-B is supported, but since I'm encrypting with GPG, the contents are opaque to me. I don't see a way in the man page or a tool to decode an encrypted SPA packet. The contents on the two clients' saved output (from -B) are (as I would expect) very different.
In a similar vein, I ran fwknop --test --verbose -n <destination> on both clients and compared the output. Other than the expected differences (timestamps, random numbers, etc.) the two runs look largely similar. The one significant (to me) difference is the FKO version: 2.0.2 on the non-working client, and 3.0.0 on the working client.

Hmmmmm... I *thought* I'd done this... I compared the dumped data (with --verbose) on the client with the contents of the packet as captured on one of the servers (VERBOSE 2 in fwknopd.conf). I see now that the packet from the failing client is truncated when displayed in the log by the server. The packet contents from the working client are identical to the VERBOSE output on the server. It looks like the failing client is sending seventeen *more* characters than the server is receiving. Just eyeballing it, the two packet contents are identical up to the truncation point.

I feel like I've run into this before in a slightly different context. I'm running the test suite now ...

Thanks!

~David

On 04/09/2018 02:48 PM, sean.gre...@gmail.com wrote:
> Hey, hadda check😀
>
> Have you used the -B on the clients and compared the two generated SPA
> packets? (I think it’s still a valid flag to the command line client) I
> can’t check at the moment as there is a huge power outage in my area.
>
> Regards Sean
>
> Sent from my iPhone
>
>> On 9 Apr 2018, at 18:25, David Klann <dkl...@grunch.org> wrote:
>>
>> Good call Sean, and yes -- all four computers are running either ntpd or
>> the systemd equivalent. Time is synchronized on all of them.
>>
>> Thanks for your thought!
>>
>> ~David
>>
>>> On 04/09/2018 12:16 PM, sean.gre...@gmail.com wrote:
>>> Just a really arb squirrel check.... the Arch Linux time is synchronised
>>> right?
>>>
>>> I know it’s obvious but had to check.
>>>
>>> Regards Sean
>>>
>>> Sent from my iPhone
>>>
>>>> On 9 Apr 2018, at 17:47, David Klann <dkl...@grunch.org> wrote:
>>>>
>>>> Greetings!
>>>>
>>>> I am a longtime user of fwknop (thanks for your work Michael!), and I
>>>> have run into a problem that has been vexing me for several months.
>>>>
>>>> I have two servers into which I log in via SSH after authorizing with
>>>> fwknop from two clients. Authorization from the Ubuntu client (Client 1)
>>>> works as expected. Authorization from the Arch Linux-based client
>>>> (Client 2) fails with both servers.
>>>>
>>>> I have compared the contents of the SPA packets at the clients and at
>>>> the servers, and they appear to arrive correctly at the servers (using
>>>> verbose fwknop(1) output and tcpdump).
>>>>
>>>> Can anyone help with troubleshooting pointers? I'm happy to provide more
>>>> details as needed.
>>>>
>>>> Thanks!
>>>>
>>>> ~David Klann
>>>>
>>>>
>>>> Here are some version and configuration details:
>>>>
>>>> - Server 1: Current gentoo, net-firewall/fwknop version 2.6.9-r1
>>>>
>>>>     fwknopd --version
>>>>     fwknopd server 2.6.9, compiled for firewall bin: /sbin/iptables
>>>>
>>>> - Server 2: Ubuntu 16.04, fwknop-server 2.6.0-2.2
>>>>
>>>>     sudo fwknopd --version
>>>>     fwknopd server 2.6.0
>>>>
>>>> SPA authorization from Client 1 works with both of these servers. SPA
>>>> authorization from Client 2 *fails* with both servers. Details:
>>>>
>>>> - Client 1 (working): Ubuntu 17.10, fwknop-client 2.6.9-1build1
>>>>
>>>>     fwknop --version
>>>>     fwknop client 2.6.9, FKO protocol version 3.0.0
>>>>
>>>> - Client 2 (not working): current Arch Linux, community/fwknop 2.6.9-4
>>>>
>>>>     fwknop --version
>>>>     fwknop client 2.6.9, FKO protocol version 2.0.2
>>>>
>>>> Client and server configurations are at the following pastebins:
>>>> - client 1 .fwknoprc: https://pastebin.com/eNL4Fskp
>>>> - client 2 .fwknoprc: https://pastebin.com/tN5ryw83
>>>> - server 1 fwknopd.conf: https://pastebin.com/UgiXHXMV
>>>> - server 1 access.conf: https://pastebin.com/Jakk07gj
>>>> - server 2 fwknopd.conf: https://pastebin.com/inxC1S6G
>>>> - server 2 access.conf: https://pastebin.com/NGRTJqW5
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Fwknop-discuss mailing list
>>>> Fwknop-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss