Re: Performance: OpenVPN vs IPsec
Hello Michael,

Wednesday, May 9, 2007, 7:51:35 AM, you wrote:

M> Now, as I understand it, it isn't possible to create an IPsec connection
M> from a single host within a NATed network to an external server ...

From my experience - in most cases it works (with some limitations). Our employees are using IPSec VPN to work from home, and some of them are behind home network routers. We are also doing a lot of IPSec from the company's network (behind an OpenBSD firewall/NAT) to customers' gateways (using various clients).

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: load balance and redundancy 2 ISP's
Hello Kintaro,

Friday, May 4, 2007, 12:03:22 PM, you wrote:

ko> I'm setting up a firewall/PF/NAT box for a company. We subscribe 2 E1's
ko> for our internet for redundancy. So basically what I want is to load
ko> balance these 2 E1 internet links and also have redundancy if one
ko> ISP goes down. I read up in Google and I see a syntax about
ko> round-robin. Could anyone give me advice on how to set up load
ko> balancing and redundancy?

We've tried round-robin and it just didn't work for us. Problems start with connections that use more than one port/protocol simultaneously. ftp is the first example (and enough for us), but vpn could be another (didn't test it this way). There is a big chance that control and data connections will be routed to different gateway ports (external IPs), and servers usually don't allow it.

Could start looking for a work-around, but complicated is usually unreliable, so we've ended up with a dumb (but effective) solution. Based on statistics we had collected before, we've split traffic based on the source IP by creating several static routes. Redundancy is provided by a simple script every 3 minutes sending simple http requests to 10 big web sites from both gateway ports (ping is easier, but sometimes might not get through for different reasons) and deleting/adding routes depending on the result.

I've read that multiple default routes are allowed in 4.1. Will do more research about it.

ko> I've also read about OpenBGP but can't understand how it works. I can't
ko> picture out how to implement OpenBGP.

It's true balancing, then routers all over the world know that you could be reached through different directions (ISPs). Your ISPs should support it and you'll probably have to pay for it to both ISPs.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
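One way to script the check described in the reply above, as an added example that is not the poster's script: it assumes OpenBSD route(8) and ftp(1), uses placeholder gateway, probe-site and internal-network addresses, pins each probe target through the gateway under test with a temporary host route, counts the sites that answer an HTTP request, and repoints the source-split routes when a gateway drops below the threshold.

```shell
#!/bin/sh
# Added example, not the poster's script: probe both gateways and repoint
# the source-split routes. GW1/GW2, SITES and NETS_* are placeholders;
# use addresses in SITES, since route(8) and ftp(1) each resolve names.
GW1=203.0.113.1    # ISP 1 gateway (placeholder)
GW2=198.51.100.1   # ISP 2 gateway (placeholder)
SITES="192.0.2.10 192.0.2.20 192.0.2.30"   # probe targets (placeholders)
THRESHOLD=2        # sites that must answer before a gateway counts as up
NETS_GW1="10.0.1.0/24"   # internal nets normally sent via GW1
NETS_GW2="10.0.2.0/24"   # internal nets normally sent via GW2

# probe HOST GW: pin HOST to GW with a temporary host route and fetch its
# front page (an HTTP request rather than a ping, as in the post).
probe() {
    route -n add -host "$1" "$2" >/dev/null 2>&1
    ftp -w 5 -o /dev/null "http://$1/" >/dev/null 2>&1; rc=$?
    route -n delete -host "$1" >/dev/null 2>&1
    return $rc
}
# healthy GW: succeed when at least THRESHOLD sites answer through GW.
healthy() {
    ok=0
    for s in $SITES; do probe "$s" "$1" && ok=$((ok + 1)); done
    [ "$ok" -ge "$THRESHOLD" ]
}

# choose UP_A UP_B GW_A GW_B: gateway for a route set, from healthy's exit
# status for its preferred (A) and fallback (B) gateway; both down keeps A.
choose() {
    if [ "$1" -eq 0 ]; then echo "$3"; elif [ "$2" -eq 0 ]; then echo "$4"
    else echo "$3"; fi
}

# point_nets NETS GW: repoint each network route at GW (add if missing).
point_nets() {
    for n in $1; do
        route -n change -net "$n" "$2" >/dev/null 2>&1 ||
            route -n add -net "$n" "$2" >/dev/null 2>&1
    done
}

main() {
    healthy "$GW1"; up1=$?
    healthy "$GW2"; up2=$?
    point_nets "$NETS_GW1" "$(choose "$up1" "$up2" "$GW1" "$GW2")"
    point_nets "$NETS_GW2" "$(choose "$up2" "$up1" "$GW2" "$GW1")"
}
# from cron every 3 minutes:  */3 * * * * /usr/local/sbin/gwcheck.sh run
if [ "${1:-}" = run ]; then main; fi
```

Because each probe travels over a temporary host route, the check works without pf route-to rules, and the ftp -w timeout keeps a dead link from stalling the script.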
Re: : : HP ProLiant DL140 G3 problems
Hello Raimo,

Wednesday, May 2, 2007, 9:52:40 AM, you wrote:

RN> Sorry, I can't make it work. For a DL140 G3 (or rather now a DL145 G3).
RN> I remember seeing something like that on a DL380, though.
RN> telnet machine gives a weird prompt /./ that has no help and only
RN> responds with command errors. There is also a HTTP server running
RN> at the address. But not ssh.

RN> On Sat, Apr 28, 2007 at 10:46:45PM -0400, Steve Shockley wrote:
RN>> Darth Lists wrote:
RN>>> Honestly, it blows big-time compared to a real serial console since it
RN>>> has a more or less useless scroll-back buffer.
RN>> You can ssh in to the ILO IP address and get console redirection. You can
RN>> even redirect the serial console to the ILO ssh after POST if you want.

I believe you need at least an iLO Select license to activate ssh and ssl, and DL100/DL300 are coming by default with just iLO Standard.

BTW, why don't you call HP and ask them these questions?

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: SSHJail patch for OpenBSD
Hello Rico,

Friday, April 27, 2007, 2:25:59 PM, you wrote:

> I don't know if it is a good idea or not, but I read about this patch
> yesterday and at first, I was pretty excited. I have been handed the
> requirement to move an FTP server to something more secure. All the other
> requirements that have been given to me for this have very strongly pointed
> right to SSH/SFTP. However, I have yet to figure out how to chroot users
> into their home folders with SFTP and that is unfortunately what the boss
> wants. If someone knows how to do this without patches like these please
> let me know. Otherwise, I will have to keep looking. I certainly know
> enough from lurking on this list to know that if there are this many
> people on the list opposed to something there has got to be something
> wrong with it and I don't want it. No patch for me please!

We are using chrootssh.sourceforge.net for our production ftp/sftp server. For additional security we set the sftp users' shell to /usr/libexec/openssh/sftp-server. I consider that patch semi-official. But it sounds like you don't want *any* patches.

You can use a commercial ssh - they have a chroot feature (similar to chrootssh).

You can also use ftp over ssh2 (we also use it). ssh does encryption and authentication, ftp - speed (it's faster than sftp) and chroot. You'll just need to set up ssh to listen out and ftp - on the localhost only. The downside is that I haven't heard about a free client supporting it. But if you can afford to buy something like www.vandyke.com/products/securefx/index.html for every user (or force them to buy it) - this solution is for you.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: bio not working on dl380 g4 with newer ciss fw
Hello Kalle,

BM> Two logical drives. Not sure about the firmware version, but the
BM> more than one logical drive issue is in the caveats section of
BM> ciss(4).

I've asked about that caveat in ciss recently, but no one really answered. Tried even to e-mail directly to [EMAIL PROTECTED] - no reply.

I'm planning to get an HP server myself. Could you give me some additional information about your configuration and problem? What model of Smart Array are you using? Do you have any problem with these two logical drives besides bioctl not working properly? Is the lack of bio support causing any real problem in your case?

Sorry for trying to kind of benefit from your problem, but answers will be really appreciated.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: isakmpd gateway-to-gateway VPN woes...
Hello Jack,

Thursday, March 22, 2007, 6:49:14 PM, you wrote:

JB> ... having some trouble getting a LAN-to-LAN VPN working ...

JB>                10.0.0.2/24 --- 10.0.0.1/24
JB>      L1            F1              F2            L2
JB> 10.4.14.1 --- 10.4.12.1/22    10.2.12.1/22 --- 10.2.14.1

JB> L1,L2 - laptops
JB> F1,F2 - Soekris net4801 firewalls

JB> What works:
JB> L1-F1 lan communication
JB> L2-F2 lan communication
JB> F1-F2 lan communication
JB> F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and
JB> seeing only esp packets in tcpdump)

JB> What doesn't work:
JB> F1-L2 gateway'd VPN
JB> F2-L1 gateway'd VPN
JB> L1-L2 gateway-to-gateway'd VPN

Sorry if I miss something, but I don't see you trying to test the Network-to-Network VPN you are talking about. Does it work from an internal computer in one network to an internal computer in another?

Gateway-to-Gateway doesn't (and shouldn't, I think) work out of the box with the Network-to-Network VPN. Adding manual routes helped me to solve it. Something like

    route add 10.2.12.0/22 10.4.14.1

on the F1 and

    route add 10.4.12.0/22 10.2.14.1

on the F2. Your numbers are a bit confusing, but it's a route add network_on_the_other_side gateways_internal_interface.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: HP SA P400/P800 ciss support and caveats
Hello Joel,

Friday, March 23, 2007, 11:16:20 AM, you wrote:

>> We are looking to buy an HP ProLiant DL320s server with about 5-8
>> terabytes of storage and Smart Array P400 or P800 for backup purposes.
>> According to www.openbsd.org/cgi-bin/man.cgi?query=ciss&arch=i386&sektion=4
>> it should be supported in -current, but the current code only supports
>> one logical volume per controller. This scared me because according to
>> the FAQ there is a 1T limit on the size of the physical disk, but I need
>> to utilize much more. What does logical volume mean here - RAID set or
>> LUN ? In other words, is there any way to use that storage with OBSD ?

JK> The FAQ is referring to a RAID volume.
JK> You should search the archives for discussion of the 1TB limit.

Again, what is a RAID volume - RAID set or LUN ? Can I have 10 LUNs (for example) and see them as separate devices (like sd0, sd1, sd2, etc) ? Then I won't need to worry about a terabyte limit.

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
HP SA P400/P800 ciss support and caveats
Hello guys,

We are looking to buy an HP ProLiant DL320s server with about 5-8 terabytes of storage and Smart Array P400 or P800 for backup purposes. According to www.openbsd.org/cgi-bin/man.cgi?query=ciss&arch=i386&sektion=4 it should be supported in -current, but the current code only supports one logical volume per controller. This scared me because according to the FAQ there is a 1T limit on the size of the physical disk, but I need to utilize much more. What does logical volume mean here - RAID set or LUN ? In other words, is there any way to use that storage with OBSD ?

--
Best regards,
Boris mailto:[EMAIL PROTECTED]