Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit

On 02/01/2017 10:21 PM, Yury Shefer wrote:

> Your behind-NAT IPsec client should use external IP (78.111.187.234) as IKE
> identifier (IDi/initiator id) to be able to establish the SA. IMHO, the
> better option for your remote clients would be a use of different ID type
> like ID_RFC822_ADDR.



Thanks for your answer.

Could you explain in more detail how I can do this,
because I don't see any setting in the native
Windows VPN client to specify the current external IP.

Moreover, what should I do if this is a road-warrior case
and the external IP changes each time for every client?



Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

2017-02-01 Thread Tinker

On 2017-02-02 10:27, Tinker wrote:
> ..
> My motivation here for wanting the boot code on the USB stick is that
> I trust the USB stick more than my harddrive.


Motivation:

What I meant to say here is that I like the notion of the harddrive as 
insecure by definition, so that I will only trust its content through 
the "firewall" of the softraid crypto mechanism.


This is why I'm OK with storing softraid crypto data on the HDD but not 
the boot code.


The only thing, supposedly, that the HDD could do would be to give me 
fake partition tables or partition data, and goofy partition data could 
only meaningfully amount to a replay attack, so those would be harmless 
in both cases.


So this would (supposedly) cut out the harddrive from the chain of 
attack vectors, and that can be an important step in the direction of 
security. Of course there is a plethora of security problems in addition 
to this one in any computer.




How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

2017-02-01 Thread Tinker

Hi!

I would like to have my system set up as follows:

 * My USB memory card contains the boot code (MBR etc.) and the softraid 
crypto keydisk partition.


   And maybe the kernel.

 * My HDD contains the root filesystem in a crypto softraid. (And no 
boot code!)


How do I make this so?


The architecture is AMD64 now but could be ARM later.

My motivation here for wanting the boot code on the USB stick is that I 
trust the USB stick more than my harddrive.


The probability that someone would alter the harddrive's boot code is 
way higher than the probability that someone would alter the USB stick's 
boot code.


In my OpenBSD environment,

 * sd0 is my HDD (sd0a is the crypto softraid represented as sd1, and 
sd0b is my swap partition),


 * sd1 is the crypto softraid (which is contained in sd0a, and, it 
contains partitions sd1a, sd1d, etc. with my root partition, home 
partition etc.), and


 * sd2 is my USB flash drive (sd2a is my crypto softraid keydisk 
partition).


When I do "installboot sd2", I get the error "installboot: cross-device 
install".


This seems to come from line 723 in 
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/installboot/i386_installboot.c?annotate=1.29 
:


 721:	if (sysctl(mib, 3, &dev, &size, NULL, 0) >= 0) {
 722:		if (fsb.st_dev / MAXPARTITIONS != dev / MAXPARTITIONS)
 723:			errx(1, "cross-device install");
 724:	}


So... installboot has been intentionally conditioned to not allow me to 
make my USB stick bootable.


But I don't understand the context here, like, what's actually possible, 
why it fails here, and what the "supported" ways around it would be.


It must be doable somehow.


Can you please instruct me how to do this?

It seems that the boot code is looking for a UFS filesystem (bare or 
inside a softraid crypto partition), which has a "/boot" file in it, and 
that "/boot" file will then load the kernel.


Could I make a small softraid crypto partition on the USB stick and put 
a UFS filesystem with a /boot file in it to make installboot work out, 
and then somehow make it pick up the kernel from the main harddrive?


Also, loading the kernel from the USB drive would be all fine, perhaps 
even preferable; then it would just be a matter of making the kernel 
understand that it should use the HDD as the root partition.


Please suggest how to make these two variants work.

Thanks!
Tinker



Re: "pass all flags S/SA" from default pf.conf is logging, why?

2017-02-01 Thread Jiri B
On Mon, Jan 30, 2017 at 11:46:32AM +, Stuart Henderson wrote:
> > I'm surprised that I get logging in pflog even I have *no* 'log'
> > in my pf.conf.
> >
> > # pfctl -vvsr -R 14
> > @14 pass all flags S/SA
> >   [ Evaluations: 30082 Packets: 569255Bytes: 365488723   States: 23 
> >]
> >   [ Inserted: uid 0 pid 71493 State Creations: 29574 ]
> >
> > According to pf.conf(5) 'all' in above should be, though still
> > not having 'log':
> >
> > " all This is equivalent to `from any to any'."
> >
> > # tcpdump -r /var/log/pflog -n -e -ttt rulenum 14 | tail -n1
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > Jan 30 11:52:45.295489 rule 14/(ip-option) pass in on vlan0: 
> > 192.168.254.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
> >
> > # sysctl kern.version
> > kern.version=OpenBSD 6.0-current (GENERIC.MP) #153: Tue Jan 24 19:06:50 MST 
> > 2017
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Is this a bug or feature? Thx.
> 
> afaik, feature. It's a packet with ip-options which is blocked outright
> by PF unless you have an "allow-opts" rule.

OK, but there's nothing about logging ip-options packets in pf.conf
under 'allow-opts'.

j.



panic: kernel diagnostic assertion "sc->sc_carpdev != NULL" failed: file "../../../../netinet/ip_carp.c", line 2312

2017-02-01 Thread Brent Graveland
Two physical machines with a bunch of vlans and carp interfaces with pfsync. I
have a script that pushes pf.conf to the machines and runs pfctl -f
/etc/pf.conf on them. One of the invocations killed both of them and left a
crash dump.

I’m mostly wondering if this is a known issue or not. If not, I’m curious
about what methods I’d best use to debug the issue? I don’t have a bsd.gdb
available - I was testing syspatch a while ago so I never had a chance to
build it myself.

Thanks for any help!


dmesg -N /var/crash/bsd.0 -M /var/crash/bsd.0.core says:

OpenBSD 6.0 (GENERIC.MP) #2: Mon Nov 28 23:02:49 CET 2016
r...@syspatch.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
bios0: Dell Inc. PowerEdge R220

Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread Yury Shefer
Your behind-NAT IPsec client should use external IP (78.111.187.234) as IKE
identifier (IDi/initiator id) to be able to establish the SA. IMHO, the
better option for your remote clients would be a use of different ID type
like ID_RFC822_ADDR.

On Wed, Feb 1, 2017 at 4:19 AM, lilit-aibolit  wrote:


Re: IPSEC from behind NAT stage 2 failure

2017-02-01 Thread lilit-aibolit

On 12/06/2016 11:04 AM, Florian Ermisch wrote:

> And I guess that's the problem: the client
> goes "hi I'm 10.1.1.58 and I'd like to
> connect" and isakmpd doesn't know no
> 10.1.1.58. IKEv1 is very picky about those
> things: When it doesn't expect an ID no
> peer presenting one will be allowed to
> connect AFAIK.
>
> Maybe adding local/peer or srcid/dstid
> will help. You can try with using the
> client's current local IP of 10.1.1.58
> as ID to expect.


Hi folks, I'm facing the same issue. Here are my details.

1) Win7, which is behind a 3G wireless router (192.168.5.250)

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-00-12-00-91
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.5.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.250
   DNS Servers . . . . . . . . . . . : 192.168.5.250
   NetBIOS over Tcpip. . . . . . . . : Enabled

A "my IP" lookup in the browser gives me 78.111.187.234 as my real
public IP on the Internet.

VPN connection details:
Security: L2TP,
Advanced settings: Use preshared key (one from ipsec.conf),
Data encryption: Require encryption,
Authentication: Allow CHAP, MS-CHAP v2

2) OpenBSD side.

ipsec.conf:

ike passive esp transport \
proto udp from any to any port 1701 \
main auth hmac-sha1 enc aes group modp2048 \
quick auth hmac-sha1 enc 3des \
psk "secret"

pf.conf:

set skip on  { lo0, tun0 }
pass in on $ext_if inet proto udp from any to re1 port { 1701, 500, 4500 }
pass in on $ext_if proto { esp, ah } from any to re1
pass on enc0 from any to any keep state (if-bound)

npppd.conf:

authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
listen on 195.68.x.y
}
ipcp IPCP {
pool-address 192.168.222.2-192.168.222.254
dns-servers 192.168.8.254
}
interface tun0  address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

3) Action.
I start npppd, isakmpd and apply ipsecctl -f /etc/ipsec.conf
and then connect from Win7 client.

# npppd -d
2017-02-01 13:28:10:NOTICE: Starting npppd pid=2226 version=5.0.0
2017-02-01 13:28:10:NOTICE: Load configuration 
from='/etc/npppd/npppd.conf' successfully.

2017-02-01 13:28:10:INFO: tun0 Started ip4addr=192.168.222.1
2017-02-01 13:28:10:INFO: ipcp=IPCP pool 
dyn_pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32] 
pool=[192.168.222.2/31,192.168.222.4/30,192.168.222.8/29,192.168.222.16/28,192.168.222.32/27,192.168.222.64/26,192.168.222.128/26,192.168.222.192/27,192.168.222.224/28,192.168.222.240/29,192.168.222.248/30,192.168.222.252/31,192.168.222.254/32]

2017-02-01 13:28:10:INFO: Added 13 routes for new pool addresses
2017-02-01 13:28:10:INFO: Loading pool config successfully.
2017-02-01 13:28:10:INFO: l2tpd Listening 195.68.x.y:1701/udp (L2TP LNS) 
[L2TP]


# isakmpd -Kdv
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 
192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed 
invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due 
to notification type INVALID_ID_INFORMATION

^C134045.852435 Default isakmpd: shutting down...
134045.852621 Default isakmpd: exit

# tcpdump -i re1 -nvvv host 78.111.187.234
tcpdump: listening on re1, link-type EN10MB
13:40:07.820658 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 
exchange ID_PROT

cookie: f226e0502ef70be5-> msgid:  len: 384
payload: SA len: 212 [|isakmp] (ttl 123, id 6811, len 412)
13:40:07.821374 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 
exchange ID_PROT

cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 188
payload: SA len: 60 [|isakmp] (ttl 64, id 32899, len 216, bad 
ip cksum 0! -> 676d)
13:40:08.007137 78.111.187.234.14717 > 195.68.x.y.500: isakmp v1.0 
exchange ID_PROT

cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 123, id 6812, len 416)
13:40:08.045493 195.68.x.y.500 > 78.111.187.234.14717: isakmp v1.0 
exchange ID_PROT

cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 388
payload: KEY_EXCH len: 260 [|isakmp] (ttl 64, id 11204, len 
416, bad ip cksum 0! -> bb64)
13:40:08.193866 78.111.187.234.4500 > 195.68.x.y.4500: udpencap: isakmp 
v1.0 exchange ID_PROT encrypted
cookie: f226e0502ef70be5->377d76144ad08a15 msgid:  len: 
76 (ttl 122, id 6815, 
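A small log correlator for the isakmpd -Kdv output above (an added example, not code from the thread or from OpenBSD): it ties the phase 1 "initiator id" to the address the IKE packets really came from, flags peers whose ID is a private pre-NAT address, and links the INVALID_ID_INFORMATION drop on UDP 4500 back to that peer. The log lines are constructed from the ones in the message, keeping the thread's own 195.68.x.y redaction; the second peer (203.0.113.7) is hypothetical and shows the non-NAT case for comparison.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample modelled on the isakmpd -Kdv output in the thread. The
# responder address is kept as the thread's own redaction, 195.68.x.y; a
# second, hypothetical peer (203.0.113.7) that is not behind NAT is added so
# the two cases can be compared.
SAMPLE_LOG = """\
133951.389348 Default isakmpd: starting [priv]
134008.194204 Default isakmpd: phase 1 done (as responder): initiator id 192.168.5.88, responder id 195.68.x.y, src: 195.68.x.y dst: 78.111.187.234
134008.307485 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.5.88, responder id 195.68.x.y
134008.307509 Default dropped message from 78.111.187.234 port 4500 due to notification type INVALID_ID_INFORMATION
134100.000000 Default isakmpd: phase 1 done (as responder): initiator id 203.0.113.7, responder id 195.68.x.y, src: 195.68.x.y dst: 203.0.113.7
"""

PHASE1_RE = re.compile(
    r"phase 1 done \(as responder\): initiator id (?P<idi>\S+), "
    r"responder id (?P<idr>\S+), src: (?P<src>\S+) dst: (?P<dst>\S+)")
PHASE2_REJECT_RE = re.compile(
    r"peer proposed invalid phase 2 IDs: initiator id (?P<idi>\S+), "
    r"responder id (?P<idr>\S+)")
DROPPED_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to "
    r"notification type (?P<notify>\S+)")


@dataclass
class PeerFinding:
    peer: str                    # address the IKE packets really came from
    initiator_id: str            # IDi the peer presented in phase 1
    behind_nat: bool             # IDi differs from the address we see
    private_id: bool             # IDi parses as a private-range address
    nat_traversal: bool = False  # later traffic arrived on UDP 4500
    phase2_rejected: bool = False
    notifications: list = field(default_factory=list)


def _is_private_addr(text):
    """True if text parses as an IP address in a private range."""
    try:
        return ip_address(text).is_private
    except ValueError:          # ID_FQDN, ID_RFC822_ADDR or a redacted value
        return False


def analyze(log):
    """Return one PeerFinding per phase 1 peer seen in an isakmpd log."""
    peers = {}
    for line in log.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            idi, dst = m["idi"], m["dst"]
            peers[dst] = PeerFinding(peer=dst, initiator_id=idi,
                                     behind_nat=(idi != dst),
                                     private_id=_is_private_addr(idi))
            continue
        m = PHASE2_REJECT_RE.search(line)
        if m:
            # This line names only the IDs, so attribute it to every peer
            # whose phase 1 presented the same initiator id.
            for f in peers.values():
                if f.initiator_id == m["idi"]:
                    f.phase2_rejected = True
            continue
        m = DROPPED_RE.search(line)
        if m and m["peer"] in peers:
            f = peers[m["peer"]]
            f.notifications.append(m["notify"])
            if m["port"] == "4500":
                f.nat_traversal = True
    return list(peers.values())


def diagnose(f):
    """One-line reading of a finding, in the terms the thread uses."""
    if f.behind_nat and f.phase2_rejected:
        seen = ", ".join(f.notifications) or "no notification logged"
        return (f"peer {f.peer} is behind NAT: it presented its pre-NAT address "
                f"{f.initiator_id} as IKE ID and the phase 2 IDs were rejected "
                f"({seen}); use an ID that does not depend on the client's "
                "address, e.g. ID_RFC822_ADDR")
    if f.behind_nat:
        return f"peer {f.peer} is behind NAT (IKE ID {f.initiator_id}) and negotiated"
    return f"peer {f.peer} is not behind NAT"


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(diagnose(finding))
```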

Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 05:09:43PM +0200, Lars Noodén wrote:
> On 02/01/2017 05:06 PM, Erling Westenvik wrote:
> > On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote:
> >> Erling Westenvik  writes:
> >>
> >>> However, I got inspired and when I disabled pf (pfctl -d) I got full
> >>> contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> >>> connection I had... Now I have to wait 48 minutes for the server to
> >>> reboot. Not much more to do now except for crossing my fingers...)
> >>
> >> Err, yes but won't pf be enabled at boot time? Hopefully, some of your
> >> pf tables will be reset.
> >
> > True. But before I turned pf off and back on, I couldn't be sure what
> > was causing the problem. If it was an external problem I would've been
> > better off with the one active existing ssh connection.
> >
>
> I hope it reboots ok.  If you end up with a similar situation again you
> might set up 2 or more at jobs that build reverse tunnels from port 22
> to an outside machine.  That way you can still connect back via a tunnel
> if the main SSH session drops.  That won't solve the problem but might
> buy you more time to investigate.
>
> /Lars

Thanks. Good advice, and I actually HAD such a tunnel to a remote
machine earlier today but took it down while experimenting, without
remembering to reactivate it. Won't forget that again!

--
Erling Westenvik



Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 03:58:51PM +0100, Manuel Giraud wrote:
> Erling Westenvik  writes:
>
> > However, I got inspired and when I disabled pf (pfctl -d) I got full
> > contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> > connection I had... Now I have to wait 48 minutes for the server to
> > reboot. Not much more to do now except for crossing my fingers...)
>
> Err, yes but won't pf be enabled at boot time? Hopefully, some of your
> pf tables will be reset.

True. But before I turned pf off and back on, I couldn't be sure what
was causing the problem. If it was an external problem I would've been
better off with the one active existing ssh connection.

--
Erling Westenvik



Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Manuel Giraud
Erling Westenvik  writes:

> However, I got inspired and when I disabled pf (pfctl -d) I got full
> contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> connection I had... Now I have to wait 48 minutes for the server to
> reboot. Not much more to do now except for crossing my fingers...)

Err, yes but won't pf be enabled at boot time? Hopefully, some of your
pf tables will be reset.
-- 
Manuel Giraud



Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
On Wed, Feb 01, 2017 at 04:26:15PM +0200, lilit-aibolit wrote:
> On 02/01/2017 03:41 PM, Erling Westenvik wrote:
> > I have an OpenBSD 5.9 server at a colocation. It stopped accepting new
> > connections (ping, ssh, http, whatever) yesterday night but fortunately
> > I had one ssh session open from my workstation from which I can still
> > access it.
> >
> Did you think about creation of second sshd instance
> on other port and start it in debug mode?

Thank you for answering.

No, it didn't occur to me since I could not reach the machine by any
service or port. Tried your suggestion immediately without success.

However, I got inspired and when I disabled pf (pfctl -d) I got full
contact! (But -- when I turned pf back on (pfctl -e) I lost the one
connection I had... Now I have to wait 48 minutes for the server to
reboot. Not much more to do now except for crossing my fingers...)

Thanks anyway! :-)

--
Erling Westenvik



Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Olivier Cherrier
On Wed, Feb 01, 2017 at 08:32:44AM -0500, ji...@devio.us wrote:
> On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > > Should have kernel automatically create 'sd4' for degraded RAID 1
> > > but it does not?
> > 
> > I believe it will auto assemble if the disk is present at boot time.
> 
> ^^ This does work, I tried to plug the disk as boot device into QEMU VM.
> 
> > But not when you hotplug the disk.
> 
> Pity. Could it be reconsidered? It would ease data recovery (ie. trying
> to get a box to boot the disk or using VM.)

It will be particularly useful at installation time when you plan
to create a RAID 1 / RAID 5 setup and you don't have all the disks yet.
RAIDframe had the 'absent' device name that could be used for this
particular case.



Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Stefan Sperling
On Wed, Feb 01, 2017 at 08:32:44AM -0500, Jiri B wrote:
> On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> > On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > > Should have kernel automatically create 'sd4' for degraded RAID 1
> > > but it does not?
> > 
> > I believe it will auto assemble if the disk is present at boot time.
> 
> ^^ This does work, I tried to plug the disk as boot device into QEMU VM.
> 
> > But not when you hotplug the disk.
> 
> Pity. Could it be reconsidered? It would ease data recovery (ie. trying
> to get a box to boot the disk or using VM.)

Sure. I am not saying the way it works now is best. Just trying to help.
Patches welcome, as usual :)



Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Erling Westenvik
I have an OpenBSD 5.9 server at a colocation. It stopped accepting new
connections (ping, ssh, http, whatever) yesterday night but fortunately
I had one ssh session open from my workstation from which I can still
access it. Funny thing is that the server has full access OUT to the
internet. I can open web pages through lynx, ssh to everywhere, and so
on. It just won't accept any new connections IN.

The colocation provider claims that nothing has changed at their side.
(Gateway, firewall, DNS, etc.) Since the location for the server is not
easily accessible, and in a worst case scenario wouldn't be accessible
for many days or even a week, I'd rather try to find and solve the
problem before having to resort to a reboot. (In case the machine
doesn't come up again, leaving me without the one ssh session that is
alive as for now.)

Pflog/tcpdump shows absolutely NO activity, neither in nor out. That is
strange IMO and I'm suspecting that some states in pf may be the
problem. I'm tempted to do a pfctl -F all, but that may also kill the
only ssh session I have open. (I'm resetting shutdown -r +60 every now
and then so that the server will at least do a reboot if the ssh
connection should fail.)

Any ideas as to where to begin?

--
Erling Westenvik


$ uptime
 2:39PM  up 253 days,  2:15, 1 user, load averages: 0.27, 0.28, 0.22


$ dmesg
OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
bios0: Supermicro H8DSP-8

Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Jiri B
On Wed, Feb 01, 2017 at 01:33:54PM +0100, Stefan Sperling wrote:
> On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> > Should have kernel automatically create 'sd4' for degraded RAID 1
> > but it does not?
> 
> I believe it will auto assemble if the disk is present at boot time.

^^ This does work, I tried to plug the disk as boot device into QEMU VM.

> But not when you hotplug the disk.

Pity. Could it be reconsidered? It would ease data recovery (ie. trying
to get a box to boot the disk or using VM.)

Thanks.

j.



Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Stefan Sperling
On Wed, Feb 01, 2017 at 04:12:26AM -0500, Jiri B wrote:
> Should have kernel automatically create 'sd4' for degraded RAID 1
> but it does not?

I believe it will auto assemble if the disk is present at boot time.
But not when you hotplug the disk.



Re: getting data from degraded RAID 1 boot disk

2017-02-01 Thread Jiri B
On Tue, Jan 31, 2017 at 11:55:21PM +0100, Stefan Sperling wrote:
> On Tue, Jan 31, 2017 at 05:23:10PM -0500, Jiri B wrote:
> > I have a disk which used to be boot disk of a degraded RAID 1 (softraid).
> > The second disk is totally gone.
> > 
> > I don't want to use this disk as RAID 1 disk anymore, just to get data
> > from it.
> > 
> > I'm asking because when I plugged the disk, bioctl said 'not enough disks'.
> > 
> > Do we really have to necessarily require two disks when attaching an
> > already existing degraded RAID 1 with only one disk available?
> 
> Can you describe in more detail what you did to "plug the disk"?
> It sounds like you ran 'bioctl' in a way that tries to create a
> new RAID1 volume. Why?
> 
> If the disk is present during system boot, is it not auto-assembled
> as a degraded RAID1 volume? I would expect a degraded softraid RAID1
> disk to show up which you can copy data from.

Thank you very much for reply. Here are the steps:

1. original disk which used to be part of degraded RAID 1 (softraid)
   boot disk attached via USB->SATA adapter:
   
umass1 at uhub0 port 10 configuration 1 interface 0 "JMicron AXAGON USB to SATA 
Adapter" rev 3.00/81.05 addr 10
umass1: using SCSI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
sd3 at scsibus5 targ 1 lun 0:  SCSI4 0/direct 
fixed serial.49718017
sd3: 715404MB, 512 bytes/sector, 1465149168 sectors

2. trying to put degraded RAID 1 online:

# fdisk sd3 | grep OpenBSD
*3: A6  0   1   2 -  91200 254  63 [  64:  1465144001 ] OpenBSD
# disklabel sd3 | grep RAID
  a:   1465144001   64RAID
  # bioctl -c 1 -l /dev/sd3a softraid0
  bioctl: not enough disks

man bioctl unfortunately states:

~~~
The RAID 0, RAID 1 and CONCAT disciplines require a minimum of
two devices to be provided via -l...
~~~

Should the kernel automatically create 'sd4' for the degraded RAID 1?
It does not, and bioctl requires "a minimum of two devices" for
RAID 1...

IMO if RAID 1 could be constructed with one disk via bioctl it would
be better also for people doing migration to RAID 1.

j.