ipsec ipcomp howto - OpenBSD 5.7
Configuring ipsec.conf with ipcomp seems to be more difficult than I thought. I enabled ipcomp:

# sysctl -a | grep ipcomp
net.inet.ipcomp.enable=1

ipcomp is enabled on both gateways. Here is ipsec.conf:

flow ipcomp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57

ike esp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57 \
        main auth hmac-sha2-256 enc 3des group modp1024 lifetime 86400 \
        quick auth hmac-sha2-256 enc 3des lifetime 86400 \
        psk f15490b4ebc2bfc41a9a009509c91ceb443547f6

My local LAN is 10.10.10.0/24, the remote LAN is 10.10.2.0/24.

# ipsecctl -s all
FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require

SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc
#

Any ideas? The documentation in man ipsec.conf has poor information about ipcomp, in my point of view.
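An added check, not part of the original post or of OpenBSD's own tooling, that parses "ipsecctl -s all" output and reports whether ipcomp is present both as a flow (policy) and as an SA (negotiated state); the sample output is constructed to mirror the post above, where only esp entries appear.

```shell
#!/bin/sh
# Added example (not from the original post): inspect ipsecctl(8) "-s all"
# output and report whether ipcomp flows and SAs were actually installed.
# SAMPLE is constructed to mirror the post: esp only, no ipcomp anywhere.
SAMPLE='FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require

SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc'

# count_proto SECTION PROTO: number of entries in SECTION (FLOWS or SAD)
# whose protocol is PROTO; ipsecctl output is read from stdin.
# Flow lines start "flow <proto> ...", SAD lines start "<proto> tunnel ...".
count_proto() {
    awk -v sec="$1" -v proto="$2" '
        /^[A-Z]+:$/ { cur = substr($0, 1, length($0) - 1); next }
        cur == sec && NF > 0 {
            p = (sec == "FLOWS") ? $2 : $1
            if (p == proto) n++
        }
        END { print n + 0 }'
}

# ipcomp_status OUTPUT: print counts and succeed only when ipcomp is present
# both as a flow (policy) and as an SA (negotiated state); a flow without an
# SA, or neither, means compression is not in effect despite the sysctl.
ipcomp_status() {
    flows=$(printf '%s\n' "$1" | count_proto FLOWS ipcomp)
    sas=$(printf '%s\n' "$1" | count_proto SAD ipcomp)
    printf 'ipcomp flows: %s, ipcomp SAs: %s\n' "$flows" "$sas"
    [ "$flows" -gt 0 ] && [ "$sas" -gt 0 ]
}

# Run against the constructed sample; on a gateway, feed "ipsecctl -s all"
# output into the same functions instead.
ipcomp_status "$SAMPLE" || echo "ipcomp not active on this gateway"
```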
client limit (100) reached, refusing connection from xx.xxx.x.26 OpenBSD 5.1
I see the following error in my firewall log:

client limit (100) reached, refusing connection from xx.xxx.x.26

(this IP is on the firewall interface facing the public)

proxy cannot connect to server xx.xxx.x.48: No route to host

Thanks,
_Motty
Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
Thank you for your suggestion. I already have connections to peers using isakmpd, and I am afraid to bring those connections down to switch over to ipsec.

On 07/11/2015 05:02 PM, carlos albino garcia grijalba wrote:
> use ipsec.conf the new configuration are simple i have connections
> from cisco peers and the only problem were using
> wrong credentials
>
> > Date: Fri, 10 Jul 2015 12:59:56 -0700
> > From: motty.c...@gmail.com
> > To: misc@openbsd.org; motty.c...@gmail.com
> > Subject: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
> >
> > Hello,
> >
> > I have a gateway machine OpenBSD 5.5 that won't initiate connection
> > to peer. The only way to establish VPN tunnel is if peer ping IP in my
> > subnet.
> >
> > in pf.conf
> >
> > IpsecClients="{ 173.16.2.20/32, 139.19.10.51/32 }"
> > IpsecHosts="{ 192.16.38.24/27 }"
> >
> > # IPSec VPN tunnel
> > pass in on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
> > pass in on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts
> >
> > isakmpd.conf
> >
> > [phase 1]
> > 139.19.10.51=           ISAKMP-peer-CORP1
> >
> > [phase 2]
> > connections=            IPsec-CORP1-DataCenter1
> >
> > # Phase 1 peers
> > ## CORP1
> > [ISAKMP-peer-CORP1]
> > Phase=                  1
> > Transport=              udp
> > Address=                139.19.10.51
> > Configuration=          Default-main-mode3
> > Authentication=         psecret
> >
> > # phase 2
> > [IPsec-CORP1-DataCenter1]
> > Phase=                  2
> > ISAKMP-peer=            ISAKMP-peer-CORP1
> > Configuration=          Default-quick-mode3
> > Local-ID=               Net-datacenter1
> > Remote-ID=              Net-corp1
> >
> > [IPsec-CORP1-DataCenter2]
> > Phase=                  2
> > ISAKMP-peer=            ISAKMP-peer-CORP1
> > Configuration=          Default-quick-mode3
> > Local-ID=               Net-datacenter2
> > Remote-ID=              Net-corp2
> >
> > any ideas?
OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
Hello,

I have a gateway machine OpenBSD 5.5 that won't initiate connection to peer. The only way to establish VPN tunnel is if peer ping IP in my subnet.

in pf.conf

IpsecClients="{ 173.16.2.20/32, 139.19.10.51/32 }"
IpsecHosts="{ 192.16.38.24/27 }"

# IPSec VPN tunnel
pass in on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
pass in on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts

isakmpd.conf

[phase 1]
139.19.10.51=           ISAKMP-peer-CORP1

[phase 2]
connections=            IPsec-CORP1-DataCenter1

# Phase 1 peers
## CORP1
[ISAKMP-peer-CORP1]
Phase=                  1
Transport=              udp
Address=                139.19.10.51
Configuration=          Default-main-mode3
Authentication=         psecret

# phase 2
[IPsec-CORP1-DataCenter1]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-CORP1
Configuration=          Default-quick-mode3
Local-ID=               Net-datacenter1
Remote-ID=              Net-corp1

[IPsec-CORP1-DataCenter2]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-CORP1
Configuration=          Default-quick-mode3
Local-ID=               Net-datacenter2
Remote-ID=              Net-corp2

any ideas?
bgp sending community string
Trying to send a community string to our neighbor. Here is my configuration:

# ISP peer 1 announcements only #
neighbor 19.25.16.13 {
        remote-as 7X32
        descr "level1"
        announce all
        set community 7X32:100
        tcp md5sig password "passwd2"
}

Here is how our neighbor sees my router:

KRT in-kernel 19.16.16.0/22 -> {19.25.16.14}
  Page 0 idx 0 Type 1 val a4e65a0
  Nexthop: 19.25.16.14
  MED: 0
  Localpref: 300
  AS path: [3XX2] 2XX1 2XX1 2XX1 2XX1 I
  Communities: 3xx2:2900

I want "localpref" to be much lower for them. They have configured the "community string" on their side; however, we're not sending that string. I believe my syntax may be wrong. Any ideas?

Thanks,
"route show" does not show routes announce by BGP on OpenBSD 5.5 i386
Running the command "route show" does not get the full internet routing table as I should. However, if I run "bgpctl show rib" I get the full routing table. The router is routing packets fine; however, I am concerned that something may be wrong. Any explanation as to why this is happening?

# bgpctl show
Neighbor        AS      MsgRcvd MsgSent  OutQ Up/Down  State/PrfRcvd
level2          7X32     100853     278     0 02:17:31 532191
level1          7X32        300     278     0 02:17:16      1
gateway2        22X8        274     272     0 02:15:01      1
gateway1        22X8        274     272     0 02:15:01      1

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs     Use   Mtu  Prio Iface
default            19.25.16.13        UGS        1    8485     -     8 em0
19.25.16.12/30     link#1             UC         1       0     -     4 em0
19.25.16.13        2c:6b:f5:a4:df:40  UHLc       2     583     -     4 em0
127/8              127.0.0.1          UGRS       0       0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         1       0 33192     4 lo0
19.16.26/24        199.96.38.85       UGS        0  882702     -     8 em1

Thanks,
help! BGP receive updates from one peer and broadcast to a different peer - OpenBSD 5.5
Hello,

My company is getting another Internet connection. Our new ISP asks that we set up bgp to peer with one of their routers to receive updates and peer with another router to broadcast our routes. ISP gave us the following setup example:

My question is how would this setup be done in OpenBSD 5.5 bgpd.conf.

Thanks
Motty
Re: OpenBSD 5.5 ISAKMPD
Hello All,

It is actually OpenBSD 4.8, not OpenBSD 5.5; I apologize for the mistake. I still get the exchange_run: doi->initiator error, not even sure what to look for.

Thanks,
Motty

On 01/16/2015 01:16 PM, mxb wrote:
Hey,

You probably want to start with ipsec.conf(5). isakmpd.conf is generated out of ipsec.conf. I think people running 5.4+ don't even use it any more.

Br
//mxb

On 16 jan 2015, at 21:22, Motty Cruz wrote:
Hello All,

I'm trying to set up an IPSec Tunnel using the following parameters.

Phase 1 exchange
encryption: AES256
Data Integrity: SHA256
DH: group 20
Aggressive Mode

phase 2
encryption: AESGCM256
HASH: SHA384

I can't find examples to configure isakmpd.conf using the parameters above.

[fw2-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA2-GRP20

[fw2-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AESGCM-SHA2-SUITE

[QM-ESP-AESGCM-256-SHA2-SUITE]
TRANSFORM_ID=           AESGCM
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA2
GROUP_DESCRIPTION=      EC_384
Life=                   LIFE_3600_SECS

Using this configuration I get the following error:
isakmpd[30247]: exchange_run: doi->initiato

Thanks in advance,
-Motty
Re: OpenBSD 5.5 ISAKMPD
Thanks Br,

I tried it, but it did not generate isakmpd for me. Do you have any idea of what "exchange_run: doi->initiator" means?

Thanks,
Motty

On 01/16/2015 01:16 PM, mxb wrote:
Hey,

You probably want to start with ipsec.conf(5). isakmpd.conf is generated out of ipsec.conf. I think people running 5.4+ don't even use it any more.

Br
//mxb

On 16 jan 2015, at 21:22, Motty Cruz wrote:
Hello All,

I'm trying to set up an IPSec Tunnel using the following parameters.

Phase 1 exchange
encryption: AES256
Data Integrity: SHA256
DH: group 20
Aggressive Mode

phase 2
encryption: AESGCM256
HASH: SHA384

I can't find examples to configure isakmpd.conf using the parameters above.

[fw2-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA2-GRP20

[fw2-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AESGCM-SHA2-SUITE

[QM-ESP-AESGCM-256-SHA2-SUITE]
TRANSFORM_ID=           AESGCM
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA2
GROUP_DESCRIPTION=      EC_384
Life=                   LIFE_3600_SECS

Using this configuration I get the following error:
isakmpd[30247]: exchange_run: doi->initiato

Thanks in advance,
-Motty
OpenBSD 5.5 ISAKMPD
Hello All,

I'm trying to set up an IPSec Tunnel using the following parameters.

Phase 1 exchange
encryption: AES256
Data Integrity: SHA256
DH: group 20
Aggressive Mode

phase 2
encryption: AESGCM256
HASH: SHA384

I can't find examples to configure isakmpd.conf using the parameters above.

[fw2-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA2-GRP20

[fw2-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AESGCM-SHA2-SUITE

[QM-ESP-AESGCM-256-SHA2-SUITE]
TRANSFORM_ID=           AESGCM
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA2
GROUP_DESCRIPTION=      EC_384
Life=                   LIFE_3600_SECS

Using this configuration I get the following error:
isakmpd[30247]: exchange_run: doi->initiato

Thanks in advance,
-Motty
Re: Packet Filter router i386 vs 64bit
Thank you Juan, I appreciate your suggestions and advice. I am planning on using a dual socket B2 (LGA 1356) board that supports the Intel® Xeon® processor E5-2400 v2; I suppose i386 would perform better than a 64bit amd processor.

Thank you again!

Thanks,
Motty

On 11/25/2014 03:01 PM, Juan J. Fernandez wrote:
Greetings Motty Cruz,

In general, you could achieve performance by configuring your kernel according to your hardware. You can use dmesg(8) and the 'GENERIC' kernel configuration as a guide for your hardware. Sometimes i386 will run faster than 64 bit (see http://www.openbsd.org/amd64.html).

Juan J. Fernandez

On 11/25/14 16:52, Motty Cruz wrote:
Hello all,

I am searching for hardware to build a router with OpenBSD. I have found mixed signals as to the fastest system, i386 or 64bit. I know in the past i386 OpenBSD used to perform a lot better than a 64bit system. Any suggestions!

Thanks,
Motty
Packet Filter router i386 vs 64bit
Hello all,

I am searching for hardware to build a router with OpenBSD. I have found mixed signals as to the fastest system, i386 or 64bit. I know in the past i386 OpenBSD used to perform a lot better than a 64bit system. Any suggestions!

Thanks,
Motty
Re: reload isakmpd
Thank you all, I used these commands:

ps aux
kill 29309
kill 7908
ps aux
isakmpd -S
sasyncd

Thanks,

On Fri, Jul 25, 2014 at 8:29 AM, Reyk Floeter wrote:
> On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
> > Hello, how to reload configuration without restarting isakmpd?
> >
> > Thanks,
> >
>
> Have a look at THE FIFO USER INTERFACE in isakmpd(8):
>
> NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will
> void any updates done to the configuration.
>
> You can also try to SIGHUP and re-run ipsecctl afterwards.
>
> Good luck!
>
> Reyk
reload isakmpd
Hello, how to reload configuration without restarting isakmpd?

Thanks,