts and wives.  May they never meet. -- 19th
century toast
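The point Janne makes above (a flow written "from net A to net B" does not cover packets the gateway sources from its own external address, so "ping -I <address-on-net-A>" is needed) and Christoph's suggestion to test with ping -I can be checked with a small model of flow matching. This is an added example, not code from this thread or from OpenBSD: it keeps only the source/destination part of a flow lookup (the real SPD also considers protocol, ports and direction), takes the networks from the ipsec.conf posted above, and substitutes constructed RFC 5737 documentation addresses for the anonymised a.b.102.219 and c.d.3.254. The helper with_gateway_flow() shows the alternative of adding a "from <gateway>/32" flow so the gateway itself can reach the remote networks.

```python
# Added example (not from the thread): model how ipsec.conf flows are
# matched against a packet's source and destination, to show why a ping
# sent from the gateway's external address does not enter a tunnel whose
# flows are "from net A to net B", while "ping -I <address-on-net-A>" does.
# Only src/dst are modelled; a real SPD lookup also checks proto/ports/direction.
from ipaddress import ip_address, ip_network

# Networks come from the ipsec.conf posted in this thread.  The anonymised
# a.b.102.219 / c.d.3.254 are replaced by constructed documentation
# addresses (RFC 5737) so the example runs stand-alone.
PEER = "192.0.2.219"        # stands in for a.b.102.219 (assumption)
LOCAL = "198.51.100.254"    # stands in for c.d.3.254  (assumption)
FROM_NETS = ["172.30.77.0/24", "10.70.0.0/24", "10.83.0.0/24", "10.77.4.0/24"]
TO_NETS = ["172.16.70.0/24", "172.16.71.0/24", "172.16.72.0/24"]


def expand_flows(from_nets, to_nets):
    """'from { a, b } to { c, d }' yields one flow per (src, dst) pair."""
    return [(ip_network(s), ip_network(d)) for s in from_nets for d in to_nets]


FLOWS = expand_flows(FROM_NETS, TO_NETS)


def matching_flow(src, dst, flows=FLOWS):
    """Return the (src_net, dst_net) flow covering a packet, or None.

    If several flows cover the packet, the most specific one (largest
    combined prefix length) wins, as a longest-prefix lookup would choose.
    """
    src, dst = ip_address(src), ip_address(dst)
    best = None
    for s, d in flows:
        if src in s and dst in d:
            if best is None or s.prefixlen + d.prefixlen > best[0].prefixlen + best[1].prefixlen:
                best = (s, d)
    return best


def source_for_ping(dst, candidate_sources, flows=FLOWS):
    """Pick the first local address whose packets to dst would be tunnelled.

    This is the manual choice behind 'ping -I <addr> <dst>': the gateway
    usually has a leg on net A, and only packets sourced from that leg
    match a 'from net A' flow.
    """
    for cand in candidate_sources:
        if matching_flow(cand, dst, flows) is not None:
            return cand
    return None


def with_gateway_flow(flows=FLOWS, local=LOCAL, to_nets=TO_NETS):
    """Flows plus an extra 'from <gateway>/32 to net B' flow.

    Adding such a line to ipsec.conf is the alternative when the gateway
    itself must reach the remote networks without 'ping -I'.
    """
    return flows + expand_flows([f"{local}/32"], to_nets)


if __name__ == "__main__":
    remote_host = "172.16.70.10"
    print("from gateway ext addr:", matching_flow(LOCAL, remote_host))
    print("from inner leg (ping -I):", matching_flow("172.30.77.1", remote_host))
    print("address to pass to ping -I:", source_for_ping(remote_host, [LOCAL, "172.30.77.1"]))
    print("with /32 gateway flow:", matching_flow(LOCAL, remote_host, with_gateway_flow()))
```

Run it as-is to see that the gateway's own address matches no flow while an address on 172.30.77.0/24 does; the same check applied to a packet that is seen on enc0 but never as ESP on the external interface points at pf or the flow set rather than at the remote side.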



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread Tyler Morgan

I would vote no based on:

http://www.openbsd.org/faq/pf/example1.html

For an added bit of safety, we'll make use of the TCP SYN Proxy to 
further protect the web server.


which links to: http://www.openbsd.org/faq/pf/filter.html#synproxy

which gets far from saying what Henning said.

On 10/2/2012 6:30 AM, David Diggles wrote:

I think when a lot of newbies read the pf manual, they think oh...
synproxy looks like it does good things, and without really
understanding it, enable it by default?

On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:

* David Diggles da...@elven.com.au [2012-10-02 13:51]:

but is this clear for newbies who read all the faqs?
On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:

it once again comes down to think before pushing random buttons.

this basic principle SHOULD not need documentation :)

quite seriously, this goes deep into the workings of tcp. OpenBSD
documentation cannot and does not document the details of the
implemented protocols. There are entire books about tcp. Read them to
understand tcp, and read the OpenBSD documentation for the OpenBSD
specific bits.

There isn't much we can do to prevent people from pushing buttons they
don't understand but not providing them - which is what we do where
possible. But by not providing synproxy we'd steal an important tool
for fighting attacks from those who understand what they're doing.

We're not saving you from stabbing your eye with the spoon left in
your coffee mug either. We can't.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



--
Tyler Morgan
Systems Administrator
Trade Tech Inc.

tyl...@tradetech.net
office: 425-837-9000 (ext. 1022)
cell/sms: 206-310-8340
fax: 425-837-9008



Re: CARP and transit network to ISP

2012-10-02 Thread Jason Healy
On Oct 1, 2012, at 7:42 PM, Henning Brauer lists-open...@bsws.de wrote:

 that is some time ago?

Yes, it was.  We were probably still running 4.3 (or so) when we made the
change to having the ISP hand everything off to a single address.

Jason

--
Jason Healy|jhe...@logn.net|   http://www.logn.net/



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread Ted Unangst
On Tue, Oct 02, 2012 at 09:30, Tyler Morgan wrote:
 I would vote no based on:
 
 http://www.openbsd.org/faq/pf/example1.html
 
 For an added bit of safety, we'll make use of the TCP SYN Proxy to
 further protect the web server.
 
 which links to: http://www.openbsd.org/faq/pf/filter.html#synproxy
 
 which gets far from saying what Henning said.

Congratulations, you just found a way to make the documentation
better. :)



fopen.3

2012-10-02 Thread Artturi Alm
Hi,

Diff below would make the fopen.3 description more consistent, I think.
While it's more repetitive, it does get rid of 'create text file'.


-Artturi


Index: fopen.3
===
RCS file: /cvs/src/lib/libc/stdio/fopen.3,v
retrieving revision 1.25
diff -u -p -r1.25 fopen.3
--- fopen.3 22 Jan 2012 13:02:45 -  1.25
+++ fopen.3 3 Oct 2012 01:01:21 -
@@ -64,7 +64,8 @@ Open file for reading.
 .It Dq Li r+
 Open for reading and writing.
 .It Dq Li w
-Truncate file to zero length or create text file for writing.
+Open for writing.
+The file is created if it does not exist, otherwise it is truncated.
 .It Dq Li w+
 Open for reading and writing.
 The file is created if it does not exist, otherwise it is truncated.
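Review bot: the new two-sentence "w" entry now repeats the "w+" entry word for word except for "reading and", which is the repetitiveness the cover message acknowledges; if that bothers anyone, an alternative with the same consistency is to keep the create-or-truncate sentence under "w" only and make "w+" read 'Same as "w", but also open for reading.' Either way the hunk is fine as posted: the header's -7/+8 count matches the one removed and two added lines, and dropping "text file" removes an implied distinction between text and other files that the mode string does not make.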



misc@openbsd.org , Sua Oportunidade

2012-10-02 Thread contato
Dear misc@openbsd.org, you have been invited to take part in the Cielo
benefits programme.

Rodrigo Faro - (Advertising campaign)



Re: Suspend stuff on TOSHIBA laptop.

2012-10-02 Thread Aaron Mason
On Tue, Oct 2, 2012 at 10:55 PM, Mo Libden m0lib...@mail.ru wrote:
 Tue, 04 Sep 2012 03:36:50 -0400 from Ted Unangst t...@tedunangst.com:
 On Tue, Sep 04, 2012 at 16:23, David Walker wrote:
  I've set the options in wsconsctl.conf to blank the screen which also
  works but this thing has I think what's called a backlight which
  means the screen constantly glows. I'm planning to go set this thing
  up, let the screen blank and close the lid.
  I'd like to remove the backlight and the eerie glow.
  I'm unfamiliar with laptops but I've tried zzz and apm -S both kill
  the backlight which is great but network functions cease, yes I did
  not know that.
  I also can't seem to bring it back up form either state short of a
  power cycle but that's moot.
 
  Is there a way to turn off the backlight?
  Is there anything else I can do to sedate this machine?

 I've never seen a laptop that kept the light on when the lid was
 closed.  Is it really still on?

 Well I had this for YEARS on my Compaq NC6000.
 The only cure I found is to disable acpivideo.
 If acpivideo was loaded during boot time, the screen is lit even when the
lid is closed.
 I can even press the switch (it is mechanical), and the screen backlight is
not turned off if acpivideo was enabled.


Plan B would be to remove the screen altogether - if it needs
attention that you can't provide over the Internets, bring a monitor
or (if the Toshiba has a COM port) a laptop with a COM port and a null
modem cable.  Shoots the problem in the foot and cuts power
consumption too.

I've noticed Compaq NX6120s don't cut over to VGA automagically and
require you to do the Fn key magic to change to VGA, so keep that in
mind.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: AMD64 on a W500 Thinkpad seems sluggish

2012-10-02 Thread Ted Unangst
On Mon, Oct 01, 2012 at 15:13, STeve Andre' wrote:

 I have one rather annoying problem however, which is that I'm running
 about 25+% slower than in i386 mode.  A kernel compile used to take
 about 3:20 under i386 mode, and now takes about about 4:10 or so.
 There are also random freezes of a second to perhaps 20 seconds;
 they never kill the machine, just freeze it.

Not always easy to tell because compiling does a lot of things.  You
can try running some basic benchmarks like md5 -t or untarring the
ports tree to isolate CPU or filesystem.  But it's entirely possible
that gcc itself is just slower on amd64.  Compilers probably benefit
the least from 64 bits.



Re: Suspend stuff on TOSHIBA laptop.

2012-10-02 Thread Aaron Mason
On Wed, Oct 3, 2012 at 12:42 PM, Aaron Mason simplersolut...@gmail.com
wrote:
 On Tue, Oct 2, 2012 at 10:55 PM, Mo Libden m0lib...@mail.ru wrote:
 Tue, 04 Sep 2012 03:36:50 -0400 from Ted Unangst t...@tedunangst.com:
 On Tue, Sep 04, 2012 at 16:23, David Walker wrote:
  I've set the options in wsconsctl.conf to blank the screen which also
  works but this thing has I think what's called a backlight which
  means the screen constantly glows. I'm planning to go set this thing
  up, let the screen blank and close the lid.
  I'd like to remove the backlight and the eerie glow.
  I'm unfamiliar with laptops but I've tried zzz and apm -S both kill
  the backlight which is great but network functions cease, yes I did
  not know that.
  I also can't seem to bring it back up form either state short of a
  power cycle but that's moot.
 
  Is there a way to turn off the backlight?
  Is there anything else I can do to sedate this machine?

 I've never seen a laptop that kept the light on when the lid was
 closed.  Is it really still on?

 Well I had this for YEARS on my Compaq NC6000.
 The only cure I found is to disable acpivideo.
 If acpivideo was loaded during boot time, the screen is lit even when the
lid is closed.
 I can even press the switch (it is mechanical), and the screen backlight is
not turned off if acpivideo was enabled.


 Plan B would be to remove the screen altogether - if it needs
 attention that you can't provide over the Internets, bring a monitor
 or (if the Toshiba has a COM port) a laptop with a COM port and a null
 modem cable.  Shoots the problem in the foot and cuts power
 consumption too.

 I've noticed Compaq NX6120s don't cut over to VGA automagically and
 require you to do the Fn key magic to change to VGA, so keep that in
 mind.


Addendum: if you need a serial port, this one
( http://www.blackbox.com/Store/Detail.aspx/USB-Solo-USB-to-Serial-DB9-with-Cable-44-in-111-76-cm/IC199A%C4%82R3 )
is good and it works in OpenBSD, showing up as uftdi(4).

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse