Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-31 Thread Stuart Henderson
o this VPN when CARP > does switchover and there will be no drama. > > I am currently using IPSEC/L2TP, but I do not insist on switching to > wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I > switched IKEv2 to IPSEC/L2TP when my CA certificate

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-30 Thread Radek
and there will be no drama. I am currently using IPSEC/L2TP, but I do not insist on switching to wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't cope with updating it to get a VPN back to work

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-30 Thread Stuart Henderson
On 2024-05-29, Vitaliy Makkoveev wrote: > He wants replication. This means both wireguard "servers" know the client > state. No client reconnection at failure, no delay, seamless migration > from failed node to the backup. Something like sasyncd(8), but for > npppd(8) or wg(4). wireguard doesn't

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Vitaliy Makkoveev
> On 29 May 2024, at 18:50, Hrvoje Popovski wrote: > > On 29.5.2024. 12:48, Radek wrote: >> Thank you, that explains everything. >> Does wireguard support replication? Will it work properly in my CARP setup? >> > > > why not use iked as vpn solution ? i'm not sure but i think that iked is

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Vitaliy Makkoveev
> On 29 May 2024, at 18:50, Hrvoje Popovski wrote: > > On 29.5.2024. 12:48, Radek wrote: >> Thank you, that explains everything. >> Does wireguard support replication? Will it work properly in my CARP setup? >> > > Hi, > > I have wg listen on carp interface for redundancy and it's working >

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread obsdml
> On May 29, 2024, at 3:48 AM, Radek wrote: > > Thank you, that explains everything. > Does wireguard support replication? Will it work properly in my CARP setup? wireguard doesn’t have “state” per se. it remembers the last address a key was associated with. In the event of a failover,

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Hrvoje Popovski
On 29.5.2024. 12:48, Radek wrote: > Thank you, that explains everything. > Does wireguard support replication? Will it work properly in my CARP setup? > Hi, I have wg listen on carp interface for redundancy and it's working without admins or clients needs to do anything when primary carp

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Stuart Henderson
On 2024/05/29 18:08, Vitaliy Makkoveev wrote: > On Wed, May 29, 2024 at 01:23:47PM -, Stuart Henderson wrote: > > On 2024-05-29, Vitaliy Makkoveev wrote: > > > On Wed, May 29, 2024 at 12:48:41PM +0200, Radek wrote: > > >> Thank you, that explains everything. > > >> Does wireguard support

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Vitaliy Makkoveev
On Wed, May 29, 2024 at 01:23:47PM -, Stuart Henderson wrote: > On 2024-05-29, Vitaliy Makkoveev wrote: > > On Wed, May 29, 2024 at 12:48:41PM +0200, Radek wrote: > >> Thank you, that explains everything. > >> Does wireguard support replication? Will it work properly in my CARP setup? > >>

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Stuart Henderson
On 2024-05-29, Vitaliy Makkoveev wrote: > On Wed, May 29, 2024 at 12:48:41PM +0200, Radek wrote: >> Thank you, that explains everything. >> Does wireguard support replication? Will it work properly in my CARP setup? >> > > No for both questions. However, wireguard allows to create complicated >

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Vitaliy Makkoveev
t; > Hello, > > > I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm > > > trying to set up redundant IPSEC VPN on it. > > > > > > - CARP + pfsync is working as expected - ca 1-2 pings lost at switchover. > > > - sasyncd see

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-29 Thread Radek
t; Hello, > > I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm > > trying to set up redundant IPSEC VPN on it. > > > > - CARP + pfsync is working as expected - ca 1-2 pings lost at switchover. > > - sasyncd seems to work as expected - fl

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-27 Thread Vitaliy Makkoveev
npppd does not support replication > On 27 May 2024, at 19:58, Radek wrote: > > Hello, > I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm > trying to set up redundant IPSEC VPN on it. > > - CARP + pfsync is working as expected - ca 1

[7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-27 Thread Radek
Hello, I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm trying to set up redundant IPSEC VPN on it. - CARP + pfsync is working as expected - ca 1-2 pings lost at switchover. - sasyncd seems to work as expected - flows and SADs are replicated between nodes - i

Re: When IPSec destination 0.0.0.0/0, I cannot ping directly connected Interfaces

2024-03-12 Thread Hrvoje Popovski
On 12.3.2024. 17:11, Samuel Jayden wrote: > Dear Misc, > > I have an OpenBSD device with two interfaces: vport10 with an IP address of > 192.168.83.1/24 and vport20 with an IP address of 192.168.85.1/24. I have > configured IPSec to route all traffic from these two vport interfac

When IPSec destination 0.0.0.0/0, I cannot ping directly connected Interfaces

2024-03-12 Thread Samuel Jayden
Dear Misc, I have an OpenBSD device with two interfaces: vport10 with an IP address of 192.168.83.1/24 and vport20 with an IP address of 192.168.85.1/24. I have configured IPSec to route all traffic from these two vport interfaces to another point through an IPSec tunnel using the destination

Re: ipsec hardware recommendation

2023-09-14 Thread Marko Cupać
Hi, thank you for suggestions, took me some time to think about them and reply here. On Fri, 11 Aug 2023 14:19:44 - (UTC) Stuart Henderson wrote: > If you post your IPsec configuration, perhaps someone can suggest > whether the choice of ciphers etc could be improved. It can make &

Re: IPsec over PPPoE

2023-08-24 Thread Jiri Navratil
enc0 > > interface, and can be filtered as such." and next line works with VPN > > tag, but there are no lines "pass in ... tag VPN" in pf.conf before this > > part. Shall that be added to FAQ? I expect, that switch from "set skip on > > enc0" to "pas

Re: IPsec over PPPoE

2023-08-23 Thread Tobias Heider
rt. Shall that be added to FAQ? I expect, that switch from "set skip on > enc0" to "pass in ... tag VPN" will be better in my case. > > If someone with IPsec experiences will propose changes to FAQ17, then I > also noted: > > In "road warrior" pa

Re: IPsec over PPPoE

2023-08-23 Thread Jiri Navratil
enc0 interface, and can be filtered as such." and next line works with VPN tag, but there are no lines "pass in ... tag VPN" in pf.conf before this part. Shall that be added to FAQ? I expect, that switch from "set skip on enc0" to "pass in ... tag VPN" will be b

Re: ipsec hardware recommendation

2023-08-11 Thread David Gwynne
> On 11 Aug 2023, at 21:08, Marko Cupać wrote: > > Hi, > > I have star topology network where dozens of spokes communicate with > other spokes through central hub over GRE tunnels protected with > transport-mode ipsec. > > This worked great for years, but l

Re: ipsec hardware recommendation

2023-08-11 Thread Stuart Henderson
On 2023-08-11, Marko Cupać wrote: > Hi, > > I have star topology network where dozens of spokes communicate with > other spokes through central hub over GRE tunnels protected with > transport-mode ipsec. > > This worked great for years, but lately all the locations got bandwi

Re: ipsec hardware recommendation

2023-08-11 Thread Matthew Ernisse
On Fri, Aug 11, 2023 at 01:08:07PM +0200, Marko Cupać said: Are there any commands I can run which would indicate ipsec traffic is being throttled due to hardware being underspecced? top shows CPU is more than 50% idle. netstat shows ~1 Ierrs / Ifail (no Oerrs / Ifail) on interfaces

ipsec hardware recommendation

2023-08-11 Thread Marko Cupać
Hi, I have star topology network where dozens of spokes communicate with other spokes through central hub over GRE tunnels protected with transport-mode ipsec. This worked great for years, but lately all the locations got bandwidth upgrade (spokes: 10Mbit -> 50Mbit, hub: 2x200Mbit -> 2x5

Re: ip6-only ipsec tunnel over ip4

2023-07-25 Thread Stuart Henderson
On 2023-07-26, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote: > I need to set up an ipsec tunnel between a couple of ip6 networks, > but I only have an ip4 path between the two gateways. I don't want > any ip4 traffic inside the ipsec tunnel, so I'm a bit puzzled about > how to set this

Re: ip6-only ipsec tunnel over ip4

2023-07-25 Thread deich...@placebonol.com
I have an L2 tunnel ( eoip ) going across IPsec tunnel, I'm routing ip4 across it. You could try the same with ipv6. diana KI5PGJ On July 25, 2023 8:07:16 PM MDT, "Lyndon Nerenberg (VE7TFX/VE6BBM)" wrote: >I need to set up an ipsec tunnel between a couple of ip6 networks, >

ip6-only ipsec tunnel over ip4

2023-07-25 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I need to set up an ipsec tunnel between a couple of ip6 networks, but I only have an ip4 path between the two gateways. I don't want any ip4 traffic inside the ipsec tunnel, so I'm a bit puzzled about how to set this up. Once I have the end-points up, can I just point the ip6 traffic and routes

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-11 Thread Tobias Heider
al "route -v show" will > make it easier to figure out where all the routes are coming from. > Would this change have support if I did the legwork? Yes, setting a fixed iked route label seems like a good idea. I am not convinced we need a per policy config setting. > > 2. What

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Anthony Coulter
currently exist are for the "iface" > option which tells an iked initiator (a machine, typically but not > necessarily mobile) to use mode-config to fetch an address, and > configure it on an interface. > > There is a diff for route-based IPsec which does use the route ta

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Zack Newman
I'm sure this is obvious to people, but just in case it is not: I pay $25/month for my VPS, and I think I could bring that down to $10 or $15 if I wanted. My VPS routes me a /48 IPv6 network... I clearly meant "My VPS _provider_ routes me...".

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Zack Newman
Before I essentially echo back what Stuart said, let me clarify something. I don't really recommend NAT over NDP proxying more than the other way around. I was merely stating that a hack is a hack is a hack. If you are forced to use a hack, then insisting on one over the other is bizarre unless

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Stuart Henderson
t;iface" option which tells an iked initiator (a machine, typically but not necessarily mobile) to use mode-config to fetch an address, and configure it on an interface. There is a diff for route-based IPsec which does use the route table (https://marc.info/?l=openbsd-tech=168844868110327=2

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-09 Thread Anthony Coulter
the peer's address) with the peer's address, and re-adds it to the routing table. What benefit does this provide? I think I understand "cloning" in the context of ARP and NDP caches with their RTF_CLONING and RTF_CLONED flags, and I recognize the pattern here of "take an existing route

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-08 Thread Andy Bradford
Thus said Anthony Coulter on Thu, 06 Jul 2023 21:52:54 -0400: > I would also suggest comparing the "hackiness" of NDP proxying to the > hackiness of NAT, which is how we solve this same problem in IPv4. I realize I'm coming in late to this discussion, and may not actually have anything of

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
> veering slightly from the topic (typical setup for a server host would > not be to use DHCPv6 but just statically route another block - usually a > /56 or /48), but... I don't doubt this is typical for serious network operators. But I would counter that for every user who is in a position to

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Zack Newman
Yeah, I don't have the interest to get into it about this; but I find it (informally) inconsistent to take an ideological stance against NAT and not have a similar stance against NDP proxying. Networking is a lot cleaner when it can be reasoned about with a rudimentary grasp of graph theory where

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Stuart Henderson
veering slightly from the topic (typical setup for a server host would not be to use DHCPv6 but just statically route another block - usually a /56 or /48), but... On 2023-07-07, Anthony Coulter wrote: > The trouble with subnets is that they have to be configured. I would > have to install a

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
elegant. What does it take for the proxied IP address to be globally routable? Three things have to happen: the Internet has to deliver the packet to the IKEv2 responder's gateway router. The gateway router has to send the packet to the IKEv2 responder. And the IKEv2 responder has to send the

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
the recommended solution for IPv6. Taking responsibility for routing the whole /64 subnet just to support a couple of IPsec tunnels seems wrong. I'm not trying to bridge networks; I just want to use an IPsec tunnel to proxy traffic from my laptop. The "ndp -s" trick seems s

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Zack Newman
similar setup myself except I use WireGuard, but I'm confident IKEv2/IPSec would be easy to set up as well.

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Stuart Henderson
pings to my server where they > can be shoved into the IPsec tunnel to the client. So it looks like > the iked responder needs to send IPv6 neighbor advertisements for the > allocated address after all. Is there a way to do this? Your simplest options are either to ask upstream to

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-05 Thread Anthony Coulter
OK, I've sorted out my network issues server but it turns out that I was misinterpreting the tcpdump output on my VPS. When an external computer tries to ping my client's virtual IP address, the VPS's gateway router is *not* forwarding the pings to my server where they can be shoved into the IPsec

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-05 Thread Tobias Heider
f which IP >address it is, which seems like a handy feature for what I'm trying to >do. > >Here is what I want to do: the client should open an IPsec tunnel to >the server. The client should request an IPv6 address from the server's >enormous /64 subnet. Then, applications runni

IPsec "road warrior" VPN not getting set up properly.

2023-07-04 Thread Anthony Coulter
vider doesn't appear to look at neighbor discovery traffic; it routes all traffic in that /64 to my VirtIO interface, regardless of which IP address it is, which seems like a handy feature for what I'm trying to do. Here is what I want to do: the client should open an IPsec tunnel to the serv

Re: IPsec over PPPoE

2023-06-28 Thread Stuart Henderson
reload flows somehow when the private IP changes) or use "any" as > source with the other end's static public IP as the destination (and be > careful with your flow traffic selectors if you still need to send some > traffic towards the other side without IPsec). or you can

Re: IPsec over PPPoE

2023-06-28 Thread Stuart Henderson
aybe also port numbers etc, if configured to do so). When using tcpdump, don't just look at interfaces where you expect to see the traffic. Look at others where it might conceivably end up, too. > 5) There is note in FAQ, that Native WireGuard support is also > available. As both

Re: IPsec over PPPoE

2023-06-28 Thread Stefan Sperling
(and be careful with your flow traffic selectors if you still need to send some traffic towards the other side without IPsec). Flows towards a box behind NAT need to use the NAT's public IP to match outgoing packets sent towards the internet. You can ignore 'srcnat' in this context. 'srcnat' could be u

Re: IPsec over PPPoE

2023-06-28 Thread Janne Johansson
> > 5) There is note in FAQ, that Native WireGuard support is also > available. As both IPsec and WireGuard are new to me, may wg(4) be an > option? > Yes, it should be a good option for site2site tunnels. -- May the most significant bit of your life be positive.

IPsec over PPPoE

2023-06-28 Thread Jiri Navratil
in FAQ, that Native WireGuard support is also available. As both IPsec and WireGuard are new to me, may wg(4) be an option? 6) Any good IPsec reading next to FAQ and man pages? Thank you, Jiří

Re: Route based IPsec

2023-05-31 Thread B. Atticus Grobe
On 5/31/23 05:03, Valdrin MUJA wrote: > Hi Claudio & David, > > Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP. I've been using OSPF over wireguard for several years now. It works quite well. You just have to add `wgaip 224.0.0.0/8' to allow multicast over

Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
g my work with the wireguard config.) From: owner-m...@openbsd.org on behalf of Claudio Jeker Sent: Wednesday, May 31, 2023 12:09 To: David Gwynne Cc: Misc Subject: Re: Route based IPsec On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote: > >

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
rt Henderson > >>> wrote: > >>> > >>> On 2023-05-27, Valdrin MUJA wrote: > >>>> Does OpenBSD have routed based IPsec support? > >>> > >>> Not yet. > >> > >> while you wait, it might be possible to confi

Re: Route based IPsec

2023-05-31 Thread David Gwynne
> On 31 May 2023, at 18:33, Claudio Jeker wrote: > > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: >> >> >>> On 27 May 2023, at 21:40, Stuart Henderson >>> wrote: >>> >>> On 2023-05-27, Valdrin MUJA w

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: > > > > On 27 May 2023, at 21:40, Stuart Henderson > > wrote: > > > > On 2023-05-27, Valdrin MUJA wrote: > >> Does OpenBSD have routed based IPsec support? > > > >

Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
Thanks David, I'll try it soon. From: owner-m...@openbsd.org on behalf of David Gwynne Sent: Wednesday, May 31, 2023 01:35 To: Stuart Henderson Cc: misc@openbsd.org Subject: Re: Route based IPsec > On 27 May 2023, at 21:40, Stuart Henderson wr

Re: Route based IPsec

2023-05-30 Thread David Gwynne
> On 27 May 2023, at 21:40, Stuart Henderson wrote: > > On 2023-05-27, Valdrin MUJA wrote: >>Does OpenBSD have routed based IPsec support? > > Not yet. while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode. dlg

Re: Route based IPsec

2023-05-27 Thread Hrvoje Popovski
On 27.5.2023. 9:24, Valdrin MUJA wrote: > Hello, > > I need Route based IPsec solution to set up between a firewall device and > my OpenBSD firewall. > However, I am a little confused about this: > I created more than one enc device, I did policy based routing with PF bu

Re: Route based IPsec

2023-05-27 Thread Stuart Henderson
On 2023-05-27, Valdrin MUJA wrote: > Does OpenBSD have routed based IPsec support? Not yet.

Route based IPsec

2023-05-27 Thread Valdrin MUJA
Hello, I need Route based IPsec solution to set up between a firewall device and my OpenBSD firewall. However, I am a little confused about this: I created more than one enc device, I did policy based routing with PF but no results. I guess this is not the intended use of interfaces like

ipsec via strongswan (traffic present but no response)

2023-04-20 Thread Gregory Edigarov
Hello, lbld12# uname -a OpenBSD lbld12.duckdns.org 7.3 GENERIC.MP#1130 amd64 Our current vpn uses user/password authentication, mschapv2. so I am trying to use strongswan to connect to my workplace. # ipsec statusall Security Associations (1 up, 0 connecting): qarea[1]: ESTABLISHED 62

Re: Ipsec + bridge + egre issue with multiple bridges an non-static ip

2022-11-26 Thread Markus Wipp
ipp wrote: > > Hi all, > > I hope that someone here on the list could give me some hints on how I can > make my setup working. > > I have the following setup: > > "Virtual server 1" is connected to "Virtual server 2" via egre over ipsec on >

Ipsec + bridge + egre issue with multiple bridges an non-static ip

2022-11-26 Thread Markus Wipp
Hi all, I hope that someone here on the list could give me some hints on how I can make my setup working. I have the following setup: "Virtual server 1" is connected to "Virtual server 2" via egre over ipsec on both sides I’m using a bridge and a vether interface.

Re: ipsec traffic is dropped between two machines

2022-03-23 Thread readme
On Wed, Mar 23, 2022 at 02:10:03PM +0100, Tobias Heider wrote: >On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote: >> I have two openbsd machines configured to connect their respective >> downstream networks over ipsec. When I try to generate traffic (ping)

Re: ipsec traffic is dropped between two machines

2022-03-23 Thread Tobias Heider
On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote: > I have two openbsd machines configured to connect their respective > downstream networks over ipsec. When I try to generate traffic (ping) > from server-west's enc0 interface (10.255.255.1) to server-east's enc0 &g

Re: ipsec traffic is dropped between two machines

2022-03-22 Thread readme
On Tue, Mar 22, 2022 at 09:56:49AM -0500, rea...@catastrophe.net wrote: >Rules on both sides are: > ># server-east >-- >pass in proto udp from any to self port { isakmp, ipsec-nat-t } keep state >pass out proto udp from any to any port { isakmp, ipsec-nat-t }

Re: ipsec traffic is dropped between two machines

2022-03-22 Thread readme
s (vio0..) for ESP traffic allowance. >The '@73' and '@58' already indicates a major difference so check for 'pass >... proto esp'. Thanks. There are only differences as one side has other rules for local access (some web server, etc.). Rules on both sides are: # server-east ------ pass i

Re: ipsec traffic is dropped between two machines

2022-03-22 Thread Stuart Henderson
On 2022-03-22, Philipp Buehler wrote: >> server-east PF rule: >> - >> @58 pass log quick on enc0 all flags S/SA tagged VPN.WEST > > enc(4) is an observer interface and not meant to take pf rules besides > "set skip on enc0" :-) I disagree, that's where I hang my "scrub

Re: ipsec traffic is dropped between two machines

2022-03-22 Thread Pawel Kraszewski
Problem with service working after cross-pinging the other sides seems like some stateful firewall that needs a nudge from inside. -- Paweł Kraszewski

Re: ipsec traffic is dropped between two machines

2022-03-21 Thread Philipp Buehler
Am 21.03.2022 19:04 schrieb rea...@catastrophe.net: The flows look correct in the SA table on server-west and traffic leaves on enc0, hits vio0 on server-east as ESP traffic, but then is dropped. Again, only when I also start a ping on server-east (10.254.255.1) to server-west (10.255.255.1)

Re: ipsec traffic is dropped between two machines

2022-03-21 Thread readme
On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote: [..] >SAD: >esp tunnel from 203.0.113.50 to 100.64.1 spi 0x54e00602 enc aes-128-gcm >esp tunnel from 100.64.1 to 203.0.113.50 spi 0xcb8f2ddb enc aes-128-gcm This flow should be: esp tunnel from 203.0.113.50 to 100.64.1.92

ipsec traffic is dropped between two machines

2022-03-21 Thread readme
I have two openbsd machines configured to connect their respective downstream networks over ipsec. When I try to generate traffic (ping) from server-west's enc0 interface (10.255.255.1) to server-east's enc0 interface (10.254.255.1), traffic is sent out the corresponding SA but is never seen

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-19 Thread Dmitry Petrakoff
Hi fix...@gmail.com. I use this set of parameters for l2tp+IPSec. It works fine both with Windows and Apple (including iOS15 and OSX 12). Hope it'll help you. ike passive esp transport proto udp from 100.88.99.100 to any port 1701 \ main auth hmac-sha1 enc aes-256 group modp2048

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread fixied
On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote... > On Fri, Feb 18, 2022 at 11:43 AM I wrote: >> ike passive esp transport proto udp from $public_ip to any \ >> main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \ >> quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \ >>

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread Stuart Henderson
On 2022-02-18, fix...@gmail.com wrote: > On Fri, Feb 18, 2022 at 11:43 AM I wrote: >> I recently started seeing some ipsec clients fail on newer versions of >> MacOS and iOS. After MacOS 12.1, connecting to my head end now fails >> with NO_PROPOSAL_CHOSEN using mod1024 in my

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread fixied
Matthew Ernisse writes... > How are you setting the proposals on the MacOS end? Your first instance I > think you figured out that you had not specified PSK and so you had a mismatch > there. In the second case you didn't supply the iked(8) debugging information > so I'm not sure what is

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread Matthew Ernisse
On Fri, Feb 18, 2022 at 01:30:27PM -0600, fix...@gmail.com said: > Date: Fri, 18 Feb 2022 13:30:27 -0600 > From: fix...@gmail.com > To: misc@openbsd.org > Subject: Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from > recent MacOS/iOS clients > > On Fri, Feb 18, 202

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread fixied
On Fri, Feb 18, 2022 at 11:43 AM I wrote: > I recently started seeing some ipsec clients fail on newer versions of > MacOS and iOS. After MacOS 12.1, connecting to my head end now fails > with NO_PROPOSAL_CHOSEN using mod1024 in my ipsec.conf. I've also > tried, with no success: &

IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-18 Thread fixied
I recently started seeing some ipsec clients fail on newer versions of MacOS and iOS. After MacOS 12.1, connecting to my head end now fails with NO_PROPOSAL_CHOSEN using mod1024 in my ipsec.conf. I've also tried, with no success: main auth "hmac-sha2" enc "aes" group modp1

Re: ipsec with default route and routing of internal networks

2021-10-05 Thread Hrvoje Popovski
On 14.9.2021. 13:12, Hrvoje Popovski wrote: > On 13.9.2021. 15:52, Stuart Henderson wrote: >> On 2021-09-13, Hrvoje Popovski wrote: >>> On 13.9.2021. 14:08, Tom Smyth wrote: Can you do an exception for the ranges ... so internet - private ips you don't want over the tunnel)

Re: ipsec with default route and routing of internal networks

2021-09-14 Thread Hrvoje Popovski
On 13.9.2021. 15:52, Stuart Henderson wrote: > On 2021-09-13, Hrvoje Popovski wrote: >> On 13.9.2021. 14:08, Tom Smyth wrote: >>> Can you do  an exception for the ranges ...  so internet - private ips >>> you dont want over the tunnel) >>> >>> ike esp from 10.90.0.0/24 to

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Stuart Henderson
On 2021-09-13, Hrvoje Popovski wrote: > On 13.9.2021. 14:08, Tom Smyth wrote: >> Can you do an exception for the ranges ... so internet - private ips >> you don't want over the tunnel) >> >> ike esp from 10.90.0.0/24 to any encrypt >> and >> >> 10.90.0.0/24

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
On 13.9.2021. 14:08, Tom Smyth wrote: > Can you do an exception for the ranges ... so internet - private ips > you don't want over the tunnel) > > ike esp from 10.90.0.0/24 to any encrypt > and > > 10.90.0.0/24 to NOT [networks you don't want >

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
al network, as other networks (10.91/24, > 10.92/24). > i need "ike esp from 10.90.0.0/24 to any"... because hosts on that > network need to go out to internet over ipsec tunnel ... but at the same > time hosts in that 10.90/24 network needs to communicate to other > internal networks... > -- Kindest regards, Tom Smyth.

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
ke esp from 10.90.0.0/24 to any"... because hosts on that network need to go out to internet over ipsec tunnel ... but at the same time hosts in that 10.90/24 network needs to communicate to other internal networks...

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
10.90.0.0/24 to {list of private network ranges that are across the tunnel} (remove any and replace with specific subnets to be routed across the Ipsec tunnel) without a diagram I cant help much more... On Mon, 13 Sept 2021 at 11:36, Hrvoje Popovski wrote: > Hi all, > > I have a

ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi all, I have a firewall that routes few internal networks, 10.90/24, 10.91/24, 10.92/24. And i have some static routes to other firewalls, but i don't think that is relevant to this problem. For network 10.90/24 i have ipsec tunnel, and i need to push any traffic from that network
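
One way to lay out /etc/ipsec.conf for the setup described in this thread, added here as an example and not taken from anything Hrvoje, Tom or Stuart posted: 10.90.0.0/24 reaches the Internet through the tunnel, while its traffic to 10.91.0.0/24 and 10.92.0.0/24 stays local. The peer address 203.0.113.1, the proposal and the key are assumptions. It relies on ipsec.conf(5) flows with "type bypass" and on the SPD matching the most specific flow, so the /24-to-/24 bypass entries win over the catch-all "to any" flow that the ike rule installs.

```conf
# /etc/ipsec.conf (added example; peer address, key and proposal are assumptions)
peer_gw = "203.0.113.1"

# Weak version: on its own this drags 10.91/24 and 10.92/24 traffic into the
# tunnel as well, because "any" also covers the other internal networks.
#ike esp from 10.90.0.0/24 to any peer $peer_gw

# Corrected version.
# 1. More specific bypass flows for local-to-local traffic. ipsecctl installs
#    both directions for each line, so the return path is covered too.
flow esp from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow esp from 10.90.0.0/24 to 10.92.0.0/24 type bypass

# 2. The catch-all tunnel for everything else leaving 10.90/24.
ike esp from 10.90.0.0/24 to any peer $peer_gw \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "replace-with-a-long-random-secret"
```

Check the file with "ipsecctl -nf /etc/ipsec.conf" before loading it; afterwards "ipsecctl -sf" should list the two bypass flows next to the require flows created by the ike rule, and a ping from 10.90.0.0/24 to 10.91.0.0/24 should no longer show up on enc0.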

OpenSMTPD priority and IPSEC relay distribution

2021-06-02 Thread Riccardo Giuntoli
Hello there. I've got some domains that I want to point to a bounce of MX all with the same priorities. Once one of them receive the message I want that it resend it relaying to all the others in a IPSEC GRE network. What is the correct configuration of smtpd.conf? Nice regards, -- Name

Re: Can't connect to IKE1 VPN Server via OpenBsd 6.8 with IPSEC/L2TP

2021-01-05 Thread Marko Bauhardt
> Marko Bauhardt hat am 31.12.2020 00:05 > geschrieben: > > > Hi, > I have a dell xps laptop with OpenBsd 6.8 running. I want to connect to an > IKEv1 L2TP VPN Server. > > I followed the steps on https://www.openbsd.org/faq/faq17.html#clientikev1 > and

Can't connect to IKE1 VPN Server via OpenBsd 6.8 with IPSEC/L2TP

2020-12-30 Thread Marko Bauhardt
Hi, I have a dell xps laptop with OpenBsd 6.8 running. I want to connect to an IKEv1 L2TP VPN Server. I followed the steps on https://www.openbsd.org/faq/faq17.html#clientikev1 and /usr/local/share/doc/pkg-readmes/xl2tpd I created the following config files /etc/ipsec.conf ike

iked vs IPsec failover (carp & sasyncd)

2020-11-08 Thread Harald Dunkel
Hi folks, wrt IPsec failover via sasyncd and carp: sasyncd(8) and iked(8) don't seem to tell, but I would guess that all hosts on the carp interface have to share the private key to support renegotiation. How can I tell iked which private key to use, instead of local.key? Is there a similar

Re: IPsec and MTU / fragmentation

2020-10-30 Thread Brian Brombacher
>> > > How did you calculate the max-mss? It seems too high for a double tunnel > setup. Also, sorry for double post, you need the match rule on enc0 to impact TCP streams going over IPSec to change their mss. I don’t have the old emails for this thread, so not sure if
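
A pf.conf fragment that brings together three points raised in these threads, added here as an example and not taken from any of the posts: filtering decrypted traffic on enc0 with a tag instead of "set skip on enc0" (the FAQ question in the IPsec over PPPoE thread and the rules posted in the ipsec-traffic-is-dropped thread), and clamping the MSS on enc0 so TCP inside the tunnel does not get fragmented (this thread). Interface name, peer and network addresses are assumptions. It also assumes that a tag set on the encapsulating (ipencap) packet seen on enc0 stays on the mbuf and is therefore present on the decapsulated inner packet, which is what the "tagged VPN" rule keys on. The max-mss value of 1398 assumes a 1500-byte path MTU and a tunnel-mode SA with AES-128-GCM: 1500 minus the outer IP header (20), ESP header (8), IV (8), ICV (16) and ESP trailer (2) leaves 1446 for the inner packet; minus the inner IP and TCP headers (40) that is 1406, and subtracting the 8-byte UDP header used by NAT-T gives 1398. Since 1398 + 40 + 2 is a multiple of 4, no ESP padding is added in either case.

```conf
# /etc/pf.conf fragment (added example; interface, peer and networks are assumptions)
ext_if = "vio0"
peer   = "203.0.113.50"          # remote IPsec gateway
remote = "10.254.0.0/16"         # network behind the peer
local  = "10.255.0.0/16"         # network behind this host

# Weak version: no filtering at all on the decrypted traffic.
#set skip on enc0

# IKE (including NAT-T) and ESP on the outside interface, only to and from the known peer.
pass in  on $ext_if proto udp from $peer to ($ext_if) port { isakmp, ipsec-nat-t }
pass out on $ext_if proto udp from ($ext_if) to $peer port { isakmp, ipsec-nat-t }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# enc0 sees each inbound packet twice: first the ipencap envelope, then the
# decapsulated inner packet. Tag the envelope; only inner packets carrying the
# tag, i.e. those that really came out of this peer's SA, may pass as $remote.
pass in  on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound) tag VPN
pass in  on enc0 inet from $remote to $local tagged VPN
pass out on enc0 inet from $local to $remote keep state (if-bound)

# Clamp TCP MSS in both directions of the tunnel (derivation in the text above).
match out on enc0 inet proto tcp from $local to $remote scrub (max-mss 1398)
match in  on enc0 inet proto tcp from $remote to $local tagged VPN scrub (max-mss 1398)
```

With a default block rule in place, an inbound packet on enc0 that claims a $remote source but arrives without the tag (for example via a different SA) is dropped, which is the property "set skip on enc0" gives up. For a GRE-over-IPsec setup the TCP segment is visible on gre0 rather than enc0, so the clamp belongs there, and the budget shrinks by another 4 bytes for the GRE header (more with the key or sequence options) plus 20 bytes for the extra IP header if the SA is tunnel mode rather than transport mode. Check syntax with "pfctl -nf /etc/pf.conf" and confirm the loaded rules with "pfctl -sr".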

Re: IPsec and MTU / fragmentation

2020-10-30 Thread Brian Brombacher
hrough > the tunnel. > > In my instance, the solution for eliminating packet loss over the long > distance > ipsec/gre tunnel was putting in a queue: > > queue hfsq-gre0 on gre0 flows 1024 bandwidth $BW_LIMIT max $BW_LIMIT quantum > 400 qlimit 1000 default > > .d.d. >

Re: IPsec and MTU / fragmentation

2020-10-29 Thread David Diggles
er still experienced about 5% packet loss when i run speedtest.net through the tunnel. In my instance, the solution for eliminating packet loss over the long distance ipsec/gre tunnel was putting in a queue: queue hfsq-gre0 on gre0 flows 1024 bandwidth $BW_LIMIT max $BW_LIMIT quantum 400 qlimit 1000 default .d.d.

Re: question about IPsec

2020-08-17 Thread Stuart Henderson
On 2020-08-15, Riccardo Giuntoli wrote: > Hello there nice people. > > It's possible have in the same machine IKEv2 and IKEv1 running? Not with iked/isakmpd, they conflict on the kernel interface for adding ipsec information. Possibly with strongswan. > How can I open IKEv2

question about IPsec

2020-08-15 Thread Riccardo Giuntoli
Hello there nice people. It's possible have in the same machine IKEv2 and IKEv1 running? How can I open IKEv2 socket only on an IP or an interface? Perhaps with different routing tables? Nice regards -- Name: Riccardo Giuntoli Email: tag...@gmail.com Location: sant Pere de Ribes, BCN, Spain

Re: IPSec heavy traffic slows down all network traffic

2020-07-30 Thread jean-yves boisiaud
t week, I upgraded a couple of firewalls using carp/pfsync and >> sasyncd >> > from 6.0 to 6.7 (yes, big jump !). >> > >> > I also applied all the 6.7 published patches. >> > >> > When some heavy traffic takes one of the IPSec tunnel, I noticed

Re: IPSec heavy traffic slows down all network traffic

2020-07-22 Thread jean-yves boisiaud
from 6.0 to 6.7 (yes, big jump !). > > > > I also applied all the 6.7 published patches. > > > > When some heavy traffic takes one of the IPSec tunnel, I noticed that : > > - all network connections are slowed down > > - unused network bandwidth increase instead of d

Re: l2ip + ipsec question

2020-07-21 Thread kasak
n use "from my.gate.ip port 1701 to any port 1701" if you want. btw I strongly recommend avoiding l2tp+ipsec if you have another choice. Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn cope better if you end up on a natted network. i'm sorry but i still do not

Re: l2ip + ipsec question

2020-07-21 Thread Stuart Henderson
On 2020-07-20, kasak wrote: > Hello misc. > Recently, i needed to setup l2tp-ipsec for some ip phones to reach my > network. > > so, the l2tp part is not trouble at all with npppd, but, the ipsec part > is harder to understand. > > after reading ipsec and ipsec.conf man,

l2ip + ipsec question

2020-07-20 Thread kasak
Hello misc. Recently, i needed to setup l2tp-ipsec for some ip phones to reach my network. so, the l2tp part is not trouble at all with npppd, but, the ipsec part is harder to understand. after reading ipsec and ipsec.conf man, i tryed to add just one line: ike passive from my.ga.te.ip
