Re: mbuf leak with rl

2006-09-14 Thread Abel Talaverón Estevez
On Thursday, 14 September 2006 17:38, you wrote:
 Is anyone using a Realtek 8139 card with OpenBSD 3.9?  I noticed that mbufs
 will slowly leak when using it.  I noticed this after switching to 3.9.  I
 don't know if something happened to the card or not... maybe there is a
 hardware error now that is making it behave funky.

 If you're using a rl* can you take a look at your mbuf usage (netstat
 -m)? Me and another person both see something similar.

 Thanks,
 Chris


 dmesg:
 rl0 at pci0 dev 8 function 0 Realtek 8139 rev 0x10: irq 11, address
 00:48:54:65:39:5a
 rlphy0 at rl0 phy 0: RTL internal PHY

Look, I have a Realtek NIC in OpenBSD 3.7 and OpenBSD 3.9:

OpenBSD 3.9:

# dmesg | grep rl
rl0 at pci0 dev 13 function 0 D-Link Systems 530TX+ rev 0x10: irq 11, 
address 00:0d:88:1a:8e:3a
rlphy0 at rl0 phy 0: RTL internal PHY
rlphy1 at vr0 phy 1: RTL8201L 10/100 PHY, rev. 1
# netstat -m
4 mbufs in use:
1 mbuf allocated to packet headers
3 mbufs allocated to socket names and addresses
0/10/6144 mbuf clusters in use (current/peak/max)
28 Kbytes allocated to network (3% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
#


OpenBSD 3.7:

# netstat -m
12 mbufs in use:
1 mbuf allocated to packet headers
11 mbufs allocated to socket names and addresses
0/64/6144 mbuf clusters in use (current/peak/max)
168 Kbytes allocated to network (1% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
# dmesg | grep rl
rl0 at pci0 dev 8 function 0 Realtek 8139 rev 0x10: irq 12 address 
00:03:2d:04:60:40
rlphy0 at rl0 phy 0: RTL internal phy
rl1 at pci0 dev 9 function 0 Realtek 8139 rev 0x10: irq 10 address 
00:03:2d:04:60:3f
rlphy1 at rl1 phy 0: RTL internal phy
rl2 at pci0 dev 10 function 0 Realtek 8139 rev 0x10: irq 11 address 
00:03:2d:04:60:3e
rlphy2 at rl2 phy 0: RTL internal phy
rl3 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: irq 15 address 
00:03:2d:04:60:3d
rlphy3 at rl3 phy 0: RTL internal phy

What do you think?

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com



Know CPU usage

2006-08-28 Thread Abel Talaverón Estevez
Hi all,

I'd like to know if there's a way to know the CPU usage. I can see it with 
'top' but I need to script it and 'top -n' doesn't show this info.

Does anybody know any other command?

I've tried to download and run 'cpud' and 'cpuctl' but they don't show the 
%CPU.

Thanks a lot
-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com



Re: Know CPU usage

2006-08-28 Thread Abel Talaverón Estevez
On Monday, 28 August 2006 12:23, you wrote:
 On Aug 28, 2006, at 5:45 AM, Abel Talaverón Estevez wrote:
  Hi all,
 
  I'd like to know if there's a way to know the CPU usage. I can see
  it with
  'top' but I need to script it and 'top -n' doesn't show this info.
 
  Does anybody know any other command?
 
  I've tried to download and run 'cpud' and 'cpuctl' but they don't
  show the
  %CPU.

 man 8 vmstat


Thanks a lot! 'vmstat' is perfect!

 --
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com
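The vmstat(8) approach from the reply above, worked into something a script can call. This is an added example, not code from the thread: the vmstat text is a constructed sample in the OpenBSD layout, and the live invocation assumes vmstat(8) with the -w (interval) and -c (count) flags.

```shell
#!/bin/sh
# Added example (not from the thread): reduce vmstat(8) output to one
# CPU-busy percentage so it can be used from a script, which is what the
# original question asked for.  SAMPLE_VMSTAT is a constructed sample in
# the OpenBSD vmstat layout; only the trailing "us sy id" columns are
# relied on, so the number of disk columns does not matter.

# cpu_busy_from_vmstat: read vmstat text on stdin, print the user+system
# percentage of the LAST numeric row.  vmstat's first data row is the
# average since boot, so a live caller must sample at least twice and only
# the final row is kept here.  Header rows (first field not a number) are
# skipped; no data row at all is an error.
cpu_busy_from_vmstat() {
    awk '
        $1 ~ /^[0-9]+$/ { us = $(NF-2); sy = $(NF-1); seen = 1 }
        END {
            if (!seen) { print "no vmstat data row" > "/dev/stderr"; exit 1 }
            print us + sy
        }'
}

# Constructed sample: boot-average row (3% busy) then a one-second sample.
SAMPLE_VMSTAT=' procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr wd0 cd0  int   sys   cs us sy id
 1 0 0  19832   94196   37   0   0   0   0   0   2   0  231   104   38  2  1 97
 0 0 0  19832   94196  112   0   0   0   0   0   0   0  298   812   61 12  7 81'

# sample_busy: busy percentage of the constructed sample (12 + 7 = 19).
sample_busy() {
    printf '%s\n' "$SAMPLE_VMSTAT" | cpu_busy_from_vmstat
}

# live_busy: the same on a running OpenBSD host.  Assumes vmstat(8) with
# -w (seconds between samples) and -c (number of samples).
live_busy() {
    vmstat -w 1 -c 2 | cpu_busy_from_vmstat
}

if [ "${1-}" = "--live" ]; then
    live_busy
else
    sample_busy
fi
```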



binat + table

2006-05-18 Thread Abel Talaverón Estevez
Hi all,

I'd like to use binat rules with tables. For example:

table <IPExterna> persist file "/var/securityhome/securityfiles/objects/user/IPExterna"

table <enrutador1> persist file "/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from <enrutador1> to any -> <IPExterna>

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work, but this does:

binat on $DMZ_if from 192.168.0.10 to any -> 10.0.0.10

Why?

Thanks
-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com



Re: binat + table

2006-05-18 Thread Abel Talaverón Estevez
Hi all,

I'd like to use binat rules with tables. For example:

table <IPExterna> persist file "/var/securityhome/securityfiles/objects/user/IPExterna"

table <enrutador1> persist file "/var/securityhome/securityfiles/objects/user/enrutador1"

binat on $DMZ_if from <enrutador1> to any -> <IPExterna>

where:

#cat /var/securityhome/securityfiles/objects/user/IPExterna
#10.0.0.10
#cat /var/securityhome/securityfiles/objects/user/enrutador1
#192.168.0.10

It doesn't work, but this does:

binat on $DMZ_if from 192.168.0.10 to any -> 10.0.0.10

Why?

I've read man pf.conf and it says:

 Tables can be used as the source or destination of filter rules, scrub
 rules or translation rules such as nat or rdr (see below for details on
 the various rule types).  Tables can also be used for the redirect
 address of nat and rdr rules and in the routing options of filter rules,
 but only for round-robin pools.

But... why can't tables be used with binat?

Thanks
--
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

http://www.openwired.com
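Since binat takes a single address or network on each side and no table, one way to keep the one-address-per-line object files from the post is to expand them into individual binat rules before pf.conf is loaded. This is an added example, not code from the thread or from pf; pairing line N of enrutador1 with line N of IPExterna, and recreating the two object files in a temporary directory for the demo, are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from pf: binat accepts a single
# address or network on each side and no <table>, so the object files from
# the post are expanded here into one binat rule per line pair.  Pairing
# line N of the source file with line N of the external file is this
# example's assumption; the file layout is the one shown in the post.

# gen_binat_rules IFACE SRC_FILE EXT_FILE
# Prints one "binat on IFACE from A to any -> B" rule per line pair.
# Blank and "#" lines are skipped.  A count mismatch or a malformed
# address is an error: binat is a 1:1 mapping, and a leftover or
# mis-paired address would otherwise be translated wrongly in silence.
gen_binat_rules() {
    awk -v iface="$1" '
        # drop blank lines and comments in either file
        NF == 0 || $1 ~ /^#/ { next }
        # accept only a dotted quad, optionally with a /prefix
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            printf "%s:%d: bad address %s\n", FILENAME, FNR, $1 > "/dev/stderr"
            bad = 1; exit 1
        }
        FILENAME == ARGV[1] { src[++ns] = $1; next }
        { ext[++ne] = $1 }
        END {
            if (bad) exit 1
            if (ns == 0 || ns != ne) {
                printf "need equal, non-empty lists: %d source, %d external\n",
                       ns, ne > "/dev/stderr"
                exit 1
            }
            for (i = 1; i <= ns; i++)
                printf "binat on %s from %s to any -> %s\n", iface, src[i], ext[i]
        }' "$2" "$3"
}

# demo: the two object files from the post, recreated in a temp dir.
# The macro name $DMZ_if is emitted literally so the output can be
# included in a pf.conf that defines it.
demo() {
    dir=$(mktemp -d) || return 1
    printf '# external address of enrutador1\n10.0.0.10\n' > "$dir/IPExterna"
    printf '192.168.0.10\n' > "$dir/enrutador1"
    gen_binat_rules '$DMZ_if' "$dir/enrutador1" "$dir/IPExterna"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ $# -eq 3 ]; then
    gen_binat_rules "$@"
elif [ "${1-}" = "--demo" ]; then
    demo
fi
```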



Cavium crypto card

2006-03-27 Thread Abel Talaverón Estevez
Hi all,

Does anybody have a 'High performance IPSec and SSL accelerator PCI card with Cavium
CN1010' running on OpenBSD?

I am looking for a crypto card and it could be an option, but it isn't in the
supported hardware list at http://www.openbsd.org/i386.html#hardware

Thanks!
-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Problems with unsupported hardware

2006-01-13 Thread Abel Talaverón Estevez
Hi all,

I'd like to know if someone knows about a non-standard driver for the Ethernet
cards: Marvell Yukon 8053.

I'm running OpenBSD 3.7 and my dmesg shows:

skc0 at pci1 dev 0 function 0 Marvell Yukon 8053 rev 0x19: irq 12
skc0: bad VPD resource id: expected 82 got 0
skc0: unknown media type: 0x31
skc1: ... (similar lines) 

Many thanks!

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Re: pf anchor problem (not working as expected)

2005-12-22 Thread Abel Talaverón Estevez
On Thursday, 22 December 2005 13:37, you wrote:
 Hi,

 I would like to load/unload an emule anchor when needed.
 Unfortunately it does not work as expected as port tcp 4662 traffic coming
 back to my router is still blocked.
 Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0:
 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0:
 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0:
 80.239.200.108.34965 > 158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0:
 212.112.238.82.13114 > 158.64.125.147.4662: [|tcp] (DF)

 May be I misunderstood the anchors manual, but I honestly don't know what
 is wrong. I would really appreciate if you can help me on this issue.

 Why is the traffic still blocked via this rule block log (all) all,
 shouldn't it pass through as the anchor rules allow the traffic?

 Here is my pf.conf:
 # VARIABLES SECTION #
 int_if=sis0
 ext_if=pppoe0
 localnet=172.16.43.0/24
 outftp=53000:53450

 icmp_types=echoreq
 icmp_types = echoreq

 # TABLES SECTION #
 table <friends> {x,y}
 table <hostile> persist

 # OPTIONS SECTION #
 set block-policy drop
 set loginterface $ext_if

 # SCRUBBING SECTION #
 scrub in on $ext_if all
 scrub out on $ext_if max-mss 1440

 # NAT SECTION #
 nat on $ext_if from $localnet to any -> ($ext_if) static-port

 # REDIRECTION #
 rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
 -> 127.0.0.1 port ftp-proxy
 rdr on $int_if proto tcp from $localnet to $int_if port ssh \
 -> $int_if port 8022

 rdr-anchor "authpf/*"
 rdr-anchor emule


This rdr-anchor is ok

 #pass quick all
 block quick from <hostile>
 block quick inet6 all

but here you are blocking the eMule traffic.
You should put this here:
anchor emule
anchor "authpf/*"

and not below.

 block log (all) all

 #loopback and internal interface are ok
 pass quick on lo0 all
 pass quick on $int_if all

  EXTERNAL INTERFACE 
 pass out on $ext_if inet proto tcp from ($ext_if) to any \
 flags S/SA modulate state
 pass out on $ext_if inet proto udp from ($ext_if) to any \
 keep state
 pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
 port > 1023 user proxy modulate state label ftpproxy
 pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
 anchor emule
 anchor "authpf/*"

 END OF PF RULE

 Here is my emule anchor (/etc/emule.pf):
 ext_if = pppoe0
 MuleIP= 172.16.43.10
 localnet= 172.16.43.0/24
 InMuleTCP = { 4661, 4662 }
 InMuleUDP = { 4665, 4672 }

 rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP port 4661:*
 rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP port 4665
 rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP port 4672

 pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $InMuleTCP \
 flags S/SA keep state label eMuleTCP
 pass in quick on $ext_if inet proto udp from any to ($ext_if) port $InMuleUDP \
 keep state label eMuleUDP

 END OF EMULE ANCHOR

 The anchor is loaded when I need it via:
 pfctl -v -a emule -f /etc/emule.pf
 and unloaded
 pfctl -v -a emule -Fa -sn
 pfctl -v -a emule -Fa -sr

 THX A LOT FOR HELPING

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



PPTP + PPPoE ?

2005-12-05 Thread Abel Talaverón Estevez
Hi all,

I'm running OpenBSD 3.7. I use my OpenBSD machine as a firewall, including a
PPTP server, and it runs OK. But...

I want to connect to my ISP with PPPoE and configure my router as a bridge, and
I've achieved it!! But now my PPTP server is not running; I cannot connect
from a Windows client as before. Does anybody know why? Can I use ppp.conf
with two different applications? Or is the problem with the tun devices?

Thanks a lot.


My ppp.conf:

pptp:
 #set ifaddr 172.16.1.100 172.16.1.10-172.16.1.20
 enable proxy
 set timeout 0
 enable MSChapV2
 disable ipv6cp
 disable ipv6

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cua01
 set speed 115200
# set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"


CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31
 accept dns

pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname [EMAIL PROTECTED]
 set authkey adslppp
 add default HISADDR
 enable dns
 enable mssfixup


-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Re: OpenBSD's 10th birthday

2005-10-18 Thread Abel Talaverón Estevez
On Tuesday, 18 October 2005 11:00, you wrote:
 Now it is really OpenBSD's 10th birthday ;)

Simply, CONGRATULATIONS. This OS is the best choice I could have made to
build a firewall.

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Re: USB to RS232

2005-10-07 Thread Abel Talaverón Estevez
On Friday, 7 October 2005 12:07, you wrote:
 Hi,

 I'll soon buy a soekris, but just realized i have no serial port on my
 laptop (duh!), has someone already tried to use a usb serial adapter?
 Most of the time this works as a traditional com port on windows, but
 what about openbsd, will it be ok for a serial console?

Yes, I do. It runs OK! I've tried a

laptop running Windows XP + usb-serial + serial-serial + firewall running
OpenBSD

and it works.

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



resize a partition

2005-10-05 Thread Abel Talaverón Estevez
Hi all,

How could I resize an OpenBSD partition?

I have a /var partition of 20 GB and I want to have it of about 1 GB and I 
don't know how to do it.

thanks a lot

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas, 29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax: 91 300 28 13
http://www.openwired.com



Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
Many thanks to all people of this mailing list for all the replies.

Finally, I have edited the files I downloaded from

http://mongers.org/gw_menu

and made my own shell.

Thanks ;)

On Monday, 25 July 2005 21:03, you wrote:
 On 2005-07-25 16:01:49 +0200, Abel Talaverón Estevez wrote:
  I need to create a particular but simple shell for a firewall running
  OpenBSD 3.6. The idea is to create a user whose shell is a very limited one.
  This shell or command line interpreter (CLI) must have permissions only
  in the home directory.
 
  How could I do this? Any ideas? Editing the source code of sh?, for
  example. Make my own cli?

 http://mongers.org/gw_menu

 But that might be too restricted for you.

 Have a nice day
  Morten

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91



Re: Create my own shell? SOLVED

2005-07-27 Thread Abel Talaverón Estevez
With Ctrl-C the shell doesn't finish.

The shell file is shown here:


#!/bin/sh
# $Id: menu,v 1.5 2004/05/20 12:15:57 holsta Exp $
#
# Menu wrapper for FireWired. Ctrl-C is ignored and user input is never
# passed to the command line.

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM

umask 077

HELP=/home/console/menu.help
GREETING=/home/console/menu.greeting


trap "" 2

grep -v "^#" $GREETING

while true
do
echo "FireWired \c"
if read line
then
case $line in
"") continue;;
esac

set -- $line
case $1 in

CASAV.bash) CASAV.bash;;
CAcceso.bash)   CAcceso.bash;;
CActivarPolitica.sh)CActivarPolitica.sh;;
CAnadirFiltroProxy.sh)  CAnadirFiltroProxy.sh;;
CAnadirPuertoProxy.sh)  CAnadirPuertoProxy.sh;;
CAnadirRedProxy.sh) CAnadirRedProxy.sh;;
CApaga.sh)  CApaga.sh;;
CAplicarRFPProxy.sh)CAplicarRFPProxy.sh;;
CAyuda.sh)  CAyuda.sh;;
CBorrarEncam.sh)CBorrarEncam.sh;;
CBorrarEstad.sh)CBorrarEstad.sh;;
CBorrarFiltroProxy.sh)  CBorrarFiltroProxy.sh;;
CBorrarObjeto.bash) CBorrarObjeto.bash;;
CBorrarPolitica.sh) CBorrarPolitica.sh;;
CBorrarPuertoProxy.sh)  CBorrarPuertoProxy.sh;;
CBorrarRedProxy.sh) CBorrarRedProxy.sh;;
CBorrarRegla.bash)  CBorrarRegla.bash;;
CBorrarReglaBINAT.bash) CBorrarReglaBINAT.bash;;
CBorrarReglaNAT.bash)   CBorrarReglaNAT.bash;;
CBorrarReglaPF.bash)CBorrarReglaPF.bash;;
CBorrarReglaRDR.bash)   CBorrarReglaRDR.bash;;
CBorrarReglaVPN.bash)   CBorrarReglaVPN.bash;;
CBorrarRuta.bash)   CBorrarRuta.bash;;
CBridges.bash)  CBridges.bash;;
CConfFabrica.sh)CConfFabrica.sh;;
CConsola.bash)  CConsola.bash;;
CCrearObjeto.bash)  CCrearObjeto.bash;;
CCrearPolitica.bash)CCrearPolitica.bash;;
CCrearReglaBINAT.bash)  CCrearReglaBINAT.bash;;
CCrearReglaNAT.bash)CCrearReglaNAT.bash;;
CCrearReglaPF.bash) CCrearReglaPF.bash;;
CCrearReglaRDR.bash)CCrearReglaRDR.bash;;
CCrearReglaVPN.bash)CCrearReglaVPN.bash;;
CCrearRuta.bash)CCrearRuta.bash;;
CDNS.sh)CDNS.sh;;
CDepurar.sh)CDepurar.sh;;
CDesactivarPolitica.sh) CDesactivarPolitica.sh;;
CGW.sh) CGW.sh;;
CInterfacesIP.bash) CInterfacesIP.bash;;
CListaObj.sh)   CListaObj.sh;;
CLogout.sh) CLogout.sh;;
CManuales.sh)   CManuales.sh;;
CModificarObjeto.bash)  CModificarObjeto.bash;;
CModificarReglaBINAT.bash)  CModificarReglaBINAT.bash;;
CModificarReglaNAT.bash)CModificarReglaNAT.bash;;
CModificarReglaPF.bash) CModificarReglaPF.bash;;
CModificarReglaRDR.bash)CModificarReglaRDR.bash;;
CModificarReglaVPN.bash)CModificarReglaVPN.bash;;
CMostrarPolActiva.sh)   CMostrarPolActiva.sh;;
CMostrarPoliticas.sh)   CMostrarPoliticas.sh;;
CMostrarPoliticasUser.sh)   CMostrarPoliticasUser.sh;;
CMostrarReglas.sh)  CMostrarReglas.sh;;
CMostrarReglasBINAT.sh) CMostrarReglasBINAT.sh;;
CMostrarReglasNAT.sh)   CMostrarReglasNAT.sh;;
CMostrarReglasPF.sh)CMostrarReglasPF.sh;;
CMostrarReglasRDR.sh)   CMostrarReglasRDR.sh;;
CMostrarReglasVPN.sh)   CMostrarReglasVPN.sh;;
CMoverReglaPF.bash) CMoverReglaPF.bash;;
CMoverReglaVPN.bash)CMoverReglaVPN.bash;;
CPassword.sh)   CPassword.sh;;
CPing.sh)   CPing.sh;;
CProxy.sh)  CProxy.sh;;
CProxyFtp.sh)   CProxyFtp.sh;;
CProxyTransp.sh)CProxyTransp.sh;;
CReboot.sh) CReboot.sh;;
CReloj.sh)  CReloj.sh;;
CSMTP.bash) CSMTP.bash;;
CSsh.sh)CSsh.sh;;
CTraceroute.sh) CTraceroute.sh;;
CVPN.bash)  CVPN.bash;;
CVPNAnadirSucursal.bash)CVPNAnadirSucursal.bash;;
CVPNClientes.bash)  
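The same whitelist-dispatch loop as the menu wrapper above, written with the hardening a reviewer would want (SIGINT ignored, no pathname expansion of the input line, programs run by absolute path rather than through a PATH that ends in "."). This is an added example, not the gw_menu script posted in the thread; the menu entry names come from the posted script, the directory MENU_BIN is assumed.

```shell
#!/bin/sh
# Added example, not the gw_menu script from the thread: the FireWired
# menu's whitelist-dispatch idea with the hardening a reviewer would add.
# Menu entry names are taken from the posted script; the directory they
# live in (MENU_BIN) is an assumption of this example.

MENU_BIN=${MENU_BIN:-/home/console/bin}

# resolve_cmd NAME: print the full path of the program for menu entry
# NAME and return 0, or return 1 if NAME is not exactly a menu entry.
# Exact case patterns mean "CPing.sh;ls", "../CPing.sh" or "*" never
# match, and the program is run by absolute path instead of being looked
# up in PATH (the original's PATH ends in ".", so a file dropped in the
# current directory could shadow a menu command).
resolve_cmd() {
    case $1 in
        CPing.sh|CTraceroute.sh|CMostrarReglas.sh|CPassword.sh|CLogout.sh)
            printf '%s\n' "$MENU_BIN/$1" ;;
        *)  return 1 ;;
    esac
}

# first_word LINE: the first whitespace-separated word of LINE, split the
# way the original does with "set -- $line" but with pathname expansion
# off, so a line consisting of "*" stays a literal "*" instead of turning
# into the first file name in the current directory.
first_word() {
    set -f
    # shellcheck disable=SC2086  # word splitting is intended here
    set -- $1
    set +f
    printf '%s\n' "${1-}"
}

# menu_loop: the interactive loop.  SIGINT is ignored so Ctrl-C cannot
# abort the menu and leave the user at a real shell; input is only ever
# compared against the whitelist, never passed to eval or sh.
menu_loop() {
    trap '' INT
    while printf 'FireWired> ' && IFS= read -r line; do
        word=$(first_word "$line")
        [ -z "$word" ] && continue
        if prog=$(resolve_cmd "$word"); then
            "$prog"
        else
            printf 'unknown command: %s\n' "$word" >&2
        fi
    done
    # EOF (Ctrl-D) ends the session instead of falling through to a shell
    exit 0
}

if [ "${1-}" = "--run" ]; then
    menu_loop
fi
```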

Create my own shell?

2005-07-25 Thread Abel Talaverón Estevez
Hi all,

I need to create a particular but simple shell for a firewall running OpenBSD
3.6. The idea is to create a user whose shell is a very limited one. This shell
or command line interpreter (CLI) must have permissions only in the home
directory.

How could I do this? Any ideas? Editing the source code of sh, for example?
Make my own CLI?
-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst
OpenWired, S.L.
C/ Caballero, 87 - 08029 - Barcelona (Spain)
Tel (+34) 93/410 75 70 - Fax (+34) 93/419 45 91



isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
Hi all,

I'm working with a firewall running OpenBSD with isakmpd. When I want to
connect 2 or more firewalls, I can see the tunnels via: netstat -rn | grep
encap, but the only way to begin the real communication is starting it from one
of the sides. If I try to begin from the other side, it doesn't work until I
do a ping (or some kind of communication) from the other side.

Is it normal? Can I solve it with a parameter like Retransmit or Timeout?
I know that something similar happens with D-Link firewalls.

Thanks!!



Re: isakmpd only works if one side begins the communication

2005-06-22 Thread Abel Talaverón Estevez
On Wednesday, 22 June 2005 15:33, jared r r spiegel wrote:
 On Wed, Jun 22, 2005 at 02:01:43PM +0200, Abel Talaverón Estevez wrote:
  Is it normal? Can I solve it with a parameter like Retransmit or
  Timeout? I know that it happens something similar with D-Link
  Firewalls.

   need configs to answer accurately, please.

   shouldn't need to dinker with retransmit or timeout values., shouldn't
   need to 'kickstart' the connection with a ping or so, unless it was
 so-configured to begin with.

   jared

 -

 [ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



isakmpd.conf on one side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30


[Phase 1]
10.0.0.57=  PEER-VPNPrueba2
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba2


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba2
[PEER-VPNPrueba2]
Phase=  1
Transport=  udp
Address=10.0.0.57
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba2
[CONN-VPNPrueba2]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba2
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba2
Remote-ID=  ID-RemoteSubnet-VPNPrueba2

#Local ID Section
[ID-LocalSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba2]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0



isakmpd.conf on the other side:

[General]
Exchange-max-time=  30
Check-interval= 30
DPD_check_interval= 30




[Phase 1]
10.0.0.67=  PEER-VPNPrueba
Default=ISAKMP-clients

[Phase 2]
Connections=IPsec-clients,CONN-VPNPrueba


# Phase 1 mobile client peer sections
#
[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  Client-main-mode
Authentication= vpnclientopenwired

# Phase 2 mobile client connection sections
###
[IPsec-clients]
Phase=  2
Configuration=  Client-quick-mode
Local-ID=   local-subnet
Remote-ID=  remote-client

# Mobile client ID sections
###
[local-subnet]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[remote-client]
ID-type=IPV4_ADDR
Address=0.0.0.0

# Mobile client modes
#
[Client-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Client-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

[Sucursal-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Sucursal-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# Sucursales
#PEER Section VPNPrueba
[PEER-VPNPrueba]
Phase=  1
Transport=  udp
Address=10.0.0.67
Configuration=  Sucursal-main-mode
Authentication= hen3ex

#CONNECTION SECTION VPNPrueba
[CONN-VPNPrueba]
Phase=  2
ISAKMP-peer=PEER-VPNPrueba
Configuration=  Sucursal-quick-mode
Local-ID=   ID-LocalSubnet-VPNPrueba
Remote-ID=  ID-RemoteSubnet-VPNPrueba

#Local ID Section
[ID-LocalSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.10.0
Netmask=255.255.255.0

#Remote ID Section
[ID-RemoteSubnet-VPNPrueba]
ID-type=IPV4_ADDR_SUBNET
Network=10.0.40.0
Netmask=255.255.255.0



Any idea?
I've been trying some values in check-interval and exchange-max-time with no
success.