Re: isakmpd does not tag packets

2023-12-19 Thread Tobias Heider
On Tue, Dec 12, 2023 at 07:38:30AM +0100, Sebastian John wrote: > Hello, > > I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new > machine. I put the isakmpd.conf from the old machine (7.3) on the > new one. Also some other configurations (interfaces, pf...). All > works fine but the

isakmpd does not tag packets

2023-12-11 Thread Sebastian John
Hello, I installed (not upgrade) OpenBSD 7.4 (amd64) on a brand new machine. I put the isakmpd.conf from the old machine (7.3) on the new one. Also some other configurations (interfaces, pf...). All works fine but the incoming IPSec packets are not tagged anymore. [.. isakmpd.conf ..] PF-Tag=

Re: functional difference of isakmpd and iked

2022-03-13 Thread Stuart Henderson
On 2022-03-11, Axel Rau wrote: > > >> On 09.03.2022 at 11:44 Axel Rau wrote: >> >> are both able to support the same network topologies with both IPv4 and IPv6? > Seems to be a difficult question. Nobody wants to decode the isakmpd.conf to work out what the existing configuration does :-)

Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau
> On 11.03.2022 at 14:32 Tobias Heider wrote: > > looks like your setup should also work with iked. So I will try this in a few weeks and report back. Thanks for responding, Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

Re: functional difference of isakmpd and iked

2022-03-11 Thread Tobias Heider
to get an answer / a comment of one of the experts? > > Axel Hey Axel, looks like your setup should also work with iked. Keep in mind however that running iked and isakmpd on the same machine does not work, so you will probably have to switch all machines at the same time without overlap. F

Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau
> On 09.03.2022 at 11:44 Axel Rau wrote: > > are both able to support the same network topologies with both IPv4 and IPv6? Seems to be a difficult question. What can I do to get an answer / a comment of one of the experts? Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius

functional difference of isakmpd and iked

2022-03-09 Thread Axel Rau
, the other 2 are road warriors, where IP of others changes about once a month. As this is an operational setup, moving from isakmpd to iked seems to be a challenge. (-: Can the transition be done without losing functionality? Axel PS: To illustrate further, I include the connections from

Re: Ynt: howto separate isakmpd syslogs into another file

2021-12-31 Thread Boyd Stephens
isakmpd syslogs into another file On Thu, 2021-12-30 at 08:59 +, Hayri Can KAVAK wrote: Hello, I'm trying to separate isakmpd/ipsec logs to another file instead of /var/log/messages. Here my config at the top of /etc/syslog.conf !!isakmpd daemon.info

Ynt: howto separate isakmpd syslogs into another file

2021-12-30 Thread Hayri Can KAVAK
Thanks Martijn; it worked by creating these files. From: owner-m...@openbsd.org on behalf of Martijn van Duren Sent: Thursday, 30 December 2021 12:46 To: Hayri Can KAVAK ; misc@openbsd.org Subject: Re: howto separate isakmpd syslogs into another file On Thu

Re: howto separate isakmpd syslogs into another file

2021-12-30 Thread Martijn van Duren
On Thu, 2021-12-30 at 08:59 +, Hayri Can KAVAK wrote: > Hello, > > I'm trying to separate isakmpd/ipsec logs to another file instead of > /var/log/messages. > Here my config at the top of /etc/syslog.conf > !!isakmpd > daemon.info

howto separate isakmpd syslogs into another file

2021-12-30 Thread Hayri Can KAVAK
Hello, I'm trying to separate isakmpd/ipsec logs to another file instead of /var/log/messages. Here my config at the top of /etc/syslog.conf !!isakmpd daemon.info /var/log/ipsec_info.log daemon.debug/var/log

Re: isakmpd ignoring authentication metod

2021-05-10 Thread Giacomo Marconi
>> Hi all >> >> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820. >> >> In my last VPN config (using 6.8) I see in the logs that isakmpd is >> expecting RSA_SIG as authentication method, while in ipsec.conf I set the >> psk value. >

Re: isakmpd ignoring authentication metod

2021-05-05 Thread Stuart Henderson
On 2021-05-04, Giacomo Marconi wrote: > Hi all > > I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820. > > In my last VPN config (using 6.8) I see in the logs that isakmpd is > expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk >

isakmpd ignoring authentication metod

2021-05-04 Thread Giacomo Marconi
Hi all I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820. In my last VPN config (using 6.8) I see in the logs that isakmpd is expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk value. May 4 18:11:44 fw-donmilani isakmpd[37871]: attribute_unacceptable

Re: no pcap file from isakmpd in OBSD6.6

2020-02-06 Thread Marko Cupać
Christoph Leser wrote: Hi, after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no longer write pcap files in /var/run. In /var/log/messages we see the following message: isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") faile

Re: no pcap file from isakmpd in OBSD6.6

2019-12-03 Thread Theo de Raadt
> after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no > longer write pcap files in /var/run. > > In /var/log/messages we see the following message: > > isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") failed: > Permissi

no pcap file from isakmpd in OBSD6.6

2019-12-03 Thread Christoph Leser
Hi, after upgrading openbsd6.5 to openbsd6.6 using sysupgrade isakmpd does no longer write pcap files in /var/run. In /var/log/messages we see the following message: isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") failed: Permission denied Any idea

Re: isakmpd and iked on the same box

2018-08-31 Thread Daniel Polak
Tommy Nevtelen wrote on 31-8-2018 16:12: On 2018-08-31 10:44, Daniel Polak wrote: Tommy Nevtelen wrote on 30-8-2018 23:13: We use isakmpd to interconnect 30ish routers and I would like to switch to iked, but since there is no support to run both at the same time it makes it quite hard

Re: isakmpd and iked on the same box

2018-08-31 Thread Boris Goldberg
Hello Philipp, I use to (reliably) run from two to four parallel instances of isakmpd on same boxes (for years) - first using different ports, then different IPs. It seems like they've had to (peacefully) share the SADB. Did I just not have enough tunnels to trigger the problem? If this isn't

Re: isakmpd and iked on the same box

2018-08-31 Thread Tommy Nevtelen
On 2018-08-31 10:44, Daniel Polak wrote: Tommy Nevtelen wrote on 30-8-2018 23:13: We use isakmpd to interconnect 30ish routers and I would like to switch to iked, but since there is no support to run both at the same time it makes it quite hard to migrate slowly. Will basically need to do

Re: isakmpd and iked on the same box

2018-08-31 Thread Sebastian Reitenbach
On Thursday, August 30, 2018 17:39 CEST, Philipp Buehler wrote: > Hi, > > On 30.08.2018 10:27 Sebastian Reitenbach wrote: > > Hi, > > > > I'm wondering if it would be possible to add iked to my box already > > running isakmpd. > > I found this quite

Re: isakmpd and iked on the same box

2018-08-31 Thread Daniel Polak
Tommy Nevtelen wrote on 30-8-2018 23:13: We use isakmpd to interconnect 30ish routers and I would like to switch to iked, but since there is no support to run both at the same time it makes it quite hard to migrate slowly. Will basically need to do it all at the same time and that is not very

Re: isakmpd and iked on the same box

2018-08-30 Thread Tommy Nevtelen
On 2018-08-30 22:06, Daniel Polak wrote: > On 30/08/2018 17:39, Philipp Buehler wrote: >> I was not following development too closely, but I think that on the >> kernel side >> things have not changed. Which means iked and isakmpd will happily >> "toe tap"

Re: isakmpd and iked on the same box

2018-08-30 Thread Daniel Polak
On 30/08/2018 17:39, Philipp Buehler wrote: I was not following development too closely, but I think that on the kernel side things have not changed. Which means iked and isakmpd will happily "toe tap" on each others SADB in the kernel (even if there is *some* PID handling).

Re: isakmpd and iked on the same box

2018-08-30 Thread Philipp Buehler
Hi, On 30.08.2018 10:27 Sebastian Reitenbach wrote: Hi, I'm wondering if it would be possible to add iked to my box already running isakmpd. I found this quite old thread: http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html Why is it "always"

isakmpd and iked on the same box

2018-08-30 Thread Sebastian Reitenbach
Hi, I'm wondering if it would be possible to add iked to my box already running isakmpd. I found this quite old thread: http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html just checking to see if things might have changed since then. Ive a vio0 interface

isakmpd: dropped message from 192.168.1.1 port 500 due to notification type INVALID_FLAGS

2018-08-17 Thread Jean-Michel Pouré
Dear Friends, IPSEC+L2TP fails with the following messages on IPSEC router: isakmpd[76756]: message_recv: cleartext phase 2 isakmpd[76756]: dropped message from 192.168.1.1 port 500 due to notification type INVALID_FLAGS Aug 17 isakmpd[76756]: transport_send_messages: giving up on exchange peer

ISAKMPD crashed on OpenBSD 6.2

2018-07-10 Thread mottycruz
Hello I have a very simple isakampd.conf configuration for a VPN to AWS. I'm able to bring up the VPN but it crashed 15 minutes later. When ISAKMP crashed, I unable to ping outside or ping the machine until I kill isakmp process. Any ideas? -- Sent from:

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-30 Thread Andre Ruppert
ifo" results mostly in: ui_delete: command "d 7e0aab1278867246f26398203e60007f -" found no SA 3.) collateral problem: I'm not able to accept a new connection by the remote peer (with a new cookie) because isakmpd logs: transport_send_messages: giving up on exchange peer-, no response

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-16 Thread Andre Ruppert
Hello Philipp, sorry for the late answer. Thanks for the hint with the cookies. Works in my environment. I'm much happier now ;-) Best regards Andre On 15.05.18 at 05:15 Philipp Buehler wrote: Hello Andre, On 14.05.2018 13:38 Andre Ruppert wrote: I got the tips from this 2013

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-14 Thread Philipp Buehler
Hello Andre, On 14.05.2018 13:38 Andre Ruppert wrote: I got the tips from this 2013 undeadly.org article: Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway https://undeadly.org/cgi?action=article=20131125041429 Apparently I wrote that article, and I feel your pain :-) 2.) less

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-14 Thread Andre Ruppert
Remark below... On 14.05.18 at 13:38 Andre Ruppert wrote: Hello @misc, I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain" ISAKMPD/ipsec. The peering vpn gateways have different brandings from OpenBSD, linux, cisco to watchguard appliances etc... Intero

OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

2018-05-14 Thread Andre Ruppert
Hello @misc, I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain" ISAKMPD/ipsec. The peering vpn gateways have different brandings from OpenBSD, linux, cisco to watchguard appliances etc... Interoperability works most like a charm and is a no-brainer in most

Re: IPsec/ISAKMP-trouble after Upgrade 6.0 --> 6.1 --> 6.2 amd64 : ISAKMPD: got AES_CBC, expected 3DES_CBC

2018-03-17 Thread Andre Ruppert
Fri, 16 Mar 2018 13:25:49 +0100 Janne Johansson : > 2018-03-16 12:26 GMT+01:00 Andre Ruppert : > > > Hello @misc, > > > > after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via > > 6.1 to 6.2 (amd64) I noticed some trouble with my VPN

Re: IPsec/ISAKMP-trouble after Upgrade 6.0 --> 6.1 --> 6.2 amd64 : ISAKMPD: got AES_CBC, expected 3DES_CBC

2018-03-16 Thread Janne Johansson
2018-03-16 12:26 GMT+01:00 Andre Ruppert : > Hello @misc, > > after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via 6.1 to > 6.2 (amd64) I noticed some trouble with my VPN connections. > Almost always when you get "expected 3DES" it means "the confs are not

IPsec/ISAKMP-trouble after Upgrade 6.0 --> 6.1 --> 6.2 amd64 : ISAKMPD: got AES_CBC, expected 3DES_CBC

2018-03-16 Thread Andre Ruppert
hos, Fortigate, Cisco, ... ). - ISAKMPD/ipsec (no iked yet) - no syntax errors in ipsec.conf files (checked) - with release 6.0 no problems at all. - with 6.2 sometimes several of the connections drop nearly at the same time and I have to restart them manually. Configuration: ipsec.conf inclu

Re: isakmpd ignoring contents of /etc/ipsec.conf

2017-12-07 Thread Bernd
On 2017-12-07 13:34, Jeremie Courreges-Anglas wrote: On Thu, Dec 07 2017, Bernd wrote: On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote: On Wed, Dec 06 2017, Bernd wrote: [...] As a result, the IPSec tunnel can not be established.

Re: isakmpd ignoring contents of /etc/ipsec.conf

2017-12-07 Thread Jeremie Courreges-Anglas
On Thu, Dec 07 2017, Bernd wrote: > On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote: >> On Wed, Dec 06 2017, Bernd wrote: [...] >>> As a result, the IPSec tunnel can not be established. What did >>> I overlook here? >> >> Looks like

Re: isakmpd ignoring contents of /etc/ipsec.conf

2017-12-07 Thread Bernd
tried to fire up IPSec from there – it also failed.) isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set as its flag(s) in /etc/rc.conf.local However, it seems to ignore the settings made in ipsec.conf (without complaining about them, though): Dec 1 14:01:20 myhostna

Re: isakmpd ignoring contents of /etc/ipsec.conf

2017-12-06 Thread Jeremie Courreges-Anglas
, and tried to fire up IPSec > from there – it also failed.) > > isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set > as its flag(s) in /etc/rc.conf.local > > However, it seems to ignore the settings made in ipsec.conf (without > complaining about them,

isakmpd ignoring contents of /etc/ipsec.conf

2017-12-06 Thread Bernd
be seen, I want the settings to be applied to a /27 network, from where the tunnel initiation is sent out of. I also tried to use a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from there – it also failed.) isakmpd is being started as described in ipsec.conf(5) et al:

Re: IPsec (isakmpd) in rdomain non zero needs default route

2017-09-30 Thread Stuart Henderson
On 2017-09-29, BARDOU Pierre <bardo...@mipih.fr> wrote: > Hello, > > I don't know if I should post this to misc@ or bugs@... > If this is the wrong list tell me I'll file a proper bug report. > > I need to add a default route in rdomain 1 to be able to use the tunne

IPsec (isakmpd) in rdomain non zero needs default route

2017-09-29 Thread BARDOU Pierre
Hello, I don't know if I should post this to misc@ or bugs@... If this is the wrong list tell me I'll file a proper bug report. I need to add a default route in rdomain 1 to be able to use the tunnels created by isakmpd. That is a bit weird, routes should be injected by isakmpd. Here is my

Re: isakmpd memory usage

2017-06-22 Thread Martin Pieuchot
On 17/06/17(Sat) 09:49, Nicolas Repentin wrote: > No one ? > > On 13 June 2017 09:11:02 GMT+02:00, Nicolas <nico...@shivaserv.fr> wrote: > >Hi everyone > > > >I'm searching some help about isakmpd, which is eating a lot of memory, > >until the machine

Re: isakmpd memory usage

2017-06-20 Thread Nicolas
p modp1024 lifetime 3600 srcid psk '' tag vpn Actually the isakmpd process is eating more than 100MB of memory per day. Nicolas 17 June 2017 11:13 "Michał Koc" wrote: Hi Nicolas, We are currently investigating some isakmpd memory problem with the devs.

Re: isakmpd memory usage

2017-06-17 Thread Nicolas Repentin
No one ? On 13 June 2017 09:11:02 GMT+02:00, Nicolas <nico...@shivaserv.fr> wrote: >Hi everyone > >I'm searching some help about isakmpd, which is eating a lot of memory, >until the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti). >After 3 days, the process is

isakmpd memory usage

2017-06-13 Thread Nicolas
Hi everyone I'm searching some help about isakmpd, which is eating a lot of memory, until the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti). After 3 days, the process is using 650MB of memory. When it's "frozen", it's unreachable on the network, and on the console it's blink

Re: isakmpd dies quietly with over 100 tunnels

2017-05-30 Thread Michał Koc
Hi Stuart, Raising openfiles-cur does not change anything. Best Regards M.K. -- Original message -- *Subject: *Re: isakmpd dies quietly with over 100 tunnels *From: *Stuart Henderson <s...@spacehopper.org> *To: *misc@openbsd.org *Date: *30.05.2017 11:55 On 2017-05-28,

Re: isakmpd dies quietly with over 100 tunnels

2017-05-30 Thread Stuart Henderson
denly run on > problems. > The isakmpd daemon keeps dying quietly. Probably I'm running out of > something, but I need some help to find out what it is and how to > monitor it and tweak. Does it help to raise openfiles-cur for the daemon class in /etc/login.conf?

Re: isakmpd dies quietly with over 100 tunnels

2017-05-30 Thread Stuart Henderson
On 2017-05-29, Alexis VACHETTE <avache...@sisteer.com> wrote: > I didn't think it was isakmpd related back then. > Maybe a configuration issue on my end or the partner's. If isakmpd crashes, there is a bug in isakmpd. No network input should cause that to happen.

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Michał Koc
Hi All, the trace is below, give me a notice if anything else is needed: Program received signal SIGSEGV, Segmentation fault. [Switching to thread 162385] conf_get_str (section=0xa8735b03f80 ' 0xa8735b04000 out of bounds>, tag=0xa8459272809 "Phase") at /usr/src/sbin/isakmpd/

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Michał Koc
Hi all, we are setting up a test environment, will be back soon with the traces. Best Regards M.K. -- Original message -- *Subject: *Re: isakmpd dies quietly with over 100 tunnels *From: *Alexis VACHETTE <avache...@sisteer.com> *To: *Theo de Raadt <dera...@op

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Alexis VACHETTE
I didn't think it was isakmpd related back then. Maybe a configuration issue on my end or the partner's. But sure we need to post traces. Nonetheless OpenBSD is an amazing piece of software, so thank you ! Regards, Alexis. On 29/05/2017 11:14, Theo de Raadt wrote: Great thing is you all have

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Theo de Raadt
Great thing is you all have source code, and can run the same debuggers live in your key-happy situations, and then generate traces to expose the problem so that someone can help you. But, yet, that doesn't happen. Strange isn't it?

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Florian Ermisch
Hi all, I got to admit I've seen isakmpd dying on 5.9* (amd64 on VMware). But after having to deal with half a dozen peers all over Europe using different proprietary solutions a cronjob like "rcctl ls faulty | grep isakmpd && rcctl restart…" worked well enough for me. I won

Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Alexis VACHETTE
Koc wrote: Hi all, I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels. Everything was running just fine when the number of tunnels was lower. But as we have been setting up more and more tunnels we suddenly ran into problems. The isakmpd daemon keeps dying quietly. Probably I'm

isakmpd dies quietly with over 100 tunnels

2017-05-28 Thread Michał Koc
Hi all, I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels. Everything was running just fine when the number of tunnels was lower. But as we have been setting up more and more tunnels we suddenly ran into problems. The isakmpd daemon keeps dying quietly. Probably I'm running

Re: isakmpd listen address

2017-05-25 Thread mabi
Thanks so much I was looking at the wrong place and was expecting it to be a parameter... Original Message Subject: Re: isakmpd listen address Local Time: May 25, 2017 9:06 PM UTC Time: May 25, 2017 7:06 PM From: hrv...@srce.hr To: misc@openbsd.org On 25.5.2017. 20:46, mabi

Re: isakmpd listen address

2017-05-25 Thread Hrvoje Popovski
On 25.5.2017. 20:46, mabi wrote: > Hello, > I can't seem to find an option in isakmpd in order to have it listen only on > one interface or IP address respectively. Is there an option for that I am > not aware of? I just saw the -p option but that's for the port number. > Than

isakmpd listen address

2017-05-25 Thread mabi
Hello, I can't seem to find an option in isakmpd in order to have it listen only on one interface or IP address respectively. Is there an option for that I am not aware of? I just saw the -p option but that's for the port number. Thanks, M.

Re: Isakmpd and NAT-T

2017-03-22 Thread Sébastien Morand
S-256 / Lifetime 86400s >> Phase 2: Tunnel mode / SHA1 / No PFS / Authentication with PSK / CIPHER >> AES-128 / Lifetime 3600s >> >> So I end up with the following in ipsec.conf: >> ike active esp tunnel \ >> from 10.85.98.16/29 to \ >> {10.249.0

Re: L2TP/IPsec VPN server: trying to force HMAC_SHA in phase 2, but isakmpd keeps offering HMAC_SHA2_256?

2017-03-20 Thread Jurjen Oskam
of isakmpd.policy explains all this excellently, but I didn't read it because I misunderstood what the manpage of ipsec.conf says: "The keying daemon, isakmpd(8), can be enabled to run at boot time via the isakmpd_flags variable in rc.conf.local(8). Note that it will probably need to be run with at least t

Re: L2TP/IPsec VPN server: trying to force HMAC_SHA in phase 2, but isakmpd keeps offering HMAC_SHA2_256?

2017-03-19 Thread Philipp Buehler
On 19.03.2017 15:36 Jurjen Oskam wrote: So, to validate that I'm indeed hitting this bug (and also as a workaround) I tried to set up the OpenBSD side to not use SHA2. I haven't been able to get this running yet: isakmpd always seems to offer HMAC_SHA2_256. It's not offering

L2TP/IPsec VPN server: trying to force HMAC_SHA in phase 2, but isakmpd keeps offering HMAC_SHA2_256?

2017-03-19 Thread Jurjen Oskam
on the specifics of the Linux kernel that happens to be used for the device. See https://code.google.com/p/android/issues/detail?id=196939 for more information). I suspect I'm hit by this bug. The isakmpd negotiations seem to work fine, but npppd doesn't see any traffic. When tcpdumping the external

Re: Isakmpd and NAT-T

2017-03-17 Thread Sébastien Morand
ec.conf: > ike active esp tunnel \ > from 10.85.98.16/29 to \ > {10.249.0.0/21} \ > peer \ > main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \ > quick auth hmac-sha1 enc aes-128 group none lifetime 3600 \ > srcid ""

Re: Isakmpd and NAT-T

2017-03-17 Thread Claer
> It looks good to me and conforms to the provided specs. Phase 1 is ok > > but no phase 2: > > 155851.640374 Default ipsec_validate_id_information: dubious ID information > > accepted > > 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154,

Re: Trouble with isakmpd authentication

2017-03-17 Thread Stuart Henderson
On 2017-03-11, Simon McFarlane <s...@desu.ne.jp> wrote: > Hi all, > > I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are > helping > me announce an IPv4 allocation. We are having some trouble authenticating with > isakmpd. We got it to connect w

Re: Isakmpd and NAT-T

2017-03-17 Thread Stuart Henderson
> but no phase 2: > 155851.640374 Default ipsec_validate_id_information: dubious ID information > accepted > 155851.640478 Default isakmpd: phase 1 done: initiator id 196.207.241.154, > responder id 80.125.165.142, src: 192.168.254.2 dst: 80.125.165.142 > 155918.682560 Default transport_send_messa

Re: Isakmpd and NAT-T

2017-03-16 Thread Mik J
5.98.16/29 to \         {10.249.0.0/21} \     peer \     main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \     quick auth hmac-sha1 enc aes-128 group none lifetime 3600 \     srcid "" \     psk "****" I'm starting the ipsec like this : isakmpd

Re: Isakmpd and NAT-T

2017-03-16 Thread Sébastien Morand
hmac-sha1 enc aes-128 group none lifetime 3600 \ srcid "" \ psk "" I'm starting the ipsec like this : isakmpd -Kdvvv (to see what is happening) and ipsecctl -f /etc/ipsec.conf It looks good to me and conforms to the provided specs. Phase 1 is ok but no ph

Re: Isakmpd and NAT-T

2017-03-14 Thread Philipp Buehler
keepalive parameter as well. Since I've seen this on several occasions, check that isakmpd is /not/ having the flag -T. But you might want to use -L and look into the resulting /var/run/isakmpd.pcap (hint: tail -fc+0 isakmpd.pcap|tcpdump -netttvvr -) and watch out for the vendor lines in the proposal

Re: Isakmpd and NAT-T

2017-03-13 Thread Mik J
Hello Sebastien, I'm not sure there's something special to force nat-t, it's automatic. The natted side has to initiate the flow to the non natted side. If the two sides are natted then there should be a port forward to one of them. There should be a nat keepalive parameter as well. On Monday 13

Isakmpd and NAT-T

2017-03-13 Thread Sébastien Morand
Hi, I'm trying to set up a NAT-T IPSec VPN with one of my client. Is this configuration ok on ipsec.conf for NAT-T? ike esp \ from 10.85.98.16/29 to {10.249.0.0/21} \ peer \ main auth hmac-sha1 enc aes-256 group modp1536 lifetime 86400 \ quick auth hmac-sha1 enc aes-256 group

Re: Trouble with isakmpd authentication

2017-03-11 Thread Simon McFarlane
On 03/11/2017 02:47 PM, Simon McFarlane wrote: > Any isakmpd experts know how I might make this work? They can give me a > client cert > with an arbitrary subjectaltname if that would fix it. Would they need to add > a > subjectaltname field to their server cert?

Trouble with isakmpd authentication

2017-03-11 Thread Simon McFarlane
Hi all, I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping me announce an IPv4 allocation. We are having some trouble authenticating with isakmpd. We got it to connect with a PSK, but can't get certificates or public key auth working (they don't do secrets as a matter

Re: Isakmpd vs iked

2017-02-18 Thread Jasper Siepkes
Disclaimer: I don't want to sound too negative, I really appreciate all the hard work that went in to OpenIKED but I've just made the reverse trip; OpenIKED (IKEv2) to isakmpd (IKEv1). We just couldn't get our connections stable with OpenIKED. We backported multiple patches from the master

Solved -- Was: Isakmpd Cert question.

2017-02-07 Thread Christopher Sean Hilton
On Tue, Feb 07, 2017 at 01:30:13PM -0500, Christopher Sean Hilton wrote: > On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote: > > I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD > > 6.0. This also manages a VPN between

Re: Isakmpd Cert question.

2017-02-07 Thread Christopher Sean Hilton
On Tue, Feb 07, 2017 at 11:23:29AM -0500, Christopher Sean Hilton wrote: > I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD > 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0. > Some more information on this and possibly a real qu

Isakmpd vs iked

2017-02-07 Thread Christopher Sean Hilton
How hard is it to transition from an isakmpd managed IPsec VPN to iked management? I have a certificate based isakmpd solution that works. Is it mainly just a matter of rsyncing the directories and using a little editor magic on the ipsec.conf file to create iked.conf? Thanks in advance, -- Chris

Isakmpd Cert question.

2017-02-07 Thread Christopher Sean Hilton
I'm using isakmpd to manage an ipsec VPN between OpenBSD 5.8 <-> OpenBSD 6.0. This also manages a VPN between Mac OS X/ IPsecuritas and OpenBSD 6.0. The example describes a situation where you have one self signed root certificate located in /etc/isakmpd/ca/root.crt and otherside::client.cr

Re: isakmpd set up

2017-01-05 Thread Stuart Henderson
On 2017-01-02, Peter Fraser wrote: > I want the fixed IP address so I don't have to drive there to fix problems. PS: I haven't used it recently, but I've found ports/sysutils/autossh useful in the past for these.

Re: isakmpd set up

2017-01-05 Thread Stuart Henderson
system I have isakmpd_flags=-K -v -D A=10 After reading code and trying things out I settled on using this as my standard config for systems where I'm interested in getting logging out of isakmpd: isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20" Then if

Re: isakmpd set up

2017-01-03 Thread Damian McGuckin
I apologise if it has already been said but we have heaps of clients with Office 365 where Microsoft do not control the DNS. The client does but you need special TXT records. Then again, none are charities with that special $1/month/user deal. Regards - Damian Pacific Engineering Systems

Re: isakmpd set up

2017-01-03 Thread Armin Tüting
On Mon, 2017-01-02 at 22:05 +, Peter Fraser wrote: [...] > any hint as to what I am doing wrong? Your config looks strange for sure! Please read http://www.kernel-panic.it/openbsd/vpn/vpn3.html and http://stuffresearch.tor.hu/?p=64 In addition I recommend reading

Re: isakmpd set up

2017-01-03 Thread Steve Williams
iginal Message- > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of > Steve Williams > Sent: Monday, January 2, 2017 6:57 PM > To: Peter Fraser <p...@thinkage.ca>; 'misc@openbsd.org' <misc@openbsd.org> > Subject: Re: isakmpd set up > >

Re: isakmpd set up

2017-01-03 Thread Peter Fraser
Subject: Re: isakmpd set up > ike from egress to 192.102.11/24 peer 192.102.11.1 srcid > kwaccessability.ca dstid thinkage.ca tag ipsec-kwa ike from > 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid > kwaccessability.ca dstid thinkage.ca tag ipsec-kwa > Have you tri

Re: isakmpd set up

2017-01-03 Thread Peter Fraser
[mailto:owner-m...@openbsd.org] On Behalf Of Steve Williams Sent: Monday, January 2, 2017 6:57 PM To: Peter Fraser <p...@thinkage.ca>; 'misc@openbsd.org' <misc@openbsd.org> Subject: Re: isakmpd set up Hi, I have been using OpenBSD on a dynamic IP address for 10+ years. I have an account

Re: isakmpd set up

2017-01-02 Thread Denis Fondras
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca > dstid thinkage.ca tag ipsec-kwa > ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid > kwaccessability.ca dstid thinkage.ca tag ipsec-kwa > Have you tried to replace 192.102.11/24 with 192.102.11.0/24

Re: isakmpd set up

2017-01-02 Thread Steve Williams
nto /etc/hostname.enc0 up when I try to start isakmpd on the remote system I get only a message about privilege dropping. on my local system I get Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s Jan 2 16:23:55 gateway isakm

isakmpd set up

2017-01-02 Thread Peter Fraser
up later On both systems I have isakmpd_flags=-K -v -D A=10 because of some of the readings I also put on both systems into /etc/hostname.enc0 up when I try to start isakmpd on the remote system I get only a message about privilege dropping. on my local system I get Jan 2 16:23:55 gateway

Re: OpenBSD isakmpd and OS X El Capitan client

2016-07-11 Thread dewey hylton
psk "XXX" ... > I tried all proposals from dump I got from both client packets and > server site with no luck. > > Anybody have success with OS X client and isakmpd? It will be nice to > see working main and quick config parts. > this is an older configuration, but wo

OpenBSD isakmpd and OS X El Capitan client

2016-07-09 Thread Evgeniy Sudyr
:25:43 vpn isakmpd[88568]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_3072 Jul 9 17:25:43 vpn isakmpd[88568]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA Jul 9 17:25:43 vpn isakmpd[88568]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC

Re: rdomains, isakmpd, keep state (if-bound)

2016-05-20 Thread utob
15 -> $ntp reached and return traffic $ntp -> rdomain 10 ->but nothing leaves via enc0 again thanks for any help 2016-05-18 21:30 GMT+02:00 utob <g...@gmail.com>: > hi, > > i'm using a carp+vlan+trunk setup and isakmpd. > after migrating to rdomains

rdomains, isakmpd, keep state (if-bound)

2016-05-18 Thread utob
hi, i'm using a carp+vlan+trunk setup and isakmpd. after migrating to rdomains, i've planned to have $ext_if and isakmpd+enc0 in different rdomains, but that didn't work out, as nothing would listen on $ext_if:500 then. the main thing is, that communication via enc0 is only possible if i drop

isakmpd peculiarities, ipsec.conf manpage inaccuracy

2016-02-28 Thread Andrew Lester
tem and my OS X system, while I find the identification payload in the first quick mode message to be the same, I actually discovered a difference in the final segment of the main mode Identity Protection phase: In 3rd and final exchange in IKE phase 1 (Identity protection, main mode): *isakm

Re: PPPoE / isakmpd race

2016-02-20 Thread Christopher Snell
On Wed, Feb 17, 2016 at 1:38 AM, Stuart Henderson <s...@spacehopper.org> wrote: > > A more generic (but more complicated) approach would be to use ifstated > to wait until the interface is up before running isakmpd. Stu, Thanks a bunch for this suggestion. This turned out t

Re: How does isakmpd determine which config stanza to use?

2016-02-20 Thread Philipp Buehler
On 19.02.2016 15:31 Christopher Sean Hilton wrote: * Am I right to assume that when connecting to isakmpd the soekris box will match to the "Remote router" stanza because it's trying to build a tunnel from "srcid <-> dstid" or is isakmpd using the

How does isakmpd determine which config stanza to use?

2016-02-19 Thread Christopher Sean Hilton
ffee shops or clients work sites. The soekris box has a fqdn certificate. The laptops have user-fqdn certs. My question is: * Am I right to assume that when connecting to isakmpd the soekris box will match to the "Remote router" stanza because it's trying to build a tunnel from

Re: PPPoE / isakmpd race

2016-02-17 Thread Stuart Henderson
"!sleep 5" or something to hostname.pppoe0 but obviously this would be racy and won't help if the connection is down when you boot. A more generic (but more complicated) approach would be to use ifstated to wait until the interface is up before running isakmpd.

Re: PPPoE / isakmpd race

2016-02-16 Thread Christopher Snell
Yes, the Listen-on is static. Unfortunately, changing the 0.0.0.0 in hostname.pppoe0 breaks PPPoE. I think I could work around this in netstart by simply sleeping until the link comes up (or a pre-defined timer elapses) but I'm struggling to come up with a more generic approach. There might be
