Re: ikev2_resp_create_child_sa: no proposal chosen
Thanks for your responses.

> Try adding some non-modp2048 options. Maybe look at the SA installed
> from the initial negotiation (ipsecctl -vvsa) for ideas.

> I think this is the right answer. The log tells you what the other side sent:
>
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
>
> There isn't any DH group for PFS here, so drop the modp2048 or add it on the
> other side.

I tried countless different childsa lines, without success. modp2048 didn't show up because I deactivated PFS. I didn't know this was correlated. Now it shows up:

ikev2_log_proposal: ESP #1 DH=MODP_2048

I then removed SHA1 and AES-CBC-256 from the IKE-/Child-SA hash/cipher list on the VPN router. Having now only:

DH group: DH14 (MODP-2048)
PFS: Yes
IKE-/Child-SA: Cipher: AES-GCM-256, Hash: SHA-256

(Available settings are described here: https://www.lancom-systems.com/docs/LCOS/Refmanual/EN/#topics/lanconfig_vpn_ikev2-ipsec_encryption.html )

And this line in iked.conf:

childsa enc aes-256-gcm group modp2048 \

At first it looks OK. iked reports:

spi=0xf3e9aaf0b7009e4e: recv CREATE_CHILD_SA req 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 461 bytes, policy 'rathaus'
spi=0xf3e9aaf0b7009e4e: send CREATE_CHILD_SA res 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 497 bytes, NAT-T
spi=0xf3e9aaf0b7009e4e: ikev2_childsa_enable: loaded SPIs: 0x2f843f59, 0x18f271c6 (enc aes-256-gcm group modp2048)

But the VPN router has an IKE-I-General-failure 0x21ff. All of a sudden it's a problem that I only want to route specific networks?! IPsec is so exhausting.

For those who are interested, this is what the VPN router reports:

...
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,040
Peer O2 [responder]: Received an CREATE_CHILD_SA-RESPONSE of 497 bytes (encrypted)
Gateways: 88.14.XXX.YYY:4500<--84.17.XXX.ZZZ:4500
SPIs: 0xF3E9AAF0B7009E4E6A017F990A97DF8F, Message-ID 0
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Intersection:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
  Intersection:( 0, 0-65535, 192.168.0.0-192.168.0.255 )
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 192.168.11.55-192.168.11.55 )
  Intersection:( 0, 0-65535, 192.168.11.55-192.168.11.55 )
Best:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSr
  Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
  Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
  Intersection:( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Determining best intersection for TSr
  Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
  Received TS :( 0, 0-65535, 0.0.0.0-0.0.0.0)
  -No intersection
Best:( 0, 0-65535, 192.168.0.206-192.168.0.206 )
-Received Traffic selectors are super set of proposed traffic selectors -> abort
Proposed TSi: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
Proposed TSr: ( 0, 0-65535, 192.168.0.206-192.168.0.206 )
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
Hard lifetime event occurred for '' (initiator flags 0x4008) CHILD_SA ESP
No IKE_SA found for
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
VPN: policy manager error indication: O2 (84.17.XXX.ZZZ), cause: 8703
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,048
VPN: Error: IKE-I-General-failure (0x21ff) for O2 (84.17.XXX.ZZZ) IKEv2
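The abort in the router log above is the rule from RFC 7296 section 2.9 being enforced: a responder may only narrow the initiator's traffic selectors, it must never answer with a superset. The Python below is an added example, not part of this thread and not iked or LCOS code. It parses selectors in the router's `( proto, port-port, addr-addr )` notation, computes intersections the way the log prints them, and returns every received selector that is not a subset of some proposed one. The selector values are copied from the log above; the class and function names are mine.

```python
"""Check IKEv2 traffic-selector narrowing the way the router log does (added example)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Matches the router's notation, e.g. "( 0, 0-65535, 192.168.0.0-192.168.0.255 )".
TS_RE = re.compile(
    r"\(\s*(?P<proto>\d+),\s*(?P<plo>\d+)-(?P<phi>\d+),\s*"
    r"(?P<alo>\d+\.\d+\.\d+\.\d+)-(?P<ahi>\d+\.\d+\.\d+\.\d+)\s*\)")


@dataclass(frozen=True)
class TS:
    """One TS_IPV4_ADDR_RANGE selector: protocol (0 = any), port range, address range."""
    proto: int
    plo: int
    phi: int
    alo: int
    ahi: int

    @classmethod
    def parse(cls, text):
        m = TS_RE.search(text)
        if not m:
            raise ValueError(f"not a traffic selector: {text!r}")
        return cls(int(m["proto"]), int(m["plo"]), int(m["phi"]),
                   int(IPv4Address(m["alo"])), int(IPv4Address(m["ahi"])))

    def __str__(self):
        return (f"({self.proto}, {self.plo}-{self.phi}, "
                f"{IPv4Address(self.alo)}-{IPv4Address(self.ahi)})")

    def intersect(self, other):
        """Common part of two selectors, or None (the log's '-No intersection')."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        proto = self.proto or other.proto          # 0 means "any protocol"
        plo, phi = max(self.plo, other.plo), min(self.phi, other.phi)
        alo, ahi = max(self.alo, other.alo), min(self.ahi, other.ahi)
        if plo > phi or alo > ahi:
            return None
        return TS(proto, plo, phi, alo, ahi)

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return self.intersect(other) == other


def narrowing_violations(proposed, received):
    """RFC 7296 2.9: the responder may only narrow what the initiator proposed.
    Return every received selector that is not a subset of some proposed one;
    an empty list means the router would have accepted the response."""
    return [r for r in received if not any(p.covers(r) for p in proposed)]


# Constructed from the traffic selectors in the router log above.
INITIATOR_TSI = [TS.parse("( 0, 0-65535, 0.0.0.0-255.255.255.255)")]
INITIATOR_TSR = [TS.parse("( 0, 0-65535, 192.168.0.206-192.168.0.206 )")]
RESPONDER_TSI = [TS.parse(s) for s in (
    "( 0, 0-65535, 0.0.0.0-255.255.255.255)",
    "( 0, 0-65535, 192.168.0.0-192.168.0.255 )",
    "( 0, 0-65535, 192.168.11.55-192.168.11.55 )")]
RESPONDER_TSR = [TS.parse(s) for s in (
    "( 0, 0-65535, 192.168.0.0-192.168.0.255 )",
    "( 0, 0-65535, 0.0.0.0-0.0.0.0)")]

if __name__ == "__main__":
    for name, prop, recv in (("TSi", INITIATOR_TSI, RESPONDER_TSI),
                             ("TSr", INITIATOR_TSR, RESPONDER_TSR)):
        bad = narrowing_violations(prop, recv)
        print(name, "ok" if not bad else "abort: " + ", ".join(map(str, bad)))
```

Run as-is it reports TSi as fine (a 0.0.0.0/0 proposal covers anything) and TSr as the problem: both 192.168.0.0/24 and the empty 0.0.0.0-0.0.0.0 selector fall outside the single host the router proposed, which is exactly the "super set ... -> abort" line in the log.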
Re: Learning pure OpenBSD
> I agree with Anderson, I don't see the need for this, especially in
> Canada. If we need OpenBSD VMs that we don't just fire up on our own machine,
> there are lots of options for OpenBSD VMs for free in Canada, and there
> are paid options where the funds come back to the OpenBSD Foundation (ex.
> OpenBSD Amsterdam).
>
> Sincerely,
> Katie

Yes, I live in Canada, and I have 3 VMs on my laptop; but the idea is to create a bunch of servers (bare-metal hosts administered by teams) to build a system that permits learning, for free and using 1 VM, how to use OpenBSD appropriately. The benefit that I see is that in this case OpenBSD is going to be used as an OpenBSD operating system! Not as if it were Linux, which is not really bad! Please look at their work:

https://wiki.ircnow.org/index.php?n=Minutemin.Bootcamp

> From: owner-m...@openbsd.org on behalf of Anders Andersson
> Sent: Friday, February 24, 2023 5:35:36 AM
> To: misc@openbsd.org
> Cc: latin...@vcn.bc.ca
> Subject: Re: Learning pure OpenBSD
>
> Attention : courriel externe | external email
>
> On Thu, Feb 23, 2023 at 11:38 PM wrote:
>
>> Hello Misc
>>
>> I have used OpenBSD, Slackware and Debian for almost 23 years, just as a
>> user! But I think that Linux is a Linux kernel with many apps, and OpenBSD
>> is a complete OS, so the administration in Linux could be trial and
>> error, but in OpenBSD it must be based on knowing what you are doing! It
>> means one has to learn properly!
>>
>> I am curious about this Learning Pure OpenBSD project at ircnow.org!
>>
>> The basic idea is to pay for a qualified server to host a certain number of
>> VMs for the exclusive purpose of learning pure OpenBSD.
>
> I don't understand the purpose of this, it is trivial for anyone today to
> fire up a VM on their own computer and test different aspects of any
> operating system. Why would anyone need external paid hosting?
Re: Learning pure OpenBSD
> On Thu, Feb 23, 2023 at 11:38 PM wrote:
>
>> Hello Misc
>>
>> I have used OpenBSD, Slackware and Debian for almost 23 years, just as a
>> user! But I think that Linux is a Linux kernel with many apps, and OpenBSD
>> is a complete OS, so the administration in Linux could be trial and
>> error, but in OpenBSD it must be based on knowing what you are doing! It
>> means one has to learn properly!
>>
>> I am curious about this Learning Pure OpenBSD project at ircnow.org!
>>
>> The basic idea is to pay for a qualified server to host a certain number of
>> VMs for the exclusive purpose of learning pure OpenBSD.
>
> I don't understand the purpose of this, it is trivial for anyone today to
> fire up a VM on their own computer and test different aspects of any
> operating system. Why would anyone need external paid hosting?

The purpose is freedom, independence! And OpenBSD could be the appropriate OS. Please look at users offering services to users:

https://oddprotocol.org/
https://bsdforall.org/
Re: Learning pure OpenBSD
If you don't have the hardware to spare and want to play with various OBSD incarnations, try a cheap cloud service like https://www.vultr.com/

Dhu

On Fri, 24 Feb 2023 16:10:28 + Katherine Mcmillan wrote:

> I agree with Anderson, I don't see the need for this, especially in Canada.
> If we need OpenBSD VMs that we don't just fire up on our own machine, there are
> lots of options for OpenBSD VMs for free in Canada, and there are paid
> options where the funds come back to the OpenBSD Foundation (ex. OpenBSD
> Amsterdam).
>
> Sincerely,
> Katie
>
> From: owner-m...@openbsd.org on behalf of Anders Andersson
> Sent: Friday, February 24, 2023 5:35:36 AM
> To: misc@openbsd.org
> Cc: latin...@vcn.bc.ca
> Subject: Re: Learning pure OpenBSD
>
> Attention : courriel externe | external email
>
> On Thu, Feb 23, 2023 at 11:38 PM wrote:
>
> > Hello Misc
> >
> > I have used OpenBSD, Slackware and Debian for almost 23 years, just as a
> > user! But I think that Linux is a Linux kernel with many apps, and OpenBSD
> > is a complete OS, so the administration in Linux could be trial and
> > error, but in OpenBSD it must be based on knowing what you are doing! It
> > means one has to learn properly!
> >
> > I am curious about this Learning Pure OpenBSD project at ircnow.org!
> >
> > The basic idea is to pay for a qualified server to host a certain number of
> > VMs for the exclusive purpose of learning pure OpenBSD.
>
> I don't understand the purpose of this, it is trivial for anyone today to
> fire up a VM on their own computer and test different aspects of any
> operating system. Why would anyone need external paid hosting?

--
I am Canadian. It is neither French nor English.
It's a kind of savage: ne obliviscaris, vix ea nostra voco ;-)

Duncan Patton a Campbell
Re: Learning pure OpenBSD
I agree with Anderson, I don't see the need for this, especially in Canada. If we need OpenBSD VMs that we don't just fire up on our own machine, there are lots of options for OpenBSD VMs for free in Canada, and there are paid options where the funds come back to the OpenBSD Foundation (ex. OpenBSD Amsterdam).

Sincerely,
Katie

From: owner-m...@openbsd.org on behalf of Anders Andersson
Sent: Friday, February 24, 2023 5:35:36 AM
To: misc@openbsd.org
Cc: latin...@vcn.bc.ca
Subject: Re: Learning pure OpenBSD

Attention : courriel externe | external email

On Thu, Feb 23, 2023 at 11:38 PM wrote:
> Hello Misc
>
> I have used OpenBSD, Slackware and Debian for almost 23 years, just as a
> user! But I think that Linux is a Linux kernel with many apps, and OpenBSD
> is a complete OS, so the administration in Linux could be trial and
> error, but in OpenBSD it must be based on knowing what you are doing! It
> means one has to learn properly!
>
> I am curious about this Learning Pure OpenBSD project at ircnow.org!
>
> The basic idea is to pay for a qualified server to host a certain number of
> VMs for the exclusive purpose of learning pure OpenBSD.

I don't understand the purpose of this, it is trivial for anyone today to fire up a VM on their own computer and test different aspects of any operating system. Why would anyone need external paid hosting?
Re: ikev2_resp_create_child_sa: no proposal chosen
On 2023/02/24 12:49, Tobias Heider wrote:
> On Fri, Feb 24, 2023 at 09:24:29AM -, Stuart Henderson wrote:
> > On 2023-02-23, Thomas Bohl wrote:
> > > I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> > > 1781EW+) using iked. It works, except every time the Child SA
> > > negotiation starts, iked answers NO_PROPOSAL_CHOSEN to the router, which
> > > leads to closed connections and a new IKE SA negotiation.
> > > I don't understand this because the proposal looks supported to me.
> >
> > Child SA failing after the initial tunnel comes up usually relates to a
> > mismatch with PFS (DH groups).
>
> Right, it is a huge fail in the protocol design that those incompatibilities
> aren't detected until the first refresh, which can happen hours after it
> seemingly worked just fine.
>
> The only solution I could think of to make it more obvious would be
> forcing a rekey handshake right after the initial one, but that would
> increase the network load and might have other downsides.

I think I have seen some vendor with a "renegotiate child SA at connect"
option but I forget who..

> > > I got desperate and tried adding this to iked.conf, which didn't help:
> > >
> > > childsa group modp2048 \
> > > childsa group modp2048 noesn \
> > > childsa enc aes-256-gcm group modp2048 \
> > > childsa enc aes-256-gcm group modp2048 noesn \
> > > childsa enc aes-256 group modp2048 \
> > > childsa enc aes-256 group modp2048 noesn \
> > > childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 \
> > > childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 noesn \
> > > childsa enc aes-256 group modp2048 prf hmac-sha2-256 \
> > > childsa enc aes-256 group modp2048 prf hmac-sha2-256 noesn \
> > > childsa enc aes-256 group modp2048 prf hmac-sha1 \
> > > childsa enc aes-256 group modp2048 prf hmac-sha1 noesn \
> > >
> > > Any ideas?
> >
> > Try adding some non-modp2048 options. Maybe look at the SA installed
> > from the initial negotiation (ipsecctl -vvsa) for ideas.
>
> I think this is the right answer. The log tells you what the other side sent:
>
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
>
> There isn't any DH group for PFS here, so drop the modp2048 or add it on the
> other side.
>
> > --
> > Please keep replies on the mailing list.
Re: ikev2_resp_create_child_sa: no proposal chosen
On Fri, Feb 24, 2023 at 09:24:29AM -, Stuart Henderson wrote:
> On 2023-02-23, Thomas Bohl wrote:
> > I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> > 1781EW+) using iked. It works, except every time the Child SA
> > negotiation starts, iked answers NO_PROPOSAL_CHOSEN to the router, which
> > leads to closed connections and a new IKE SA negotiation.
> > I don't understand this because the proposal looks supported to me.
>
> Child SA failing after the initial tunnel comes up usually relates to a
> mismatch with PFS (DH groups).

Right, it is a huge fail in the protocol design that those incompatibilities
aren't detected until the first refresh, which can happen hours after it
seemingly worked just fine.

The only solution I could think of to make it more obvious would be
forcing a rekey handshake right after the initial one, but that would
increase the network load and might have other downsides.

> > I got desperate and tried adding this to iked.conf, which didn't help:
> >
> > childsa group modp2048 \
> > childsa group modp2048 noesn \
> > childsa enc aes-256-gcm group modp2048 \
> > childsa enc aes-256-gcm group modp2048 noesn \
> > childsa enc aes-256 group modp2048 \
> > childsa enc aes-256 group modp2048 noesn \
> > childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 \
> > childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 noesn \
> > childsa enc aes-256 group modp2048 prf hmac-sha2-256 \
> > childsa enc aes-256 group modp2048 prf hmac-sha2-256 noesn \
> > childsa enc aes-256 group modp2048 prf hmac-sha1 \
> > childsa enc aes-256 group modp2048 prf hmac-sha1 noesn \
> >
> > Any ideas?
>
> Try adding some non-modp2048 options. Maybe look at the SA installed
> from the initial negotiation (ipsecctl -vvsa) for ideas.

I think this is the right answer. The log tells you what the other side sent:

spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE

There isn't any DH group for PFS here, so drop the modp2048 or add it on the
other side.

> --
> Please keep replies on the mailing list.
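Tobias' reading of the log can be turned into an offline check, which is handy precisely because the mismatch only surfaces at the first rekey. The Python below is an added example, not iked code and not posted in this thread. It groups `ikev2_log_proposal` lines into proposals and matches them against one explicit `childsa` line using the RFC 7296 section 3.3 rule that every transform type either side includes must have at least one common value, so a DH group present on one side only, or an AEAD cipher facing a CBC+HMAC offer, fails the match. Assumptions: the keyword-to-transform-name table is mine (the CBC, HMAC and MODP names appear verbatim in the thread, the GCM and ECP names are how I expect iked to label those transforms); iked's built-in default algorithm lists are not modelled, so `enc` (and `auth` for a non-AEAD cipher) must be spelled out; and "offer both ESN and non-ESN unless `esn`/`noesn` is given" is my reading of the iked default.

```python
"""Reproduce responder-side CREATE_CHILD_SA proposal matching offline (added example)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"ikev2_log_proposal: (?P<proto>\w+) #(?P<num>\d+) (?P<type>\w+)=(?P<value>\S+)")

# iked.conf keyword -> transform name as iked prints it in ikev2_log_proposal.
# CBC/HMAC/MODP names are taken from the thread; GCM/ECP labels are assumed.
ENC = {
    "aes-128": "AES_CBC-128", "aes-192": "AES_CBC-192", "aes-256": "AES_CBC-256",
    "aes-128-gcm": "AES_GCM_16-128", "aes-256-gcm": "AES_GCM_16-256",
}
AEAD = {"aes-128-gcm", "aes-256-gcm"}
AEAD_NAMES = {ENC[k] for k in AEAD}
AUTH = {
    "hmac-sha1": "HMAC_SHA1_96", "hmac-sha2-256": "HMAC_SHA2_256_128",
    "hmac-sha2-384": "HMAC_SHA2_384_192", "hmac-sha2-512": "HMAC_SHA2_512_256",
}
GROUP = {
    "modp1024": "MODP_1024", "modp2048": "MODP_2048", "modp3072": "MODP_3072",
    "ecp256": "ECP_256", "ecp384": "ECP_384",
}


def parse_peer_proposals(log_lines):
    """Group ikev2_log_proposal lines into {(proto, n): {transform type: {values}}}."""
    props = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            props[(m["proto"], int(m["num"]))][m["type"]].add(m["value"])
    return {k: dict(v) for k, v in props.items()}


def parse_childsa(line):
    """Turn one iked.conf 'childsa ...' line into {transform type: {values}}.

    Only explicit keywords are modelled; iked's default algorithm lists are not,
    so 'enc' (and 'auth' for a non-AEAD cipher) has to be present.
    """
    tokens = line.rstrip("\\").split()
    if not tokens or tokens[0] != "childsa":
        raise ValueError("expected a childsa line")
    local = defaultdict(set)
    esn = None
    it = iter(tokens[1:])
    for tok in it:
        if tok == "enc":
            local["ENCR"].add(ENC[next(it)])
        elif tok == "auth":
            local["INTEGR"].add(AUTH[next(it)])
        elif tok == "group":
            local["DH"].add(GROUP[next(it)])
        elif tok in ("esn", "noesn"):
            esn = tok
        else:
            raise ValueError(f"unsupported keyword {tok!r}")
    if "ENCR" not in local:
        raise ValueError("explicit 'enc' required (iked defaults are not modelled)")
    if local["ENCR"] - AEAD_NAMES and "INTEGR" not in local:
        raise ValueError("a non-AEAD cipher needs an explicit 'auth'")
    # Assumed default: without esn/noesn both variants are offered.
    local["ESN"] = {"ESN"} if esn == "esn" else {"NONE"} if esn == "noesn" else {"NONE", "ESN"}
    return dict(local)


def match_proposal(local, peer):
    """Return the reasons a peer proposal is rejected; an empty list means it is chosen.
    RFC 7296 3.3: every transform type present on either side must be present on
    both and share at least one value. A DH group on one side only fails here."""
    reasons = []
    for ttype in sorted(set(local) | set(peer)):
        lv, pv = local.get(ttype, set()), peer.get(ttype, set())
        if pv and not lv:
            reasons.append(f"peer offers {ttype}={sorted(pv)} but local policy has no {ttype}")
        elif lv and not pv:
            reasons.append(f"local policy requires {ttype}={sorted(lv)} but peer sent no {ttype}")
        elif not lv & pv:
            reasons.append(f"{ttype}: local {sorted(lv)} vs peer {sorted(pv)} share nothing")
    return reasons


def explain(childsa_line, log_lines):
    """{(proto, n): reasons} for every peer proposal against one childsa line."""
    local = parse_childsa(childsa_line)
    return {k: match_proposal(local, p) for k, p in parse_peer_proposals(log_lines).items()}


# Constructed copy of the four log lines quoted above (router had PFS off) ...
PEER_NO_PFS = """\
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
""".splitlines()
# ... and the same offer once PFS was switched on, adding a DH transform.
PEER_PFS = PEER_NO_PFS + ["spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 DH=MODP_2048"]

if __name__ == "__main__":
    for cfg, log in (("childsa enc aes-256 auth hmac-sha2-256 group modp2048", PEER_NO_PFS),
                     ("childsa enc aes-256 auth hmac-sha2-256", PEER_NO_PFS),
                     ("childsa enc aes-256-gcm group modp2048", PEER_PFS)):
        for key, reasons in explain(cfg, log).items():
            print(f"{cfg!r} vs {key[0]} #{key[1]}:", reasons or "CHOSEN")
```

The first case is the thread's original failure (local DH, peer none), the second is the fix Tobias suggested, and the third shows why switching the router to AES-GCM while the log still shows CBC+HMAC cannot succeed either: ENCR has nothing in common and the peer's INTEGR transforms have no local counterpart.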
Re: Learning pure OpenBSD
On Thu, Feb 23, 2023 at 11:38 PM wrote:
> Hello Misc
>
> I have used OpenBSD, Slackware and Debian for almost 23 years, just as a
> user! But I think that Linux is a Linux kernel with many apps, and OpenBSD
> is a complete OS, so the administration in Linux could be trial and
> error, but in OpenBSD it must be based on knowing what you are doing! It
> means one has to learn properly!
>
> I am curious about this Learning Pure OpenBSD project at ircnow.org!
>
> The basic idea is to pay for a qualified server to host a certain number of
> VMs for the exclusive purpose of learning pure OpenBSD.

I don't understand the purpose of this, it is trivial for anyone today to fire up a VM on their own computer and test different aspects of any operating system. Why would anyone need external paid hosting?
Re: ikev2_resp_create_child_sa: no proposal chosen
On 2023-02-23, Thomas Bohl wrote:
> I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> 1781EW+) using iked. It works, except every time the Child SA
> negotiation starts, iked answers NO_PROPOSAL_CHOSEN to the router, which
> leads to closed connections and a new IKE SA negotiation.
> I don't understand this because the proposal looks supported to me.

Child SA failing after the initial tunnel comes up usually relates to a
mismatch with PFS (DH groups).

> I got desperate and tried adding this to iked.conf, which didn't help:
>
> childsa group modp2048 \
> childsa group modp2048 noesn \
> childsa enc aes-256-gcm group modp2048 \
> childsa enc aes-256-gcm group modp2048 noesn \
> childsa enc aes-256 group modp2048 \
> childsa enc aes-256 group modp2048 noesn \
> childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 \
> childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 noesn \
> childsa enc aes-256 group modp2048 prf hmac-sha2-256 \
> childsa enc aes-256 group modp2048 prf hmac-sha2-256 noesn \
> childsa enc aes-256 group modp2048 prf hmac-sha1 \
> childsa enc aes-256 group modp2048 prf hmac-sha1 noesn \
>
> Any ideas?

Try adding some non-modp2048 options. Maybe look at the SA installed
from the initial negotiation (ipsecctl -vvsa) for ideas.

--
Please keep replies on the mailing list.
Re: Disabling .core file generation
On 2023-02-24, Daniele Bonini wrote:
> And I set login.conf adding the following:
>
> default:\
> ..
> :coredumpsize-max=1M:\
> :coredumpsize-cur=1M:

That is in blocks, not bytes.

--
Please keep replies on the mailing list.
Re: Disabling .core file generation
On Fri, Feb 24, 2023 at 08:49:59AM +0100, David Demelier wrote:
> On Fri, 2023-02-24 at 05:38 +0100, Daniele Bonini wrote:
> > Crystal Kolipe wrote:
> > >
> > > On Mon, Feb 20, 2023 at 05:15:30PM +0100, Daniele Bonini wrote:
> > > > > Is it still possible to disable file .core generation at all?
> > > > > >
> > > > > > Yes, it is.
> > > > >
> > > > > ok, thx
> > > > >
> > > > > NB: see /etc/rc.conf.local
> > >
> > > And also /etc/login.conf
> >
> > I did set rc.local.conf with the following:
> >
> > savecore_flags=-c /dev/null
>
> This is about kernel panic core dumps, not userland core dumps
>
> > And I set login.conf adding the following:
> >
> > default:\
> > ..
> > :coredumpsize-max=1M:\
> > :coredumpsize-cur=1M:

You can just set:

:coredumpsize=0:\

to completely disable all core dump generation.

> > but nothing changed after a reboot, I'm always in good company
> > of my 1 giga WebKitProcess.core..
>
> Did you call cap_mkdb /etc/login.conf?

For users who are not familiar with cap_mkdb and using hashed versions of capability database files, this advice without further explanation is going to cause further confusion when they find that changes to the ASCII version of the file in question suddenly 'no longer work'.

You should only run cap_mkdb against a file if you're already using a database version of that file, or intend to do so from now on, in which case you'll need to run cap_mkdb after each change.

For most users of small personal systems, there is no benefit to doing so and they would be better off using the ASCII file directly. But then at some point they follow a random guide to something on a webpage somewhere which tells them to run cap_mkdb, and find that they mysteriously have to run it every time they edit the corresponding file afterwards.

So in this case, it would have been better to ask if he has an existing /etc/login.conf.db file that needed to be updated.

> You also need to login again.

Presumably he has, because he said, "after a reboot".
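Two things in this thread are easy to get wrong when editing login.conf by hand: whether a bare `coredumpsize=0` actually wins when `-cur`/`-max` variants are still present (directly or via a `tc=` parent), and whether a stale `/etc/login.conf.db` is shadowing the text file, since getcap(3) reads the `.db` in preference to the ASCII file when it exists. The Python below is an added example, not from this thread and not OpenBSD code: a parser for the login.conf(5) capability format with `\`-continued records and `tc=` inclusion, a resolver that applies the precedence I read in login_cap(3)'s rlimit handling (the bare capability is the default, `-cur`/`-max` override it), and a mtime check for the `.db`. The sample stanza is constructed for illustration and the mtime logic is a heuristic, not a byte-level comparison.

```python
"""Parse login.conf and check whether a login.conf.db would shadow it (added example)."""


def parse_login_conf(text):
    """Return {class: {capability: value}} from login.conf(5) text.

    Handles backslash-continued records, comments, boolean capabilities
    (value True) and 'tc=' inclusion such as 'staff:...:tc=default:'.
    """
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        records.append(buf + line)
        buf = ""
    if buf:
        records.append(buf)

    classes = {}
    for rec in records:
        fields = [f for f in rec.split(":") if f]
        names = fields[0].split("|")          # 'default' or 'name|alias'
        caps = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            caps[key] = value if sep else True
        for name in names:
            classes[name] = caps
    return classes


def resolve(classes, name, cap, _seen=()):
    """Look up `cap` for class `name`, following 'tc=' the way getcap(3) does."""
    caps = classes[name]
    if cap in caps:
        return caps[cap]
    parent = caps.get("tc")
    if parent and parent not in _seen:
        return resolve(classes, parent, cap, _seen + (name,))
    return None


def coredump_limits(classes, name):
    """Effective soft/hard coredumpsize strings (units as written, not converted):
    the bare capability is the default and '-cur'/'-max' override it, which is
    how I read login_cap(3)'s resource-limit handling."""
    base = resolve(classes, name, "coredumpsize")
    return {"cur": resolve(classes, name, "coredumpsize-cur") or base,
            "max": resolve(classes, name, "coredumpsize-max") or base}


def db_shadows_text(conf_mtime, db_mtime):
    """getcap(3) prefers login.conf.db when it exists, so text edits are ignored
    until cap_mkdb is rerun. Returns (db_in_use, db_older_than_text)."""
    if db_mtime is None:
        return False, False
    return True, db_mtime < conf_mtime


# Constructed excerpt in the style of /etc/login.conf, not a real system's file.
SAMPLE = r"""
default:\
    :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin:\
    :umask=022:\
    :coredumpsize-max=1M:\
    :coredumpsize-cur=1M:

# bare coredumpsize=0 while the parent's -cur/-max entries stay in force
nocore:\
    :coredumpsize=0:\
    :tc=default:

# the variants themselves have to be set (or removed from the parent)
strict:\
    :coredumpsize-cur=0:\
    :coredumpsize-max=0:\
    :tc=default:
"""

if __name__ == "__main__":
    import os
    classes = parse_login_conf(SAMPLE)
    for cls in ("default", "nocore", "strict"):
        print(cls, coredump_limits(classes, cls))
    conf, db = "/etc/login.conf", "/etc/login.conf.db"
    db_mtime = os.stat(db).st_mtime if os.path.exists(db) else None
    print("login.conf.db in use / stale:", db_shadows_text(os.stat(conf).st_mtime, db_mtime))
```

Run on the sample, `nocore` still resolves to `1M`/`1M` because the inherited `-cur`/`-max` entries take precedence over the bare `coredumpsize=0`; `strict` gets `0`/`0`. Crystal's one-liner therefore works when the `-cur`/`-max` lines are removed at the same time, or when neither the class nor its `tc=` parent carries them. The `__main__` part stats the real files only for the staleness report; everything else runs offline.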