On Tue, Dec 12, 2023 at 07:38:30AM +0100, Sebastian John wrote:
> Hello,
>
> I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new
> machine. I put the isakmpd.conf from the old machine (7.3) on the
> new one. Also some other configurations (interfaces, pf...). All
> works fine but the
Hello,
I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new
machine. I put the isakmpd.conf from the old machine (7.3) on the
new one. Also some other configurations (interfaces, pf...). All
works fine but the incoming IPSec packets are not tagged anymore.
[.. isakmpd.conf ..]
PF-Tag=
On 2022-03-11, Axel Rau wrote:
>
>
>> On 09.03.2022 at 11:44, Axel Rau wrote:
>>
>> are both able to support the same network topologies with both IPv4 and IPv6?
> Seems to be a difficult question.
Nobody wants to decode the isakmpd.conf to work out what the existing
configuration does :-)
> On 11.03.2022 at 14:32, Tobias Heider wrote:
>
> looks like your setup should also work with iked.
So I will try this in a few weeks and report back.
Thanks for responding,
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
to get an answer / a comment of one of the experts?
>
> Axel
Hey Axel,
looks like your setup should also work with iked. Keep in mind
however that running iked and isakmpd on the same machine does not work,
so you will probably have to switch all machines at the same time without
overlap.
F
> On 09.03.2022 at 11:44, Axel Rau wrote:
>
> are both able to support the same network topologies with both IPv4 and IPv6?
Seems to be a difficult question.
What can I do to get an answer / a comment of one of the experts?
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
, the other 2 are road warriors, where IP
of others changes about once a month.
As this is an operational setup, moving from isakmpd to iked seems to be a
challenge. (-:
Can the transition be done without losing functionality?
Axel
PS: To illustrate further, I include the connections from
isakmpd syslogs into another file
On Thu, 2021-12-30 at 08:59 +, Hayri Can KAVAK wrote:
Hello,
I'm trying to separate isakmpd/ipsec logs to another file instead of
/var/log/messages.
Here my config at the top of /etc/syslog.conf
!!isakmpd
daemon.info
Thanks Martijn; it worked by creating these files.
From: Martijn van Duren on behalf of
owner-m...@openbsd.org
Sent: Thursday, 30 December 2021 12:46
To: Hayri Can KAVAK ; misc@openbsd.org
Subject: Re: howto separate isakmpd syslogs into another file
On Thu
On Thu, 2021-12-30 at 08:59 +, Hayri Can KAVAK wrote:
> Hello,
>
> I'm trying to separate isakmpd/ipsec logs to another file instead of
> /var/log/messages.
> Here my config at the top of /etc/syslog.conf
> !!isakmpd
> daemon.info
Hello,
I'm trying to separate isakmpd/ipsec logs to another file instead of
/var/log/messages.
Here my config at the top of /etc/syslog.conf
!!isakmpd
daemon.info /var/log/ipsec_info.log
daemon.debug /var/log
;> Hi all
>>
>> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>>
>> In my last VPN config (using 6.8) I see in the logs that isakmpd is
>> expecting RSA_SIG as authentication method, while in ipsec.conf I set the
>> psk value.
>
On 2021-05-04, Giacomo Marconi wrote:
> Hi all
>
> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>
> In my last VPN config (using 6.8) I see in the logs that isakmpd is
> expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk
>
Hi all
I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
In my last VPN config (using 6.8) I see in the logs that isakmpd is expecting
RSA_SIG as authentication method, while in ipsec.conf I set the psk value.
May 4 18:11:44 fw-donmilani isakmpd[37871]: attribute_unacceptable
Christoph Leser wrote:
Hi,
after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd
does no longer write pcap files in /var/run.
In /var/log/messages we see the following message:
isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w")
faile
> after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no
> longer write pcap files in /var/run.
>
> In /var/log/messages we see the following message:
>
> isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") failed:
> Permissi
Hi,
after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no
longer write pcap files in /var/run.
In /var/log/messages we see the following message:
isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") failed:
Permission denied
Any idea
Tommy Nevtelen wrote on 31-8-2018 16:12:
On 2018-08-31 10:44, Daniel Polak wrote:
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard
Hello Philipp,
I use to (reliably) run from two to four parallel instances of isakmpd on
same boxes (for years) - first using different ports, then different IPs.
It seems like they've had to (peacefully) share the SADB. Did I just not
have enough tunnels to trigger the problem? If this isn't
On 2018-08-31 10:44, Daniel Polak wrote:
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do
On Thursday, August 30, 2018 17:39 CEST, Philipp Buehler
wrote:
> Hi,
>
> On 30.08.2018 10:27, Sebastian Reitenbach wrote:
> > Hi,
> >
> > I'm wondering if it would be possible to add iked to my box already
> > running isakmpd.
> > I found this quite
Tommy Nevtelen wrote on 30-8-2018 23:13:
We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do it all
at the same time and that is not very
On 2018-08-30 22:06, Daniel Polak wrote:
> On 30/08/2018 17:39, Philipp Buehler wrote:
>> I was not following development too closely, but I think that on the
>> kernel side
>> things have not changed. Which means iked and isakmpd will happily
>> "toe tap"
On 30/08/2018 17:39, Philipp Buehler wrote:
I was not following development too closely, but I think that on the
kernel side
things have not changed. Which means iked and isakmpd will happily
"toe tap"
on each other's SADB in the kernel (even if there is *some* PID handling).
Hi,
On 30.08.2018 10:27, Sebastian Reitenbach wrote:
Hi,
I'm wondering if it would be possible to add iked to my box already
running isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
Why is it "always
Hi,
I'm wondering if it would be possible to add iked to my box already running
isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
just checking to see if things might have changed since then.
I've a vio0 interface
Dear Friends,
IPSEC+L2TP fails with the following messages on IPSEC router:
isakmpd[76756]: message_recv: cleartext phase 2
isakmpd[76756]: dropped message from
192.168.1.1 port 500 due to notification type INVALID_FLAGS Aug 17
isakmpd[76756]: transport_send_messages: giving up on
exchange peer
Hello, I have a very simple isakmpd.conf configuration for a VPN to AWS. I'm
able to bring up the VPN but it crashes 15 minutes later. When ISAKMP
crashes, I am unable to ping outside or ping the machine until I kill the
isakmpd process. Any ideas?
ifo"
results mostly in:
ui_delete: command "d 7e0aab1278867246f26398203e60007f -" found no SA
3.)
collateral problem:
I'm not able to accept a new connection by the remote peer (with a new
cookie) because isakmpd logs:
transport_send_messages: giving up on exchange peer-, no response
Hello Philipp,
sorry for the late answer
Thanks for the hint with the cookies.
Works in my environment
I'm much happier now ;-)
Best regards
Andre
On 15.05.18 at 05:15, Philipp Buehler wrote:
Hello Andre,
On 14.05.2018 13:38, Andre Ruppert wrote:
I got the tips from this 2013
Hello Andre,
On 14.05.2018 13:38, Andre Ruppert wrote:
I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article=20131125041429
Apparently I wrote that article, and I feel your pain :-)
2.) less
Remark below...
On 14.05.18 at 13:38, Andre Ruppert wrote:
Hello @misc,
I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain"
ISAKMPD/ipsec.
The peering vpn gateways have different brandings from OpenBSD, linux,
cisco to watchguard appliances etc...
Intero
Hello @misc,
I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain"
ISAKMPD/ipsec.
The peering vpn gateways have different brandings from OpenBSD, linux,
cisco to watchguard appliances etc...
Interoperability works most like a charm and is a no-brainer in most
Fri, 16 Mar 2018 13:25:49 +0100
Janne Johansson :
> 2018-03-16 12:26 GMT+01:00 Andre Ruppert :
>
> > Hello @misc,
> >
> > after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via
> > 6.1 to 6.2 (amd64) I noticed some trouble with my VPN
2018-03-16 12:26 GMT+01:00 Andre Ruppert :
> Hello @misc,
>
> after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via 6.1 to
> 6.2 (amd64) I noticed some trouble with my VPN connections.
>
Almost always when you get "expected 3DES" it means "the confs are not
hos,
Fortigate, Cisco , ... ).
- ISAKMPD/ipsec (no iked yet)
- no syntax errors in ipsec.conf files (checked)
- with release 6.0 no problems at all.
- with 6.2 sometimes several of the connections drop nearly at the same
time and I have to restart them manually.
Configuration:
ipsec.conf inclu
On 2017-12-07 13:34, Jeremie Courreges-Anglas wrote:
On Thu, Dec 07 2017, Bernd wrote:
On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
On Wed, Dec 06 2017, Bernd wrote:
[...]
As a result, the IPSec tunnel can not be established.
On Thu, Dec 07 2017, Bernd wrote:
> On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
>> On Wed, Dec 06 2017, Bernd wrote:
[...]
>>> As a result, the IPSec tunnel can not be established. What did
>>> I overlook here?
>>
>> Looks like
tried to fire up IPSec
from there – it also failed.)
isakmpd is being started as described in ipsec.conf(5) et al: ``-K''
set
as its flag(s) in /etc/rc.conf.local
However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):
Dec 1 14:01:20 myhostna
, and tried to fire up IPSec
> from there – it also failed.)
>
> isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
> as its flag(s) in /etc/rc.conf.local
>
> However, it seems to ignore the settings made in ipsec.conf (without
> complaining about them,
be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use a
fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from
there – it also failed.)
isakmpd is being started as described in ipsec.conf(5) et al:
On 2017-09-29, BARDOU Pierre <bardo...@mipih.fr> wrote:
> Hello,
>
> I don't know if I should post this to misc@ or bugs@...
> If this is the wrong list tell me I'll file a proper bug report.
>
> I need to add a default route in rdomain 1 to be able to use the tunne
Hello,
I don't know if I should post this to misc@ or bugs@...
If this is the wrong list tell me I'll file a proper bug report.
I need to add a default route in rdomain 1 to be able to use the tunnels
created by isakmpd.
That is a bit weird, routes should be injected by isakmpd.
Here is my
On 17/06/17(Sat) 09:49, Nicolas Repentin wrote:
> No one ?
>
> On 13 June 2017 09:11:02 GMT+02:00, Nicolas <nico...@shivaserv.fr> wrote:
> >Hi everyone
> >
> >I'm searching some help about isakmpd, which is eating a lot of memory,
> >until the machine
p modp1024 lifetime 3600
srcid
psk ''
tag vpn
Actually the isakmpd process is eating more than 100MB of memory per day.
Nicolas
17 June 2017 11:13 "Michał Koc" wrote:
Hi Nicolas,
We are currently investigating some isakmpd memory problem with the
devs.
No one ?
On 13 June 2017 09:11:02 GMT+02:00, Nicolas <nico...@shivaserv.fr> wrote:
>Hi everyone
>
>I'm searching some help about isakmpd, which is eating a lot of memory,
>until the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
>After 3 days, the process is
Hi everyone
I'm searching some help about isakmpd, which is eating a lot of memory, until
the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
After 3 days, the process is using 650MB of memory.
When it's "frozen", it's unreachable on the network, and on the console it's
blink
Hi Stuart,
Raising openfiles-cur does not change anything.
Best Regards
M.K.
-- Original message --
*Subject: *Re: isakmpd dies quietly with over 100 tunnels
*From: *Stuart Henderson <s...@spacehopper.org>
*To: *misc@openbsd.org
*Date: *30.05.2017 11:55
On 2017-05-28,
denly run on
> problems.
> The isakmpd daemon keeps dying quietly. Probably I'm running out of
> something, but I need some help to find out what it is and how to
> monitor it and tweak.
Does it help to raise openfiles-cur for the daemon class in /etc/login.conf?
On 2017-05-29, Alexis VACHETTE <avache...@sisteer.com> wrote:
> I didn't think it was isakmpd related back then.
> Maybe a configuration issue on my end or the partner's.
If isakmpd crashes, there is a bug in isakmpd. No network input should
cause that to happen.
Hi All,
the trace is below, give me a notice if anything else is needed:
Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 162385]
conf_get_str (section=0xa8735b03f80 ' 0xa8735b04000 out of bounds>, tag=0xa8459272809 "Phase") at
/usr/src/sbin/isakmpd/
Hi all,
we are setting up a test environment, will be back soon with the traces.
Best Regards
M.K.
-- Original message --
*Subject: *Re: isakmpd dies quietly with over 100 tunnels
*From: *Alexis VACHETTE <avache...@sisteer.com>
*To: *Theo de Raadt <dera...@op
I didn't think it was isakmpd related back then.
Maybe a configuration issue on my end or the partner's.
But sure we need to post traces.
Nonetheless OpenBSD is an amazing piece of software, so thank you !
Regards,
Alexis.
On 29/05/2017 11:14, Theo de Raadt wrote:
Great thing is you all have
Great thing is you all have source code, and can run the same
debuggers live in your key-happy situations, and then generate traces
to expose the problem so that someone can help you.
But, yet, that doesn't happen. Strange isn't it?
Hi all,
I got to admit I've seen isakmpd dying on 5.9*
(amd64 on VMware). But after having to deal
with half a dozen peers all over Europe using
different proprietary solutions a cronjob like
"rcctl ls faulty | grep isakmpd && rcctl restart…"
worked well enough for me.
I won
Koc wrote:
Hi all,
I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels.
Everything was running just fine when the number of tunnels was lower.
But as we have been setting up more and more tunnels we suddenly run
on problems.
The isakmpd daemon keeps dying quietly. Probably I'm
Hi all,
I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels.
Everything was running just fine when the number of tunnels was lower.
But as we have been setting up more and more tunnels we suddenly run on
problems.
The isakmpd daemon keeps dying quietly. Probably I'm running
Thanks so much I was looking at the wrong place and was expecting it to be a
parameter...
Original Message
Subject: Re: isakmpd listen address
Local Time: May 25, 2017 9:06 PM
UTC Time: May 25, 2017 7:06 PM
From: hrv...@srce.hr
To: misc@openbsd.org
On 25.5.2017. 20:46, mabi
On 25.5.2017. 20:46, mabi wrote:
> Hello,
> I can't seem to find an option in isakmpd in order to have it listen only on
> one interface or IP address respectively. Is there an option for that I am
> not aware of? I just saw the -p option but that's for the port number.
> Than
Hello,
I can't seem to find an option in isakmpd in order to have it listen only on
one interface or IP address respectively. Is there an option for that I am not
aware of? I just saw the -p option but that's for the port number.
Thanks,
M.
S-256 / Lifetime 86400s
>> Phase 2: Tunnel mode / SHA1 / No PFS / Authentication with PSK / CIPHER
>> AES-128 / Lifetime 3600s
>>
>> So I end up with the following in ipsec.conf:
>> ike active esp tunnel \
>> from 10.85.98.16/29 to \
>> {10.249.0
of isakmpd.policy explains all this
excellently, but I didn't read it because I misunderstood what the manpage
of ipsec.conf says: "The keying daemon, isakmpd(8), can be enabled to run
at boot time via the isakmpd_flags variable in rc.conf.local(8). Note that
it will probably need to be run with at least t
On 19.03.2017 15:36, Jurjen Oskam wrote:
So, to validate that I'm indeed hitting this bug (and also as a
workaround)
I tried to set up the OpenBSD side to not use SHA2. I haven't been able
to
get this running yet: isakmpd always seems to offer HMAC_SHA2_256.
It's not offering
on the
specifics of the Linux kernel that happens to be used for the device. See
https://code.google.com/p/android/issues/detail?id=196939 for more
information).
I suspect I'm hit by this bug. The isakmpd negotiations seem to work fine,
but npppd doesn't see any traffic. When tcpdumping the external
ec.conf:
> ike active esp tunnel \
> from 10.85.98.16/29 to \
> {10.249.0.0/21} \
> peer \
> main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
> quick auth hmac-sha1 enc aes-128 group none lifetime 3600 \
> srcid "
> It looks good to me and conforms to the provided specs. Phase 1 is ok
> > but no phase 2:
> > 155851.640374 Default ipsec_validate_id_information: dubious ID information
> > accepted
> > 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154,
On 2017-03-11, Simon McFarlane <s...@desu.ne.jp> wrote:
> Hi all,
>
> I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are
> helping
> me announce an IPv4 allocation. We are having some trouble authenticating with
> isakmpd. We got it to connect w
> but no phase 2:
> 155851.640374 Default ipsec_validate_id_information: dubious ID information
> accepted
> 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154,
> responder id 80.125.165.142, src: 192.168.254.2 dst: 80.125.165.142
> 155918.682560 Default transport_send_messa
5.98.16/29 to \
    {10.249.0.0/21} \
  peer \
  main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
  quick auth hmac-sha1 enc aes-128 group none lifetime 3600 \
  srcid "" \
  psk "****"
I'm starting the ipsec like this :
isakmpd
hmac-sha1 enc aes-128 group none lifetime 3600 \
srcid "" \
psk ""
I'm starting the ipsec like this :
isakmpd -Kdvvv (to see what is happening)
and
ipsecctl -f /etc/ipsec.conf
It looks good to me and conforms to the provided specs. Phase 1 is ok
but no ph
keepalive parameter as well.
Since I've seen this on several occasions, check that isakmpd is /not/
having the flag -T. But you might want to use -L and look into the
resulting
/var/run/isakmpd.pcap (hint: tail -fc+0 isakmpd.pcap|tcpdump -netttvvr
-)
and watch out for the vendor lines in the proposal
Hello Sebastien,I'm not sure there's something special to force nat-t, it's
automatic.The natted side has to initiate the flow to the non natted side.If
the two sides are natted then there should be a port forward to one of
them.There should be a nat keepalive parameter as well.
Le Lundi 13
Hi,
I'm trying to set up a NAT-T IPSec VPN with one of my clients.
Is this configuration ok on ipsec.conf for NAT-T?
ike esp \
from 10.85.98.16/29 to {10.249.0.0/21} \
peer \
main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \
quick auth hmac-sha1 enc aes-256 group
On 03/11/2017 02:47 PM, Simon McFarlane wrote:
> Any isakmpd experts know how I might make this work? They can give me a
> client cert
> with an arbitrary subjectaltname if that would fix it. Would they need to add
> a
> subjectaltname field to their server cert?
Hi all,
I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping
me announce an IPv4 allocation. We are having some trouble authenticating with
isakmpd. We got it to connect with a PSK, but can't get certificates or public
key auth working (they don't do secrets as a matter
Disclaimer: I don't want to sound too negative, I really appreciate all the
hard work that went in to OpenIKED but I've just made the reverse trip;
OpenIKED (IKEv2) to isakmpd (IKEv1). We just couldn't get our connections
stable with OpenIKED. We backported multiple patches from the master
On Tue, Feb 07, 2017 at 01:30:13PM -0500, Christopher Sean Hilton wrote:
> On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> > I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> > 6.0. This also manages a VPN between
On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote:
> I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
> 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
>
Some more information on this and possibly a real qu
How hard is it to transition from an isakmpd managed IPsec VPN to iked
management? I have a certificate based isakmpd solution that works. It
is mainly just a matter of rsyncing the directories and using a little
editor magic on the ipsec.conf file to create iked.conf?
Thanks in advance,
-- Chris
I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD
6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0.
The example describes a situation where you have one self signed root
certificate located in /etc/isakmpd/ca/root.crt and otherside::client.cr
On 2017-01-02, Peter Fraser wrote:
> I want the fixed IP address so I don't have to drive there to fix problems.
PS: I haven't used it recently, but I've found ports/sysutils/autossh useful
in the past for these.
system I have isakmpd_flags=-K -v -D A=10
After reading code and trying things out I settled on using this as my
standard config for systems where I'm interested in getting logging out of
isakmpd:
isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30
-D10=20"
Then if
I apologise if it has already been said but we have heaps of clients with
Office 365 where Microsoft do not control the DNS. The client does but you
need special TXT records. Then again, none are charities with that special
$1/month/user deal.
Regards - Damian
Pacific Engineering Systems
On Mon, 2017-01-02 at 22:05 +, Peter Fraser wrote:
[...]
> any hint as to what I am doing wrong?
Your config looks strange for sure!
Please read http://www.kernel-panic.it/openbsd/vpn/vpn3.html and http:/
/stuffresearch.tor.hu/?p=64
In addition I recommend reading
iginal Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Steve Williams
> Sent: Monday, January 2, 2017 6:57 PM
> To: Peter Fraser <p...@thinkage.ca>; 'misc@openbsd.org' <misc@openbsd.org>
> Subject: Re: isakmpd set up
>
>
Subject: Re: isakmpd set up
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa ike from
> 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
Have you tri
[mailto:owner-m...@openbsd.org] On Behalf Of
Steve Williams
Sent: Monday, January 2, 2017 6:57 PM
To: Peter Fraser <p...@thinkage.ca>; 'misc@openbsd.org' <misc@openbsd.org>
Subject: Re: isakmpd set up
Hi,
I have been using OpenBSD on a dynamic IP address for 10+ years.
I have an account
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca
> dstid thinkage.ca tag ipsec-kwa
> ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid
> kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
Have you tried to replace 192.102.11/24 with 192.102.11.0/24
nto
/etc/hostname.enc0
up
when I try to start isakmpd on the remote system I get only a message about
privilege dropping.
on my local system I get
Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event
ui_conn_reinit(0x0) added last, expiration in 5s
Jan 2 16:23:55 gateway isakm
up later
On both systems I have isakmpd_flags=-K -v -D A=10
because of some of the readings I also put on both systems into
/etc/hostname.enc0
up
when I try to start isakmpd on the remote system I get only a message about
privilege dropping.
on my local system I get
Jan 2 16:23:55 gateway
psk "XXX"
...
> I tried all proposals from dump I got from both client packets and
> server site with no luck.
>
> Anybody have success with OS X client and isakmpd? It will be nice to
> see working main and quick config parts.
>
this is an older configuration, but wo
:25:43 vpn isakmpd[88568]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_3072
Jul 9 17:25:43 vpn isakmpd[88568]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Jul 9 17:25:43 vpn isakmpd[88568]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC
15 -> $ntp reached
and return traffic
$ntp -> rdomain 10 ->but nothing leaves via enc0 again
thanks for any help
2016-05-18 21:30 GMT+02:00 utob <g...@gmail.com>:
> hi,
>
> i'm using a carp+vlan+trunk setup and isakmpd.
> after migrating to rdomains
hi,
i'm using a carp+vlan+trunk setup and isakmpd.
after migrating to rdomains, i've planned to have $ext_if
and isakmpd+enc0 in different rdomains, but that didn't
work out, as nothing would listen on $ext_if:500 then.
the main thing is, that communication via enc0 is only
possible if i drop
tem and my OS X
system, while I find the identification payload in the first quick mode
message to be the same, I actually discovered a difference in the final
segment of the main mode Identity Protection phase:
In 3rd and final exchange in IKE phase 1 (Identity protection, main mode):
*isakm
On Wed, Feb 17, 2016 at 1:38 AM, Stuart Henderson <s...@spacehopper.org>
wrote:
>
> A more generic (but more complicated) approach would be to use ifstated
> to wait until the interface is up before running isakmpd.
Stu,
Thanks a bunch for this suggestion. This turned out t
On 19.02.2016 15:31, Christopher Sean Hilton wrote:
* Am I right to assume that when connecting to isakmpd the soekris
box will match to the "Remote router" stanza because it's trying
to build a tunnel from "srcid <-> dstid" or is isakmpd using the
ffee shops or clients work sites.
The soekris box as a fqdn certificate. The laptops have user-fqdn
certs. My question is:
* Am I right to assume that when connecting to isakmpd the soekris
box will match to the "Remote router" stanza because it's trying
to build a tunnel from "
"!sleep 5" or something to hostname.pppoe0 but obviously
this would be racy and won't help if the connection is down when you
boot.
A more generic (but more complicated) approach would be to use ifstated
to wait until the interface is up before running isakmpd.
Yes, the Listen-on is static. Unfortunately, changing the 0.0.0.0 in
hostname.pppoe0 breaks PPPoE.
I think I could work around this in netstart by simply sleeping until the
link comes up (or a pre-defined timer elapses) but I'm struggling to come
up with a more generic approach. There might be