Re: rm: fts_read: No such file or directory

2021-01-13 Thread Otto Moerbeek
On Wed, Jan 13, 2021 at 09:46:27PM +0100, Paul de Weerd wrote:

> Hi all,
> 
> While doing some clean-up on my backup filesystem (which extensively
> uses hardlinks), I came across the error in Subject:
> 
>   rm: fts_read: No such file or directory
> 
> Traversing the hierarchy I was trying to remove, I get similar
> fts_read errors when I `ls` in certain places, but a repeated rm runs
> to completion fine (the tree is gone afterwards).
> 
> There's nothing in dmesg suggesting filesystem corruption, the
> filesystem unmounts and remounts cleanly, I'm running a forced fsck
> now which says "** File system is already clean".  It's a rather large
> filesystem with many inodes in use, so it'll take some time to
> complete.  Also, it's on a softraid crypto device, if that matters:
> 
> sd2: 5231654MB, 512 bytes/sector, 10714427745 sectors
> 
> Reading fts_read(3) wasn't really enlightening as to why a directory
> that's supposedly there, wouldn't be there anymore.  (note that I
> wasn't running another rm in the same tree in parallel when I got
> these errors - I did try to force the error by doing just that, but
> that went through without a single error).
> 
> Could there be some TOCTOU issue here somewhere?  Or some cache
> misbehaviour?  Or is it really dying hardware?

My first bet would be some form of corruption. Flipped bits in e.g.
directories while operating normally cannot be seen by the
clean/unclean flag in the superblock. That one only records if the
filesystem was unmounted before reboot, shutdown or crash.

The forced fsck might reveal more.

-Otto



Re: RAID Question

2021-01-13 Thread Duncan Patton a Campbell


So the resolution to this, barring some intermittent disk strangeness, is 
that I had a SATA cable with crap connex.  No surprise.  Silver stays 
shiny about 3 hours here.

Dhu

On Wed, 13 Jan 2021 19:19:40 -0700
Duncan Patton a Campbell  wrote:

> 
> On Wed, 13 Jan 2021 21:06:57 -0500
> Nick Holland  wrote:
> 
> > On 1/12/21 9:41 PM, Duncan Patton a Campbell wrote:
> > > 
> > > Howdy all?  I'm wondering if more than one RAID1 array is supported in 
> > > 6.7++
> > > 
> > > I'm having problems that could be bios limitations, OS, or a bad SATA 
> > > (Pwr?) cable.
> > > Currently I'm going with the latter and rebuilding the RAID (again) but 
> > > was
> > > just wondering if anyone has run a config with more than one RAID array...
> > > ...
> > > 
> > > Volume  Status   Size Device
> > > softraid0 0 Rebuild 4000786694656 sd5 RAID1 3% done
> > >0 Rebuild 4000786694656 0:0.0   noencl 
> > >1 Online  4000786694656 0:1.0   noencl 
> > > softraid0 1 Rebuild 2000396018176 sd6 RAID1 72% done
> > >0 Rebuild 2000396018176 1:0.0   noencl 
> > >1 Online  2000396018176 1:1.0   noencl 
> > > 
> > > Thanks,
> > > 
> > > Dhu  (dmesg attached, oh and Happy New Years to you;)
> > 
> > /home/nick $ doas bioctl softraid0
> > Volume  Status   Size Device
> > softraid0 0 Online  6001174724608 sd5 RAID1
> >0 Online  6001174724608 0:0.0   noencl 
> >1 Online  6001174724608 0:1.0   noencl 
> > softraid0 1 Online  4000786726912 sd6 RAID1
> >0 Online  4000786726912 1:0.0   noencl 
> >1 Online  4000786726912 1:1.0   noencl 
> > softraid0 2 Online  6001174323200 sd7 CRYPTO
> >0 Online  6001174323200 2:0.0   noencl 
> > 
> > so  ... uh...yeah.
> > And yes, that crypto is on top of a RAID1 set.  Doing things wrong, I am. :)
> > 
> > What's the problem you are having?
> > 
> > That being said -- I did have some issues here that may have been related
> > to a couple old disks of uncertain history.  Pretty sure it ultimately
> > boiled down to bad spot on this drive, different bad spot on that drive,
> > and as a result, neither drive could rebuild onto the other.  That
> > definitely happens with RAID1.
> > 
> > Nick.
> > 
> > 
> Yes, Thank you.  
> It's good to know it'll work as it's stiiill chugging away ... 
> 
> Dhu
> 
> 
> 
> -- 
> Je suis Canadien. Ce n'est pas Francais ou Anglaise.  
>  C'est une esp`ece de sauvage: ne obliviscaris, vix ea nostra voco;-) 


-- 
Je suis Canadien. Ce n'est pas Francais ou Anglaise.  
 C'est une esp`ece de sauvage: ne obliviscaris, vix ea nostra voco;-) 



Re: RAID Question

2021-01-13 Thread Duncan Patton a Campbell

On Wed, 13 Jan 2021 21:06:57 -0500
Nick Holland  wrote:

> On 1/12/21 9:41 PM, Duncan Patton a Campbell wrote:
> > 
> > Howdy all?  I'm wondering if more than one RAID1 array is supported in 6.7++
> > 
> > I'm having problems that could be bios limitations, OS, or a bad SATA 
> > (Pwr?) cable.
> > Currently I'm going with the latter and rebuilding the RAID (again) but was
> > just wondering if anyone has run a config with more than one RAID array...
> > ...
> > 
> > Volume  Status   Size Device
> > softraid0 0 Rebuild 4000786694656 sd5 RAID1 3% done
> >0 Rebuild 4000786694656 0:0.0   noencl 
> >1 Online  4000786694656 0:1.0   noencl 
> > softraid0 1 Rebuild 2000396018176 sd6 RAID1 72% done
> >0 Rebuild 2000396018176 1:0.0   noencl 
> >1 Online  2000396018176 1:1.0   noencl 
> > 
> > Thanks,
> > 
> > Dhu  (dmesg attached, oh and Happy New Years to you;)
> 
> /home/nick $ doas bioctl softraid0
> Volume  Status   Size Device
> softraid0 0 Online  6001174724608 sd5 RAID1
>0 Online  6001174724608 0:0.0   noencl 
>1 Online  6001174724608 0:1.0   noencl 
> softraid0 1 Online  4000786726912 sd6 RAID1
>0 Online  4000786726912 1:0.0   noencl 
>1 Online  4000786726912 1:1.0   noencl 
> softraid0 2 Online  6001174323200 sd7 CRYPTO
>0 Online  6001174323200 2:0.0   noencl 
> 
> so  ... uh...yeah.
> And yes, that crypto is on top of a RAID1 set.  Doing things wrong, I am. :)
> 
> What's the problem you are having?
> 
> That being said -- I did have some issues here that may have been related
> to a couple old disks of uncertain history.  Pretty sure it ultimately
> boiled down to bad spot on this drive, different bad spot on that drive,
> and as a result, neither drive could rebuild onto the other.  That
> definitely happens with RAID1.
> 
> Nick.
> 
> 
Yes, Thank you.  
It's good to know it'll work as it's stiiill chugging away ... 

Dhu



-- 
Je suis Canadien. Ce n'est pas Francais ou Anglaise.  
 C'est une esp`ece de sauvage: ne obliviscaris, vix ea nostra voco;-) 



Re: RAID Question

2021-01-13 Thread Nick Holland

On 1/12/21 9:41 PM, Duncan Patton a Campbell wrote:


Howdy all?  I'm wondering if more than one RAID1 array is supported in 6.7++

I'm having problems that could be bios limitations, OS, or a bad SATA (Pwr?) 
cable.
Currently I'm going with the latter and rebuilding the RAID (again) but was
just wondering if anyone has run a config with more than one RAID array...
...

Volume  Status   Size Device
softraid0 0 Rebuild 4000786694656 sd5 RAID1 3% done
   0 Rebuild 4000786694656 0:0.0   noencl 
   1 Online  4000786694656 0:1.0   noencl 
softraid0 1 Rebuild 2000396018176 sd6 RAID1 72% done
   0 Rebuild 2000396018176 1:0.0   noencl 
   1 Online  2000396018176 1:1.0   noencl 

Thanks,

Dhu  (dmesg attached, oh and Happy New Years to you;)


/home/nick $ doas bioctl softraid0
Volume  Status   Size Device
softraid0 0 Online  6001174724608 sd5 RAID1
  0 Online  6001174724608 0:0.0   noencl 
  1 Online  6001174724608 0:1.0   noencl 
softraid0 1 Online  4000786726912 sd6 RAID1
  0 Online  4000786726912 1:0.0   noencl 
  1 Online  4000786726912 1:1.0   noencl 
softraid0 2 Online  6001174323200 sd7 CRYPTO
  0 Online  6001174323200 2:0.0   noencl 

so  ... uh...yeah.
And yes, that crypto is on top of a RAID1 set.  Doing things wrong, I am. :)

What's the problem you are having?

That being said -- I did have some issues here that may have been related
to a couple old disks of uncertain history.  Pretty sure it ultimately
boiled down to bad spot on this drive, different bad spot on that drive,
and as a result, neither drive could rebuild onto the other.  That
definitely happens with RAID1.

Nick.



Re: IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
> On 13 Jan 2021, at 06:04, Cand Tec  wrote:
> 
> This is my first time responding to a post so forgive me if I violate any 
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients, 
> all running on high-end repurposed desktops. Due to covid I've had to quickly 
> set up ikev for a very small number of home users, none of whom are 
> roadwarriors, and all use Win10. Yes, I know I should be using ikev2, so don't 
> chew me out; at the time it was just quicker. 
> Using the UI in Win10 is not the way to go. Apparently the Win10 default 
> parameters via the UI do not provide the required ciphers.
> I used powershell to modify the parameters first, then used the vpn connection 
> properties to finalize the settings. It worked 100% of the time without 
> fail. When I duplicated it using only the Win10 UI, it failed in every 
> instance.
> 
> Here are the powershell cmds I used to modify my default vpn settings, which 
> have worked every time:
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com 
> -TunnelType "L2tp"
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" 
> -AuthenticationTransformConstants None -CipherTransformConstants AES256 
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup 
> Group14 -PassThru -Force

Indeed that does not work for IKEv2:
ikev1_recv: header ispi 0x94edd5a8931477d9 rspi 0x nextpayload 
1 version 0x10 exchange 2 flags 0x00 msgid 0 length 256
ikev1_recv: IKEv1 not supported


Looking at some of the other information provided, I tried this along with the 
registry edit below:

PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType 
IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "IPB2" 
-AuthenticationTransformConstants None -CipherTransformConstants AES256 
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 
-PfsGroup None -PassThru -AllUserConnection

But that doesn’t seem to help anything.


> Here's some info I found helpful -
> 
> L2TP issues with Win 10 – phase1 does not form due to insecure default 
> parameters
> REGISTRY SOLUTION:  
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>  
> Create a registry key that enforces modern cipher and transform sets.
> 
> STEP 1:  Edit Registry or create GPO:
> 
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
> STEP 3:  Modify DWORD value: 2
> 
> One caveat, whenever a major Win10 update is installed it tends to reset the 
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset 
> it a few times. Other than that it has been flawless so far...if you can call 
> it that.
> 
> Hopefully this helps.
> 



rm: fts_read: No such file or directory

2021-01-13 Thread Paul de Weerd
Hi all,

While doing some clean-up on my backup filesystem (which extensively
uses hardlinks), I came across the error in Subject:

rm: fts_read: No such file or directory

Traversing the hierarchy I was trying to remove, I get similar
fts_read errors when I `ls` in certain places, but a repeated rm runs
to completion fine (the tree is gone afterwards).

There's nothing in dmesg suggesting filesystem corruption, the
filesystem unmounts and remounts cleanly, I'm running a forced fsck
now which says "** File system is already clean".  It's a rather large
filesystem with many inodes in use, so it'll take some time to
complete.  Also, it's on a softraid crypto device, if that matters:

sd2: 5231654MB, 512 bytes/sector, 10714427745 sectors

Reading fts_read(3) wasn't really enlightening as to why a directory
that's supposedly there, wouldn't be there anymore.  (note that I
wasn't running another rm in the same tree in parallel when I got
these errors - I did try to force the error by doing just that, but
that went through without a single error).

Could there be some TOCTOU issue here somewhere?  Or some cache
misbehaviour?  Or is it really dying hardware?

Paul 'WEiRD' de Weerd

OpenBSD 6.8-current (GENERIC.MP) #267: Sat Jan  9 19:23:55 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

VirtIO SCSI device recognized by boot loader but not kernel

2021-01-13 Thread Ryan Kavanagh
I am trying to get OpenBSD running on Oracle Cloud [0]. They do not
offer OpenBSD as an image, nor do they let you mount an ISO image, but
they do let you import your own VMDK or qcow2 image. Unfortunately,
neither OpenBSD's ramdisk nor its default install recognize the VirtIO
SCSI device used by Oracle.

I created an OpenBSD 6.8 VMDK image using QEMU, loosely following these
instructions [1], and managed to import it. Unfortunately, though the
image boots, I am unable to get OpenBSD 6.8 to recognize the VirtIO SCSI
devices Oracle Cloud provides: booting the installed image gets stuck at
a prompt to pick my root disk.

I then tried booting into the ramdisk /bsd.rd included on the installed
image. There too, I manage to boot, but the ram disk does not recognize
the underlying disk from which it was booted. Indeed, the installer
reports:

Available disks are: .
Which disk is the root disk? ('?' for details)

Does anybody have any suggestions on how to get OpenBSD to recognize the
disk? Below, I have included OpenBSD dmesg output I got over the serial
console, and dmesg output from an identical VM running Linux.

Thanks,
Ryan

[0] In particular, their free tier, which gives you two free VMs with
100GB of combined storage: https://www.oracle.com/cloud/free/

[1] https://www.skreutz.com/posts/autoinstall-openbsd-on-qemu/ ,
changing qcow2 to VMDK, and from 6.7 to 6.8.

--- BEGIN OPENBSD DMESG --
>> OpenBSD/amd64 BOOT 3.52
boot> machine diskinfo
Disk    BIOS#   Type    Cyls    Heads   Secs    Flags   Checksum
hd0     0x80    label   1023    255     63      0x2     0xd5bb9ad8
boot> boot /bsd.rd
NOTE: random seed is being reused.
booting hd0a:/bsd.rd: 3822285+1573888+3882232+0+761856 
[324353+128+468792+313530]=0xaa3780
entry point at 0x81001000
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2020 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.8 (RAMDISK_CD) #94: Sun Oct  4 18:21:11 MDT 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056817152 (1007MB)
avail mem = 1020825600 (973MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf7050 (9 entries)
bios0: vendor SeaBIOS version 
"?-20171121_152543-x86-ol7-builder-01.us.oracle.com-4.el7.1" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: tables DSDT FACP APIC HPET
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD EPYC 7551 32-Core Processor, 1996.61 MHz, 17-01-02
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,TOPEXT,CPCTR,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,VIRTSSBD,XSAVEOPT,XSAVEC,XGETBV1
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache, 16MB 64b/line 16-way L3 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: apic clock running at 1000MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
"Intel 82371SB ISA" rev 0x00 at pci0 dev 1 function 0 not configured
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
"Intel 82371AB Power" rev 0x03 at pci0 dev 1 function 3 not configured
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
vga1: aperture needed
wsdisplay1 at vga1 mux 1
wsdisplay1: screen 0 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 02:00:17:00:34:07
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio1: qsize 128
scsibus0 at vioscsi0: 255 targets
virtio1: msix shared
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5 irq 1 irq 12

Re: iked && outgoing auth

2021-01-13 Thread Stuart Henderson
On 2021-01-13, Gregory Edigarov  wrote:
> sorry for possible misunderstanding,  but is iked capable of doing
> outgoing eap mschap-v2 auth?

no.




iked && outgoing auth

2021-01-13 Thread Gregory Edigarov
Hello, everybody

sorry for possible misunderstanding,  but is iked capable of doing
outgoing eap mschap-v2 auth?
because in my situation I need to connect to a server which requires this.

thanks.

--
With best regards,
    Gregory Edigarov
 



kbd mapping issue

2021-01-13 Thread rgc
misc@

i use jp.swapctrlcaps as my keyboard mapping in amd64 and macppc
OpenBSD 6.8 -snapshot via /etc/kbdtype.

i use amd64 (GENERIC.MP #266) more often so i observed this weirdness
in amd64. after several days, the kbd mapping goes weird for the swapped
keys.

normal jp.swapctrlcaps
 caps -> ctrl
 ctrl -> caps (changes LED status too)

when issue occurs
 caps -> does nothing
 ctrl -> ctrl

when the issue occurs i try changing kbd keymaps (jp, or en) but
there is no change in behavior. reboot fixes things.

amd64 is a normal-use laptop ... dwm, tmux, ssh, firefox-esr. i noticed this
too on a previous snapshot (before #266). today i just upgraded my -snapshot
to #232.

the issue has not occurred on macppc (now #827) ... i just use this Powerbook
for dwm, tmux, ssh, fetchmail, mutt, cvs repo sync.

rgc ~



iamahuman

2021-01-13 Thread Cand Tec
Modifying and resending due to advisory received...

This is my first time responding to a post so forgive me if I violate
any protocols here. I currently use OBSD 6.8 amd64 as a FW for 3
office clients, all running on high-end repurposed desktops. Due to
covid I've had to quickly set up ikev for a very small number of home
users, none of whom are roadwarriors, and all use Win10. Yes, I know I
should be using ikev2, so don't chew me out; at the time it was just
quicker.
Using the UI in Win10 is not the way to go. Apparently the Win10
default parameters via the UI do not provide the required ciphers.
I used powershell to modify the parameters first, then used the vpn
connection properties to finalize the settings. It worked 100% of the
time without fail. When I duplicated it using only the Win10 UI, it
failed in every instance.

Here are the powershell cmds I used to modify my default vpn settings,
which have worked every time:

PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com

 -TunnelType "L2tp"

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME"
-AuthenticationTransformConstants None -CipherTransformConstants
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup
None -DHGroup Group14 -PassThru -Force



Here's some info I found helpful -


L2TP issues with Win 10 – phase1 does not form due to insecure default
parameters

REGISTRY SOLUTION:
https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html



Create a registry key that enforces modern cipher and transform sets.

STEP 1:  Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
STEP 2: Create new DWORD value:
NegotiateDH2048_AES256

STEP 3:  Modify DWORD value: 2


One caveat, whenever a major Win10 update is installed it tends to
reset the Win10 vpn parameters you modified. It's not consistent, but
I've had to reset it a few times. Other than that it has been flawless
so far...if you can call it that.

Hopefully this helps.


On Wed, Jan 13, 2021 at 8:04 AM Cand Tec  wrote:
>
> On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt  wrote:
>>
>> Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy:
>> > Hi,
>> >
>> > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK 
>> > with macOS without issue. Changing to EAP MSCHAP for use with Windows 
>> > results in the following error:
>> >
>> > "The network connection between your computer and the VPN server could not 
>> > be established because the remote server is not responding. The could be 
>> > because one of the network devices (e.g. firewalls, NAT, routers, etc.) 
>> > between your computer and the remote server is not configured to allow VPN 
>> > connections."
>> >
>> > I’ve worked through many examples online, but I’m not sure what's the next 
>> > step to troubleshoot this?
>> >
>> > Thanks!
>> >
>> >
>> >
>> > # uname -rsv
>> > OpenBSD 6.8 GENERIC.MP#2
>> 
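The client-side sequence this thread is working toward, as an added PowerShell example (not code from any poster): it sets the registry value from the linked article, creates the connection as IKEv2 rather than L2TP (L2TP negotiates with IKEv1, which iked rejects with "IKEv1 not supported"), applies the same IPsec proposal Ian used, and reads everything back so the client side can be checked before looking at iked. The connection name and server address are placeholders, and the script assumes it runs in an elevated shell with the machine certificate already installed.

```powershell
# Added example for the thread above; placeholders, not a tested deployment.
# Run in an elevated PowerShell on the Windows 10 client.

$ConnName = "VPN_NAME"         # placeholder
$Server   = "vpn.example.com"  # placeholder; must match the server certificate's SAN
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
$RegName  = "NegotiateDH2048_AES256"

# Steps 1-3 of the thread's registry solution, as a command instead of regedit.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 2 -Force | Out-Null

# Read it back instead of trusting the write.
$actual = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
if ($actual -ne 2) { throw "$RegName is $actual, expected 2" }

# Replace any stale connection of the same name so the script can be re-run
# (the thread reports that major Windows updates reset these parameters).
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}

# IKEv2, machine-certificate auth, for all users: Ian's second attempt.
# For user credentials instead of a machine certificate, use -AuthenticationMethod Eap.
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# The same proposal the thread uses: AES-256, SHA-256, DH group 14, no PFS.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -AuthenticationTransformConstants None -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None -Force

# Show what Windows will actually negotiate before touching the iked side.
$vpn = Get-VpnConnection -Name $ConnName -AllUserConnection
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$vpn.IPsecCustomPolicy | Format-List

# RasMan reads the registry value at start; restarting it (or rebooting) is
# assumed here to be needed before the new value is used.
Restart-Service RasMan -Force
```

If the tunnel type printed by Get-VpnConnection is anything other than Ikev2, the client will still arrive at iked with an IKEv1 header exactly as in Ian's log, whatever the IPsec proposal says.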

Re: IKEv2 on Windows 10

2021-01-13 Thread Cand Tec
This is my first time responding to a post so forgive me if I violate any
protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office
clients, all running on high-end repurposed desktops. Due to covid I've had
to quickly set up ikev for a very small number of home users, none of which
are roadwarriors and all use Win10. Yes, I know I should be using ikev2, so
don't chew me out, at the time it was just quicker.
Using the UI in Win10 is not the way to go. Apparently the Win10 default
parameters via UI do not provide the required ciphers.
I used powershell to modify the parameters first then use the vpn
connection properties to finalize the settings. It worked 100% of the time
without fail. When I duplicated using only the Win10 UI it failed in
every instance.

Here are the powershell cmds I used to modify my default vpn settings which
have worked every time -

PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com
-TunnelType "L2tp"

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME"
-AuthenticationTransformConstants None -CipherTransformConstants AES256
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None
-DHGroup Group14 -PassThru -Force



Here's some info I found helpful -



L2TP issues with Win 10 – phase1 does not form due to insecure default
parameters

*REGISTRY SOLUTION:*
https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html


Create a registry key that enforces modern cipher and transform sets.

*STEP 1*:  Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
*STEP 2:* Create new DWORD value:
NegotiateDH2048_AES256

*STEP 3:*  Modify DWORD value: 2


One caveat, whenever a major Win10 update is installed it tends to reset
the Win10 vpn parameters you modified. It's not consistent, but I've had to
reset it a few times. Other than that it has been flawless so far...if you
can call it that.

Hopefully this helps.

On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt  wrote:

> Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy:
> > Hi,
> >
> > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK
> with macOS without issue. Changing to EAP MSCHAP for use with Windows
> results in the following error:
> >
> > "The network connection between your computer and the VPN server could
> not be established because the remote server is not responding. The could
> be because one of the network devices (e.g. firewalls, NAT, routers, etc.)
> between your computer and the remote server is not configured to allow VPN
> connections."
> >
> > I’ve worked through many examples online, but I’m not sure what's the
> next step to troubleshoot this?
> >
> > Thanks!
> >
> >
> >
> > # uname -rsv
> > OpenBSD 6.8 GENERIC.MP#2
> >
> >
> > #
> > # iked.conf
> > #
> >
> > ikev2 "vpn-psk" passive esp \
> >   from 0.0.0.0/0 to 0.0.0.0/0 \
>
> Hi,
>
> if you're using config address (as in giving peers a tunnel IP), you
> need to configure
>
> from 0.0.0.0/0 to 0.0.0.0 \
>
> The "to" becomes a /32, a /0 is wrong.  This is because of internal
> semantics.  Anyway, this confusing bit has been changed in -current,
> as you can read here:
>
> https://www.openbsd.org/faq/current.html
>
> But unless you're using current, you still need the line above.
>
> But since you're complaining about EAP MSCHAP, I don't know what's the
> issue there.  Maybe tobhe@ or sthen@ have an idea.
>
> Patrick
>
> >   local egress peer any \
> >   srcid vpn.company.com \
> >   eap "mschap-v2" \
> >   config address 10.0.2.0/24 \
> >   config netmask 255.255.0.0 \
> >   config name-server 10.0.0.1 \
> >   tag "$name-$id"
> >
> > # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for
> macOS.
> >
> >
> > #
> > # Generate certificates
> > #
> >
> > pkg_add zip
> >
> > ikectl ca vpn create
> > ikectl ca vpn install
> >
> > # CN should be same as srcid in iked.conf
> > ikectl ca vpn certificate vpn.company.com create
> > ikectl ca vpn certificate vpn.company.com install
> >
> > # CN should be same as client ip address
> > ikectl ca vpn certificate 10.0.2.100 create
> > ikectl ca vpn certificate 10.0.2.100 export
> >
> >
> > #
> > # Windows config
> > #
> >
> > - VPN device
> >- General tab
> >   - Server: vpn.company.com
> >- Security tab
> >   - VPN type: IKEv2
> >   - Authentication: Use machine certificates
> >
> > - Certs install
> >- ca.crt --> Certificates (Local Computer)/Trusted Root Certification
> Authorities/Certificates
> >- 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
> >
> >
> > #
> > # iked log
> > #
> >
> > doas iked -dvv
> > create_ike: using signature for peer
> > ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0
> local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group
> 
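The two fixes described in the post above (pinning the IPsec proposal with Set-VpnConnectionIPsecConfiguration and setting the RasMan registry value) combined into one script, with a check that re-reads both so a Windows update that resets them is noticed. This is an added example, not Cand Tec's or the thread's own code; it assumes an IKEv2 connection with machine certificates (the thread's setup rather than the L2tp tunnel type in the post), placeholder connection and server names, and that Get-VpnConnection exposes the custom policy as its IPsecCustomPolicy property.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell: the
# registry value lives under HKLM. $ExpectedIPsec mirrors the parameters the
# post passes to Set-VpnConnectionIPsecConfiguration; NegotiateDH2048_AES256 = 2
# is the registry value the post recommends.
$ConnectionName = 'VPN_NAME'          # placeholder, as in the post
$ServerAddress  = 'vpn.domain.com'    # placeholder, as in the post
$RasManKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$RasManValue    = 'NegotiateDH2048_AES256'

$ExpectedIPsec = @{
    AuthenticationTransformConstants = 'None'
    CipherTransformConstants         = 'AES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    PfsGroup                         = 'None'
    DHGroup                          = 'Group14'
}

function Set-HardenedVpn {
    # Create the connection only if it is missing (Add-VpnConnection errors on
    # a duplicate name), then pin the IPsec proposal and the registry value so
    # the client does not fall back to its weaker built-in defaults.
    if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
            -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -Force
    }
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        @ExpectedIPsec -Force | Out-Null
    New-ItemProperty -Path $RasManKey -Name $RasManValue -Value 2 `
        -PropertyType DWord -Force | Out-Null
}

function Test-HardenedVpn {
    # Returns one line per setting that drifted from the expected value; an
    # empty result means the hardened configuration is still in place.
    $drift = @()
    # Assumption: the custom policy is exposed as IPsecCustomPolicy.
    $policy = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
    foreach ($name in $ExpectedIPsec.Keys) {
        $actual = if ($policy) { [string]$policy.$name } else { '<unset>' }
        if ($actual -ne $ExpectedIPsec[$name]) {
            $drift += "$name is '$actual', expected '$($ExpectedIPsec[$name])'"
        }
    }
    $reg = Get-ItemProperty -Path $RasManKey -Name $RasManValue -ErrorAction SilentlyContinue
    if (-not $reg -or $reg.$RasManValue -ne 2) {
        $drift += "$RasManValue is '$($reg.$RasManValue)', expected 2"
    }
    return $drift
}

Set-HardenedVpn
$drift = Test-HardenedVpn
if ($drift) { $drift | ForEach-Object { Write-Warning $_ } } else { 'VPN parameters OK' }
```

Re-running only Test-HardenedVpn after each feature update (for example from a scheduled task) turns the "it resets sometimes" caveat into a warning you actually see.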

Re: IKEv2 on Windows 10

2021-01-13 Thread Patrick Wildt
Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy:
> Hi,
> 
> I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with 
> macOS without issue. Changing to EAP MSCHAP for use with Windows results in 
> the following error:
> 
> "The network connection between your computer and the VPN server could not be 
> established because the remote server is not responding. The could be because 
> one of the network devices (e.g. firewalls, NAT, routers, etc.) between your 
> computer and the remote server is not configured to allow VPN connections."
> 
> I’ve worked through many examples online, but I’m not sure what's the next 
> step to troubleshoot this?
> 
> Thanks!
> 
> 
> 
> # uname -rsv
> OpenBSD 6.8 GENERIC.MP#2
> 
> 
> #
> # iked.conf
> #
> 
> ikev2 "vpn-psk" passive esp \
>   from 0.0.0.0/0 to 0.0.0.0/0 \

Hi,

if you're using config address (as in giving peers a tunnel IP), you
need to configure

from 0.0.0.0/0 to 0.0.0.0 \

The "to" becomes a /32, a /0 is wrong.  This is because of internal
semantics.  Anyway, this confusing bit has been changed in -current,
as you can read here:

https://www.openbsd.org/faq/current.html

But unless you're using current, you still need the line above.

But since you're complaining about EAP MSCHAP, I don't know what's the
issue there.  Maybe tobhe@ or sthen@ have an idea.

Patrick

>   local egress peer any \
>   srcid vpn.company.com \
>   eap "mschap-v2" \
>   config address 10.0.2.0/24 \
>   config netmask 255.255.0.0 \
>   config name-server 10.0.0.1 \
>   tag "$name-$id" 
> 
> # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.
> 
> 
> #
> # Generate certificates
> #
> 
> pkg_add zip
> 
> ikectl ca vpn create
> ikectl ca vpn install
> 
> # CN should be same as srcid in iked.conf
> ikectl ca vpn certificate vpn.company.com create
> ikectl ca vpn certificate vpn.company.com install
> 
> # CN should be same as client ip address
> ikectl ca vpn certificate 10.0.2.100 create
> ikectl ca vpn certificate 10.0.2.100 export
> 
> 
> #
> # Windows config
> #
> 
> - VPN device
>- General tab
>   - Server: vpn.company.com
>- Security tab
>   - VPN type: IKEv2
>   - Authentication: Use machine certificates
> 
> - Certs install
>- ca.crt --> Certificates (Local Computer)/Trusted Root Certification 
> Authorities/Certificates
>- 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
> 
> 
> #
> # iked log
> #
> 
> doas iked -dvv
> create_ike: using signature for peer 
> ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 
> 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
> ikesa enc aes-256,aes-192,aes-128,3des prf 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
> childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc 
> aes-256,aes-192,aes-128 auth 
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid 
> vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config 
> address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
> /etc/iked.conf: loaded 2 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1192
> ca_pubkey_serialize: type RSA_KEY length 270
> config_new_user: inserting new user windows
> user "windows" "password"
> config_getpolicy: received policy
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> config_getpfkey: received pfkey fd 3
> ca_getkey: received private key type RSA_KEY length 1192
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file 10.0.0.1.crt
> ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information 
> Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer 
> mismatch
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> 
> policy_lookup: setting policy 'vpn-eap'
> 

xwd - BadColor (invalid Colormap parameter)

2021-01-13 Thread Jan Stary
This is current/amd64, making a screenshot with

xwd > file.xwd

X Error of failed request:  BadColor (invalid Colormap parameter)
  Major opcode of failed request:  91 (X_QueryColors)
  Resource id in failed request:  0x0
  Serial number of failed request:  114
  Current serial number in output stream:  114

That's a window dump of chrome.
A window dump of xterm or mupdf works just fine.

I am not sure where the error is.
Does chrome use some Colormap that xwd cannot cope with?
Does it make a difference to xwd which window it is dumping?

Jan




IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
Hi,

I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with 
macOS without issue. Changing to EAP MSCHAP for use with Windows results in the 
following error:

"The network connection between your computer and the VPN server could not be 
established because the remote server is not responding. The could be because 
one of the network devices (e.g. firewalls, NAT, routers, etc.) between your 
computer and the remote server is not configured to allow VPN connections."

I’ve worked through many examples online, but I’m not sure what's the next step 
to troubleshoot this?

Thanks!



# uname -rsv
OpenBSD 6.8 GENERIC.MP#2


#
# iked.conf
#

ikev2 "vpn-psk" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn.company.com \
eap "mschap-v2" \
config address 10.0.2.0/24 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "$name-$id" 

# Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.


#
# Generate certificates
#

pkg_add zip

ikectl ca vpn create
ikectl ca vpn install

# CN should be same as srcid in iked.conf
ikectl ca vpn certificate vpn.company.com create
ikectl ca vpn certificate vpn.company.com install

# CN should be same as client ip address
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export


#
# Windows config
#

- VPN device
   - General tab
  - Server: vpn.company.com
   - Security tab
  - VPN type: IKEv2
  - Authentication: Use machine certificates

- Certs install
   - ca.crt --> Certificates (Local Computer)/Trusted Root Certification 
Authorities/Certificates
   - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates


#
# iked log
#

doas iked -dvv
create_ike: using signature for peer 
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 
23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc 
aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid 
vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 
10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpfkey: received pfkey fd 3
ca_getkey: received private key type RSA_KEY length 1192
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 local 
23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x
ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 624 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id