(the same as on the CD).
If you don't mind getting your files from a non-official source, you
can install or update from
ftp://ftp.openbsd-stable.org./pub/OpenBSD-stable/4.9-stable/
The patch for isakmpd is included in these file sets.
Maurice
BTW: openbsd-stable.org is my pet project, so I'm
On 2011-07-15, MG mas...@fourseasonsnow.com wrote:
On 7/14/2011 9:31 PM, Kenneth R Westerback wrote:
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
Are there many updates of the source that are not published as
errata (on stable)?
Yes.
Ken
// rancor
2011/7/14 Stuart
Hi all,
Sorry this has been asked before but I can find no answer.
Is there going to be an official patch for ISAKMPD for 4.8 4.9.
I did see something in the bug tracking a while back but I now get the
following error when I try to access it.
Not Found: The requested URL /cgi-bin/query-pr
On Thu, Jul 14, 2011 at 06:41:06AM -0700, Steve wrote:
Hi all,
Sorry this has been asked before but I can find no answer.
Is there going to be an official patch for ISAKMPD for 4.8 4.9.
To remedy what problem?
I did see something in the bug tracking a while back but I now get
It's tagged for 4.9-STABLE
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Steve
Sent: Thursday, July 14, 2011 9:41 AM
To: misc@openbsd.org
Subject: ISAKMPD
Hi all,
Sorry this has
On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
It's tagged for 4.9-STABLE
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
And I just committed a corresponding diff into 4.8 stable.
Dunno if this warrants a patch. It's easy to pull the diff from cvs.
-Otto
of the
errata pages.
--Paul
On Jul 14, 2011, at 10:45 AM, Otto Moerbeek wrote:
On Thu, Jul 14, 2011 at 10:36:54AM -0400, Wade, Daniel wrote:
It's tagged for 4.9-STABLE
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/dh.c
And I just committed a corresponding diff into 4.8 stable.
Dunno
On Thu, Jul 14, 2011 at 11:49:16AM -0400, Paul Suh wrote:
Folks,
Hmm -- it's not showing on the 4.9 or 4.8 Errata pages:
http://www.openbsd.org/errata49.html
http://www.openbsd.org/errata48.html
If it's easy to pull the diff it shouldn't be hard to post it, and it would be
a nice
On 2011-07-14, Paul Suh pl...@goodeast.com wrote:
If it's easy to pull the diff it shouldn't be hard to post it
It's not about difficulty.
and it would be a nice thing to do for folks who have scripts that
notify them on changes of the errata pages.
It's normal to have things in -stable where no
Are there many updates of the source that are not published as
errata (on stable)?
// rancor
2011/7/14 Stuart Henderson s...@spacehopper.org:
On 2011-07-14, Paul Suh pl...@goodeast.com wrote:
If it's easy to pull the diff it shouldn't be hard to post it
It's not about difficulty.
and it
On Thu, Jul 14, 2011 at 11:28:44PM +0200, rancor wrote:
Are there many updates of the source that are not published as
errata (on stable)?
Yes.
Ken
// rancor
2011/7/14 Stuart Henderson s...@spacehopper.org:
On 2011-07-14, Paul Suh pl...@goodeast.com wrote:
If it's easy to
Hmm.. sounds like this might be a candidate for -STABLE?
--Paul
On Jul 8, 2011, at 10:09 AM, Stuart Henderson wrote:
On 2011-07-08, Tony Sarendal t...@polarcap.org wrote:
If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
up src/sbin/isakmpd/dh.c to r1.14 otherwise you
/var/log/messages once every hour or two
Jul 2 08:14:54 hostname isakmpd[28247]: message_recv: invalid
cookie(s) 576scrambled03c2
Jul 2 08:14:54 hostname isakmpd[28247]: dropped message from
x.x.x.x port 500 due to notification type INVALID_COOKIE
The tunnels work perfectly but I still
We are not using the tunnels for production use yet and have not started to
measure uptime but we will do it soon. I have not noticed any problem when
I'm using the tunnels, only the messages.
However, I was recommended by Stuart to pull up src/sbin/isakmpd/dh.c to
1.14 since there is a bug
On 2011-07-08, Tony Sarendal t...@polarcap.org wrote:
If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
see problems from time to time.
Is this a cosmetic thing or does it affect connectivity ?
dh.c r1.14
On Fri, Jul 8, 2011 at 4:09 PM, Stuart Henderson s...@spacehopper.org wrote:
On 2011-07-08, Tony Sarendal t...@polarcap.org wrote:
If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
see problems from time
On 2011-07-02, rancor theran...@gmail.com wrote:
Hi.
I have two separate ipsec tunnels from 4.9 boxes and both are
generating this message in /var/log/messages once every hour or two
Jul 2 08:14:54 hostname isakmpd[28247]: message_recv: invalid
cookie(s) 576scrambled03c2
Jul 2 08:14:54
Ah =) Thanks!
// rancor
2011/7/4 Stuart Henderson s...@spacehopper.org:
On 2011-07-02, rancor theran...@gmail.com wrote:
Hi.
I have two separate ipsec tunnels from 4.9 boxes and both are
generating this message in /var/log/messages once every hour or two
Jul 2 08:14:54 hostname isakmpd
Hi.
I have two separate ipsec tunnels from 4.9 boxes and both are
generating this message in /var/log/messages once every hour or two
Jul 2 08:14:54 hostname isakmpd[28247]: message_recv: invalid
cookie(s) 576scrambled03c2
Jul 2 08:14:54 hostname isakmpd[28247]: dropped message from
x.x.x.x port
On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote:
On 2011/06/05 13:09, Paul Suh wrote:
Stuart,
I tried using a symlink, but isakmpd didn't seem to like it.
For the file or the whole directory?
It seems to work with /etc/isakmpd -> /somewhere/else.
Stuart,
Sorry about the delay but my
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:
On 06/05/2011 02:37 AM, Paul Suh wrote:
Folks,
I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to
isakmpd,
but before I do so I'm not sure that it's
On 2011-06-14, Paul Suh pl...@goodeast.com wrote:
On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:
I thought you could change those in isakmpd.conf:
# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory
On 06/05/2011 02:37 AM, Paul Suh wrote:
Folks,
I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to isakmpd,
but before I do so I'm not sure that it's a good idea.
The location for certificates, CA's
Can't you just use symlinks?
On 2011-06-05, Paul Suh pl...@goodeast.com wrote:
Folks,
I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to isakmpd,
but before I do so I'm not sure that it's a good idea
Stuart,
I tried using a symlink, but isakmpd didn't seem to like it.
--Paul
On Jun 5, 2011, at 7:00 AM, Stuart Henderson wrote:
Can't you just use symlinks?
On 2011-06-05, Paul Suh pl...@goodeast.com wrote:
Folks,
I've been working with the flashrd system for booting from compact flash
On 2011/06/05 13:09, Paul Suh wrote:
Stuart,
I tried using a symlink, but isakmpd didn't seem to like it.
For the file or the whole directory?
It seems to work with /etc/isakmpd -> /somewhere/else.
Folks,
I've been working with the flashrd system for booting from compact flash
media, and ran across a case where I'd like to make some changes to isakmpd,
but before I do so I'm not sure that it's a good idea.
The location for certificates, CA's, private keys, etc. is hard-coded in
/usr/src
Hello,
I have IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line
like:
ike active esp tunnel from my_internal_net to his_internal_net peer
his_gateway_address main_mode_parameters quick_mode_parameters
preshared_key
My isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: POLICY
Conditions: app_domain == IPsec policy
esp_present == yes
esp_enc_alg != null -> true;
Every thing works fine.
But today, one of the remote_gateways was replaced
2011/1/10, Christoph Leser le...@sup-logistik.de:
I would like to ask:
1. Is it true, that isakmpd is supposed to accept any ID parameter of
type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponding route,
even when it is the 'default' route?
Yes, some people want all their traffic
On 13.12.2010 at 18:50 Axel Rau wrote:
no IP address found for pppoe0
This happens with all devices, I have tried.
Anybody succeeded in using an interface name as argument of option
local?
This is 4.8 stable on i386 generic.
Axel
---
axel@chaos1.de PGP-Key:29E99DD6 +49 151
On Mon, Dec 13, 2010 at 18:50 +0100, Axel Rau wrote:
Hi all,
in the man page for iked.conf, I read:
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names.
In my iked.conf, I have
local pppoe0
but iked
On 14.12.2010 at 17:23 Mike Belopuhov wrote:
mask2prefixlen functions are taken from bgpd. OK?
Thanks, Axel
---
axel@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @
chaos claudius
Hi all,
in the man page for iked.conf, I read:
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names.
In my iked.conf, I have
local pppoe0
but iked -vn complains:
no IP address found for pppoe0
On 2010-05-26, Jacob Yocom-Piatt j...@fixedpointgroup.com wrote:
i'm looking for an alternative
still very early days, but Reyk just committed an ikev2 daemon, iked...
http://article.gmane.org/gmane.os.openbsd.cvs/97036
http://article.gmane.org/gmane.os.openbsd.cvs/97037
On May 26, 2010, at 1:58 PM, Jacob Yocom-Piatt wrote:
Bryan wrote:
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
j...@fixedpointgroup.com wrote:
over the past several years i have encountered a variety of problems with
isakmpd that range from difficult to translate error messages
Michiel van Baak wrote:
And you want any help after talking to this list that way ?
i explained my problem pretty succinctly in the first email - isakmpd is
episodically unreliable, painful to debug, and i am looking for an
alternative if anyone is using something else on openbsd
Bryan wrote:
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
j...@fixedpointgroup.com wrote:
over the past several years i have encountered a variety of problems with
isakmpd that range from difficult to translate error messages to tunnels
dropping without explanation.
snipped
over the past several years i have encountered a variety of problems
with isakmpd that range from difficult to translate error messages to
tunnels dropping without explanation.
i have just recently had a rash of tunnel dropping, which can frequently
be fixed by one endpoint doing
pkill -x
On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
j...@fixedpointgroup.com wrote:
over the past several years i have encountered a variety of problems with
isakmpd that range from difficult to translate error messages to tunnels
dropping without explanation.
snipped...
Greetings,
Did
This has been committed. Thanks.
-mark
lum@
===
Hello,
while playing with isakmpd, I found that it would be nice to have a
complement for the isakmpd: exiting log entry.
Index: isakmpd.c
Looks like they are sending a delete. I guess I will delete and recreate
this tunnel
isakmpd: Peer 1.1.1.1 made us delete live SA unnamed for proto 1,
initiator id: 1.1.1.1, responder id: 2.2.2.2
On Tue, Nov 17, 2009 at 10:37 AM, Christoph Leser
le...@sup-logistik.de wrote:
Are you sure
We have many tunnels and for some reason I just set up a tunnel with a Cisco
ASA and we can not initiate the connection from the OpenBSD side. If the
Cisco side pings a device on the OpenBSD side the tunnel comes up. On the
Cisco side they have bidirectional enabled, and they are not seeing the
or considered a bug.
I would try to delete the tunnel completely and configure it again while running
tcpdump on the external interface ( or enable isakmpd packet capture, see the
-L switch of isakmpd ).
This will at least answer the question, whether openBSD attempts to establish
the connection when
on the external interface ( or enable isakmpd packet capture, see the
-L switch of isakmpd ).
This will at least answer the question, whether openBSD attempts to establish
the connection when the tunnel is defined for the first time.
Regards
Christoph
-Original Message-
From: owner
I have seen this same behaviour with a configured Cisco ASA endpoint.
The Cisco end needs to ping our network to initiate the connection, and
from watching the IPSEC negotiations from the isakmpd capture files, the
Cisco end rejects our proposal, but we accept their proposal. As Dag
says
to be the most critical subnet and so causes
quite a problem. The really odd thing is that when I run isakmpd in
debug mode (on the problem routers) the subnet route does not get
dropped. Even more odd/annoying is this problem is intermittent and
tends to only affect one of the routers at any one
it is to log into the remote side and do the following
shell commands:
# kill $(cat /var/run/isakmpd.pid)
# /sbin/isakmpd -K
# /sbin/ipsecctl -f /etc/ipsec.conf
I just spent an hour working on the remote side and I've come up with
more information on the problem. Particularly
appears to be okay.
My question is this: When you use certificates does isakmpd still use
/etc/isakmpd/private/local.key
as the private key for the crypto negotiation or can that be changed.
Thanks for the followups. IT looks like local.key is the key if you
don't use the local tag
certificates does isakmpd still use
/etc/isakmpd/private/local.key
as the private key for the crypto negotiation or can that be changed.
-- Chris
Chris Hilton tildeChris -- http://myblog.vindaloo.com
email -- chris/at/vindaloo/
dot/com
and everything appears to be okay.
My question is this: When you use certificates does isakmpd still use
/etc/isakmpd/private/local.key
as the private key for the crypto negotiation or can that be changed.
By default isakmpd will use local.key, if you wish to use more than one
private key you
Hey List !
quick question... Is there a way to clear one specific VPN in the
ipsecctl reference table or do I really need to clear the entire table ? (
ipsecctl -F )
Example... I got a bunch of VPN ( 50 + ) , need to flush the state of
this particular one:
BSD 4.3 // config in
Hello,
I am debugging an IPsec tunnel by running
isakmpd -L -d -DA=90 > /root/scripts/isakmpd.log 2>&1
and I can't find a way how to switch or convert the time to a human
readable form.
Logfile shows:
...
103749.319100 Default log_debug_cmd: log level changed from 0 to 90 for class
0 [priv
Sorry,
I had a blackout, the time is obvious.
mp
-Original Message-
From: Petvalsky, Martin
Sent: Wednesday, April 22, 2009 11:14 AM
To: 'misc@openbsd.org'
Subject: isakmpd log file - time in human form?
Hello,
I am debugging an IPsec tunnel by running
isakmpd -L -d -DA=90 /root
Hi misc,
I've been trying to configure the following IPSec client using
certificates, but with no success. I want to use it a roadwarrior setup:
http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html
Of course, I'm using isakmpd on the OpenBSD side (4.3). I did
I found that some of my problems are related to 'DELETE' messages from the
peer ( cisco ASA's , for example ). There is another thread in this forum
discussing this issue.
Hans-Joerg Hoexer said that obsd/isakmpd should handle this case, but he will
look into it.
I would be interested to know
Christoph Leser le...@sup-logistik.de wrote:
I'm still struggling to keep my ipsec vpns running smoothly.
FWIW, I mostly use IPsec on my home WLAN and I observe a similar
lack of reliability. My laptop sets up two IPsec associations, one
IPv4 and one IPv6, and from time to time one of these or
Hi,
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
This feature is described in
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle
.html#wp1045897
The effect is, that the VPN no longer works.
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or both?
HJ.
On 19 Jan 09 at 17:37, Hans-Joerg Hoexer wrote:
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
I noticed that the cisco end of a VPN I configured on my openBSD
sends a
DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or
-Original Message-
From: dug [mailto:d...@xgs-france.com]
Sent: Monday, 19 January 2009 17:44
To: Hans-Joerg Hoexer
Cc: Christoph Leser; misc@openbsd.org
Subject: Re: Cisco IPSec Security Association Idle Timers and isakmpd
On 19 Jan 09 at 17:37, Hans-Joerg Hoexer
the exchanges proceed other than they normally do.
For example I see that 'normally' my isakmpd enters into phase-2
exchange immediately after phase-1 is established. But sometimes it
delays to initiate phase-2 for up to 10 minutes after phase-1 completes,
and it often fails in these cases ( no response
/ipsec.conf and ipsecctl to
drive isakmpd, and /etc/isakmpd/isakmpd.conf directly, skipping
ipsecctl.
But I still see attribute LIFE_DURATION = 1200 in QUICK_MODE
exchanges and 3600 in ID_PROT exchanges.
What am I missing here? I'm at my wit's end, all suggestions welcome.
I include the configurations
:23.55, we have:
All:
Back in 01/2006, circa 3.8, there was a thread related to the use of
gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.
There was a repeatable kernel panic related to gre(4) packets needing a
smaller MTU as they are encapsulated in ipsec(4) packets
All:
Back in 01/2006, circa 3.8, there was a thread related to the use of
gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.
There was a repeatable kernel panic related to gre(4) packets needing a
smaller MTU as they are encapsulated in ipsec(4) packets, before being
thanks for the clarification.
Indeed I can see in the traces that obsd isakmpd accepts 61443 and sends out
its reply with the same value.
But it uses 3, if it initiates the exchange.
if so, I would guess that is the reason for the 'NO PROPOSAL CHOSEN' messages.
Can I configure 61443 as
Hi,
I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
cisco router establishes quick mode to my openbsd. The connect works ok,
just wondering what this message could mean. I have only seen
'ENCAPSULATION MODE = TUNNEL' in this context.
As connect setup fails in the opposite
On 2008-11-25, Christoph Leser [EMAIL PROTECTED] wrote:
I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
cisco router establishes quick mode to my openbsd. The connect works ok,
just wondering what this message could mean. I have only seen
'ENCAPSULATION MODE = TUNNEL'
Hi,
On Tue, 25.11.2008 at 12:11:42 +0100, Christoph Leser [EMAIL PROTECTED] wrote:
But it uses 3, if it initiates the exchange.
if so, I would guess that is the reason for the 'NO PROPOSAL CHOSEN' messages.
Can I configure 61443 as encapsulation mode in isakmpd.conf?
I'm not aware of such a
Hello,
I have three /24 networks connected to each other through multihomed OpenBSD
4.0 servers using isakmpd(8). Recently, new point-to-point links have been
installed between each of those networks on separate interfaces, and I would
like to make it so traffic coming from/through specific
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Carlos Laviola
Sent: Thursday, 6 November 2008 13:34
To: misc@openbsd.org
Subject: isakmpd routing woes
Hello,
I have three /24 networks connected to each other through
multihomed
established well but, in case of internet connections
problems, the vpn went down and never came up again.
Once the vpn went down, the work around was simply to kill isakmpd and
restart it. Not very simple when the vpn went down at 2 AM (and users
complaining at 8)
Analysing an idle VPN connection (we
want to mention that it's my beginning with ipsec/isakmpd
tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so i can't check log there and i
only wish that configuration there is done well.
Here it is my
won't come back after a small link shutdown.
The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :
--- isakmpd.conf ---
[General]
DPD-check-interval= 30
--- isakmpd.conf ---
But i have
. The tunnels won't come back after a small link shutdown.
The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :
--- isakmpd.conf ---
[General]
DPD-check-interval= 30
--- isakmpd.conf ---
Thanks
a strange problem when
the connection goes down. The tunnels won't come back after a
small link shutdown.
The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :
--- isakmpd.conf ---
[General
Hi,
On Sun, 21.09.2008 at 16:04:11 +0200, Mariusz Makowski [EMAIL PROTECTED]
wrote:
a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
What I want to achieve is: - communication from a.a.a.a_net to d.d.d.d_net
-- isakmpd.conf --
[General]
Listen-on=
On Fri, Sep 19, 2008 at 12:33:36AM +0200, Lukas Ratajski wrote:
IPsec tunnel between two computers - a Soekris net5501 running
[...]
key_encrypt: bits 256:
The crypto driver for the net5501 does not support 256bit AES.
you have to switch to 128bit AES keys or backport revision 1.15
Hello,
Firstly I want to mention that it's my beginning with ipsec/isakmpd tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so i can't check log there and i only
wish that configuration there is done well
Mariusz Makowski wrote:
Hello,
Firstly I want to mention that it's my beginning with ipsec/isakmpd
tunneling.
My problem is about making connection from OpenBSD 4.3 to Cisco VPN
concentrator 3060.
Cisco concentrator is out of my range so i can't check log there and i
only wish
-sha1 enc aes-256 group modp1536 \
quick auth hmac-sha1 enc aes-256 group modp1536 \
srcid $myip dstid [EMAIL PROTECTED]
This keeps isakmpd looking in
/etc/isakmpd/pubkeys//ufqdn/[EMAIL PROTECTED] for a public key
that I presumably have to create using keynote (right)?
In any case
Hello everyone,
I am experiencing a problem here which - despite deep analysis,
RTFMing and trying to understand some portions of isakmpd code -
seems impossible to solve for me. I am trying to establish a simple
IPsec tunnel between two computers - a Soekris net5501 running
OpenBSD
On Sat, 2008-08-23 at 13:30 +0200, Daniel Rapp wrote:
Hi, I am looking for example configs on isakmpd where there is more than one
tunnel..
I have a openbsd (4.2) firewall with a tunnel config in isakmpd.conf and i
want to add a roadwarrior tunnel to..
There should be a wiki somewhere
Hi,
On Sat, 23.08.2008 at 13:30:28 +0200, Daniel Rapp [EMAIL PROTECTED] wrote:
I have a openbsd (4.2) firewall with a tunnel config in isakmpd.conf and i
want to add a roadwarrior tunnel to..
this should work roughly like this:
[Phase 1]
1.2.3.4=Your-Main-Connection # that you have
jared r r spiegel wrote:
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
Now someone would like to add a device which (like some other devices
connecting to this machine) is not on a fixed address so it needs to
use the to any rule. Though it supports AES in phase 2, only DES
:[EMAIL PROTECTED] On Behalf
Of Stefan Sczekalla
Sent: Friday, August 22, 2008 5:40 PM
To: misc@openbsd.org
Subject: Any Ideas ? isakmpd logs: exchange_setup_p1: unknown exchange
type QUICK_MODE
... and send no answer back to xxx.yyy.zzz.uuu
My Host is an OpenBSD 3.8, the other - remote
I've got a number of VPN clients using X.509 certs to access a
central site configured by ipsec.conf like this.
ike passive esp \
from {$SOMENET, 192.168.40.0/21} to any \
main auth hmac-sha1 enc aes group grp2 \
quick auth hmac-sha1 enc aes group grp2 \
tag
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
Does anyone know of a way, either using ipsec.conf or isakmpd.conf,
to permit use of _either_ AES _or_ 3DES in phase 1? Or do I need to go
to all the other endpoints and reconfigure them to a common algorithm
(i.e. 3DES)?
On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:
Now someone would like to add a device which (like some other devices
connecting to this machine) is not on a fixed address so it needs to
use the to any rule. Though it supports AES in phase 2, only DES or
3DES are permitted
Hi, I am looking for example configs on isakmpd where there is more than one
tunnel..
I have a openbsd (4.2) firewall with a tunnel config in isakmpd.conf and i
want to add a roadwarrior tunnel to..
I think I have seen some sample config before but I can't seem to find any
now..
Any help would
... and send no answer back to xxx.yyy.zzz.uuu
My Host is an OpenBSD 3.8, the other - remote ( xxx.yyy.zzz.uuu ) is a
securepoint using strongswan.
17:11:22.476524 xxx.yyy.zzz.uuu.500 > aaa.bbb.ccc.ddd.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie:
Hi folks,
Tinyca allows exporting a chain of CA certificates within
one file, but it took me quite some time to recognize that
isakmpd can't handle this. Or can it?
Regards
Harri
the VPN
tunnel, install the new certificate, authenticate again and that'd be
it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped
message from aaa.bbb.ccc.ddd port 500 due to notification type
INVALID_ID_INFORMATION
On one machine, I had to restart isakmpd to get it to accept
. AFAICS the problem
is that isakmpd doesn't accept the proposal packet with
:
payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
payload: ID len: 16 type: IPV4_ADDR_SUBNET =
192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
:
If I setup an IPsec tunnel between 2
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Harald Dunkel
Sent: Monday, June 30, 2008 9:17 AM
To: [EMAIL PROTECTED]
Cc: Misc OpenBSD
Subject: Re: isakmpd -- NCP IPsec client: peer proposed
invalid phase 2 IDs
Hi Prabhu,
I do get
On 2008-06-30, Mitja Muenih [EMAIL PROTECTED] wrote:
It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.
It would make more sense for isakmpd to treat IPV4_ADDR_SUBNET /32
and IPV4_ADDR as equivalent, otherwise I think you're unable to use
0.0.0.0 to accept dynamic
Mitja Muenih wrote:
It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.
As I already explained to you in a private mail, ipsecctl will export both
192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR=192.168.1.249 while your
windows client is sending IPV4_ADDR_SUBNET
PS: If I don't define any remote networks in NCP client, then it tries
to send all ip traffic via esp to the OpenBSD gateway, but isakmpd
whoes:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id
c0a801f9: 192.168.1.249, responder id /: 0.0.0.0/0.0.0.0
On 2008-06-30, Harald Dunkel [EMAIL PROTECTED] wrote:
Mitja Muenih wrote:
It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.
As I already explained to you in a private mail, ipsecctl will export both
192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR
My failover isakmpd setup doesn't fail over transparently when the
master goes down. SAs and flows are properly synced using sasyncd, but
when the backup node becomes master (and isakmpd is set to active
mode), it fails to find any SAs and continues to renegotiate both
phase 1 and 2, resulting