Re: Split zone DNS?

2017-07-28 Thread Claer
On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
> Hi,
Hello,

> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago.  I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
I went for nsd for external domain information and Unbound for local
cache and local resolution overrides.

bind was a DNS resolver and a forwarder at the same time. If you want
both options, you need to set up NSD and Unbound.

Unbound alone can do the trick for a few records, but I found it easier to
have a dedicated resolver in case I wanted to sync zones with a slave.

> Are there any hooks for dhcpd to update records?
Dunno, I use static MAC - IP mapping.

> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
As said, just pay attention that nsd is a resolver only.

> Thanks,
> Steve Williams

Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.


Regards,

Claer
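The split of roles described above, written out as an added example (not Claer's configuration and not from the original thread): unbound(8) is the LAN's recursive resolver and carries the internal overrides, nsd(8) serves only the public zone on the public address. Zone name, addresses and the secondary's address are constructed (RFC 5737 / RFC 1918 ranges); the file paths are the OpenBSD defaults.

```conf
# --- /var/unbound/etc/unbound.conf: recursive resolver for the LAN ---
# Listens only on the LAN side, answers only LAN clients, and overrides the
# handful of internal names with private addresses.  Everything else,
# including other names under example.org, is resolved normally.
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes

    # transparent: names listed in local-data are answered here; the rest of
    # the zone is still looked up at the public authoritative servers.
    local-zone: "example.org." transparent
    local-data: "gw.example.org.  IN A 192.168.1.1"
    local-data: "nas.example.org. IN A 192.168.1.20"
    local-data: "www.example.org. IN A 192.168.1.30"
    # reverse entries for the same hosts (unbound derives the PTR owner name)
    local-data-ptr: "192.168.1.20 nas.example.org"
    local-data-ptr: "192.168.1.30 www.example.org"

# --- /var/nsd/etc/nsd.conf: authoritative server for the public view ---
# Serves only the public zone data on the public address; internal names and
# private addresses never appear in this zone, so nothing leaks outside.
server:
    ip-address: 203.0.113.10
    hide-version: yes

zone:
    name: "example.org"
    zonefile: "example.org.zone"
    # a secondary, for the "sync zones with a slave" case (constructed address)
    provide-xfr: 203.0.113.20 NOKEY
    notify: 203.0.113.20 NOKEY
```

The internal view lives entirely in unbound's local-data, so the public zone file holds nothing but public records; check with `unbound-checkconf` and `nsd-checkconf` before starting either daemon.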



Re: ospf gre carp

2017-06-18 Thread Claer
On Sun, Jun 18 2017 at 47:12, Marko Cupać wrote:
> On Sun, 18 Jun 2017 09:52:13 + (UTC)
> Stuart Henderson  wrote:
> 
> > On 2017-06-18, Marko Cupać  wrote:
> > > Hi,
> > >
> > > I have setup similar to:
> > >
> > >   R1
> > >   bnx0--bnx1
> > >|  |R3
> > > LAN1---carp0 carp1--em0--em2---LAN2
> > >|  |
> > >   bnx0--bnx1
> > >   R2
> > >
> > > How can I run OSPF between R3 and carped R1 and R2? I tried with gre
> > > tunnel from carp1 to em0 but it doesn't work well.
> > >
> > > Thank you in advance,  
> > 
> > Try this:
> > 
> > Run ospf on bnx1 on R1/2. You will need separate IP addresses on bnx1
> > for each of R1/R2, you can't just use a single address on the carp1
> > interface. (iirc you want it like carp1 10.0.0.1/32, r1-bnx1
> > 10.0.0.2/24, r2-bnx1 10.0.0.3/24, but it may be /24 on all of them).
> > 
> > For carp0/bnx0 interfaces, run ospf passive on carp0, and the subnet's
> > prefix (/24 or whatever) needs to be on carp0.
> > 
> 
> Hi,
> 
> thank you for looking into it. I forgot to mention crucial fact -
> there's no direct link between carp1 and em0 - those interfaces have
> public IP addresses and communicate over Internet.
> 
> I guess I could create two gre tunnels - from em0 to each bnx1, and run
> ospf over them. Passive ospf interface carp0 would then make sure to
> announce LAN1 over active carp member. I could then protect gre traffic
> with transport mode ipsec.
> 
> If someone has experience with similar setup please chime in.

I built this kind of setup in the past, and it is still running after all those
years. So the configuration you want to build is robust.
If you plan to have multiple R3 routers and don't interact with other
ospf routers outside your responsibilities, I advise you to move to bgp.
It's not much harder to learn and it is more powerful regarding route
filtering.

Claer



Re: Multi-path router with ftp-proxy problem

2017-06-03 Thread Claer
On Fri, Jun 02 2017 at 42:07, cdix wrote:
> I have the same problem.
> Did you ever find a resolution for your problem?
> If so what was it?
> 

Hi,

FTP has one command TCP connection and one dynamic data connection that together
make up the application session.  In order for FTP to work, it needs both connections
to be established on the same DSL link.

With that information, you can try to build a setup to achieve that goal or, as
I did years ago, end up with the lines in active/passive mode because load
balancing of FTP can result in a very complicated setup.
Depending on the aim, having a simpler setup is sometimes better than having an
overengineered one.  Think of maintaining your setup through the years.

Also, don't forget we are in 2017, not 2013 anymore. Personally I removed FTP
support from my gateways.

Regards,



Re: Isakmpd and NAT-T

2017-03-17 Thread Claer
Hello,

On Fri, Mar 17 2017 at 22:07, Stuart Henderson wrote:
> On 2017-03-16, Sébastien Morand  wrote:
> > Thank you Mike for your answer. There is nothing more, like you said.
> > Actually we succeeded in phase 1 but not in phase 2.
> ..
> > It looks good to me and conforms to the provided specs. Phase 1 is ok
> > but no phase 2:
> > 155851.640374 Default ipsec_validate_id_information: dubious ID information
> > accepted
> > 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154,
> > responder id 80.125.165.142, src: 192.168.254.2 dst: 80.125.165.142
> > 155918.682560 Default transport_send_messages: giving up on exchange
> > from-10.85.98.16/29-to-10.249.0.0/21, no response from peer
> > 80.125.165.142:4500
> ..
> > so it means to me they don't answer my packet but I don't know why:
> > 16:01:41.673599 192.168.254.2.4500 > 80.125.165.142.4500:udpencap: isakmp
> > v1.0 exchange QUICK_MODE encrypted
> ..
> > Any idea what can be done or a way to get more information on what's going
> > on? They are using CISCO 6509 with IOS 12.2-33.SXH3a.
> 
> isakmpd sends the wrong encapsulation mode (always TUNNEL, not
> UDP_ENCAPSULATED_TUNNEL). But also last time I tried this (in 2011)
> Cisco hadn't caught up with the RFC and actually required the
> UDP_ENCAPSULATED_TUNNEL_DRAFT value from the draft nat-t spec.
> 
> This would cause a phase 2 failure, an ASA reports it like
> "[IKEv1]Phase 2 failure: Mismatched attribute types for class
>  Encapsulation Mode: Rcv'd: Tunnel Cfg'd: UDP Tunnel(NAT-T)"
> 
> Here's an old post about it with an isakmpd diff that was working
> against Cisco. What I don't know is whether it harms interop with
> anything else. 
>  
> http://marc.info/?l=openbsd-tech&m=131244805816474

I ran with this patch in production for nearly 2 years. It didn't cause any
issue interoperating with a few kinds of devices. I successfully configured VPNs
with ASA, Juniper, Fortinet, StormShield and Windows on the other side.
If there were some side effects, they were not visible.

Claer



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Claer
On Sat, Dec 17 2016 at 08:13, Damian McGuckin wrote:
> While everybody is talking about hardware, I noticed that some of you
> have flicked your Soekris Net 5501 boards.
> 
> We are upgrading from 20Mbps links to 100Mbps links and as a result of this
> discussion, I am wondering whether it would be a wise move on our part to
> consider replacing them. Rock solid little units.
> 
> What is the max throughput people have seen on these?

In my $job[n-2], I had the chance to test the alix pcengines, which is quite
similar in terms of performance.  With 4.5 on it, it started to drop packets
around 70Mbps with the IMIX test.
Consult https://en.wikipedia.org/wiki/Internet_Mix to know more.
 
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?
It will be "good enough" if you are transferring big files, not for
common web browsing (usually smaller packets).

Best regards,

Claer



Re: ipsec+tunnel vs. 'pure' ipsec

2016-07-28 Thread Claer
On Thu, Jul 28 2016 at 24:09, Kim Zeitler wrote:
> Hello
Hello,

> having run a 'pure' ipsec tunnel for some years now I was wondering if there
> are more advantages in using a tunnel like gre(4), gif(4) or etherip(4) over
> ipsec except being able to set the mtu or pass Layer2 traffic?

If you don't see the advantages, chances are that you don't *need* it. Adding
another encapsulation layer is seen as a bad move if you don't need it (more
fragmentation or a further reduced mtu).

I have done setups with gif for L2 connectivity over the internet (also a bad idea
but sometimes you don't have a choice) and for handling easy ipsec redundancy.

Let me explain the last statement. I've built 2 tunnels from each remote to the
main site, and added gif encapsulation over ipsec. That means I have 2 paths for the
same destination. In order to choose the path automatically in a symmetric way, I
used OSPF over gif to determine the best path. In this setup, gif/gre
encapsulation is mandatory because OSPF uses multicast to discover peers and
native IPSEC doesn't support it. OSPF also gave me route redistribution for free.

If you have only 2 sites, you can use other ways to check link connectivity
rather than OSPF. You can use GRE keepalives (careful, they are not supported on
Linux), ifstated to check and take action in case of link failure, or just
routes with different weights. OpenBSD gives you the tools; you have the
responsibility to understand them and find the best one for your use case.

> 
> Thanks for your answer
> 
> Kim

Best regards,

Claer



Re: Balanced and failover IPSEC

2016-05-13 Thread Claer
On Thu, May 12 2016 at 47:18, Info wrote:
> Hello, this is my first post on OpenBSD, so do not riddle me, please...
Hello,

Welcome to the lists.

> I have one infrastructure with one IPSEC tunnel. This works ok, but I think I
> can duplicate the transfers. My topology is like this:
> 
>   * One ADSL 20Mb on Site A
>   * Two ADSL 10Mb on Site B
>   * Consists of one OpenBSD box per site, attached directly to the router
> 
> I need to share Network A with Network B with ipsec like now, but
> balanced/failovered. I searched for solutions and found 3 methods, but I'm not sure
> which to use and this seems a little complicated:
> 
>   * CARP (I don't have two servers per site)
>   * PF (with ipsec I'm lost)
>   * ifstated (I don't know anything about this)
> 
> I will send my topology graphically as an attachment (it should be read with a
> system or fixed-width font).

I implemented solutions like that in the past. The easiest method with IPSEC is
using encapsulation. I tried two different setups: gif(4)+ifstated and
gif(4)+OSPF.
The latter is simpler to maintain, and for us scaled over 50 sites.

With just 2 sites, you can use gre(4) encapsulation instead of gif and use GRE
keepalives instead of setting up ospfd. We didn't use that solution because
GRE keepalives are not implemented on Linux and we needed interoperability.

Basically, you create 2 ipsec tunnels between A and your 2 public IP addresses on B.
Then you set up 2 GRE tunnels above IPSEC. On site A, you configure 2 routes with
different weights to access your network on B. Do the same on site B.
In case of failure, the primary GRE tunnel will go down (because of missing
keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and
use the 2nd route entry available.


>  #20.0.0.0  
>  #--- ##
>  #####  10Mb |DSL|\   ##   ##
>  #--- |   ##
>  #####/   |   ##   ##
>  ####   20Mb##   /|.2 ##
> --- .2  ---  .1 ##--/---
>|BSD|---|DSL|#  INET  #  |BSD|---
> --- --- ##--\--- \
>  |  ##   \|.2|
>  | 10.0.0.0  #\   | ---
> ---  #--- | NET
> NET  #  10Mb |DSL|/ ---
> ---  #    ---101.0.0.0
>  100.0.0.0   #21.0.0.0

Best regards,

Claer
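The two-site variant described in this reply (and the gif/gre-over-ipsec reasoning in the "ipsec+tunnel vs. 'pure' ipsec" post above) written out for the site A gateway, as an added example that is not Claer's configuration: two transport-mode SAs that carry only GRE, one gre(4) per DSL line at site B with keepalives, and two static routes to B's network whose priority decides which tunnel is used. Public and inner addresses are constructed (RFC 5737 / RFC 1918), the PSKs are placeholders, and both ends are assumed to run OpenBSD (per the Linux keepalive caveat above); site B mirrors this with the addresses swapped.

```conf
# --- /etc/ipsec.conf on the site A gateway ---
# Two transport-mode SAs carrying only GRE (proto gre), one per DSL line at B.
A_pub="203.0.113.10"
B_line1="198.51.100.21"
B_line2="198.51.100.22"

ike esp transport proto gre from $A_pub to $B_line1 \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "PLACEHOLDER-psk-for-line-1"
ike esp transport proto gre from $A_pub to $B_line2 \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "PLACEHOLDER-psk-for-line-2"

# --- /etc/hostname.gre0 on site A: primary path, over B's first line ---
# Inner /32 point-to-point addresses.  "keepalive 10 3" probes every 10 s and
# declares the link down after 3 misses; a down link takes the priority-8
# route below out of use, so the kernel falls back to the route via gre1.
tunnel 203.0.113.10 198.51.100.21
10.255.1.1 10.255.1.2 netmask 255.255.255.255
keepalive 10 3
up
!route add -priority 8 10.2.0.0/16 10.255.1.2

# --- /etc/hostname.gre1 on site A: backup path, over B's second line ---
# Same destination (B's LAN, 10.2.0.0/16) with a worse priority (16 > 8):
# it is only used while gre0 is down.
tunnel 203.0.113.10 198.51.100.22
10.255.2.1 10.255.2.2 netmask 255.255.255.255
keepalive 10 3
up
!route add -priority 16 10.2.0.0/16 10.255.2.2

# --- /etc/sysctl.conf (both sites): gre(4) is disabled by default ---
net.inet.gre.allow=1
```

Lower priority wins (8 is the default for static routes), so `route -n show` lists both entries and marks the one in use. pf on both gateways must pass esp and gre between the public addresses, plus udp/500 (and udp/4500 if either side is behind NAT); `ipsecctl -sa` and `ifconfig gre0` show the SA state and the keepalive-driven link state while testing a failover.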



Bug in network stack on 2015/12/19 snapshot?

2015-12-24 Thread Claer
Hello,

These days I'm playing with npppd, trying to set up a nice VPN gateway for
Windows users. I managed to have a simple working configuration that
authenticates users from a local file (later on, I'll try with RADIUS).

With the configuration listed below, I can successfully connect a Win7
client to OpenBSD 5.8 and I can ping the tun IP from the Win7 host.

If I try that same configuration on the snapshot from 2015/12/19, the npppd
daemon enters a strange state and I cannot kill it anymore with ^C when I
started it in the foreground (npppd -d -f ...)

Note that the configuration works with pppx & pipex, but fails with tun.

Any advice is welcome :)



Here are the configurations:

l2tp58:/etc # ifconfig em0
em0: flags=8843 mtu 1500
lladdr 08:00:27:c8:6d:77
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.1.108 netmask 0xff00 broadcast 172.16.1.255

l2tp58:/etc # cat /etc/ipsec.conf
ip_pub="172.16.1.108"
PSK="test123123"

ike passive esp transport proto udp from $ip_pub to any port 1701 \
main auth hmac-md5 enc 3des group modp2048 \
quick auth hmac-md5 enc 3des \
psk $PSK

ike passive esp transport proto udp from $ip_pub to any port 1701 \
main auth hmac-sha enc aes group modp2048 \
quick auth hmac-sha enc aes \
psk $PSK

ike passive esp transport proto udp from $ip_pub to any port 1701 \
main auth hmac-md5 enc 3des group modp1024 \
quick auth hmac-md5 enc 3des \
psk $PSK

ike passive esp transport proto udp from $ip_pub to any port 1701 \
main auth hmac-md5 enc aes group modp1024 \
quick auth hmac-md5 enc 3des \
psk $PSK

l2tp58:/etc # cat npppd/npppd.conf
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
listen on 172.16.1.108
l2tp-accept-dialin yes
l2tp-vendor-name "OpenBSD"
authentication-method mschapv2
tcp-mss-adjust yes
pipex no
mppe no
}

ipcp IPCP {
pool-address 10.11.1.2-10.11.1.7
dns-servers 192.168.78.201 192.168.78.202
}

interface tun1  address  10.11.1.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun1

l2tp58:/etc # cat sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.gre.allow=1

# isakmpd -4K
# ipsecctl -f /etc/ipsec.conf
# npppd -f /etc/npppd/npppd.conf
# 

Claer



Re: Playing with rdomains and bridge on 5.8 and current

2015-12-18 Thread Claer
Hello,


Thanks guys for the pointer to pair. My mail was intended to show (what IMO is)
an issue in the bridge code. With the recent post on n2k15 by Reyk[0], I'll keep
an eye on the following developments :)


Claer

[0] http://undeadly.org/cgi?action=article&sid=20151217134417

On Thu, Dec 17 2015 at 19:12, Claer wrote:
> Hello,
> 
> I'm trying a "strange" setup with rdomains, bridge and vether.  As there is
> something I don't understand, I'd like to know if the behavior is normal or if
> it is an issue. This is not a production system, just experimentations.
> 
> Here is what I'm trying to do. With 1 NIC connected to a "physical" network, I
> wish to have several rdomains connected to the same uplink VLAN.
> As this uplink VLAN provides DHCP, it facilitates the configuration.
> 
> When everything is up, I can ping the default router from either rdomain but I
> can't ping rdomain 1 from rdomain 2 or vice versa. Arp is failing to resolve
> the IP addresses even though the arp packet is received on the vether interface.
> With 2 NICs, the communication succeeds.
> 
> The results are the same with 5.8 and current (snapshot downloaded yesterday)
> 
> Here is the setup :
> 
> 1/ configure the interfaces
> testhost:~ # cat /etc/hostname.em0
> dhcp
> 
> testhost:~ # cat /etc/hostname.em1
> rdomain 1
> !route -T 1 exec dhclient em1
> testhost:~ #
> 
> testhost:~ # cat /etc/hostname.vether2
> rdomain 2
> !route -T 2 exec dhclient vether2
> up
> testhost:~ #
> 
> 2/ Build the bridge :
> testhost:~ # cat /etc/hostname.bridge0
> add em1
> add vether2
> up
> testhost:~ #
> 
> 3/ Verify configuration :
> testhost:~ # ifconfig bridge0
> bridge0: flags=41
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> designated: id 00:00:00:00:00:00 priority 0
> em1 flags=3
> port 2 ifpriority 0 ifcost 0
> vether2 flags=3
> port 5 ifpriority 0 ifcost 0
> Addresses (max cache: 100, timeout: 240):
> 08:00:27:2c:87:f2 em1 1 flags=0<>
> 00:50:b6:67:9c:82 em1 1 flags=0<>
>   [...]
> testhost:~ # ifconfig em0
> em0: flags=8843 mtu 1500
> lladdr 08:00:27:2c:87:f2
> priority: 0
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet 192.168.79.39 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # ifconfig em1
> em1: flags=8b43 
> rdomain 1 mtu 1500
> lladdr 08:00:27:36:20:e8
> priority: 0
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet 192.168.79.159 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # ifconfig vether2
> vether2: flags=8943 rdomain 2 
> mtu 1500
> lladdr fe:e1:ba:d0:45:3b
> priority: 0
> groups: vether
> media: Ethernet autoselect
> status: active
> inet 192.168.79.193 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # route -n show -inet
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> default192.168.79.254 UGS0  788 - 8 em0
> 127/8  127.0.0.1  UGRS   00 32768 8 lo0
> 127.0.0.1  127.0.0.1  UHl00 32768 1 lo0
> 192.168.79/24  192.168.79.39  UC 412990 - 4 em0
> 192.168.79.39  08:00:27:2c:87:f2  UHLl   0   22 - 1 em0
> 192.168.79.123 70:5a:b6:af:a0:42  UHLc   1 6503 - 4 em0
> 192.168.79.159 08:00:27:36:20:e8  UHLc   011027 - 4 em0
> 192.168.79.193 fe:e1:ba:d0:45:3b  UHLc   011795 - 4 em0
> 192.168.79.254 2c:76:8a:30:2b:00  UHLc   1 1192 - 4 em0
> 192.168.79.255 192.168.79.39  UHb0 5764 - 1 em0
> 224/4  127.0.0.1  URS0  195 32768 8 lo0
> 
> testhost:~ # route -nT1 show
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> default192.168.79.254 UGS0 1752 - 8 em1
> 192.168.79/24  192.168.79.159 UC 115026 - 4 em1
> 192.168.79.159 08:00:27:36:20:e8  UHLl   00 - 1 em1
> 192.168.79.254 2c:76:8a:30:2b:00  UHLc   1 1167 - 4 em1
> 192.168.79.255 192.168.79.159 UHb0  734 - 1 em1
> 
> testhost:~ # route -nT2 show
> Rout

Playing with rdomains and bridge on 5.8 and current

2015-12-17 Thread Claer
.297/0.329 ms

testhost:~ # ping -c 2 192.168.79.193
PING 192.168.79.193 (192.168.79.193): 56 data bytes
64 bytes from 192.168.79.193: icmp_seq=0 ttl=255 time=0.820 ms
64 bytes from 192.168.79.193: icmp_seq=1 ttl=255 time=0.617 ms
--- 192.168.79.193 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.617/0.718/0.820/0.102 ms

testhost:~ # ping -c2 -V1 192.168.79.39
PING 192.168.79.39 (192.168.79.39): 56 data bytes
64 bytes from 192.168.79.39: icmp_seq=0 ttl=255 time=0.587 ms
64 bytes from 192.168.79.39: icmp_seq=1 ttl=255 time=0.633 ms
--- 192.168.79.39 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.587/0.610/0.633/0.023 ms

testhost:~ # ping -c2 -V1 192.168.79.193
PING 192.168.79.193 (192.168.79.193): 56 data bytes
--- 192.168.79.193 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

5/ Arp tables
testhost:~ # arp -na
Host Ethernet Address   Netif Expire Flags
192.168.79.3908:00:27:2c:87:f2em0 permanent  l
192.168.79.123   70:5a:b6:af:a0:42em0 19m54s
192.168.79.159   08:00:27:36:20:e8em0 14m47s
192.168.79.193   fe:e1:ba:d0:45:3bem0 16m18s
192.168.79.254   2c:76:8a:30:2b:00em0 20m0s
testhost:~ # arp -nV1 -a
Host Ethernet Address   Netif Expire Flags
192.168.79.3908:00:27:2c:87:f2em1 15m33s
192.168.79.159   08:00:27:36:20:e8em1 permanent  l
192.168.79.193   (incomplete) em1 expired
192.168.79.254   2c:76:8a:30:2b:00em1 19m59s
testhost:~ # arp -nV2 -a
Host Ethernet Address   Netif Expire Flags
192.168.79.3908:00:27:2c:87:f2 vether2 14m6s
192.168.79.193   fe:e1:ba:d0:45:3b vether2 permanent  l
192.168.79.254   2c:76:8a:30:2b:00 vether2 20m0s

6/ tcpdump on the vether side 
  On one terminal : # ping -V1 192.168.79.193
  On another terminal :
testhost:~ # tcpdump -neli vether2 arp | grep 192.168.79.193
tcpdump: listening on vether2, link-type EN10MB
12:14:18.050311 08:00:27:36:20:e8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 
192.168.79.193 tell 192.168.79.159
12:14:19.054795 08:00:27:36:20:e8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 
192.168.79.193 tell 192.168.79.159
12:14:20.054016 08:00:27:36:20:e8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 
192.168.79.193 tell 192.168.79.159

Thanks for reading that far :)


Claer



Re: IPSEC with Juniper SRX220

2015-09-28 Thread Claer
On Sun, Sep 27 2015 at 42:13, Alexandre Westfahl wrote:
> Hi,
Hello,

> 
> I have trouble configuring ipsec with my Soekris 6501 (OBSD 5.7) with a
> carrier router (Juniper).
> The SA seems to work well, I see packets going out on em0 and also see them on
> enc0. However, the other side says nothing comes in, but they also see the SA
> working and can see traffic going out.
> 
> There may be an explanation for this situation:
> 
>- I have another IPSEC tunnel on the same public IP (both on em0/enc0)
>- the carrier IPs seem to be on the same network so OBSD may be lost with it
> 
> 
> *network*
> dmz network (DDD.EEE.FFF.0/28)  <--(AAA.BBB.CCC.192)-->Internet<--(
> GGG.HHH.III.150)-->  server (GGG.HHH.III.149)
If you don't want to show your real address, at least use real numbers.

> *ipsec.conf:*
> //working ipsec tunnel
> ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
> 192.168.1.0/24 \
> local AAA.BBB.CCC.192 \
> main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
> quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
> srcid "gtfwpo192" dstid "pojimusho169" \
> psk secret
> 
> //carrier ipsec (not working)
> ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
> local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
> main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
> quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
> srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
> psk secret2
src and dst ids are not needed.

> I tried to enable or disable PF and use super permissive rules but nothing
> change.
> 
> Do you have some ideas on what it could be?
When debugging ipsec, it is really easy to turn on ike packet capture
unencrypted and then analyse the packets with tcpdump.

See isakmpd -L or 'p=on' on the fifo file.
By default the capture file is located in /var/run/isakmpd.pcap

I usually type tcpdump -nevvs 1550 -r /var/run/isakmpd.pcap |less
to check what's wrong.

With ScreenOS software (not JunOS like you, but they should be similar)
the "encryption domain" is usually set to 0/0 and the OS manages routes
to determine what to send to the tunnel. This will not work with your
configuration and the network/sys admin on the other side needs to do
some adjustments.  Do you have the configuration of the other side?

Good luck with troubleshooting.

Claer



Isakmpd NAT-T interoperability

2015-02-12 Thread Claer
Hello,

As asked by Stuart, here are our exchanges regarding a problem I encountered
with isakmpd.

After applying the patch, I'm here to report my progress. I applied the patch
by hand on a stable 5.6 tree and didn't encounter any issue merging it.

In my first try, the VPN didn't come up. I was advertising
UDP_ENCAP_TUNNEL_DRAFT and that was not working. I updated the patch to
transmit UDP_ENCAP_TUNNEL instead (the same string the ASA was emitting), then
the 3 SAs went up right away.

Here is the final patch I'm using :

Common subdirectories: src/sbin/isakmpd/CVS and src2/sbin/isakmpd/CVS
diff -uN src/sbin/isakmpd/attribute.c src2/sbin/isakmpd/attribute.c
--- src/sbin/isakmpd/attribute.cSat Apr  9 00:32:09 2005
+++ src2/sbin/isakmpd/attribute.c   Tue Feb  3 12:29:04 2015
@@ -37,6 +37,9 @@
 #include "log.h"
 #include "isakmp.h"
 #include "util.h"
+#if 1 /* XXX hshoexer */
+#include "sa.h"
+#endif 
 
 u_int8_t *
 attribute_set_basic(u_int8_t *buf, u_int16_t type, u_int16_t value)
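Review bot: the `#if 1 /* XXX hshoexer */` ... `#endif` wrapper around `#include "sa.h"` is development scaffolding with a constant condition; drop the guard and add the include plainly, since the new attribute_set_encap() in this file needs SA_FLAG_NAT_T_ENABLE from sa.h unconditionally. The trailing whitespace on `+#endif ` would also be flagged by a style check.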
@@ -108,3 +111,30 @@
*attr = attribute_set_basic(*attr, attr_class, value);
return 0;
 }
+
+#if 1 /* XXX hshoexer */
+int
+attribute_set_encap(char *section, char *tag, struct constant_map *map,
+   int attr_class, u_int8_t **attr, u_int32_t flags)
+{
+   char *name;
+   int value;
+
+   name = conf_get_str(section, tag);
+   if (!name) {
+   LOG_DBG((LOG_MISC, 70,
+   "attribute_set_constant: no %s in the %s section", tag,
+   section));
+   return -1;
+   }
+   if (flags & SA_FLAG_NAT_T_ENABLE) {
+   if (strcmp(name, "TUNNEL") == 0)
+   name = "UDP_ENCAP_TUNNEL";
+   else if (strcmp(name, "TRANSPORT") == 0)
+   name = "UDP_ENCAP_TRANSPORT";
+   }
+   value = constant_value(map, name);
+   *attr = attribute_set_basic(*attr, attr_class, value);
+   return 0;
+}
+#endif 
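Review bot: the debug message in attribute_set_encap() still reads "attribute_set_constant: no %s in the %s section", copied from the neighbouring function; it should name attribute_set_encap so the log points at the right caller. The substitution is also hard-coded to the "UDP_ENCAP_TUNNEL"/"UDP_ENCAP_TRANSPORT" names, while the accompanying mail says the draft variant was what the author first tried and that some peers want one form and some the other; a per-peer configuration option, or at least a comment recording which constants were chosen and why, would spare the next person rediscovering this. Same `#if 1 /* XXX hshoexer */` scaffolding as in the first hunk.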
diff -uN src/sbin/isakmpd/attribute.h src2/sbin/isakmpd/attribute.h
--- src/sbin/isakmpd/attribute.hFri May 14 10:42:56 2004
+++ src2/sbin/isakmpd/attribute.h   Tue Feb  3 12:30:36 2015
@@ -41,6 +41,10 @@
 extern u_int8_t*attribute_set_basic(u_int8_t *, u_int16_t, u_int16_t);
 extern int  attribute_set_constant(char *, char *, struct constant_map *,
 int, u_int8_t **);
+#if 1 /* XXX hshoexer */
+extern int attribute_set_encap(char *, char *, struct constant_map *,
+   int, u_int8_t **, u_int32_t);
+#endif 
 extern u_int8_t*attribute_set_var(u_int8_t *, u_int16_t, u_int8_t *,
 u_int16_t);
 
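Review bot: the new prototype is wrapped in the same `#if 1 /* XXX hshoexer */` scaffolding that should be removed before this is committed, and its formatting (`extern int attribute_set_encap(` with a single space and a tab-indented continuation) does not match the column alignment of the surrounding `extern int  attribute_set_constant(` declarations. A short comment stating that the trailing u_int32_t is the SA flags word (tested for SA_FLAG_NAT_T_ENABLE) would document the new parameter.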
diff -uN src/sbin/isakmpd/ike_quick_mode.c src2/sbin/isakmpd/ike_quick_mode.c
--- src/sbin/isakmpd/ike_quick_mode.c   Mon Dec 12 08:35:29 2011
+++ src2/sbin/isakmpd/ike_quick_mode.c  Tue Feb  3 12:33:27 2015
@@ -621,9 +621,16 @@
}
conf_free_list(life_conf);
}
+   #if 1 /* XXX hshoexer */
+   attribute_set_encap(xf->field,
+   "ENCAPSULATION_MODE", ipsec_encap_cst,
+   IPSEC_ATTR_ENCAPSULATION_MODE, &attr,
+   msg->isakmp_sa->flags);
+   #else
attribute_set_constant(xf->field,
"ENCAPSULATION_MODE", ipsec_encap_cst,
IPSEC_ATTR_ENCAPSULATION_MODE, &attr);
+   #endif
 
if (proto_id != IPSEC_PROTO_IPCOMP) {
attribute_set_constant(xf->field,
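Review bot: the `#if 1 ... #else ... #endif` keeps the old attribute_set_constant() call as dead code under `#else` and indents the preprocessor directives with a tab, unlike the column-0 directives in the other two files; replace the whole construct with the bare attribute_set_encap() call. As with the call it replaces, the return value is discarded, so a transform section without ENCAPSULATION_MODE is only logged at debug level rather than treated as an error; if that is intentional, say so in a comment.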
Common subdirectories: src/sbin/isakmpd/obj and src2/sbin/isakmpd/obj
Common subdirectories: src/sbin/isakmpd/sysdep and src2/sbin/isakmpd/sysdep

- Forwarded message from Stuart Henderson  -
From: Stuart Henderson 
To: Claer 
Subject: Re: Isakmpd NAT-T interoperability
Date: Mon, 9 Feb 2015 09:42:51 +
User-Agent: Mutt/1.5.23 (2014-03-12)

Thanks - would you mind posting results on the mailing list thread too, please?
It would be nice to draw more attention to this problem and it's more likely to
generate interest when multiple people are running into it ;-)



On 2015/02/09 10:40, Claer wrote:
> Hello,
> 
> No problem, I built a stable release with the patch and will test it in the
> following days. I already got the acknowledge from the other IPSec endpoint.
> 
> I'll keep you informed of the results.
> Thanks for the quick answer! (quicker than mine ;))
> 
> Regards,
> 
> Claer
> 
> On Fri, Jan 30 2015 at 17:18, Stuart Henderson wrote:
> 
> > Sorry no time to look at this now. Personally

Re: CARP cluster: howto keep pf.conf in sync?

2014-08-04 Thread Claer
On Sat, Aug 02 2014 at 09:01, Nick Holland wrote:
> On 08/01/14 08:12, Claer wrote:
> > On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
> ...
> >>  I'll leave you to develop the script.
> 
> >> My design philosophy:
> >> 1) No additional hw, other than the two firewalls.
> >> 2) EITHER machine should be able to act as master.
> >> 3) EITHER machine should be able to provide all the info to rebuild the
> >> failed machine.
> >> 4) Change control is good, just not how managers usually like to
> >> implement it.
> >> 5) uses no other packages (rsync to move pf.conf around?  I don't think
> >> that's needed)
> > 
> > Could you share it please ?
> 
> well, no, in large part because I left the employment of that employer
> rather suddenly, and it seems I didn't save a copy of THAT script,
> though I do have some notes that will help (my DNS version).  (and yes,
> it's legit -- it wasn't a software company, and I had an understanding
> with the people that hired me that I could use any of the stuff I wrote
> however I wished.  The person who escorted me out I'm sure would
> disagree, but he got escorted out shortly afterwards.  BTW: if you ever
> find yourself being escorted out of a job for doing what you are
> confident is right, a great line is to politely ask, "would you like me
> to deactivate my accounts, as you don't have anyone else left here to
> do it?"  That's when the yelling began).
> 
> Here are some code snippets that might be useful.  Nothing magical here,
> but there are a few tidbits I had to work out, but be forewarned, I
> probably did it the hard way (I'm proud of the ssh diff between two
> boxes, but that probably means I made it way too difficult.  This script
> is completely untested, I'm sure it won't work as is, and you get to
> provide your own error handling.  I'd call what I did an "administration
> script" not a "user application".
> I'm assuming you have sudo access, and are SSH'ing to the first firewall
> with -A (agent forwarding) and have key access on both systems.
> 
> # start.  Note the lack of #!/bin/sh, I'm not calling this a 
> # complete script!
> 
> TMPLOG="/tmp/~config.log"
> 
> # /backup was a file system on a second disk in each FW.
> CHGLOG="/backup/changelog/`date "+%Y-%m-%d-%H%M%S"`.diff"
> 
> # Figure out who I am and who my partner machine is.
> # Our name -- easy.
> HERE=`hostname -s`
> # Other machine's name.  Assumption: machine names are in the form
> # *1 and *2, so that swapping the 1 and 2 will indicate the other machine.
> # This is a non-trivial assumption...but it works for us - fwa-1 <-> fwa-2
> OTHER=`echo $HERE |tr 12 21`
> 
> # Generate a temp file with the diff between the old and new
> # file.  Should probably be with mktemp, but as there is a lack
> # of locking to protect against multiple users, there are bigger
> # issues here.
> echo %% Change by ${LOGNAME}@${HERE} on `date`: >$TMPLOG
> echo >>$TMPLOG
> echo >>$TMPLOG
> 
> ssh $OTHER "sudo cat /etc/pf.conf" | sudo diff -u - /etc/pf.conf >>$TMPLOG
> 
> # Toss a marker to indicate when the change file was first made.
> touch ${TMPLOG}.tag
> chmod 664 ${TMPLOG}.tag  # makes it easier for other admins to delete.
> 
> # Call up editor
> vi -c ":3" $TMPLOG
> 
> # If the temp log file is not newer than the .tag file, it apparently wasn't
> # edited, which means the commit was aborted.  Bail.  Note: IIRC, there were
> # some rough edges here.
> if [ ! $TMPLOG -nt ${TMPLOG}.tag ]; then
>echo
>echo
>echo "** Sync with $OTHER aborted!! **"
>echo  "NOTE: DNS servers are likely out of sync!"
>echo
>rm $TMPLOG ${TMPLOG}.tag
>exit
> fi
> 
> # Save the change log HERE.
> mv $TMPLOG $CHGLOG
> 
> # Copy stuff over to $OTHER server
> echo Syncing with other server
> scp $CHGLOG $OTHER:$CHGLOG
> scp /etc/pf.conf $OTHER:/tmp/pf.conf 
> ssh $OTHER "sudo mv /tmp/pf.conf /etc"
> 
> # install. you DID test this, right?  Note the lack of error handling!
> ssh $OTHER "sudo pfctl -f /etc/pf.conf"
> 
> rm ${TMPLOG}.tag
> 
> 
> That's pretty much the strategy.  Lots of site specific assumptions,
> lots of things that could be done better in the script.  As noted,
> one major flaw is the handling when two admins are making
> changes at the same time, but then, at this site, the two of us were
> both familiar with the OpenBSD ways, and always tried to get an "ok"
>

Re: CARP cluster: howto keep pf.conf in sync?

2014-08-01 Thread Claer
Hello,

On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
> On 07/28/14 07:50, Peus, Christoph wrote:
> > Hi all,
> > 
> > 
> > 
> > is there a standard or recommended way to keep the pf.conf on the CARP 
> > cluster
> > members in sync?
> > 
> > Thanks!
> 
> No one standard or recommended way, but lots of ideas, as you can see.
> 
> Here's mine, but for the moment, I'll leave you to develop the script.
> 
> My design philosophy:
> 1) No additional hw, other than the two firewalls.
> 2) EITHER machine should be able to act as master.
> 3) EITHER machine should be able to provide all the info to rebuild the
> failed machine.
> 4) Change control is good, just not how managers usually like to
> implement it.
> 5) uses no other packages (rsync to move pf.conf around?  I don't think
> that's needed)

Could you share it please?


> So...  I wrote a relatively simple little script which
> * Figures out which the "other" machine is
> * does a "diff -u" of the changes between the local machine and the
> "other" machine (assuming the "other" machine is the old config)
> * Displays the diff to the user, and asks you to explain the change.
> * records the diff and your explanation to a file with a date and time
> stamp as a file name into a change log directory.
> * copies the pf.conf and the change log file to the corresponding
> directory in the "other" machine.
> * pfctl -f /etc/pf.conf's the other machine.
> 
> So...you make a change on one box (EITHER!), test it, when satisfied,
> you run the sync script.  It compares the changed file to the other
> system, shows you the diff, and you can:
> 1) comment it and save it to both
> 2) Realize you made a typo, and deleted something you didn't intend to
> or fat-fingered something you didn't intend to, fix.
> 3) Realize that you made some other changes that weren't sync'd on
> either machine
> 4) etc.
> 
> The script is identical between machines, so if you lose EITHER
> firewall, the other can be used to rebuild the missing system, including
> the history.
> 
> If something goes horribly wrong, you just dig out the history file, and
> revert the change.  If something goes horribly wrong before you sync it,
> log into the "other" firewall, and push the changes back.
> 
> Wonder why a rule is in the firewall? Look back through the change log
> and read the comments.
> 
> I've done the same thing with DNS zone files and config files, (in my
> opinion) better than the BIND "master/slave" model -- set up each node
> as a master, and sync the data through scripts like this.
> 
> Nick.

Claer
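An added example of the strategy Nick describes above, written here for this page and not Nick's own script (which he left the reader to develop). It assumes the change log lives in `$CHGDIR` on both nodes, the peer hostname comes from `$OTHER`, ssh to it is non-interactive, and the remote user may run pfctl through sudo as in the quoted fragment. It also adds the two things the quoted fragment admits it lacks: a lock so two admins cannot sync at the same time, and a `pfctl -nf` check before anything is logged or pushed.

```shell
#!/bin/sh
# Added example (not Nick's script): the change-log and locking half of the
# strategy above, written so that it runs on either node. Assumed layout:
# the change log is $CHGDIR on both nodes, the peer hostname comes from
# $OTHER, ssh to it is non-interactive, and the remote user may run pfctl
# through sudo as in the quoted script.

CHGDIR="${CHGDIR:-/var/db/pfchanges}"
PFCONF="${PFCONF:-/etc/pf.conf}"

# One admin at a time: mkdir(2) is atomic, so a second sync cannot interleave
# with the diff-and-push of the first. Returns 1 if the lock is already held.
acquire_lock() {
    mkdir -p "$CHGDIR"
    mkdir "$CHGDIR/.lock" 2>/dev/null
}

release_lock() {
    rmdir "$CHGDIR/.lock" 2>/dev/null || true
}

# Record one change: header, the admin's comment, then "diff -u old new".
# $1 is the peer's (old) copy, $2 the local (new) one, $3 the comment.
# Prints the path of the new log entry; returns 1 when there is no change,
# 2 when pfctl rejects the new ruleset.
record_change() {
    old=$1; new=$2; comment=$3
    if cmp -s "$old" "$new"; then
        return 1
    fi
    # The "you DID test this, right?" step: refuse to log a ruleset pfctl
    # cannot parse. Skipped where pfctl is absent (e.g. a non-OpenBSD test host).
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$new" >&2 || return 2
    fi
    mkdir -p "$CHGDIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    entry="$CHGDIR/$stamp.diff"
    {
        printf 'Date: %s\nBy: %s\nComment: %s\n\n' "$stamp" "${USER:-unknown}" "$comment"
        diff -u "$old" "$new" || true     # diff exits 1 whenever the files differ
    } > "$entry"
    printf '%s\n' "$entry"
}

# Copy the ruleset and its log entry to the peer, re-check it there, then load it.
sync_to_peer() {
    peer=$1; entry=$2
    scp "$PFCONF" "$peer:/tmp/pf.conf.new"
    ssh "$peer" "mkdir -p $CHGDIR"
    scp "$entry" "$peer:$entry"
    ssh "$peer" "sudo pfctl -nf /tmp/pf.conf.new && sudo mv /tmp/pf.conf.new $PFCONF && sudo pfctl -f $PFCONF"
}

# The whole procedure, run on whichever node was edited:
#   OTHER=fw2 ./pfsync.sh --run "allow outbound from the new mgmt net"
main() {
    peer=${OTHER:?set OTHER to the peer hostname}
    acquire_lock || { echo "another sync is in progress" >&2; return 1; }
    tmp=$(mktemp) || { release_lock; return 1; }
    scp "$peer:$PFCONF" "$tmp"
    if entry=$(record_change "$tmp" "$PFCONF" "$1"); then
        diff -u "$tmp" "$PFCONF" || true    # show the admin what is being pushed
        sync_to_peer "$peer" "$entry"
    elif [ $? -eq 1 ]; then
        echo "no change to sync" >&2
    else
        echo "pfctl rejected $PFCONF, nothing pushed" >&2
    fi
    rm -f "$tmp"
    release_lock
}

if [ "${1:-}" = "--run" ]; then
    main "$2"
fi
```

The lock directory is the simplest portable mutex: `mkdir` either creates it or fails, with no window in between. Because the peer re-runs `pfctl -nf` before replacing its own `/etc/pf.conf`, a ruleset that parses locally but references a table or interface that only exists on one node is caught before it is loaded on the other.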



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Claer
On Wed, Sep 25 2013 at 40:16, Adelin Balou wrote:

> Dear Sir/Madame,
> 
> 
> I am a student in pending Master's degree in Network and Security at
> University of Valenciennes (France), I am currently encountering problems
> while setting up a Firewall with Packet Filter on OpenBSD 5.3.
> 
> 
> I wall a PC with 3 network interfaces ( xl0 : connected to WAN , xl1 :
> connected to WLAN , xl2 : connected to LAN ). I need that this PC works like a
> firewall. I have installed OpenBSD and set up rules in /etc/pf.conf
> (please find attached to this mail my pf.conf file; it is commented in
> French, if any questions just let me know).
> 
> 
> The problem is: the Firewall has Internet, and hosts on WLAN and LAN can't
> connect to the internet. I don't know if my NAT and Filtering rules are not
> matching. My /etc/resolv.conf has an ADSL internet Box address and DNS is
> working correctly. My xl0 interface has got an IP from the DHCP server of the ADSL
> Internet Box so no need to create a file /etc/mygate to specify the ADSL
> Internet Box default gateway. The command route show shows me my default
> gateway.

Hi,

Did you enable IP forwarding in sysctl.conf?
DNS has nothing to do with packets going through a firewall.

> I have contacted http://www.evolix.fr/ one of the OpenBSD support link
> http://www.openbsd.org/support.html in Marseille (France) they have read the
> file but they can't find the problem. I will be grateful if you could help me.
> 
> 
> Please find attached my pf.conf file.
Attachments are blocked on this list ;-)

You can read the PF book http://home.nuug.no/~peter/pf/ to find good
information on PF.

Regards,

Claer



Re: OT using absolute paths in scripts

2013-01-14 Thread Claer
On Sun, Jan 13 2013 at 04:11, Maximo Pech wrote:
> At work, we have an "information security" area for IT.
> 
> They mandate that on all shell scripts we have to use absolute paths for
> every single command.
> 
> I feel that this does not provide real security and only makes scripts
> somewhat more painful to write.
> 
> What's your opinion on this?

I saw that technique used, but not for security reasons. Is it the only
recommendation they've made, or are there others?

Because if it is the only one, then you can break through this pretty easily:
$ export IFS='/ 
'

Regards
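The point made above is that an absolute-path rule on its own does nothing about the variables the shell reads from its environment. As an added example, not part of the thread, here is the defensive prologue that a security team would more usefully ask for: it shows a path being split into several words under an inherited IFS, then resets IFS, PATH and the other start-up variables so the script runs the same regardless of who launched it. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: the defensive prologue that makes an
# "absolute paths only" rule meaningful. A literal /bin/ls in a script is not
# subject to word splitting, but anything expanded from a variable is, and both
# IFS and PATH are inherited from whoever starts the script.

# Count the words "$1" splits into under the current IFS.
split_count() {
    set -- $1
    echo $#
}

# Reset the environment-derived settings that change how a script executes.
harden_env() {
    # POSIX default IFS (space, tab, newline), built with printf so that the
    # characters are visible; the trailing x keeps the newline from being stripped.
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}
    # A fixed, trusted search path instead of whatever the caller exported.
    PATH='/bin:/usr/bin:/sbin:/usr/sbin'
    export PATH
    # Variables that alter command lookup or get sourced at shell start-up.
    unset CDPATH ENV BASH_ENV
    umask 077
}

# Returns 0 when IFS is the POSIX default, 1 otherwise (use it as a sanity check).
ifs_is_default() {
    want=$(printf ' \t\nx'); want=${want%x}
    [ "$IFS" = "$want" ]
}
```

Call `harden_env` as the first statement of any script that will be run from cron, from another user's session, or through sudo; after it, `/usr/bin/true` stored in a variable expands to one word again, and command lookup no longer depends on the caller's PATH.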



Re: DNS Google ?

2011-11-22 Thread Claer
On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
> On Nov 22 08:16:21, Nick Holland wrote:
> > Long term, BIND is done.
> > Long term, unbound will probably be replacing it in OpenBSD.
> > 
> > IF you are doing anything beyond a simple resolver, I'd agree
> > completely...take the time to learn unbound/nsd (or djbdns or ...)
> > 
> > However, right now, unbound is a package requiring separate install and
> > maintenance.
> 
> Nick, would you please clarify:
> 
> nsd(8) is in base, unbound is a package;
> yet it is unbound who's gonna be the default resolver?
> What is the status of nsd then? (I am just about to try
> it on one of my resolvers).

NSD is just an authoritative name server that doesn't cache and does not
answer recursive queries.
nsd and unbound are complementary.

Claer



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-10-05 Thread Claer
On Tue, Oct 04 2011 at 42:21, Stuart Henderson wrote:

> On 2011-10-03, Claer  wrote:
> > On Sat, Oct 01 2011 at 18:08, Joe S wrote:
> >
> >> On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius  wrote:
> >> > I have used Soekris for a few years and are very happy with them. They 
> >> > have a new board that will start shipping soon: 
> >> > http://soekris.com/net6501.htm
> >> >
> >> 
> >> Curious if anyone has tried these boards out. I'm looking for
> >> something similar (low power, small size, em nics). These boards seem
> >> really expensive for having an Atom processor. I guess the 4 NICs
> >> drives up the cost.
> >> 
> >> Since I don't actually need 4 NICs, I'm looking at the new Intel
> >> S1200KP (mini-itx 1155 board with dual intel nics). I can put a g620t
> >> and get the same power consumption rates as an atom d525, for the same
> >> prices as the Soekris. Plus I can always upgrade my processor down the
> >> line.
> > The 4 Intel NIC chipsets are expensive. But it's the cost for running very 
> > well under OpenBSD.
> 
> "very well" Hmm?
At least it's been a while since I had problems with them, unlike vr :)

What problems did you get with em? (so I can anticipate things here ;))

Claer



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-10-03 Thread Claer
On Sat, Oct 01 2011 at 18:08, Joe S wrote:

> On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius  wrote:
> > I have used Soekris for a few years and are very happy with them. They have 
> > a new board that will start shipping soon: http://soekris.com/net6501.htm
> >
> 
> Curious if anyone has tried these boards out. I'm looking for
> something similar (low power, small size, em nics). These boards seem
> really expensive for having an Atom processor. I guess the 4 NICs
> drives up the cost.
> 
> Since I don't actually need 4 NICs, I'm looking at the new Intel
> S1200KP (mini-itx 1155 board with dual intel nics). I can put a g620t
> and get the same power consumption rates as an atom d525, for the same
> prices as the Soekris. Plus I can always upgrade my processor down the
> line.
The 4 Intel NIC chipsets are expensive. But it's the cost for running very 
well under OpenBSD. Without 4 Intel NICs, no doubt you will find a cheaper
board.



Re: Dual WAN / IPSec Tunnel

2011-09-21 Thread Claer
On Tue, Sep 20 2011 at 24:18, Dora Pa wrote:
> Hi list,
Hi,

> Recently I have installed openbsd routers at our six locations.
> All of these boxes have two internet connections from two different
> ISPs and are connected via IPSsec with each other.
> Currently I'm using the one of the two internet uplinks as the
> endpoint for the VPN. This has the disadvantage that the VPN
> goes down if the internet connection of the IPSec uplink fails. Is
> there a way to fail over to the second internet link or even better
> use both ISP uplinks as tunnel endpoints.
> 
> I've thought about creating a tunnel from both internet uplinks to each
> uplink but this
> generates a lot of tunnels and I'm not sure if this is the best way to do this.
> 
> Is there any advice / best practice on how to establish an IPSec tunnel
> failover over two different ISP connections?
Here we use gif+ospf over IPSEC to manage fail over. It's working well
for us. For the redundancy part, the rule we follow is to not think
about double-breakdown scenarios. We manage to survive only one failed link
at a time. Monitoring + solving the problem should be OK before another link
fails. This way, the complexity on the central site is only 2 tunnels
per site and not 4.


Claer



Re: 4.7 ospfd FIB/RIB synchronization

2011-07-25 Thread Claer
On Sun, Jul 24 2011 at 27:21, David Gwynne wrote:
> On 24/07/2011, at 8:27 PM, Jonathan Lassoff wrote:
> 
> > On Wed, Apr 20, 2011 at 7:10 AM, David Gwynne  wrote:
> >>
> >> On 20/04/2011, at 11:08 PM, Jonathan Lassoff wrote:
> >>
> >>> On Wed, Apr 20, 2011 at 4:22 AM, David Gwynne  wrote:
> >>>> you might be able to upgrade your passive firewall to 4.9 next to the
> active 4.7 one. it looks like the protocol stayed the same so they should be
> able to talk to each other.
> >>>
> >>> This would seem to be the case.
> >>>
> >>> This (http://undeadly.org/cgi?action=article&sid=20090301211402) is an
> >>> absolutely excellent bit of writing about the improvements to pfsync,
> >>> BTW. Thanks for letting that be shared.
> >>>
> >>>> however, it looks like bulk updates were broken in 4.7, which would
> explain your failover problems. you can work around that by going "pfctl -S
> /dev/stdout | ssh activefw pfctl -L /dev/stdin" as root on the passive fw.
> >>>
> >>> As an initial seeding of state? It seems to me that only some of my
> >>> flows get affected when failing over (not everything is reset and
> >>> traffic can still flow).
> >>
> >> yes. the pfctl commands will do a bulk update since the in kernel
> implementation was unreliable back then.
> >>
> >>> It appears that both firewalls have an approximately congruent set of
> >>> states, but usually a "pfctl -ss | wc -l" can be off by several
> >>> hundred, to several thousand states at times. My hunch is that state
> >>> creation and counter updates are not updated synchronously, so when
> >>> failing over there are still some updates in-flight, and for flows
> >>> that are moving their sequence numbers at a decent clip I could see
> >>> why they might get reset.
> >>
> >> pf has a bit of fuzz when it does its tcp window matching, so packets can
> get ahead of the firewall and be ok.
> >
> > Do you know if there is a way to see how much this fuzz is or if
> > there's an offset?
> 
> from memory its 1000 bytes.
> 
> > If dropped for being out of a window, will (or can) it get logged to pflog?
> 
> again, from memory its just dropped.
> 
> >> i wrote defer, so yes...
> >>
> >> on my boxes the increase in latency is about .2 to .3ms. if a firewall is
> missing its peer(s) it will go up to about 1/100th of a second.
> >
> > So does defer wait for a peer to acknowledge a new state just at the
> > time of creation, or does it include state updates about sequence
> > numbers as well?
> 
> defer only delays the first packet.
> 
> > I suspect I'm hitting a similar issue as you were with long-lived
> > flows getting reset at failover.
> 
> i think my problem is that i run both firewalls with the carp demotion counter
> set low. when a box is rebooted the carp default is at 0 or 1, which means it
> takes over traffic before it gets all the states. later code in rc.local
> demotes it, but by that time some packets have been eaten by the new box. i
> should fix it, but im lazy.
> 
> >> thats exactly how i have my stuff configured.
> >
> > Have you ever had trouble when re-numbering an interface? It seems to
> > me like ospfd doesn't pick up changes in interface numbering if
> > changed out from under it. Most other OSPF daemons I use would pick
> > this up as it changes, but as far I as can tell there's no way to tell
> > ospfd to reload interface addressing.
> 
> interfaces and addresses moving around hurts me too.
> 
> > I'm often needing to add more and more interfaces and ospf interfaces,
> > necessitating failing over so as to make it safe to kill and re-start
> > ospfd -- in the process it just seems to nip some flows from flowing.
> 
> i do that too. lets annoy claudio together!

In my world, it happens that we change interface numbering. The solution we
found is:
- remove the interface from ospfd.conf,
- reload configuration with ospfctl reload,
- destroy the interface (our ospf interfaces are mainly gif ones),
- recreate the interface with new IPs,
- add conf to ospfd.conf,
- reload configuration with ospfctl reload.

This may sound a bit too much, but it works and seems to be reliable for
the moment and it does not require killing and restarting the daemon :)

Claer



Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

2011-06-08 Thread Claer
On Tue, Jun 07 2011 at 49:20, Stefan N wrote:
> Hi All,
> 
> Have you ever tried to install OpenBSD 4.9/amd64 on the Dell
> PowerEdge Server 
> R210,R410,R610,R710 (2.5" SAS Disk) with additional Intel.
> Gigabit ET Quad Port 
> Server Adapter? If yes, are those servers fully
> compatible with OpenBSD 
> 4.9/amd64?
I tested R310, R410 and R610 with quad port nics (82571 and 82576) with an
i386 kernel. All servers work fine. I don't think you'll have much
difference in 64 bit mode.

The R210 refuses to boot on the official install49.iso. Maybe it's a bios
parameter to change, I didn't take the time to investigate (and bug report)
yet. It's on my todo list :)

Regards,

Claer



Re: ipsec vpn 'colouring'

2011-05-27 Thread Claer
On Fri, May 27 2011 at 07:16, Oeschger Patrick wrote:
> *hmmm*
*hmmm*,

> i did a test using ipsec vpn colouring aka. tagging
> ipsec.conf offers the option to tag the vpn traffic for further PF filtering
> using these tags i can instruct PF to use different public NAT addresses
> (outgoing to internet) for each VPN
> but when you have overlapping subnets behind the VPNs then it it difficult to
> get the reply traffic into the right VPN
> maybe i am missing something here...
Why not use the "local" keyword of ipsec.conf for the outgoing address
instead of NAT?

> I expected some feature so tagged traffic will be routed into the VPN carrying
> the same tag (...somehow...)
> did some tests using 'reply-to' in pf rules but that did not work... - an a
> default route will not help because i have many VPN all overlapping in worst
> case
> any ideas? an important option i missed?
Using ipsec tunnels in different rdomains to manage overlapping easily?
(Thanks to Reyk to clarify the usage of ipsec+rdomain)

Claer



Re: routing domain limit (128)

2011-05-27 Thread Claer
On Thu, May 26 2011 at 48:23, Oeschger Patrick wrote:
> hi all
> obsd 4.9 seems to support 128 routing domains
> is this a hard limit or is it configurable?
> how about 512/1024/2048 routing domains? (silly idea?)
> ...i want to consolidate more than 128 small firewalls on one hardware and
> routing domains would be nice to prevent data leaking between the FWs...

Hi,

The max rdomain value is controlled with a define:
sys/socket.h:#define RT_TABLEID_MAX 255

If you think the limit is 128, maybe you were encountering a bug where 128
is hardcoded. I found one in ifconfig configuring gif, reported it to devs,
and now it's fixed in current. Try current and report the bug if it's still
present.

As I didn't try more than 200 rdomains in a test machine, I could not tell
if 512/1024/2048 is a silly idea or not.

Claer



Re: Terminate IPSEC tunnel in virtual routing domain

2011-05-18 Thread Claer
On Tue, May 17 2011 at 39:21, patrick.oesch...@bluewin.ch wrote:
> ...gives me some headache...
> 
> system1: (openbsd 4.9)
> em0 192.168.1.54 (same /24 subnet as system2)
> /etc/isakmpd/isakmpd.
> conf:
> Listen-on=  192.168.1.54
> isakmpd -K
> 
> system2: (openbsd 4.9)
> em0 192.168.1.200 (same /24 subnet as system1)
> 
> /etc/isakmpd/isakmpd.conf
> Listen-on=  192.168.1.200
> isakmpd -K
> 
> as long as em0 on system2 is in rdomain 0 (zero) 
> everything seems fine and using tcpdump i can see bi-directional traffic on 
> UDP/500
> as soon as i put em0 on system2 
> into rdomain 1 using 'ifconfig em0 192.168.1.200 rdomain 1' my headache 
> starts...
Did you run isakmpd in rdomain 1? (as specified in another mail)
route -T1 exec isakmpd -K

The second step would be more problematic, I don't think that enc(4)
supports rdomain yet.

[...]

> anybody having experience in 
> terminating a IPSEC tunnel in a routing domain? (virtual firewall setup)
> maybe i should try GRE with IPSEC on top of 
> that...(?)
Setting up gif on rdomain on top of ipsec works.

Hope this helps :)

Claer



Re: OpenBSD4.9 / Virtual Routing Domains

2011-05-16 Thread Claer
On Sun, May 15 2011 at 24:14, Oeschger Patrick wrote:
> i was playing with virtual routing on openbsd4.9 recently
> first results using vlans are impressive
> now i am asking myself if virtual routing is possible
> - without using dedicated physical interfaces for each routing domain
> - without using dedicated vlans for each routing domain
> 
> idea behind this:
> i have a network appliance with 3 interface (int/ext/mgmt)
> i want to configure 5 routing domains
> i have limited number of physical interfaces
> i do not want to use vlans
> 
> so what i would need in this case is something like a virtual ethernet
> interface
> - which can be bound to a physical ethernet interface (similar to vlans)
> - and the virtual virtual ethernet interface should be assignable to a routing
> domain
> 
> any ideas?
> guess aliases of an interface are not assignable to a routing domain...(?)
> maybe something in progress in the dev tree?
On testing machines I use a couple of loX + gifX to route traffic between
rdomains. It works great :)

- define 1 loopback address for each rdomain, all addresses in rdomain 0
- define a gif tunnel from one loopback to another and assign the gif
  interface to the right rdomain. Don't forget to define gif tunnels in
  both directions!

Ex: gif1 in rdomain 1, lo1 -> lo2
gif2 in rdomain 2, lo2 -> lo1
..


Claer



Re: Redundant IPSEC tunnels

2011-03-01 Thread Claer
On Tue, Mar 01 2011 at 30:03, Steve wrote:

> Hi all,
>  
> We have a high speed Internet link at a primary site that has had some
> stability issues. We would like to set up an adsl link as a backup to maintain
> the ipsec tunnels to the secondary sites if we have further issues.
>  
> Currently clients at site B talk to servers at site A through Tunnel A. If
> tunnel A breaks we need them to talk through tunnel B. I was going to run
> multiple ipsec.conf files at the secondary sites and in the event of failure
> log in and tear down the tunnel A and fire up tunnel B. Although this process
> can be scripted easily enough I was hoping to automate this as much as
> possible.
>  
> Any suggestions ?
You set up tunnels A and B permanently,
you add gif over both tunnels,
then you run ospf on top of gif on both end points, assigning different weights
to the links.

Claer



Re: network bandwith with em(4)

2011-02-25 Thread Claer
On Thu, Feb 24 2011 at 28:19, RLW wrote:

[...]
> 
> ok, so the conclusion might be that if one wants to have transfers
> bigger than 300mbit/s on em(4), one should tune the em(4) driver
> source code?
False

Here are the tests I've done with a packet generator.
http://marc.info/?l=openbsd-misc&m=129534605406967&w=2

Claer



Problems with ospfd and multiple clients

2011-02-01 Thread Claer
Dear list,

Recently I built a new VPN hub and it seems I reached a limit in ospfd.
The configuration is the following :

2 central OpenBSD (4.7 on production, 4.8 and latest snapshot in our
lab). They both run ospfd on the LAN side.

49 OpenBSD clients, running IPSEC + gif encapsulation over to each 
central server. Each client is running ospfd too. Everyone is in
area 0.0.0.0.

On the 50th client, the central daemon stops functioning normally and
emits a *LOT* of traffic to each client.

The only solution is to kill simultaneously ospfd on each central server 
and restart the daemon after the packet storm ended.

I was able to reproduce the problem with 2 servers :
 - the first one has a single ospfd daemon for all 50 gif,
 - the second one has 50 rdomains and each rdomain contains one gif
   and an ospfd daemon
 - pf was configured with "pass all"
 - no IPSEC

Note also that the problem only occurs if the ospf states are FULL/P2P;
we had to establish all 50 peerings in order to reproduce the problem.

Nothing useful can be found in the log files ("ospfd -vd").

Here is a sample of what is emitted continuously (look at the timestamp
to see how aggressive the flood is) :

17:49:46.220024 10.10.254.140 > 172.16.0.138: 192.168.200.153 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
58146, len 48) [tos 0xc0] (ttl 64, id 34204, len 68)
17:49:46.220035 10.10.254.140 > 172.16.0.106: 192.168.200.25 > 192.168.200.26: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
9168, len 48) [tos 0xc0] (ttl 64, id 53652, len 68)
17:49:46.220047 10.10.254.140 > 172.16.0.111: 192.168.200.45 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
34368, len 48) [tos 0xc0] (ttl 64, id 57261, len 68)
17:49:46.220066 10.10.254.140 > 172.16.0.100: 192.168.200.1 > 192.168.200.2: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
22329, len 48) [tos 0xc0] (ttl 64, id 44263, len 68)
17:49:46.220077 10.10.254.140 > 172.16.0.147: 192.168.200.189 > 
192.168.200.190: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 39764, len 48) [tos 0xc0] (ttl 64, id 21228, len 68)
17:49:46.220093 10.10.254.140 > 172.16.0.115: 192.168.200.61 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
65435, len 48) [tos 0xc0] (ttl 64, id 43562, len 68)
17:49:46.220105 10.10.254.140 > 172.16.0.102: 192.168.200.9 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
21586, len 48) [tos 0xc0] (ttl 64, id 38683, len 68)
17:49:46.220118 10.10.254.140 > 172.16.0.144: 192.168.200.177 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
8955, len 48) [tos 0xc0] (ttl 64, id 2926, len 68)
17:49:46.220135 10.10.254.140 > 172.16.0.126: 192.168.200.105 > 
192.168.200.106: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 52430, len 48) [tos 0xc0] (ttl 64, id 27209, len 68)
17:49:46.220146 10.10.254.140 > 172.16.0.134: 192.168.200.137 > 
192.168.200.138: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 18572, len 48) [tos 0xc0] (ttl 64, id 46924, len 68)
17:49:46.220157 10.10.254.140 > 172.16.0.102: 192.168.200.9 > 192.168.200.10: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
26438, len 48) [tos 0xc0] (ttl 64, id 51262, len 68)
17:49:46.220168 10.10.254.140 > 172.16.0.129: 192.168.200.117 > 
192.168.200.118: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 8920, len 48) [tos 0xc0] (ttl 64, id 38270, len 68)
17:49:46.220187 10.10.254.140 > 172.16.0.124: 192.168.200.97 > 192.168.200.98: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
61062, len 48) [tos 0xc0] (ttl 64, id 50506, len 68)
17:49:46.220198 10.10.254.140 > 172.16.0.120: 192.168.200.81 > 192.168.200.82: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
38498, len 48) [tos 0xc0] (ttl 64, id 50045, len 68)
17:49:46.220213 10.10.254.140 > 172.16.0.143: 192.168.200.173 > 
192.168.200.174: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 28513, len 48) [tos 0xc0] (ttl 64, id 45727, len 68)
17:49:46.220226 10.10.254.140 > 172.16.0.117: 192.168.200.69 > 224.0.0.6: 
OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 0xc0] [ttl 1] (id 
53678, len 48) [tos 0xc0] (ttl 64, id 49607, len 68)
17:49:46.220237 10.10.254.140 > 172.16.0.133: 192.168.200.133 > 
192.168.200.134: OSPFv2-ls_upd 28: rtrid 10.8.2.53 backbone auth "XX" [tos 
0xc0] [ttl 1] (id 30748, len 48) [tos 0xc0] (ttl 64, id 15801, len 68)

Sample master ospfd.conf :
password="XX"

router-id 10.8.2.53

auth-key $password
auth-type simple

no redistribute 10.8.2.48/30

redistribute 10.0.0.0/8
redistribute 10.10.250.128/25

# areas

Re: LACP trunk load balancing hash algorithm

2011-01-18 Thread Claer
On Mon, Jan 17 2011 at 35:23, Jason Healy wrote:
> I had a few hours to play with a hardware traffic generator today, I wanted to
> try beating up my OpenBSD setup to see what kind of throughput I could get.
> 
> For the curious, I was able to pulverize it with 64 byte packets and it topped
> out at about 165kpps.  Throughput was less than physical interface speed
> (about 800Mbps).  For fun, I cranked the payload size up to 1500 bytes, but I
> couldn't get the box to exceed 1Gbps, even though I had several gigabit
> interfaces trunked together.  At first, it was a switch problem (the switch
> was sending all the traffic over a single link).  However, after I found out
> my switches LACP hash algorithm I was able to spread the traffic out by
> randomizing the port numbers.
I also played with a traffic generator recently. Here are some numbers from the
tests we've done:

Hardware : Dell R310, 2 Gb of RAM, CPU was a quad core, I didn't write down the exact
model yet. I could bring it in a few days.
NIC : Intel gigabit Quad port ET2 (Chipset 82576)
Software : 4.8-stable, no patch, no sysctl customisation except ip.forwarding=1
Firewall Ruleset : echo "pass all" > /etc/pf.conf && pfctl -f /etc/pf.conf

Max pps =~ 330-340K
Test IMIX =~ 1,1 Gb/s

We were able to fully route 2Gb/s of traffic with 1024 packet length
(1 Gb/s in each direction) without losing a single packet.

Theoretically, the box should be able to route 4Gb/s (33*10^4*1518*8)
Largely enough for our use :)

> I then confirmed that 4Gbps of traffic was leaving the switch to the OpenBSD
> box, but only 1Gbps was coming back.  Therefore, I'm guessing that the
> load-balancing algorithm for OpenBSD does not behave the same way as my
> Juniper switching gear.  Does anybody know the LACP hash that the trunk
> interface in OpenBSD uses to load-balance the outgoing traffic?  I didn't have
> time to do more than a cursory test with different port numbers and IP
> addresses, so I'm not sure what I might be doing wrong, or if its even
> possible to use layer 3/4 info in OpenBSD to hash the traffic.  Since I'm
> using the box as a router, layer 2 hashing doesn't help me very much since the
> source MAC is always the same.
> 
> I took a peek at the source, but I'm definitely not a C hacker, so nothing
> jumped out at me for computing the hash...
> 
> Thanks,
> 
> Jason

Claer



Re: pf and DNS

2011-01-07 Thread Claer
On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote:
> I try to use OpenBSD wherever I can and in the firewall I have
> installed in a big jewel store
> here I have the following problem.
> 
> Many websites these days "Akamize" or do whatever that gives them a
> different IP address
> everytime you access it.
> 
> And consequently pf which does not know a thing about domains does not help 
> us.
> 
> I want a solution which can address this.
Use a proxy according to your application protocol (like squid for http)
and do the application-level filtering on it.

> What I currently do is add an entry manually to /etc/hosts and ask
> everyone in the network
> to us my DNS.

> It is crappy and bereft with 100s of problems.
> 
> First thing is that it does not allow us to use "Akamaizer" and load
> balancing feature offered by them.
> 
> And it is not a good idea to change on every computer...
> 
> Is there a better idea?
Proxification will mostly require modifications on the client side, but
it could be simplified with proxy.pac distribution. If you go the socks
way, you won't have any choice but to install a proxy client on each
computer.
 
Claer



Re: relayd port to linux

2010-11-06 Thread Claer
On Sat, Nov 06 2010 at 51:01, Joe McDonagh wrote:

> On 11/05/2010 05:31 PM, Aleksandar Lazic wrote:
> >On Fre 05.11.2010 10:45, Theo de Raadt wrote:
> >>>due to the fact that openssh and some other parts of openbsd are
> >>>ported to linux maybe you can tell me if you plan to make a
> >>>openrelayd which is able to compile on linux.
> >>
> >>relayd depends deeply on pf.
> >>
> >>so the answer is no.
> >
> >ok, sorry for rush.
> >
> >Do you know a good replacement for stunnel with http-header rewrite on
> >non openbsd OS?!
> >
> Well, besides Marco being right about the best Unix system for
> networking out there (OpenBSD, keep in mind I manage a lot of
> reenucksh systems too), I would check out nginx or
> mod_proxy_balancer. I am big into puppet (uses ssl for
> communication), and I load balance with mod_proxy_balancer, and I
> know a lot of people who use nginx (but not me).
Move your puppet to apache+passenger instead of starting several
mongrel instances. It is much simpler to manage.


Claer


> -- 
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."



[SOLVED] Re: Error establishing ppp connection with UMTS modem mini-pci card

2010-10-01 Thread Claer
On Fri, Oct 01 2010 at 00:11, Denis Doroshenko wrote:

> On Fri, Oct 1, 2010 at 10:31 AM, Claer  wrote:
> ...
> 
> it's usual for today's modems to not negotiate their IP address (in
> older days handsets would send some dummy value), but you can add a
> predefined address for the peer to the /etc/ppp/options, like:
> 
> :192.168.255.254

I was afraid to pick up any arbitrary IP address. Well, it works fine
right now and I'm able to surf using the box so everything is fine.

Thanks everyone! 

Claer



Re: Error establishing ppp connection with UMTS modem mini-pci card

2010-10-01 Thread Claer
On Thu, Sep 30 2010 at 45:10, Tilo Stritzky wrote:

> On 30/09/10 00:40  Claer wrote:
> > Hello list, 
> > 
> > I have a minipci umts modem that is recognized fine by OpenBSD (4.7-stable)
> > but I'm unable to find the good pppd configuration to establish the 
> > configuration to my ISP.
> [...]
> > 
> > The content of /etc/ppp/chat/orange :
> > ABORT BUSY
> > ABORT 'NO CARRIER'
> > ABORT VOICE
> > ABORT "NO DIALTONE"
> > "" AT
> > OK AT+CGDCONT=1,"IP","orange.fr"
> 
> No PIN setup?
Nope, there is no pin for this chip.

> > OK ATDT*99***1#
> > 'CONNECT' '\c'
> > 'TIMEOUT' '5'
> > 
> > In the /var/log/messages I can see these lines :
> > Aug 24 02:51:14 fw pppd[14700]: pppd 2.3.5 started by root, uid 0
> > Aug 24 02:52:00 fw pppd[14700]: Connect script failed
> > 
> > Any help appreciated :)
> 
> Your connect script failed. Now find out why.
> /var/log/daemon is a better place to look for pppd output, maybe you
> have to include debug-level messages in syslog.conf to see the chat
> stuff.
> 
> Or get cu(1) and try to run your chat sequence manually, see where
> it breaks.

Thanks for the help. The script was missing '' ATZ at the start.
Now I'm blocked one step further. pppd seems to be unable to negotiate
the IP address. As you suggested I added debug info to syslog in order
to see what was wrong with the daemon.

Here are the new /etc/ppp/peers/orange and the new log trace :

/dev/cuaU0
384000
noauth
noipdefault
defaultroute
novj
#nodeflate
nobsdcomp
debug
kdebug 1
user "orange"
connect "/usr/sbin/chat -v -f /etc/ppp/chat/orange"


pppd[27737]: sent [LCP ConfReq id=0x1   ]
pppd[27737]: rcvd [LCP ConfReq id=0x0 ]
pppd[27737]: sent [LCP ConfAck id=0x0 ]
pppd[27737]: rcvd [LCP ConfAck id=0x1   ]
pppd[27737]: rcvd [LCP DiscReq id=0x1 magic=0xd6e2d43d]
pppd[27737]: rcvd [CHAP Challenge id=0x1 <62bca7bd3427414f92ef743e467a1c6f>, 
name = "UMTS_CHAP_SRVR"]
pppd[27737]: sent [CHAP Response id=0x1 , 
name = "orange"]
pppd[27737]: rcvd [CHAP Success id=0x1 ""]
pppd[27737]: sent [IPCP ConfReq id=0x1 ]
pppd[27737]: sent [CCP ConfReq id=0x1  ]
pppd[27737]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0c 1a 04 78 00 18 04 78 00]
pppd[27737]: rcvd [IPCP ConfNak id=0x1  ]
pppd[27737]: sent [IPCP ConfReq id=0x2 ]
pppd[27737]: rcvd [IPCP ConfNak id=0x2  ]
pppd[27737]: sent [IPCP ConfReq id=0x3 ]
pppd[27737]: rcvd [IPCP ConfReq id=0x0]
pppd[27737]: sent [IPCP ConfNak id=0x0 ]
pppd[27737]: rcvd [IPCP ConfNak id=0x3 ]
pppd[27737]: sent [IPCP ConfReq id=0x4 ]
pppd[27737]: rcvd [IPCP ConfReq id=0x1]
pppd[27737]: sent [IPCP ConfAck id=0x1]
pppd[27737]: rcvd [IPCP ConfAck id=0x4 ]
pppd[27737]: Could not determine remote IP address
pppd[27737]: sent [IPCP TermReq id=0x5 "Could not determine remote IP address"]
pppd[27737]: rcvd [IPCP TermAck id=0x5]
pppd[27737]: sent [LCP TermReq id=0x2 "No network protocols running"]
pppd[27737]: rcvd [LCP TermAck id=0x2]
pppd[27737]: Connection terminated.
 

Claer
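The trace above lost the option text inside the angle brackets in the archive, but the pattern is still readable: LCP completes, CHAP succeeds, IPCP goes through ConfReq/ConfNak rounds, and pppd gives up with "Could not determine remote IP address". The following Python is an added example, not part of Claer's post or of pppd: it parses pppd debug lines of the shape quoted above into a per-phase summary, tracking which IPCP addresses were proposed and acknowledged in each direction, and flags the case where the peer's IPCP ConfReq never carries an `<addr ...>` option. The sample lines are constructed (RFC 5737 addresses) to mirror the exchange, with the bracketed option text the archive dropped filled in as an assumption.

```python
import re

# Lines of the shape quoted above; the option text in <...> is what we key on.
LINE_RE = re.compile(r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[(?P<proto>LCP|CHAP|IPCP) "
                     r"(?P<kind>\w+) id=(?P<id>0x[0-9a-fA-F]+)(?P<rest>.*)\]")
ADDR_RE = re.compile(r"<addr (\d{1,3}(?:\.\d{1,3}){3})>")
MSG_RE = re.compile(r"pppd\[\d+\]: (?P<msg>[A-Z][^\[]*)$")   # plain diagnostics

def parse(line):
    """Fields of one negotiation line, or None for any other pppd output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"], 16)
    a = ADDR_RE.search(rec["rest"])
    rec["addr"] = a.group(1) if a else None
    return rec

def summarize(lines):
    """Walk LCP -> CHAP -> IPCP and record how far the link got."""
    s = {"lcp": "down", "auth": "none", "ipcp": "not started", "local_addr": None,
         "remote_addr": None, "naks_received": 0, "peer_reqs_without_addr": 0, "messages": []}
    sent_ipcp, peer_ipcp = {}, {}   # id -> address proposed by us / by the peer
    for line in lines:
        rec = parse(line)
        if rec is None:
            m = MSG_RE.search(line)
            if m:
                s["messages"].append(m.group("msg").strip())
            continue
        proto, kind, direction = rec["proto"], rec["kind"], rec["dir"]
        if proto == "LCP":
            if kind == "ConfAck" and direction == "rcvd":
                s["lcp"] = "up"
            elif kind == "TermReq":
                s["lcp"] = "terminated"
        elif proto == "CHAP" and kind in ("Success", "Failure"):
            s["auth"] = "CHAP ok" if kind == "Success" else "CHAP failed"
        elif proto == "IPCP":
            if s["ipcp"] == "not started":
                s["ipcp"] = "negotiating"
            if direction == "sent" and kind == "ConfReq":
                sent_ipcp[rec["id"]] = rec["addr"]
            elif direction == "rcvd" and kind == "ConfAck":
                s["local_addr"] = sent_ipcp.get(rec["id"])    # peer accepted our address
            elif direction == "rcvd" and kind == "ConfNak":
                s["naks_received"] += 1                       # peer wants another one
            elif direction == "rcvd" and kind == "ConfReq":
                peer_ipcp[rec["id"]] = rec["addr"]
                if rec["addr"] is None:
                    s["peer_reqs_without_addr"] += 1          # peer said nothing about itself
            elif direction == "sent" and kind == "ConfAck":
                s["remote_addr"] = peer_ipcp.get(rec["id"])   # we accepted the peer's
            elif direction == "sent" and kind == "TermReq":
                s["ipcp"] = "terminated"
    if s["ipcp"] == "negotiating" and s["local_addr"] and s["remote_addr"]:
        s["ipcp"] = "up"
    return s

def diagnose(s):
    """One-line reading of the summary, in the order the phases run."""
    if s["lcp"] == "down":
        return "LCP never completed: check the chat script and serial settings first"
    if s["auth"] == "CHAP failed":
        return "the peer rejected the CHAP credentials"
    if s["ipcp"] == "up":
        return "link up: local %s, remote %s" % (s["local_addr"], s["remote_addr"])
    if s["remote_addr"] is None and s["peer_reqs_without_addr"]:
        return ("peer never proposed its own address in IPCP (%d ConfReq without <addr>), "
                "so pppd cannot learn the remote IP" % s["peer_reqs_without_addr"])
    return "negotiation incomplete: " + "; ".join(s["messages"])

# Constructed sample in the format quoted above (RFC 5737 addresses; not the original log).
SAMPLE_FAIL = [
    "pppd[27737]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2b1a9e44>]",
    'pppd[27737]: rcvd [CHAP Success id=0x1 ""]',
    "pppd[27737]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]",
    "pppd[27737]: rcvd [IPCP ConfNak id=0x1 <addr 192.0.2.10>]",
    "pppd[27737]: sent [IPCP ConfReq id=0x2 <addr 192.0.2.10>]",
    "pppd[27737]: rcvd [IPCP ConfReq id=0x0]",
    "pppd[27737]: sent [IPCP ConfNak id=0x0 <addr 0.0.0.0>]",
    "pppd[27737]: rcvd [IPCP ConfAck id=0x2 <addr 192.0.2.10>]",
    "pppd[27737]: rcvd [IPCP ConfReq id=0x1]",
    "pppd[27737]: sent [IPCP ConfAck id=0x1]",
    "pppd[27737]: Could not determine remote IP address",
    'pppd[27737]: sent [IPCP TermReq id=0x3 "Could not determine remote IP address"]',
    'pppd[27737]: sent [LCP TermReq id=0x2 "No network protocols running"]',
]
# Same link, but the peer announces its address: the negotiation completes.
SAMPLE_OK = SAMPLE_FAIL[:2] + [
    "pppd[27737]: sent [IPCP ConfReq id=0x1 <addr 192.0.2.10>]",
    "pppd[27737]: rcvd [IPCP ConfReq id=0x0 <addr 192.0.2.1>]",
    "pppd[27737]: sent [IPCP ConfAck id=0x0 <addr 192.0.2.1>]",
    "pppd[27737]: rcvd [IPCP ConfAck id=0x1 <addr 192.0.2.10>]",
]
```

On the failing sample, `diagnose()` reports that the peer never proposed its own address, which is the condition behind pppd's "Could not determine remote IP address". The parser only narrows the failure to the IPCP phase and to the peer's side of it; whether the cure lies in the peer options or in the provider's IPCP behaviour is the next step.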



Error establishing ppp connection with UMTS modem mini-pci card

2010-09-29 Thread Claer
Hello list, 

I have a minipci umts modem that is recognized fine by OpenBSD (4.7-stable)
but I'm unable to find the good pppd configuration to establish the 
configuration to my ISP.

The modem is recognized as follows :
umsm0 at uhub1 port 2 configuration 1 interface 0 "HP HP hs2300 HSDPA Broadband 
Wireless Module" rev 1.10/0.01 addr 2
ucom0 at umsm0

and ATI send :
Sierra Wireless, Inc.
MC8775
APP1

OK


I'm using this configuration for pppd :
/etc/ppp/peers/orange :
/dev/cuaU0
384000
noauth
noipdefault
defaultroute
deflate 0
bsdcomp 0
noccp
noaccomp
novj
novjccomp
lock
debug
kdebug 1
user "orange"
connect "/usr/sbin/chat -v -f /etc/ppp/chat/orange"

The content of /etc/ppp/chat/orange :
ABORT BUSY
ABORT 'NO CARRIER'
ABORT VOICE
ABORT "NO DIALTONE"
"" AT
OK AT+CGDCONT=1,"IP","orange.fr"
OK ATDT*99***1#
'CONNECT' '\c'
'TIMEOUT' '5'

In the /var/log/messages I can see these lines :
Aug 24 02:51:14 fw pppd[14700]: pppd 2.3.5 started by root, uid 0
Aug 24 02:52:00 fw pppd[14700]: Connect script failed

Any help appreciated :)

Thanks,

Claer



Re: CARP + PF

2010-08-05 Thread Claer
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
> The question I have is how do I get dhclient working with the cable modem,
> given that the IP address is dynamic? dhclient doesn't work when the carp
> interface is in INIT mode and I'm not sure how to get carp to "share" the IP
> address between the 2 boxes. I presume that this must be possible to do as I
> am sure others would want to do it too.
> 
> What would the best way of doing this be? My criteria is:
> 
> - 1 cable modem with an IP assigned by my provider via DHCP
> - 1 dsl modem with statically assigned IPs
> - 2 boxes running OpenBSD, 1 master and 1 backup. If the master goes down, the
> backup takes over the master's duties and routes traffic through the cable
> modem and dsl modem according to my routing/firewall rules [which I am happy
> with - basically load balancing through various NAT rules]
> 
> I'd appreciate any comments or advice
I wouldn't use carp for the Internet connections but for the LAN interfaces.
For establishing Internet connections, one can use ifstated using the 
CARP state of the lan interface. 

You'll end up with a simple state machine (in pseudo language): 

carp init :
    if carp.up
        state carp_up
    if carp.down
        state carp_down
carp_up :
    start dhclient, pppoe on dsl
    pfctl -f
    if carp.down
        state carp_down
carp_down :
    stop dhclient, pppoe
    if carp.up
        state carp_up



Re: openbsd 4.7 pf + route-to question

2010-07-27 Thread Claer
On Tue, Jul 27 2010 at 04:10, Maikel Verheijen wrote:
> Hello fellow openbsd fans,
Hello,

> While preparing a test environment for my upgrade to openbsd 4.7 I ran into a
> slight problem. My current setup uses route-to rules to send out traffic back
> out on the interface it received it on like this:
> 
> pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from ($ext_if2)
> pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from ($ext_if2)
> 
> After changing this to
> 
> pass out on $ext_if2 from ($ext_if2) route-to ($ext_if1 $ext_if1_router)
> pass out on $ext_if1 from ($ext_if1) route-to ($ext_if2 $ext_if2_router)
> 
> and applying this to a fresh install of openbsd 4.7 this only seems to work
> when I enable multi-path routing with 2 default gateways. This has the
> disadvantage that all traffic gets sent out round-robin, which is not what I
> want.
> 
> Can anyone help me figure out what I'm doing wrong? This setup does seem to
> work on openbsd 4.5, didn't try 4.6 yet, but will do so later today to see if
> it works there.

I'm not sure route-to is supposed to work with "pass out" rules. I always 
thought it was only for incoming connections.



Re: VPN between OpenBSD loopback interfaces - possible ?

2010-06-08 Thread Claer
On Mon, Jun 07 2010 at 10:18, rh...@hushmail.com wrote:
> Actually, thinking about this again, I see from "netstat -an" that 
> isakmpd listens on all ports by default.   Therefore needing to 
> specify in isakmpd.conf should be unnecessary, no ?

My bad, normally the "local" directive in ipsec.conf should be ok.
Binding on a specific address was necessary for my case because I had
more than 255 local addresses (*lots* of vlan...).

> The precise errors I am seeing at present are :
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from 10.0.0.2 port 500 due to notification 
> type INVALID_ID_INFORMATION
> 
> I have reduced configs to minimal levels:
> 
> ike esp from 10.0.0.2 to 10.0.0.1 local 10.0.0.1 peer 10.0.0.2 \
> psk ***
> 
> ike esp from 10.0.0.1 to 10.0.0.2 local 10.0.0.2 peer 10.0.0.1 \
> psk ***
> 
> 
> I can ping 10.0.0.2/10.0.0.1 from each other.

Here is the configuration I used between 2 peers :

ike esp tunnel \
from 10.10.10.6 to 10.10.10.5 \
main  auth hmac-sha1 enc aes group grp5 \
quick auth hmac-sha1 enc aes group grp5 \
psk OpenBSD


As stated, just adding the "local" keyword should suffice.


Claer



Re: VPN between OpenBSD loopback interfaces - possible ?

2010-06-07 Thread Claer
On Mon, Jun 07 2010 at 15:10, rh...@hushmail.com wrote:
> Hello List,
> 
> Have a working OSPF / BGP test setup going between two machines, 
> with BGP using the loopback of the other machine as the endpoint.
> 
> I now would like to go one step further and implement PF with 
> pfsync over IPSec as I don't have any spare ethernet ports.
> 
> The problem is that I've tried all sorts of ipsec.conf 
> configurations (including various combinations  using "local", 
> "peer", "srcid", "dstid" parameters)  however isakmpd always 
> sees the incoming connection as originating from the IP address of 
> the ethernet interface instead of the loopback.
> 
> Has anyone on list had success in getting a VPN going between 
> loopbacks ?

Aren't you looking for this ? : 

r...@fw ~ # cat /etc/isakmpd/isakmpd.conf   
  
# $Id: isakmpd.conf 44 2009-04-02 16:32:20Z claer $
[General]
DPD-check-interval= 30
Default-phase-1-lifetime=   86400,60:86400
Default-phase-2-lifetime=   28800,60:86400
Listen-on= IP.IP.IP.IP


Claer



Re: LDAP & Kerberos authentification

2010-05-19 Thread Claer
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
> On 19.05.2010 20:52, Claer wrote:
> >However, on the kerberos server side, no request have been made to the
> >"claer" account :
> >May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 
> >23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
> >krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos 
> >database
> >
> >Thanks for helping me so far!
> >
> >Claer
> >
> 
> Hi Claer,
> I'm not sure if this may help, but I asked myself if the client/user
> you are connecting from is using kerberos.

There shouldn't be any difference. In this case, Kerberos is used to 
verify the authentication of the user from the ssh server's point of view,
not to verify whether the user already has a krb ticket and log him in
automatically.

However I did the test and it didn't change anything (as expected :) )


Claer



Re: LDAP & Kerberos authentification

2010-05-19 Thread Claer
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:

> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> > 
> > Now the next step is to try an authentification with ssh. That's why
> > /etc/login.conf has been modified regarding auth entry :
> > 
> > auth-defaults:auth=krb5-or-pwd,passwd:
> > 
> > But, when I try to ssh in with -l claer, sshd doesn't seem to find
> > the "claer" passwd entry and I have this line on the kerberos server :
> > 
> > May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 
> > 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
> > krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos 
> > database
> > 
> > Any hint ?
> 
> Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the "claer" local account is enabled, it's working fine with
Kerberos auth. I can confirm this by watching log files and I even tried
to alter the hashed passwd with vipw to be sure I was not using the 
local password.

ypldap + ypbind are working fine :

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh
# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port  to check. Here are the 
interesting debug logs :

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method 
keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos 
database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog :
May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos 
database

However, on the kerberos server side, no request has been made to the 
"claer" account :
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 
2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!



Claer
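The sshd trace above settles the question before the KDC is even consulted: "unable to get login class: claer" is followed by "invalid user claer", and for a login name it has rejected, sshd carries on the exchange with a placeholder passwd entry (OpenSSH's fakepw(), whose name is NOUSER) so as not to reveal which accounts exist; the Kerberos password check then derives its principal from that entry, which is why the KDC logs an AS_REQ for a principal other than the user. The following Python is an added example, not from the thread or from OpenSSH: it groups sshd debug lines and KDC log lines per login name and states which side rejected the login. The sample lines are constructed (example.com realm, RFC 5737 addresses, lines unwrapped), and `NOUSER@EXAMPLE.COM` is the constructed stand-in for the placeholder principal.

```python
import re

# Line shapes from the sshd debug output and KDC log quoted above.
CLASS_RE = re.compile(r"unable to get login class: (?P<user>\S+)")
INVALID_RE = re.compile(r"input_userauth_request: invalid user (?P<user>\S+)")
METHOD_RE = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
KRB_RE = re.compile(r"Kerberos password authentication failed: (?P<reason>.+)")
KDC_RE = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ .*?: (?P<code>[A-Z_]+): (?P<client>\S+) for (?P<service>\S+),")

def new_record():
    return {"invalid": False, "class_lookup_failed": False, "methods": [],
            "krb_error": None, "source": None, "kdc_clients": []}

def triage(sshd_debug, kdc_log):
    """Collect, per login name, what sshd decided and what the KDC saw."""
    users, current = {}, None
    for line in sshd_debug:
        m = CLASS_RE.search(line)
        if m:
            users.setdefault(m.group("user"), new_record())["class_lookup_failed"] = True
            continue
        m = INVALID_RE.search(line)
        if m:
            users.setdefault(m.group("user"), new_record())["invalid"] = True
            continue
        m = METHOD_RE.search(line)
        if m:
            current = m.group("user")
            users.setdefault(current, new_record())["methods"].append(m.group("method"))
            continue
        m = FAILED_RE.search(line)
        if m:
            users.setdefault(m.group("user"), new_record())["source"] = m.group("ip") + ":" + m.group("port")
            continue
        m = KRB_RE.search(line)
        if m and current is not None:   # the Kerberos line names no user; attach to the current one
            users[current]["krb_error"] = m.group("reason").strip()
    for line in kdc_log:
        m = KDC_RE.search(line)
        if not m:
            continue
        client = m.group("client")
        local = client.split("@", 1)[0]
        # Attach the request to the matching login name, or to every user under
        # investigation when no login name matches (that is the interesting case).
        for name in ([local] if local in users else list(users)):
            users[name]["kdc_clients"].append((client, m.group("code")))
    return users

def verdict(name, rec):
    """Say where the failure sits: sshd's account checks, or the KDC."""
    if rec["invalid"] and rec["class_lookup_failed"]:
        msg = ("sshd rejected %s before authentication because the login class lookup failed; "
               "later Kerberos errors concern sshd's placeholder user, not this account" % name)
    elif rec["invalid"]:
        msg = "sshd could not find a passwd entry for %s" % name
    elif rec["krb_error"]:
        msg = "%s exists locally; the KDC rejected the password: %s" % (name, rec["krb_error"])
    else:
        msg = "no failure recorded for %s" % name
    foreign = [c for c, _ in rec["kdc_clients"] if c.split("@", 1)[0] != name]
    if foreign:
        msg += "; the KDC saw AS_REQ for %s instead of %s" % (", ".join(foreign), name)
    return msg

# Constructed sample (example.com realm, RFC 5737 addresses), mirroring the exchange quoted above.
SSHD_DEBUG = [
    "debug1: userauth-request for user claer service ssh-connection method none",
    "debug1: unable to get login class: claer",
    "input_userauth_request: invalid user claer",
    "Failed none for invalid user claer from 192.0.2.100 port 52325 ssh2",
    "debug1: userauth-request for user claer service ssh-connection method publickey",
    "debug1: userauth-request for user claer service ssh-connection method keyboard-interactive",
    "debug1: userauth-request for user claer service ssh-connection method password",
    "debug1: Kerberos password authentication failed: Client not found in Kerberos database",
    "Failed password for invalid user claer from 192.0.2.100 port 52325 ssh2",
]
KDC_LOG = [
    "May 19 20:44:56 kdc krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) "
    "192.0.2.1: CLIENT_NOT_FOUND: NOUSER@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Client not found in Kerberos database",
]

if __name__ == "__main__":
    for name, rec in triage(SSHD_DEBUG, KDC_LOG).items():
        print(verdict(name, rec))
```

The point of the cross-check is the mismatch between the login name and the AS_REQ principal: when they differ, the KDC line is a symptom of sshd having already rejected the account, and the place to look is the passwd entry and its login class on the ssh server, not the Kerberos database.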



Re: LDAP & Kerberos authentification

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
> > disable this  behavior?
> 
> Yes.
> 
> [appdefaults]
>   kinit = {
>   afslog = no
>   }

Continuing to play with Kerberos, I'm adding ypldap into play.

This time, I'd like to use ldap to add entries to getent passwd
and Kerberos for authentication (I'd like to avoid the login_ldap
step if possible). As my kerberos setup is now ok, I declared the LDAP
server on /etc/ypldap.conf, started portmap ypldap ypbind, added the
"+:" entries to passwd and group.

Now, I have a working ypbind system. To confirm this, I renamed my 
local account as _claer using vipw and verified the output of 
getent passwd :

# getent passwd | grep claer
_claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh

Now the next step is to try an authentication with ssh. That's why
/etc/login.conf has been modified regarding auth entry :

auth-defaults:auth=krb5-or-pwd,passwd:

But, when I try to ssh in with -l claer, sshd doesn't seem to find
the "claer" passwd entry and I have this line on the kerberos server :

May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 
2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for 
krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Any hint ?


Regards, 

Claer



Re: LDAP & Kerberos authentification

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
> > disable this  behavior?
> 
> Yes.
> 
> [appdefaults]
>   kinit = {
>   afslog = no
>   }

Perfect :)

Now I can move forward and play with ypldap. Thanks.


Claer



LDAP & Kerberos authentification

2010-05-19 Thread Claer
Hello,

I'm playing with Kerberos authentication on my box and there
are some problems that I need assistance for.

For the first time I saw a lack of documentation on OpenBSD
(Well, maybe it's time to contribute :-)) regarding authentication.

The FAQ doesn't help much on Kerberos. It just says to read 
"# info heimdal". Well, I did it and I was a little disappointed. The
info is great to set up a Kerberos server but, being new to Kerberos, I'd
have liked information on setting up a client.
After some hours googling/learning, I finally managed to get the
Kerberos Server running and configured the OpenBSD client as follows :

# cat /etc/kerberosV/krb5.conf
[libdefaults]
default_realm = CLAER.HAMMOCK.FR

[realms]
CLAER.HAMMOCK.FR = {
kdc = diogene.claer.hammock.fr
admin_server = diogene.claer.hammock.fr
master_kdc = diogene.claer.hammock.fr
default_domain = claer.hammock.fr
}

[domain_realm]
.claer.hammock.fr = CLAER.HAMMOCK.FR
claer.hammock.fr = CLAER.HAMMOCK.FR

# ls -l /etc/kerberosV/krb5.keytab
-rw---  1 root  wheel  358 May 15 15:45 /etc/kerberosV/krb5.keytab

From there, I can obtain a kerberos ticket on the system :

# kinit claer
cl...@claer.hammock.fr's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: cl...@claer.hammock.fr

  Issued   Expires  Principal
May 19 10:06:28  May 19 20:05:51  krbtgt/claer.hammock...@claer.hammock.fr

Strange thing is I saw this in the server logfile :
May 19 10:06:34 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 
3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for 
krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database
May 19 10:06:37 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 
3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for 
krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database

It seems that the client is trying to get a ticket for the afs client.
AFS is not enabled on my BSD box and I don't need it. The only reference
I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
disable this  behavior?


Regards,

Claer



Re: IPSec to Checkpoint

2008-11-12 Thread Claer
On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
> Hey guys,
Hi,

> I'm struggling to get isakpmd to talk to a checkpoint firewall
> 
> I need the following parameters
> 
> General IKE Properties = AES-256 with SHA1
> IKE Phase 1 SA = Group2 (1024 bit)
> IKE Phase 1 SA renegotiation = 1440
> IKE Phase 2 SA renegotiation = 3600
> 
> The network layout looks as follows:
> 
> OurNet  OurFirewall Internet  TheirFW TheirNet
> 
> 195.24.xxx.xxx/25 - 195.24.xxx.yyy -  62.232.xxx.xxx  62.232.xxx.yyy
> 
> I currently have the following in my isakpmd.policy
> 
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true";
> 
> And my isakmpd.conf is at the end. Any pointers guys?

I don't know if your isakmpd.conf is good or not. The general
part seems good. But I'm wondering why you are not using the new
configuration file (/etc/ipsec.conf). It's much easier to use and to
maintain over time. For your part, you'll have to keep default lifetime
in isakmpd.conf as it's not supported in ipsec.conf.

From experience I can assure you it works also with Check Point (R60 to
R65); you just have to carefully ensure that all ipsec variables are the
same (As always with ipsec). Please review the parameters with the other
end. If you can, also ask them for their error message when establishing
the tunnel. I found the CheckPoint messages more useful than the
isakmpd ones.



> [General]
> Retransmits=5
> Exchange-max-time=  120
> Listen-on=  195.24.xxx.yyy
> Default-phase-1-lifetime=   1440,60:86400
> Default-phase-2-lifetime=   3600,60:86400
> 
> 
> 
> [Phase 1]
> 62.232.xxx.xxx=   local-remote
> 
> [local-remote]
> Phase=  1
> Transport=  udp
> Local-address=  195.24.xxx.yyy
> Address=62.232.xxx.xxx
> Configuration=  Default-main-mode
> Authentication= makemeagoatorsomething
> 
> [Phase 2]
> Connections=VPN-local-remote-62.232.xx.yy/255.255.255.224
> 
> 
> [VPN-local-remote-62.232.xx.yy/255.255.255.224]
> Phase=  2
> ISAKMP-peer=local-remote
> Configuration=  Default-quick-mode
> Local-ID=   network-195.24.xxx.xxx/255.255.255.128
> Remote-ID=  network-62.232.xxx.yyy/255.255.255.224
> 
> 
> 
> [network-195.24.xxx.xxx/255.255.255.128]
> ID-type=IPV4_ADDR_SUBNET
> Network=195.24.xxx.xx
> Netmask=255.255.255.128
> 
> 
> 
> [network-62.232.xxx.yyy/255.255.255.0]
> ID-type=IPV4_ADDR_SUBNET
> Network=62.232.xxx.yyy
> Netmask=255.255.255.0
> 
> 
> [Default-main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Life=   ANY
> Transforms= AES-256-SHA
> 
> [Default-quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE=  QUICK_MODE
> Suites= QM-ESP-AES-256-SHA-SUITE
> 
> [AES-256-SHA]
> ENCRYPTION_ALGORITHM=   AES_CBC
> KEY_LENGTH= 256,256:256
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD=  PRE_SHARED
> GROUP_DESCRIPTION=  MODP_1024
> Life=   LIFE_MAIN_MODE
> 
> [QM-ESP-AES-256-SHA-SUITE]
> Protocols=  QM-ESP-AES-256-SHA
> 
>  -- joe.
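isakmpd.conf is a web of section names resolved at run time, and the config quoted above shows how easily they drift: the Remote-ID tag names `network-62.232.xxx.yyy/255.255.255.224` while the section actually defined is `[network-62.232.xxx.yyy/255.255.255.0]`. The Python below is an added example, not from the thread or from isakmpd: it parses an isakmpd.conf into sections, checks that every cross-reference (Phase 1 peers, Connections, Configuration, Transforms, Suites, Protocols, ISAKMP-peer, Local-ID, Remote-ID) points at a defined section, and follows the Phase 1 chain to list the transform parameters that must match the other end. isakmpd ships built-in definitions for many names (see isakmpd.conf(5)), so the default names you rely on are passed in as `builtin`; case-insensitive name matching is an assumption made to keep the check lenient. The sample config is constructed (RFC 5737 addresses, placeholder PSK) along the lines of the quoted one.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
TAG_RE = re.compile(r"^\s*(?P<tag>[^=\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")
# Tags whose value names one or more sections. Tag and section names are compared
# case-insensitively (an assumption that keeps the check lenient); lifetimes are left alone.
REFERENCING_TAGS = {"configuration", "transforms", "suites", "protocols",
                    "isakmp-peer", "local-id", "remote-id"}

def parse_isakmpd_conf(text):
    """Return {section: {tag (lowercased): value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = TAG_RE.match(line)
        if m and current is not None:
            sections[current][m.group("tag").lower()] = m.group("value")
    return sections

def check_references(sections, builtin=()):
    """List (section, tag, target) for every value naming a section defined neither
    in the file nor in `builtin` (the isakmpd default names you rely on)."""
    defined = {s.lower() for s in sections} | {b.lower() for b in builtin}
    problems = []
    for name, tags in sections.items():
        for tag, value in tags.items():
            if name.lower() == "phase 1":          # every value here names a peer section
                targets = [value]
            elif name.lower() == "phase 2" and tag in ("connections", "passive-connections"):
                targets = value.split(",")
            elif tag in REFERENCING_TAGS:
                targets = value.split(",")
            else:
                continue
            for target in (t.strip() for t in targets):
                if target and target.lower() not in defined:
                    problems.append((name, tag, target))
    return problems

def phase1_proposals(sections):
    """[Phase 1] -> peer -> Configuration -> Transforms: the values the other end must match."""
    wanted = ("encryption_algorithm", "key_length", "hash_algorithm",
              "group_description", "authentication_method")
    out = {}
    for peer in sections.get("Phase 1", {}).values():
        conf = sections.get(peer, {}).get("configuration")
        for t in sections.get(conf, {}).get("transforms", "").split(","):
            if t.strip():
                out[t.strip()] = {k: sections.get(t.strip(), {}).get(k) for k in wanted}
    return out

# Constructed sample laid out like the one quoted above (RFC 5737 addresses, placeholder PSK).
SAMPLE_CONF = """
[Phase 1]
203.0.113.1=        local-remote
[local-remote]
Phase=              1
Address=            203.0.113.1
Configuration=      Default-main-mode
Authentication=     PLACEHOLDER-PSK
[Phase 2]
Connections=        VPN-local-remote
[VPN-local-remote]
Phase=              2
ISAKMP-peer=        local-remote
Configuration=      Default-quick-mode
Local-ID=           net-local/255.255.255.128
Remote-ID=          net-remote/255.255.255.224
[net-local/255.255.255.128]
ID-type=            IPV4_ADDR_SUBNET
Network=            198.51.100.128
Netmask=            255.255.255.128
[net-remote/255.255.255.0]
ID-type=            IPV4_ADDR_SUBNET
Network=            203.0.113.0
Netmask=            255.255.255.0
[Default-main-mode]
DOI=                IPSEC
EXCHANGE_TYPE=      ID_PROT
Transforms=         AES-256-SHA
[Default-quick-mode]
DOI=                IPSEC
EXCHANGE_TYPE=      QUICK_MODE
Suites=             QM-ESP-AES-256-SHA-SUITE
[AES-256-SHA]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256,256:256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
[QM-ESP-AES-256-SHA-SUITE]
Protocols=          QM-ESP-AES-256-SHA
"""
```

On the sample, `check_references()` reports the Remote-ID target as undefined, and reports `QM-ESP-AES-256-SHA` as well unless it is listed in `builtin`. That is the distinction to make before trusting the result: a name missing from the file is only an error if isakmpd does not define it either. `phase1_proposals()` gives the short list (cipher, key length, hash, group, authentication method) to read back to the other end, which is the comparison the reply above recommends.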



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-04 Thread Claer
On Tue, Nov 04 2008 at 02:19, Simen Stavdal wrote:
> Hi Giancarlo/misc,
Hello,

> Thanks for the answer, I guess dup-to isn't the right tool then...
> Has anyone tried to achieve what I am trying to do though?
> I am obviously open to other ideas.
Maybe I'll give you a wrong path but, did you look at "proxying" the
trap with net-snmp ? 
Direct the original trap to your firewall (carped ?) and then when the
trap arrives on it, ask net-snmp to send several traps to the
supervision servers. 

Claer

> The main objective though, is to preserve the source address, while
> replacing the destination address to multiple hosts
>
> Cheers,
> Simon.
>
> On Nov 4, 2008, at 5:32 PM, Giancarlo Razzolini wrote:
>
> >> Simen Stavdal wrote:
>>> Hello,
>>>
>>> I have the following scenario.
>>>
>>> A router (let's call it router A) is sending snmp traps to an nms
>>> (Network Monitoring System).
>>> Between the router A and the nms (let's call it nms-a) is a Dell
>>> PowerEdge 860 running OpenBSD 4.1 i386 (bsd.mp) and pf.
>>> On the same segment as nms-a, is nms-b, nms-c etc.
>>>
>>> I am trying to make pf copy the incoming trap, while keeping the
>>> source
>>> ip address (of router A), and changing the destination ip for nms-
>>> a,b,c
>>> etc,
>>> but I am not even sure if this is the right way about it.
>>>
>>> This is a variant of the rule that I have tried :
>>> pass in on $int_if dup-to ($nms_if $nms-b ) proto udp from
>>> 10.10.10.1 to
>>> $nms-a port 162
>>>
>>> (all macros are defined, and expanded correctly in the ruleset when
>>> issuing pfctl -s all )
>>>
>>> The way I have understood the syntax, is that traps destined for
>>> nms-a,
>>> will be duplicated to nms-b.
>>> However, when I tcpdump the nms_if, I can only see traps for nms-a
>>> (and
>>> none for b).
>>>
>>> I mentioned that the rule was a variant, because I have tried several
>>> other options, but to no avail.
>>> Has anyone done this before? Am I barking up the wrong tree?
>>>
>>> Here is some more (hopefully) useful information :
>>> tcpdump output (x.x.x.2 is the ip of nms-a, and Y.Y.Y.Y is the agent
>>> address (the source ip of the trap))
>>> 12:21:04.798192 10.10.10.1.2074 > X.X.X.2.snmp-trap: Trap(36)
>>> E:cisco.9.41.2 [Y.Y.Y.Y] enterpriseSpecific[specific-trap(1)!=0]
>>> 16671316
>>> .iso.org=[|snmp]
>>>
>>> The expanded rule from pfctl -s all | grep "dup-to"
>>> pass in on bge1 dup-to (vlan4 Z.Z.Z.1) inet proto udp from
>>> 10.10.10.1 to
>>> X.X.X.2 port = snmp-trap keep state
>>> (Z.Z.z.1 is nms-b)
>>>
>>> Any input is very welcomed,
>>>
>>> Cheers,
>>> Simon Stavdal.
>>>
>>> -
> >>> Get your own free e-mail address at Start.no
>>>
>>>
>>>
>> As the man page states, it literally duplicate the packet. It means
>> that an exact copy of it will be sent to the specified machine.
>> Also, you are not seeing them when you use tcpdump, because they are
>> all the same. If nms-b isn't prepared to receive an packet which
>> wasn't destined for it, it will discard the packet silently. You
>> must check on nms-b if it is receiving the packets.
>>
>> My regards,



Re: Deploying carp with limited global IPs

2008-11-02 Thread Claer
On Sun, Nov 02 2008 at 37:10, Rod Whitworth wrote:
> On Wed, 29 Oct 2008 00:22:01 -0400, Steven Surdock wrote:
> 
> >I've used the following for a while (naturally this assumes that the ISP
> >link is delivered via some shared medium and not a point-to-point link)
> >
> >/etc/hostname.xxx0:
> >up description "to ISP"
> >
> >/etc/hostname.carp0:
> >inet 192.168.1.2 255.255.255.252 192.168.1.3 vhid 1 carpdev xxx0
> >
> >-Steve S.
> >
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> >Of
> >> Rod Whitworth
> >> Sent: Tuesday, October 28, 2008 11:49 PM
> >> To: Miscellaneous OBSD
> >> Subject: Deploying carp with limited global IPs
> >>
> >> In preparing for a possible carp redundacy setup for a client's border
> >> router/firewall I have found no information so far as to whether it is
> >> possible to have carp working where the link to the ISP is a /30.
> >>
> >> Every example I have found in presentations and tutorials has used 3
> >> IPs on a typical dual firewall setup. So they assume (all fictional
> >> addresses here) something like 4.3.2.1 is the upstream router, with .2
> >> for the $ext_if in unit 1, .3 for $ext_if in unit 2 and .4 for the
> >> carp0 in each.
> >>
> >> With a common enough point-to-point /30 link where upstream is .1 and
> >> the firewall is .2, what can we use in hostname.xx0 in each of the
> >> firewalls? No more IPs are available from the ISP apart from a routed
> >> subnet that is expecting to arrive via .2.
> >
> 
> Sorry, but I don't get what your suggestion can do for the case I
> proposed.
> Maybe I'm dense.
> Assuming my link is 4.3.2.0/30 the upstream router is 4.3.2.1 and I
> have no choice but to use 4.3.2.2 as my $ext_if. How does that work
> with your example?
> 
> Thanks,

Did you look at ifstated ? I tried it for 2 firewalls with 1 pppoe link.
This setup didn't go on production but worked fine during tests.

Claer



Re: 4.4 in Poissy, near Paris, France

2008-10-13 Thread Claer
On Mon, Oct 13 2008 at 48:08, Freddy DISSAUX wrote:
> Thanks to all the developers for a job well done.

Hehehe Where in Poissy? I'm in Beauregard ;-)

cya

Claer



Re: OpenBSD + isakmpd + VPN concentrator 3060

2008-09-27 Thread Claer
On Fri, Sep 26 2008 at 03:19, Christoph Leser wrote:
> This is interesting. We suffer from spurious connection losses since we
> started with OBSD ipsec.
> Do you have any details what caused your problem, and why setting
> DPD-check-interval helped?

The problem was the following : 
Tunnels were established well but, in case of internet connection
problems, the vpn went down and never came up again.
Once the vpn went down, the workaround was simply to kill isakmpd and
restart it. Not very simple when the vpn went down at 2 AM (and users
complaining at 8)

Analysing an idle VPN connection (we were lucky to have a test
environment), I saw that Cisco 3030 was emitting isakmp_info packets
every 20 seconds. 
I cut the internet link, waited 1 min and then replugged the cable.
tcpdump showed that my OpenBSD Box didn't lose its SAs but Cisco 3030
was trying to create new ones. At this point Isakmp daemons on both
sides can't talk to each other again. 

As DPD was enabled on the cisco side and the techs were unable to tell
me if it's the standard configuration or not, I found this way to enable
DPD on the OpenBSD side. It corrected the problem as both sides tried to
restart isakmp negotiations after a short internet failure.


Claer

> > In our environnement (we manage openbsd tunnels to cisco 3030 
> > which is out of our scope) we debugged a strange problem when 
> > the connection goes down. The tunnels won't come back after a 
> > small link shutdown.
> > 
> > The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
> > 
> > If it's the case for you too, you should add these lines to 
> > /etc/isakmpd/isakmpd.conf :
> > 
> > --- isakmpd.conf ---
> > [General]
> > DPD-check-interval= 30
> > --- isakmpd.conf ---



Re: OpenBSD + isakmpd + VPN concentrator 3060

2008-09-26 Thread Claer
On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
> I finally was able to setup vpn connection.
> Other side was configured in wrong way and sum of all my ipsec.conf look in 
> this way:
>
> -- ipsec.conf --
> other_peer = "c.c.c.c_public_ip"
>
>
> ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  quick auth hmac-sha1 enc 3des group modp1024 \
>  psk "somekey"
> -- ipsec.conf --
In our environment (we manage openbsd tunnels to cisco 3030 which is
out of our scope) we debugged a strange problem when the connection goes
down. The tunnels won't come back after a small link shutdown.

The problem was Cisco 3030 was doing DPD check and not the OpenBSD.

If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :

--- isakmpd.conf ---
[General]
DPD-check-interval= 30
--- isakmpd.conf ---

> But i have another problem, a.a.a.a_net is not configured on my network 
> interface, it's a just net that must be done nat on this.
> I was reading a bit about doing nat on obsd and ipsec.
> I've tried to do so:
>
> -- conf --
> ifconfig lo1 inet a.a.a.a_net
> route add -net d.d.d.d_net a.a.a.a_host and pf.conf:
> nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host -- conf --
>
> But it isn't seem to work. Packets are showing on lo1, but there are not 
> going threw the flow/enc0 interface.
The route will not work. Instead, you should use pf and route-to
directive. 

> -- tcpdump lo1 --
> 09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
> 09:38:20.497421 a.a.a.a_hostb d.d.d.d_host: icmp: echo request
> -- tcpdump lo1 --
>
> flows:
> flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid 
> b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
> flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid 
> b.b.b.b_public_ip dstid c.c.c.c_public_ip type require
>
> image :):
> e.e.e.e_net (em0) | a.a.a.a_net (lo1)  b.b.b.b_public_ip --- 
> c.c.c.c_public_ip  d.d.d.d_net
>
> Regard,
> Mariusz Makowski
>
>
> Mariusz Makowski wrote:
>> Mariusz Makowski wrote:
>>> Hello,
>>>
>>> Firstly i want to mention that it's my begining with ipsec/isakmpd 
>>> tunneling.
>>>
>>> My problem is about making connection from OpenBSD 4.3 to Cisco VPN 
>>> concentrator 3060.
>>> Cisco concentrator is out of my range so i can't check log there and i 
>>> only wish that configuration there is done well.
>>>
>>> Here it is my example:
>>>
>>> a.a.a.a_net  b.b.b.b_public_ip --- c.c.c.c_public_ip  
>>> d.d.d.d_net
>>>
>>> What i wan't to achiev is: - comunication from a.a.a.a_net to d.d.d.d_net
>>>
>>> What i know about cisco configuration:
>>> - VPN concentrator 3060
>>> - c.c.c.c_public_ip
>>> - d.d.d.d_net
>>> - VPN Method: IPSec
>>> - Encryption: 3DES
>>> - Key exchange IKE
>>> - Pre-Shared Key: somekey
>>> - Perfect Forward Secrecy: Yes - Group 2 (1024 bits) - Hashing: SHA-1
>>> - Diffie-Hellman: Yes - Group 2 - Time Lifetime: 28800 seconds
>>> - Encapsulation Mode: Tunnel
>>> - Negotiation Mode: Main
>>>
>>> OpenBSD:
>>> - clean instalation of 4.3
>>> - no pf yet
>>> - em0: a.a.a.a_net
>>> - em1: b.b.b.b_public_ip
>>>
>>> After couple hours of reading stuff on internet and reading some 
>>> configuration files i achivied this configuration:
>>>
>>> -- isakmpd.conf --
>>> [General]
>>> Listen-on= b.b.b.b_public_ip
>>>
>>> [Phase 1]
>>> c.c.c.c_public_ip= CONN
>>>
>>> [Phase 2]
>>> Connections  = LINK
>>>
>>> [CONN]
>>> Phase= 1
>>> Transport= udp
>>> Address  = c.c.c.c_public_ip
>>> Configuration= Default-Main-Mode
>>> Authentication   = somekey
>>>
>>> [LINK]
>>> Phase= 2
>>> ISAKMP-Peer  = HP
>>> Configuration= Default-Quick-Mode
>>> Local-ID = LAN-1
>>> Remote-ID= LAN-2
>>>
>>> [LAN-1]
>>> ID-Type  = IPV4_ADDR_SUBNET
>>> Network  = a.a.a.a_net
>>> Netmask  = a.a.a.a_netmask
>>>
>>> [LAN-2]
>>> ID-Type  = IPV4_ADDR_SUBNET
>>> Network  = d.d.d.d_net
>>> Netmask  = d.d.d.d_netmask
>>>
>>> [Default-Main-Mode]
>>> DOI  = IPSEC
>>> Exchange_Type= ID_PROT
>>> Transforms   = 3DES-SHA
>>>
>>> [Default-Quick-Mode]
>>> DOI  = IPSEC
>>> Exchange_Type= QUICK_MODE
>>> Suites   = QM-ESP-3DES-SHA-SUITE
>>>
>>> [3DES-SHA]
>>> ENCRYPTION_ALGORITHM = 3DES_CBC
>>> HASH_ALGORITHM   = SHA
>>> AUTHENTICATION_METHOD= PRE_SHARED
>>> GROUP_DESCRIPTION= MODP_1024
>>> Life = LIFE_3600_SECS
>>>
>>> [QM-ESP-3DES-SHA-SUITE]
>>> Protocols= QM-ESP-3DES-SHA
>>>
>>> [QM-ESP-3DES-SHA-PFS-SUITE]
>>> Protocols= QM-ESP-3DES-SHA-PFS
>>>
>>> [QM-ESP-3DES-SHA]
>>> PROTOCOL_ID  =

3G Mini PCI Express recommendations

2008-07-18 Thread Claer
Hi list,

I want to build a small device with 3G + wlan. The ALIX 6b2 seems to
be a good candidate for it. It has 1 mini pci express and 1 mini pci
interface. 

I searched the archives and already found OpenBSD compatible mini pci
Wireless devices but I didn't find references for mini-pcie 3G cards.
Has someone here already played with such devices ? 

Regards,

Claer



Re: tcpdump -X

2008-07-15 Thread Claer
On Tue, Jul 15 2008 at 49:16, GVG GVG wrote:

> On Tue, Jul 15, 2008 at 3:54 PM, David Hill <[EMAIL PROTECTED]> wrote:
> > On Tue, Jul 15, 2008 at 03:42:58PM +0200, GVG GVG wrote:
> > > Dear list,
> > >
> > > was going through the OpenBSD tcpdump version and couldn't identify
> > anything
> > > like the '-A' flag in order to capture full web sites etc. Tried optin
> > '-X'
> > > but didn't work! Should I use '-s snaplen' but what snaplen value do I
> > have
> > > to define. Tried few combinations with no success!
> > >
> > > Thanks for your help
> > >
> > > George
> > >
> >
> > Use the size of your MTU, which can be found my using ifconfig.
> >
> > --
> > David Hill
> 
> Thanks for your prompt reply.
> 
> Just out of curiosity what's this 'MTU' stands for?

Maximum Transmission Unit. It's the biggest number of bytes that can be
transmitted on the media (ISO layer 2).

You can go on wikipedia for more information
http://en.wikipedia.org/wiki/Maximum_transmission_unit

Claer



Re: PF DiffServ

2008-07-14 Thread Claer
On Tue, Jul 15 2008 at 32:01, Insan Praja SW wrote:
> Hi Misc@,
> I was wondering if I could use pf to read and write DSCP code to packets, 
> maybe using "scrub" or altq? If there is a way to do it using Puffy, maybe 
> I could try it on my box.
> Thanks,
Hello,

Actually, 4.3 can read DSCP but not write it. Write support was committed
last month (http://marc.info/?l=openbsd-cvs&m=121014159632272&w=2)
so you can certainly test this functionality with a snapshot.

Claer



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-07-14 Thread Claer
On Mon, Jul 14 2008 at 28:15, Martín Coco wrote:

> Thanks!
>
> Have you tried the quad nics on those Dells? We do have a couple of R200s, 
> 860s and 850s running with 2 dual port cards no problem, but we have never 
> tried the quad ports.
Hello,

I have around 20 Dell 860 and R200 with 2 Intel Quad Port cards each.
That is a total of 10 interfaces on those cheap Dells.

You'll never hit any problem if you use only one Quad Port card. Be careful
with 2 cards on the 860: you'll have to order the "Intel PRO/1000 PT Quad Port"
and *NOT* the "Low profile" one. For the moment, no issues with them.

We haven't tested performance. These Dells protect small Internet links,
so we didn't bother checking performance for links below 10Mb.

Claer

> Torsten Frost wrote:
>> On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco
>> <[EMAIL PROTECTED]> wrote:
>>> Hi misc,
>>>
>>> I'm currently looking for hardware alternatives for firewalls that should
>>> have more than four NICs.
>>>
>>> Currently we are buying R200s from Dell, but we have the 4 NIC 
>>> limitation.
>>> We could tell Dell to install a quad port NIC (in addition to the 
>>> two-port
>>> onboard card), but I haven't read good things about the way they work.
>>>
>>> I've also looked into soekris, but they don't seem to have enough CPU for
>>> what we want (this is pure speculation) as we also have intense IPSec
>>> traffic on some of these firewalls (I've seen that some of them could 
>>> have
>>> encryption boards added to increase performance, but I don't know if it
>>> works for any kind of protocol, or at what rate).
>>>
>>> In any case, what I would like to have is firewalls with multiple NICs 
>>> (at
>>> least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at
>>> ~50Mbps (internal backbone firewalls). The multiple NICs are to use 
>>> trunk,
>>> pfsync, real network interfaces, etc.
>>>
>>> Thanks,
> >>> Martín.
>>>
>>>
>> We run a pair of dell 1950s and have been generally happy with them.
>> We run one dual port intel card and the two build in ports,  no
>> problem pushing about
>> 400mbit. The intel cards have worked ok for us for years now in
>> various versions.
>> You can configure the box with two dual nics or two quad nics on the dell
>> web.



Re: Net-SNMP segfaults under OpenBSD 4.3

2008-06-27 Thread Claer
On Fri, Jun 27 2008 at 13:12, Stephan A. Rickauer wrote:
> On Wed, 2008-06-25 at 11:17 -0400, (private) HKS wrote:
> > In my quest for real SNMP monitoring of OpenBSD, I installed 
> > net-snmp-5.4.1p0
> > on an OpenBSD 4.3 box via packages. The executable segfaults every time I 
> > try
> > to run it. This happens with or without command-line options, with my custom
> > config file or the default config file. I've tested with two different
> > machines, two
> > different mirrors, and seen no change.
> > 
> > I've not yet tried building net-snmp from the ports system, but that's
> > my next step.
> > 
> > Has anybody else run into this?
> 
> I've seen this, too. But a package made out of the port will work.

Reproducible here too. We built the net-snmp package from ports.

Claer



Re: OpenOSPF routing and CARP issues (?)

2008-06-27 Thread Claer
On Fri, Jun 20 2008 at 48:12, Chris Naselli wrote:
> Hi all!
Hi,

[...]
> OpenOSPFD have the following configuration:
> 
> area 0.0.0.0 {
>interface em0  # carped with carp0
>interface em1  # carped with carp1
>interface carp2
> }
> 
> In this topology I found a problem: OpenOSPF daemon is configured with
> "interface carpX" for any interface with except em0/em1 to announce the
> connected interface only if master but however there are the announce of all
> the route learned from other cisco router behind it, thus causing (unwanted)
> traffic also in the router in backup carp state.
> 
> How I can make OpenBSD redistribute ospf learned routes only if carp state
> is master even if in ospfd.conf have configured "interface em0" (and not
> "interface carp0")? Is my topology just broken?
If you wish to execute commands (for example for ospfd) depending on carp
states, I recommend checking ifstated(8) and ifstated.conf(5).

> Sorry for the long email and thanks in advance.
Sorry I shortened it :)

Claer



Re: Route ftp-proxy pasive mode to secondary Internet conection

2008-06-25 Thread Claer
On Tue, Jun 24 2008 at 24:19, Giancarlo Razzolini wrote:

> Jon Rubio wrote:
> > Hello everyone,
> >
> > We need some help with the ftp-proxy on reverse mode. Thanks you very much
> > for your help.
> >
> > The scenario:
> > ---
> >
> > We have an OpenBSD firewall with two interfaces conected to Internet (bge0
> > ang bge1).
> > The first interface is used to browse internet and access all external
> > Internet services.
> > The second interface is used to manage incoming conections from our partners
> > to our internal services (www, ftp & mail).
> >
> > We have sucessfully created routing rules on the PF to route outgoing trafic
> > for www and mail services.
> > We have even sucessfully created routing rules on the PF to route outgoing
> > trafic for FTP service until it enters on passive mode (ftp authentification
> > is sucessfull).
> >
> > But on PF rules created by the ftp-proxy (dinamically) we can't find how to
> > specify to use the secondary connection, so it sends packages from the first
> > interface.
> >
> > Can anyone, please help us? Any idea would be appreciated.
> >
> > Thanks in advance.
> > --
> > View this message in context:
> > http://www.nabble.com/Route-ftp-proxy-pasive-mode-to-secondary-Internet-conection-tp18100893p18100893.html
> > Sent from the openbsd user - misc mailing list archive at Nabble.com.
> >
> >
> >   
> There are two solutions for this problem AFAIK. The easy, and the not so
> easy, but nice solution. The easy, is to change the default gateway of
> the firewall to be the secondary connection one. You will have to adapt
> you rules to use the primary connection for navigation traffic, because
> know, your "secondary" connection is your primary one. So the logic
> changes. The second alternative is to use the -mpath feature of ifconfig
> to set both the default gateways, and to make ftp-proxy create the rules
> using the connection you want. Take a look at -a option of it. In both
> cases you will have to select the routes using pf. I recommend that you
> do things right and use -mpath. It can even help with failover and other
> things.
> 
> My regards,

You may want to look at the -T option of ftp-proxy. This way you can tag
packets for further filtering. The man page seems to describe a solution
to your problem:

-T tag  The filter rules will add tag tag to data connections, and not
match quick.  This way alternative rules that use the tagged
keyword can be implemented following the ftp-proxy anchor.  These
rules can use special pf(4) features like route-to, reply-to,
label, rtable, overload, etc. that ftp-proxy does not implement
itself.

Claer
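As an added example (not from this thread, and not ftp-proxy's own documentation), here is a pf.conf fragment, in 4.3-era syntax, that does what the man page excerpt describes: ftp-proxy runs in reverse mode with -T, its anchor rules carry the tag and are not "quick", and a rule placed after the anchor uses reply-to so replies for partner data connections leave through the secondary link rather than the default route. The interface names follow the original question; the gateway 203.0.113.1, the server address 192.168.1.20, the proxy port 8021 and the tag name ftpdata are assumptions.

```pf
# Added example, not from the original thread.  4.3-era pf syntax.
ext_if  = "bge0"           # primary link, holds the default route
ext2_if = "bge1"           # secondary link, partners connect here
ext2_gw = "203.0.113.1"    # assumed next hop on bge1
ftp_srv = "192.168.1.20"   # assumed internal FTP server

# ftp-proxy is assumed to be started in reverse mode with tagging, e.g.:
#   ftp-proxy -R 192.168.1.20 -p 8021 -T ftpdata

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control connections from partners are handed to the proxy on localhost.
rdr on $ext2_if proto tcp from any to ($ext2_if) port 21 -> 127.0.0.1 port 8021

# ftp-proxy inserts its per-session rdr and pass rules here.  With -T they
# carry the tag "ftpdata" and are not "quick", so evaluation continues.
anchor "ftp-proxy/*"

# Last matching rule wins: replies to passive-mode data connections that
# arrived on bge1 are sent back through bge1's gateway instead of following
# the default route out of bge0.  Destination is post-rdr, i.e. the server.
pass in on $ext2_if reply-to ($ext2_if $ext2_gw) proto tcp \
    from any to $ftp_srv tagged ftpdata keep state

# Only the passive case is shown; a server-initiated (active) data
# connection would need a route-to rule on the internal interface instead.
```

After loading, `pfctl -vs state | grep ftpdata`-style checks are not possible because tags are not shown in states, but `pfctl -a 'ftp-proxy/*' -sr` while a transfer is running shows the inserted rules, and a `tcpdump -ni bge1` on the secondary link confirms the return packets take that path.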



Re: tcpdump -s0

2008-06-18 Thread Claer
On Wed, Jun 18 2008 at 32:10, arthur wrote:
> -s0 always error with 'invalid snaplen 0' and the man page doen't mention how
> to capture full frame.
> 
> However, the man of tcpdump support s0
> (http://www.tcpdump.org/tcpdump_man.html)
> 
> How could I capture full messages.
You can just use a value bigger than the MTU.
# tcpdump -ns 1550

Claer



Re: ipsec home network to colo server

2008-05-15 Thread Claer
> >>>> src_mask: 255.255.0.0
> >>>> dst_mask: 255.255.255.255
> >>>> protocol: proto 0 flags 0
> >>>> flow_type: type unknown direction out
> >>>> src_flow: 10.0.0.0
> >>>> dst_flow: 208.70.72.13
> >>>>  sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
> >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
> >>>> state mature replay 16 flags 4
> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
> >>>> address_src: 67.159.171.204
> >>>> address_dst: 208.70.72.13
> >>>> identity_src: type fqdn id 0: fire.sporkton.com
> >>>> identity_dst: type fqdn id 0: angie.sporkton.com
> >>>> src_mask: 255.255.0.0
> >>>> dst_mask: 255.255.255.255
> >>>> protocol: proto 0 flags 0
> >>>> flow_type: type unknown direction out
> >>>> src_flow: 10.0.0.0
> >>>> dst_flow: 208.70.72.13
> >>>>  sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
> >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
> >>>> state mature replay 16 flags 4
> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
> >>>> address_src: 208.70.72.13
> >>>> address_dst: 67.159.171.204
> >>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
> >>>> key_encrypt: bits 192:
> >>>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
> >>>> identity_src: type fqdn id 0: angie.sporkton.com
> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
> >>>> src_mask: 255.255.255.255
> >>>> dst_mask: 255.255.0.0
> >>>> protocol: proto 0 flags 0
> >>>> flow_type: type unknown direction in
> >>>> src_flow: 208.70.72.13
> >>>> dst_flow: 10.0.0.0
> >>>>  sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
> >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
> >>>> state mature replay 16 flags 4
> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
> >>>> address_src: 208.70.72.13
> >>>> address_dst: 67.159.171.204
> >>>> identity_src: type fqdn id 0: angie.sporkton.com
> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
> >>>> src_mask: 255.255.255.255
> >>>> dst_mask: 255.255.0.0
> >>>> protocol: proto 0 flags 0
> >>>> flow_type: type unknown direction in
> >>>> src_flow: 208.70.72.13
> >>>> dst_flow: 10.0.0.0
> >>>
> >>> I would recommend taking a look at if you haven't already:
> >>> http://www.securityfocus.com/infocus/1859
> >>>
> >>> Jonathan
> >>>
> >>>
> >>
> >> http://www.securityfocus.com/infocus/1859
> >> is the article that started it all for me using ipsec and OpenBSD. It's 
> >> not exactly geared for one end being dynamic ip though.
> >>
> >> I don't have much experience with dynamic addresses, but if my 
> >> understanding is correct, the best would be as below.
> >>
> >> Let me know if it works, I'm curious, since I've also never done ipsec 
> >> between a static and dynamic device without an internal subnet on both 
> >> hosts:
> >>
> >>
> >> colo /etc/ipsec.conf:
> >>
> >> ike passive from 208.70.72.13 to 10.0.0.0/16
> >>
> >> home /etc/ipsec.conf:
> >>
> >> ike dynamic from 10.0.0.0/16 to 208.70.72.13
> >>
> >> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to 
> >> amaze me in it's simplicity compared to other options)
> >>
> >> Make sure your pf on both ends is allowing negotiation (which it seems to 
> >> be). Also, unless you need to apply pf rules to your encrypted traffic, 
> >> make sure you've got enc0 in your "set skip on" interfaces.
> >>
> >> I'd suggest using pubkeys as in isakmpd(8) which should be:
> >>
> >> copy /etc/isakmpd/local.pub from colo to 
> >> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
> >>
> >> copy /etc/isakmpd/local.pub from home to 
> >> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
> >>
> >> That would be better than psk if you can get it working, imho.
> >>
> >> Cheers
> >>
> >>
> >>
> >
> > i have switched to using pubkeys via fqdn as im using fqdn in both
> > dstid and srcid, that is now working. and quite nicely if i do say so
> > myself
> >
> > i have appropriate nonat on the dynamic side as well
> > angie="208.70.72.13"
> > table  const { 10/8, 172.16/12, 192.168/16 }
> > no nat on $ext_if from  to $angie
> >
> >
> > the pf is set up to allow all udp 500 traffic on both sides.
> > pass  in on $ext_if inet proto udp  from any to $ext_if port isakmp
> >
> > enc0 was not on my skip list however it is now, and still no change
> > set skip on {enc0, lo0}
> >
> > from the man page sample:
> > #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> > #   srcid me.mylan.net dstid the.others.net
> > #ike esp from 192.168.3.1 to 192.168.3.2 \
> > #   srcid me.mylan.net dstid the.others.net
> >
> > # Set up a tunnel using static keying:
> > #
> > # The first rule sets up the flow; the second sets up the SA.
> >
> > it seems to imply that 2 rules are needed for any one connection, one
> > rule that specifies interesting traffic and one that defines
> > termination points. I will try this.
> >
> >
> > --
> > -Lawrence
> >
> 
> Im not exactly sure how to tell the second rule, as the home endpoint
> is dynamic, i cant set that one to a ip since it will change, and if i
> set it to a fqdn i get errors for mismatched types, however i think it
> just looks up the name anyone doesnt it?

Do you have a rule to allow ESP traffic? If you don't have one, here is
what you should add to your pf ruleset:

pass in on $ext_if inet proto esp from any to $ext_if   # ESP is IP protocol 50


Claer



Re: Dell Power Edge 1950 SAS Raid1 'sd0: not queued: error 5'

2008-05-14 Thread Claer
On Wed, May 14 2008 at 24:09, David Gwynne wrote:
> i believe this has been fixed with revision 1.80 of src/sys/dev/ic/mfi.c. 
> could you please try -current (or at least 4.3) and see if the problem 
> persists?
OK. I'll try to upgrade these servers asap. (It has to be done anyway =))


Claer

> On 14/05/2008, at 1:10 AM, Claer wrote:
>
>> Hi list,
>>
>> Today one of our first Dell 1950s crashed in a strange way. I asked non-IT
>> people to restart it, that's why I don't have console traces of the
>> problem.
>>
>> Before the server became unresponsive, I could see this in
>> /var/log/messages :
>>
>> May 11 04:50:55 fw1 /bsd: sd0: not queued, error 5
>> May 11 04:51:26 fw1 last message repeated 89 times
>> May 11 04:51:26 fw1 last message repeated 34 times
>>
>> Googling for "sd0: not queued, error 5" I found a thread with a similar
>> log. http://readlist.com/lists/openbsd.org/misc/11/56564.html
>>
>> It seems the problem is not fixed for the release installed on this
>> firewall (4.1). It's the first time in around 1 year that I got this
>> problem.
>> During the problem, "telnet server 22" opened and closed the connection
>> without displaying ssh banner. The network stack was still running
>> and the carp interfaces did not change to BACKUP mode.
>>
>> As this firewall is used for tests it did not impact any users
>> (except myself ;)) but allows running debug commands if suggested.
>> I'll update the PERC firmware as mentioned in the thread posted above.
>> The server will be upgraded soon to 4.3 too.
>>
>> Any  help on how to avoid this problem is welcome.
>>
>>
>> Claer
>>
>> dmesg:
>>
>> OpenBSD 4.1-stable (GENERIC) #1: Fri Aug 17 23:55:00 CEST 2007
>>[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz ("GenuineIntel" 686-class)
>> 1.60 GHz
>> cpu0:
>> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
>> real mem  = 1072955392 (1047808K)
>> avail mem = 971632640 (948860K)
>> using 4278 buffers containing 53772288 bytes (52512K) of memory
>> mainbus0 (root)
>> bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, BIOS32 rev. 0 @ 0xffe90,
>> SMBIOS rev. 2.4 @ 0x3ffbc000 (62 entries)
>> bios0: Dell Inc. PowerEdge 1950
>> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
>> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfaa60/368 (21 entries)
>> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6321ESB LPC" rev
>> 0x00)
>> pcibios0: PCI bus #22 is the last bus
>> bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x1800
>> 0xcb800/0x5200 0xec000/0x4000!
>> acpi at mainbus0 not configured
>> ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca8/8 spacing 4
>> cpu0 at mainbus0
>> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
>> pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
>> ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
>> pci1 at ppb0 bus 6
>> ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
>> pci2 at ppb1 bus 7
>> ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
>> pci3 at ppb2 bus 8
>> ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
>> pci4 at ppb3 bus 9
>> bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: irq 5
>> ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
>> pci5 at ppb4 bus 10
>> ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
>> pci6 at ppb5 bus 11
>> ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
>> pci7 at ppb6 bus 1
>> ppb7 at pci7 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
>> pci8 at ppb7 bus 2
>> mfi0 at pci8 dev 14 function 0 "Dell PERC 5" rev 0x00: irq 6
>> mfi0: logical drives 1, version 5.1.1-0040, 256MB RAM
>> scsibus0 at mfi0: 1 targets
>> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
>> fixed
>> sd0: 69376MB, 69376 cyl, 64 head, 32 sec, 512 bytes/sec, 142082048 sec
>> total
>> ppb8 at pci7 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
>> pci9 at ppb8 bus 3
>> ppb9 at pci0 dev 4 function 0 "Intel 5000 PCIE" rev 0x12
>> pci10 at ppb9 bus 12
>> ppb10 at pci10 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev
>> 0x04
>> pci11 at ppb10 bus

Dell Power Edge 1950 SAS Raid1 'sd0: not queued: error 5'

2008-05-13 Thread Claer
Hi list,

Today one of our first Dell 1950s crashed in a strange way. I asked non-IT
people to restart it, that's why I don't have console traces of the
problem.

Before the server became unresponsive, I could see this in
/var/log/messages :

May 11 04:50:55 fw1 /bsd: sd0: not queued, error 5
May 11 04:51:26 fw1 last message repeated 89 times
May 11 04:51:26 fw1 last message repeated 34 times

Googling for "sd0: not queued, error 5" I found a thread with a similar
log. http://readlist.com/lists/openbsd.org/misc/11/56564.html

It seems the problem is not fixed for the release installed on this
firewall (4.1). It's the first time in around 1 year that I got this
problem.
During the problem, "telnet server 22" opened and closed the connection
without displaying ssh banner. The network stack was still running
and the carp interfaces did not change to BACKUP mode.

As this firewall is used for tests it did not impact any users
(except myself ;)) but allows running debug commands if suggested.
I'll update the PERC firmware as mentioned in the thread posted above.
The server will be upgraded soon to 4.3 too.

Any  help on how to avoid this problem is welcome.


Claer

dmesg:

OpenBSD 4.1-stable (GENERIC) #1: Fri Aug 17 23:55:00 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU 5110 @ 1.60GHz ("GenuineIntel" 686-class)
1.60 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR
real mem  = 1072955392 (1047808K)
avail mem = 971632640 (948860K)
using 4278 buffers containing 53772288 bytes (52512K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, BIOS32 rev. 0 @ 0xffe90,
SMBIOS rev. 2.4 @ 0x3ffbc000 (62 entries)
bios0: Dell Inc. PowerEdge 1950
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfaa60/368 (21 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6321ESB LPC" rev
0x00)
pcibios0: PCI bus #22 is the last bus
bios0: ROM list: 0xc/0x9000! 0xc9000/0x1000 0xca000/0x1800
0xcb800/0x5200 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 6
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 7
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 8
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 9
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: irq 5
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 10
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 11
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
pci8 at ppb7 bus 2
mfi0 at pci8 dev 14 function 0 "Dell PERC 5" rev 0x00: irq 6
mfi0: logical drives 1, version 5.1.1-0040, 256MB RAM
scsibus0 at mfi0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
fixed
sd0: 69376MB, 69376 cyl, 64 head, 32 sec, 512 bytes/sec, 142082048 sec
total
ppb8 at pci7 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
pci9 at ppb8 bus 3
ppb9 at pci0 dev 4 function 0 "Intel 5000 PCIE" rev 0x12
pci10 at ppb9 bus 12
ppb10 at pci10 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev
0x04
pci11 at ppb10 bus 13
ppb11 at pci11 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev
0x04
pci12 at ppb11 bus 14
em0 at pci12 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06:
irq 5, address 00:15:17:3e:c8:dc
em1 at pci12 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06:
irq 11, address 00:15:17:3e:c8:dd
ppb12 at pci11 dev 1 function 0 vendor "IDT", unknown product 0x8018 rev
0x04
pci13 at ppb12 bus 15
em2 at pci13 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06:
irq 11, address 00:15:17:3e:c8:de
em3 at pci13 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06:
irq 6, address 00:15:17:3e:c8:df
ppb13 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x12
pci14 at ppb13 bus 16
ppb14 at pci0 dev 6 function 0 "Intel 5000 PCIE" rev 0x12
pci15 at ppb14 bus 17
ppb15 at pci15 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev
0x04
pci16 at ppb15 bus 18
ppb16 at pci16 dev 0 function 0 vendor "IDT", unknown product 0x8018 rev
0x04
pci17 at ppb16 bus 19
em4 at pci17 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06:
irq 5, address 00

Re: ipsec.conf question

2008-05-06 Thread Claer
On Mon, May 05 2008 at 20:14, Prabhu Gurumurthy wrote:
> All,
>
> I have a question regarding ipsec.conf.
>
> Example:
>
> IPsec peers: 3.3.3.3, 3.3.3.2
> Interesting traffic: 1.1.1.1 -> 192.168.100.2
>  2.2.2.2 -> 192.168.100.0/24
>
> Main/Quick mode crypto/groups being: aes, sha1 and group2
> PSK being "test123"
>
> How can I define the above concisely?
>
> I can, for example, do the following:
>
> ike esp from 1.1.1.1 to 192.168.100.2 \
> local 3.3.3.3 peer 3.3.3.2\
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes group modp1024 \
> psk "test123"
>
> ike esp from 2.2.2.2 to 192.168.100.0/24 \
> local 3.3.3.3 peer 3.3.3.2\
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes group modp1024 \
> psk "test123"
>
> Is there any way to shorten it? since most of it seem to be redundant 
> except for the interesting traffic part.

You can simply use macros as in pf.conf. For example:

IP_pub_1 = "1.1.1.1"
IP_pub_2 = "2.2.2.2"
IP_priv = "192.168.100.2"
LAN_priv = "192.168.100.0/24"
Our_PSK = "test123"
IPSEC_peers = "local 3.3.3.3 peer 3.3.3.2"
IPSEC_crypto = "main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024"

ike esp from $IP_pub_1 to $IP_priv $IPSEC_peers $IPSEC_crypto \
psk $Our_PSK
ike esp from $IP_pub_2 to $LAN_priv $IPSEC_peers $IPSEC_crypto \
psk $Our_PSK

With 4.3-current you can use includes. Sample from the man page:
 Additional configuration files can be included with the include
 keyword, for example:
   include "/etc/macros.conf"

Claer



Re: Dell R200

2008-04-26 Thread Claer
On Fri, Apr 25 2008 at 45:17, Martín Coco wrote:
> Hi misc,
Hi,

> I'll be buying a couple of Dell R200 Rackmount servers to use as 
> firewalls/routers.
>
> I found this thread in the archives about it:
> http://marc.info/?l=openbsd-misc&m=120167827217058&w=2
>
> And it seems to be working with snapshots.
>
> But my question is: will it be supported by the 4.3 release? We're not used 
> to run -current on our firewalls, and we'd prefer to continue with -release 
> and -stable.

We tested R200 servers this week with a 4.3 stable release. It seems to work
fine for the moment.

Claer



Re: rdr to squid proxy with authentication

2008-04-25 Thread Claer
On Wed, Apr 23 2008 at 40:17, Monah Baki wrote:
> Hi all,
Hi,

> I implemented the following rule and so far I can see that all users are
> accessing my proxy server
> 
> Tried the following in /etc/inetd.conf
> 
> 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \
>20 192.168.3.106 8080
> 
> 
> rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \
>127.0.0.1 port 5000
> 
> 
> But I have one question, my proxy requires authentication before browsing,
> how can I have the firewall also authenticate, because if I disable on the
> squid proxy authentication, it works. If I enable it, all sites I try to
> visit comes up with a page that I need authentication first to use the
> proxy.
Using transparent proxying + auth is generally considered a bad idea.



Re: Logging failed SSH users and the passwords they typed

2008-04-23 Thread Claer
On Wed, Apr 23 2008 at 01:00, Jon Radel wrote:

> Sam Fourman Jr. wrote:
> >>  Is there a way to login the passwords that were used in the bruteforce
> >> attack?
> > 
> > I am siting trying to come up with a good reason why you would give a
> > damn what passwords they tried?
> > 
> > I mean for the most part they are scripts trying to BRUTE  your ssh port 
> > anyhow.
> 
> Not only that, if you read any history of Unix's early days you should
> come across some instructive stories as to why logging the passwords of
> failed attempts is now generally considered a really bad idea.
> Basically has something to do with that between all the garbage from
> brute force attempts you'll find entries of legitimate attempts with
> small typos in the password.  Suddenly your log file has become really
> dangerous.
> 
If it's for honeypot and educational reasons, it's best not to use the
same daemon as the production one.

Searching a little I found this program :
http://kojoney.sourceforge.net/
You can use it as your base to do what you wanted.



Re: aterm, rxvt -- memory usage

2008-04-23 Thread Claer
On Tue, Apr 22 2008 at 43:22, Arun G Nair wrote:

> On Mon, Apr 21, 2008 at 11:44 PM, Claer <[EMAIL PROTECTED]> wrote:
> >  I personally use unicode rxvt. It's a clone of rxvt that comes with
> >  unicode (oh surprising) and with client/server mode to reduce memory
> >  usage when you have several terms like I used to have.
> >
> >  urxvt is also one of the rare terms out there with transparency and
> >  whitening the background and not darkening it.
> 
> Hi, I where can I find urxvt for openbsd ? I can't seem to find it in
> ports. Am using 4.2.
> 
Oh sorry, I didn't check its availability in ports. But, as stated,
it's certainly not too hard to compile it from source.

Claer



Re: aterm, rxvt -- memory usage

2008-04-21 Thread Claer
On Mon, Apr 21 2008 at 34:18, Jesus Sanchez wrote:
> Hi all,
Hi,

> I'm using 4.2 without problem, and I'm trying to find one "xterm" to my
> personal use with only one thing in mind: low cpu and memory usage.
>
> I discarded xterm because it have some things I don't need and it uses a
> lot of memory too.
>
> My two favourite options are aterm and rxvt. I have done some test using
> "top" and I have found that aterm uses less memory than rxvt. Where rxvt
> uses 1800 KB, aterm uses 1400 KB and stuff like that. I have no problem
> using both of them, and I would thing they have the same options for me
> except aterm have more package dependences that rxvt, but aterm have
> transparency an rxvt not.
>
> I'm supposed to belive that even having transparency options, aterm uses
> less memory than rxvt? I'm missing something? I know they are different
> programs but still disturbing me.

I personally use unicode rxvt. It's a clone of rxvt that comes with
unicode (oh surprising) and with client/server mode to reduce memory
usage when you have several terms like I used to have.

urxvt is also one of the rare terms out there with transparency and
whitening the background and not darkening it.

Claer



Re: CARP LAN outgoing IP address

2008-04-19 Thread Claer
On Fri, Apr 18 2008 at 32:21, Gábri Máté wrote:
> On Friday 18 April 2008 21.29.18, the following was written:
> > On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[EMAIL PROTECTED]> wrote:
> > >  This is normal, but is there a way to make the outgoing package to have
> > > the internal CARP device's address as source IP?
> >
> > What would this accomplish?  If one of the nginx machines goes down,
> > the TCP sessions won't be able to failover to the other carp peer.
> > I'd prefer to see in my logs which proxy a request came from so I can
> > better diagnose if a particular machine is misbehaving.
> 
> You're right, but we need the carp'd IP for statistics on the web servers. If
> one of the machines goes down then the user just have to hit the refresh
> button and she has access to the content again.
> 
Did you try to NAT the LAN interface with the carp address? It should
work for the firewall's own outgoing traffic too. The problem is, if the
connection is issued from the backup firewall you will lose the connection.
To bypass this limitation, you can use ifstated and pf tables.

- If the LAN interface is in master mode : add the carp address to 
  the NAT table

- If the LAN interface is in backup mode : remove the carp address from
  the nat table

Claer
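As an added example (not from this thread), here is an ifstated.conf that implements the two bullets above: when the LAN carp interface becomes MASTER the carp address is added to a pf table used as the NAT source for the firewall's own traffic, and it is removed again on BACKUP. The same state machine is the place for any other command keyed to carp state, which is what the earlier "OpenOSPF routing and CARP issues" reply points ifstated at. The interface names carp1/em1, the table name carp_src and the address 192.168.1.1 are assumptions; the pf.conf side is shown in comments because it is a separate file.

```ifstated
# /etc/ifstated.conf: added example, not from the original thread.
#
# Matching pf.conf side (assumed names):
#   lan_if = "em1"
#   table <carp_src> persist
#   nat on $lan_if from ($lan_if) to any -> <carp_src>
# While the table is empty the nat rule has no address to translate to,
# so on the backup the firewall's own connections should leave with em1's
# address; confirm with "pfctl -ss" on the backup before relying on it.

# On a carp(4) interface, link up means MASTER and link down means BACKUP.
carp_master = "carp1.link.up"

# Start in the backup state and let the first evaluation move us if needed.
init-state backup

state master {
	init {
		# carp1's address becomes the source for our own outgoing traffic
		run "pfctl -t carp_src -T add 192.168.1.1"
	}
	if ! $carp_master
		set-state backup
}

state backup {
	init {
		# drop the carp address so new connections use the real address
		run "pfctl -t carp_src -T delete 192.168.1.1"
	}
	if $carp_master
		set-state master
}
```

Existing states that were created with the carp address as source still die on failover, as the post says: only the table changes, not the states. For the ospfd case, note that ospfd.conf also has a per-interface `depend on carpX` option that raises the interface metric while the carp interface is not master, which may be enough without ifstated.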



Re: What crypto card to buy?

2008-04-02 Thread Claer
On Tue, Apr 01 2008 at 00:15, Khalid Schofield wrote:
> Hi,
> I'm wondering what is the best crypto card to buy to use with openbsd to do 
> AES and blowfish and the SSL encryption.
The question you should ask yourself is "Do you need an accelerated SSL card?"

As showed in http://marc.info/?l=openbsd-misc&m=108220996010023&w=2,
a fast CPU beats a crypto card for small packets. This is due to I/O and 
interrupts.

If you intend to use embedded devices with small CPU, go for C7 ones,
these CPU include a crypto accelerator.

> Is this the best buy? http://www.soekris.com/vpn1401.htm
I searched for crypto cards for IPSEC Encryption, the best answer I
found was : not use one ;-)

> It mentions AES but not blowfish.
As said by other people, you should go for AES encryption.

Claer



Re: pf tag/tagging and packages from localhost

2008-02-24 Thread Claer
On Mon, Feb 25 2008 at 06:11, Darren Spiteri wrote:
> On 2/25/08, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > * Darren Spiteri <[EMAIL PROTECTED]> [2008-02-24 15:11]:
> >
> > > Tags are for assigning trust between interfaces, for instance to
> >  > prevent traffic from WWW DMZ from leaking into the trusted LAN.
> >
> >
> > that is ONE use of them, but certaily not the only one.
> 
> Please enlighten us then, Henning. What do you use tags for, routing?
> Why don't you update the doco with some examples?
For example, I use tags for QoS inside IPSEC. It's documented in
ipsec.conf(5) 

Claer



Re: syslog-ng and log analyzers

2008-02-20 Thread Claer
On Wed, Feb 20 2008 at 32:08, Rami Sik wrote:
> Hi All,
Hi alone,
> 
> I would like to see what you'd suggest as a log analyzer tool(s) on a
> centralized log server running syslog-ng.
In our network, I decided to analyse the logs received by syslog-ng with
Prelude-LML. In fact, all logs are retransmitted to the Prelude-LML syslog
daemon bound on localhost.

Prelude-LML can find security threats in logs of numerous products. It's
easy to see them with the Prelude console (Prewikka).

The fact that only a copy is sent to prelude-lml lets you store the
logs as you want. This way you can analyse mail or web logs with your
favourite log analyser. We intend to use awstats for this purpose.

> I also need to use a specific tool as PF log analyzer. What do you
> suggest for that purpose?
For the moment, I haven't chosen any product to analyse pf logs.
I haven't yet found a firewall log analyser that emphasises the important
alerts rather than summarising all the connections in a beautiful graph.

Claer




Re: Route-based VPN - Fortigate to OpenBSD

2008-02-11 Thread Claer
On Sun, Feb 10 2008 at 23:03, Chris Jones wrote:
> Thanks for the advice I will look into that should the gif option not work. 
> Do you have any advice as to how to run gif over ipsec?
Sorry, I don't have any clue how to set up gif tunneling with a Fortinet
endpoint. Between two OpenBSD boxes it's quite easy: just do s/GRE/gif/ in my
previous sentence ;-)


Claer




Re: Route-based VPN - Fortigate to OpenBSD

2008-02-09 Thread Claer
On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
> Hi all,
Hi,

> A while back I attempted to setup a route-based VPN tunnel between a 
> Fortigate firewall and an OpenBSD firewall with no success. I now have the 
> need to get this to work and wondering if someone on the list can shed some 
> light on the configuration. The end goal is to have a gif(4) interface run 
> over IPSec so that I can use a dynamic routing protocol to route traffic to 
> remote VPN networks.
>
> I can successfully create an IPSec VPN connection between the Fortigate and 
> OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and 
> Netscreens are un-numbered.
>
> I have tried bringing up the gif interface after successfully establishing 
> an IPSec connection by issuing the following commands.
>
> $ sudo ifconfig gif0 create
> $ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
> $ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
> $ sudo route add -inet 10.2.0.0/16 10.0.0.2
>
> I then modified the un-numbered tunnel interface on the Fortigate side to 
> use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I 
> already have an IPSec tunnel established. Where I'm confused is setting up 
> gif to tunnel over the IPSec connection in order to route traffic across it. 
> Can someone point me in the right direction?
"Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
should work. It's not the way to go if you want to take the vpn decision
based on ip routes.

I'd first try to create a numbered GRE tunnel between the peers and then
create a host-to-host VPN with the GRE tunnel on top of it.

Both OpenBSD and Netscreen support GRE, I hope Fortinet does.

Claer

> My setup is quite simple.
>
> network
> ---
>
> internal      external                  external      internal
> ----------- | 1.1.1.1  -> Internet ->  2.2.2.2 | -----------
> 10.1.1.0/24                                      10.2.0.0/16
>
>
> ipsec.conf
> --
>
> remote_gw = "2.2.2.2"
>
> ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
> aggressive auth hmac-sha1 enc 3des group modp1536 \
> quick auth hmac-sha1 enc 3des group modp1536 \
> srcid [EMAIL PROTECTED] \
> psk "secret"
>
>
> Thanks,
> -Chris
>
> -- 
> Chris Jones



Re: CARP & PPPo

2008-01-31 Thread Claer
On Thu, Jan 31 2008 at 24:21, Steven Surdock wrote:
> Richard Daemon wrote:
> > On Jan 31, 2008 8:36 PM, Sevan / Venture37
> > <[EMAIL PROTECTED]> wrote:
> >
> >>
> >> I definitely would be!
> > I don't have my ISP that does PPPoE anymore, so I have no way to test
> > it...
> 
> Carp on pppoe doesn't really make sense, unless I'm missing something.
> For fun, I tried it a while back
> (http://marc.info/?l=openbsd-misc&m=113940624732259&w=2).  I suspect the
> "solution" to a redundant firewall cluster with a pppoe interface will
> involve ifstated.

It's the way I solved the same problem. All interfaces are carped except
pppoe. I use ifstated to track the carp status:
  If the master goes down, then shut down isakmpd and pppoe.
  If the slave goes up, then activate pppoe and wait until it is fully
functional (has got an IP address).
  If the pppoe link becomes OK, start isakmpd and reapply pf just in case.

So far, I haven't had any issues on the primary :)

Claer



Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Claer
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:

> Claer <[EMAIL PROTECTED]> writes:
> 
> > I always hesitate to use this trick. Could you please develop more the
> > implications of this method? Is it still effective?
> Yes, it's still effective.  You need to put in whatever values you
> feel are appropriate for your network and users.  In Lars' example,
Sorry for not being that clear. I was talking about automatically mailing
the abuse contacts of the whois address block.
I already use rate filtering. It's true that this method is still
effective. Some bots have started to distribute the attacks, so the
effectiveness is eroding with time.
For the record, I also tried the OS fingerprint trick. This one is not
effective for SSH bruteforce, but it is for antispam. For the moment, only
the Windows 2000 OS is matched frequently (around once a day for my DSL
connection).

Anyway, thanks for your long explanation :)

Regards,

> 
> > pass in on $ext_if proto tcp to ($ext_if) port ssh \
> >     flags S/SA keep state (max-src-conn 4, \
> >     max-src-conn-rate 2/60, overload <bruteforce> \
> >     flush global)
> 
> any host with more than 4 simultaneous ssh connections OR that
> connects more than twice during any 60-second period has all their
> existing connections terminated, their address put into the bruteforce
> table and their address no longer matches the criteria for the pass
> rule.  Those values are low enough that you might risk tripping up
> legitimate connections if there are enough users coming in from behind
> a NATing gateway, but that scenario may not be relevant for your case.  
> 
> What happens to connections from addresses in the bruteforce table is
> up to you, but I suspect a rule involving 'block quick' is very
> common.  And yes, it's in the tutorial[1] and covered in that little
> book of mine[2].
> 
> - Peter
> 
> [1] http://home.nuug.no/~peter/pf/en/bruteforce.html goes right to
> this topic, http://home.nuug.no/~peter/pf/ for a choice of formats
> 
> [2] http://nostarch.com/pf.htm
> 
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
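The complete ruleset the quoted rule belongs to, as an added pf.conf example (not from Peter's or Lars's mails): it assumes an `ext_if` macro, uses the `bruteforce` table named in the discussion, and adds the `block quick` rule Peter alludes to.

```pf
# Added pf.conf example; ext_if is an assumed macro value.
ext_if = "em0"

# The table must be persistent, otherwise pfctl drops it when no rule
# references it while the ruleset is reloaded.
table <bruteforce> persist

# Offenders already in the table are rejected before the pass rule is
# consulted; "log" feeds pflog0 so the blocks can be reviewed later.
block in log quick on $ext_if from <bruteforce>

# The rule quoted in the thread: at most 4 simultaneous SSH connections
# and at most 2 new connections per 60 seconds per source. A source that
# exceeds either limit has its address added to <bruteforce> and all of
# its existing states flushed. Raise both limits if many legitimate users
# come in from behind one NAT gateway, as Peter warns.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn 4, max-src-conn-rate 2/60, \
    overload <bruteforce> flush global)
```

Table entries stay until removed; a daily cron job running `pfctl -t bruteforce -T expire 86400` drops addresses that have not been re-added within the last 24 hours.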



Re: SSH Brute Force Attacks Abound - and thanks!

2008-01-11 Thread Claer
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
> Kennith Mann III wrote:
> > ...
> > While moving the SSH port doesn't help much against anyone running an
> > nmap scan, it stops blind port 22 scans that run generic password
> > hacks and fill your logs with crap,
> 
> Overloads help a bit:
> 
>   pass in on $ext_if proto tcp to ($ext_if) port ssh \
>       flags S/SA keep state (max-src-conn 4, \
>       max-src-conn-rate 2/60, overload <bruteforce> \
>       flush global)
> 
> Regarding the logs, one thing that worked in the past was giving the
> netblock owner a hard time.  It's their responsibility.  It's not too
> hard to make up a shellscript (or use another scripting language) which
> automates a daily report and the complaint.

I always hesitate to use this trick. Could you please elaborate on the
implications of this method? Is it still effective?

Thanks!

Claer



Re: PE1950

2007-11-22 Thread Claer
On Wed, Nov 21 2007 at 56:15, Marco Peereboom wrote:
> This machine works fine with 4.2.
> 
> PERC6 does not work yet with our mfi driver but I am also pretty sure
> those aren't really available yet.

The last PE 1950 we bought (2 months ago) came with a PERC 5. I heard that
new hardware should arrive around December for the PE 1950.


Claer

> On Wed, Nov 21, 2007 at 09:55:54AM -0800, Stanislav Ovcharenko wrote:
> > Hello,
> >  
> > I'm planning on running OpenBSD 4.2 on Dell Power Edge 1950.
> >  
> > Question 1: How stable is it on x64 platform? I mean native 64 bit code. I 
> > assume that x86 code will run just fine ...
> > Question 2: Does anyone know if PERC 6 RAID controller is supported. The 
> > hardware list says that it will work with PERC 5 and I'm wondering if the 
> > same driver will detect and support the chipset on PERC 6 controller.
> >  
> > Any feedback would be appreciated.
> >  
> > Regards, Stas.



Re: Cisco 3002 VPN client to OpenBSD?

2007-10-05 Thread Claer
On Wed, Oct 03 2007 at 32:20, Jeff Simmons wrote:
> Anyone have any experience with this?
> 
> A company a client of mine wishes to work with insists this will work, but I 
> have my doubts. The documentation for the 3002 seems to indicate that it is 
> specifically for connections to a Cisco 3000 series VPN concentrator, and it 
> requires (?) group-password and user-password entries for connections to the 
> 3000. Most of the rest of the configuration is pretty standard, if old (3des, 
> sha1).
It's just a no-go.

The Cisco client license explicitly forbids connecting to anything but
Cisco hardware.

Here is an extract from the Cisco client license:

--8<---8<--8<-

Grant of License

2. Cisco Systems hereby grants you the right to install and use the
Software on an unlimited number of computers, provided that each of
those computers must use the Software only to connect to Cisco Systems
products, and subject to export restrictions in Paragraph 4 hereof. You
may make one copy of the Software for each such computer for the purpose
of installing the Software on that computer. The Software is licensed
for use only with Cisco Systems products, and for no other use.

--8<---8<--8<-


Claer



Re: OpenBGPd Regular Expression

2007-09-19 Thread Claer
On Tue, Sep 18 2007 at 06:20, Claudio Jeker wrote:
> On Tue, Sep 18, 2007 at 12:25:02PM -0500, [EMAIL PROTECTED] wrote:
> > I saw from a thread a while back that putting as-path regular
> > expression support into OpenBGPd was being considered.  I'm testing
> > out a 4.2 snapshot, and so far it doesn't seem to be there just yet.
> > 
> > For various reasons, I'd like to be able to tweak prefixes based on
> > some specific as-path values a la Juniper.  This kind of stuff:
> > 
> > Criteria: Path whose second AS number must be 56 or 78.
> > Regular Expression: (. 56) | (. 78) or . (56|78)
> > Example Matches:  1234 56 and/or 34 78
> > 
> > http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-policy/html/policy-extend-match-config3.html
> > 
> > Anyone know if this is in the works?
> > 
> 
> Adding a better AS filter list has been on my todo list for a long time. We
> will not implement a full regex -- cisco demonstrated once again why regex
> is a bad idea.
> 
> Just a few thoughts. I do not like the | (or) operator. This can be
> written with two rules without any issues. I guess we will support +, ., -
> , ^ and $.

About the OpenBGPd todo list, is there any plan to implement BGP
confederations?

Thanks 

Claer



Re: can carp state changes log to syslog?

2007-09-12 Thread Claer
On Tue, Sep 11 2007 at 41:12, Bryan Irvine wrote:
> I've found a couple of threads in the archive about the possibility of
> adding this feature, but can't seem to find out whether or not this is
> possible.

I think this is the patch you are looking for:
http://marc.info/?l=openbsd-misc&m=118232405007254&w=2



Re: VPN Connection from 4.1 to WatchGuard

2007-08-27 Thread Claer
On Thu, Aug 23 2007 at 58:21, James Lepthien wrote:
> Hi again,
Hi,

> just for your information and if anybody runs into the same problem. I 
> found out that there are a lot of sysctl values for IPSec which can be 
> changed so that it is possible for me to not use the default timeout of 
> 86400. Have a look:
[...]
> net.inet.ip.ipsec-pfs=1
> net.inet.ip.ipsec-timeout=28800
> net.inet.ip.ipsec-soft-timeout=8
[...]
The soft timeout should be lower than ipsec-timeout. From what I
understood, ipsec-timeout is when isakmpd *needs* a new key pair, and
ipsec-soft-timeout is when the kernel computes the key pair. So if the
soft timeout is longer than the isakmpd one, isakmpd has to wait for the
calculation of the key as soon as it requires it. As the calculation may
take some time, you certainly prefer that the kernel computes the keys
before isakmpd asks for them.

> I already changed the ipsec-timeout to my WatchGuard value at the other end 
> and also change the encryption to 3des. Now I will take a closer look if it 
> really works flawlessly ;)
Aren't these values fixed with ipsecctl or isakmpd.conf?!


> Cheers,
> James
>
> PS: Does anybody know which are the timeouts for phase 1 and 2? I guess the 
> ipsec-timeout I changed is fpr phase 2 only. Which of the others is for 
> phase 1?
The phase 1 and phase 2 timeouts are managed by isakmpd.conf (search misc,
it was already mentioned several times ;))

By default, isakmpd negotiates the value with the peer between 60
and 84600 seconds.
[...]

>>>>> My ipsec.conf looks like this:
>>>>>
>>>>> ike esp from $ext_IP to $peer_GW
>>>>> ike esp from $ext_IP to $peer_LAN peer $peer_GW
>>>>> ike esp from $int_LAN to $peer_LAN \
>>>>>   peer $peer_GW \
>>>>>   main auth hmac-sha1 enc 3des group modp1024 \
>>>>>   quick auth hmac-sha1 enc 3des group none \
>>>>>   psk ""

You have "group none" for phase 2. That means you don't use PFS. But in
this email you set the sysctl pfs option to 1. There is a contradiction.

Regards,

Claer



Re: questions regarding ipsec tunnel

2007-06-15 Thread Claer
On Fri, Jun 15 2007 at 14:12, Sebastian Reitenbach wrote:
> Hi all,
Hi,

> ike active esp from 192.168.27.0/24 to 192.168.0.0/16 \
>local 223.150.201.44 peer 34.123.15.43 \
>main auth hmac-md5 enc 3des group grp2 \
>quick auth hmac-md5 enc aes group modp1024 \
>psk "MySecretPassPhrase"
There is a mistake in the main mode declaration. Your group cannot be
set to "grp2". You should use modp1024 as in the quick mode statement.

From the ipsec.conf man page:

     The following group types are permitted with the group keyword:

           Group      Size
           modp768    768
           modp1024   1024
           modp1536   1536
           modp2048   2048
           modp3072   3072
           modp4096   4096
           modp6144   6144
           modp8192   8192
           none       0     [quick mode only]



Regards,

Claer



Re: ipsec.conf and carp/physical interfaces

2007-05-12 Thread Claer
On Fri, May 11 2007 at 08:13, [EMAIL PROTECTED] wrote:
> ok i misinterpreted the man page, this is what i needed instead...
> 
> ike esp from a.a.a.0/24 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218
> ike esp from x.x.x.142 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218
> ike esp from x.x.x.142 to y.y.y.218

> On 5/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > When using ipsec.conf to set up the vpn on redundant firewalls with carp
> > on the outside interface, I noticed that the session is using the ip of the
> > physical interface and not the ip of the carp interface which the remote end
> > is listening for. When looking in the man pages there are options for local
> >  remote  but setting this up seems to give me a syntax
> > error. I had this working a few days ago and now I cant seem to figure out
> > what im doing wrong.

Hi,

I read somewhere on the list that you cannot assign IPs to the
interfaces if you are using carp + pfsync + sasyncd. You should have
only the carp IP set up. 

Is your config working? Did you test failover?

Thanks,

Claer



Re: Openbsd ipsec with cisco vpn client

2007-04-20 Thread Claer
On Fri, Apr 20 2007 at 34:05, Lars D. Noodén wrote:
> On Fri, 20 Apr 2007, Claer wrote:
> > On Thu, Apr 19 2007 at 53:12, carlopmart wrote:
> >>  Somebody have tried to use cisco vpn client to connect to openbsd ipsec
> >> gateway using user and pass or x509 certificates? Can somebody sends me
> >> some examples ?
> > It's explicitly forbidden in the license. So I didn't take the time to try
> > it, sorry.
> 
> Do you mean that the license forbids using a Cisco vpn client with an
> OpenBSD ipsec gateway?  If so, can you point to the URL for the license?
Exactly. The license obliges Cisco VPN Clients to connect to Cisco
equipment only.
It is written in the license agreement (EULA) you accept when installing the
client. Here is the interesting part:

"2. Cisco Systems hereby grants you the right to install and use the
Software on an unlimited number of computers, provided that each of
those computers must use the Software only to connect to Cisco Systems
products, and subject to export restrictions in Paragraph 4 hereof."

We responded to a public offer where the client wanted to connect to a
free software gateway using the Cisco client, that's why we looked into
the license part.


Claer



Re: Openbsd ipsec with cisco vpn client

2007-04-20 Thread Claer
On Thu, Apr 19 2007 at 53:12, carlopmart wrote:
> Hi all,
Hi,

>  Somebody have tried to use cisco vpn client to connect to openbsd ipsec 
> gateway using user and pass or x509 certificates? Can somebody sends me 
> some examples ?
It's explicitly forbidden in the license. So I didn't take the time to try
it, sorry.


Claer



Re: Deleting SAs with ipsecctl

2007-04-13 Thread Claer
On Thu, Apr 12 2007 at 19:14, Martin Hedenfalk wrote:
> Hello misc,
Hello,

> I'm trying to delete individual tunnels with ipsecctl:
> This is on the 4.1 snapshots from April 6.
[...]

> Then I try to delete the SAs:
> # ipsecctl -ss
> esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac- 
> sha2-256 enc aes
> esp tunnel from 192.168.5.12 to 192.168.5.5 spi 0x268063a2 auth hmac- 
> sha2-256 enc aes
> # ipsecctl -ss | ipsecctl -d -f-
> stdin: 1: no authentication key specified
> stdin: 2: no authentication key specified
> ipsecctl: Syntax error in config file: ipsec rules not loaded

> What authentication key is needed? How can I remove a specific SA?
Starting from 4.1, ipsecctl no longer shows the SA keys with 'ipsecctl -s sa'.
To show them, there is a new -k flag.

> I should add that this is on a passive IPsec aggregator with many  
> dynamic tunnels from "road warrior" type peers.
I haven't tried road warriors yet. What client software do you use?

Claer



Re: ipsec between openbsd 4.0 and checkpoint

2007-03-29 Thread Claer
On Thu, Mar 29 2007 at 44:08, Sebastian Reitenbach wrote:
> Hi list,
Hi,

> I have a problem to setup an ipsec tunnel between my openbsd box and a
> checkpoint firewall.
[...]
> I had no problem to get a tunnel working between two openbsd 4.0 hosts with
> the above configuration file, so I think my problem can only be the timings 
> of the renegotiations. What are the default renegotiation timings, and where 
> should i configure these?

The default SA lifetimes are described in the man page of isakmpd.conf:

   [General]
   Default-phase-1-lifetime=   3600,60:86400
   Default-phase-2-lifetime=   1200,60:86400

OpenBSD will accept lifetimes between 60 and 86400 seconds with a
default of 1 hour for phase 1 and 20 minutes for phase 2.
As you wrote, the default Checkpoint lifetimes are 1440 min for phase 1
(86400 seconds) and 3600 seconds for phase 2. I doubt it's a lifetime
problem.

The configuration should work, at least it works here between Checkpoint
R61 and OpenBSD 4.0.
Could you provide us some error messages please? Messages from the
Checkpoint side would help too :)

Claer



Re: isakmpd Default main: select: Bad file descriptor

2007-03-12 Thread Claer
On Mon, Mar 12 2007 at 44:12, Sebastian Reitenbach wrote:
> Hi list,
Hi,

> I try to setup ipsec with isakmpd -K and ipsecctl on a OpenBSD 4.0 host. I had
> it running on friday, using the following configuration:
> 
> ike active esp from 192.168.100.0/24 to 192.168.101.0/24 \
> local 24.24.24.24 peer 42.173.16.1 \
> main auth hmac-md5 enc aes group grp2 \
> quick auth hmac-md5 enc aes group grp2 \
> psk MySekret
I opened a bug when the symmetric encryption is set to AES. I found the
same behavior as yours. I didn't take the time to investigate, but
changing the encryption to 3des resolved the issue.

There is certainly an error in the ipsecctl generated output for
isakmpd.

Regards,

Claer


> 
> I started isakmpd -K and then did an ipsecctl -vv -c /etc/ipsec.conf, and
> then I immediately get a Bad file descriptor, see below:
> 
> 122049.815507 UI   30 ui_config: "C set [Phase 1]:42.173.16.1=peer-42.173.16.1
> force"
> 122049.815901 UI   30 ui_config: "C set [peer-42.173.16.1]:Phase=1 force"
> 122049.815971 UI   30 ui_config: "C set [peer-42.173.16.1]:Address=42.173.16.1
> force"
> 122049.816031 UI   30 ui_config: "C set
> [peer-42.173.16.1]:Local-address=212.204.56.174 
> force"
> 122049.816141 UI   30 ui_config: "C set
> [peer-42.173.16.1]:Authentication=MySekret force"
> 122049.816202 UI   30 ui_config: "C set
> [peer-42.173.16.1]:Configuration=mm-42.173.16.1 
> force"
> 122049.816297 UI   30 ui_config: "C set [mm-42.173.16.1]:EXCHANGE_TYPE=ID_PROT
> force"
> 122049.816366 UI   30 ui_config: "C add
> [mm-42.173.16.1]:Transforms=3DES-MD5-GRP2 force"
> 122049.816467 Default main: select: Bad file descriptor
> 122050.817017 Default main: select: Bad file descriptor
> 122051.827071 Default main: select: Bad file descriptor
> 122052.837085 Default main: select: Bad file descriptor
> 122053.847123 Default main: select: Bad file descriptor
> 
> I have seen this "Bad file descriptor" on friday too, after a reboot of the
> machine, it "disappeared". Unfortunately I do not know what the problem was
> and how it got fixed by the reboot. What could cause the "Bad file
> descriptor" error message? Can I fix it by raising some sysctl values or
> raising values in /etc/login.conf? A pointer in the right direction would
> be great. Just rebooting does not work 
> 
> 
> kind regards
> Sebastian



Re: site-to-site vpn 4.0 to cisco 3000 SOLVED

2007-02-26 Thread Claer
On Sun, Feb 25 2007 at 06:20, c l wrote:
> Finally got this to work.  Here's the config that ended up working.
> 
> I'm not sure why I didn't notice before but the quick mode stuff wasn't 
> setup correctly.
> 
> ipsec.conf
> ike esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2 \
>main auth hmac-sha1 enc 3des group modp768 \
>quick auth hmac-sha1 enc 3des group none psk openbsdrules
> 
There is another potential problem with this configuration. You did not
specify the ike mode: active, passive or dynamic.

The default behavior is to use "active". "dynamic" mode comes with DPD
(Dead Peer Detection) and doesn't work with some devices. I remember a
post here stating that it doesn't interoperate with a Netscreen at the
other end.

You're lucky not to have run into this problem :)

Routing into the enc0 interface is done with the flow statement in the
ipsec.conf file. Your ipsec.conf should include a line like this one:

flow esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2


Good luck!



Claer

> cisco
> IKE proposal
> authentication mode - presharedkeys
> authentication algorithm - sha/hmac-160
> encryption - 3DES-168
> DH Group - 1 768-bits
> Lifetime - 3600seconds
> 
> Lan-to-Lan connection
> interface - external(2.2.2.2)
> connection type - bi-directional
> peer - 1.1.1.1
> presharedkey - openbsdrules
> authentication - esp/sha/hmac160
> local network - 10.10.0.0  (wildcard mask 0.0.255.255)
> remote network - 192.168.1.0 (wildcard mask 0.0.0.255)
> 
> SA
> authentication - esp/sha/hmac160
> encryption - 3DES-168
> mode - tunnel
> Lifetime - 1200seconds
> 
> 
> 
> Now I just have to figure out the routing :)
> 
> 
> 
> 
> >From: William Bloom <[EMAIL PROTECTED]>
> >To: c l <[EMAIL PROTECTED]>
> >CC: misc@openbsd.org
> >Subject: Re: site-to-site vpn 4.0 to cisco 3000
> >Date: Sun, 25 Feb 2007 18:53:12 -0700
> >
> >The man page for isakmpd.conf indeed sheds some light; there's an example
> >in that page that shows how to specify lifetimes for both phases...
> >
> >   [General]
> >   Default-phase-1-lifetime=   3600,60:86400
> >   Default-phase-2-lifetime=   1200,60:86400
> >
> >At this point, if the lifetimes indeed agree, then I myself would be a
> >little puzzled over why the proposal would be rejected. Both endpoints
> >are configured to use the peer address as the ID? At first blush, your
> >settings seem all kosher.
> >
> >I would agree, though, that it certainly appears that there must still be
> >some sort of inconsistency between the proposals.
> >
> >Another suggestion...
> >
> >It appears that you've been trying to initiate the VPN from one end,
> >perhaps the OpenBSD end. Probably by sending a ping from the 1st site to
> >the 2nd. Restart both ends to clear out any SAs that have been
> >negotiated and try to ping from the -other- end in order to see what
> >happens when the VPN negotiation is initiated the opposite direction.
> >The log entries might show something useful.
> >
> >Also, did the OpenBSD logs show any detail of the failure from the last
> >attempts apart from the mismatched SA queries?
> >
> >
> >Bill
> >
> >
> >On Feb 25, 2007, at 14:48, c l wrote:
> >
> >>Hello,  thanks for the reply, it helped if I'm not mistaken.  I  think 
> >>I'm getting closer but still no joy.  See below.
> >>
> >>>From: William Bloom <[EMAIL PROTECTED]>
> >>>To: c l <[EMAIL PROTECTED]>
> >>>CC: misc@openbsd.org
> >>>Subject: Re: site-to-site vpn 4.0 to cisco 3000
> >>>Date: Sun, 25 Feb 2007 14:02:13 -0700
> >>>
> >>>I've setup maybe 78 LAN-to-LAN VPNs between my datacenter and other
> >>>sites of customers and partners. However, I haven't had occasion to
> >>>use OpenBSD as a VPN endpoint yet and I'm not an expert on the ike/
> >>>ipsec features of OpenBSD. Having said that, I've done quite a bit of
> >>>VPN troubleshooting in the past, so I'll take a stab at this in
> >>>general terms...
> >>>
> >>>My reading of the three 'ike esp' statements in ipsec.conf is that
> >>>you've declared three sets of SAs on the OpenBSD endpoint, all to peer
> >>>2.2.2.2 - one SA between the interior address spaces of the two
> >>>locations, a second between the endpoint address of the 1st location
> 

Re: site hosting on 2 internet connections

2007-02-16 Thread Claer
On Thu, Feb 15 2007 at 55:23, Daniel Ouellet wrote:
> Jacob Yocom-Piatt wrote:
> >i've read about using the route-to to balance outbound connections in 
> >the pf address pools docs, but i don't see this being immediately 
> >helpful for hosting purposes since the inbound connections should come 
> >in on both netblocks in the case that the load is spread over the two 
> >connections.
> 
> And why not. The outgoing is not relevant to your incoming. You request 
> a URL that is pretty small in size, but your reply is the one that has 
> all the content. Yes, you can do round robin for incoming, or use the 
> most reliable one for incoming, etc. But you are concerned about sending 
> your traffic out from the hosting site and that's your load right there. 
> Send it the way you see fit on your connection. It doesn't matter which 
> path it takes to reach back to the end users. Then balance your connections 
> with PF the way you see fit.
> 
> There is nothing wrong with that. Use your most reliable for incoming, 
> and split the outgoing on both.

This can be very problematic if your ISPs are running antispoofing
protections (they should, they rarely do). The other problem I see in
that setup is the asymmetric routing it creates. It can be another source
of problems later. Please, try to check with a temp server (with one of
your free IPs) before putting this configuration in a production
environment.

Claer



pf and ipsec troubles

2007-01-28 Thread Claer
Hi guys,

I just overcame some configuration issues with pf and ipsecctl and I'd
like to share my experience with these tools.

Firstly, I played with pf and a new feature named 'urpf'. It simplifies
antispoofing configurations a lot, but be aware that it can cause you
trouble.
After enabling urpf with the following line at the beginning of my
ruleset:

block in quick on ! enc0 from urpf-failed

I was unable to telnet to my email gateway. I was systematically getting a
"Connection reset". Nothing was found in tcpdump -ni pflog0, and the
mail service was working perfectly locally.
After some research I found that urpf was the cause of my troubles. It
sends back a RST on urpf-failed instead of dropping packets (the default
behavior) and filtered my rdr. I don't know if it's a bug, but the packet
should not have been blocked according to the documentation.
The workaround was to add the "pass" keyword to the rdr rules, in order
to bypass the block from urpf-failed. I also added the log keyword to
the antispoofing rule, so that I can diagnose faster the next time :-)

The second big problem was the IPSEC negotiation between another OpenBSD box
and a Cisco PIX.
Here is my small setup:

192.168.4.0/24 - PIX - (random lan) - OpenBSD - 172.16.[123].0/24
              [10.10.2.253]        [10.10.3.253]

I inserted the following in my ipsec.conf :

ike esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk "openbsd"
flow esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253

The negotiation never happened from the OpenBSD box to the PIX, but a ping
from the 192.168.4.0 network created the tunnel.
ipsecctl -nf reported no error; everything seemed to be OK.

With the network tech (the one who configured the PIX), we saw that
OpenBSD was trying to negotiate the tunnel with 3des!!

Reviewing the man pages many times, I finally figured out that I had missed
the keyword "group none" for the quick phase negotiation. Then I changed the
configuration to something more correct:

ike dynamic esp tunnel \
from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group none \
psk "openbsd"
flow esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253

The tunnel has worked fine since that moment :-)


A happy user,

Claer
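The corrected antispoofing setup described in the post, as an added pf.conf example (not from the original mail): the `ext_if` and `mail_gw` values are constructed, and the rdr rule is shown both in its original form and with the `pass` keyword that worked around the reset.

```pf
# Added pf.conf example; ext_if and mail_gw are constructed values.
ext_if  = "em0"
mail_gw = "172.16.1.25"

# Antispoofing via urpf-failed, now with "log" so that hits show up in
# tcpdump -ni pflog0 instead of appearing only as a connection reset.
block in log quick on ! enc0 from urpf-failed

# Before: a plain rdr. According to the post, the redirected SMTP packet
# was still caught by the urpf-failed block above and answered with a RST.
# rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> $mail_gw port smtp

# After: "rdr pass" passes the redirected packet immediately, so it never
# reaches the urpf-failed block and the mail gateway becomes reachable.
rdr pass on $ext_if proto tcp from any to ($ext_if) port smtp -> $mail_gw port smtp
```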



Re: isakmpd + carp + sasyncd failover problems

2007-01-24 Thread Claer
On Thu, Jan 18 2007 at 14:16, Kai Mosebach wrote:
> we are using 3 Soekris firewall pairs in our companies setup to provide 
> failover IPSec connections between 3 sites using OpenBSD 4.0 RELEASE. 
> The big picture looks like this :
> 
> A -> B (passive)
> A -> C (passive)
> B -> C (passive)
> 
> By now it's basically working fine, but with the IPSec failover we have 
> several problems which I cannot get around after several days of testing.
> 
> The main problem is that if the MASTER is rebooted, the SLAVE takes over, 
> fine.
> Once the MASTER comes up again, it takes over the SAs of the SLAVE, but 
> as soon as its carp interfaces get demoted (and it becomes an isakmpd 
> master) it acquires new SAs, which leads to a failure in the IPSec 
> tunnel, as there are twice as many SAs in the SA-DB than before and 
> (supposedly) the newly created SAs of the MASTER are used, which leads to 
> an "invalid cookie" on the remote site. I tweaked the /etc/rc script to 
> do the demotion later (or I do it manually) and it's directly related to 
> the point where the isakmpd is becoming master again.

I have a smaller setup (1 carp cluster and a single box at the other
end) and also noted the duplicate SAs. I updated to -current hoping to
see this problem resolved, with no luck.

I didn't see the "invalid cookie" message in the log files.


Claer