Re: IPSEC from behind NAT stage 2 failure
On 02/01/2017 10:21 PM, Yury Shefer wrote:
> Your behind-NAT IPsec client should use external IP (78.111.187.234) as
> IKE identifier (IDi/initiator id) to be able to establish the SA. IMHO,
> the better option for your remote clients would be a use of different
> ID type like ID_RFC822_ADDR.

Thanks for your answer. Could you explain better how I can do this, because I don't see any settings in the native Windows VPN client to specify the current external IP. Moreover, what to do if this is a road warrior case and the external IP changes each time for every client?
Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)
On 2017-02-02 10:27, Tinker wrote:
> ..
> My motivation here for wanting the boot code on the USB stick, is that I
> trust the USB stick more than my harddrive.

Motivation: What I meant to say here is that I like the notion of the harddrive as insecure by definition, so that I will only trust its content through the "firewall" of the softraid crypto mechanism. This is why I'm OK with storing softraid crypto data on the HDD but not the boot code.

The only thing, supposedly, that the HDD could do would be to give me fake partition tables or partition data, and goofy partition data could only meaningfully amount to a replay attack, so those would be harmless in both cases.

So this would (supposedly) cut out the harddrive from the chain of attack vectors, and that can be an important step in the direction of security. Of course there is a plethora of security problems in addition to this one in any computer.
How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)
Hi!

I would like to have my system set up as follows:

 * My USB memory card contains the boot code (MBR etc.) and the softraid
   crypto keydisk partition. And maybe the kernel.
 * My HDD contains the root filesystem in a crypto softraid. (And no boot
   code!)

How do I make this so? The architecture is AMD64 now but could be ARM later.

My motivation here for wanting the boot code on the USB stick is that I trust the USB stick more than my harddrive. The probability that someone would alter the harddrive's boot code is way higher than the probability that someone would alter the USB stick's boot code.

In my OpenBSD environment,

 * sd0 is my HDD (sd0a is the crypto softraid represented as sd1, and
   sd0b is my swap partition),
 * sd1 is the crypto softraid (which is contained in sd0a, and it
   contains partitions sd1a, sd1d, etc. with my root partition, home
   partition etc.), and
 * sd2 is my USB flash drive (sd2a is my crypto softraid keydisk
   partition).

When I do "installboot sd2", I get the error "installboot: cross-device install". This seems to come from line 723 in
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/installboot/i386_installboot.c?annotate=1.29 :

721:    if (sysctl(mib, 3, , , NULL, 0) >= 0) {
722:            if (fsb.st_dev / MAXPARTITIONS != dev / MAXPARTITIONS)
723:                    errx(1, "cross-device install");
724:    }

So.. installboot has been intentionally conditioned to not allow me to make my USB stick bootable. But I don't understand the context here, like, what's actually possible, why does it fail here, and what would be "supported" ways around it. It must be doable somehow. Can you please instruct me how to do this?

It seems that the boot code is looking for a UFS filesystem (bare or inside a softraid crypto partition) which has a "/boot" file in it, and that "/boot" file will then load the kernel.

Could I make a small softraid crypto partition on the USB stick and put a UFS filesystem with a /boot file in it to make installboot work out, and then somehow make it pick up the kernel from the main harddrive?

Also, loading the kernel from the USB drive would be all fine, perhaps even preferable, and then just so that the kernel understands that it should use the HDD as root partition.

Please suggest how to make these two variants work.

Thanks!
Tinker
Re: "pass all flags S/SA" from default pf.conf is logging, why?
On Mon, Jan 30, 2017 at 11:46:32AM +, Stuart Henderson wrote:
> > I'm surprised that I get logging in pflog even I have *no* 'log'
> > in my pf.conf.
> >
> > # pfctl -vvsr -R 14
> > @14 pass all flags S/SA
> >   [ Evaluations: 30082     Packets: 569255    Bytes: 365488723   States: 23    ]
> >   [ Inserted: uid 0 pid 71493 State Creations: 29574 ]
> >
> > According to pf.conf(5) 'all' in above should be, though still
> > not having 'log':
> >
> >   " all   This is equivalent to `from any to any'."
> >
> > # tcpdump -r /var/log/pflog -n -e -ttt rulenum 14 | tail -n1
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > Jan 30 11:52:45.295489 rule 14/(ip-option) pass in on vlan0:
> > 192.168.254.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
> >
> > # sysctl kern.version
> > kern.version=OpenBSD 6.0-current (GENERIC.MP) #153: Tue Jan 24 19:06:50 MST 2017
> >     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Is this a bug or feature? Thx.
>
> afaik, feature. It's a packet with ip-options which is blocked outright
> by PF unless you have an "allow-opts" rule.

OK, but there's nothing about logging ip-options packets in pf.conf under 'allow-opts'.

j.
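The pflog entry quoted above carries pf's reason in parentheses, "rule 14/(ip-option)", which is how the log tells a plain rule hit ("match") apart from packets pf logged for a reason of its own, such as the ip-options handling Stuart describes. The script below is an added example, not code from the thread: it parses "tcpdump -e" output from /var/log/pflog (the line from the post plus constructed lines) and groups entries by rule number and reason, so that entries logged without any 'log' keyword stand out when pflog shows more than pf.conf asks for.

```python
"""Group pflog entries by rule number and pf's logging reason.

Added example for this thread, not code from the thread.  tcpdump(8)
reading /var/log/pflog with -e prints the rule number and the reason pf
recorded, e.g. "rule 14/(ip-option)".  Entries whose reason is "match"
come from a rule hit; any other reason means pf logged the packet for a
reason of its own, like the ip-options case discussed above.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first line is copied from the post, the others are
# made up to show ordinary rule hits and a second special reason.
SAMPLE_PFLOG = """\
Jan 30 11:52:45.295489 rule 14/(ip-option) pass in on vlan0: 192.168.254.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jan 30 11:52:46.100001 rule 3/(match) block in on vlan0: 198.51.100.9.40000 > 192.168.254.1.22: S 1:1(0) win 65535
Jan 30 11:52:47.200002 rule 14/(ip-option) pass in on vlan0: 192.168.254.102 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jan 30 11:52:48.300003 rule 0/(short) block in on vlan0: 198.51.100.9 > 192.168.254.1: [|tcp]
"""

# Timestamp, "rule N/(reason)", action, direction, interface, then the
# decoded packet as tcpdump prints it.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<iface>\S+): (?P<rest>.*)$"
)


def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one 'tcpdump -e' pflog line into its fields, or return None for
    lines that are not pflog records (e.g. tcpdump's snaplen warning)."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_by_rule_and_reason(text: str) -> Dict[Tuple[str, str], int]:
    """Count entries per (rule number, reason) pair."""
    counts: Counter = Counter()
    for line in text.splitlines():
        entry = parse_pflog_line(line)
        if entry:
            counts[(entry["rule"], entry["reason"])] += 1
    return dict(counts)


def logged_without_match(text: str) -> List[Dict[str, str]]:
    """Entries pf logged for a reason other than a plain rule match.  These
    show up in pflog even when the rule carries no 'log' keyword."""
    return [
        e for e in (parse_pflog_line(l) for l in text.splitlines())
        if e and e["reason"] != "match"
    ]


if __name__ == "__main__":
    for key, n in sorted(count_by_rule_and_reason(SAMPLE_PFLOG).items()):
        print(f"rule {key[0]:>3} reason {key[1]:<12} entries {n}")
    for e in logged_without_match(SAMPLE_PFLOG):
        print(f"{e['ts']} {e['action']} {e['dir']} on {e['iface']} "
              f"({e['reason']}): {e['rest']}")
```

Run it against real output with "tcpdump -n -e -ttt -r /var/log/pflog" piped into the script in place of SAMPLE_PFLOG; the (rule, reason) table makes it immediately visible which rule numbers log only because of pf's own handling rather than a 'log' keyword in pf.conf.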
panic: kernel diagnostic assertion "sc->sc_carpdev != NULL" failed: file "../../../../netinet/ip_carp.c", line 2312
Two physical machines with a bunch of vlans and carp interfaces with pfsync. I have a script that pushes pf.conf to the machines and runs pfctl -f /etc/pf.conf on them. One of the invocations killed both of them and left a crash dump.

I'm mostly wondering if this is a known issue or not. If not, I'm curious about what methods I'd best use to debug the issue? I don't have a bsd.gdb available - I was testing syspatch a while ago so I never had a chance to build it myself.

Thanks for any help!

dmesg -N /var/crash/bsd.0 -M /var/crash/bsd.0.core says:

OpenBSD 6.0 (GENERIC.MP) #2: Mon Nov 28 23:02:49 CET 2016
    r...@syspatch.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80
real mem = 8396206080 (8007MB)
avail mem = 8137265152 (7760MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe5320 (51 entries)
bios0: vendor Dell Inc. version "1.4.0" date 10/23/2014
bios0: Dell Inc. PowerEdge R220
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP UEFI UEFI ASF! ASPT BOOT DBGP HPET APIC MCFG SLIC WDAT SSDT SPMI SSDT SSDT SSDT DMAR SSDT FPDT HEST ERST BERT EINJ
acpi0: wakeup devices P0P1(S4) UAR1(S3) ECIR(S4) GLAN(S4) EHC1(S4) EHC2(S4) XHC_(S4) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3592.44 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
cpu4 at mainbus0: apid 4 (application processor)
cpu4: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 2, package 0
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 2, package 0
cpu6 at mainbus0: apid 6 (application processor)
cpu6: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
Re: IPSEC from behind NAT stage 2 failure
Your behind-NAT IPsec client should use external IP (78.111.187.234) as IKE identifier (IDi/initiator id) to be able to establish the SA. IMHO, the better option for your remote clients would be a use of different ID type like ID_RFC822_ADDR.

On Wed, Feb 1, 2017 at 4:19 AM, lilit-aibolit wrote:
> On 12/06/2016 11:04 AM, Florian Ermisch wrote:
>
>> And I guess that's the problem: the client
>> goes "hi I'm 10.1.1.58 and I'd like to
>> connect" and isakmpd doesn't know no
>> 10.1.1.58. IKEv1 is very picky about those
>> things: When it doesn't expect an ID no
>> peer presenting one will be allowed to
>> connect AFAIK.
>>
>> Maybe adding local/peer or srcid/dstid
>> will help. You can try with using the
>> clients current local IP of 10.1.1.58
>> as ID to expect.
>>
> Hi folks, I faced with same issue. Here are my details.
>
> 1) Win7 which is behind 3G wireless router(192.168.5.250)
>
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
>    Physical Address. . . . . . . . . : 00-1F-00-12-00-91
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Default Gateway . . . . . . . . . : 192.168.5.250
>    DNS Servers . . . . . . . . . . . : 192.168.5.250
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> Myip lookup in browser gives me 78.111.187.234 as my real
> public IP in Internet.
>
> VPN connection details:
> Security: L2TP,
> Advanced settings: Use preshared key (one from ipsec.conf),
> Data encryption: Require encryption,
> Authentication: Allow CHAP, MS-CHAP v2
>
> 2) OpenBSD side.
>
> ipsec.conf:
>
> ike passive esp transport \
>         proto udp from any to any port 1701 \
>         main auth hmac-sha1 enc aes group modp2048 \
>         quick auth hmac-sha1 enc 3des \
>         psk "secret"
>
> pf.conf:
>
> set skip on { lo0, tun0 }
> pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
> pass in on $ext_if proto { esp, ah } from any to re1
> pass on enc0 from any to any keep state (if-bound)
>
> npppd.conf:
>
> authentication LOCAL type local {
>         users-file "/etc/npppd/npppd-users"
> }
> tunnel L2TP protocol l2tp {
>         listen on 195.68.x.y
> }
> ipcp IPCP {
>         pool-address 192.168.222.2-192.168.222.254
>         dns-servers 192.168.8.254
> }
> interface tun0 address 192.168.222.1 ipcp IPCP
> bind tunnel from L2TP authenticated by LOCAL to tun0
>
> 3) Action.
> I start npppd, isakmpd and apply ipsecctl -f /etc/ipsec.conf
> and then connect from Win7 client.
>
> # npppd -d
> 2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
> 2017-02-01 13:28:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
> 2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
> 2017-02-01 13:28:10:INFO: ipcp=IPCP pool dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
> 2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
> 2017-02-01 13:28:10:INFO: Loading pool config successfully.
> 2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) [L2TP]
>
> # isakmpd -Kdv
> 133951.389348 Default isakmpd: starting [priv]
> 134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
> 134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
> 134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
> ^C134045.852435 Default isakmpd: shutting down...
> 134045.852621 Default isakmpd: exit
>
> # tcpdump -i re1 -nvvv host 78.111.187.234
> tcpdump: listening on re1, link-type EN10MB
> 13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5-> msgid:  len: 384
>         payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
> 13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 188
>         payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad ip cksum 0! -> 676d)
> 13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
>         cookie: f226e0502ef70be5->377d76144ad08a15 msgid:
Re: IPSEC from behind NAT stage 2 failure
On 12/06/2016 11:04 AM, Florian Ermisch wrote:
> And I guess that's the problem: the client
> goes "hi I'm 10.1.1.58 and I'd like to
> connect" and isakmpd doesn't know no
> 10.1.1.58. IKEv1 is very picky about those
> things: When it doesn't expect an ID no
> peer presenting one will be allowed to
> connect AFAIK.
>
> Maybe adding local/peer or srcid/dstid
> will help. You can try with using the
> clients current local IP of 10.1.1.58
> as ID to expect.

Hi folks, I faced the same issue. Here are my details.

1) Win7 which is behind a 3G wireless router (192.168.5.250)

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-00-12-00-91
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.250
   DNS Servers . . . . . . . . . . . : 192.168.5.250
   NetBIOS over Tcpip. . . . . . . . : Enabled

A "my IP" lookup in the browser gives me 78.111.187.234 as my real public IP on the Internet.

VPN connection details:
Security: L2TP,
Advanced settings: Use preshared key (one from ipsec.conf),
Data encryption: Require encryption,
Authentication: Allow CHAP, MS-CHAP v2

2) OpenBSD side.

ipsec.conf:

ike passive esp transport \
        proto udp from any to any port 1701 \
        main auth hmac-sha1 enc aes group modp2048 \
        quick auth hmac-sha1 enc 3des \
        psk "secret"

pf.conf:

set skip on { lo0, tun0 }
pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
pass in on $ext_if proto { esp, ah } from any to re1
pass on enc0 from any to any keep state (if-bound)

npppd.conf:

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
        listen on 195.68.x.y
}
ipcp IPCP {
        pool-address 192.168.222.2-192.168.222.254
        dns-servers 192.168.8.254
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

3) Action.
I start npppd, isakmpd and apply ipsecctl -f /etc/ipsec.conf and then connect from the Win7 client.

# npppd -d
2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
2017-02-01 13:28:10:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
2017-02-01 13:28:10:INFO: ipcp=IPCP pool dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]
2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
2017-02-01 13:28:10:INFO: Loading pool config successfully.
2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) [L2TP]

# isakmpd -Kdv
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
^C134045.852435 Default isakmpd: shutting down...
134045.852621 Default isakmpd: exit

# tcpdump -i re1 -nvvv host 78.111.187.234
tcpdump: listening on re1, link-type EN10MB
13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
        cookie: f226e0502ef70be5-> msgid:  len: 384
        payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
        cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 188
        payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad ip cksum 0! -> 676d)
13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 exchange ID_PROT
        cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
        payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 exchange ID_PROT
        cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
        payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len 416, bad ip cksum 0! -> bb64)
13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 76 (ttl 122, id 6815,
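The isakmpd lines in this post show the pattern that Yury's reply in the thread explains: phase 1 completes with the initiator identifying itself as 192.168.5.88, while its packets arrive from the NAT's public address 78.111.187.234, and the phase 2 ID proposal is then rejected with INVALID_ID_INFORMATION. The script below is an added example, not code from the thread or from isakmpd: it scans "isakmpd -v" output for exactly this address/identity mismatch so an operator can tell a NATed peer from other phase 2 failures. The sample lines are copied from the report, with the masked responder address 195.68.x.y replaced by the constructed 195.68.0.1, plus one constructed line for a peer that is not behind NAT.

```python
"""Flag IKEv1 peers whose phase 1 identity does not match the address they
talk to us from.

Added example for this thread, not code from the thread or from isakmpd.
It reads isakmpd -v output.  The relevant lines are copied from the report
above (masked responder 195.68.x.y replaced by the constructed 195.68.0.1)
plus one constructed line for a peer that is not behind NAT.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union

SAMPLE_LOG = """\
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.0.1, src: 195.68.0.1 dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.0.1
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
134100.000000 Default isakmpd: phase 1 done (as responder): initiator id 203.0.113.7, responder id 195.68.0.1, src: 195.68.0.1 dst: 203.0.113.7
"""

PHASE1_RE = re.compile(
    r"phase 1 done \(as (?P<role>\w+)\): initiator id (?P<iid>\S+), "
    r"responder id (?P<rid>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)"
)
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>\w+)"
)

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def as_ip(text: str) -> Optional[IPAddr]:
    """Address-type IDs (ID_IPV4_ADDR) parse; FQDN or ID_RFC822_ADDR IDs
    such as user@example.org do not, and return None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_isakmpd_log(log_text: str) -> List[Dict[str, object]]:
    """One finding per mismatched phase 1 identity and per INVALID_ID drop."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            # When we are the responder, the peer's packets come from 'dst'.
            peer_addr = m["dst"] if m["role"] == "responder" else m["src"]
            ident, peer = as_ip(m["iid"]), as_ip(peer_addr)
            if ident is not None and ident != peer:
                findings.append({
                    "kind": "id_mismatch",
                    "initiator_id": m["iid"],
                    "peer": peer_addr,
                    # A private (RFC 1918) ID arriving from a public address
                    # is the signature of a peer behind NAT presenting its
                    # inside address as IDi.
                    "nat_suspected": ident.is_private
                    and peer is not None and not peer.is_private,
                })
            continue
        m = DROP_RE.search(line)
        if m and m["notify"] == "INVALID_ID_INFORMATION":
            # UDP 4500 means the peers switched to NAT-traversal
            # encapsulation, which corroborates a NAT in the path.
            findings.append({"kind": "invalid_id", "peer": m["peer"],
                             "port": m["port"]})
    return findings


def describe(finding: Dict[str, object]) -> str:
    """Render a finding as one line for an operator."""
    if finding["kind"] == "id_mismatch":
        hint = " (peer is behind NAT)" if finding["nat_suspected"] else ""
        return (f"peer {finding['peer']} identified itself as "
                f"{finding['initiator_id']}{hint}")
    return (f"peer {finding['peer']} rejected with INVALID_ID_INFORMATION "
            f"on port {finding['port']}")


if __name__ == "__main__":
    for f in check_isakmpd_log(SAMPLE_LOG):
        print(describe(f))
```

The constructed peer 203.0.113.7 produces no finding because its IDi equals the address it connects from; the NATed Win7 client does, because the ID is an inside address and the source is not. FQDN or e-mail style IDs (the ID_RFC822_ADDR option Yury mentions) are skipped by as_ip on purpose: they are not expected to match an address.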
Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
On Wed, Feb 01, 2017 at 05:09:43PM +0200, Lars Noodén wrote:
> On 02/01/2017 05:06 PM, Erling Westenvik wrote:
> > On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote:
> >> Erling Westenvik writes:
> >>
> >>> However, I got inspired and when I disabled pf (pfctl -d) I got full
> >>> contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> >>> connection I had... Now I have to wait 48 minutes for the server to
> >>> reboot. Not much more to do now except for crossing my fingers...)
> >>
> >> Err, yes but won't pf be enabled at boot time? Hopefully, some of your
> >> pf tables will be reset.
> >
> > True. But before I turned pf off and back on, I couldn't be sure what
> > was causing the problem. If it was an external problem I would've been
> > better off with the one active existing ssh connection.
> >
>
> I hope it reboots ok. If you end up with a similar situation again you
> might set up 2 or more at jobs that build reverse tunnels from port 22
> to an outside machine. That way you can still connect back via a tunnel
> if the main SSH session drops. That won't solve the problem but might
> buy you more time to investigate.
>
> /Lars

Thanks. Good advice, and I actually HAD such a tunnel to a remote machine earlier today but took it down due to experimenting, without remembering to reactivate it. Won't forget that again!

-- 
Erling Westenvik
Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote:
> Erling Westenvik writes:
>
> > However, I got inspired and when I disabled pf (pfctl -d) I got full
> > contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> > connection I had... Now I have to wait 48 minutes for the server to
> > reboot. Not much more to do now except for crossing my fingers...)
>
> Err, yes but won't pf be enabled at boot time? Hopefully, some of your
> pf tables will be reset.

True. But before I turned pf off and back on, I couldn't be sure what was causing the problem. If it was an external problem I would've been better off with the one active existing ssh connection.

-- 
Erling Westenvik
Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
Erling Westenvik writes:

> However, I got inspired and when I disabled pf (pfctl -d) I got full
> contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> connection I had... Now I have to wait 48 minutes for the server to
> reboot. Not much more to do now except for crossing my fingers...)

Err, yes but won't pf be enabled at boot time? Hopefully, some of your pf tables will be reset.

-- 
Manuel Giraud
Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
On Wed, Feb 01, 2017 at 04:26:15PM +0200, lilit-aibolit wrote:
> On 02/01/2017 03:41 PM, Erling Westenvik wrote:
> > I have an OpenBSD 5.9 server at a colocation. It stopped accepting new
> > connections (ping, ssh, http, whatever) yesterday night but fortunately
> > I had one ssh session open from my workstation from which I can still
> > access it.
> >
> Did you think about creation of second sshd instance
> on other port and start it in debug mode?

Thank you for answering. No, it didn't occur to me since I could not reach the machine by any service or port. Tried your suggestion immediately without success.

However, I got inspired and when I disabled pf (pfctl -d) I got full contact! (But -- when I turned pf back on (pfctl -e) I lost the one connection I had... Now I have to wait 48 minutes for the server to reboot. Not much more to do now except for crossing my fingers...)

Thanks anyway! :-)

-- 
Erling Westenvik
Re: getting data from degraded RAID 1 boot disk
On Wed, Feb 01, 2017 at 08:32:44AM -0500, ji...@devio.us wrote:
> On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > > Should have kernel automatically create 'sd4' for degraded RAID 1
> > > but it does not?
> >
> > I believe it will auto assemble if the disk is present at boot time.
>
> ^^ This does work, I tried to plug the disk as boot device into QEMU VM.
>
> > But not when you hotplug the disk.
>
> Pity. Could it be reconsidered? It would ease data recovery (ie. trying
> to get a box to boot the disk or using VM.)

It will be particularly useful at installation time when you plan to create a RAID1 / RAID5 setup and you don't have all the disks yet. RAIDframe had the 'absent' device name that could be used for this particular case.
Re: getting data from degraded RAID 1 boot disk
On Wed, Feb 01, 2017 at 08:32:44AM -0500, Jiri B wrote:
> On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > > Should have kernel automatically create 'sd4' for degraded RAID 1
> > > but it does not?
> >
> > I believe it will auto assemble if the disk is present at boot time.
>
> ^^ This does work, I tried to plug the disk as boot device into QEMU VM.
>
> > But not when you hotplug the disk.
>
> Pity. Could it be reconsidered? It would ease data recovery (ie. trying
> to get a box to boot the disk or using VM.)

Sure. I am not saying the way it works now is best. Just trying to help. Patches welcome, as usual :)
Help with server not accepting new connections but is still accessible through ONE existing open ssh-session
I have an OpenBSD 5.9 server at a colocation. It stopped accepting new connections (ping, ssh, http, whatever) yesterday night but fortunately I had one ssh session open from my workstation from which I can still access it.

Funny thing is that the server has full access OUT to the internet. I can open web pages through lynx, ssh to everywhere, and so on. It just won't accept any new connections IN.

The colocation provider claims that nothing has changed at their side. (Gateway, firewall, DNS, etc.)

Since the location for the server is not easily accessible, and in a worst case scenario wouldn't be accessible for many days or even a week, I'd rather try to find and solve the problem before having to resort to a reboot. (In case the machine doesn't come up again, leaving me without the one ssh session that is alive as for now.)

Pflog/tcpdump shows absolutely NO activity, neither in nor out. That is strange IMO and I'm suspecting that some states in pf may be the problem. I'm tempted to do a pfctl -F all, but that may also kill the only ssh session I have open. (I'm resetting shutdown -r +60 every now and then so that the server will at least do a reboot if the ssh connection should fail.)

Any ideas as to where to begin?

-- 
Erling Westenvik

$ uptime
 2:39PM  up 253 days,  2:15, 1 user, load averages: 0.27, 0.28, 0.22

$ dmesg
OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8505982976 (8111MB)
avail mem = 8243998720 (7862MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfbae0 (60 entries)
bios0: vendor American Megatrends Inc. version "080011" date 06/30/2006
bios0: Supermicro H8DSP-8
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB SRAT
acpi0: wakeup devices P1P2(S4) USB0(S1) USB1(S1) USB2(S1) PS2K(S4) PS2M(S4) BR14(S4) BR1E(S4) BR28(S4) BR3C(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 250, 2394.33 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 250, 2394.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: AMD erratum 89 present, BIOS upgrade may be required
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 16 pins
ioapic1 at mainbus0: apid 3 pa 0xfec01000, version 11, 16 pins
ioapic2 at mainbus0: apid 4 pa 0xfec02000, version 11, 16 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P1P2)
acpiprt3 at acpi0: bus 3 (BR14)
acpiprt4 at acpi0: bus 4 (BR1E)
acpiprt5 at acpi0: bus 5 (BR28)
acpiprt6 at acpi0: bus 6 (BR32)
acpiprt7 at acpi0: bus 7 (BR3C)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
pci0 at mainbus0 bus 0
ppb0 at pci0 dev 1 function 0 "ServerWorks HT-1000 PCI" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 13 function 0 "ServerWorks HT-1000 PCIX" rev 0xb2
pci2 at ppb1 bus 2
pciide0 at pci1 dev 14 function 0 "ServerWorks HT-1000 SATA" rev 0x00: DMA
pciide0: using apic 2 int 11 for native-PCI interrupt
pciide0: port 0: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
pciide0: port 1: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0:
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 6
pciide0: port 2: 1.5Gb/s
wd2 at pciide0 channel 2 drive 0:
wd2: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd2(pciide0:2:0): using PIO mode 4, Ultra-DMA mode 6
pciide0: port 3: 1.5Gb/s
wd3 at pciide0 channel 3 drive 0:
wd3: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd3(pciide0:3:0): using PIO mode 4, Ultra-DMA mode 6
pciide1 at pci1 dev 14 function 1 "ServerWorks HT-1000 SATA" rev 0x00
piixpm0 at pci0 dev 2 function 0 "ServerWorks HT-1000" rev 0x00: polling
iic0 at piixpm0
iic0: addr 0x1b 0f=18
Re: getting data from degraded RAID 1 boot disk
On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > Should have kernel automatically create 'sd4' for degraded RAID 1
> > but it does not?
>
> I believe it will auto assemble if the disk is present at boot time.

^^ This does work, I tried to plug the disk as boot device into QEMU VM.

> But not when you hotplug the disk.

Pity. Could it be reconsidered? It would ease data recovery (ie. trying to get a box to boot the disk or using VM.)

Thanks.

j.
Re: getting data from degraded RAID 1 boot disk
On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> Should have kernel automatically create 'sd4' for degraded RAID 1
> but it does not?

I believe it will auto assemble if the disk is present at boot time.

But not when you hotplug the disk.
Re: getting data from degraded RAID 1 boot disk
On Tue, Jan 31, 2017 at 11:55:21PM +0100, Stefan Sperling wrote:
> On Tue, Jan 31, 2017 at 05:23:10PM -0500, Jiri B wrote:
> > I have a disk which used to be boot disk of a degraded RAID 1 (softraid).
> > The second disk is totally gone.
> >
> > I don't want to use this disk as RAID 1 disk anymore, just to get data
> > from it.
> >
> > I'm asking because when I plugged the disk, bioctl said 'not enough disks'.
> >
> > Do we really have to necessary require two disks when attaching already
> > existing degraded RAID 1 with only one disk available?
>
> Can you describe in more detail what you did to "plug the disk"?
> It sounds like you ran 'bioctl' in a way that tries to create a
> new RAID1 volume. Why?
>
> If the disk is present during system boot, is it not auto-assembled
> as a degraded RAID1 volume? I would expect a degraded softraid RAID1
> disk to show up which you can copy data from.

Thank you very much for the reply. Here are the steps:

1. The original disk, which used to be part of a degraded RAID 1 (softraid) boot disk, attached via a USB->SATA adapter:

umass1 at uhub0 port 10 configuration 1 interface 0 "JMicron AXAGON USB to SATA Adapter" rev 3.00/81.05 addr 10
umass1: using SCSI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
sd3 at scsibus5 targ 1 lun 0: SCSI4 0/direct fixed serial.49718017
sd3: 715404MB, 512 bytes/sector, 1465149168 sectors

2. Trying to put the degraded RAID 1 online:

# fdisk sd3 | grep OpenBSD
*3: A6      0   1   2 -  91200 254  63 [          64:  1465144001 ] OpenBSD
# disklabel sd3 | grep RAID
  a:       1465144001               64  RAID
# bioctl -c 1 -l /dev/sd3a softraid0
bioctl: not enough disks

man bioctl unfortunately states:

~~~
The RAID 0, RAID 1 and CONCAT disciplines require a minimum of two devices to be provided via -l...
~~~

Should the kernel have automatically created 'sd4' for the degraded RAID 1, but it does not? As bioctl requires "a minimum of two devices" for RAID 1...

IMO if RAID 1 could be constructed with one disk via bioctl it would be better also for people doing migration to RAID 1.

j.