Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-15 Thread Stuart Henderson
On 2023-08-14, latin...@vcn.bc.ca  wrote:
>> On 2023-08-14, latin...@vcn.bc.ca  wrote:
>>> Something magic had happened after reboot! ikev2 is working
>>
>> iked/isakmpd keys are created at boot if they don't exist.
>>
>>> BTW at the
>>> client I cannot use the web browser? The ssh connection did not stop
>>> working.
>>
>> 
>
> Hello Stuart
>
> The situation is that, being connected with ikev2 to my server, ssh is not
> disconnected as with WireGuard, but it is supposed that all traffic should
> go by ikev2!
>
> I am looking at pf.conf, but I cannot imagine how to send lo1/enc0 by ikev2.

There's not enough information about what you're trying to do, or what
is going wrong, for anyone to help.



Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-14 Thread latincom
> On 2023-08-14, latin...@vcn.bc.ca  wrote:
>> Something magic had happened after reboot! ikev2 is working
>
> iked/isakmpd keys are created at boot if they don't exist.
>
>> BTW at the
>> client I cannot use the web browser? The ssh connection did not stop
>> working.
>
> 

Hello Stuart

The situation is that, being connected with ikev2 to my server, ssh is not
disconnected as with WireGuard, but it is supposed that all traffic should
go by ikev2!

I am looking at pf.conf, but I cannot imagine how to send lo1/enc0 by ikev2.

>
> If you're able to fetch small pages over http (*not* https), such as
> http://www.openbsd.org/grp-tmpl.txt, then you probably have an
> MTU (packet size) problem. If so, you could try something
> like this near the top of pf.conf to cap the size of TCP packets
> as a workaround (make sure you don't use "set skip on enc0" for
> this to be used):
>
> match on enc0 scrub (max-mss 1300 no-df)
>
> --
> Please keep replies on the mailing list.
>

No, everything goes by normal IP, not by ikev2.

thanks.





Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-14 Thread Stuart Henderson
On 2023-08-14, latin...@vcn.bc.ca  wrote:
> Something magic had happened after reboot! ikev2 is working

iked/isakmpd keys are created at boot if they don't exist.

> BTW at the
> client I cannot use the web browser? The ssh connection did not stop
> working.



If you're able to fetch small pages over http (*not* https), such as
http://www.openbsd.org/grp-tmpl.txt, then you probably have an
MTU (packet size) problem. If so, you could try something
like this near the top of pf.conf to cap the size of TCP packets
as a workaround (make sure you don't use "set skip on enc0" for
this to be used):

match on enc0 scrub (max-mss 1300 no-df)

-- 
Please keep replies on the mailing list.
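An added check, not from the thread and not OpenBSD's own code, that lints a pf.conf for the caveat above: the max-mss scrub rule does nothing when enc0 is also covered by "set skip on". The file names and sample configs below are constructed for the demonstration.

```sh
#!/bin/sh
# Lint a pf.conf ($1) for the enc0 max-mss workaround: the rule
# "match on enc0 scrub (max-mss ...)" only takes effect if enc0 is
# NOT listed in any "set skip on" statement. Runs offline, no pfctl.

# Print 1 if enc0 appears in a "set skip on ..." line (plain or { list }).
enc0_skipped() {
    sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on' |
        tr '{},' '   ' |
        grep -qE '(^|[[:space:]])enc0([[:space:]]|$)' && echo 1 || echo 0
}

# Print 1 if some match rule on enc0 scrubs with max-mss.
has_enc0_maxmss() {
    sed 's/#.*//' "$1" |
        grep -qE '^[[:space:]]*match[[:space:]]+((in|out)[[:space:]]+)?on[[:space:]]+enc0([[:space:]]|$).*scrub.*max-mss' \
        && echo 1 || echo 0
}

# Verdict: "ok" only when the rule exists and is not bypassed by set skip.
check_pfconf() {
    if [ "$(has_enc0_maxmss "$1")" != 1 ]; then
        echo missing-maxmss; return 1
    elif [ "$(enc0_skipped "$1")" = 1 ]; then
        echo bypassed-by-skip; return 1
    fi
    echo ok
}

# Constructed sample configs (hypothetical, not from the thread).
PFLINT_TMP=$(mktemp -d)
cat > "$PFLINT_TMP/good.conf" <<'EOF'
set skip on lo0
match on enc0 scrub (max-mss 1300 no-df)   # workaround from the thread
pass
EOF
cat > "$PFLINT_TMP/bad.conf" <<'EOF'
set skip on { lo0, enc0 }   # enc0 skipped: the scrub rule never runs
match on enc0 scrub (max-mss 1300 no-df)
pass
EOF
cat > "$PFLINT_TMP/none.conf" <<'EOF'
set skip on lo0
pass
EOF
for f in good bad none; do
    printf '%s: %s\n' "$f" "$(check_pfconf "$PFLINT_TMP/$f.conf")"
done
```

On a live box, `pfctl -nf /etc/pf.conf` validates the syntax and `pfctl -sr` shows which rules were actually loaded.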



Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-13 Thread latincom
> latin...@vcn.bc.ca wrote:
>> Hello
>>
>> I am testing IKEv2, and because I felt really confused trying to
>> configure them, I deleted all certs, and I cannot find how to re-create
>> them in the FAQ and misc!
>>
>> May somebody help please?
>>
>> Thank you.
>
> It's in /etc/rc, function make_keys at line 135:
>
> # Generate keys for isakmpd, iked and sshd if they don't exist yet.
> make_keys() {
>     # ...
>     local _iked_key=/etc/iked/private/local.key
>     local _iked_pub=/etc/iked/local.pub
>
>     # ...
>
>     if [[ ! -f $_iked_key ]]; then
>         echo -n "openssl: generating iked ECDSA keys... "
>         if openssl ecparam -genkey -name prime256v1 -out $_iked_key >/dev/null 2>&1 &&
>             chmod 600 $_iked_key &&
>             openssl ec -out $_iked_pub -in $_iked_key \
>                 -pubout >/dev/null 2>&1; then
>             echo done.
>         else
>             echo failed.
>         fi
>     fi
>
>     # ...
> }
>
> -Lucas
>

Hey Lucas, thank you very much man!

Something magic had happened after reboot! ikev2 is working. BTW at the
client I cannot use the web browser? The ssh connection did not stop
working.

Really thanks man.