On 11 dec 2006, at 07.14, nuffnough wrote:
Hi...
I have recently started using OpenBSD, and one of the things that I liked
most about it was the ease I got my VPN tunnels working with isakmpd.
I've learnt in the past few weeks that the use of isakmpd is being
deprecated in favour of ipsec.
On 24 nov 2006, at 22.44, Brian Candler wrote:
Is this 60 second timeout a tunable? Or can you point me to where it's
defined in the kernel? I'd like to try increasing it.
sysctl net.inet.ip.ipsec-invalid-life=60
(If you're curious, look at reserve_spi() in /usr/src/sys/netinet/ip_ipsp.c)
On 24 nov 2006, at 13.12, Brian Candler wrote:
...
Time(s)   Num flows
-------   ---------
10        606
20        976
30        1286
40        1384
50        1768
60        1946
70        1946 ..
And there it stops, never reaching 2000 (in+out).
But I find the following in /var/log/messages:
On 25 sep 2006, at 14.00, Stefan Sczekalla-Waldschmidt wrote:
Hi,
Can I prevent OpenBSD from advertising its NAT-T capability or prevent
it from negotiating it?
-T option to isakmpd, as mentioned in isakmpd(8). It shouldn't be
necessary to disable it, unless you're stuck with some old NAT-box
On 11 aug 2006, at 22.59, Steve Glaus wrote:
...
I'm mostly asking questions now for my own curiosity, so feel free
everyone to ignore these ramblings.
- Is PFS something that's negotiated only during phase 2? Could
this be why it was passing phase one but not passing phase two?
Yup. PFS
On 10 aug 2006, at 16.26, Tech Support wrote:
Question: Can I have an isakmpd.conf file, set only the config options I
want, run isakmpd WITHOUT the -K and still use ipsectl?
Yes.
Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
pfs is
On 28 jul 2006, at 11.19, jeraklo wrote:
...
The network layout looks like following:
CLIENT (can have public IP or private IP)
| (private client IP assumes default gateway uses NAT)
|
|
INTERNET
|
|
NIC_0_FIREWALL_0 (public IP)
FIREWALL_0
NIC_1_FIREWALL_1 (public IP, subnet_A)
|
|
NIC_0
On 28 jul 2006, at 14.09, jeraklo wrote:
So, you are saying that pf(4), ipsec(4), ipsecctl(8),
and maybe vpn(8) is all I need ? Do I have to make
some special tweakings on the
That's a good start, yes. Plus it should be fairly easy to find
configuration examples for setups like this.
On 29 jun 2006, at 22.33, Stephen Bosch wrote:
I'm trying to set up a tunnel to a Cisco PIX.
It seems to make it past Phase 1, the trouble starts at Phase 2.
I've provided some tcpdump output below:
...
So, at this point it looks like Phase 1 was successful. Phase 2
begins:
On 18 apr 2006, at 10.59, Reyk Floeter wrote:
...
- set the flows for each peer. any direct communication
between the peers and the gateway will be bypassed (not
encrypted) to allow the ISAKMP key exchange (a more
complicated version is possible, i.e. with additional
static flows, the proto
On 1 feb 2006, at 08.38, Jurjen Oskam wrote:
On Wed, Feb 01, 2006 at 01:19:58AM -0500, Peter wrote:
raid0: Device already configured!
ioctl (RAIDFRAME_CONFIGURE) failed
Can anyone lend a hand in this important matter?
Let me guess (since you didn't post any configuration): you
enabled
On 26 jan 2006, at 20.09, Bob DeBolt wrote:
Main question is this, why does the 10.x.x.x address come back to us
instead of timing out??
You only stated the ping returns, not actually with what. :)
In case the 10.x.x.x box has a problem reaching the next hop, you
should see an ICMP
On 14 jan 2006, at 14.20, James Mackinnon wrote:
Hello everyone
I have 2 central locations which have multiple interfaces (4) and have
tunnels for each of these interfaces to 34 other locations.. this comes
out to approx 198 tunnels on each of these 2 systems.
Could you mail me the
On 6 dec 2005, at 06.14, Brian A. Seklecki wrote:
OpenBSD requires that gateway A and gateway B have a default route declared
*EVEN THOUGH ONE IS NOT REQUIRED IN THE LAB CONFIGURATION*
...
So why in the world would a default gateway be required? A default
gateway is only required to
On 5 dec 2005, at 02.57, Brian A. Seklecki wrote:
I opened a PR on this earlier this year. Search my last name in query-pr.
The Cisco 3000 supports SA Proposals with multiple discontiguous
subnets.
The IKE protocol does not. In fact subnets are not part of SA
proposals. (They're phase2
On 29 nov 2005, at 13.20, robdenz@libero.it wrote:
I keep getting messages such as
Default pf_key_v2_get_spi: GETSPI: Operation not supported
Default initiator_send_HASH_SA_NONCE: doi-get_spi failed
Make sure you did not accidentally disable ESP (and AH) in /etc/sysctl.conf.
/H
Isn't this in the FAQ (yet/still)? It definitely is in the archives...
If you have a tunnel between the networks traffic between the
networks is the *only* traffic to be encrypted. See 'netstat -rn -f
encap', source and destination fields.
As soon as any of the gateways are involved,
Try increasing PF max number of states.
It is currently limited to 1, so when you reach this no new
traffic (that would create a state) is permitted until some of the
old ones expire. The 1 limit is ok for most machines, but
definitely not for a busy server / firewall. (Same goes
On 16 jun 2005, at 16.45, Stephen Marley wrote:
Is this known behaviour with the code in its current state, or should I
be looking at my configuration or reporting a problem?
Yes, I've seen it. Unfortunately I have lots of other work at the
moment, so it'll probably be a week or so
19 matches