s?
Best regards
Christoph Leser
Systems Engineering
S&P Computersysteme GmbH
Systems house for logistics
Zettachring 4
70567 Stuttgart
www.sup-logistik.de
T: +49 711 726 41-0
F: +49 711 726 41-70
christoph.le...@sup-logistik.de
Amtsger
I read in a 2013 paper by Reyk Floeter about OpenIKED
(https://www.openbsd.org/papers/openiked-asiabsdcon2013.pdf)
"The design intends to allow operation of both protocol versions on the same
host"
but
"The unprivileged IKEv1 process is currently an empty stub"
Does this mean that I cannot h
Subject: Re: ipsec outgoing address translation question
>
> Christoph Leser wrote:
>
> > with ipsecctl I can configure outgoing address translation in
> > ipsec.conf like this:
> >
> > ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24
> >
Hello,
with ipsecctl I can configure outgoing address translation in ipsec.conf like
this:
ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer
10.10.20.1
Is there an equivalent syntax for isakmpd.conf? ( Due to problems with NAT-T I
need to use isakmpd.conf and cannot
There seems to be no interest in this issue on @misc.
Would it be ok to file a bug for this?
> -Original Message-
> From: Christoph Leser
> Sent: Monday, 9 September 2013 16:45
> To: Christoph Leser; misc@openbsd.org
> Subject: Re: Help with ISAKMP Nat Traversal
l isakmpd[13061]: exchange_establish:
from-129.143.250.128/25-to-192.168.199.0/24 exchange already exists as
0x848b5800
Sep 9 16:09:39 q-dsl isakmpd[13061]: ui_shutdown_daemon: received shutdown
command
Sep 9 16:09:39 q-dsl isakmpd[13061]: isakmpd: shutting down...
> -Ursprüngliche Nach
it
Which seems either wrong or at least misleading: we are directly connected to the
internet; it is the other side that is behind a NAT.
What also strikes me is that the 'Next Proposal' fields at byte offset 005c
and 0068 are zero instead of 02 (PROPOSAL) and 03 (TRANSFORM) as the figure
ant page of rfc 2408 suggests.
Please let me know how you read this matter.
Thanks
Christoph Leser
>From: owner-m...@openbsd.org [owner-m...@openbsd.org]" on behalf of
>"Stuart Henderson >[s...@spacehopper.org]
>Sent: Saturday, 7 September 2013 00:11
>To: misc@openbsd.org
>Subject: Re: ISAKMPD NAT/Traversal
>>On 2013-09-06, Christoph Leser wrote:
>
the encapsulation modes ( or is RFC3947 deas, it
seems to be a standard proposal since 2005 ).
Best regards
Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
che Nachricht-
> From: Philip Guenther [mailto:guent...@gmail.com]
> Sent: Monday, 26 November 2012 21:44
> To: Christoph Leser
> Cc: 'misc@openbsd.org' (misc@openbsd.org)
> Subject: Re: ../../../../arch/i386/i386/locore.s:1755: Error: no such
> instruction:
> `sta
mk).
The cvs status of locore.s is 'Up to date', Revision 1.145
I followed the same procedure some weeks ago ( Sep. 25. ) and had no problems.
dmesg.boot is included at the end of this message.
Best Regards
Christoph Leser
Dmesg.boot:
OpenBSD 5.2 (GENER
d the debug output
in messages shows for this?
Best Regards
Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart
Fasanenhof
EMail: le...@sup-logistik.de
____
From: Christoph Leser
Sent:
Tuesday, 2 October 2012
your pf.conf. If you see both, I would believe your tunnel is ok and the
remote side is filtering your icmp or does not route your packet properly into
the (remote) internal net.
Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logisti
: Friday, 28 September 2012 13:45
> To: misc@openbsd.org
> Cc: Christoph Leser
> Subject: Re: Router project on OpenBSD questions
>
> On Tue, Sep 25, 2012 at 05:51:42PM +0100, Stuart Henderson wrote:
>
> > On 2012/09/25 18:24, Otto Moerbeek wrote:
> > > On Tue
Thank you for this hint.
I indeed have ike.c r=1.76.
I will refresh my system tonight, give it a try and report my result.
Best Regards
Christoph
> -Original Message-
> From: Otto Moerbeek [mailto:o...@drijf.net]
> Sent: Monday, 24 September 2012 22:03
> To: Chr
to:s...@spacehopper.org]
> Sent: Monday, 24 September 2012 16:41
> To: Christoph Leser
> Cc: misc@openbsd.org
> Subject: Re: Router project on OpenBSD questions
>
> On 2012/09/24 13:24, Christoph Leser wrote:
> > It seems that the patch from Stuart Henderson, propose
It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 on tech@
has not made it into -current yet.
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD
Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD questions
Search the archives for the cisco nat-t problem, I sent a mail with more
details and I think there was a patch with it
BSD 5.2
Any hints to information about interoperability issues with cisco ( and
possible solutions ) would be highly welcome
Best regards
Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
those values in isakmpd.conf. Never seen those
messages and all works fine.
On 09/17/2012 09:30 PM, Christoph Leser wrote:
> After updating to 5.2 current, I noticed, that incoming phase-1
> requests get dropped due to ( from /var/log/messages )
>
> Sep 17 21:20:51 q-dsl
make any difference.
Best Regards
Christoph Leser
S&P Computersysteme GmbH
Systems house for logistics
Zettachring 4
70567 Stuttgart
www.sup-logistik.de
Tel.: 0711 72641 0
Fax: 0711 72641 70
Stuttgart District Court HRB 11921
Managing Directors Jürgen Probst, Horst Reichert
r problems?
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Christoph Leser
Sent: Saturday, 15 September 2012 15:51
To: misc@openbsd.org
Subject: isakmpd nat problem with openBSD 5.2
After I upgraded from openBSD 4.6 to 5.2 I have the followi
After I upgraded from openBSD 4.6 to 5.2 I have the following problem with
isakmpd+nat when the remote side is behind a NAT gateway:
openBSD Phase 1 recognizes NAT and switches to port 4500 to send the ID
information.
openBSD Phase 2 then tries to negotiate TUNNEL mode, but the remote side
rejects
Hello,
I have IPSEC VPNs in tunnel mode, configured in ipsec.conf with a line
like:
ike active esp tunnel from to peer
My isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present
Sorry for the noise. I overlooked your nat statement in pf.conf.
But it is wrong, as per the man page you should nat on enc0, not on $ext_if
Hi,
from what I see you use the new address translation feature of ipsec 4.7
This requires a nat statement in pf.conf, which is probably missing from your
Hi,
from what I see you use the new address translation feature of ipsec 4.7
This requires a nat statement in pf.conf, which is probably missing from your
configuration.
See the section on 'outgoing network address translation' in the man page of
ipsec.conf
Regards
Christoph
> -Urspr|ngli
Take a look at pdftk. It is a simple command line tool, that can do a lot of
things with pdf files: merge, split, rotate, fill forms etc.
http://www.accesspdf.com/pdftk/
Regards
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of P
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Aaron Mason
> Sent: Wednesday, 2 December 2009 23:14
> To: OpenBSD
> Subject: Re: IPSec Blues
>
>
> On Wed, Dec 2, 2009 at 11:02 AM, Bryan Irvine
> wrote:
> >> Does somebody know
1723 is PPTP. This uses GRE ( generic routing encapsulation ).
You must allow this protocol.
And, as far as I know, openBSD cannot NAT this protocol ( it is possible to
nat GRE for pptp if you peek into the next higher level protocol ( ppp in this
case ? ) but this is not implemented )
So I did
Are you sure that obsd does not try to initiate the connection at least once?
I have noticed the following problem with cisco:
Some Cisco models delete the security association after an inactivity timeout,
they call it "Cisco IPSec Security Association Idle Timers".
When this happens, openBSDs d
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:
In what order are the following operations performed on an IP packet
a. IPSEC ( decides whether a packet matches an IPSEC flow )
b. normal kernel routing
c. NAT
d. packet filtering
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Tobias Ulmer
> Sent: Thursday, 23 April 2009 14:02
> To: Thomas Pfaff
> Cc: misc@openbsd.org
> Subject: Re: Problem with slow disk I/O
>
>
> On Thu, Apr 23, 2009 at 03:27:42PM +
You can use -Djava.awt.headless=true on the Java command line to start without
X.
Regards
Christoph
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Eugeni Akmuradov
> Sent: Saturday, 14 March 2009 11:50
> To: misc@openbsd.org
>
n Weisgerber
> Sent: Sunday, 25 January 2009 23:10
> To: misc@openbsd.org
> Subject: Re: isakmpd does not initiate quick mode after main
> mode is established
>
>
> Christoph Leser wrote:
>
> > I'm still struggling to keep my ipsec vpns running smoothly.
Yes, I can confirm that glxsb.c 1.15 works fine with 4.4-stable.
Now AES 256 works again.
Thanks
> -Original Message-
> From: Markus Friedl [mailto:markus.r.fri...@arcor.de]
> Sent: Tuesday, 20 January 2009 13:53
> To: Christoph Leser
> Cc: misc@openbsd.or
As described in
http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/22/3364064
there is a problem with the driver for the AMD Geode LX series processor
security block for openBSD 4.4 ( glxsb.c ).
This has been fixed in version 1.15 of this file, but this fix has not
been committed to 4.4-stable
> -Original Message-
> From: dug [mailto:d...@xgs-france.com]
> Sent: Monday, 19 January 2009 17:44
> To: Hans-Joerg Hoexer
> Cc: Christoph Leser; misc@openbsd.org
> Subject: Re: Cisco IPSec Security Association Idle Timers and isakmpd
>
>
> Le 19 j
Hi,
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
This feature is described in
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle
.html#wp1045897
The effect is, that the VPN no longer works. open
After migrating to OBSD 4.4 ( from 4.1 ) I sometimes find that for a
particular VPN ( tunnel mode ) :
1. The corresponding flows are established, as shown by
netstat -rnf encap
and
ipsecctl -sflow
2. The packets sent to the remote site show up in
tcpdump -leni enc0
with a
I'm still struggling to keep my ipsec vpns running smoothly.
Is there a reference to a more detailed description of the allowed
isakmp exchanges?
Watching tcpdump for some time gives me a rough impression of what is
going on, but it is hard to tell what's wrong ( if anything at all )
when the exch
I used to configure VPNs using isakmpd.conf, for 2 dozen VPNs, each with
a hand crafted set of parameters ( encryption, hmac, key length etc. ).
Now I tried to move this setup to ipsec.conf by spelling out the
complete line for every VPN like this:
ike active esp tunnel from a.b.c.d to e.f.g.h p
Just my 1 cent on the perl script
#!/usr/bin/perl
`cd /path-to-dir`;
`rm *`;
will purge your working directory, not /path-to-dir, as each of the `command`
constructs is executed in a process of its own and thus has no influence on
the next command
you would be better off with
#!/usr/bin/perl
`cd
as far as I know you need to set the syslogd_flags variable in
/etc/rc.conf.local or /etc/rc.conf
regards
Christoph
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Sma11T0wnITGuy
> Sent: Thursday, 11 December 2008 15:35
> To: misc@o
Re: ISAKMPD <-> cisco : attribute ENCAPSULATION_MODE
> = 61443 (unknown)
>
>
> On 2008-11-25, Christoph Leser <[EMAIL PROTECTED]> wrote:
> > I see the above message in the tcpdump of
> /var/run/isakmpd.pcap, when
> > a cisco router establishes quick mode to my openbsd. Th
Hi,
I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
cisco router establishes quick mode to my openbsd. The connect works ok,
just wondering what this message could mean. I have only seen
'ENCAPSULATION MODE = TUNNEL' in this context.
As connect setup fails in the opposite
Trying to establish an ipsec tunnel to a debian linux box with openswan,
using this entry in ipsec.conf:
ike active esp from 192.168.1.0/24 to 192.168.2.0/24 peer a.b.c.d srcid
"[EMAIL PROTECTED]" dstid "[EMAIL PROTECTED]" psk xxx
I get 'PAYLOAD MALFORMED' in the middle of the phase 1 ne
> I think the mailing lists would be better if it wasn't always full of
> people asking stupid questions, and then being answered by people with
> ridiculous or uneducated answers.
> Not that I want to be here providing the correct answers. Why bother?
> They won't be understood, and it isn't wor
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Charlie Clark
> Sent: Thursday, 6 November 2008 18:34
> To: misc
> Subject: openbsd fail2ban
>
>
> Hi,
>
> I have noticed that people constantly try to brute force sshd on my
> openbsd box
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of BARDOU Pierre
> Sent: Thursday, 6 November 2008 15:30
> To: misc@openbsd.org
> Cc: LOUIS Marc
> Subject: NAT + IPsec problem
>
>
> Hello,
>
> I am trying to setup an IPsec connection.
> He
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Carlos Laviola
> Sent: Thursday, 6 November 2008 13:34
> To: misc@openbsd.org
> Subject: isakmpd routing woes
>
>
> Hello,
>
>
>
> I have three /24 networks connected to each other through
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of bofh
> Sent: Tuesday, 28 October 2008 16:13
> To: OpenBSD general usage list
> Subject: Re: "J.C. Roberts" <[EMAIL PROTECTED]> saiz >
> OpenBSD. --We won't miss you.
>
>
> On Tue, Oct 28, 2
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Rod Whitworth
> Sent: Wednesday, 29 October 2008 07:47
> To: OpenBSD general usage list
> Subject: Re: How to debug IPSec and PF problem
>
>
> On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsa
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Otto Moerbeek
> Sent: Friday, 24 October 2008 13:11
> To: Sebastian Reitenbach
> Cc: misc@openbsd.org
> Subject: Re: slow network performance behind cisco
>
>
> On Fri, Oct 24, 2008 at 12:5
I'd like to ask the community:
Will IKE V2 ever become available on a larger scale and will it
eventually replace V1 sometime?
Regards
This is interesting. We suffer from spurious connection losses since we
started with OBSD ipsec.
Do you have any details on what caused your problem, and why setting
DPD-check-interval helped?
> In our environnement (we manage openbsd tunnels to cisco 3030
> which is out of our scope) we debugged a
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Aaron W. Hsu
> Sent: Monday, 22 September 2008 20:04
> To: misc@openbsd.org
> Subject: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?
>
>
> Hell All,
>
> I am trying to connect to my Uni
I would like to block these messages as they fill up /var/log/messages
A MS windows server with a trunked interface sends packets with either of its
two hardware addresses, causing these messages
Regards
Hi,
I've a question regarding the priority of routing entries.
Please take a look at the following routing table for a machine with 3
ethernet interfaces (
link#1 192.168.0.1 ( internal net 1 /24 )
link#2 u.v.w.254 ( internet/30 )
link#4 10.10.60.1 ( internal net 2 /24 ):
netstat -r
't quick ' >/var/run/isakmpd.fifo
echo 'c ' >/var/run/isakmpd.fifo
Is there anything known about such behaviour ?
Thanks
Christoph
Best regards
Christoph Leser
S&P Computersysteme GmbH
Systems house for logistics
Tel: 0711 726410
Mail: [EMAIL PROTECTED]
A
Hi,
afaik all access to oracle databases requires oracle client software. The only
exception I know of is JDBC ( java database connectivity ), which has a thin
client requiring only tcp and the oracle jdbc client, which is pure java.
maybe that is an option.
if not you might connect your ms sql server t
messages do, why are they sent? Is it a normal behaviour or is
the remote site trying to end the vpn. ( remote is a lancom ?? ).
Why is it that isakmpd sometimes tries to reestablish and sometimes it does
not?
Thanks for any hints
Best regards
Christoph Leser
S&P Computersy
I forgot to ask:
What are the NAT statements in your pf.conf that you mention? The ipsec
packets should not be NAT'ed in your configuration ( although ipsec can go
through NAT in general ).
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
> of jcr
>
Hi,
here my 50 cent:
tcpdump looks good, the obsd machine receives the first message of the phase 1
exchange and sends a suitable response.
your netgear log says that no response to the first message is received.
this means the response from isakmpd gets lost, either in local pf or in the
netgear ( don't know if the
Hi,
I use the pppoe0 device to connect to my isp. And I use ntpd.
ntpd seems not to be aware of the changing ip address of the interface. It
keeps sending messages with the source address it saw on startup, as can be
seen from netstat -an or pflog.
Is there a signal I can send to ntpd to rebind i
I have a problem with ipsec/isakmpd.
I have set up about 20 VPNs to various other sites, all using tunnel mode (
active ).
All but one are working fine.
One connection exhibits the following behaviour:
After isakmpd starts, the vpn starts correctly, main and quick mode are
successfully negotiat
> -Original Message-
> From: Christoph Leser
> Sent: Friday, 21 September 2007 16:44
> To: '[EMAIL PROTECTED]'
> Subject: Re: isakmp phase 2 negotiation failed
>
>
> > w
> >#$OpenBSD: ipsec.conf,v 1.5 2006/
> -Original Message-
> From: Christoph Leser
> Sent: Friday, 21 September 2007 12:58
> To: 'n0g0013'
> Subject: Re: isakmp phase 2 negotiation failed
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EM
Hi,
is the AES 256 cipher supported in the OBSD 4.1 ipsec implementation?
If it is, how can I specify this as input to ipsecctl ( ipsec.conf )?
regards
Christoph
Hello,
I tried ( and failed ) to set up an IPSEC Tunnel to a LANCOM VPN Router in a
somewhat special constellation:
main mode is ok
quick mode negotiated successfully and established the following flow:
# ipsecctl -s flow
flow esp in from 172.17.0.0/16 to 172.17.7.50 peer a.b.c.d srcid
[EMAIL P
hello,
I would love to set up an openBSD/soekris-based dsl router for accessing the
internet from home (my provider is t-com from germany).
Can anyone here tell me whether there are internal dsl modem cards available
which are supported by openBSD?
It would be sad if I had to install an external
scp from linux to linux via an ipsec tunnel between openBSD gateway and lancom
1611+ router fails (hangs) if tcp window scaling is enabled.
This is my setup:
Redhat Linux ES3 <---> dc0 openBSD IPSEC dc1 < internet -> lancom
1611+ <---> Redhat Linux ES4
RHES3 does
scp a.a host:
D]
Sent: Wed 21.12.2005 19:15
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: NAT/pf before IPSEC
On Wed, 21 Dec 2005, Christoph Leser wrote:
> Does this imply that I must not mention VPN-2 in the isakmpd.conf Connections
> statement?
>
> Thanks for your help.
I tried with and w
I came across
http://www.kb.cert.org/vuls/id/226364
which describes some vulnerabilities in IKE Protocol V1 implementations.
That page states ( that is at least what I read from it ) that it is unknown
whether OpenBSD is affected or not.
Is anything known about this issue? Should I care about it
isc@openbsd.org
> Subject: Re: NAT/pf before IPSEC
>
>
> No the other side does not need to know about this additional
> section if
> you are using NAT as described.
>
> Nick
>
> On Wed, 2005-12-21 at 14:06 +0100, Christoph Leser wrote:
> > If you add this ex
If you add this extra section to your isakmpd.conf, do you need to add it to
the remote site too? Does this extra section change the negotiation between the
two endpoints?
Thanks
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf
> of Nick Suckling
Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net is NAT'ed to the external interface to provide
internet access to hosts on th
76 matches