Re: unwind problems e.g. validation failure ... while building chain of trust

2022-02-19 Thread Otto Moerbeek 
On Sat, Feb 19, 2022 at 07:35:43PM +0100, Why 42? The lists account. wrote:

> 
> Hi All,
> 
> I thought I would try running unwind on my desktop at home. Reading the
> manual page, it doesn't seem to require any specific configuration, so I
> started it via rcctl and everything seemed to work as expected e.g. it
> found the address of my router/DHCP server, resolv.conf was updated and
> DNS queries worked:
> > mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind
> > unwind(ok)
> 
> > mjoelnir:/etc 19.02 18:21:18 # unwindctl status
> > 1. recursorvalidating,   N/A   3. stub resolving,   N/A
> > 2. autoconfvalidating,   N/A   4. oDoT-autoconf dead,   N/A
> > 
> >   histograms: lifetime[ms], decaying[ms]
> >  <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000
> >  >
> >   rec  0 0 0 0 0 0 0 0 0 0 0
> >  0
> >0 0 0 0 0 0 0 0 0 0 0
> >  0
> >  auto  0 0 0 0 0 0 0 0 0 0 0
> >  0
> >0 0 0 0 0 0 0 0 0 0 0
> >  0
> >  stub  0 0 0 0 0 0 0 0 0 0 0
> >  0
> >0 0 0 0 0 0 0 0 0 0 0
> >  0
> > auto*  0 0 0 0 0 0 0 0 0 0 0
> >  0
> >0 0 0 0 0 0 0 0 0 0 0
> >  0
> 
> > mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf
> > autoconfiguration forwarders:
> >   DHCP[em0]: 192.168.178.254
> 
> After some DNS queries ...
> > mjoelnir:/etc 19.02 18:33:02 # unwindctl status
> > 1. autoconfvalidating,  50ms   3. stub resolving,   Inf
> > 2. recursorvalidating, 150ms   4. oDoT-autoconf dead,   N/A
> > 
> >   histograms: lifetime[ms], decaying[ms]
> >  <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000
> >  >
> >  auto  9132025 9 514 3 1 1 0
> >  0
> >4 91215 6 3 8 2 0 0 0
> >  0
> >   rec  2 1 4 0 0 316 4 5 0 1
> >  1
> >1 0 2 0 0 210 3 3 0 0
> >  0
> >  stub  8 0 0 0 0 0 0 0 0 0 0
> >  1
> >3 0 0 0 0 0 0 0 0 0 0
> >  0
> > auto*  0 0 0 0 0 0 0 0 0 0 0
> >  0
> >0 0 0 0 0 0 0 0 0 0 0
> >  0
> 
> However, some time later (in this test a few minutes) resolving of local
> hostnames stops working and unwind begins logging messages like these:
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure 
> > : no DNSSEC records from 192.168.178.254 for DS 
> > fritz.box. while building chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure  > IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building 
> > chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure 
> > : key for validation fritz.box. is marked as 
> > invalid because of a previous validation failure  > IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while 
> > building chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure  > IN>: key for validation mjoelnir. is marked as invalid because of a 
> > previous validation failure : no DNSSEC records from 
> > 192.168.178.254 for DS mjoelnir. while building chain of trust
> > Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure 
> > : key for validation fritz.box. is marked 
> > as invalid because of a previous validation failure  > IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while 
> > building chain of trust
> > Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure 
> > : no DNSSEC records from 192.168.178.254 for DS 
> > fritz.box. while building chain of trust
> > Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure  > IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building 
> > chain of trust
> > Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure : 
> > no DNSSEC records from 192.168.178.254 for DS novena. while building chain 
> > of trust
> 
> mjoelnir is the local system, where unwind is running, and novena is
> another (linux) system on the local network. I don't know what zimagez
> is.
> 
> Further validation failure messages have what appear to be incorrectly
> concatenated names for the local system e.g.
> > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure 
> > : key for validation fritz.box. is 
> > marked as invalid because of a previous validation failure 
> > : no

unwind problems e.g. validation failure ... while building chain of trust

2022-02-19 Thread Why 42? The lists account. 


Hi All,

I thought I would try running unwind on my desktop at home. Reading the
manual page, it doesn't seem to require any specific configuration, so I
started it via rcctl and everything seemed to work as expected e.g. it
found the address of my router/DHCP server, resolv.conf was updated and
DNS queries worked:
> mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind
> unwind(ok)

> mjoelnir:/etc 19.02 18:21:18 # unwindctl status
> 1. recursorvalidating,   N/A   3. stub resolving,   N/A
> 2. autoconfvalidating,   N/A   4. oDoT-autoconf dead,   N/A
> 
>   histograms: lifetime[ms], decaying[ms]
>  <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000 >
>   rec  0 0 0 0 0 0 0 0 0 0 0 0
>0 0 0 0 0 0 0 0 0 0 0 0
>  auto  0 0 0 0 0 0 0 0 0 0 0 0
>0 0 0 0 0 0 0 0 0 0 0 0
>  stub  0 0 0 0 0 0 0 0 0 0 0 0
>0 0 0 0 0 0 0 0 0 0 0 0
> auto*  0 0 0 0 0 0 0 0 0 0 0 0
>0 0 0 0 0 0 0 0 0 0 0 0

> mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf
> autoconfiguration forwarders:
>   DHCP[em0]: 192.168.178.254

After some DNS queries ...
> mjoelnir:/etc 19.02 18:33:02 # unwindctl status
> 1. autoconfvalidating,  50ms   3. stub resolving,   Inf
> 2. recursorvalidating, 150ms   4. oDoT-autoconf dead,   N/A
> 
>   histograms: lifetime[ms], decaying[ms]
>  <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000 >
>  auto  9132025 9 514 3 1 1 0 0
>4 91215 6 3 8 2 0 0 0 0
>   rec  2 1 4 0 0 316 4 5 0 1 1
>1 0 2 0 0 210 3 3 0 0 0
>  stub  8 0 0 0 0 0 0 0 0 0 0 1
>3 0 0 0 0 0 0 0 0 0 0 0
> auto*  0 0 0 0 0 0 0 0 0 0 0 0
>0 0 0 0 0 0 0 0 0 0 0 0

However, some time later (in this test a few minutes) resolving of local
hostnames stops working and unwind begins logging messages like these:
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure 
> : no DNSSEC records from 192.168.178.254 for DS 
> fritz.box. while building chain of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure : 
> no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain 
> of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure 
> : key for validation fritz.box. is marked as 
> invalid because of a previous validation failure : 
> no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain 
> of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure : 
> key for validation mjoelnir. is marked as invalid because of a previous 
> validation failure : no DNSSEC records from 192.168.178.254 
> for DS mjoelnir. while building chain of trust
> Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure 
> : key for validation fritz.box. is marked as 
> invalid because of a previous validation failure : 
> no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain 
> of trust
> Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure 
> : no DNSSEC records from 192.168.178.254 for DS 
> fritz.box. while building chain of trust
> Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure : 
> no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain 
> of trust
> Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure : no 
> DNSSEC records from 192.168.178.254 for DS novena. while building chain of 
> trust

mjoelnir is the local system, where unwind is running, and novena is
another (linux) system on the local network. I don't know what zimagez
is.

Further validation failure messages have what appear to be incorrectly
concatenated names for the local system e.g.
> Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure 
> : key for validation fritz.box. is marked 
> as invalid because of a previous validation failure  IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building 
> chain of trust
> Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure 
> : key for validation fritz.box. is 
> marked as invalid because of a previous validation failure 
> : no DNSSEC records from 192.168.178.254 for DS 
> fritz.box. while building chain of trust

OpenBSD pppoe and Bell Fibe

2022-02-19 Thread Brodey Dover 
 Hello all,

 I've configured hostname.pppoe0 and hostname.re0 as per the pppoe manpage
 for OpenBSD (I'm running 7) and I'm unable to successfully leverage the
 Bell HomeHub 4000's pppoe passthrough. I've verified that passthrough does
 work with my Windows 7 laptop, however, I just can't get pppoe to move past
 the initialization stage.

 The PADI gets sent, but ultimately it'll timeout. After adjusting to the
 second config in the man page where mut1508 is set to the physical device,
 things get a bit better but only after I manually invoke sh
 /etc/netstartbecause it seems after bootup there are only two PADI
 retries.

 Anyway, enabling debug and starting up netstart I will see

 pppoe0: ipcp input(starting):

Re: IPSec fails with NO_PROPOSAL_CHOSEN when connecting from recent MacOS/iOS clients

2022-02-19 Thread Dmitry Petrakoff 

Hi fix...@gmail.com.

I use this set of parameters for l2tp+IPSec. It works fine both with 
Windows and Apple ( includng iOS15 and OSX 12 )


Hope it'll help you.

ike passive esp transport proto udp from 100.88.99.100 to any port 1701 \
    main auth hmac-sha1 enc aes-256 group modp2048 \
    quick auth hmac-sha1 enc aes \
    psk ""

Regards.

On 19.02.22 00:55, fix...@gmail.com wrote:

On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote...

On Fri, Feb 18, 2022 at 11:43 AM I wrote:

ike passive esp transport proto udp from $public_ip to any \
   main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
   quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
   psk "THIS_IS_MY_IPSEC_PASSPHRASE"

ike passive esp transport proto udp from $public_ip to any \
  main auth "hmac-md5" enc "3des" group "modp1024" \
  quick auth "hmac-md5" enc "3des" group "modp1024" \
   psk "THIS_IS_MY_IPSEC_PASSPHRASE"

With isakmpd and ipsec.conf you can't have two proposals for the default
("to any") peer with different PFS groups, you will have to choose one
or the other. As-is the second will overwrite the first config block.
(Use ipsecctl -v to see the commands sent by ipsecctl to isakmpd;
it generates what are basically isakmpd.conf style config blocks and
sends them over the control socket).

It still fails even with one block, but this is good to know. Thanks.


You will save yourself a lot of trouble if you can move the newer machines
to IKEv2 .. (It would not be possible to run both isakmpd and iked on a
single OpenBSD machine though). Or alternatively wireguard or openvpn
(which _can_ coexist with IKEv1) though IKEv2 generally has a simpler
client config.

I'm not opposed to this and I've tried, but even now it still gives me
proposal errors from both iOS and MacOS

Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65:
ikev2_add_error: NO_PROPOSAL_CHOSEN
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: send
IKE_SA_INIT res 0 peer 100.64.10.10:57904 local 203.0.113.1:500, 36
bytes


--
Mit Freundliche Gruesse
Dimon
tel: +4158 1000428
mobile: +4178 7299592