Re: unwind problems e.g. validation failure ... while building chain of trust
On Sat, Feb 19, 2022 at 07:35:43PM +0100, Why 42? The lists account. wrote: > > Hi All, > > I thought I would try running unwind on my desktop at home. Reading the > manual page, it doesn't seem to require any specific configuration, so I > started it via rcctl and everything seemed to work as expected e.g. it > found the address of my router/DHCP server, resolv.conf was updated and > DNS queries worked: > > mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind > > unwind(ok) > > > mjoelnir:/etc 19.02 18:21:18 # unwindctl status > > 1. recursorvalidating, N/A 3. stub resolving, N/A > > 2. autoconfvalidating, N/A 4. oDoT-autoconf dead, N/A > > > > histograms: lifetime[ms], decaying[ms] > > <10 <20 <40 <60 <80 <100 <200 <400 <600 <800 <1000 > > > > > rec 0 0 0 0 0 0 0 0 0 0 0 > > 0 > >0 0 0 0 0 0 0 0 0 0 0 > > 0 > > auto 0 0 0 0 0 0 0 0 0 0 0 > > 0 > >0 0 0 0 0 0 0 0 0 0 0 > > 0 > > stub 0 0 0 0 0 0 0 0 0 0 0 > > 0 > >0 0 0 0 0 0 0 0 0 0 0 > > 0 > > auto* 0 0 0 0 0 0 0 0 0 0 0 > > 0 > >0 0 0 0 0 0 0 0 0 0 0 > > 0 > > > mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf > > autoconfiguration forwarders: > > DHCP[em0]: 192.168.178.254 > > After some DNS queries ... > > mjoelnir:/etc 19.02 18:33:02 # unwindctl status > > 1. autoconfvalidating, 50ms 3. stub resolving, Inf > > 2. recursorvalidating, 150ms 4. oDoT-autoconf dead, N/A > > > > histograms: lifetime[ms], decaying[ms] > > <10 <20 <40 <60 <80 <100 <200 <400 <600 <800 <1000 > > > > > auto 9132025 9 514 3 1 1 0 > > 0 > >4 91215 6 3 8 2 0 0 0 > > 0 > > rec 2 1 4 0 0 316 4 5 0 1 > > 1 > >1 0 2 0 0 210 3 3 0 0 > > 0 > > stub 8 0 0 0 0 0 0 0 0 0 0 > > 1 > >3 0 0 0 0 0 0 0 0 0 0 > > 0 > > auto* 0 0 0 0 0 0 0 0 0 0 0 > > 0 > >0 0 0 0 0 0 0 0 0 0 0 > > 0 > > However, some time later (in this test a few minutes) resolving of local > hostnames stops working and unwind begins logging messages like these: > > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > > : no DNSSEC records from 192.168.178.254 for DS > > fritz.box. while building chain of trust > > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building > > chain of trust > > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > > : key for validation fritz.box. is marked as > > invalid because of a previous validation failure > IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while > > building chain of trust > > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > IN>: key for validation mjoelnir. is marked as invalid because of a > > previous validation failure : no DNSSEC records from > > 192.168.178.254 for DS mjoelnir. while building chain of trust > > Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure > > : key for validation fritz.box. is marked > > as invalid because of a previous validation failure > IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while > > building chain of trust > > Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure > > : no DNSSEC records from 192.168.178.254 for DS > > fritz.box. while building chain of trust > > Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure > IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building > > chain of trust > > Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure : > > no DNSSEC records from 192.168.178.254 for DS novena. while building chain > > of trust > > mjoelnir is the local system, where unwind is running, and novena is > another (linux) system on the local network. I don't know what zimagez > is. > > Further validation failure messages have what appear to be incorrectly > concatenated names for the local system e.g. > > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure > > : key for validation fritz.box. is > > marked as invalid because of a previous validation failure > > : no
unwind problems e.g. validation failure ... while building chain of trust
Hi All, I thought I would try running unwind on my desktop at home. Reading the manual page, it doesn't seem to require any specific configuration, so I started it via rcctl and everything seemed to work as expected e.g. it found the address of my router/DHCP server, resolv.conf was updated and DNS queries worked: > mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind > unwind(ok) > mjoelnir:/etc 19.02 18:21:18 # unwindctl status > 1. recursorvalidating, N/A 3. stub resolving, N/A > 2. autoconfvalidating, N/A 4. oDoT-autoconf dead, N/A > > histograms: lifetime[ms], decaying[ms] > <10 <20 <40 <60 <80 <100 <200 <400 <600 <800 <1000 > > rec 0 0 0 0 0 0 0 0 0 0 0 0 >0 0 0 0 0 0 0 0 0 0 0 0 > auto 0 0 0 0 0 0 0 0 0 0 0 0 >0 0 0 0 0 0 0 0 0 0 0 0 > stub 0 0 0 0 0 0 0 0 0 0 0 0 >0 0 0 0 0 0 0 0 0 0 0 0 > auto* 0 0 0 0 0 0 0 0 0 0 0 0 >0 0 0 0 0 0 0 0 0 0 0 0 > mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf > autoconfiguration forwarders: > DHCP[em0]: 192.168.178.254 After some DNS queries ... > mjoelnir:/etc 19.02 18:33:02 # unwindctl status > 1. autoconfvalidating, 50ms 3. stub resolving, Inf > 2. recursorvalidating, 150ms 4. oDoT-autoconf dead, N/A > > histograms: lifetime[ms], decaying[ms] > <10 <20 <40 <60 <80 <100 <200 <400 <600 <800 <1000 > > auto 9132025 9 514 3 1 1 0 0 >4 91215 6 3 8 2 0 0 0 0 > rec 2 1 4 0 0 316 4 5 0 1 1 >1 0 2 0 0 210 3 3 0 0 0 > stub 8 0 0 0 0 0 0 0 0 0 0 1 >3 0 0 0 0 0 0 0 0 0 0 0 > auto* 0 0 0 0 0 0 0 0 0 0 0 0 >0 0 0 0 0 0 0 0 0 0 0 0 However, some time later (in this test a few minutes) resolving of local hostnames stops working and unwind begins logging messages like these: > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > : no DNSSEC records from 192.168.178.254 for DS > fritz.box. while building chain of trust > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure : > no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain > of trust > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure > : key for validation fritz.box. is marked as > invalid because of a previous validation failure : > no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain > of trust > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure : > key for validation mjoelnir. is marked as invalid because of a previous > validation failure : no DNSSEC records from 192.168.178.254 > for DS mjoelnir. while building chain of trust > Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure > : key for validation fritz.box. is marked as > invalid because of a previous validation failure : > no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain > of trust > Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure > : no DNSSEC records from 192.168.178.254 for DS > fritz.box. while building chain of trust > Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure : > no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain > of trust > Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure : no > DNSSEC records from 192.168.178.254 for DS novena. while building chain of > trust mjoelnir is the local system, where unwind is running, and novena is another (linux) system on the local network. I don't know what zimagez is. Further validation failure messages have what appear to be incorrectly concatenated names for the local system e.g. > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure > : key for validation fritz.box. is marked > as invalid because of a previous validation failure IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building > chain of trust > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure > : key for validation fritz.box. is > marked as invalid because of a previous validation failure > : no DNSSEC records from 192.168.178.254 for DS > fritz.box. while building chain of trust
OpenBSD pppoe and Bell Fibe
Hello all, I've configured hostname.pppoe0 and hostname.re0 as per the pppoe manpage for OpenBSD (I'm running 7) and I'm unable to successfully leverage the Bell HomeHub 4000's pppoe passthrough. I've verified that passthrough does work with my Windows 7 laptop, however, I just can't get pppoe to move past the initialization stage. The PADI gets sent, but ultimately it'll timeout. After adjusting to the second config in the man page where mut1508 is set to the physical device, things get a bit better but only after I manually invoke sh /etc/netstartbecause it seems after bootup there are only two PADI retries. Anyway, enabling debug and starting up netstart I will see pppoe0: ipcp input(starting):
Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients
Hi fix...@gmail.com. I use this set of parameters for l2tp+IPSec. It works fine both with Windows and Apple ( includng iOS15 and OSX 12 ) Hope it'll help you. ike passive esp transport proto udp from 100.88.99.100 to any port 1701 \ main auth hmac-sha1 enc aes-256 group modp2048 \ quick auth hmac-sha1 enc aes \ psk "" Regards. On 19.02.22 00:55, fix...@gmail.com wrote: On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote... On Fri, Feb 18, 2022 at 11:43 AM I wrote: ike passive esp transport proto udp from $public_ip to any \ main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \ quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \ psk "THIS_IS_MY_IPSEC_PASSPHRASE" ike passive esp transport proto udp from $public_ip to any \ main auth "hmac-md5" enc "3des" group "modp1024" \ quick auth "hmac-md5" enc "3des" group "modp1024" \ psk "THIS_IS_MY_IPSEC_PASSPHRASE" With isakmpd and ipsec.conf you can't have two proposals for the default ("to any") peer with different PFS groups, you will have to choose one or the other. As-is the second will overwrite the first config block. (Use ipsecctl -v to see the commands sent by ipsecctl to isakmpd; it generates what are basically isakmpd.conf style config blocks and sends them over the control socket). It still fails even with one block, but this is good to know. Thanks. You will save yourself a lot of trouble if you can move the newer machines to IKEv2 .. (It would not be possible to run both isakmpd and iked on a single OpenBSD machine though). Or alternatively wireguard or openvpn (which _can_ coexist with IKEv1) though IKEv2 generally has a simpler client config. I'm not opposed to this and I've tried, but even now it still gives me proposal errors from both iOS and MacOS Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024 Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_add_error: NO_PROPOSAL_CHOSEN Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: send IKE_SA_INIT res 0 peer 100.64.10.10:57904 local 203.0.113.1:500, 36 bytes -- Mit Freundliche Gruesse Dimon tel: +4158 1000428 mobile: +4178 7299592