Re: pf anchors attached to irrelevant states

[Markus Wernig]

On 5/19/24 13:37, Stuart Henderson wrote:


I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.


Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc&m=168754952806369

Re: lcamtuf on the recent xz debacle

[Markus Wernig]

On 4/4/24 23:17, Katherine Mcmillan wrote:

an open source data compression utility available on almost all installations of 
Linux and other Unix-like operating systems."


There are a couple of problems with this statement, but I just want to 
focus in on the "almost all installations of Linux and other Unix-like 
operating systems" part. 


The statement reads "available on almost all ...", which is correct, as 
far as I can tell. But yes, the backdoor code in the version that was 
discovered seems to have targeted only Linux.

Re: Bridging firewall with online update/upgrade

[Markus Wernig]

On 4/3/24 18:19, Karel Lucas wrote:

I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.
I'm not entirely sure about how bridging works on OpenBSD and PF, but 
the answer, from a network point of view, would be "Don't make ETH4 part 
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to 
ETH4, allowing only for the update traffic to/from $self".

(I hope I'm not missing something basic here)

Re: can't find PID

[Markus Wernig]

I have asked myself the same question.

When runninng tcpdump -n -i pflog0 with the -e -v flags (and only in 
that combination), it outputs tuples that looks like they should be a 
uid and pid:


16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...
(it's 92257 on the machine this example is from, but is different on 
other machines)


The pid that "pid" references does not show up in any invocation of ps 
(-A, -a, -H, -k). It's also not mentioned in tcpdump[8].


pflog[4] does mention a uid_t uid and pid_t pid field in the pfloghdr 
struct, but does not say where the values come from.


When I reload the pf ruleset with pfctl, the number in the pid field 
changes. So my assumption is that it is the pid of the pfctl process 
that inserted the rule. Is that correct?


thx /m

On 3/5/24 15:45, Theo de Raadt wrote:


What are you expecting here??



ofthecentury  wrote:


Yes, I'm tcdupming pflog and ALL my dropped packets
reference some PID 6504 that is not found among
the processes that are running.

Re: Open-source security processor

[Markus Wernig]

On 9/8/23 00:24, Richard Thornton wrote:


Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's probably an easier problem solved with something
like SPI) of the powered-off x86_64 with the OpenBSD box, like a hardware
device that allows both OpenBSD and the laptop physical hardware level
access to the same NVMe, or would you have the NVMe in OpenBSD, scan it and
then somehow "hand over" the NVMe to Windows?

The NVMe drive can't be physically touched, not just swapped from board to
board, I'm thinking of this from a more "embedded" viewpoint.


If you think about a forensic analysis and/or integrity check of the 
*contents* of the NVMe, you should draw a binary image of the disk and 
analyze that. If you cannot remove the disk, but boot the system from an 
external device (into whatever OS you prefer), you could create such a 
copy from there (dd is your friend). You could also analyze the disk 
directly from there, but there's a high probability that you will modify 
it by doing so (in case you have to mount the filesystems).


If you cannot boot the system from an external device (because it is eg. 
in a hibernated state that you need to preserve), I don't think there is 
much you can do without removing the disk from the computer.


/m

Re: IP6 redirects through relayd no longer working reliably

[Markus Wernig]

Just for the record: The problem was caused by a malfunctioning upstream 
gateway, which did no longer respond properly to neighbor solicitation 
requests.


The SYN ACK from the server was dropped because the firewall had already 
removed the state created by the SYN.


On 6/23/23 22:51, Markus Wernig wrote:

pflog shows that the IPv6 SYN-ACK replies from the backend servers are 
being dropped by pf. But weirdly the blocks are logged over 30 seconds 
after the SYN is allowed through:

IP6 redirects through relayd no longer working reliably

[Markus Wernig]

Hi all

(Sorry for flooding, this seems related to the question I asked earlier. 
Please bear with me.)


I am using relayd on 7.3-release as an IP loadbalancer in front of some 
dualstack backend hosts. This setup has worked for some years now.


After upgrading to 7.3 about 4 weeks ago I noticed a steady decline of 
IPv6 sessions coming into the backend servers, up to the point where 
none arrive at all (for 2 days now).


Now users start complaining that their connections to the servers 
(public IP) are either timing out or are established only after a very 
long time (usually the tcp start timeout when the client switches from 
IPv6 to trying IPv4). The IPv4 connections succeed immediately.


pflog shows that the IPv6 SYN-ACK replies from the backend servers are 
being dropped by pf. But weirdly the blocks are logged over 30 seconds 
after the SYN is allowed through:



Jun 20 14:12:49.489707 rule 2/(match) [uid 0, pid 85766] pass out on 
vlanX: [Client.IP6].50210 > [Server.IP6].443:
S 2508622700:2508622700(0) win 64800 <[|tcp]> [flowlabel 0xd4400] (len 
32, hlim 52)
Jun 20 14:12:49.493267 rule 2/(match) [uid 0, pid 85766] pass out on 
vlanX: [Client.IP6].50211 > [Server.IP6].443:
S 806421981:806421981(0) win 64800 <[|tcp]> [flowlabel 0x162e5] (len 32, 
hlim 52)
Jun 20 14:12:49.507508 rule 2/(match) [uid 0, pid 85766] pass out on 
vlanX: [Client.IP6].50212 > [Server.IP6].443:
S 3945655871:3945655871(0) win 64800 <[|tcp]> [flowlabel 0x8abc6] (len 
32, hlim 52)
Jun 20 14:12:49.517783 rule 2/(match) [uid 0, pid 85766] pass out on 
vlanX: [Client.IP6].50213 > [Server.IP6].443: S 1191028748:1191028748(0) 
win 64800 <[|tcp]> [flowlabel 0xa7d6] (len 32, hlim 52)


Jun 20 14:13:20.943370 rule 2/(match) [uid 0, pid 85766] block in on 
vlanX: [Server.IP6].443 > [Client.IP6].50213: S 3650589557:3650589557(0) 
ack 209077342 win 64800 <[|tcp]> [flowlabel 0xd922c] (len 32, hlim 64)
Jun 20 14:13:20.943433 rule 2/(match) [uid 0, pid 85766] block in on 
vlanX: [Server.IP6].443 > [Client.IP6].50212: S 2068945110:2068945110(0) 
ack 2313561433 win 64800 <[|tcp]> [flowlabel 0xf8c9c] (len 32, hlim 64)
Jun 20 14:13:20.943476 rule 2/(match) [uid 0, pid 85766] block in on 
vlanX: [Server.IP6].443 > [Client.IP6].50211: S 3395939328:3395939328(0) 
ack 1849611325 win 64800 <[|tcp]> [flowlabel 0xb519e] (len 32, hlim 64)
Jun 20 14:13:20.943518 rule 2/(match) [uid 0, pid 85766] block in on 
vlanX: [Server.IP6].443 > [Client.IP6].50210: S 106368970:106368970(0) 
ack 1534267447 win 64800 <[|tcp]> [flowlabel 0xca19a] (len 32, hlim 64)


(The rule 2 that is logged is the rule number of the relayd/* anchor.)

tcpdump on vlanX shows the backend server sends the SYN-ACK immediately.

The IPv4 addresses are natted from public to rfc-1918 space and work.

For IPv6, the address of backend server.A is used as the public IP 
(service.pub). Only if server.A becomes unavailable, are packets 
redirected to server.B.


relayd.conf:
...
table  {
   Server.A.IP6 retry 2
}
table  {
   Server.B.IP6 retry 2
}
redirect "service.pub.80.v6" {
  listen on Server.A.IP6 tcp port 80 interface trunk0
  forward to  port 80 \
check http "/" host "server.A" code 200
  forward to  port 80 \
check http "/" host "server.B" code 200
}
redirect "service.pub.443.v6" {
  listen on Server.A.IP6 tcp port 443 interface trunk0
  forward to  port 443 \
check https "/" host "server.A" code 200
  forward to  port 443 \
check https "/" host "server.B" code 200
}

I am not 100% sure that the IPv6 failover actually worked before, but 
the connections to Server.A.IP6 were definitely working.

I do see the http and https checks succeed on both backend servers.

I've tried flushing the states and rebooting the firewall, to no avail.

relayctl shows all redirects/tables as active and all hosts as up:

2   redirectservice.pub.80.v6  active
3   table   server.A:80active (1 hosts)
3   hostServer.A.IP6   100.00% up
4   table   server.B:80active (1 hosts)
4   hostServer.B.IP6   100.00% up

3   redirectservice.pub.443.v6 active
5   table   server.A:443   active (1 hosts)
5   hostServer.A.IP6   100.00% up
6   table   server.B:443   active (1 hosts)
6   hostServer.B.IP6   100.00% up


Now I'm out of ideas on how to debug this further.

Has anyone been experiencing something similar?
Has something fundamental changed in relayd or pf that could cause this?
Does anybody spot an error in my configuration?

Thanks for any pointer!

Best regards
Markus

All packets logged with relayd/* anchor rule number

[Markus Wernig]

Hi all

I am using relayd on 7.3-release as an incoming IP loadbalancer and 
therefore have this line near the beginning of the filter section of 
pf.conf:


anchor "relayd/*"

It shows up as rule number 2 in pfctl -vv -s rules:

@0 match all scrub (no-df reassemble tcp)
  [ Evaluations: 89452 Packets: 545363Bytes: 161423157 
States: 1772  ]

  [ Inserted: uid 0 pid 59061 State Creations: 0 ]
@1 match out all scrub (random-id)
  [ Evaluations: 89452 Packets: 295160Bytes: 98671558 
States: 921   ]

  [ Inserted: uid 0 pid 59061 State Creations: 0 ]
@2 anchor "relayd/*" all
  [ Evaluations: 89452 Packets: 576068Bytes: 163171696 
States: 1772  ]

  [ Inserted: uid 0 pid 59061 State Creations: 58739 ]


But now all packets get logged with rule no. 2 in pflog, regardless of 
whether or not they match any relayd redirect.


Here's an example of an outgoing natted NTP query, which has nothing 
whatsoever to do with the relayd rules/redirects:


# tcpdump -e -vvv -ttt -n -i pflog0 port ntp

Jun 23 20:07:56.377848 rule 2/(match) [uid 0, pid 59061] pass in on 
vlanX: 192.168.x.y.123 > a.b.c.d.123: v4 client strat 2 poll 10 prec -24 
dist 0.006881 disp 0.034591 ref a.b.c.d@3896531217.384170621 orig 
3896531389.381188988 [|ntp] (DF) [tos 0xb8] (ttl 64, id 1236, len 76)
Jun 23 20:07:56.377928 rule 2/(match) [uid 0, pid 59061] pass out on 
trunk0: [rewritten: src n.m.p.o:55798, dst a.b.c.d:123] 192.168.x.y.123 
> a.b.c.d.123: v4 client strat 2 poll 10 prec -24 dist 0.006881 disp 
0.034591 ref a.b.c.d@3896531217.384170621 orig 3896531389.381188988 
[|ntp] [tos 0xb8] (ttl 63, id 1236, len 76, bad ip cksum dd99! -> de99)



Is this the expected behaviour?

Is there any way to get the actual rule numbers back? I am quite sure 
this was different in earlier releases.


Thank you in advance

Markus

Re: carp status master on both firewalls

[Markus Wernig]

for my external carp interface both firewalls show master as status 


The config is below for reference:

/etc/hostname.carp0 on fw1

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password 
advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

/etc/hostname.carp0 on fw2
  
inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em0 pass password advskew 128

inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

On both firewalls I have added the following in /etc/pf.conf:

pass on { $ext_if $int_if } proto carp keep state (no-sync)

Did anyone already encounter this issue or has any idea what might be wrong?


Hard to tell without logs. Some things that come to mind:

- Do the two fw actually have a link on their carp0 carpdev interfaces? 
If both are master, both should be sending out CARP advertisements, so 
I'd try to run tcpdump on both external interfaces and look for those:

tcpdump -n -e -i carp0 proto carp

- Did you enable CARP preemption? Try setting these via sysctl:
net.inet.carp.preempt=1
net.inet.carp.log=3

- In your config one fw has carpdev em2, the other carpdev em0. Could be 
OK, or could be an error.

Re: redirection puzzle

[Markus Wernig]

On 12/2/22 16:17, rsyk...@disroot.org wrote:

echo 1 | tee $(tty) | sed 's/1/2/'


Not 100% sure, but probably some timing/subshell issue.
This works:

tty=$(tty) && echo 1 | tee $tty | sed 's/1/2/'

best /m

Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

[Markus Wernig]

Hi Tom

On 5/11/22 21:32, Tom Smyth wrote:


We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
The one thing that immediately comes to mind is to NOT use a crossover 
cable for the pfsync connection (even though that seems to be kind of 
recommended in the pfsync(4) man page). Doing so will lead to a change 
of the other firewall's carp demotion counter on its pfsync interface if 
one peer is rebooted or shut down (and thus causing a link down event on 
the cabled interface on the other side). It also gives you three chained 
single points of failure at the same time (nic1, cable, nic2), which I 
would rather avoid (do the math).


I do of course agree with the intention of the suggestion (only run 
pfsync over a secure link). Since I am in the position where I only run 
my PF firewalls in a trusted environment, where I also control the 
switches (no shared cloud etc. infrastructure), I have found that 
running pfsync over a dedicated VLAN interface on a pair of trunk(4)ed 
NICs on 2 trusted switches sufficiently satisfies that requirement.


Best, Markus

Re: (bug?) relayd forward to directives interfering

[Markus Wernig]

On 11.08.21 08:40, Vladimir Nikishkin wrote:

> table   { 127.0.0.1 }
> table  { 127.0.0.1 }

Have you tried having the two backend listeners on different IP
addresses rather than on different ports? Eg. 127.0.0.1 and 127.0.0.2?

best /m

Re: Why demotion counter for group carp is set to 33 on boot?

[Markus Wernig]

On 7/13/21 9:32 AM, Tom K wrote:

> why demotion counter for group carp is set to 33 on boot? This is the 
> primary firewall and there are no adskew settings in all hostname.carpX 
> files or anywhere else.
> Because of this the other firewall which should be normaly the standby 
> (adskew 100), is always MASTER (comes up with carp demote count 0).

I remember similar symptoms when some of my vlan interfaces were
blocking carp traffic. I think I had to add an according rule for every
interface like this:
pass  quick on vlan230 inet proto carp  from any  to any keep state
(no-sync)

In another case one of the interfaces on the master was misconfigured
(some typo in hostname.if).

Maybe setting net.inet.carp.log=3 also shows more info.

best /m

Re: rad daemon strange error message

[Markus Wernig]

On 6/30/21 1:32 PM, Pierre Dupond wrote:
> veteher30 has no IPv6 link-local address, ignoring
 ^

I don't know rad, but from the output above there seems to be a typo in
some config.

Re: IPv6 NDP Confusion with PF enabled

[Markus Wernig]

On 3/8/21 11:05 PM, Antonino Sidoti wrote:

> There is no blocking showing up when I examine the pflog0, 

I would run tcpdump -n -i em0 icmp6 during /etc/netstart with and
without pf enabled. If you see a difference, that should help you find
out what to allow in your ruleset.

/m

Re: seeing carp interface state change for unknown reason ; cluestick hunting

[Markus Wernig]

On 2/7/21 1:38 AM, Bryan Stenson wrote:


   31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2,
link: no carrier, mtu: 1500,



Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit).  Any other suggestions?


Check the switch interface for any errors and messages.

Re: OpenBSD VM creation problem

[Markus Wernig]

On 1/23/21 3:25 AM, Hakan E. Duran wrote:


I have a few VMs on KVM/QEMU infrastructure. When I try to create an
OpenBSD VM, my key strokes start echoing on the VM console. 


Not sure if this is the same problem, but I did have similar trouble 
with qemu and OpenBSD in the past. I had to disable mpbios and acpimadt 
in the kernel to make it work. See boot_config(8).


From my notes from back then I also explicitly enabled acpi and ioapic, 
but I can't remember why ...


best /markus

Re: auto-boot

[Markus Wernig]

On 1/20/21 10:01 AM, Bastien Durel wrote:


If There is no software way to solve this problem, I shall need to buy
a small HDMI screen and drop serial console ...


If the console gets input from the serial port even with no cable 
plugged into it (and not just the other side disconnected), there's most 
likely something wrong with the port. Either it's malfunctioning on the 
electrical level, or some strange mode is set in the BIOS.


best /m

Re: question about hostname.carp

[Markus Wernig]

On 11/4/20 4:05 PM, Harald Dunkel wrote:


inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1 
advskew 0


If you use the actual broadcast address 10.0.1.255 instead on NONE it 
will work with both.

Re: Encrypted notepad software suggestions

[Markus Wernig]

On 9/28/20 4:54 PM, William Orr wrote:

> https://vim.fandom.com/wiki/Encryption

That post is from 2001 (still valid, though).
Vim from the current package defaults to blowfish2 as encryption algorithm.

best /m

Re: Encrypted notepad software suggestions

[Markus Wernig]

On 9/28/20 9:18 AM, Martin wrote:

> I'm looking for some notepad with encryption of notes/files created. Simply 
> Text File encryption is suitable too to hide some info from plain text files 
> I have.
Depending on your definition of "notepad", vim (gvim) should have
built-in encryption (:X command), at least it does on Linux.

best /m

Re: Routing and forwarding: directly connected computers

[Markus Wernig]

On 9/3/20 5:41 PM, Ernest Stewart wrote:

> And which pf rules and how to establish those routing tables are exactly what 
> I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
>From your setup I would assume that the IP addresses the hosts are using
for the ping are not what you expect.

best /m

Re: pfsync interface in carp group

[Markus Wernig]

On 6/9/20 9:25 PM, Paul B. Henson wrote:

> Hmm, I had never considered using jumbo frames. 
...
> I guess multicast would work too 

Neither jumbo frames nor multicast will prevent group demotion when the
other side of a crosslink cable goes physically down. Only not having
the sync interface in the carp group will.

Re: pfsync interface in carp group

[Markus Wernig]

On 6/9/20 12:27 AM, Paul B. Henson wrote:

> Yes, I am using a direct link between the two physical firewalls.
[...]
> Is this no longer a best practice?

If it's in the documentation, I suppose it still is.

But I have found it problematic, because taking down one firewall, or
even only its sync interface, will automatically demote the sync
interface on the other one, which then will affect the whole carp group,
if the interface is part of that group. When I first tried carp in the
lab many, many years ago, I vaguely remember seeing effects similar to
what you describe, and have used switched sync interfaces ever since.

Re: pfsync interface in carp group

[Markus Wernig]

On 6/8/20 12:29 AM, Paul B. Henson wrote:
> whenever I rebooted the secondary firewall, the
> carp interfaces on the primary would flip to backup and then back to
> master as the secondary one rebooted

I don't see that behaviour on my carp pair. Are you using a cross-link
cable between the two firewalls? (You shouldn't, in my experience.)

best

Re: Select ssh key from ssh-agent?

[Markus Wernig]

On 5/24/20 3:55 AM, David A. Pocock wrote:
> I can't relate; doing this from OpenBSD6.7 to OpenBSD6.7 the ecdsa forward
> through and show up via ssh-add without any issues (and allow using the 
> intermediary host without having the keys present (and being able to choose 
> keys as per the initial question).

If you want to use a specific agent-forwarded key on the intermediary
host, you can put the public key (sic!) in a file on the intermediary
host and use that file with the -i option or in the config file. The
private key for doing the signature during authentication is then
automatically selected from the agent.

/m

Re: Strange behavior when I try to use lladdr

[Markus Wernig]

On 5/22/20 12:12 PM, Денис Давыдов wrote:

> I decided to reinstall OpenBSD to a newer version on my VMware ESXi
> cluster. So I deleted an old router and start the new one using the old
> configuration, except that I add lladdr parameter with the old MAC address

Last I looked into it (some years ago) VMware did not allow to manually
set the adapter MAC address in the guest to addresses from some
hardcoded ranges, among which the VMware OUI 00:50:56. According to [1]
this is still the case today, they also specify the range there that can
be used.

> Now if I will stop tcpdump on terminal[2] I'll get packet loss again.
> This is a weird behavior. What could be wrong?

tcpdump by default puts the interface in promiscuous mode, which is why
it picked up frames not addressed to the lladr you set, but also to
00:50:56:92:d1:18, which seems to be the MAC that VMware has assigned to
the adapter.

/m

[1]
https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.troubleshooting.doc/GUID-7F723748-E7B8-48B9-A773-3822C514684B.html

Re: pfsync on VLAN - supported ?

[Markus Wernig]

On 14.11.2019 11:30, Rachel Roch wrote:
>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
>>> interface for pfsync ?
I have had pfsync running happily over a vlan interface for years, never
a problem.

> Regarding the extra port, in my case I'm using that for LACP (my switches 
> support distributed LACP, so i can have two cables going into two switches)
Having the sync port physically redundant and connected to a switch is a
very good idea, because a crossover cable will cause a carp demote
whenever the other firewall goes down or is rebooted, afair.

best /m

Re: random packet drops with syncookies/synproxy

[Markus Wernig]

On 09.11.2019 15:24, Claudio Jeker wrote:

>> So nobody is using syncookies/synproxy at all?
> 
> I guess that is a reasonably safe assumption. syncookies are rather new
> and probably need more battle testing.

OK, then I will send a bug report.

> synproxy never helped me much in
> case of a SYN attack since it will cause pf(4) to hit the state limit no
> matter what you do and then stuff starts to break.

Yes, synproxy will not help with that, but syncookies should. But the
syncookies entry in the man page also states that a connection opened
via syncookie will then run through synproxy, so the problem I'm seeing
might be in either one.

best /

Re: random packet drops with syncookies/synproxy

[Markus Wernig]

Hm, also no replies to that one :-)

On 11/6/19 8:15 PM, Markus Wernig wrote:

> So just to make sure: Is anybody using syncookies and/or synproxy in
> production in a similar setup?

So nobody is using syncookies/synproxy at all?

best /m

Re: random packet drops with syncookies/synproxy

[Markus Wernig]

Hi again

Nobody has answered, so I suppose nobody else has this problem :-)
That's good.

So just to make sure: Is anybody using syncookies and/or synproxy in
production in a similar setup?

Thx /markus


On 11/4/19 8:35 PM, Markus Wernig wrote:
> Hi all
> 
> After being hit by some synflood waves recently I enabled syncookies on
> our OBSD 6.6 i386 CARP fw pair:
> 
> set syncookies always
> 
> This stopped the state table from filling up. But after some hours pf
> started (randomly?) dropping legitimate connection attempts, both on
> external->internal (dst-natted) and on internal->internal (not natted)
> connections (TCP only, afaict).
> 
> Looking at pflog and the rule number that blocked the packet, it seems
> that the preceding "pass quick" rules matching the packets were ignored.
> 
> The packets that were dropped were the ACK ones, so the SYN-SYNACK seems
> to have taken place. The client then usually retransmitted the ACK,
> which kept being dropped for ca. 15-20 seconds, after which time it was
> suddenly accepted and the connection established. Many times also only
> the first ACK was dropped, and the first retransmit was accepted.
> 
> So I disabled syncookies and set the relevant ~5 external->internal
> rules to synproxy state.
> 
> With that, the same behaviour happened within a few minutes.
> 
> During that time pfctl -vsi showed the "synproxy" counter increasing by
> multiple thousands per second (sic), while the state table entries
> remained stable around 500 (their normal value).
> 
> So I disabled the synproxy state again, but reloading the rules with
> pfctl was not enough, I had to reboot both boxes to stop them from
> dropping legitimate connections. With both syncookies and synproxy
> disabled, the problem does not occur.
> 
> Is anybody aware of anything that could trigger this behaviour? Or have
> any hint where I could look further? I have all the log files if more
> info is needed.
> 
> thx /markus
> 
> (btw. the behaviour was the same on 6.5)
> 

random packet drops with syncookies/synproxy

[Markus Wernig]

Hi all

After being hit by some synflood waves recently I enabled syncookies on
our OBSD 6.6 i386 CARP fw pair:

set syncookies always

This stopped the state table from filling up. But after some hours pf
started (randomly?) dropping legitimate connection attempts, both on
external->internal (dst-natted) and on internal->internal (not natted)
connections (TCP only, afaict).

Looking at pflog and the rule number that blocked the packet, it seems
that the preceding "pass quick" rules matching the packets were ignored.

The packets that were dropped were the ACK ones, so the SYN-SYNACK seems
to have taken place. The client then usually retransmitted the ACK,
which kept being dropped for ca. 15-20 seconds, after which time it was
suddenly accepted and the connection established. Many times also only
the first ACK was dropped, and the first retransmit was accepted.

So I disabled syncookies and set the relevant ~5 external->internal
rules to synproxy state.

With that, the same behaviour happened within a few minutes.

During that time pfctl -vsi showed the "synproxy" counter increasing by
multiple thousands per second (sic), while the state table entries
remained stable around 500 (their normal value).

So I disabled the synproxy state again, but reloading the rules with
pfctl was not enough, I had to reboot both boxes to stop them from
dropping legitimate connections. With both syncookies and synproxy
disabled, the problem does not occur.

Is anybody aware of anything that could trigger this behaviour? Or have
any hint where I could look further? I have all the log files if more
info is needed.

thx /markus

(btw. the behaviour was the same on 6.5)

pf dropping fragmented UDP despite of scrub no-df

[Markus Wernig]

Hi all

I have this at the beginning of pf.conf:

match all scrub (reassemble tcp no-df )
match out all scrub (random-id)

Behind that FW is a (OpenIndiana) DNS server that fragments those of its
UDP replies that are too large for the local MTU (1500). (Log below is
from a DNSKEY query, the failure of which results in DNSSEC validation
failing.)
The server also sets the DF bit on the fragmented packets ...
The external IP dns1-external.domain.tld is natted on the firewall to
dns1-internal.domain.tld.

The fragmented replies reach the internal firewall interface, but never
go out again. There is a log entry for both fragments of the reply
packets (even though the rule is set to not log), and no further notice.

I thought that with the no-df scrub option this should no longer happen
... I must be missing something, but what? I've bumped my head into this
too long now, maybe somebody spots what I can't.

(FWIW: The same query over IPv6 (no nat - the server is dual-stack)
works, but then the requesting client has issues with reassembling the
packets :-[)


tcpdump on internal interface:

13:23:09.374991 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)
13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267:
47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] (frag
7478:1480@0+) (DF) (ttl 255, len 1500)
13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: (frag
7478:110@1480) (DF) (ttl 255, len 130)

13:23:14.380440 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...


tcpdump on pflog0 (the matching rule is set to not log):

Dec 04 13:23:09.376397 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7478:1480@0+) (DF) (ttl 255, len 1500)
Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld >
72.13.58.105: (frag 7478:110@1480) (DF) (ttl 255, len 130)

Dec 04 13:23:14.381860 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7491:1480@0+) (DF) (ttl 255, len 1500)
...


tcpdump on external interface:

13:23:09.374546 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)

13:23:14.380013 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...

Thx /markus

Re: Does pf's Sources table ever get cleared?

[Markus Wernig]

On 03.08.2017 06:42, Emille Blanc wrote:

> 005: RELIABILITY FIX: May 6, 2017
> Expired pf source tracking entries never got removed, leading to memory
> exhaustion.
> ref: https://www.openbsd.org/errata61.html
Thanks for the pointer! Problem gone after running syspatch (such a cool
tool!).

/m

Re: Does pf's Sources table ever get cleared?

[Markus Wernig]

On 02.08.2017 16:07, Steve Williams wrote:
> pfctl -t Sources -T flush

Thanks for the hints. The above yields an error here:

# pfctl -t Sources -T flush
pfctl: Table does not exist.

pfctl(8) is rather clear on the topic:
...
 -F modifier
 Flush the filter parameters specified by modifier (may be
 abbreviated):
...
 -F SourcesFlush the source tracking table.

The problem appears to be not so much with dynamic tables, but with the
way src-nodes are expired (but not flushed).

best /markus

Re: Does pf's Sources table ever get cleared?

[Markus Wernig]

There does seem to be a timer that is set to expire, but it does not
seem to work:

# pfctl -s Sources -vv
...
a.b.c.d ( states 0, connections 0, rate 0.0/0s )
   age 11:41:50, expires in 00:00:00, 33 pkts, 11524 bytes, rule 582
e.f.g.h ( states 0, connections 0, rate 0.0/0s )
   age 12:24:25, expires in 00:00:00, 320 pkts, 110512 bytes, rule 582
i.j.k.l ( states 0, connections 0, rate 0.0/0s )
   age 10:03:11, expires in 00:00:00, 2 pkts, 80 bytes, rule 591
m.n.o.p ( states 0, connections 0, rate 0.0/0s )
   age 10:55:49, expires in 00:00:00, 2 pkts, 80 bytes, rule 591

Could this be a bug?

best markus


On 01.08.2017 17:34, Markus Wernig wrote:
> Hi all
> 
> I have a pair of OBSD 6.1 firewalls, on which some rules require source
> tracking, i.e. have a max-src-conn or similar statement as in:
> 
> pass  log  quick on { em0 vlan1 } inet proto tcp  from any  to
>  port { 80, 443 } modulate state ( max-src-conn 50,
> max-src-conn-rate 25/5, overload  flush global )
> 
> This works perfectly, any hosts that surpass that limit get blocked.
> 
> But on the other hand, the Sources table (as seen with pfctl -s Sources)
> keeps growing. With every allowed connection, there are two new entries.
> And it seems that the Sources table expands in one direction only. I.e.
> even long after the relative connection has been flushed from the state
> table, there are still the entries in the Sources table.
> 
> No matter what happens, the Sources keep expanding until the src-nodes
> hard limit is reached. At which point only a reboot will help.
> 
> I've tried to flush them with pfctl -F Sources, but without success:
> 
> wall0101 # pfctl -s Sources | wc -l
>  512
> wall0101 # pfctl -F Sources
> source tracking entries cleared
> wall0101 # pfctl -s Sources | wc -l
>  514
> 
> Is there any reason (presumably in my ruleset, but didn't find it) that
> would keep entries in the Sources table from being cleared?
> Shouldn't the tracking entries be removed when the corresponding states
> are flushed and shouldn't pfctl -F Sources clear the Sources table?
> 
> Thx /markus
> 

Does pf's Sources table ever get cleared?

[Markus Wernig]

Hi all

I have a pair of OBSD 6.1 firewalls, on which some rules require source
tracking, i.e. have a max-src-conn or similar statement as in:

pass  log  quick on { em0 vlan1 } inet proto tcp  from any  to
 port { 80, 443 } modulate state ( max-src-conn 50,
max-src-conn-rate 25/5, overload  flush global )

This works perfectly, any hosts that surpass that limit get blocked.

But on the other hand, the Sources table (as seen with pfctl -s Sources)
keeps growing. With every allowed connection, there are two new entries.
And it seems that the Sources table expands in one direction only. I.e.
even long after the relative connection has been flushed from the state
table, there are still the entries in the Sources table.

No matter what happens, the Sources keep expanding until the src-nodes
hard limit is reached. At which point only a reboot will help.

I've tried to flush them with pfctl -F Sources, but without success:

wall0101 # pfctl -s Sources | wc -l
 512
wall0101 # pfctl -F Sources
source tracking entries cleared
wall0101 # pfctl -s Sources | wc -l
 514

Is there any reason (presumably in my ruleset, but didn't find it) that
would keep entries in the Sources table from being cleared?
Shouldn't the tracking entries be removed when the corresponding states
are flushed and shouldn't pfctl -F Sources clear the Sources table?

Thx /markus

Re: pf changes port on udp nat-to and rdr-to reply packets (RTP stream)

[Markus Wernig]

On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
>> Short question:
>> How do I prevent pf from changing the source port of outgoing natted udp
>> packets?
>  
> Did you look at static-port in pf.conf(5)?

Argh! I had overlooked that. Shame. Works now.

Thanks!

/m

pf changes port on udp nat-to and rdr-to reply packets (RTP stream)

[Markus Wernig]

Hi all

I have a strange behaviour in pf on 5.9-stable:

A system (asterisk) behind the gateway is receiving and replying to udp
streams (RTP). The connection parameters (src/dst ip/port) are set up
before (STUN and SIP), so both systems "know" where to send to.

The gateway does NAT (rdr-to in, nat-to out) for the system. But while
incoming packets are forwarded with source and destination port
unchanged, the source port on the outgoing packets is changed (to
something in the >5 range). This breaks the connection, as the
external system (resp. the firewall it is behind) expects the packets to
have the original dst port as src port.

The same happens when the system starts a udp stream on its own - the
source port gets rewritten. Also the UDP checksum appears to be wrong
after the NAT.


Short question:
How do I prevent pf from changing the source port of outgoing natted udp
packets?


Long question:

tcpdump:

$int_if:
18:40:21.392468 $int_server_ip.10442 > $external_system.5012: [udp sum
ok] udp 32 (DF) (ttl 64, id 64912, len 60)
18:40:21.396091 $external_system.5012 > $int_server_ip.10442: [bad udp
cksum a9e7! -> 316d] udp 32 (ttl 115, id 9052, len 60)
18:40:21.413332 $int_server_ip.10442 > $external_system.5012: [udp sum
ok] udp 32 (DF) (ttl 64, id 64916, len 60)
18:40:21.415143 $external_system.5012 > $int_server_ip.10442: [bad udp
cksum a9e7! -> 7036] udp 32 (ttl 115, id 9053, len 60)
...

$ext_if:
18:40:21.392510 $sext_server_ip.51049 > $external_system.5012: [bad udp
cksum 528b! -> e3da] udp 32 (ttl 63, id 16487, len 60)
18:40:21.395975 $external_system.5012 > $sext_server_ip.10442: [udp sum
ok] udp 32 (ttl 116, id 9052, len 60) <--This is a "new" incoming stream

18:40:21.413377 $sext_server_ip.51049 > $external_system.5012: [bad udp
cksum 528b! -> 53d8] udp 32 (ttl 63, id 30449, len 60)
18:40:21.415089 $external_system.5012 > $sext_server_ip.10442: [udp sum
ok] udp 32 (ttl 116, id 9053, len 60)
...

The problem seems to be that the internal system tells the external one
about the source port (10442) it should connect to (via SIP), and as
last step sends a packet from that port (plus in-protocol info, I
assume). But pf changes that source port on that outgoing packet (to
51049), and keeps doing so for all following packets, while the external
system sticks to the protocol and sends its traffic to 10442.

So it looks like pf can't distinguish between what it sees as "follow
up" packets to the first outgoing packet (18:40:21.392468) and the reply
packets to the "incoming" stream.

The connection breaks because the firewall the $external_system is
behind expects replies to the packets send to 10442 to come back from
that port.

All of this wouldn't happen if the source port hadn't been changed to 51049.

So: is there any way of preventing this behaviour? I didn't find
anything in pf.conf(5) or elsewhere ...

Thx for any insight, folks

/markus

PS:
These are the rules in question:

match in from any to $ext_server_ip rdr-to $int_server_ip

match out from $int_server_ip to any nat-to $ext_server_ip

pass  log  quick on { $ext_if, $int_if } inet proto udp  from any  to
$int_server_ip port {  >< 11001 }  label "RTP IN -- ACCEPT "

pass  log  quick on { $ext_if, $int_if } inet proto udp  from
$int_server_ip  to any port { >= 1024 }  label "UDP HIGH OUT -- ACCEPT "

ntpd not setting time under kvm-qemu

[Markus Wernig]

Hi all

I have 5.5 i386 running under kvm-qemu, using ntpd to sync time.

But the system keeps constantly loosing time, at a rate of about two
seconds per minute (which of course makes it unusable).

When starting ntpd with the "-s" flag, it successfully sets the system
time and initializes /var/db/ntp.drift. But after that it does no longer
set the system time, even if it says so in syslog:

Sep 21 13:12:37 secure ntpd[26259]: adjusting local clock by 53.514878s
Sep 21 13:14:47 secure ntpd[26259]: adjusting local clock by 52.869489s
Sep 21 13:16:27 secure ntpd[26259]: adjusting local clock by  54.363131s

The offest is correct, by the time it writes that message, the system
clock is really that much off the real ntp time. Only that the local
clock never does get adjusted. The clock frequency is also never
adjusted, and ntp.drift remains untouched.

In order to run the system at all under qemu I had to disable mpbios in
the kernel. Could this have caused that effect?

Or is anyone aware of this being a problem under kvm-qemu and i386 (no
such problems with 5.5 or -current amd64)?

Thanks /markus

Re: how to debug iked failures?

[Markus Wernig]

Hi all

To finish off this ancient thread, I've written up what it took to get
StrongSwan to play nicely with iked and to build a GRE tunnel over the
IPSec link:

http://markus.wernig.net/en/it/ip6tunnel.phtml

Any feedback is of course very welcome.

krgds /markus

On 08/13/2014 06:05 AM, Markus Wernig wrote:
> Finally found a rather awkward workaround:
> 
> 1) On the VPN GW, set an ip alias from a different subnet
> (192.168.100.1/24) on the primary interface
> 2) Set up iked.conf with
>   ikev2 ...
>   from 0.0.0.0/0 to 192.168.100.0/24
>   config address 192.168.100.0/24
>   config address 192.168.100.2
>   (yes, both ...)
> 3) On the client, configure tunnel mode instead of transport mode,
> configure remote subnet to be 192.168.100.0/24, but still request ip
> configuration from IKEv2.

Re: how to debug iked failures?

[Markus Wernig]

Finally found a rather awkward workaround:

1) On the VPN GW, set an ip alias from a different subnet
(192.168.100.1/24) on the primary interface
2) Set up iked.conf with
ikev2 ...
from 0.0.0.0/0 to 192.168.100.0/24
config address 192.168.100.0/24
config address 192.168.100.2
(yes, both ...)
3) On the client, configure tunnel mode instead of transport mode,
configure remote subnet to be 192.168.100.0/24, but still request ip
configuration from IKEv2.

When this comes up, the client gets two IP addresses (192.168.100.2 and
a random one from the same subnet, but strongswan fails if it is sent
the static one alone ...)

So now I can connect from the client (from its 192.168.100.2 address) to
the VPN GW (on its 192.168.100.1 alias) - which is what this was all
about (hence the transport mode).

As a by-note: It seems that iked, after authenticating the peer, always
sends the "to" address from iked.conf as TSi and the "from" address as
TSr in the IKE_AUTH response. In my understanding, this should be the
other way round.

Thanks for bearing with me :-)

krgds /markus

Re: how to debug iked failures?

[Markus Wernig]

On 08/12/2014 07:19 PM, Reyk Floeter wrote:

> Another reason for AF 0 could be the use of the keyword "any" in your
> iked.conf.  I thought we fixed that before to inherit the AF from the
> peer, but try to use "0.0.0.0/0" instead of "any" for IPv4 and
> something like "::/0" for IPv6.
> 
> Reyk
> 

Yes, that was indeed the cause. Replacing every occurance of "any" with
0.0.0.0/0 finally allowed the flow to be set up! Thank you very much !!!

But still, no joy ... :-[

iked now authenticates the ufqdn and sends it its assigned ip address.
Then it sends TSi and TSr, but chooses its own internal address as TSi:

Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_cp: type REPLY length 8
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS
0x0001 length 4
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
SA nextpayload TSi critical 0x00 length 44
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_sa: more 0 reserved 0
length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x18f70837
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 3 reserved 0
length 12 type ENCR id AES_CBC
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_attr: attribute type
KEY_LENGTH length 128 total 4
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 3 reserved 0
length 8 type INTEGR id HMAC_SHA1_96
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 0 reserved 0
length 8 type ESN id NONE
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
TSi nextpayload TSr critical 0x00 length 24
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: count 1 length 16
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: start 192.168.10.Aug 12
20:40:52 tunnel iked[6305]: ikev2_pld_cp: type REPLY length 8
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS
0x0001 length 4
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
SA nextpayload TSi critical 0x00 length 44
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_sa: more 0 reserved 0
length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x18f70837
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 3 reserved 0
length 12 type ENCR id AES_CBC
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_attr: attribute type
KEY_LENGTH length 128 total 4
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 3 reserved 0
length 8 type INTEGR id HMAC_SHA1_96
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_xform: more 0 reserved 0
length 8 type ESN id NONE
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
TSi nextpayload TSr critical 0x00 length 24
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: count 1 length 16
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: start 10.x.y.z end 10.x.y.z
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
TSr nextpayload NONE critical 0x00 length 24
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: count 1 length 16
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: start 0.0.0.0 end
255.255.255.255
Aug 12 20:40:52 tunnel iked[6305]: ikev2_msg_send: IKE_AUTH response
from 192.168.10.30:4500 to 80.219.68.219:4500 msgid 1, 1980 bytes, NAT-T
30 end 192.168.10.30
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_payloads: decrypted payload
TSr nextpayload NONE critical 0x00 length 24
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: count 1 length 16
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 20:40:52 tunnel iked[6305]: ikev2_pld_ts: start 0.0.0.0 end
255.255.255.255
Aug 12 20:40:52 tunnel iked[6305]: ikev2_msg_send: IKE_AUTH response
from 10.x.y.z:4500 to A.B.C.D:4500 msgid 1, 1980 bytes, NAT-T

Again, is not the TSi the client's address? Why would iked send its own
private address?

Is the problem that I am trying to assign addresses from the same
internal network that the VPN GW is in?

The strongswan logs seem to match this:

Aug 12 20:40:52 slimtoo charon: 10[IKE] IKE_SA xfertunnel[1] state
change: CONNECTING => ESTABLISHED
Aug 12 20:40:52 slimtoo charon: 10[IKE] scheduling reauthentication in
86110s
Aug 12 20:40:52 slimtoo charon: 10[IKE] maximum IKE_SA lifetime 86290s
Aug 12 20:40:52 slimtoo charon: 10[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Aug 12 20:40:52 slimtoo charon: 10[KNL] 192.168.1.x is on interface wlan0
Aug 12 20:40:52 slimtoo charon: 10[IKE] installing new virtual IP 10.a.b.c
Aug 12 20:40:52 slimtoo charon: 10[KNL] virtual IP 10.a.b.c installed on
wlan0
Aug 12 20:40:52 slimtoo charon: 10[CFG] selecting proposal:
Aug 12 20:40:52 slimtoo charon: 10[CFG]   proposal matches
Aug 12 20:40:52 slimtoo charon: 10[CFG] recei

Re: how to debug iked failures?

[Markus Wernig]

On 08/12/2014 05:39 PM, Markus Wernig wrote:

> But really, I think this is the problem:
> Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
> SA spi 0xcb320247
> Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
> Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: failed to load
> flow
> Aug 12 16:56:18 tunnel iked[22215]: ikev2_dispatch_cert: failed to send
> ike auth
> 
> It seems that the flow that comes from &sa->sa_flows in
> ikev2.c::ikev2_childsa_enable does not have its AF set. How could this
> happen?
> 

Could this be the reason?

Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_payloads: decrypted payload
TSi nextpayload TSr critical 0x00 length 24
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: count 1 length 16
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: start 10.x.y.z end 10.x.y.z
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_payloads: decrypted payload
TSr nextpayload NONE critical 0x00 length 8
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: count 1 length 0
Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: type 
protoid 0 length 0 startport 0 endport 65535


Should not the TSi contain the IP of the Client? In the log above it
appears that it contains the IP of the VPN GW. And then TSr is of an
unknown type? Is strongswan sending something wrong here?

thx /markus

Re: how to debug iked failures?

[Markus Wernig]

On 08/12/2014 12:33 PM, Markus Wernig wrote:

> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> spirange: min 0x0100 max 0x
> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
> sa: spi 0xfe52d794 auth none enc none
> state mature replay 0 flags 0<>
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
> sa: spi 0xfe52d794 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> key_auth: bits 160: ...
> key_encrypt: bits 128: ...
> identity_src: type ufqdn id 0: UFQDN/j...@doe.com
> identity_dst: type fqdn id 0: FQDN/vpn.doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/j...@doe.com
> sadb_update: satype esp vers 2 len 34 seq 20 pid 25389
> sa: spi 0xfe52d794 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> identity_src: type ufqdn id 0: UFQDN/j...@doe.com
> identity_dst: type fqdn id 0: FQDN/vpn.doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/j...@doe.com
> sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
> sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
> address_src: 10.x.y.z
> address_dst: A.B.C.D
> key_auth: bits 160: ...
> key_encrypt: bits 128: ...
> identity_src: type fqdn id 0: FQDN/vpn.doe.com
> identity_dst: type ufqdn id 0: UFQDN/j...@doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/j...@doe.com
> sadb_add: satype esp vers 2 len 34 seq 21 pid 25389
> sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
> address_src: 10.x.y.z
> address_dst: A.B.C.D
> identity_src: type fqdn id 0: FQDN/vpn.doe.com
> identity_dst: type ufqdn id 0: UFQDN/j...@doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/j...@doe.com


But really, I think this is the problem:
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
SA spi 0xcb320247
Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: failed to load
flow
Aug 12 16:56:18 tunnel iked[22215]: ikev2_dispatch_cert: failed to send
ike auth

It seems that the flow that comes from &sa->sa_flows in
ikev2.c::ikev2_childsa_enable does not have its AF set. How could this
happen?

Re: how to debug iked failures?

[Markus Wernig]

On 08/12/2014 11:58 AM, Reyk Floeter wrote:

> Operation not supported is from the kernel returning "EOPNOTSUPP".
> 
> If any of the following sysctls are turned off and it is requested via
> the PFKEYv2 socket, the kernel will return EOPNOTSUPP:
> 
> net.inet.esp.enable=1
> net.inet.ah.enable=1
> net.inet.ipcomp.enable=0
> 
All three are set to 1.
But strangely, now the "Operation not supported" message does not occur
anymore.

> You can also monitor the pfkey messages with "ipsectl -m" [add one or
> more -v for packet dumps] to see what message returns EOPNOTSUPP.

Here's the output - I don't see any obvious errors ...

sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
address_src: A.B.C.D
address_dst: 10.x.y.z
spirange: min 0x0100 max 0x
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
sa: spi 0xfe52d794 auth none enc none
state mature replay 0 flags 0<>
address_src: A.B.C.D
address_dst: 10.x.y.z
sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
sa: spi 0xfe52d794 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
address_src: A.B.C.D
address_dst: 10.x.y.z
key_auth: bits 160: ...
key_encrypt: bits 128: ...
identity_src: type ufqdn id 0: UFQDN/j...@doe.com
identity_dst: type fqdn id 0: FQDN/vpn.doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/j...@doe.com
sadb_update: satype esp vers 2 len 34 seq 20 pid 25389
sa: spi 0xfe52d794 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
address_src: A.B.C.D
address_dst: 10.x.y.z
identity_src: type ufqdn id 0: UFQDN/j...@doe.com
identity_dst: type fqdn id 0: FQDN/vpn.doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/j...@doe.com
sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
address_src: 10.x.y.z
address_dst: A.B.C.D
key_auth: bits 160: ...
key_encrypt: bits 128: ...
identity_src: type fqdn id 0: FQDN/vpn.doe.com
identity_dst: type ufqdn id 0: UFQDN/j...@doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/j...@doe.com
sadb_add: satype esp vers 2 len 34 seq 21 pid 25389
sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
address_src: 10.x.y.z
address_dst: A.B.C.D
identity_src: type fqdn id 0: FQDN/vpn.doe.com
identity_dst: type ufqdn id 0: UFQDN/j...@doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/j...@doe.com


I was wondering wether client sending EAP options would have anything to
do with it:

>> sending end entity cert 
>> establishing CHILD_SA xfertunnel
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
>> AUTH CPRQ(ADDR DNS DNS) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP)
>> N(NO_ADD_ADDR) N(EAP_ONLY) ]

Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type MOBIKE_SUPPORTED
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type NO_ADDITIONAL_ADDRESSES
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NONE critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type EAP_ONLY_AUTHENTICATION

thx /markus

Re: how to debug iked failures?

[Markus Wernig]

On 08/10/2014 03:09 PM, Reyk Floeter wrote:

> Just try to increase the number of "v"s to get more info, for example,
> iked -dvv or iked -dvvv to get packet dumps.

Thanks for the hint. That brought some progress.
I've now switched back to -current and changed the client setup (I had
been using the NetworkManager backend of the charon keying daemon, which
caused the crashes, also on -current).

Now iked does not crash anymore - I will still do the recompiling and
backtracing, as this clearly should not happen. But I think it would
make sense to first get a working setup.

That said, the connection does still not succeed.
After SA_INIT and IKE_AUTH everything seems fine, certificate gets
authenticated, but then iked says it can't send the ike_auth packet back.

Aug 12 11:02:47 tunnel iked[26844]: sa_stateok: VALID flags 0x1f,
require 0x1f cert,certvalid,auth,authvalid,sa
ug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 22
nextpayload CERT
Aug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 1520
nextpayload AUTH
Aug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 264
nextpayload CP
Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_getspi: message: Operation
not supported
...
Strange ... what is not supported?
...
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_payloads: decrypted
payload TSi nextpayload TSr critical 0x00 length 24
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: count 1 length 16
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: type IPV4_ADDR_RANGE
protoid 0 length 16 startport 0 endport 65535
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: start 10.x.y.z end
10.x.y.z
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_payloads: decrypted
payload TSr nextpayload NONE critical 0x00 length 8
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: count 1 length 0
Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: type 
protoid 0 length 0 startport 0 endport 65535
Aug 12 11:02:47 tunnel iked[26844]: ikev2_msg_send: IKE_AUTH response
from 10.x.y.z:4500 to A.B.C.D:4500 msgid 1, 1996 bytes, NAT-T
Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_add: update spi 0xf82bfb58
Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa: udpencap port 4500
Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: loaded CHILD
SA spi 0xf82bfb58
Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_add: add spi 0xcdac6edf
Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa: udpencap port 4500
Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: loaded CHILD
SA spi 0xcdac6edf
Aug 12 11:02:47 tunnel iked[26844]: pfkey_flow: unsupported address family 0
Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: failed to load
flow
Aug 12 11:02:47 tunnel iked[26844]: ikev2_dispatch_cert: failed to send
ike auth

Does anybody see what's going wrong here?

It does then send out a packet, but on the client side this triggers an
error:

initiating IKE_SA xfertunnel[1] to E.F.G.H
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.x[500] to E.F.G.H[500] (1204 bytes)
received packet: from E.F.G.H[500] to 192.168.1.x[500] (457 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for 
sending cert request for 
authentication of 'j...@doe.com' (myself) with RSA signature successful
sending end entity cert 
establishing CHILD_SA xfertunnel
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH CPRQ(ADDR DNS DNS) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.1.x[4500] to E.F.G.H[4500] (2236 bytes)
received packet: from E.F.G.H[4500] to 192.168.1.x[4500] (1996 bytes)
TS_RESPONDER verification failed
could not decrypt payloads
message verification failed
IKE_AUTH response with message ID 1 processing failed


Any more ideas?

Thx /markus

how to debug iked failures?

[Markus Wernig]

Hi all

I am trying to set up a ipsec tunnel with iked in a double NAT scenario:

Client --> NAT GW 1 --> Inet --> NAT GW 2 --> VPN GW

Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com
NAT GW 1 does hide NAT to A.B.C.D
NAT GW 2 does static NAT for public GW IP, forwards to VPN GW

The client runs Strongswan on Linux.
VPN GW is running 5.5 GENERIC#271 on amd64.

I'm trying to set up RSA authentication with X.509 certificates, so I've
configured Strongswan to use Key and Cert with
subjectAltname=email:j...@doe.com, and to ask for IP address. Copied the
client cert and the issuing CA cert to /etc/iked/certs on the VPN GW.
PF is disabled. Configured iked on the VPN GW in iked.conf:

ikev2 johndoevpn \
quick esp inet \
from any to 10.x.y.z \
peer any local any \
srcid vpn.doe.com dstid j...@doe.com \
config address 10.x.y.A \
config netmask 255.255.255.0 \
config name-server 10.x.y.B \ (valid IP of DNS at VPN site)
tag johndoevpn

VPNGW# sysctl -a | grep esp
net.inet.esp.enable=1
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500

But the client is unable to connect to the VPN GW, and I just can't find
out what's going wrong. Unfortunately there are two ways it is failing:

1) Client sends IKEv2 msg IKE_SA_INIT on Port 500, VPN GW replies with
IKE_SA_INIT and CertReq, then client sends IKE_AUTH. But to this packet
the VPN GW never replies, and the client resends until it times out. I
see in the client log that it is selecting and sending the j...@doe.com
certificate. In the VPN GW logs I get:

Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from
10.x.y.z:500 to A.B.C.D:34276, 457 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes

2) Client sends IKEv2 msg IKE_SA_INIT on Port 500, and iked terminates
immediately. If this happens, only a reboot will ever again get it to at
least answer the SA_INIT. If iked is simply restarted, it will only
crash again when the next packet arrives.

Aug  9 14:31:56 tunnel iked[32658]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:36858 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 14:31:56 tunnel iked[4493]: lost child: ikev2 terminated; signal 11
Aug  9 14:31:56 tunnel iked[27717]: ikev1 exiting
Aug  9 14:31:56 tunnel iked[20802]: ca exiting
Aug  9 14:31:56 tunnel iked[4493]: parent terminating

In both cases, there are no other logs anywhere on the VPN GW. I've
started iked with "-DA=99 -v" and sent an "ikectl log verbose", but no
change. ikectl monitor shows nothing.

So I was wondering if anybody saw what I am doing wrong - probably I
got the config wrong. Especially I'm not quite sure if the files
containing the certs need to have special names.
If not: How does one debug iked? Why is it not answering, and, above
all, why is it crashing? Are there really no logs?

I've also tried the following, with identical results:

- 5.6 current-amd64 from Aug 8
- create a new RSA keypair and X.509 cert for VPN GW (extracted pubkey
from cert to /etc/iked/local.pub, privkey to
/etc/iked/private/local.key, and copied the cert (with
subjectAltname=DNS:vpn.doe.com) to /etc/iked/certs)

Would be very glad if anyone could share a pointer ...

Thx /markus

Re: Very slow I/O under OpenBSD i386 on qemu-kvm from RHEL7rc

[Markus Wernig]

On 06/17/2014 11:10 AM, Brad Smith wrote:

>>> boot -c
>>> disable mpbios

> Because ACPI is in use which takes higher precedence over MP BIOS. You
> have to disable acpimadt.


THANKS GUYS!!

This just "resolved" a blocker that had for 2 years prevented me from
upgrading my OpenBSD kvm guests to anything beyond 5.1!

/m

Re: Oddity with httpd/mod_ssl: missing HTTPS environment variable on non _default_ vhosts

[Markus Wernig]

Not sure about the ported httpd, but usually you have to enable the 
generation of those environment vars with


SSLOptions +StdEnvVars

as they are off by default.

krgds /m


On Tue, 18 Feb 2014, Olivier Mehani wrote:


(Almost) everything works fine, and I do indeed manage to 
successfully
access all sites over HTTPS as expected. However, the HTTPS 
environment
variable, which should be set to 'on' for HTTPS sessions, is missing 
for

all but the first VHost.

ipsec with smartcard?

[Markus Wernig]

Hi all

I need to build an OpenBSD IPsec gateway that uses keys/certificates
from a hardware device (external smartcard, presumably via pkcs#11) for
authenticating itself to other gateways when establishing a connection
with them (active).

In the ipsec/isakmpd man pages I found no references to pksc11 or smart
cards - is there a way to do this at all? If so, what would be the right
place to look for the documentation?

Thx /markus

Re: vpn isakmpd ipsec, one side with only one interface

[Markus Wernig]

Hi

I'm not sure if this will work, but you could try creating a loopback
interface (lo2) on FWC with the IP address that the FTP server should be
reachable on and then set up a regular VPN between FWA and FWC just for
that one IP address:
ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...

Then tell the FTP server to listen on the IP of the lo2 interface
(172.17.2.21?)


/m

On 02/13/12 14:43, Wesley M. wrote:
> o;?Hi, 
> 
> I was using ipsec vpn between 2 OpenBSD Gateway. It worked very
> well.
> 
> Here : 
> 
> ---rl0---[fwA]---rl1(internet)-sis1---[fwB
> with ftpd]---sis0--- 
> 
> Now we remove ftp services from fwB and put it on an
> other machine fwC with an internet connection (only one network card). is
> it possible to keep a vpn online from fwA and fwC, and so computersA can
> reach again ftp using vpn (provided by fwC). Perhaps i need to use vether
> on fwC so briged pf ?
> 
> Here the old ipsec.conf from fwB:
> ike esp from
> 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA 
>  main auth hmac-sha1 enc
> aes-256 group modp1024 
>  quick auth hmac-sha1 enc aes-256 group modp1024 
> 
> psk "demopassword"
> 
> My idea on fwC : 
> 
> add verther0 with : "inet
> 172.17.2.21 255.255.255.0" 

Re: CARP strangeness after 5.0 upgrade

[Markus Wernig]

On 01/25/12 18:23, Matt Hamilton wrote:
> 
> pass in quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
> queue carp_out
> pass in quick on $int_if proto carp from $fw_int_ips to 224.0.0.18
> queue carp_in
> pass out quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
> queue carp_out
> pass out quick on $int_if proto carp from $fw_ext_ips to 224.0.0.18
> queue carp_in

And $fw_ext_ips/$fw_int_ips do really contain the ip addresses of BOTH
boxes?

> 
> I don't understand why the master is the one with the highest
> advskew. This is the same on the inside carp interface too.

You said you saw carp advertisments on the net. Who is sending those?

Can you set sysctl net.inet.carp.log=7 and see if any carp-related
errors appear in the syslog?

/m

Solved: /bsd: carpN: ip_output failed: 65

[Markus Wernig]

Hi all

Disbling ipv6 on the ifs didn't help.

It turned out pf was blocking the outgoing carp advertisements on 2 out
of 4 interfaces without logging.
Adding "keep state (no-sync)" to the carp rules, activating them, and
then flushing states on both firewalls finally brought the cluster back
to normal.

Thanks to cd for the help.

lg /markus

On 01/15/12 16:18, Markus Wernig wrote:
> Hi all
> 
> After upgrading to 5.0 (and also on -current) I keep getting those
> errors for 2 out of 4 carp'd interfaces in a fw cluster pair:
> 
> /bsd: carp2: ip_output failed: 65
> /bsd: carp3: ip_output failed: 65
> 
> And effectively, no CARP traffic is seen on those two interfaces,
> neither in nor out. Both boxes assume master status on the if.
> 
> I got a gut feeling that this has something to do with ipv6, which I do
> not use at all on the boxes. My pf ruleset is actually ipv4 only. I do
> see ipv6 addresses on the phyif and carpif though (which I have not
> configured).
> 
> Could it be that I need to add something to my ruleset?
> 
> Any way to totally disable ipv6 for a test?
> 
> krgds /markus

/bsd: carpN: ip_output failed: 65

[Markus Wernig]

Hi all

After upgrading to 5.0 (and also on -current) I keep getting those
errors for 2 out of 4 carp'd interfaces in a fw cluster pair:

/bsd: carp2: ip_output failed: 65
/bsd: carp3: ip_output failed: 65

And effectively, no CARP traffic is seen on those two interfaces,
neither in nor out. Both boxes assume master status on the if.

I got a gut feeling that this has something to do with ipv6, which I do
not use at all on the boxes. My pf ruleset is actually ipv4 only. I do
see ipv6 addresses on the phyif and carpif though (which I have not
configured).

Could it be that I need to add something to my ruleset?

Any way to totally disable ipv6 for a test?

krgds /markus

Re: CARP strangeness after 5.0 upgrade

[Markus Wernig]

On 01/12/12 00:05, Markus Wernig wrote:

> If I set net.inet.carp.log=7, I get lots of the following on both fws,
> only for carp1 and carp2, never for carp0 and carp3:
> carp2: ip_output failed: 65
> carp1: ip_output failed: 65
> carp2: ip_output failed: 65
> carp1: ip_output failed: 65
> carp2: ip_output failed: 65
> carp1: ip_output failed: 65

Hi all

After another round of reboots (no config changed) this has now shifted
to carp2 and carp3:
Jan 12 08:33:17 fw1 /bsd: carp2: ip_output failed: 65
Jan 12 08:33:17 fw1 /bsd: carp3: ip_output failed: 65
Jan 12 08:33:18 fw1 /bsd: carp2: ip_output failed: 65
Jan 12 08:33:18 fw1 /bsd: carp3: ip_output failed: 65

And consequently tcpdump shows outgoing carp traffic on em0 and em1 only.

Does anybody have an idea where to search further?

krgds /markus

CARP strangeness after 5.0 upgrade

[Markus Wernig]

Hello all

I have recently upgraded a pair of CARPed firewalls from 4.6 to 5.0
(late, I know ...) after almost 2 years of absolutely flawless operation
(ipv4 interfaces only).

I have changed all the nat/rdr rules in pf.conf to the new syntax, not
changed any other fw/nw setting (at least to my knowledge - I used
sysmerge in the process, carefully, and haven't noticed any fw/nw
related changes in any file. The boxes are rather straight forwardly
configured "plain" firewalls and very close to the default settings).

They have 4 interfaces each, the external (egress, carp0 on em0) one
being connected to the provider's switches (professional gear, Cisco or
the like), the dmz (internal, carp1-3 on em1-3) ones being connected to
a pair of levelone gsw-1641 ("web smart switch", the cheap stuff).

The two fw (fw1=master, and fw2=backup) and switches have been rebooted
multiple times by now.

The problem now is that the CARP master selection leads to weird
results. After rebooting both, I get the following picture:

fw1 (master, advbase 1 advskew 1):
carp0: BACKUP
carp1: MASTER
carp2: MASTER
carp3: BACKUP

ifconfig -g carp
carp: carp demote count 3

fw2 (backup, advbase 1 advskew 10)
carp0: MASTER
carp1: MASTER
carp2: MASTER
carp3: MASTER

ifconfig -g carp
carp: carp demote count 2

I get the following in dmesg on fw1:
carp: carp0 demoted group carp by 1 to 129 (carpdev)
carp: carp1 demoted group carp by 1 to 130 (carpdev)
carp: carp2 demoted group carp by 1 to 131 (carpdev)
carp: carp3 demoted group carp by 1 to 132 (carpdev)
carp: carp2 demoted group carp by -1 to 131 (carpdev)
carp: carp2 demoted group xfer by -1 to 0 (carpdev)
carp: carp0 demoted group carp by -1 to 130 (carpdev)
carp: pfsync0 demoted group carp by 1 to 131 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
carp: carp3 demoted group carp by -1 to 130 (carpdev)
carp: carp3 demoted group mgmt by -1 to 0 (carpdev)
carp: carp1 demoted group carp by -1 to 129 (carpdev)
carp: carp1 demoted group coca by -1 to 0 (carpdev)
carp2: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp: pfsync0 demoted group carp by -1 to 128 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk done)
carp: carp2 demoted group carp by 1 to 129 (> snderrors)
carp: carp1 demoted group carp by 1 to 130 (> snderrors)
carp: carp1 demoted group coca by 1 to 1 (> snderrors)
carp: carp2 demoted group xfer by 1 to 1 (> snderrors)
carp0: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp: carp3 demoted group carp by 1 to 3 (> snderrors)
carp: carp3 demoted group mgmt by 1 to 1 (> snderrors)
carp0: state transition: MASTER -> BACKUP
nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:01c8
carp3: state transition: MASTER -> BACKUP


dmesg on fw2 gives this:
carp: carp0 demoted group carp by 1 to 129 (carpdev)
carp: carp1 demoted group carp by 1 to 130 (carpdev)
carp: carp2 demoted group carp by 1 to 131 (carpdev)
carp: carp3 demoted group carp by 1 to 132 (carpdev)
carp: pfsync0 demoted group carp by 1 to 133 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
carp: carp2 demoted group carp by -1 to 132 (carpdev)
carp: carp2 demoted group xfer by -1 to 0 (carpdev)
carp: carp1 demoted group carp by -1 to 131 (carpdev)
carp: carp1 demoted group coca by -1 to 0 (carpdev)
carp: carp0 demoted group carp by -1 to 130 (carpdev)
carp: carp3 demoted group carp by -1 to 129 (carpdev)
carp: carp3 demoted group mgmt by -1 to 0 (carpdev)
carp: pfsync0 demoted group carp by -1 to 128 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk done)
carp2: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp: carp2 demoted group carp by 1 to 129 (> snderrors)
carp: carp1 demoted group carp by 1 to 130 (> snderrors)
carp: carp1 demoted group coca by 1 to 1 (> snderrors)
carp: carp2 demoted group xfer by 1 to 1 (> snderrors)
carp0: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp: carp3 demoted group carp by 1 to 3 (> snderrors)
carp: carp3 demoted group mgmt by 1 to 1 (> snderrors)
carp0: state transition: MASTER -> BACKUP
nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:01c8
arp info overwritten for 10.10.10.100 by 00:1e:68:9a:e4:4f on em2
nd6_na_input: duplicate IP6 address fe80:0009::0200:5eff:fe00:01c9
carp3: state transition: MASTER -> BACKUP
nd6_na_input: duplicate IP6 address fe80:000b::0200:5eff:fe00:01ff
nd6_na_input: duplicate IP6 address fe80:000a::0200:5eff:fe00:01d2
carp0: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp: carp3 demoted group carp by -1 to 2 (< snderrors)
carp: carp3 demoted group mgmt by -1 to 0 (< snderrors)
nd6_na_input: duplicate IP6 address fe80:000a::0200:5eff:fe00:01d2
nd6_na_input: duplicate IP6 address fe80:0009::0200:5eff:fe00:01c9
carp0: state transition: MASTER -> BACKUP
nd6_na

Re: sasyncd syncs only newly created sad's

[Markus Wernig]

Hi Mihajlo

Yes, this feature (re-sychronization after master failure) has been
missing from the day sasyncd came out
(http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When
I gave that speech in Switzerland (the one you found the PDF of), I was
confident that it would be implemented within a couple of months or so
... the whole thing being a sponsored development, I figured that the
sponsor would want this program to be usable. But, alas, it wasn't.
Pity, really. With a little more time at my hands and a little more wit
in my brains I would love to pick this up. It would be SUCH a killer
application. Hakan Olsson, the original developper, did once say he
would look into it, butI haven't heard of him since.

krgds & sorrynohelphere

/markus

Mihajlo Manojlov wrote:
> Hi again,
> 
> there is no feedback.. could someone who runs sasyncd check this for me?
> Please, just restart sasyncd on slave(or master), and see if it syncs the
> SAD's?
> 
> This behaviour renders my redundant routers - non redundant. If I reboot
> master, when it comes back and become master again, all VPN tunnels are down
> because no SAD's are synced.
> 
> Thank you very much.
> 
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Mihajlo Manojlov
> Sent: Wednesday, January 06, 2010 11:10 PM
> To: misc@openbsd.org
> Subject: sasyncd syncs only newly created sad's
> 
> Hi to all,
> 
> I have two carped boxes and I want to use sasyncd for vpn redundancy, but
> only
> newly created sad's get synced. For example, I reboot the slave box, and when
> it comes up again, sasyncd only sets flows, not the sad's. Maybe this is
> normal behaviour?
> 
> log from master:
> Jan  6 21:59:23 openbsd1 sasyncd[25895]: net: peer "10.23.6.2" connected
> Jan  6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer "10.23.6.2" state
> change to SLAVE
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016
> bytes SADB, 1392 bytes SPD
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to
> peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SADB data
> 020a00023f000200010088f180d710010303040004000200
> 15f7444b04000400
> 380404000300
> b00403000500100259d44c6d
> 03000600100259d45bb205000a00
> 010038392e3231322e37362e3130392f3332
> 05000b00010038392e3231322e39312e3137382f3332
> 04000800a0009884229af8684722ecf09bfe79c0d8eef96b3cfb
> 04000900c000e73eb8f1c43d90bdfaf40fb3abfe879d28e74cf8e870dd0b01001400
> 0101010013000300150010020a00
> 030011001002ff00030016001002
> 0a070800030012001002ff00
> 0200210008007465737476706e00
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800
> len 504 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8
> len 504 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0
> len 504 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8
> len 504 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SPD data
> 02121d0003000600100259d44c6d
> 010014000101010013000300150010020a00
> 030011001002ff0003001600
> 10020a070800030012001002ff00
> 05000a00010038392e3231322e39312e3137
> 382f333205000b00010038392e3231322e37
> 362e3130392f333202121d0003000600
> 100259d44c6d01001400030201001300
> 0300150010020a070800030011001002
> ff000300160010020a00
> 030012001002ff0005000a000100
> 38392e3231322e39312e3137382f333205000b000100
> 38392e3231322e37362e3130392f33320212
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000
> len 232 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8
> len 232 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0
> len 232 to peer 10.23.6.2
> Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0

Re: mod_perl script is failing to work under SSL

[Markus Wernig]

Chris Bennett wrote:

> I now wanted to improve security a bit, so when I tried accessing script
> with https, I get this error in log file:
> Can't locate object method "request" via package "Apache" 

Hi

Compare the httpd.conf of your ssl and non-ssl virtual hosts. Both must
have something like

 PerlModule Apache::Registry

 
   SetHandler perl-script
   PerlHandler Apache::Registry
   Options ExecCGI
 

krgds /markus

Re: how to set gnome-terminal default encoding

[Markus Wernig]

23e7 wrote:
> Hi,
> my openbsd is 4.5, gnome-terminal default encoding is ascii, I cannot
> find how to set to utf-8.

Which version? Normally, it's under Terminal->Set Character Encoding
(Alt-T C)
/m

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]

Re: dealing with incoming mail your own domain

[Markus Wernig]

Hi Jose

The MX is the host destined for receiving mail for a domain. There is no
indication that it should also be the only one sending mail from a
domain. At the moment most domains use SPF records to mark their
preferred relay, so you might want to check that instead of/in addition
to the MX record.

Be careful to look at the EnvFrom only, because evaluating the HdrFrom
will block all kind of incoming mail (forwarded, mailing lists ...)

Do you have mobile users who regularly use webmail or provider-owned
relays with their @example.com addresses?

Your MX will also have to be your outgoing relay or the outoing relay is
whitelisted somehow, else people @example.com canB4t mail among each other.

regards /markus

Jose Fragoso wrote:

> Bsically, if my network has de MX servers for domain
> @example.com, and a host tries to send a mail saying
> 'mail from:', I will trap him.
> 
> So I would like to hear opinions from the more experienced
> users about the pros and cons of this idea.

Re: Solved: sendmail: restrict sender domain for authenticated users

[Markus Wernig]

Hi Dan, thanks for the pointer

Custom rules are the equivalent of having your head spin through a
tumble-dryer ... but they work:

SLocal_check_rcpt
# check if sender is in local domains
# if yes, accept
# if not, recipient has to be local, else reject
R$* $: $1 $| $>3 $&f
R$* $| <>   $@ OK   <> is always ok
R$* $| $*<@$=w.>$@ OK   u...@local-host-name is ok
R$* $| $*   $: $1   any other user gets checked
R$* $: $>3 $1   check recipient
R$+<@$=w.>  $@ OK   recipient local? ok. this seems
to be incoming
R$+<@$+>$#error $@ 5.1.8 $: "551 Invalid sender domain"

thx /markus

Dan Harnett wrote:
> On Sun, Jun 21, 2009 at 05:42:22PM +0200, Markus Wernig wrote:
>> I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
>> auth. Now some users started using arbitrary from: addresses in their
>> mail clients. I would like to restrict those sender addresses to the
>> local domains, i.e. allow them to send mail from u...@my.domain or
>> u...@my.other.domain, and reject their mails from u...@foreign.domain,
>> preferably during the smtp dialog between MUA and sendmail.
>>
>> I've searched the sendmail docs and google, but can't find how to do
>> this. Is it possible at all?
> 
> Without modifying rulesets or running multiple instances of sendmail, I
> think the simplest way is to use milter-regex.  You can even match the
> authenticated username against specific envelope senders rather than any
> local domain.  Otherwise, you're probably looking at implementing
> something similar to this[1] in your configuration file.
> 
> [1] http://www.sendmail.org/~ca/email/restrict.html

Re: Solved: sendmail: restrict sender domain for authenticated users

[Markus Wernig]

Hi Dan, thanks for the pointer

Custom rules are the equivalent of having your head spin through a
tumble-dryer ... but they work:

SLocal_check_rcpt
# check if sender is in local domains
# if yes, accept
# if not, recipient has to be local, else reject
R$* $: $1 $| $>3 $&f
R$* $| <>   $@ OK   <> is always ok
R$* $| $*<@$=w.>$@ OK   u...@local-host-name is ok
R$* $| $*   $: $1   any other user gets checked
R$* $: $>3 $1   check recipient
R$+<@$=w.>  $@ OK   recipient local? ok. this seems
to be incoming
R$+<@$+>$#error $@ 5.1.8 $: "551 Invalid sender domain"

thx /markus

Dan Harnett wrote:
> On Sun, Jun 21, 2009 at 05:42:22PM +0200, Markus Wernig wrote:
>> I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
>> auth. Now some users started using arbitrary from: addresses in their
>> mail clients. I would like to restrict those sender addresses to the
>> local domains, i.e. allow them to send mail from u...@my.domain or
>> u...@my.other.domain, and reject their mails from u...@foreign.domain,
>> preferably during the smtp dialog between MUA and sendmail.
>>
>> I've searched the sendmail docs and google, but can't find how to do
>> this. Is it possible at all?
> 
> Without modifying rulesets or running multiple instances of sendmail, I
> think the simplest way is to use milter-regex.  You can even match the
> authenticated username against specific envelope senders rather than any
> local domain.  Otherwise, you're probably looking at implementing
> something similar to this[1] in your configuration file.
> 
> [1] http://www.sendmail.org/~ca/email/restrict.html

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]

sendmail: restrict sender domain for authenticated users

[Markus Wernig]

Hi all

I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
auth. Now some users started using arbitrary from: addresses in their
mail clients. I would like to restrict those sender addresses to the
local domains, i.e. allow them to send mail from u...@my.domain or
u...@my.other.domain, and reject their mails from u...@foreign.domain,
preferably during the smtp dialog between MUA and sendmail.

I've searched the sendmail docs and google, but can't find how to do
this. Is it possible at all?

thx /markus

Re: cpu not configured??

[Markus Wernig]

OK, for the record:

boot -c
disable pcibios0
disable acpi0
disable apm0

will boot the machine (after waiting ca. 2 minutes after wsmouse0)!

But, alas, the harddisks are not recognized by the kernel, which is - as
far as I can tell - a rather final statement.

Looking forward to 4.6.

krgds /markus

Markus Wernig wrote:

> I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
> success so far.

cpu not configured??

[Markus Wernig]

Hi all

I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
success so far.

The kernel stops booting after some lines of output. I've tried 4.4 and
4.5.

On 4.4 it stops right after the first lines. The last line of output is:
acpi0: tables DSDT FACP HPET MCFG SLIC APIC BOOT SSDT SSDT SSDT SSDT

No error, it just hangs

On 4.5 there are some lines more of output (including the above one), it
tells about wakeup devices and different timers, then comes to:

cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 265MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0,version 20,24 pins

And stops right there. Still, no errors, nothing. I don't ever get to a
point where I can run a meaningful dmesg.

The processor is a Intel(R) Core(TM)2 Duo CPU P8400  @ 2.26GHz with
the following flags (as seen from linux, though): fpu vme de pse tsc msr
pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx
fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni
dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1
lahf_lm tpr_shadow vnmi flexpriority

I remember other machines and other operating systems where I had to
pass special kernel boot parameters at the boot prompt in order to have
the kernel ignore or treat differently certain hardware (one favourite
was to disable acpi and the local apic). Here I'd use boot -c.

But which parameters should I disable or modify? Unfortunately I'm not
that familiar with the OBSD kernel, so I'd be grateful for any hints. I
realize that this is going to take a lot of poking around in the dark.

Thx /markus

Re: Flapping VPN under load on Soekris

[Markus Wernig]

Mikolaj Kucharski wrote:


Another scenario. When all VPNs are up and stable (traffic is low) and
one of the clients is rebooted at boot time when ipsecctl -f
/etc/ipsec.conf is executed it's tunell is setup and _all_ other
tunnels are immediately dropped.


Am I right to assume that only those tunnels from behind the same NAT 
device are dropped?


There was what I consider a bug in isakmpd that only looked ad IP pairs 
when matching packets to existing SAs. So any new connection from the 
same IP would break the existing ones. I don't know if it's actually fixed.


See 
http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/2/3/704644


krgds /markus

Re: PF/Carp/Pfsync

[Markus Wernig]

Hi Georg

I think I remember something like this ... could it be that carp takes 
over the interface before pfsync has finished updating the booted 
machine's connection table?
TCP (and many other protocols) takes care of such situations by simply 
retransmitting, so any TCP connections should recover within seconds. 
When using UDP I suppose, recovery depends on the application.


Another reason could be the interfaces not coming back up together. You 
should set net.inet.carp.preempt=1


hth /markus


Georg Kahest wrote:
[...] but when the prefered

master comes up again and starts to act as carp master, then client who
has carp as its gateway loses some packets on the moment of failover, [...]

Re: CARP not leaving backup state

[Markus Wernig]

If you tcpdump do you see any carp traffic at all (ip proto 112)? Upon 
reboot? And you did enable carp preemption on both hosts (sysctl 
net.inet.carp.preempt=1)?

Re: CARP not leaving backup state

[Markus Wernig]

Hi

Are you sure that all the interfaces you have configured carp on have 
link and can connect to each other? (I've seen similar behaviour caused 
by defective NICs: receive buffer not receiving while send buffer still 
sending - try ping on all interfaces) Is lo up? Is there any other 
router on the same network segment that propagates the same VHID with a 
better metric (i suppose that a VRRP router on the same net could cause 
trouble if it uses the same VHIDs).


no answers, just questions, I know ...

hth /markus

isakmpd times out on rolled-over client certificate

[Markus Wernig]

Hi all

I have an OBSD4.3 VPN gateway that authenticates users based on their 
certificate and an isakmpd.policy, which works just fine. Now a user had 
to renew his certificate: same CA, same CA certificate, same Subject DN, 
same EVERYTHING. I'd have expected that he'd just need to close the VPN 
tunnel, install the new certificate, authenticate again and that'd be 
it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped 
message from aaa.bbb.ccc.ddd port 500 due to notification type 
INVALID_ID_INFORMATION


On one machine, I had to restart isakmpd to get it to accept the new 
certificate, on the other one I can't because I connect to it through 
the same VPN ... Obviously some part of the certificate gets cached 
somewhere in memory (isakmpd? kernel?). Tearing down old SAs for the 
user's IP (echo "t aaa.bbb.ccc.ddd" > /var/run/isakmpd.fifo) doen't help.


Is there any way (apart from bouncing isakmpd) to force (isakmpd? 
kernel?) to forget the old and use the new certificate? On one occasion 
I had to reboot a box ... which I consider a rather drastic measure for 
the occasion of a user certificate renewal.


tx /markus

Re: IPSec tunnel problem

[Markus Wernig]

Alexey Vatchenko wrote:


It's because of:
ike passive esp from 192.168.0.0/24 to any local egress dstid
[EMAIL PROTECTED] psk xxx


Yes, it's because of that. But I'm convinced that you don't need that at
all.
From what I understand, you just need to give access from some remote
network(s) to your office net. Please correct me if you are trying to
achieve something else. Again (see last post):

Home gateway:
ike dynamic esp from HOME_NET to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP
psk xxx

Office gateway:
ike passive esp from HOME_NET to 192.168.0.0/24 psk xxx
(if you have more than one external networks, you can put "any" instead
of "HOME_NET" or repeat the stanza for each network.)

krgds /markus

Re: IPSec tunnel problem

[Markus Wernig]

Hi

From my point of view the problem is that you use the same network 
range 192.168.0/24  in your home and office. Off the top of my head I'd 
say that this should not work. The routing entries look a bit scary, 
actually. If I had the same setup, I'd try one of the following:

- change the home network to something else than 192.168.0/24
- nat all traffic from the home network on the office gateway to its own 
internal address


And I'd start out with the simplest of configurations and build from that:

Home gateway:
ike dynamic esp from HOME_NET to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP 
psk xxx


Office gateway:
ike passive esp from HOME_NET to 192.168.0.0/24 psk xxx

krgds /markus

Alexey Vatchenko wrote:


flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass


Coming to the office this morning i found out that all office's outgoing 
traffic goes through my home gateway. It looks like IPSec created 
default route for hosts in local network.

Re: IPSec tunnel problem

[Markus Wernig]

Hi

What does the ipsec.conf entry on the Office gateway for the Home 
gateway look like?

IP range of Home network?
Are you trying to use the Home gateway as a relay to get into the Office 
net from other locations than from Home network?

Do you have any NAT rules involved?

"ipsecctl -s all" on Office and Home gateways before and after 
connection is established could shed some light.


/m

Alexey Vatchenko wrote:

The problem is when home gateway establishes IPSec tunnel with office 
gateway, computers from office network cannot connect to office gateway 
(but they still can get Internet through the gateway).


Here is what i do:

Office network: 192.168.0.0/24
ipsec.conf: ike passive esp from 192.168.0.0/24 to any local egress 
dstid [EMAIL PROTECTED] psk xxx


Home
ipsec.conf: ike dynamic esp from any to 192.168.0.0/24 peer 
OFFICE_EXTERNAL_IP srcid [EMAIL PROTECTED] psk xxx


So, please, shed some light on what i do wrong.

Re: multiple ipsec-nat-t clients behind same ip address

[Markus Wernig]

Rephrasing: Is it possible to have multiple nat-t clients behind the 
same NAT address connect to the same OBSD ipsec gateway? How?


thx /markus

Markus Wernig wrote:

Hi all

I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behind one natting gateway, and are natted to the same
egress ip address. They try to connect to another network behind the VPN
gateway. The first connect succeeds, and the client gets its connection
(i can track this with ipsecctl -s all on the VPN gateway). Traffic uses
nat-t (udp 4500) as destination, yet the connection gets source-natted
and the source port is changed to some unique value.

This works well. But as soon as the second client connects, the first
one is disconnected! The second connection is source-natted to the same
IP, but uses a different source port.

ipsecctl shows that both tuples for flows and sa get replaced by new
ones the moment the second client connects. tcpdump on the gateway shows
normal ipsec traffic during the first connection until the new one is
initiated. After this, no packet for the first connection is sent by the
gateway, but all belong to the second one (different SPIs and different
source port)
.
Now i'm a bit unsure. From my understanding, it should be possible to
have multiple nat-t clients use the same external ip address. Is there
any limitation that i'm not aware of? Do i need to configure something
on the gateway? It's set up for roadwarriors. Here's ipsec.conf:

ike passive esp tunnel \
from any to a.b.c.d/24 \
srcid vpn.gate.way

with a.b.c.d being the network the clients want to connect to and
vpn.gate.way the fqdn of the gateway, as it appears in its certificate.

Thx for any hint

/markus

multiple ipsec-nat-t clients behind same ip address

[Markus Wernig]

Hi all

I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behind one natting gateway, and are natted to the same
egress ip address. They try to connect to another network behind the VPN
gateway. The first connect succeeds, and the client gets its connection
(i can track this with ipsecctl -s all on the VPN gateway). Traffic uses
nat-t (udp 4500) as destination, yet the connection gets source-natted
and the source port is changed to some unique value.

This works well. But as soon as the second client connects, the first
one is disconnected! The second connection is source-natted to the same
IP, but uses a different source port.

ipsecctl shows that both tuples for flows and sa get replaced by new
ones the moment the second client connects. tcpdump on the gateway shows
normal ipsec traffic during the first connection until the new one is
initiated. After this, no packet for the first connection is sent by the
gateway, but all belong to the second one (different SPIs and different
source port)
.
Now i'm a bit unsure. From my understanding, it should be possible to
have multiple nat-t clients use the same external ip address. Is there
any limitation that i'm not aware of? Do i need to configure something
on the gateway? It's set up for roadwarriors. Here's ipsec.conf:

ike passive esp tunnel \
from any to a.b.c.d/24 \
srcid vpn.gate.way

with a.b.c.d being the network the clients want to connect to and
vpn.gate.way the fqdn of the gateway, as it appears in its certificate.

Thx for any hint

/markus

syslog-ng and isakmpd

[Markus Wernig]

Hi all

I have replaced syslogd with syslog-ng on my OBSD4.2 boxes (needed tcp,
encryption and fifos). I have managed to mimick all traditional log
behaviour (as per the default syslogd config) with one exception:
isakmpd will not log a single bit into any facility. afaik isakmpd uses
the daemon facility (as does ntpd), so I have the following in
syslog-ng.conf:

source src {
unix-dgram("/dev/log");
internal();
};
[...]
filter f_daemon { facility(daemon); };
[...]
destination d_daemon { file("/var/log/daemon"); };
[...]
log { source src; filter f_daemon; destination d_daemon; };
[...]

Which works fine for ntpd. But no word from isakmpd in any file, not
even the catchall, not even with logging turned up to the maximum.
I've tried every which way but just can't see what to change.
Has anyone seen this before?

Thx /markus

deploy openssl patch

[Markus Wernig]

Dear list

I have a couple of 4.1 firewalls that I would like to upgrade to 4.2.
Before taking them online again I'd like to deploy the openssl patch 
from ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch


Being perimeter firewalls, those systems don't have compile tools 
installed. I would thus need to pre-compile libssl on a 4.2 buildhost 
and deploy it onto the firewalls. I've been looking through the 
documentation but did not find a "good" way to do this, because openssl 
is not a package, but part of the base system.


Is there any way other than tar - scp - untar after compiling libssl?

thx for any pointers

/markus

Re: ipsec with carp

[Markus Wernig]

Hi

The one time I remember getting that error was when I _thought_ I was
using certificates from /etc/isakmpd/{certsB&private}, but still had a
local.pub and local.key from the installation lying around that got used
instead. Some more debug info (/var/log/daemon) would be helpful indeed.

krgds /m

Patrick Hemmen wrote:
> Hello all,
> 
> I have two OpenBSD machines for a redundancy VPN-Gateway. They use
> carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
> I setup a ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
> established and the error "PAYLOAD_MALFORMED" appears in the logs.
> With tcpdump I can see that the initial packet (isakmp v1.0 exchange
> ID_PROT) to establish the tunnel come from the host IP-Address and not
> from the carp address.

Re: carp devices master/backup behavior

[Markus Wernig]

Hi

If the problem is intermittent, this is probably correct, but have you 
checked that you _really_ have different vhids for all devices?
You might also want to set different passwords for each carp device, 
just to go sure they don't interfere with each other.


krgds /markus

Erich wrote:

the backup system is in a state where the carp devices are in a mixed 
state. carp3  and carp4 for example are still MASTER and the rest of 
the interfaces has gone back to BACKUP state like they should.

they are all in the same carp group. ideas what to check?

Re: IPSec VPN gateway with only one interface

[Markus Wernig]

For the record:

The problem was not with with the single interface, but with my 
misreading the documentation. The error was in specifying the tunnel 
twice. The working ipsec directives are of course:


ipsec.conf on A:
ike esp from  to  peer  
srcid  dstid 


ipsec.conf on B:
ike passive esp tunnel from any to  srcid 


Markus Wernig wrote:

Hi all

I'v looked through what documentation I could find, but didn't find this 
case mentioned, so I assumed it would work (which it doesn't):


I have an OBSD 4.1 vpn gateway (A) with only one interface, over which 
the default route points out and over which the packets to forward 
through the tunnel arrive. The other gateway is a "regular" 2-interface 
OBSD 4.1 gateway (B).


Here's the layout:

Internal Net --  -- VPN gateway A
&
 Internet
&

&
   VPN gateway B
&
  Destination Net

The tunnel seemingly does get created without any errors, but when 
packets pass through the tunnel, the remote gateway sends them right 
back. Also, on both gateways, 4 flows and 4 SADs get created, instead of 
2 each, as I'd expect:


# ipsecctl -s all
FLOWS:
flow esp in from  to  peer B> srcid  dstid  type use
flow esp out from  to  peer B> srcid  dstid  type require
flow esp in from  to  peer B> srcid  dstid  type use
flow esp out from  to  peer B> srcid  dstid  type require


SAD:
esp tunnel from  to  spi 0xADEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xBDEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xCDEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xDDEADBEEF auth 
hmac-sha2-256 enc aes


Thus, contradicting routes get added to the kernel routing tables:

gateway B:

Encap:
Source Port  DestinationPort  Proto 
SA(Address/Proto/Type/Direction)
0   0 0 NAT 
router A/esp/use/in
  0 0 0 NAT 
router A/esp/require/out
  0 0 0 NAT 
router A/esp/use/in
0   0 0 NAT 
router A/esp/require/out




ipsec.conf on A:
ike esp from  to  peer  
srcid 
ike esp from  to  peer  
srcid 


ipsec.conf on B:
ike passive esp tunnel from any to  srcid 
ike passive esp tunnel from  to any srcid 


A tcpdump on enc0 of both gateways shows the packets looping between the 
two gateways until ttl == 1.


Can anybody tell me if this is supposed to work at all? Does anyone see 
an obvious flaw? I'm really lost at why the gateways add flows and 
routes in both directions...



thx /markus

pf tag from ipsec in nat rules

[Markus Wernig]

Hi all

Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat 
rules (OBSD 4.1)?


The idea is:
ipsec.conf:
ike esp from A to B tag "mytag"

pf.conf:
nat on $int_if tagged "mytag" -> ($int_if:1)
nat on $int_if from !($int_if) -> ($int_if:0)


If I use the "tagged" keyword, the second nat rule is used even for 
packets coming out of the ipsec tunnel. Replacing the "tagged" keyword 
with the actual IPs works:

nat on $int_if from A to B -> ($int_if:1)

Shouldn't this be possible with tags?

thx for any pointer

/markus

IPSec VPN gateway with only one interface

[Markus Wernig]

Hi all

I'v looked through what documentation I could find, but didn't find this 
case mentioned, so I assumed it would work (which it doesn't):


I have an OBSD 4.1 vpn gateway (A) with only one interface, over which 
the default route points out and over which the packets to forward 
through the tunnel arrive. The other gateway is a "regular" 2-interface 
OBSD 4.1 gateway (B).


Here's the layout:

Internal Net --  -- VPN gateway A
&
 Internet
&

&
   VPN gateway B
&
  Destination Net

The tunnel seemingly does get created without any errors, but when 
packets pass through the tunnel, the remote gateway sends them right 
back. Also, on both gateways, 4 flows and 4 SADs get created, instead of 
2 each, as I'd expect:


# ipsecctl -s all
FLOWS:
flow esp in from  to  peer B> srcid  dstid  type use
flow esp out from  to  peer B> srcid  dstid  type require
flow esp in from  to  peer B> srcid  dstid  type use
flow esp out from  to  peer B> srcid  dstid  type require


SAD:
esp tunnel from  to  spi 0xADEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xBDEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xCDEADBEEF auth 
hmac-sha2-256 enc aes
esp tunnel from  to  spi 0xDDEADBEEF auth 
hmac-sha2-256 enc aes


Thus, contradicting routes get added to the kernel routing tables:

gateway B:

Encap:
Source Port  DestinationPort  Proto 
SA(Address/Proto/Type/Direction)
0   0 0 NAT 
router A/esp/use/in
  0 0 0 NAT 
router A/esp/require/out
  0 0 0 NAT 
router A/esp/use/in
0   0 0 NAT 
router A/esp/require/out




ipsec.conf on A:
ike esp from  to  peer  
srcid 
ike esp from  to  peer  
srcid 


ipsec.conf on B:
ike passive esp tunnel from any to  srcid 
ike passive esp tunnel from  to any srcid 


A tcpdump on enc0 of both gateways shows the packets looping between the 
two gateways until ttl == 1.


Can anybody tell me if this is supposed to work at all? Does anyone see 
an obvious flaw? I'm really lost at why the gateways add flows and 
routes in both directions...



thx /markus

Re: isakmpd.policy not getting evaluated? SOLVED

[Markus Wernig]

Hi all

For the archives: isakmpd.policy for authenticating users by their 
certificates' subjects (ASN1 DNs):


KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
 doi == "ipsec" &&
 esp_present =="yes" &&
 esp_enc_alg !="null" &&
 remote_id_type =="ASN1 DN" &&
 (
 remote_id=="/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" ||
 remote_id=="/C=CH/CN=Jane Doe/[EMAIL PROTECTED]/O=My Org"
 ) -> "true";

KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/CN=Some other CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
 doi == "ipsec" &&
 esp_present =="yes" &&
 esp_enc_alg !="null" &&
 remote_id_type =="ASN1 DN" &&
 (
 remote_id=="/CN=Some Body/[EMAIL PROTECTED]" ||
 remote_id=="/CN=Any One/[EMAIL PROTECTED]"
 ) -> "true";

Don't put anything (comments, blank lines ...) before the first line. It 
will silently just not work.


enjoy
/markus

isakmpd.policy not getting evaluated? (was: Use certificate subjec/ASN1 t in ipsec.conf ?)

[Markus Wernig]

Hi again!

I need to authenticate users in isakmpd by the subject DN of their x509 
certificates. For this, I wrote isakmpd.policy as follows:


KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
  doi == "ipsec" -> "true";

KeyNote-Version: 2
Authenticator: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type =="ASN1 DN" &&
  remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The accompanying ipsec.conf looks like:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

I can now establish an IPSec connection with any certificate issued by 
the CAs whose certificates lie in /etc/isakmpd/ca.
But the restrictions I put in isakmpd.policy do not seem to get 
enforced, i.e. any certificate gets accepted, not only the configured 
one (/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org). So either my 
isakmpd.policy is wrong or it does not get evaluated.


Does anybody have a pointer on how to restrict access to just the 
certificates I specify in isakmpd.policy?


thx /markus

Hans-Joerg Hoexer wrote:

Hi,

the Subject Alternative Name of your certificate will be used as phase 2
IDs, ie. that's what is sent.  If you want to use the Subject Canonical
Name, you have to additionlly provide an isakmpd.policy file and you have
to run isakmpd without the "-K" option.  See isakpmd.policy(5).

Re: Use certificate subjec/ASN1 t in ipsec.conf ?

[Markus Wernig]

s/isakmpd.conf/isakmpd.policy/g

typo
/m

Markus Wernig wrote:
> Hello & thanx for the swift reply
> 
> Now i've read through the isakmpd.conf and keynote manpages, but,
> honestly, I still don't know how to get this working.
> 
> Here's the isakmpd.conf I came up with:
> 
> KeyNote-Version: 2
> Authenticator: "POLICY"
> Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
> Conditions: app_domain == "IPsec policy" &&
>   doi == "ipsec" -> "true";
> 
> KeyNote-Version: 2
> Authenticator: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
> Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
> Conditions: remote_id_type =="ASN1 DN" &&
>   remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";
> 
> The last assertion is to be repeated for every allowed client with the
> according subject.
> 
> Additionally, I removed the reference to the client in ipsec.conf:
> 
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
> 
> But still, no joy.
> 
> Just to make sure that I don't head off in the wrong direction: Is this
> basically how it's supposed to work? And could I additionally still use
> the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the
> packets from each user-session and have user-based rules in pf.conf.
> 
> thx /markus
> 
> Hans-Joerg Hoexer wrote:
>> Hi,
>>
>> the Subject Alternative Name of your certificate will be used as phase 2
>> IDs, ie. that's what is sent.  If you want to use the Subject Canonical
>> Name, you have to additionlly provide an isakmpd.policy file and you have
>> to run isakmpd without the "-K" option.  See isakpmd.policy(5).
>>
>> On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
>>> Hi all
>>>
>>> I'm setting up a OBSD 4.1 ipsec gateway, against which users will 
>>> authenticate using x509 certificates. They all use personal certificates 
>>> (key usage: digSig), which contains their user name and Email in the 
>>> subject. I need to authenticate them by the whole subject, but can't 
>>> seem to find out how.

Re: Use certificate subjec/ASN1 t in ipsec.conf ?

[Markus Wernig]

Hello & thanx for the swift reply

Now i've read through the isakmpd.conf and keynote manpages, but,
honestly, I still don't know how to get this working.

Here's the isakmpd.conf I came up with:

KeyNote-Version: 2
Authenticator: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
  doi == "ipsec" -> "true";

KeyNote-Version: 2
Authenticator: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type =="ASN1 DN" &&
  remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The last assertion is to be repeated for every allowed client with the
according subject.

Additionally, I removed the reference to the client in ipsec.conf:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

But still, no joy.

Just to make sure that I don't head off in the wrong direction: Is this
basically how it's supposed to work? And could I additionally still use
the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the
packets from each user-session and have user-based rules in pf.conf.

thx /markus

Hans-Joerg Hoexer wrote:
> Hi,
> 
> the Subject Alternative Name of your certificate will be used as phase 2
> IDs, ie. that's what is sent.  If you want to use the Subject Canonical
> Name, you have to additionlly provide an isakmpd.policy file and you have
> to run isakmpd without the "-K" option.  See isakpmd.policy(5).
> 
> On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
>> Hi all
>>
>> I'm setting up a OBSD 4.1 ipsec gateway, against which users will 
>> authenticate using x509 certificates. They all use personal certificates 
>> (key usage: digSig), which contains their user name and Email in the 
>> subject. I need to authenticate them by the whole subject, but can't 
>> seem to find out how.

Use certificate subjec/ASN1 t in ipsec.conf ?

[Markus Wernig]

Hi all

I'm setting up a OBSD 4.1 ipsec gateway, against which users will 
authenticate using x509 certificates. They all use personal certificates 
(key usage: digSig), which contains their user name and Email in the 
subject. I need to authenticate them by the whole subject, but can't 
seem to find out how.


I can authenticate them (i.e. it works) if I just use the email address 
from the certificate as a filter in ipsec.conf along the lines:


ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
dstid [EMAIL PROTECTED]
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
dstid [EMAIL PROTECTED]


But what I need would look something like:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"


When I configure this, with all possible variations of quoting and 
backslashes, isakmpd tells me in the log file:


Jul 20 18:52:15 gate isakmpd[8707]: ipsec_validate_id_information: 
dubious ID information accepted
Jul 20 18:52:15 gate isakmpd[8707]: ike_phase_1_recv_ID: received remote 
ID other than expected /C=CH/CN=John


Apropos the subjectAltName: openssl tells me about the certificate:

[...]
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
[...]

Is there a way to see what is getting sent? isakmpd does not seem to 
like the spaces in the /CN, is there a way to quote this for him?

Is this possible at all?

thx for any hint

/markus

pckbc, pmsi_* errors, mouse not working on 4.1

[Markus Wernig]

Hi all

I've upgraded OBSD on my notebook (hp-compaq nc7xxx series) from 3.8 to 
4.1. All went well, except that when I start X, neither mouse nor 
keyboard are responding any more. Instead I get repeating error messages 
in syslog and on console:

pmsi_enable: command error
pckbc: command timeout
pmsi_disable: command error

Google suggested that I try to enable ACPI, which I did via UKC. But as 
soon as I quit UKC, the machine hard resets and starts over. The same 
happens when I edit a kernel with config and boot from it: immediate 
reset and reboot.


Is there any other approach to solving the mouse problem? If no: is 
there any way to find out what is killing the kernel with acpi enabled?


thx /markus

encap routes

[Markus Wernig]

Hi all

Does anybody know what the status of the problem described here is?

http://archives.neohapsis.com/archives/openbsd/2005-12/0327.html

The problem is that OBSD IPSec gateways will reject packets they have an
SA for if they don't have an IP route to the destination (any route,
default gw will suffice).
Is it planned to be change the default behaviour?

thx /markus

Re: host to host ipsec link

[Markus Wernig]

Stuart Henderson wrote:
> On 2007/04/16 15:06, Markus Wernig wrote:
> ...
> 
> the error message does come from sasyncd.
> 
>> sharedkey [32byte RSA key]
> 
> the other config lines are ok, the error must be here.
> 

aarrgg ... and indeed it was. I had produced that
string with # openssl rand 32 | perl -pe 's/./unpack("H1",$&)/ges' - as
I always do - but must have botched something on the way ... thx
/m

Re: CARP access outside a subnet

[Markus Wernig]

Hi

I'm not sure about carp supporting addresses in other subnets than the
physical one. But to debug this further:
- what does tcpdump -e -n -i xennet1 show on the routers when you ping
the virtual interface from outside the lan?
- is the route for the egress path the same as for the ingress path
(i.e. does the route back to the accessing device point out over the
same interface (xennet1) that the packets come in on)?
- maybe your next hop router does not receive the virtual mac address.
check the arp table on the next hop router.
- what is the error message when pinging from the outside and who
generates it?

krgds /markus

david l goodrich wrote:
> I'm sorry to bring this up again, since it didn't get any responses the
> first time.
> 
> But I haven't had any luck on my own, and was hoping someone might have an
> idea.
> 
> 
> On 4/9/07, david l goodrich <[EMAIL PROTECTED]> wrote:
>> I have two hosts in a CARP group.
>>
>> on router-meus-cd1, i have the following network configuration:
>>
>> router-meus-cd1# ifconfig xennet1
>> xennet1:
>> flags=8963 mtu
>> 1500
>> capabilities=2800
>> enabled=0
>> address: 00:16:3e:71:ef:6f
>> inet 10.10.10.2 netmask 0xff00 broadcast 10.10.10.255
>> inet6 fe80::216:3eff:fe71:ef6f%xennet1 prefixlen 64 scopeid 0x4
>> router-meus-cd1# ifconfig carp216
>> carp216: flags=8843 mtu 1500
>> carp: MASTER carpdev xennet1 vhid 216 advbase 1 advskew 0
>> address: 00:00:5e:00:01:d8
>> inet 216.51.247.30 netmask 0xfff8 broadcast 216.51.247.31
>> router-meus-cd1#
>>
>> on router-meus-cn1, i have a similar configuration:
>>
>> router-meus-cn1# ifconfig xennet1
>> xennet1:
>> flags=8963 mtu
>> 1500
>> capabilities=2800
>> enabled=0
>> address: 00:16:3e:04:d3:e0
>> inet 10.10.10.1 netmask 0xff00 broadcast 10.10.10.255
>> inet6 fe80::216:3eff:fe04:d3e0%xennet1 prefixlen 64 scopeid 0x4
>> router-meus-cn1# ifconfig carp216
>> carp216: flags=8843 mtu 1500
>> carp: BACKUP carpdev xennet1 vhid 216 advbase 1 advskew 
>> 0216.51.247.30
>>
>> address: 00:00:5e:00:01:d8
>> inet 216.51.247.30 netmask 0xfff8 broadcast 216.51.247.31
>> router-meus-cn1#
>>
>>
>> The default route, nameservers, etc are all set correctly.
>>
>> CARP works great on the 216.51.247.24/29 subnet, from any machine on that
>> subnet I can ping 216.51.247.30.
>>
>> When I get outside the subnet, I can't ping the address or ssh to it.
>>
>> Does anyone have some insight into why this is happening?
>>
>> Thanks
>>   --david

Re: host to host ipsec link

[Markus Wernig]

Mathieu Sauve-Frankel wrote:

> Currently the order in which isakmpd, ipsecctl and sasyncd need to be
> invoked in order for everything to work is pretty rigid. 
> 
> # isakmpd -KS   
> # ipsecctl -f /etc/ipsec.conf
> # sasyncd 
> 
> First start isakmpd with -KS, this brings up isakmpd in passive mode, 
> isakmpd won't initiate any IKE traffic until an sasyncd process sets
> isakmpd to "active" mode through the fifo, you can do this by hand by
> issuing "M active" into the fifo with echo. Don't forget to load your rules 
> before you issue this command. 
> 
> If you are not going to use sasyncd, don't use -S.
> 

Hi & thx for the insight. I now realize that the problem is caused by
sasyncd not starting. It terminates immediately with the message
"config: syntax error". Unfortunately it's not a syntax error in the
sasyncd.conf file, but the error really seems to stem from the program
"config" that seems to get called in the process of invoking sasyncd ...
between stat-ing the config file and parsing it, as I would suppose,
because sasyncd will not complain about real, intentional syntax errors
in the file or an empty file, but will bail out on wrong file permissions.

I have copied over sasyncd.conf from a working installation and changed
the sharedkey and peer parameters. But config: syntax error hits me even
if I empty the file (which should produce errors about missing
sharedkeys and the like)

Just to go sure, here's the file:

# cat /etc/sasyncd.conf
interface carp1
flushmode sync
listen on xl0 port 5000
sharedkey [32byte RSA key]
peer 10.111.1.2

Plus, "syntax error" does not appear in the sasyncd binary with strings
or source code.

Sorry again if I'm missing something obvious.
/markus

Re: host to host ipsec link

[Markus Wernig]

Hello!

Renaud Allard wrote:
> Markus Wernig wrote:
>> Renaud Allard wrote:
>>
>>> Did you verify that isakmpd is running?
>> Yes. It runs as follows:
>>
>> 11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
>> 18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
>>
>>
> -S is used for redundant setups. Did you try without that flag?

Infact, this resolves the problem! Thanks a lot.

Yet, it brings me to the next problem that I didn't set the -S flag, but
/etc/rc does so automatically because of sasyncd, which will be used on
those boxes in a further step. (The far goal being two firewall clusters
encrypting traffic between the networks behind them, and encrypting
traffic between the two members respectively.)

krgds /markus

Re: host to host ipsec link

[Markus Wernig]

Renaud Allard wrote:

> Maybe also try on both firewalls:
> 
> cd /etc/isakmpd && ln -s private/local.pub .
> 
> Then restart isakmpd and reload the rules.
> 

Hi

Tried that as well ... still no go.
I have disabled pf for setting the enc up. I suppose, that doesn't
matter, does it?

krgds /markus

Re: host to host ipsec link

[Markus Wernig]

Renaud Allard wrote:

> Did you verify that isakmpd is running?

Yes. It runs as follows:

11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo

Re: host to host ipsec link

[Markus Wernig]

Renaud Allard wrote:

> It seems you just forgot to load your rules.
> Just add "ipsecctl -f /etc/ipsec.conf" in the rc.local of both your
> firewalls and everything should just work fine.


Hi

I've tried to load the rules by hand with "ipsecctl -f /etc/ipsec.conf"
- to no avail. On the other hand I seemed to understand that with
"ipsec=YES" in /etc/rc.conf.local this was done automatically.

I've tried it nevertheless, unfortunately no joy ;-)

thx /markus

host to host ipsec link

[Markus Wernig]

Hello all

I am trying a  - what I think is - simple ipsec setup. The point is to
ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
Although having read through ipsec, ipsec.conf, isakmpd and friend's
manpages, I get stuck on the same point. Obviously I'm missing some
important point.

gateA:/etc/ipsec.conf:
ike esp from 10.111.1.1 to 10.111.1.2

gateB:/etc/ipsec.conf:
ike esp from 10.111.1.2 to 10.111.1.1

private and public key created by rc on initial boot in
/etc/isakmpd/private on both machines.
copied
gateA's /etc/isakmpd/private/local.pub to
gateB:/etc/isakmpd/pubkeys/ipv4/10.111.1.1
and
gateB's /etc/isakmpd/private/local.pub to
gateA:/etc/isakmpd/pubkeys/ipv4/10.111.1.2

/etc/rc.conf.local
ipsec=YES
isakmpd_flags="-K -f /var/run/isakmpd.fifo"


I thought that with this, automatic keying would setup a tunnel between
10.111.1.1 and 10.111.1.2 on system start. But nothing of the like
happens, not even a single IKE package is exchanged between the two
hosts. Consequently, when pinging from 10.111.1.1 to 10.111.1.2 or vice
versa, the packets go over the wire in the clear.

I'm sorry, but I just can't see what I'm missing. Would anybody have a
pointer for a lost soul?

thx /markus

health check for members of round-robin group

[Markus Wernig]

Hi everybody!

I am looking at implementing a round-robin load-balanced group of
servers behind an OBSD firewall.

The pf commands would run along the lines
[...]
table  persist file /etc/pf.serverlist
rdr on $ext_if proto tcp from any to $virtual_ip port 80 \
   ->  round-robin
[...]

Now the question is, what happens if one of the servers in
/etc/pf.serverlist goes down? I suppose, each nth connection is still
forwarded to it. Apparently, I need to do some sort of health check
periodically (say, every 60 seconds) and remove the faulty server from
 and from /etc/pf.serverlist (in case the fw gets reloaded
while the server is still down).

Now just before I go and hack away at that health check crontab script:
Is anybody aware if such a check mechanism already has been implemented,
maybe in some other form?

thx /markus

Re: Carp on trunk is working since 3.9

[Markus Wernig]

Reyk Floeter wrote:

> 
> retry with 3.9

OK, thanks and sorry for the noise. Works now, but now another thing
keeps popping up: I've set the trunkproto to failover on both boxes. Now
when I pull the master nic's cable, the time it takes for the other one
to take over varies from around 5 to 8 seconds on failover and between 1
and around 8 seconds on failback (reinsertion). Is this expected
behaviour? Or could there be one of the dumb switches interfering?
What would the "normal" failover time in this scenario be?

The layout would be as follows (NIC 1 set to master):

 
|NIC 1 |-|  |- Test Host
| BOX A| | Switch A |
|NIC 2 | |  |
\   /
 \ /   |
  \   /|
   \ / |
X  |
   / \ |
  /   \|
 / \ 
|NIC 1 |/   \|  |
| BOX B| | Switch B |
|NIC 2 |-|  |
 

Test host is pinging trunk0 (NIC 1, NIC 2) on each box.
If the cable into NIC 1 is pulled, I get the above timeouts before failover.
If I do # ifconfig NIC1 down, traffic stops alltogether and no failover
occurs, regardless of what switch the test host is plugged into. The
status of trunk0 changes to "no carrier", while trunkport NIC1 drops to
"master" and NIC2 remains as "active". Is this also expected?

thx /markus