softraid after install
I am trying to install OpenBSD on a box without a CD-ROM. After I perform the install, it will only boot with the CD-ROM attached. It doesn't have to have the CD, just as long as the IDE CD-ROM is seen. I have gone into UKC and disabled softraid, and during boot-up it states softraid is disabled, then looks for a boot device. Any help would be appreciated. Regards, Chris
Re: isakmpd will not initiate connection to Cisco ASA
Looks like they are sending a delete. I guess I will delete and recreate this tunnel.

isakmpd: Peer 1.1.1.1 made us delete live SA for proto 1, initiator id: 1.1.1.1, responder id: 2.2.2.2

On Tue, Nov 17, 2009 at 10:37 AM, Christoph Leser wrote:
> Are you sure that obsd does not try to initiate the connection at least once?
>
> I have noticed the following problem with cisco:
>
> Some Cisco models delete the security association after an inactivity timeout, they call it "Cisco IPSec Security Association Idle Timers".
>
> When this happens, OpenBSD drops the information for this tunnel and is unable to recreate it. Cisco keeps the information and can reestablish the connection when someone pings or otherwise addresses the remote end.
>
> I had a short conversation about this with Hans-Jörg Höxer, but cannot say whether this behaviour is desired or considered a bug.
>
> I would try to delete the tunnel completely and configure it again while running tcpdump on the external interface (or enable isakmpd packet capture, see the -L switch of isakmpd).
>
> This will at least answer the question whether OpenBSD attempts to establish the connection when the tunnel is defined for the first time.
>
> Regards
>
> Christoph
>
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris Bullock
> > Sent: Tuesday, 17 November 2009 15:45
> > To: misc@openbsd.org
> > Subject: isakmpd will not initiate connection to Cisco ASA
> >
> > We have many tunnels and for some reason I just set up a tunnel with a Cisco ASA and we cannot initiate the connection from the OpenBSD side. If the Cisco side pings a device on the OpenBSD side the tunnel comes up. On the Cisco side they have bidirectional enabled, and they are not seeing the OpenBSD try to initiate the tunnel. Any help would be appreciated, Regards, Chris Bullock
isakmpd will not initiate connection to Cisco ASA
We have many tunnels and for some reason I just set up a tunnel with a Cisco ASA and we cannot initiate the connection from the OpenBSD side. If the Cisco side pings a device on the OpenBSD side the tunnel comes up. On the Cisco side they have bidirectional enabled, and they are not seeing the OpenBSD try to initiate the tunnel. Any help would be appreciated, Regards, Chris Bullock
NAT and like networks
I have a problem and hopefully someone will have a solution. I have a pf firewall with multiple NICs. Inside interface em0 has an IP address of 10.1.1.1/24 and outside interface dc3 has an IP address of 10.1.2.1/24. Problem is that the outside site has a network with the same scheme as one of the inside networks. What I have tried to do is NAT the traffic from the outside network destined to the inside network to the IP address of the outside interface like this. Both sites have a 10.1.3.1/24 network, but the remote site's 10.1.3.1/24 needs to access the local site's 10.1.1.1/29 devices, but the firewall thinks that 10.1.3.1/24 is local.

nat on dc3 from 10.1.3.1/24 to 10.1.1.1/29 -> 10.1.2.1

It appears that it isn't even trying to NAT. Bad drawing of what I want to do. My Site
Re: multi port ethernet card
I need 100mb interfaces. I will probably go in a low end server class machine.

On Fri, Feb 1, 2008 at 12:29 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008/02/01 12:21, Chris Bullock wrote:
> > I need a recommendation for a quad port nic to put in my router/firewall.
> > What is the recommendation?
>
> What speed?
> What bus?
> How much do you want to pay?
multi port ethernet card
I need a recommendation for a quad port nic to put in my router/firewall. What is the recommendation?
Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA
Some say that isakmpd is resource intensive. What is the recommended hardware for a 5mb full duplex optical Internet connection that is doing nothing but VPN? Regards, Chris

On 11/4/07, Chris Bullock <[EMAIL PROTECTED]> wrote:
>
> We have been using OpenBSD my entire IT career, 5 1/2 years, I like the way it's easy to roll out, configure and the cost the most.
>
> I would like an honest opinion of the group. We have customers that maintain their own firewalls and VPNs and it appears to us that those sites seem to transmit data quicker than the sites that we maintain with OpenBSD firewalls and VPNs, assuming identical bandwidth. We have an OpenBSD VPN/firewall at our main site, so realistically, all of our data does transpose OpenBSD before it ultimately hits our network.
>
> My question is should I consider non-OpenBSD solutions, ie Cisco devs, or should I attempt to tweak my existing boxes?
> Regards,
> Chris
OpenBSD isakmpd and pf vs Cisco PIX or ASA
We have been using OpenBSD my entire IT career, 5 1/2 years, I like the way it's easy to roll out, configure and the cost the most. I would like an honest opinion of the group. We have customers that maintain their own firewalls and VPNs and it appears to us that those sites seem to transmit data quicker than the sites that we maintain with OpenBSD firewalls and VPNs, assuming identical bandwidth. We have an OpenBSD VPN/firewall at our main site, so realistically, all of our data does transpose OpenBSD before it ultimately hits our network. My question is should I consider non-OpenBSD solutions, ie Cisco devs, or should I attempt to tweak my existing boxes? Regards, Chris
creating a vpn tunnel to all
Background: We are using Metro Ethernet to connect several sites to our main office. In order to save money the telco has a couple of sites riding the same vlan coming into us. One of these sites is one of our remote offices and the other is a competing office. Problem: Since we are on the vlan there is no way I can route without the possibility of someone running a sniffer and sniffing my packets, so my goal is I want all my traffic from my remote office to come through my main office, even Internet. To map this tunnel using isakmpd, would I just create a tunnel to 0.0.0.0? Regards, Chris
ipsecctl giving error on syntax
We have been using isakmpd for VPN since about version 3.4. We currently wanted to start using the ipsecctl utility. When we try to check the contents of our working isakmpd.conf file it gives us a syntax error.

[EMAIL PROTECTED] :/home/cgb]$ sudo ipsecctl -vnf /etc/isakmpd/isakmpd.conf
Password:
Your mind just hasn't been the same since the electro-shock, has it?
Password:
/etc/isakmpd/isakmpd.conf: 0: syntax error
/etc/isakmpd/isakmpd.conf: 0: syntax error
/etc/isakmpd/isakmpd.conf: 0: syntax error
[... the identical line is repeated roughly 45 times ...]
ipsecctl: Syntax error in config file: ipsec rules not loaded
[EMAIL PROTECTED] :/home/cgb]$

but:

[EMAIL PROTECTED] :/home/cgb]$ sudo ipsecctl -s all
FLOWS:
flow esp in from 192.168.111.0/24 to 172.24.0.0/24 peer xxx.xxx.xxx.xxx
flow esp out from 172.24.0.0/24 to 192.168.111.0/24 peer xxx.xxx.xxx.xxx

regards, Chris
using queues to limit bandwidth
Can queues be used to queue overall bandwidth? We have a project where we will be sharing an Internet connection with another company, we will have an IP and they will have an IP, each company providing their own firewall. I understand that queuing is able to queue based on protocol, etc. on the same box, but let's say there is a T1 shared between the companies. The company tells us, you can have one of our IP addresses but you can only use 100k of our bandwidth, can pf do this? I guess this is more bandwidth throttling more so than queuing. TIA, Chris
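A pf.conf fragment showing how a whole-link cap of the kind asked about above can be expressed with the altq syntax pf used in this era (before OpenBSD 5.5 replaced altq with the newer queue syntax). This is an added example, not part of the original post or a reply to it; it assumes dc3 is the outside interface on the shared link, em0 is the inside interface, and the agreed cap is 100 Kbit/s in each direction.

```conf
# Added illustration, not from the original thread. Assumptions: dc3 = outside
# interface on the shared link, em0 = inside interface, cap = 100 Kbit/s.

# altq only shapes traffic *leaving* an interface, so traffic toward the
# Internet is capped where it leaves the firewall: on dc3.
altq on dc3 cbq bandwidth 100Kb queue { out_std }
queue out_std bandwidth 100Kb cbq(default)

# Traffic arriving from the Internet cannot be shaped on dc3 (it has already
# been received); it is capped where it leaves the firewall toward the LAN, on
# em0. This is a soft limit: excess packets are dropped after they have used
# the shared link, and the cap only holds because TCP senders back off.
altq on em0 cbq bandwidth 100Kb queue { in_std }
queue in_std bandwidth 100Kb cbq(default)

# Assign the traffic to the queues. cbq(default) already catches anything
# that matches no explicit "queue" keyword on that interface.
pass out on dc3 keep state queue out_std
pass out on em0 keep state queue in_std
```

The other company's firewall still sees the same physical link, so this cap is enforced by your own box only; nothing in pf can stop the neighbour from exceeding their share, which is why the inbound side is best treated as advisory.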