preventable. ;-))
With best regards,
Tobias
headers that evaluated the
original SPF/DKIM situation upon first receipt.
With best regards,
Tobias
is due to some
subscribers having features active that still require changes to mails
that are incompatible with DKIM's signed headers for this domain.
However, in general, this is still a relatively low amount of missed
messages, so I'd say that the current solution also works.
With best regards,
Tobias
break the workflow of people.
I am intentionally double-posting this email (once from my personal
domain, once from reads-this-mailinglist.com) to see how well
preserving messages as sent works/impacts deliverability.
Will let you know :-)
With best regards,
Tobias
oes not need network
```
block return out log proto {tcp udp} user _pbuild
pass in on vio0 inet6 from 2a06:d1c0:deac:1:d5:64:a115:1 to
2a06:d1c7:a:4764::/96 af-to inet from 193.104.168.184/29 random
```
With best regards,
Tobias
together, checking some stuff about sending behavior.
With best regards,
Tobias
a dedicated sender domain if relaxing their main
domain is not possible
- Mail providers allowlist the openbsd mailers to skip by DMARC (only
possible when you control your mailserver)
With best regards,
Tobias
Moin,
On Sat, 2024-03-09 at 17:24 +, Laura Smith wrote:
> Nice idea Tobias, but I forgot to mention both machines are on the
> same LAN, and the LAN is operating with standard MTU, no jumbos.
Would still give it a try, esp. given that a large text file cat also
shows this MTU-y be
ng dmesg (or find /).
With best regards,
Tobias
On Sat, 2024-03-09 at 16:07 +, Laura Smith wrote:
> Hi
>
> I've got a fresh install of 7.4 on a new box and am seeing a very
> weird problem.
>
> If I enter "dmesg" I get a few lines of output and then it hangs
On Tue, Dec 12, 2023 at 07:38:30AM +0100, Sebastian John wrote:
> Hello,
>
> I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new
> machine. I put the isakmpd.conf from the old machine (7.3) on the
> new one. Also some other configurations (interfaces, pf...). All
> works fine but the inc
> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > > from 10.88.0.0/22 to 10.88.12.0/24 \
> > > from 203.0.113.92 to 10.88.12.0/24 \
> > > peer any local 203.0.113.92 \
> > > ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> > >childsa enc aes-256-gcm prf hmac-sha2-512 gro
On Tue, Oct 24, 2023 at 10:42:11PM +0200, Tobias Heider wrote:
> On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> > On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> > [..]
> > >$ uname -a
> > >OpenBSD open
On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> [..]
> >$ uname -a
> >OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> >
> >ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > from 10.88.0.0/22 to 10.88
?
>
> Thanks for any help in advance.
Can you add verbose server logs too? I don't see any obvious incompatibility.
- Tobias
>
>
> Server configuration
>
> $ uname -a
> OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
>
> ikev2 "LINUX-CLIENT_INET4_LAN"
r, so never hit
the mirror list thing).
With best regards,
Tobias
*And on opinions: What should motivate _everyone_ to get on v6 ASAP is
that it would end the business model of some rather annoying IPv4
address traders (I acknowledge there are also not-annoying ones who
would be affected, bu
On October 3, 2023 2:30:54 PM GMT+02:00, "Robert B. Carleton"
wrote:
>Tobias Heider writes:
>
>> On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton"
>> wrote:
>>>I'm trying to set up host-to-host encryption using iked with
On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton"
wrote:
>I'm trying to set up host-to-host encryption using iked with the
>following configuration:
>
>On 10.2.2.10:
>
>ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
>
>On 10.2.1.11:
>
>ikev2 active esp from 10.2.1.11
ore test-setups to run for some time; I will
be able to set up automation for that in the coming weeks.
With best regards,
Tobias
> On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> >
> > > But yes, getting a specific commit there will be helpful.
> > Sadly it turn
y default.
Feared, because it basically puts me back to start w.r.t. what the root
cause might be; it could be anything that happened to TLSv1.3 code in
either LibreSSL or Nginx.
I guess the next step is going through all commits of libressl between
what is in 7.2 and 7.3.
With best regards,
Tobias
helpful.
> I just saw, that the version 8 of libpcre2 seems to be quite a bit
> behind the current version:
> https://github.com/PCRE2Project/pcre2/releases
>
> Is this intentional?
I am using what comes from the packages/ports. So the intentions on
that are with the maintainers there.
With best regards,
Tobias
regards,
Tobias
On Sun, 2023-09-24 at 12:53 +0200, Rudolf Leitgeb wrote:
> Do the affected programs use the same libraries?
>
> On Sun, 2023-09-24 at 09:32 +0200, Tobias Fiebig wrote:
> > After upgrading to 7.3 and nginx-1.24.0, I started to see heavy
> > memory
> > lea
closer (and maybe get it reproducible in a
first step):
Did anyone else experience memory leakage on openbsd with mariadb or a
self-built >=nginx-1.23.4 (or other applications) since the upgrade to
7.3?
With best regards,
Tobias
On Wed, Aug 23, 2023 at 08:03:34AM +0200, Jiri Navratil wrote:
> Hello,
>
> Thank you for quick and helpful replies.
>
> Adding line
>
> set skip on enc0
>
> to pf.conf enabled traffic between my sites.
>
> I see in https://www.openbsd.org/faq/faq1
I am a bit late to the party, but some more comments below.
On Sun, Jul 09, 2023 at 11:27:20PM -0400, Anthony Coulter wrote:
> Summary of this email:
>
> 1. I respond to a couple of specific points made by other folks in this
>thread to clarify what I'm trying to accomplish (set up a couple o
On July 5, 2023 4:35:30 AM GMT+03:00, Anthony Coulter
wrote:
>Short version:
>
>I'm trying to set up a "road warrior"-style VPN like the one described
>at https://www.openbsd.org/faq/faq17.html but I'm trying to use IPv6 so
>I can have globally-routable addresses (so I'm not using NAT). So far
On Tue, Apr 11, 2023 at 06:29:50PM +0200, Jan Stary wrote:
> > o On arm64, add a machdep.lidaction sysctl(8)
> > for aplsmc(4) Apple Silicon laptops.
>
> Should that be mentioned in the arm64 examples/sysctl.conf
> as on other such architectures?
>
> Index: etc/etc.arm64/sysctl.conf
> ===
On Fri, Mar 10, 2023 at 05:00:36PM -0500, A Tammy wrote:
>
> On 3/10/23 15:42, J Doe wrote:
> > On 2023-03-05 17:19, A Tammy wrote:
> >
> >>
> >> On 3/5/23 16:49, J Doe wrote:
> >>> Hello,
> >>>
> >>> I was wondering if there is a limit to the number of characters that
> >>> the username and/or pa
On Wed, Mar 01, 2023 at 01:38:24PM +, Stuart Henderson wrote:
> On 2023/03/01 14:21, Tobias Heider wrote:
> > On Wed, Mar 01, 2023 at 09:24:50AM -, Stuart Henderson wrote:
> > > On 2023-03-01, J Doe wrote:
> > > > Hello,
> > > >
> > > &
On Wed, Mar 01, 2023 at 09:24:50AM -, Stuart Henderson wrote:
> On 2023-03-01, J Doe wrote:
> > Hello,
> >
> > I have a question regarding authentication options in OpenIKED on
> > OpenBSD 7.2
> >
> > On my test lab I have one OpenBSD 7.2 machine with OpenIKED configured
> > to use PSK and a
On Fri, Feb 24, 2023 at 09:24:29AM -, Stuart Henderson wrote:
> On 2023-02-23, Thomas Bohl wrote:
> > I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> > 1781EW+) using iked. It works, except every time the Child SA
> > negotiation starts, iked answers NO_PROPOSAL_CHO
can give the raid5 on SSD (just
to see where the bottlenecks are) a shot (well, r5-on-virt; but for a
test setup, that should be ok-ish)
With best regards,
Tobias
We told you not
to do it, we told you it would hurt, and you did it anyway.'
So... I'd say there is no error in softraid(4), even if you can
technically make stacking "work".
With best regards,
Tobias
On Thu, Nov 24, 2022 at 06:51:40PM +0300, Aleksandr Mikhaylov wrote:
> Tobias Heider wrote:
> > On Thu, Nov 24, 2022 at 05:50:57PM +0300, Aleksandr Mikhaylov wrote:
> > > Tobias Heider wrote:
> > > > On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote
On Thu, Nov 24, 2022 at 05:50:57PM +0300, Aleksandr Mikhaylov wrote:
> Tobias Heider wrote:
> > On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote:
> > > Hi. Please tell me how to connect to an OpenBSD 7.2 Release
> > > from an OpenBSD
;
Hi,
your configs look ok. The server log shows the handshake is completed
and an IKE_AUTH reply is sent to the client, but on the client side this
message never arrives. This is why it keeps on resending the AUTH request
until it times out.
It is not clear whether the reply is lost in transit or discarded by your
client. You could try looking at a tcpdump of your handshake or enable
verbose logging in iked on your client and see if you can find anything
suspicious after "send IKE_AUTH req 1 ...".
- Tobias
platform agnostic.
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of
rsyk...@disroot.org
Sent: Monday, 3 October 2022 14:00
To: misc@openbsd.org
Subject: some simple way to serve videos?
Hello,
until now I have www-served (httpd) my photos using, as
Heho,
Ah, yeah, sorry, meant tap. Writing mails too late n stuff... :-/
With best regards,
Tobias
-Original Message-
From: Holger Glaess
Sent: Saturday, 1 October 2022 10:30
To: Tobias Fiebig ; 'OpenBSD general usage
list'
Subject: Re: VM(D) Interface Question
hi
no
Heho,
Any other VMs on the box? My first thought would be not enough tun devs,
default is iirc 4?
To make it work, if that is the case:
cd /dev ; sh ./MAKEDEV tun4 ; sh ./MAKEDEV tun5; sh ./MAKEDEV tun6
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On
s one of the issues around SRS (and why a key is needed for SRS).
With best regards,
Tobias
P.S.: There is a reason this comes from tob...@reads-this-mailinglist.com
-Original Message-
From: owner-m...@openbsd.org On Behalf Of Martijn van
Duren
Sent: Tuesday, 30 August 2022 19:2
On Sat, Aug 13, 2022 at 11:10:12AM +, Kostya Berger wrote:
> Hi,I'm trying to connect my OpenBSD 7.1 box to WPA-Enterprise AP. But
> wpa_supplicant fails to connect. However, the same config works fine in
> FreeBSD etc, just as it did in previous versions of OpenBSD (the last I used
> was 6
cat /etc/resolv.conf
cat /etc/pf.conf
ls /etc/hostname.*
cat /etc/hostname.*
ifconfig
With best regards,
Tobias
P.S.: Please keep replies on list. There is nothing more frustrating than
having the same issue as you, digging through promising mailing list archives,
and then figuring out that
network config setup on your device which is not in a
/etc/hostname.if file/manual gateways or sth.?
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of
latin...@vcn.bc.ca
Sent: Sunday, 7 August 2022 00:43
To: misc@openbsd.org
Subject: Upgrading from 7.0
having limited effect.
https://storage.fiebig.nl/s/H4ZHCwPN85yg4zN
Will add an update accordingly. :-)
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of Tobias Fiebig
Sent: Monday, 1 August 2022 21:34
To: misc@openbsd.org
Subject: Re: rpki-client disk
major effect, and seems to reduce performance
upon import.
- You are right; softdep is nearly as good as mfs.
With best regards,
Tobias
nt. I think I will just bench through all the options (softdep, noatime,
mfs, [...]) and write that down to have some comparison points.
With best regards,
Tobias
[1]
https://git.aperture-labs.org/AS59645/monitoring-tools/src/branch/master/other/update_rpki
With best regards,
Tobias
[1]
https://doing-stupid-things.as59645.net/networking/bgp/nsfp/2022/07/31/making-it-ping-part-5.html
will most likely also be
'not safe for production' anyway...
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of Tito Mari
Francis Escaño
Sent: Sunday, 24 July 2022 07:11
To: misc@openbsd.org
Subject: CIAM recommendation
Hi ever
might
just be a fluke.
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of
e.co...@gmx.net
Sent: Sunday, 17 July 2022 22:52
To: misc@openbsd.org
Subject: Freeze on OpenBSD 7.1
Hello,
I encounter a freeze on my OpenBSD 7.1 router. I have to reboot it
am sadly not good enough with the codebase to supply a diff,
but can test a patch if somebody writes one.
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of Claudio Jeker
Sent: Wednesday, 13 July 2022 13:13
To: Stuart Henderson
Cc: misc@openbsd.org
eoip tunnel, things
then worked.
Maybe something that is sticky/not handled about wg?
With best regards,
Tobias
### After removing wg0 (ifconfig wg0 destroy), deconfiguring the peer,
reloading bgpd, adding eoip0, and reconfig the peer
bgp-test.test /etc # ifconfig wg0
wg0: no such interface
that wg0 came up. Let me check whether
this behavior is the same for other tunnels (eoip).
With best regards,
Tobias
### Setting up wireguard interface after bgpd had been started
bgp-test.test rem # bgpctl sh nex
Flags: * = nexthop valid
Nexthop Route Prio Gateway Iface
s added later, e.g., vlan.
With best regards,
Tobias
e video site which goes over a range of these different devices.
Something like the "Lenovo M90n-IoT" might also be worthwhile to look at (even
though it comes with an Intel CPU).
With best regards,
Tobias
-Original Message-
From: owner-m...@openbsd.org On Behalf Of B. Atticus
auto detect OS to false."
It is about how they wired onboard and nv gpu together.
With best regards,
Tobias
> I have a ThinkPad T530, with a recently acquired docking station that I am
> finally attempting to use. It doesn't pick up on the displayport to the
> external mon
On Tue, Apr 12, 2022 at 01:03:55AM +0200, Ettore Tagarelli wrote:
> If I use the "dynamic" keyword I get this error: "no IP address found for
> dynamic" though "config address 192.168.98.1/24" is there.
> Using 0.0.0.0/32 instead of 0.0.0.0/0 causes that traffic is not routed
> ('cause /32 restrict
On Tue, Apr 12, 2022 at 03:06:50PM +0200, Ettore Tagarelli wrote:
> Updated to 7.0
> ...same problem 🙁
What does the updated config look like?
"from 0.0.0.0/0 to dynamic" should work in 7.0.
On Mon, Apr 11, 2022 at 11:13:45PM +0200, Ettore Tagarelli wrote:
> this is my iked.conf
> as far as I know the "somename" Stuart wrote about is automatically added
> by iked.
I don't exactly remember how it worked back in 6.6 either but you
could try 0.0.0.0/32 instead of 0.0.0.0/0.
In any case I
On Fri, Mar 25, 2022 at 12:23:45PM -0500, rea...@catastrophe.net wrote:
> The setup is two gateways with IPsec channels setup in tunnel mode
> to bridge networks 10.255.255.0/24 and 10.254.255.0/24. Traffic from
> server-east:enc0 does not match a SA in place when trying to connect to
> httpd on s
On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
> I have two openbsd machines configured to connect their respective
> downstream networks over ipsec. When I try to generate traffic (ping)
> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
> interface (
eel free to reach out if you encounter any problems.
- Tobias
> ---
> PGP-Key: CDE74120 ☀ computing @ chaos claudius
>
On Mon, Feb 21, 2022 at 09:12:27AM -0600, rea...@catastrophe.net wrote:
> On Mon, Feb 21, 2022 at 02:55:39PM +0100, Tobias Heider wrote:
> >On Sat, Feb 19, 2022 at 12:28:15AM -0600, rea...@catastrophe.net wrote:
> >> IKE is failing when I connect using a simple password de
On Mon, Feb 21, 2022 at 01:33:12PM +, n8dandy wrote:
> Hello there,
>
> First of all, I would like to thank people involved with iked. It works
> flawlessly, especially with Apple devices. Thanks for your work.
> In the near future, I plan to allow around 330 people to use this service. Do
>
On Sat, Feb 19, 2022 at 12:28:15AM -0600, rea...@catastrophe.net wrote:
> IKE is failing when I connect using a simple password defined in
> /etc/iked.conf. I'm connecting from a native Mac client...is
> mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance.
>
> Working configurati
xtensions of the same type (e.g. multiple subjectAltNames)?
This is all I can say without seeing the actual certificates and/or iked log.
- Tobias
Hey Georg,
The configs look ok to me. The error message and your description
sound like you might have forgotten to copy the certificate private
keys to /etc/iked/private/local.key
On Wed, Dec 01, 2021 at 08:50:58PM +0100, Georg Pfuetzenreuter wrote:
> Hello,
>
> I try to connect two OpenBSD 7.
On Tue, Jul 27, 2021 at 11:18:53AM +0200, Patrick Wildt wrote:
> On Tue, Jul 27, 2021 at 09:55:34AM +0200, Claudio Jeker wrote:
> > On Tue, Jul 27, 2021 at 07:32:09AM -, Stuart Henderson wrote:
> > > On 2021-07-27, Vladimir Nikishkin wrote:
> > > > Hello, everyone.
> > > >
> > > > This is my i
On Mon, May 31, 2021 at 02:31:22PM +, Leclerc, Sebastien wrote:
> > > > If that doesn't help you could share the output of 'ipsecctl -sa' to
> > > > find
> > > > out if the IPsec SAs or flows are the problem.
> > >
> > > That may be the problem, there is nothing between 192.168.1.109 and
> >
On Mon, May 31, 2021 at 12:20:29PM +, Leclerc, Sebastien wrote:
> > I'm not sure about that bge0 rule. iked.conf(5) mentions ipencap only
> > in the context of enc interfaces.
> > You could try adding 'set skip on enc0' to find out if pf is the problem.
>
> That rule has been the same for som
On Fri, May 28, 2021 at 11:56:54AM +, Leclerc, Sebastien wrote:
> >It looks like 'keep state (if-bound)' iked.conf(5) is not present or being
> >respected on the return traffic to the VPN device/firewall from your
> >internal network. ICMP traffic is coming into the VPN device encrypted,
>
ither try using 0.0.0.0/0 instead or even better update
to the latest version.
>
> Full log: https://pastebin.com/MLC4VXSs
>
> P.S. Tried removing the ikelifetime and lifetime parameters as well. Did
> not help, the same behavior.
>
> On Tue, May 11, 2021 at 7:43 PM Tobias Hei
tell you the exact traffic selectors you need
in your config (look for ikev2_pld_ts in the verbose log).
On Tue, May 11, 2021 at 01:47:53PM +0300, Денис Давыдов wrote:
> Tobias,
>
> The remote side gave me their Cisco ASA 5585 settings and they showed the
> logs:
>
> object network
On Fri, May 07, 2021 at 12:17:35PM +0300, Денис Давыдов wrote:
> Hello all,
>
> I can't understand why I got SA_INIT timeout:
> May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free:
> SA_INIT timeout
>
> 1.1.1.1 (crypto-gw2) - my host
> 7.7.7.7 - our isp provider (some of cisco
On Mon, Feb 22, 2021 at 03:59:53PM +0100, Riccardo Giuntoli wrote:
> Ok. In the log you can appreciate.
>
> UK-HOST one OpenBSD machine connected to three openbsd, one mikrotik and
> one VyOS. The VyOS is CAT-HOST
>
> Kind regards
The log looks fine but it doesn't seem to contain the error messa
]: pfkey_sa_lookup: message: No such
> process
>
I don't see any obvious misconfiguration so this might be a bug,
but without the log I won't be able to help.
- Tobias
>
> Here you are the Strongswan configuration:
>
> conn
> keyexchange=ikev2
> type=trans
0.0/24 to 10.0.1.0/24 \
from 10.0.10.0/24 to 10.0.4.0/24 \
from 10.0.10.0/24 to 10.0.7.0/24 \
local responder peer initiator \
childsa group modp2048 \
srcid "/CN=responder" dstid "/CN=initiator"
- Tobias
Hi,
this doesn't look like an IKE problem if the handshake succeeds.
Try comparing the kernel SAs and flows (ipsecctl -sa on OpenBSD).
I think strongswan for some errors deletes child SAs right after
the handshake, maybe the charon log contains more information.
- Tobias
On Wed, Jul 29,
log output suggests the peer was authenticated via certificate/CA, not raw
public key.
Regards,
Tobias
>
> __
> Registered office/Headquarters: TÜV Informationstechnik GmbH *
On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from ::::30 to
On Fri, Jul 10, 2020 at 01:17:38PM +0300, Антон Касимов wrote:
> The descriptions of the ikesa and childsa options contain the following
> statements:
>
> Possible values for auth, enc, prf, group, and the* default proposals* are
> described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use
On Sun, Jun 21, 2020 at 04:33:14PM -0400, Sonic wrote:
> On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt wrote:
> > If you want to use a specific address for a policy, you can use the
> > "local" keyword to specify it. This is part of the policy, not a global
> > option.
> >
> > Then iked(8) conti
On Tue, Jun 16, 2020 at 08:20:59PM -0400, Daniel Ouellet wrote:
> Hi,
>
> > What I see is that the initial message is received but ignored, so this
> > side here probably runs into some kind of error.
> > To find out what exactly causes this, a more verbose log would help.
> > You could manually s
On Tue, Jun 16, 2020 at 05:08:47PM -0400, Daniel Ouellet wrote:
> > The retransmits tell us that the peer doesn't answer. Or, to be more
> > precise, it doesn't receive *any* message from the peer. Can you have
> > a look at the peer's logs? Does the peer see these packets but chooses
> > not to
Hi,
On Tue, Jun 16, 2020 at 03:25:12PM +0200, tris...@pilat.me wrote:
> Hi guys,
>
> First of all, thanks for the amazing work you've done with 6.7!
>
> That said, I've got the same issue here after I updated to 6.7. The VPN
> keeps cutting off every 10 minutes or so. Is there any way I could fi
On Fri, Jun 12, 2020 at 09:27:18PM +0200, Tobias Heider wrote:
> On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote:
> > Hi,
> >
> > We have two OpenBSD machines acting as gateways for our network using
> > CARP and IPsec (IKEv2).
> >
> > Whe
ork would also help.
> My guess is that it is simple and I don't think about it properly, but I
> am hitting a road block trying to figure it out.
>
> I am a bit at a lost and any clue stick would be greatly appreciated.
>
> Thanks
>
> Daniel
>
- Tobias
On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote:
> Hi,
>
> We have two OpenBSD machines acting as gateways for our network using
> CARP and IPsec (IKEv2).
>
> When the machines were running OpenBSD 6.6, from an IPSec client, you
> were able to reach the passive gateway while bei
On Thu, Jun 11, 2020 at 02:36:53PM +, Leclerc, Sebastien wrote:
> > It seems I got it wrong before. Even when there was ESP traffic, iked is
> > going
> > to start DPD when there hasn't been any incoming IKE message in the last
> > 5 minutes.
> >
> > My advice would be to just disable DPD in
On Tue, Jun 09, 2020 at 08:13:53PM +, Leclerc, Sebastien wrote:
> > > > Before 6.7 iked didn't start DPD in this particular case.
> > > > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > > > packets
> > > > in the last 5 minutes.
> > > > A possible workaround would b
On Tue, Jun 09, 2020 at 06:29:05PM +, Leclerc, Sebastien wrote:
> > Before 6.7 iked didn't start DPD in this particular case.
> > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > packets
> > in the last 5 minutes.
> > A possible workaround would be to ping through th
On Tue, Jun 09, 2020 at 01:11:38PM +, Leclerc, Sebastien wrote:
> > > > Jun 8 12:23:24 hv-fw-inf-02 iked[50153]: spi=0xa84faba012c73dce:
> > > > retransmit 1 INFORMATIONAL req 2
> > > peer 192.0.2.199:500 local 192.0.2.2:500
> > > > Jun 8 12:23:28 hv-fw-inf-02 iked[50153]: spi=0xa84faba012c7
On Mon, Jun 08, 2020 at 05:28:48PM +, Leclerc, Sebastien wrote:
> After an upgrade to 6.7 on amd64 this weekend, iked keeps reconnecting every
> 8 minutes, but only for one tunnel, to a Watchguard firewall. The tunnel has
> been functioning properly for 5 years. Other tunnels to OpenBSD devic
On Wed, Jun 03, 2020 at 02:07:52PM -0400, Sonic wrote:
> On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> > It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public
> > key
> > should be.
>
> The peers public key is there, the peer, a
On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote:
> Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into
> the following problem with the server2 example:
> ===
> ikev2 'server2_rsa' active esp \
> from 10.0.2.0/24 to 10.0.1.0/24 \
> pe
On Sun, May 03, 2020 at 01:07:56PM +0200, Florian Weber wrote:
> Good morning,
>
> I am trying to connect to remote locations to our main responder. The issue
> I am facing is that I can connect each site individually without any issue,
> however, I cannot connect both sides at the same time. The
On Fri, Apr 17, 2020 at 02:37:57PM +0200, Florian Weber wrote:
> Good afternoon,
>
> is it possible to have only traffic which is routed through a specific
> rdomain being encrypted, i.e. have an enc interface in another rdomain and
> only the whole traffic that runs in that rdomain gets encrypted?
Hello,
We've seen an issue where if you perform an ospfctl reload and have a faulty
configuration, for example an interface
that doesn't exist it dies (which is fair in itself) but the seq num for the
database never catches up with the DR until
the adjacency timer expires over and over again, can
I sent a diff to tech@ that should solve your problem:
https://marc.info/?l=openbsd-tech&m=158447623916319&w=2
On Sun, Jan 26, 2020 at 04:12:00PM +, Peter Müller wrote:
> Hello openbsd-misc,
>
> I am strongly interested in this, too.
>
> Since the iked manpage does not mention this, I suppos
rcid explicitly to client1.example.com and
client2.example.com with type FQDN in the client configurations (and leave the
server dstid as it was before).
Regards,
Tobias
-dv) and the output of
`ipsecctl -s all` after the second client has connected would be helpful
Regards,
Tobias