HD OpenBSD Artwork
Is there somewhere to get higher resolution OpenBSD artwork? I see the stuff on the website, and it's great, but on my 8k screen it's kind of like a postage stamp in the middle. Do higher-res copies exist somewhere? Can they be made available? Cheers!
troubleshooting shrew vpn client with ipsec.conf
I am converting over to ipsec.conf from isakmpd.conf|policy. I have a default VPN configuration to allow people from their home PC to access. Under isakmpd.conf it works perfectly well. I can use any number of settings, including the desired aes-256 for both phase 1 and phase 2. My isakmpd.conf sections:

[Phase 1]
Default=ISAKMP-peer-default
61.62.63.64= ISAKMP-peer-default
Passive-Connections=IPsec-default

[ISAKMP-peer-default]
Phase= 1
Transport= udp
Local-address= 61.62.63.64
Configuration= AES-main-mode
Authentication= redacted

[IPsec-default]
Phase= 2
ISAKMP-peer=ISAKMP-peer-default
Configuration= Default-quick-mode
Local-ID= Net-corp

[Net-corp]
ID-type=IPV4_ADDR_SUBNET
Network=10.10.10.0
Netmask=255.255.255.0

[AES-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

I put the following into my ipsec.conf:

ike dynamic from any to 10.10.10.0/24 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk redacted

I've tried changing the settings to hmac-sha2-256 and aes-256, I've tried changing the client settings to everything from auto through 128, 192 & 256. Nothing seems to work. The debug when I try to connect does show phase 1 done, but later says it's been told to delete the session. See below. It does not seem to matter what settings I change in the VPN client config, I cannot get it to maintain this connection. What is the difference between the ipsec.conf and isakmpd.conf tunnels? What is telling isakmpd to delete this SA?
040442.728781 Exch 10 exchange_finalize: phase 1 done: initiator id 192.168.1.9, responder id fw.example.com, src: 61.62.63.64 dst: 43.100.100.77
040442.728808 Timr 10 timer_add_event: event sa_soft_expire(0x8b057000) added last, expiration in 74131s
040442.728819 SA 80 sa_reference: SA 0x8b057000 now has 5 references
040442.728838 Timr 10 timer_add_event: event sa_hard_expire(0x8b057000) added last, expiration in 86400s
040442.728849 SA 80 sa_reference: SA 0x8b057000 now has 6 references
040442.728861 SA 80 sa_release: SA 0x8b057000 had 6 references
040442.770769 Trpt 70 transport_setup: added 0x87a3c0c0 to transport list
040442.770808 Trpt 70 transport_setup: added 0x87a3c1c0 to transport list
040442.770821 Trpt 50 virtual_clone: old 0x89f49e40 new 0x87a3c2c0 (main is 0x87a3c0c0)
040442.770832 Trpt 70 transport_setup: virtual transport 0x87a3c2c0
040442.770846 Mesg 90 message_alloc: allocated 0x86887100
040442.770858 Mesg 70 message_recv: message 0x86887100
040442.770871 Mesg 70 ICOOKIE: 864ee9d5f19da22f
040442.770885 Mesg 70 RCOOKIE: db55da1a362c3ba3
040442.770896 Mesg 70 NEXT_PAYLOAD: HASH
040442.770909 Mesg 70 VERSION: 16
040442.770920 Mesg 70 EXCH_TYPE: INFO
040442.770931 Mesg 70 FLAGS: [ ENC ]
040442.770943 Mesg 70 MESSAGE_ID: f09ac655
040442.770954 Mesg 70 LENGTH: 92
040442.770978 Mesg 70 message_recv: 864ee9d5 f19da22f db55da1a 362c3ba3 08100501 f09ac655 005c 2cf32098
040442.771002 Mesg 70 message_recv: df99aee4 72eb2103 30579627 a79aac92 3029017f 53433540 0af8aaea 2e464200
040442.771024 Mesg 70 message_recv: fa2d9ad3 1b156485 b4bcf4f2 4befc80a 68c3a13d 07a57a34 cbbfe575
040442.771036 SA 80 sa_reference: SA 0x8b057000 now has 6 references
040442.771053 Cryp 60 hash_get: requested algorithm 1
040442.771063 Cryp 80 ipsec_get_keystate: final phase 1 IV:
040442.771079 Cryp 80 e1859bae f2a4943b 98d51085 c2d0d538
040442.771089 Cryp 80 ipsec_get_keystate: message ID:
040442.771100 Cryp 80 f09ac655
040442.771117 Cryp 50 crypto_init_iv: initialized IV:
040442.771134 Cryp 50 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771144 Cryp 80 ipsec_get_keystate: phase 2 IV:
040442.771161 Cryp 80 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771171 Cryp 70 crypto_decrypt: before decryption:
040442.771194 Cryp 70 2cf32098 df99aee4 72eb2103 30579627 a79aac92 3029017f 53433540 0af8aaea
040442.771217 Cryp 70 2e464200 fa2d9ad3 1b156485 b4bcf4f2 4befc80a 68c3a13d 07a57a34 cbbfe575
040442.771231 Cryp 70 crypto_decrypt: after decryption:
040442.771255 Cryp 70 0c18 9d93aa16 924a5147 05435224 1f50245c 6bb1cfe2 001c 0001
040442.771279 Cryp 70 0111 864ee9d5 f19da22f db55da1a 362c3ba3
040442.771291 Mesg 50 message_parse_payloads: offset 28 payload HASH
040442.771303 Mesg 50 message_parse_payloads: offset 52 payload DELETE
040442.771316 Mesg 60 message_validate_payloads: payload HASH at 0x8688779c of message 0x86887100
040442.771326 Mesg 70 DATA:
040442.771337 Cryp 60 hash_get: requested algorithm 1
040442.771347 Misc 90 message_validate_hash: SKEYID_a:
040442.771365 Misc 90 540cb39d 7776c123 4049eda1 7ad1f6d
need help converting to ipsec.conf
Hi, I am converting a bunch of VPNs from my isakmpd.[conf|policy] files to ipsec.conf, mostly because it seems they're deprecated, but partly because I saw an old thread that spoke of functionality I want to explore. I figured I should work through them one by one. I got my own VPN from one site to another working fine, after I figured out that ipsec.conf doesn't handle a space in the psk. The next one is a site-to-site VPN from a client. They are using (I think) a Juniper device to terminate, with the following settings:

Client side:
IP Address: 10.10.10.66
Peer: 10.100.1.66
Phase1
DH Group 1
Encryption: AES-256
Authentication: SHA1
Lifetime: 28800 seconds
Phase2
DH Group 2
Encryption: AES-256
Authentication: SHA1
Lifetime: 3600 seconds
Preshared Key: Changed
PFS: enabled

So. I put into my ipsec.conf:

ike esp from 172.18.18.0/24 to 172.20.20.0/24 \
    local 10.100.1.66 peer 10.10.10.66 \
    #main auth hmac-md5 enc aes-256 group modp768 \
    #main auth hmac-sha1 enc aes-256 group modp768 \
    main auth hmac-sha1 enc aes group modp768 \
    quick auth hmac-sha1 enc aes-256 group modp768 \
    srcid ca...@fw0.example.com \
    psk Changed

Then I start up isakmpd and dump debug to a file and I get weird messages.

# cat ipsec.log | grep unac
044235.728559 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
044255.325011 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
044315.878550 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
044315.878641 Default attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA

As soon as I switch back to my beloved isakmpd.conf (was its syntax really so complicated?) it comes back up instantly. Why is ipsec expecting 3DES_CBC? There is no reference to 3des in my config... Why is it expecting MODP_1024? Or RSA_SIG? Where is it getting MD5 from? Changing the hash to md5 doesn't seem to make any difference. :( And finally...
Does ipsec.conf still parse the policy file to secure the connections? Is there a better way? Or am I wrong in thinking this was a good thing to do? TIA nuffi
Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
On 23 April 2011 16:08, Devin Reade wrote:
> Benny Lofgren wrote:
>
>> On 2011-04-21 22.27, P. Pruett wrote:
>>> how about "donate"
>> [snip]
>
>> The reason for my initial suggestion, which was along the lines Rafal whom
>> you commented also thought, was that a donation *ISN'T A FUCKING OPTION*
>> where I and others live.
>
> The other thing is that, based on Theo's 18 April post, funds from
> donations (or going to the openbsd foundation) don't go into the same
> bucket as funds from CD sales. If I'm interested in putting my funds
> into the CD bucket, donations and contributions to the foundation
> don't get me there.
>
> Question, Theo:
>
> If I was to say the following, would it work without causing an
> unacceptable amount of work?
>
> "My company wants to pay you to develop or fix (where
> is already on the short list of what is planned for the next release).
> It is worth to us. If you're interested, send us an invoice
> (from either you personally or your corporation or other business
> entity) in some readily machine readable format (text file,
> spread sheet, pdf, it doesn't matter) that lists the amount
> and the feature. We'll send you the check immediately, and consider
> the deliverable complete when the *initial* version is committed."
>
> That deliverable is intended to be unobtrusive. It doesn't say
> that it *must* be in the next release. It also doesn't imply
> any sort of user acceptance test or support requirement. It allows
> for the possibility for you to pass the funds along and have
> another developer implement it. It is similar to other open
> source projects where a company might put up a bounty to have a
> certain feature implemented (other than in those cases, it is open to
> whomever grabs it first).

I have a different suggestion, which is simpler and would work for the corporate that I work for. Is it possible that the invoice generated by the sale of goodies from the website could be simplified and generic?

I can get budget for a bunch of items from the store each release time, but it isn't possible to justify more than one CD set, and totally impossible to convince the CFO to spring for posters or shirts. But if the invoice simply said something like "OpenBSD Goods and Services: $283.77", it would be paid without question. And then I could get whatever CD sets, books, posters or donations I planned when I got them to set the cash aside in the annual budget. And... I guess it would be some work, but shouldn't be much. And for the guys that still want to get the detailed and itemised invoice, then a simple tick box to select the preferred invoice would be pretty simple. More work still, but again not much. I'd be *very* happy to volunteer to do said work if it was something people didn't think was stupid.
Mail how-to sans mysql
Hi, I am wanting to set up a pretty basic mail server with postfix, and figure that setting up a database backend is overkill. All the most excellent docs I've found on the internet incorporate MySQL setup. Can someone link me to a guide that does this without MySQL? The most clear and comprehensive guide I've found is the one by Daniele Mazzocchio hosted on kernelpanic. Is setting up a mail server with MySQL as simple as omitting the MySQL steps? TIA nuffi
Re: 4.6 arriving
>> Nope, not at all. It was just an idea tossed out to:
>> - see if it had any merit
>> - perhaps spark some other thoughts on how to increase CD purchases
>> - or to get flamed
>>
>> It's obvious which one you chose.
>
> I don't believe you. You suggested it because you only thought of
> your own benefit, not of the amount of work others would have to do.

Perhaps not everyone who uses OpenBSD has your depth of understanding of all these processes, Theo. You're obviously intimately acquainted with them, but it is possible Rod might not have been. You make very salient points about the suggestion being completely unfeasible, but it seems quite possible that Rod thought he was making a simple suggestion to solve a perceived problem. Reading between the lines, it seems likely that Rod is also a subscriber to the disc set and might perhaps feel a little taken aback at the vehemence of the response. And yes, it might be that he's just some schmoe with a mate who's gonna give him this password he's suggesting... But to assume that would also assume a much greater depth of thought than you've otherwise attributed.
Hardware recommendations please
Hey there. My firewalls are getting old, so I thought it would be a great idea to replace them. I figured that a budget of around $1500 would be more than adequate, but because no one makes mobos with 5 PCI slots anymore I am struggling to get these under $2800. I have requirements for 6 legs plus the CARP sync (which I could do with a USB nowadays, so that means just 6). The rest of the system is relatively undemanding, so 4 gig RAM is overkill, and it doesn't require huge CPU grunt either. It would be great if I could fit it into a small form-factor case to save rackspace, but this isn't worth $2k to me. Please recommend a mobo/NIC combo that would fit within the budget! TIA nuffi
Re: How to NAT a site-site VPN tunnel
I found another thread in French (I think, I am not good with French) with a link that looks promising: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html I will check out that solution and let you know if I still have problems.
Re: How to NAT a site-site VPN tunnel
2008/11/12 Mitja Mušenič <[EMAIL PROTECTED]>:
> If you control the target box, the simplest solution by far is to assign a
> deconflicting alias address to it and then establish the VPN tunnel between
> the 3rd party site and this alias address of yours. Everybody will be
> accessing through the original address except for the problematic site, they
> will use the alias.
>
> There are tricks with nat on ipsec but they are very hard to configure
> right.

I have full control over the local OBSD server and the internal network; however, the address assigned to the box in question is pretty entrenched and so it isn't really possible to change its address. :( I am not completely without clue, and am willing to get deeper into the configs in question. I should probably point out that I am still using the older style isakmpd.[conf,policy] files at this time, but I believe that my problem lies within the pf.conf file. I think I need to do something like

nat on rl2 from 172.20.20.123/32 to $client_network -> enc0

but that doesn't seem to work for me.
How to NAT a site-site VPN tunnel
Hi, For ages now I've had a site-to-site VPN configured between my OBSD server and a 3rd party client network. Thing is, they're accessing a box which has an RFC 1918 reserved address that they now want to use in their own network. I have a few other clients with other VPNs to the same address, so I need to configure this NAT purely for this one client (for now). I probably should have been natting this all along, but I am not sure how to go about doing so. The how-to pages I've found (e.g. http://www.openbsdsupport.org/vpn-ipsec.html) don't talk about it, and I can't see how to do so in the man pages either. Any hints, suggestions and help will be greatly appreciated! TIA nuffi
Hardware recommendation request
Hi, I read the thread that popped up a few months back, and the consensus was to buy a Dell or buy a switch and make VLANs, but neither of these options are suitable for my requirements. I presently have a pair of Intel Servers with 6 pci NICs plus one on board running as a clustered firewall. These are getting old, and I want to replace them. Only thing is, I am finding it impossible to find anyone who makes mobos with enough pci slots. Can anyone recommend a mobo that does? Or recommend dual port nics that I can use instead of my current intel nics? I am happy with getting individual components and putting something together, just need to know what components. TIA nuffi
VPN troubleshooting help request.
Hi, a client with a Cisco device is attempting to set up a VPN to my OBSD 4.3 firewall. Phase 1 is okay, but phase 2 fails. It says it fails the policy check. But... Checking through everything in the policy against the debug, it seems like it conforms to the policy to me. Are there other things that might cause it to fail the policy check? The policy entry has matches for everything in it within this negotiation. I sure would appreciate it if you could help me figure out what it doesn't like about my policy. TIA nuffi

Debug output looks like this:

194907.101644 Plcy 40 check_policy: adding authorizer [passphrase:123456789]
194907.101668 Plcy 40 check_policy: adding authorizer [passphrase-md5-hex:edb0afdb2eb73b1efb437dc6778bdfcf]
194907.101684 Plcy 40 check_policy: adding authorizer [passphrase-sha1-hex:ca6920eca6f25ec15bc7718e1ac4f03aa6f00a38]
194907.102199 Plcy 80 Policy context (action attributes):
194907.10 Plcy 80 esp_present == yes
194907.102235 Plcy 80 ah_present == no
194907.102248 Plcy 80 comp_present == no
194907.102259 Plcy 80 ah_hash_alg ==
194907.102271 Plcy 80 esp_enc_alg == 3des
194907.102283 Plcy 80 comp_alg ==
194907.102295 Plcy 80 ah_auth_alg ==
194907.102307 Plcy 80 esp_auth_alg == hmac-md5
194907.102318 Plcy 80 ah_life_seconds ==
194907.102330 Plcy 80 ah_life_kbytes ==
194907.102342 Plcy 80 esp_life_seconds == 1200
194907.102353 Plcy 80 esp_life_kbytes ==
194907.102365 Plcy 80 comp_life_seconds ==
194907.102377 Plcy 80 comp_life_kbytes ==
194907.102389 Plcy 80 ah_encapsulation ==
194907.102400 Plcy 80 esp_encapsulation == tunnel
194907.102413 Plcy 80 comp_encapsulation ==
194907.102425 Plcy 80 comp_dict_size ==
194907.102436 Plcy 80 comp_private_alg ==
194907.102448 Plcy 80 ah_key_length ==
194907.102460 Plcy 80 ah_key_rounds ==
194907.102472 Plcy 80 esp_key_length ==
194907.102483 Plcy 80 esp_key_rounds ==
194907.102495 Plcy 80 ah_group_desc ==
194907.102507 Plcy 80 esp_group_desc == 2
194907.102519 Plcy 80 comp_group_desc ==
194907.102531 Plcy 80 ah_ecn == no
194907.102543 Plcy 80 esp_ecn == no
194907.102555 Plcy 80 comp_ecn == no
194907.102567 Plcy 80 remote_filter_type == IPv4 address
194907.102579 Plcy 80 remote_filter_addr_upper == 010.005.010.022
194907.102591 Plcy 80 remote_filter_addr_lower == 010.005.010.022
194907.102604 Plcy 80 remote_filter == 010.005.010.022
194907.102616 Plcy 80 remote_filter_port == 0
194907.102628 Plcy 80 remote_filter_proto == 0
194907.102640 Plcy 80 local_filter_type == IPv4 address
194907.102652 Plcy 80 local_filter_addr_upper == 192.168.020.217
194907.102664 Plcy 80 local_filter_addr_lower == 192.168.020.217
194907.102676 Plcy 80 local_filter == 172.030.020.217
194907.102688 Plcy 80 local_filter_port == 0
194907.102700 Plcy 80 local_filter_proto == 0
194907.102713 Plcy 80 remote_id_type == IPv4 address
194907.102725 Plcy 80 remote_id_addr_upper == 195.022.200.170
194907.102738 Plcy 80 remote_id_addr_lower == 195.022.200.170
194907.102750 Plcy 80 remote_id == 195.022.200.170
194907.102762 Plcy 80 remote_id_port == 500
194907.102774 Plcy 80 remote_id_proto == udp
194907.102804 Plcy 80 remote_negotiation_address == 195.022.200.170
194907.102818 Plcy 80 local_negotiation_address == 200.022.100.170
194907.102830 Plcy 80 pfs == yes
194907.102842 Plcy 80 initiator == yes
194907.102854 Plcy 80 phase1_group_desc == 2
194907.103881 Plcy 40 check_policy: kn_do_query returned 0
194907.104093 Default check_policy: negotiated SA failed policy check
194907.104123 Default dropped message from 195.022.200.170 port 500 due to notification type NO_PROPOSAL_CHOSEN

The policy entry looks like this:

Comment: # Comment: Cisco box
Authorizer: "POLICY"
Licensees: Comment:"passphrase:properpassphrase" "passphrase:123456789"
Conditions: app_domain == "IPsec policy" &&
    doi == "ipsec" &&
    remote_negotiation_address == "195.022.200.170" &&
    esp_present == "yes" &&
    esp_enc_alg == "3des" &&
    esp_auth_alg == "hmac-md5" &&
    local_filter_type == "IPv4 address" &&
    ( local_filter == "192.168.020.217" ) &&
    remote_filter_type == "IPv4 address" &&
    ( remote_filter == "010.005.010.022" ) -> "true";
Re: PF Congestion and state table question
2008/5/9 Thomas Althoff <[EMAIL PROTECTED]>:
> I don't recall Henning's rule, search the archive something like X times
> your number of nics.

I completely misread this to mean "Henning's rule of misc is: search the archive X times your number of nics before posting your question."
Re: Need help with wordpress install. (resolved)
Yup. So it was me being dumb. Needed to add permissions for the www user to the database. Amazing what you can't accomplish after an 18 hour day, and even more amazing how the answer is obvious after a sleep. :-) Thanks for the responses!! Nuffi
Re: Need help with wordpress install.
On 04/11/2007, James <[EMAIL PROTECTED]> wrote:
> Just thought of something else, too.
>
> are you using an install of apache from ports, or the default version in
> OpenBSD? Because the default version is chrooted, so you may need to install
> a bunch of stuff in the chroot environment, or turn off the chroot and lose
> its security features.

Thanks for the reply. I'm just using the default apache in obsd 4.2. I've tried switching chroot() off in rc.conf, but it seems to make no difference. :(

> I installed wordpress on OpenBSD entirely following the steps here:
>
> http://codex.wordpress.org/Installing_WordPress
>
> What step are you on?

I am up to this step: Run the WordPress installation script by accessing wp-admin/install.php in your favorite web browser. It is when I put that URL into a browser that I get shown that error. Thanks for the help. Nuffi
Need help with wordpress install.
Hi. I am getting an error when I try to run the wordpress wp-admin/install.php script:

Your PHP installation appears to be missing the MySQL which is required for WordPress.

This is OpenBSD 4.2 with:

mysql-client-5.0.45    multithreaded SQL database (client)
mysql-server-5.0.45    multithreaded SQL database (server)
p5-DBD-mysql-3.0008    MySQL drivers for the Perl DBI
p5-DBI-1.53            unified perl interface for database access
p5-Net-Daemon-0.39     extension for portable daemons
p5-PlRPC-0.2018p0      module for writing rpc servers and clients
php5-core-5.2.3        server-side HTML-embedded scripting language
php5-extensions-5.2.3  informational package about PHP5 extensions
php5-mysql-5.2.3       mysql database access extensions for php5
php5-mysqli-5.2.3      mysql database access extensions for php5

I have created a blank mysql database, and given it a password. MySQL starts on boot fine, and I can use mysqladmin to my heart's content. I used phpxs to load php5-mysqli (and php5-mysql, after I got desperate). Loading a phptest.php file on the webserver demonstrates that php is working just fine. I have configured the wp-config.php file to point to the database that I have created. I even specified the mysql.default.port = 3306 in the php.ini file after I found someone fixed their problem by doing this on a fedora system. I am sure (well, I am hoping!) that there is something obvious and dumb that I've overlooked. Or that I didn't find documented, but that some of the genii in misc can help me with. TIA nuffi
Re: Can isakmpd based VPN's work with FreeBSD
On 28/01/07, stan <[EMAIL PROTECTED]> wrote:
> I've just worked through getting IP, and bridge tunneling working using
> ipsecctl, and isakmpd. One of the places I would like to use this has an
> existing FreeBSD machine at one end. Can OpenBSD interoperate with FreeBSD
> in this context?

Certainly. I've configured OpenBSD isakmpd to work with FreeBSD in the past, as well as Checkpoint, Cisco Pix, Nokia, several different VPN concentrator devices, etc. If you're having a specific problem, please post more details so that someone might be able to help. If you're just curious about its compatibility, it is an excellent choice. HTH nuffi
why the shift from isakmpd.conf?
Hi... I have recently started using OpenBSD, and one of the things that I liked most about it was the ease with which I got my VPN tunnels working with isakmpd. I've learnt in the past few weeks that the use of isakmpd is being deprecated in favour of ipsec. What were the reasons that led to this decision? How long will I still be able to use isakmpd? What are the advantages that ipsec has over isakmpd? Will I still be able to configure custom policies when the defaults aren't appropriate? TIA Nuffnough
Re: ip not forwarding after 4.0 rebuild.
On 14/11/06, Bob DeBolt <[EMAIL PROTECTED]> wrote:
> On Monday 13 November 2006 7:53 pm, you wrote:
>> But I don't know what I need to do differently to change the
>> situations.
>
> Is pf enabled and blocking perhaps?

Thanks for everyone's help. It must have been something weird (like my brain at 5 in the morning). I've rebuilt the system now and it is working great.
Re: ip not forwarding after 4.0 rebuild.
On 14/11/06, Pierre Lamy <[EMAIL PROTECTED]> wrote:
> You got link on the interface? Even if you do maybe the cable is bad.

I can ssh into the system using the local interface IP. Once there I can ping devices on all the networks, including the internet. Problem is that no device on Network A can ping any device on Network A, but cannot ping anything outside. tcpdump traffic of any attempt to ping shows the traffic arriving on the interface local to the device that is pinging, but no traffic is seen on the interface that is local to the destination device. It isn't the cable. I understand that this is odd, that is why I am turning to the list for help. The setting to allow forwarding is turned on, sysctl shows the kernel knows this, but still packets are not being forwarded. I will try another rebuild next, because that doesn't take much time. But I don't know what I need to do differently to change the situation. Thanks for the reply. nuffnough.
ip not forwarding after 4.0 rebuild.
I've been running 3.9 in a CARP pair for my firewalls. So I upgrade the box (well, rebuild it from scratch using the new CD), and things seem fine on the first log in. I fix up all the config files, so that all the 3.9 settings are in place, and make sure to pay attention to the settings that are new (like ipsec=NO in rc.conf). I test a failover and find that the interfaces are failing over individually. So I check the sysctl.conf setting for carp preempt and it is set to 1, which is good. But also a bit confusing. A little more investigation and I find the system isn't forwarding packets at all. Despite the setting in sysctl.conf, and also in the kernel according to the sysctl command. Check the following console output:

# uname -a
OpenBSD nuffi.nough.com 4.0 GENERIC#1107 i386
# date
Tue Nov 14 02:01:52 EST 2006
# tcpdump -nettt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel
# date
Tue Nov 14 02:03:29 EST 2006
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
# sysctl net.inet.ip.forwarding=0
net.inet.ip.forwarding: 1 -> 0
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# cat /etc/sysctl.conf | grep forward | grep -v 6
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
# sysctl net.inet.carp.preempt
net.inet.carp.preempt=1

tcpdump shows the phase 2 VPN traffic coming back into the box from the peers on the external interface, but none are properly established. I thought that the only thing that I needed to turn on for packet forwarding was that setting in sysctl.conf... Is there something that I am missing? If a system you'd built was doing this, what would you do next? TIA Nuffnough
Re: Troubles trying to configure non-default VPN
On 11/9/06, jared r r spiegel <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 08, 2006 at 07:50:46AM +1100, nuffnough wrote:
>> I have an OpenBSD 3.9 box and I've been asked to configure it to
>> terminate a VPN using AES-256 encryption with SHA authentication, DH Group 5 (rather
>> than the default group 2) and a lifetime of one day. I configured my
>> isakmpd.conf file like this:
>
> if you've any interest in trying to use ipsecctl, and if you have other
> machines on 4.0 or -current, i was entirely 100% successful ( 'was' as
> now the 3.9 boxes this applied to are 4.0 ) with using ipsecctl from
> a late -current on 3.9 machines.

Upgrades will go ahead over the coming weekend. My disks finally arrived! (It is a bummer living in Asia sometimes. Everything goes slower.)

> the ipsecctl in 3.9-REL was a bit less robust in what it understood in the
> config file, compared to 4.0.
>
> at worst, you could run it with lots of -v and then eyeball the FIFO commands
> it does and then write up an isakmpd.conf around that.
>
> but ipsecctl aside:
>
>> **
>> [Phase 1]
>> Default=ISAKMP-peer-default
>> 10.1.2.138= ISAKMP-peer-xx
>>
>> [Phase 2]
>> Connections=IPsec-xx1-rl1-2, IPsec-xx1-rl1-3
>>
>> [ISAKMP-peer-xx]
> <...>
>> [IPsec-xx1-rl1-2]
>> Phase= 2
>> ISAKMP-peer=ISAKMP-peer-xx
>
> is -bp == -xx ?

Yes. Sorry about that.

>> What ended up happening was that my end was initiating the tunnel using
>> AES-128, and a lifetime of 1 hour (the default configuration as indicated
>> in the man page).
>>
>> I defined my own Transform ...
> <...>
>> My understanding from reading the man page is that is the syntax I need to
>> use. It also means that we should be attempting to send a 256 bit key
>> length with a lifetime of 1 day (86400 seconds) whenever we're initiating
>> the tunnel. Also, MODP_1536 should be correct for DH Group 5. Please let
>> me know if I am wrong here.
>
> yup, 1536 is 5

Thanks for the confirmation.

> if it helps diagnose stuff for you, this doesn't catch _everything_, but
> it helped me a great deal with filtering out too much verboseness in the
> majority of my debug fricking with isakmpd:
>
> $ sudo /sbin/isakmpd -dDA=0 -D2=50 -D5=50 -D7=50 -D8=40 -D9=30

awesome. I've just been using -DA=99 and getting lost. :-)

>> What actually happened was that my box stopped trying to initiate the
>> tunnel. With the old configuration I was getting a packet exchange every
>> couple of minutes.
>
> was that perhaps because it was always unsuccessful and was just
> retrying?,

When I say stopped making any attempt, perhaps I should have been clearer. Prior to the change I was seeing two ipsec packets every two minutes. I forget what they were now. After I made the change, I saw none. This was using

tcpdump -netttl -i rl0 | grep 10.1.2.138

> or did everything get established and you made it out the other side of
> phase-2 OK, but the actual parameters used were simply not the ones
> desired?

No, phase one. Just a packet to initiate, then a packet back to say that the far end doesn't like me. Debug on the other end indicated that when my end initiates, it does it with 128bit key length and a lifetime of one hour. Of course, I didn't have the brilliant idea of just setting my end up as passive, to make sure that the other end initiates. The required parameters fall within the ranges of the default AES-SHA config.

> after they go through phase-1 and make it through phase-2, they ( the
> isakmpd processes, or at least your isakmpd and whatever the other side
> is ) should be /relatively/ quiet.

Yep. Also, typically once phase-1 is established, phase-2 problems are relatively trivial. And mostly just problems with my policy file.

>> After I made this change all my other VPNs came up as
>> usual but there was no traffic at all relating to this tunnel.
>>
>> Is my syntax incorrect?
>
> without running it through isakmpd to parse it, and given that i'm a bit
> rusty with isakmpd.conf, nothing jumps out at me.

The real (prolly newbie) question that I think I need the answer to is: After I define a custom transform, am I still able to call the standard pre-defined transforms at the same time? I can't see a problem with it, but then I don't (presently) understand how the system loads these definitions. I have about 20 other vpns with diverse encryption parameters. It would be moderately painful if I had to manually configure them all just to make
Troubles trying to configure non-default VPN
I have an OpenBSD 3.9 box and I've been asked to configure it to terminate a VPN using AES-256 encryption with SHA authentication, DH Group 5 (rather than the default group 2) and a lifetime of one day. I configured my isakmpd.conf file like this: ** [Phase 1] Default=ISAKMP-peer-default 10.1.2.138= ISAKMP-peer-xx [Phase 2] Connections=IPsec-xx1-rl1-2, IPsec-xx1-rl1-3 [ISAKMP-peer-xx] Phase= 1 Transport= udp Address=10.1.2.138 Local-address= 192.168.166.174 Configuration= XX-main-mode Authentication= mekmitasdigoat [IPsec-xx1-rl1-2] Phase= 2 ISAKMP-peer=ISAKMP-peer-bp Configuration= Default-quick-mode Local-ID= Net-rl1-2 Remote-ID= Host-xx1 [IPsec-xx1-rl1-3] Phase= 2 ISAKMP-peer=ISAKMP-peer-bp Configuration= Default-quick-mode Local-ID= Net-rl1-3 Remote-ID= Host-xx1 [Net-syd-rl1-2] ID-type=IPV4_ADDR_SUBNET Network=172.16.16.96 Netmask=255.255.255.240 [Net-syd-rl1-3] ID-type=IPV4_ADDR_SUBNET Network=10.33.66.0 Netmask=255.255.255.0 [Host-bp1] ID-type=IPV4_ADDR Address=10.180.1.201 [XX-main-mode] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= AES-SHA-GRP5 ** What ended up happening was that my end was initiating the tunnel using AES-128, and a lifetime of 1 hour (the default configuration as indicated in the man page). I defined my own Transform and placed it at the bottom of my isakmpd.conf as follows: ** ~ [XX-main-mode] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= XX-AES-SHA [XX-AES-SHA] ENCRYPTION_ALGORITHM= AES_CBC KEY_LENGTH= 256,128:256 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1536 Life= XX-phase-1-lifetime [XX-phase-1-lifetime] LIFE_TYPE= SECONDS LIFE_DURATION= 86400,1800:86400 ** My understanding from reading the man page is that is the syntax I need to use. It also means that we should be attempting to send a 256 bit key length with a lifetime of 1 day (86400 seconds) whenever we're initiating the tunnel. Also, MODP_1536 should be correct for DH Group 5. Please let me know if I am wrong here. 
What actually happened was that my box stopped trying to initiate the tunnel. With the old configuration I was getting a packet exchange every couple of minutes. After I made this change all my other VPNs came up as usual but there was no traffic at all relating to this tunnel. Is my syntax incorrect? Is there something I am missing about the structure of isakmpd.conf about the placement or reference of these new sections for lifetime and XX-AES-SHA? If not, can you show me what I am doing wrong, so that I can do it right? TIA! nuffnough
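An added example, not part of the post above and not isakmpd's own code: a small Python checker that parses an isakmpd.conf-style file and lists every key whose value names a section that is neither defined in the file nor one of isakmpd's built-in default sections. The set of reference keys and the list of built-in sections are assumptions made for the example (they cover the keys used in the post plus a few common ones). Run on a constructed copy of the second configuration above, it reports ISAKMP-peer-bp, Net-rl1-2, Net-rl1-3, Host-xx1 and ISAKMP-peer-default as referenced but never defined, which is the kind of structural slip the question asks about.

```python
import re
from collections import OrderedDict

# Keys whose value is a section name or a comma-separated list of them.
# Assumption for this example: the keys used in the post plus common ones,
# not the whole isakmpd.conf(5) grammar.
REFERENCE_KEYS = {"Default", "Connections", "Passive-Connections",
                  "Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID",
                  "Transforms", "Suites", "Protocols", "Life"}

# Sections isakmpd supplies internally when the file does not define them.
# Assumption: partial list; add any others your configuration relies on.
BUILTIN_SECTIONS = {"Default-main-mode", "Default-aggressive-mode",
                    "Default-quick-mode", "Default-phase-1-lifetime",
                    "Default-phase-2-lifetime"}

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*([^=\s][^=]*?)\s*=\s*(.*?)\s*$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_isakmpd_conf(text):
    """section -> OrderedDict(key -> value); '#' comments and blanks skipped."""
    conf, section = OrderedDict(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            conf.setdefault(section, OrderedDict())
            continue
        m = _KEY_RE.match(line)
        if m is None or section is None:
            raise ValueError("line %d: expected [Section] or Key=Value: %r"
                             % (lineno, raw))
        conf[section][m.group(1)] = m.group(2)
    return conf


def referenced_sections(section, key, value):
    """Yield the section names one Key=Value pair points at."""
    if key in REFERENCE_KEYS:
        for name in value.split(","):
            if name.strip():
                yield name.strip()
    elif section == "Phase 1" and _IPV4_RE.match(key):
        # In [Phase 1], "<peer address>= <section>" names that peer's section.
        yield value.strip()


def dangling_references(conf):
    """[(section, key, target)] for references to sections that are neither
    defined in the file nor in BUILTIN_SECTIONS."""
    defined = set(conf) | BUILTIN_SECTIONS
    return [(s, k, t) for s, entries in conf.items()
            for k, v in entries.items()
            for t in referenced_sections(s, k, v) if t not in defined]


# Constructed sample modelled on the second configuration in the post.
SAMPLE_CONF = """
[Phase 1]
Default=ISAKMP-peer-default
10.1.2.138= ISAKMP-peer-xx
[Phase 2]
Connections=IPsec-xx1-rl1-2, IPsec-xx1-rl1-3
[ISAKMP-peer-xx]
Phase= 1
Configuration= XX-main-mode
[IPsec-xx1-rl1-2]
Phase= 2
ISAKMP-peer=ISAKMP-peer-bp
Configuration= Default-quick-mode
Local-ID= Net-rl1-2
Remote-ID= Host-xx1
[IPsec-xx1-rl1-3]
Phase= 2
ISAKMP-peer=ISAKMP-peer-bp
Configuration= Default-quick-mode
Local-ID= Net-rl1-3
Remote-ID= Host-xx1
[Net-syd-rl1-2]
ID-type=IPV4_ADDR_SUBNET
[Net-syd-rl1-3]
ID-type=IPV4_ADDR_SUBNET
[Host-bp1]
ID-type=IPV4_ADDR
[XX-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= XX-AES-SHA
[XX-AES-SHA]
KEY_LENGTH= 256,128:256
GROUP_DESCRIPTION= MODP_1536
Life= XX-phase-1-lifetime
[XX-phase-1-lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,1800:86400
"""

if __name__ == "__main__":
    for s, k, t in dangling_references(parse_isakmpd_conf(SAMPLE_CONF)):
        print("[%s] %s= %s: no such section" % (s, k, t))
```

To check a live file, pass `open("/etc/isakmpd/isakmpd.conf").read()` to `parse_isakmpd_conf` instead of the sample, and extend BUILTIN_SECTIONS with any other built-in names (transform or suite sections, for instance) your configuration depends on, otherwise they will show up as false positives.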
Re: OpenBGPD 4.0 released Nov 1, 2006
On 11/2/06, Henning Brauer <[EMAIL PROTECTED]> wrote: > > We are pleased to announce the official release of OpenBGPD 4.0. > Thanks for the great update. Is this a reason I should install from the latest snapshot via ftp instead of my soon to arrive disc set?
How-to VPN from WinXP behind NAT+ DHCP to OBSD?
Hi there! I am trying to set up a host to site IPSEC VPN tunnel between computers connected to the internet via a typical wireless cable. I have successfully set up several site to site VPN tunnels between my OBSD and checkpoint, cisco, et al. I am quite confused about how to make two aspects of this configuration work: What IP Addresses do I use for things like the Peer address in the OBSD isakmpd.conf? What do I need to do to make the XP IPSec stack traverse the NAT on the broadband modem? TIA nuffnough
Re: isakmpd debug syntax query
On 1/13/06, Alexander Hall <[EMAIL PROTECTED]> wrote:
>
> nuffnough wrote:
> > Hi.
> >
> > I need to log the output of isakmpd -DA=90 to a file, and I am at a loss as
> > to exactly what syntax to use. I am using OpenBSD 3.8 default shell (ksh
> > now...) and trying stuff like
> >
> > isakmpd -T -DA=90 2>&1 > logfile
>
> This would redirect stderr to stdout (screen) and stdout to "logfile".
>
> You probably wanted
> isakmpd -T -DA=90 > logfile 2>&1
> which redirects both stdout and stderr to "logfile". The order is
> important.

Thanks for that info. Unfortunately, I am still getting the same result. Here is the console of my attempts:

fw0:root:/etc/isakmpd>isakmpd -T -DA=90 > logfile 2>&1
fw0:root:/etc/isakmpd>ls -al logfile
-rw-r--r-- 1 root wheel 958 Jan 13 10:25 logfile
fw0:root:/etc/isakmpd>cat logfile
102531.115369 Default log_debug_cmd: log level changed from 0 to 90 for class 0 [priv]
102531.115520 Default log_debug_cmd: log level changed from 0 to 90 for class 1 [priv]
102531.115534 Default log_debug_cmd: log level changed from 0 to 90 for class 2 [priv]
102531.115545 Default log_debug_cmd: log level changed from 0 to 90 for class 3 [priv]
102531.11 Default log_debug_cmd: log level changed from 0 to 90 for class 4 [priv]
102531.115564 Default log_debug_cmd: log level changed from 0 to 90 for class 5 [priv]
102531.115574 Default log_debug_cmd: log level changed from 0 to 90 for class 6 [priv]
102531.115583 Default log_debug_cmd: log level changed from 0 to 90 for class 7 [priv]
102531.115593 Default log_debug_cmd: log level changed from 0 to 90 for class 8 [priv]
102531.115602 Default log_debug_cmd: log level changed from 0 to 90 for class 9 [priv]
102531.115612 Default log_debug_cmd: log level changed from 0 to 90 for class 10 [priv]
fw0:root:/etc/isakmpd>ps auxw | grep isakmpd
_isakmpd 30752 0.0 1.2 2796 2988 ?? S 10:25AM 0:01.17 isakmpd -T -DA=90
root 29469 0.0 0.2 868 424 ?? Is 10:25AM 0:00.01 isakmpd: monitor [priv] (isakmpd)
fw0:root:/etc/isakmpd>ls -al logfile
-rw-r--r-- 1 root wheel 958 Jan 13 10:25 logfile
fw0:root:/etc/isakmpd>

I know that I've done this in the past with no problems, and this is confusing me. (easy to do, I am a bit of a nuff nuff). Thanks for your help, nuffnough
isakmpd debug syntax query
Hi. I need to log the output of isakmpd -DA=90 to a file, and I am at a loss as to exactly what syntax to use. I am using OpenBSD 3.8 default shell (ksh now...) and trying stuff like

isakmpd -T -DA=90 2>&1 > logfile

which just gives me the reports for log levels but doesn't actually show me any actual debug log stuff:

173136.403277 Default log_debug_cmd: log level changed from 0 to 90 for class [0-10] [priv]

I would appreciate anyone kind enough to correct my syntax. TIA nuff nough.
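An added example for the thread above, not part of either post and not isakmpd: a constructed stand-in service, fake_daemon, that writes its start-up line to stderr and then either stays in the foreground (its -d, named after isakmpd's own -d, which keeps isakmpd from daemonizing) or detaches by closing the stdout/stderr it inherited and writing to a file that stands in for syslog. Run with the redirection Alexander gave, it shows both things the thread saw: the correct order captures everything while the service stays attached, but only the start-up lines once it has detached, which is what a log file that stops growing after the "log level changed" lines looks like; the reversed order captures nothing from stderr at all. That isakmpd itself logs to syslog after detaching is an assumption here, to be confirmed in isakmpd(8) and /var/log/daemon.

```shell
#!/bin/sh
# Added example, not from the thread and not isakmpd.

# fake_daemon [-d]
# Constructed for this example.  Writes one start-up line to stderr, then
# either keeps logging to stderr (-d, foreground) or "detaches": closes the
# inherited stdout/stderr and logs to $FAKE_SYSLOG, standing in for syslog.
# The fork that daemon(3) does is left out; it does not change what the
# caller's redirection sees.
fake_daemon() {
    echo "startup: log level changed from 0 to 90" >&2
    if [ "$1" = "-d" ]; then
        echo "debug: phase 1 exchange" >&2
        echo "debug: phase 2 exchange" >&2
        return 0
    fi
    (
        exec >/dev/null 2>&1
        echo "debug: phase 1 exchange" >>"${FAKE_SYSLOG:-/dev/null}"
        echo "debug: phase 2 exchange" >>"${FAKE_SYSLOG:-/dev/null}"
    )
}

# capture_lines [-d]
# Runs fake_daemon with the correct order, '> file 2>&1', and prints
# "<lines in the file> <lines that went to the syslog stand-in>".
capture_lines() {
    out=$(mktemp) || return 1
    FAKE_SYSLOG=$(mktemp) || return 1
    export FAKE_SYSLOG
    fake_daemon "$1" >"$out" 2>&1
    printf '%s %s\n' "$(wc -l <"$out" | tr -d ' ')" \
                     "$(wc -l <"$FAKE_SYSLOG" | tr -d ' ')"
    rm -f "$out" "$FAKE_SYSLOG"
}

# wrong_order_lines
# The thread's first attempt, '2>&1 > file': stderr is joined to the
# original stdout before stdout is moved to the file, so the file only ever
# receives stdout.  Prints the number of lines the file got.
wrong_order_lines() {
    out=$(mktemp) || return 1
    ( fake_daemon -d 2>&1 >"$out" ) >/dev/null   # outer >/dev/null only keeps the demo quiet
    wc -l <"$out" | tr -d ' '
    rm -f "$out"
}

main() {
    echo "detached,   '> file 2>&1': $(capture_lines)"      # 1 2
    echo "foreground, '> file 2>&1': $(capture_lines -d)"   # 3 0
    echo "foreground, '2>&1 > file': $(wrong_order_lines)"  # 0
}

main "$@"
```

The practical reading: when the file holds only the lines printed before the daemon detaches, the redirection is already right and the fix is to keep the process attached (isakmpd -d) or to read the detached process's log from where it actually goes.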