First time setting up ISAKMPD
I've read through the manpages and googled through lots of tutorials, but can't seem to get a very simple VPN (isakmpd) gateway working with racoon (mobile OS X Tiger clients). After trying to connect, I am not able to ping the internal network from the mobile VPN client. I can post the full logs, but first please take a look at my conf files to see if I'm missing something.

My simple VPN should work like this:

[mobile clients] internet [OPENBSD GATEWAY] [192.168.0.0/24 internal network]

mobile clients are to join the 192.168.0.0/24 network, with a manually assigned 192.168.0.X address. I've even gone to the point of over simplifying my pf.conf and isakmpd settings to avoid problems caused by other settings. This is my first time setting up a VPN with isakmpd so please understand if I'm missing something very obvious, and if you see something wrong with the settings I'd appreciate it if you can point me to the right direction. Here are my conf files>

--pf.conf--
### MACROS
###---INTERFACES---###
ext_if="em0"
int_if="em4"
#brg_if1="em2"
#brg_if2="em3"
brg_if="em1"
vpn_if="enc0"
###---NETWORKS/ADDRESSES---###
ext_add="219.XXX.XXX.82"
int_gw="192.168.0.1"
int_net="192.168.0.0/24"

### SCRUB
scrub in all

### NAT
nat on $ext_if inet from $int_if:network to any -> $ext_add

### RULES
### vpn part
pass in quick on $ext_if inet proto udp from any to ($ext_if) port isakmp keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port isakmp keep state
### esp traffic
pass in quick on $ext_if inet proto esp from any to ($ext_if)
pass out quick on $ext_if inet proto esp from ($ext_if) to any
pass in quick on $vpn_if proto ipencap all
pass out quick on $vpn_if all
pass in quick on $vpn_if all

--isakmpd.policy--
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_enc_alg != "null" -> "true";

--isakmpd.conf--
[General]
Listen-on=219.XXX.XXX.82
Retransmits= 5
Exchange-max-time= 120

[Phase 1]
Default= ISAKMP-Clients

[Phase 2]
Passive-Connections= IPSec-clients

[ISAKMP-Clients]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somesecretpassword

[IPSec-Clients]
Phase= 2
Configuration= Default-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[dummy-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-GRP2-SUITE

Kory T
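An added static check for the isakmpd.conf format posted above (example code written for this page, not from the poster or from OpenBSD): it parses the INI-style sections, verifies that every section named by [Phase 1] Default, [Phase 2] Passive-Connections and each connection's Configuration/Local-ID/Remote-ID is actually defined, and flags 0.0.0.0/0 wildcard IDs and DES/3DES/MD5 transforms. It assumes isakmpd compares section names case-insensitively, so a case-only mismatch such as IPSec-clients against [IPSec-Clients] is reported rather than treated as fatal; the embedded sample is the poster's file, abridged.

```python
# Constructed sample: the poster's isakmpd.conf above, abridged and re-typed.
SAMPLE_CONF = (
    "[General]\nListen-on=219.XXX.XXX.82\n[Phase 1]\nDefault= ISAKMP-Clients\n"
    "[Phase 2]\nPassive-Connections= IPSec-clients\n[ISAKMP-Clients]\nPhase= 1\n"
    "Configuration= Default-main-mode\nAuthentication= somesecretpassword\n[IPSec-Clients]\nPhase= 2\n"
    "Configuration= Default-quick-mode\nLocal-ID= default-route\nRemote-ID= dummy-remote\n"
    "[default-route]\nNetwork= 0.0.0.0\nNetmask= 0.0.0.0\n[dummy-remote]\nNetwork= 0.0.0.0\nNetmask= 0.0.0.0\n"
    "[Default-main-mode]\nEXCHANGE_TYPE= ID_PROT\nTransforms= 3DES-SHA-GRP2\n"
    "[Default-quick-mode]\nEXCHANGE_TYPE= QUICK_MODE\nSuites= QM-ESP-3DES-SHA-GRP2-SUITE\n")
def parse_conf(text):
    """Parse isakmpd's INI-like syntax into {section: {key: value}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def resolve(sections, name, findings):
    """Section a reference names, or None; a case-only match passes (isakmpd assumed case-insensitive)."""
    hits = [s for s in sections if s.lower() == name.lower()]
    if not hits:
        findings.append("reference '%s' names a section that is never defined" % name)
    elif name not in hits:
        findings.append("reference '%s' matches [%s] only ignoring case" % (name, hits[0]))
    return hits[0] if hits else None

def check_conf(text):
    """Return a list of findings; an empty list means every reference resolved."""
    sections, findings = parse_conf(text), []
    names = [sections.get("Phase 1", {}).get("Default", "")]
    names += sections.get("Phase 2", {}).get("Passive-Connections", "").split(",")
    conns = (resolve(sections, n.strip(), findings) for n in names if n.strip())
    for conn in filter(None, conns):
        body, keys = sections[conn], ["Configuration"]
        keys += ["Local-ID", "Remote-ID"] if body.get("Phase") == "2" else []
        findings += ["[%s] is missing %s" % (conn, k) for k in keys if k not in body]
        for key in (k for k in keys if k in body):  # each must name a defined section
            resolve(sections, body[key], findings)
    for name, body in sections.items():
        algs = (body.get("Transforms", "") + body.get("Suites", "")).upper()
        if "DES" in algs or "MD5" in algs:
            findings.append("[%s] selects a legacy algorithm (DES/3DES/MD5)" % name)
        if body.get("Network") == "0.0.0.0" and body.get("Netmask") == "0.0.0.0":
            findings.append("[%s] is a 0.0.0.0/0 wildcard ID" % name)
    return findings
```

Run check_conf(open("/etc/isakmpd/isakmpd.conf").read()) on a real file; built-in transform and suite names such as 3DES-SHA-GRP2 are not sections, so only connection and ID references are resolved.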
Re: Intel PRO/1000 MT Dual Port Server Adapter Issues
I have the exact same PCI card and have no problems since 3.7. Using it on a Tyan S2707 motherboard.

Kory T

On Oct 18, 2005, at 11:10 AM, Jason Dixon wrote:

On Oct 17, 2005, at 8:59 PM, Damien Gardner Jnr wrote:

[ Redirecting back to misc@ where this belongs ]

From: "Ken Gunderson" <[EMAIL PROTECTED]>
To:

I'm having some issues w/an Intel PRO/1000 MT Dual Port Server Adapter in an OBSD-3.7 firewall. The card is in the pci-x riser on one of these puppies; Dmesg complains the "The EEPROM Checksum Is Not Valid". I've tested the card in a Winblows machine and it works. Any insights as to what is going on here greatly appreciated.

We had exactly the same problem with dual and quad versions of these same cards - we ended up swapping to PCI cards and changing the motherboard to something with enough PCI slots to support all the cards.. :\

If this is the case, I'm glad this became public. I'm about to fork out for some of these. Can anyone suggest any specific Gig-E dual port cards that work well with 3.7-3.8? Vendor recommendations welcome.

Thanks,
-- Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
isakmpd.conf that works with OS X tiger VPN client?
I was wondering if anyone has had success making an isakmpd.conf that works with the OS X 10.4.X built-in VPN client. I've tried several different configs but am new to OpenBSD so have been having problems just understanding the whole isakmpd.conf and isakmpd.policy files. If anyone has had success, it would be great if you can show me a copy of the file. Thanks. Kory T
Re: unnumbered PPPoE
Thanks for the suggestion. Unfortunately, bridge(4) doesn't support pppoe(4) as a possible interface. I don't know why, but it just rejects it. Anyone know of a workaround for this? I'm on a 100mb/s FTTH line so a userland pppoe is not an option.

Kory T

On Oct 10, 2005, at 11:42 PM, Christopher Hylarides wrote:

While I have never done it myself, I THINK that you might be able to do it with bridging the pppoe interface with an ethernet interface. Play around a little bit.

-- Chris

On 10-Oct-05, at 8:44 AM, Talmage wrote:

I've been reading through manpages and tutorials but have not been able to get an answer to a question I have. I am wondering if it's possible to use OpenBSD as an unnumbered PPPoE client bridge. Basically a transparent bridge that processes packets for PPPoE so the rest of the network doesn't have to deal with PPPoE.

[internet]-[ISP(PPPoE Server)][modem][openbsd(PPPoE Client)]-[multiple static IPs]

Kory T
unnumbered PPPoE
I've been reading through manpages and tutorials but have not been able to get an answer to a question I have. I am wondering if it's possible to use OpenBSD as an unnumbered PPPoE client bridge. Basically a transparent bridge that processes packets for PPPoE so the rest of the network doesn't have to deal with PPPoE.

[internet]-[ISP(PPPoE Server)][modem][openbsd(PPPoE Client)]-[multiple static IPs]

Kory T
Simple networking question
Is there any way of making a pppoe0 interface part of a bridge? I'm trying to set up a stealth ethernet bridge that does packet filtering, and also want it to act as a pppoe client. Kory T
Re: in-kernel PPPoE (resolved but related issue)
I finally got in-kernel PPPoE to work after fixing the hostname.pppoe0 file up a bit. Now I'm new to this so I have a few questions. I can get the OpenBSD box to access the internet fine, but am a bit confused about getting the rest of the network connected to the net. I have multiple static IP addresses. This is what I've tried so far.

I have 4 ethernet interfaces, em0~em3, static IP address XXX.XXX.XXX.80/29
pppoe0 is connected to em0, pppoe0 has a static IP of X.X.X.80
bridge0 is created with em0 and em1, both interfaces are up
em1 has no IP address, and is connected to an ethernet switch for servers that need static IPs
the servers are manually assigned static IPs X.X.X.81~86

This has not worked for me, I'm sure I'm doing something wrong. The servers can ping X.X.X.80, but can't connect beyond the openbsd box. Am I missing something? I'm basically trying to make an OpenBSD network bridge that will act as a PPPoE client (and do some filtering and NAT later on). Any help will be appreciated. Kory T
in-kernel PPPoE doesn't like my authname
I'm planning on implementing an OpenBSD all-in-one router/firewall/PPPoE_client/VPN_server and have been having issues getting the in-kernel PPPoE to work, which is the first thing I'm working on. I've checked the pppoe(4) manpages but still haven't been able to get it to work. Here's the message I get while booting up>

--
ifconfig: pppoe0: phase established
[EMAIL PROTECTED]: bad value
add net default: gateway XXX.XXX.XXX.80
...
--

Obviously something's wrong with myauthname. Does the in-kernel pppoe have problems with long usernames? Or the "%" character?

Then once boot-up is complete I keep getting these messages>

--
Sep 30 21:36:10 hostname /bsd: pppoe0: pap failure
Sep 30 21:36:10 hostname /bsd: pppoe0: phase terminate
Sep 30 21:36:10 hostname /bsd: pppoe0: phase dead
Sep 30 21:36:20 hostname /bsd: pppoe0: pap failure
Sep 30 21:36:20 hostname /bsd: pppoe0: phase terminate
Sep 30 21:36:20 hostname /bsd: pppoe0: phase dead
--

and it keeps repeating every 10~20 sec.

Here are my config files and ifconfig (I cut out irrelevant info)

$ cat /etc/hostname.em1
inet XXX.XXX.XXX.81 255.255.255.248 NONE media autoselect

$ cat /etc/hostname.pppoe0
pppoedev em1
!/sbin/ifconfig em1 up
!/usr/sbin/spppcontrol \$if myauthproto=pap [EMAIL PROTECTED] myauthkey=SECRET
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
!/sbin/route add default XXX.XXX.XXX.80
up

$ ifconfig
lo0: flags=8049 mtu 33224
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
em1: flags=8843 mtu 1500
        address: 00:e0:81:24:f5:da
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet XXX.XXX.XXX.81 netmask 0xfff8 broadcast XXX.XXX.XXX.87
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
pppoe0: flags=8811 mtu 1492
        dev: em1 state: PADI sent
        sid: 0x0 PADI retries: 22 PADR retries: 0
        inet 0.0.0.0 --> 0.0.0.1 netmask 0x
        inet6 fe80::207:e9ff:fe10:bedc%pppoe0 -> prefixlen 64 scopeid 0xa

some more info:
-using stable branch of 3.7
-obviously my ISP uses PPPoE for authentication
-I have 5 static IP addresses XXX.XXX.XXX.81~86
-gateway to ISP is XXX.XXX.XXX.80, broadcast XXX.XXX.XXX.87
-ftth internet connection
em1 is going to be used as the WAN port with static IP XXX.XXX.XXX.81
em2 is not setup yet but will act as a bridge between em1 for static IPs
em3 is not setup yet but will be NAT interface for internal LAN

I still have a lot to configure to get it to work well but I need to get PPPoE working first so I can at least connect to the net. I have no clue as to why PPPoE is not working besides the possible myauthname problem. Any suggestions/help will be appreciated. I can post my dmesg if that would help. Thanks. Kory T
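An added log-triage helper (example code written for this page, not from the poster or from OpenBSD): it parses kernel pppoe(4) lines in the syslog format shown above and reports an interface whose PAP authentication keeps failing and being retried, the repeating pattern described in this post. A loop like this is worth alerting on because, from the log alone, a misconfigured myauthname and a rejected credential look identical. The sample lines and the year are constructed.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the poster's repeating /var/log/messages lines.
SAMPLE_LOG = """\
Sep 30 21:36:10 hostname /bsd: pppoe0: pap failure
Sep 30 21:36:10 hostname /bsd: pppoe0: phase terminate
Sep 30 21:36:10 hostname /bsd: pppoe0: phase dead
Sep 30 21:36:20 hostname /bsd: pppoe0: pap failure
Sep 30 21:36:20 hostname /bsd: pppoe0: phase terminate
Sep 30 21:36:20 hostname /bsd: pppoe0: phase dead
Sep 30 21:36:35 hostname /bsd: pppoe0: pap failure
Sep 30 21:36:35 hostname /bsd: pppoe0: phase terminate
Sep 30 21:36:35 hostname /bsd: pppoe0: phase dead
"""

# syslog timestamp, host, the kernel's "/bsd:" tag, interface name, message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /bsd: (\w+): (.+)$")

def parse_pppoe_events(text, year=2005):
    """Return [(timestamp, interface, message)] for kernel pppoe(4) log lines.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def auth_failure_loops(text, min_failures=3, max_gap=60):
    """Find interfaces stuck in a retry loop: at least min_failures PAP
    failures with no more than max_gap seconds between consecutive ones.
    Returns {ifname: (failure_count, mean_seconds_between_failures)}."""
    per_if = {}
    for ts, ifname, msg in parse_pppoe_events(text):
        if msg == "pap failure":
            per_if.setdefault(ifname, []).append(ts)
    loops = {}
    for ifname, stamps in per_if.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_failures, 2) and max(gaps) <= max_gap:
            loops[ifname] = (len(stamps), sum(gaps) / len(gaps))
    return loops
```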