OpenSSH vpn without using remote root user
Hey all,

I've been trying to see if it's possible to set up SSH-based VPNs using user accounts on the remote end. While I don't think it says anywhere explicitly that it's _not_ possible, I haven't found any references so far of people doing it successfully ;-) I've gone over the mailing list several times, I've read the ssh and tun man pages, and I've experimented with creating tun devices and changing the perms of the /dev/tun* devices to allow read+write by users. I'm yet to have any luck so far though - I get the below transcribed message.

Can anyone say definitively if this is (im)possible ?? And if it is possible, how they managed it ?

Cheers
Dave

==
debug1: Remote: Failed to open the tunnel device.
channel 1: open failed: administratively prohibited: open failed
Had a strange problem with CARP preemption
Hey all,

I've got a CARP rig running as a firewall pair, and I use preemption to make sure only one host is master of all links at any given time. However just now I saw a situation where a single carp interface had gone to BACKUP and passed across to the other host, while all other carp interfaces stayed as MASTER on the otherwise 'live' host.

The PF rulesets pass all carp as follows,

pass on {$int_if, $dmz_if, $c1_if, $c2_if} proto carp keep state

and I've read the pflog dump and there are no blocked carp packets in there. There are also no interface errors identified for the interfaces by netstat either.

Because carp doesn't log its state changes etc, I've been writing the output of ifconfig into a log file every minute, and I can see that this one interface failed over at a specific time (12:37pm for those who are interested ;-) ) which matches on both the host that became backup, and the host that took over as master.

I did notice that net.inet.ip.ifq.drops had grown a bit since the weekend, so I've upped net.inet.ip.ifq.maxlen to 1024 from its 256 default.

At the moment, both hosts share the same advskew value since I'm not particular about which is master at any given time (the less switches the better for me) with the carp interface setup as follows,

carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:1e
        carp: MASTER carpdev em1 vhid 30 advbase 3 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:11e%carp2 prefixlen 64 scopeid 0xc
        inet 172.16.2.253 netmask 0xff00 broadcast 172.16.2.255

Are there any obvious gotchas that I'm missing here ? Any known behaviours that I'm not aware of ??

Cheers
Dave
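As an added example (not from the thread), a small sh/awk script that does what the once-a-minute ifconfig log above does by hand: it reduces ifconfig(8) output to one "ifname STATE" line per carp interface and diffs two such snapshots to report failovers, which carp itself does not log. The ifconfig output it runs on is a constructed sample; the `ifconfig carp` group invocation in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). carp(4) does not log its own state
# changes, so this reduces ifconfig(8) output to "ifname STATE" per carp
# interface and diffs two snapshots to report failovers. The ifconfig
# output below is a constructed sample.

# carp_states: read ifconfig output on stdin, print "ifname STATE" for every
# carp interface, sorted. Headers look like "carp2: flags=...", and the
# status line under them looks like "carp: MASTER carpdev em1 vhid 30 ...".
carp_states() {
    awk '
        /^[a-z]+[0-9]+: / { iface = $1; sub(/:$/, "", iface); next }
        /^[ \t]*carp: (MASTER|BACKUP|INIT)/ && iface != "" { print iface, $2 }
    ' | sort
}

# carp_transitions OLDFILE NEWFILE: print "ifname OLD -> NEW" for each
# interface whose state differs between the two snapshot files, and note
# interfaces that appeared or vanished. OLDFILE must be non-empty (the
# NR==FNR idiom cannot tell an empty first file from the second one).
carp_transitions() {
    awk '
        NR == FNR { old[$1] = $2; next }
        { seen[$1] = 1 }
        !($1 in old)  { printf "%s (new) -> %s\n", $1, $2; next }
        old[$1] != $2 { printf "%s %s -> %s\n", $1, old[$1], $2 }
        END { for (i in old) if (!(i in seen)) printf "%s %s -> (gone)\n", i, old[i] }
    ' "$1" "$2"
}

# Constructed sample: two carp interfaces, both MASTER on this host.
SNAP_BEFORE='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:1d
    carp: MASTER carpdev em0 vhid 29 advbase 3 advskew 0
    groups: carp
    inet 172.16.1.253 netmask 0xffffff00 broadcast 172.16.1.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:1e
    carp: MASTER carpdev em1 vhid 30 advbase 3 advskew 0
    groups: carp
    inet 172.16.2.253 netmask 0xffffff00 broadcast 172.16.2.255'

# One minute later: only carp2 (on em1) has dropped to BACKUP.
SNAP_AFTER=$(printf '%s\n' "$SNAP_BEFORE" | sed '/carpdev em1/s/MASTER/BACKUP/')

# demo: run the two snapshots through the same pipeline a cron job would use
# (assumed: "ifconfig carp | carp_states > new; carp_transitions prev new;
# mv new prev", where "carp" is the interface group name).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SNAP_BEFORE" | carp_states > "$tmp/prev"
    printf '%s\n' "$SNAP_AFTER" | carp_states > "$tmp/new"
    carp_transitions "$tmp/prev" "$tmp/new"
    rm -rf "$tmp"
}
```

Piping the transitions through logger(1) gives the timestamped failover record that the raw ifconfig log only yields after manual comparison.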
Daily insecurity report and drop priv accounts for handling automated tasks
Hi all,

I've been wondering how to deal with this particular issue for quite some time now, and I can't find any references to the right way(TM) to handle it.

I always prefer to run automated tasks as limited privilege users on my OpenBSD hosts - such as tasks that pull files across from other hosts, and other such nightly tasks. To make this work the drop priv user account needs a shell and a home dir (for SSH keys etc), and has no need for a password. However this causes the /etc/security script to generate warnings every night such as,

Login nightlysync is off but still has a valid shell and alternate access files in home directory are still readable.

The tasks that this user performs are scheduled through cron.

Is there a better way for me to be setting up these kinds of tasks so that this warning doesn't get raised ? Or is the warning spurious ?

Cheers
Dave
Re: Quad ethernet card
Henning Brauer wrote:
> * Ronnie Garcia [EMAIL PROTECTED] [2007-06-06 13:04]:
>> Henning Brauer wrote:
>>> * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
>>>> I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and was able to get a peak throughput of about 520Mbps in bridged mode (pf disabled) measured using iperf.
>>> the single-stream tcp test iperf uses is pretty meaningless (unless.. well, that's another story)
>> What other tool would you recommend, then ?
> they all suck. best simulation is recording your real-world traffic using tcpdump and then use tcpreplay. but that is tricky too.

Well if you're interested in working out a vaguely real benchmark for the throughput of your appliance I recommend you choose a type of traffic and focus on it. So perhaps that's HTTP, SMTP or some other obvious protocol. Pick a diverse corpus of files or emails to handle, then pass the traffic through the host and see how you go. If you're just looking for a big number, open a single TCP session and send a lot of traffic through it so you don't have to continually start new sessions (sessions are comparatively expensive).

Henning has something in saying that most of the tools aren't great, in the end all benchmarks are artificial in some measure. Replaying traffic is equally artificial as it's only indicative of the traffic you recorded - which is likely to be biased towards whatever was happening at the time on your LAN. When all's said and done, benchmark for the traffic you expect and work from there.

HTH
Dave
Re: Quad ethernet card
Matt Rowley wrote:
>>> best simulation is recording your real-world traffic using tcpdump and then use tcpreplay. but that is tricky too.
>> Henning has something in saying that most of the tools aren't great, in the end all benchmarks are artificial in some measure. Replaying traffic is equally artificial as it's only indicative of the traffic you recorded - which is likely to be biased towards whatever was happening at the time on your LAN.
> Also worth noting is that if you're generating traffic from a single host, you're bound by the interrupt rates that host is capable of. Generate traffic from multiple sources if you really want to gauge high load.

Definitely. My personal experience is that an e1000 tops out at about ~820-850 Mb/s of raw throughput - i.e. on a single TCP session. Other things that may get in the way of Truly Awesome Throughput (TM) include things like socket timeouts on either client or server host, and file descriptors ; note that those only come into play when you're trying to simulate a web server or the like.

However I'm not aware of any tools that handle that kind of distributed benchmark.. anyone ?
Re: OpenLDAP question
Henning Brauer wrote:
> * Dave Harrison [EMAIL PROTECTED] [2007-05-21 08:26]:
>> Henning Brauer wrote:
>>> * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
>>>> I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still uses ldbm as database backend especially since the OpenLDAP folks are stating that this is no good any more: (http://www.openldap.org/faq/data/cache/756.htm) and not bdb or hdb.
>>> because ldbm works fine, very much opposed to the other two you mention.
>> My personal experiences with ldbm were equally fine, I recommend you use it unless you are performing frequent writes, or are in need of high performance lookups. Once I started making regular writes, ldbm started to pack it in rather frequently (db corruption) so I went to bdb, however bdb takes careful tuning to get right.
> now that is funny, in the, what, 5 years? of using openldap/ldbm, i have never seen database corruption. trying to use bdb, pretty much immediately.

As I said, depends on how you're using it. After a year, as the usage grew, I found ldbm was corrupting regularly and bdb solved the problem nicely. 3 years later, bdb is still perfectly fine. Obviously the other, valid, concern is what the OpenLDAP project intends to support.

With this kind of thing I think the mantra of YMMV is probably wise.
Re: OpenLDAP question
Henning Brauer wrote:
> * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
>> I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still uses ldbm as database backend especially since the OpenLDAP folks are stating that this is no good any more: (http://www.openldap.org/faq/data/cache/756.htm) and not bdb or hdb.
> because ldbm works fine, very much opposed to the other two you mention.

My personal experiences with ldbm were equally fine, I recommend you use it unless you are performing frequent writes, or are in need of high performance lookups. Once I started making regular writes, ldbm started to pack it in rather frequently (db corruption) so I went to bdb, however bdb takes careful tuning to get right.

There also seems to be lots of noise about ldbm support becoming deprecated in the 2.4+ releases of OpenLDAP. You should review the OpenLDAP lists to research this more if that's of concern.
Re: mail dovecot: pipe() failed: Too many open files
Stefan Beke wrote:
> Hello Nico, thanks for quick reply.
>> Does dovecot actually run under this login class?
> I did modify login.conf
> # cap_mkdb /etc/login.conf
> then kill -HUP _dovecot_PID
> I hope that's enough to run it under dovecot class. How do I find out?

If you perform a `ps aux` you will see what user dovecot is running as, that's the user whose class you want to check. Then `grep username /etc/master.passwd` (I presume you can sudo) and the 5th field is the user's class.

>> What does `sysctl kern.maxfiles` say?
> $sysctl kern.maxfiles
> kern.maxfiles=1772
> It's less than my setting in login.conf, but this should be enough anyway.

You might find dovecot is not running at the user you think it is (or at least isn't in the class you think it is). As a side note I have noticed that Dovecot can be a bit fd hungry.

HTH
Dave
Re: mail dovecot: pipe() failed: Too many open files
Stefan Beke wrote:
>> If you perform a `ps aux` you will see what user dovecot is running as, that's the user whose class you want to check.
>
> [EMAIL PROTECTED] ~ $sudo ps waxu | grep dovecot
> root     26251  0.0  0.2   620   912 ??  Ss    15Jan07    0:55.12 /usr/local/sbin/dovecot
> _dovecot 13219  0.0  0.3   560  1580 ??  S      8:02AM    0:00.11 pop3-login
> _dovecot  3653  0.0  0.3   652  1584 ??  S      8:02AM    0:00.12 pop3-login
> _dovecot  9416  0.0  0.3   540  1564 ??  S      8:02AM    0:00.11 imap-login
> root     32241  0.0  0.2   592  1012 ??  S      8:02AM    0:00.09 dovecot-auth
> _dovecot 16174  0.0  0.3   576  1564 ??  S      8:12AM    0:00.11 pop3-login
> _dovecot 19555  0.0  0.3   520  1592 ??  S     10:29AM    0:00.01 imap-login
> _dovecot 13961  0.0  0.3   504  1564 ??  S     10:29AM    0:00.01 imap-login
> ico          6  0.0  0.1   448   504 p6  S+    10:30AM    0:00.00 grep dovecot
>
> [EMAIL PROTECTED] ~ $sudo lsof -p 26251 | wc -l
> 38
>
> Right now nobody is connected. I can imagine if someone connects and wants to read bigger maildir through IMAP, it can be more than default 64.

Yep, it LOVES to chew fd's :-)

> My daemon class is now on 512 files. Removed dovecot class. I'll try this for a while.

That's probably the less preferable option. The best way would be to leave the dovecot class, make sure the _dovecot user is allocated to that class (Nico's post will show you that) and then modify the limits for that class only - modifying the daemon class will affect all processes that fall into it.

Dave
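As an added example (not from the thread), the check described above, automated: resolve a user's login class from a master.passwd-style file (5th field, empty meaning the default class) and the openfiles-cur limit that class gets from a login.conf-style file, following tc= inheritance. The master.passwd and login.conf excerpts it reads are constructed samples, and the users, classes and limits in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves which login.conf(5) class a
# user belongs to and what openfiles-cur that class grants, so you can check
# that a daemon such as dovecot really runs under the class you tuned.
# The files written by make_samples are constructed for this demonstration;
# on a real host run it as root against /etc/master.passwd and /etc/login.conf.

# user_class USER PASSWDFILE: print the class (5th) field of USER's entry.
# An empty field means the "default" class, which is what login(1) applies.
user_class() {
    awk -F: -v u="$1" '$1 == u { print ($5 == "" ? "default" : $5); exit }' "$2"
}

# class_cap CLASS CAP LOGINCONF: print the value of CAP=value for CLASS,
# joining backslash-continued lines, skipping comments, honouring "a|b" name
# aliases and following tc= chains (capped at 10 hops). Exit 1 if not set.
class_cap() {
    awk -v cls="$1" -v cap="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            rec = rec $0
            if (sub(/\\$/, "", rec)) next        # entry continues on next line
            n = split(rec, f, ":")
            nn = split(f[1], names, "|")
            for (i = 1; i <= nn; i++) recs[names[i]] = rec
            rec = ""
        }
        END {
            for (hop = 0; hop < 10 && (cls in recs); hop++) {
                n = split(recs[cls], f, ":"); tc = ""
                for (i = 2; i <= n; i++) {
                    g = f[i]; gsub(/^[ \t]+|[ \t]+$/, "", g)
                    if (index(g, cap "=") == 1) { print substr(g, length(cap) + 2); exit 0 }
                    if (index(g, "tc=") == 1) tc = substr(g, 4)
                }
                if (tc == "") break
                cls = tc
            }
            exit 1
        }' "$3"
}

# user_openfiles USER PASSWDFILE LOGINCONF: the soft open-files limit the user
# ends up with. Looks for openfiles-cur anywhere in the tc= chain first, then
# falls back to openfiles (which sets both cur and max); exit 1 if neither.
user_openfiles() {
    cls=$(user_class "$1" "$2")
    [ -n "$cls" ] || return 1
    class_cap "$cls" openfiles-cur "$3" || class_cap "$cls" openfiles "$3"
}

# make_samples DIR: write the constructed master.passwd / login.conf excerpts.
# _dovecot is in class "dovecot", root in "daemon", dave has no class set.
make_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
_dovecot:*:518:518:dovecot:0:0:Dovecot Account:/var/empty:/sbin/nologin
dave:*:1000:1000::0:0:Dave:/home/dave:/bin/ksh
EOF
    cat > "$1/login.conf" <<'EOF'
# constructed excerpt: dovecot inherits from daemon, daemon from default
default:\
    :path=/usr/bin /bin /usr/local/bin:\
    :openfiles-cur=128:\
    :maxproc-cur=128:
daemon:\
    :ignorenologin:\
    :maxproc=infinity:\
    :tc=default:
dovecot:\
    :openfiles-cur=512:\
    :tc=daemon:
EOF
}

# demo: report class and effective limit for each sample user.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for u in root _dovecot dave; do
        printf '%s class=%s openfiles-cur=%s\n' "$u" \
            "$(user_class "$u" "$d/master.passwd")" \
            "$(user_openfiles "$u" "$d/master.passwd" "$d/login.conf")"
    done
    rm -rf "$d"
}
```

On a real host, compare the user reported by `ps aux` for the dovecot processes against what `user_class` returns before assuming a class change took effect.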
Python2.5 in 4.0 ports tree ?
Hey guys,

I've looked at the web front end for the cvs tree and looking in ports/lang/python/ with the filter of OPENBSD_4_0 and 2.5 seems to be in there.

http://www.openbsd.org/cgi-bin/cvsweb/ports/lang/python/?only_with_tag=OPENBSD_4_0

But when I do a `cvs checkout -rOPENBSD_4_0 ports` I don't get a 2.5 directory. Am I doing something wrong ??

Cheers
Dave
State timeouts
Hi all,

I'm looking at the set optimization policies for PF, and while it's clear that there are varying levels of aggression towards expiring state entries, I can't find exact numbers of what those levels represent. I assume they're based on a time and/or traffic metric ??

My current policy is just the default (i.e. normal), but I have one particular system that wants to do a 60-second heartbeat, which I suspect is being killed by the state expiry purges.

Is there somewhere that specifies the definition (or metric) on which the expiry occurs ?? (I can't find it in either the FAQ or the man pages for pf / pf.conf / pfctl)

Cheers
Dave
PPPoA and OpenBSD
Hi all,

I'm searching high and low for some documentation on setting up a PPPoA link (yes, it's for the UK and it's definitely PPPoA _not_ PPPoE) under OpenBSD and drawing a blank. The FAQ says that it seems to be possible, but the ppp man page doesn't seem to have any references, and all my googling is drawing a blank too.

Can anyone point me at the place where some doco on doing this is ? Is it even possible ??

Thanks for your help,
Dave
Re: PPPoA and OpenBSD
Stuart Henderson wrote:
> On 2006/04/09 17:43, Dave Harrison wrote:
>> I'm searching high and low for some documentation on setting up a PPPoA link (yes, it's for the UK and it's definitely PPPoA _not_ PPPoE) under OpenBSD
> in-tree: ueagle(4)
> otherwise: iirc there are some USB Speedtouch drivers

Is it not possible to configure in a way similar to a ppp PPPoE setup ?? I have a modem that I'm connecting to via ethernet, then it plugs into the phone line. Can I drive PPPoA with the ppp daemon ??

Dave
isakmpd and nat-t
Hi all,

I've got a machine sitting behind a NAT box, and another machine with a public IP.

X.X.X.X -- NAT Y.Y.Y.Y === Z.Z.Z.Z

I want to establish a nat-t IPsec vpn between X.X.X.X and Z.Z.Z.Z

But I'm having a problem where X.X.X.X tries to contact Z.Z.Z.Z on port 500 and never goes over to 4500. Is there a flag I'm supposed to set in the isakmpd.conf file to tell it to use NAT-T ?? Do I configure Z.Z.Z.Z to be aware of the other peer by the public IP that NAT box provides ?? or should I be using the private IP the box actually has ??

Cheers
Dave
Interface groups PF route-to
Hi all,

I've been trying to get interface groups going on a machine and have met with a possibly interesting problem. I have declared an interface to be part of a group, and that group shows up correctly if I `ifconfig foogroup` or `pfctl -s Interfaces`

I have a setup where I have one VPN come in over one ISP link, and another over a second (from different remote IPs to different local IPs). I have the following macros defined, [NB: Yes I changed the IPs]

link2_if = em0
#link2_if = MyIFGroup
link2_gw = 1.1.1.1
link2_ip1 = 1.1.1.20
remote_link0_ip1 = 200.200.200.200

To test, I comment out the 'em0' line and uncomment the IFGroup line.

I also have the following rules in place to correctly handle my VPN on that link

pass in log quick on $link2_if reply-to ($link2_if $link2_gw) \
    proto esp from $remote_link0_ip1 to $link2_ip1 keep state
pass out log quick on $link2_if route-to ($link2_if $link2_gw) \
    proto esp from $link2_ip1 to $remote_link0_ip1 keep state
pass in log on $link2_if reply-to ($link2_if $link2_gw) \
    proto udp from $remote_link0_ip1 port = isakmp to $link2_if \
    port = isakmp keep state
pass out log quick on $link2_if route-to ($link2_if $link2_gw) \
    proto udp from $link2_if port = isakmp to $remote_link0_ip1 \
    port = isakmp keep state

What I find is that when I go over to using the MyIFGroup declaration, my rules stop matching and the VPN doesn't get established on the group'd interface (the other VPN comes up fine).

Is there something I'm missing ?? From reading the posts and 'man ifconfig' about interface groups I'm pretty sure I just have to assign an interface to the group and nothing more. Is that correct ??

Any help appreciated,

Cheers
Dave
PF, anchors and macros
Hi all, I'm updating my PF rules to include an anchor for my manual routing rules (using route-to) which can then be updated by ifstated when it notices that one of my links has fallen over. As the documentation says, macros are not visible in anchors. Which means that my (growing and rather extensive) list of macros and tables that I use have to be copied and pasted into the top of each anchor file and my pf.conf. Has anyone found a good way of somehow including macros (macros as an anchor don't seem to be possible) into multiple anchors ?? Cheers Dave
two vpn endpoints ... 3 net connections
Hi all,

Here's my problem, I have a remote machine that has two links, one is high bandwidth but has bad latency, the other has low bandwidth but good latency. I need two VPN tunnels running between these machines, but one over each link as below. The reasons why are due to the traffic I need to push over them, some is important but not high in volume, other is less important but there's a lot of it.

[ASCII diagram: Machine 1 connected to Machine 2 over two separate links, Link1 and Link2]

My problem is that I can't seem to find a way around the need for Machine 2 to have two default routes. My understanding of my problem is that any time Machine 2 receives a connection (irrespective of which link) it tries to respond over the link that is the default route (for example Link1). This means that whenever Link2 gets a connection, Link1 tries to respond for it.

Can anyone suggest a solution for this problem ? Do I not need multiple default routes ? Do I misunderstand my problem ?

All help is appreciated as ever,

Cheers
Dave
Re: two vpn endpoints ... 3 net connections
Stuart Henderson wrote:
> --On 14 October 2005 08:32 +1000, Dave Harrison wrote:
>> Here's my problem, I have a remote machine that has two links, one is high bandwidth but has bad latency, the other has low bandwidth but good latency.
> pf.conf(5), look at 'route-to' and 'reply-to'. Use PF rules to send ssh over the fast link and ftp over the fat link (etc).

The problem is that it's not the routed traffic I'm concerned with, it's the ISAKMP traffic that is directed to the firewall/vpn endpoint itself (as opposed to something behind that machine). Route-to doesn't work for the firewall machine itself I don't think, just for those machines passing traffic through it (although I had considered using reply-to, but I'm not sure how to use it for this scenario).
Using PF, route-to with prejudice ;-)
Hi all,

I have two links, a rather costly one, and a cheap high bandwidth one. I prefer to use the cheap one whenever possible, but if it goes down I want to fail over onto the expensive one.

This rule (from the PF FAQ) will let me round-robin my outgoing connections :

pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $lan_net to any keep state

But is there a way I can say try this one first, then try this one ? or is that going to require a routing daemon's control (ospf, bgp etc) ?

Cheers
Dave
SSH, SFTP, chroot and no login shells
Hi all,

I've been googling around for a couple of days now, and there is little consensus on how to solve the 'sftp no shell access' problem. I've found references to people that are using patched versions of OpenSSH (a solution I think begs for problems to occur) to facilitate chroot-ing users at login, restricted shells (to prevent users doing certain things like changing directories etc), and chrooting a user to their home dir using a chroot-ed shell.

The most straight forward solution seems to be offered by this link :

http://turquoise.thing.dk/#create_chroot_home

However I'm still a little concerned that I don't necessarily have the right solution to this problem. So here's the problem (I have trawled the misc@ list archives and recognise people have put forward this problem before, but I haven't seen a definite solution appear - or at least not one I feel happy with).

I want to be able to provide sftp access to users, these users are not anonymous - they will have accounts that I create for them. However I don't want them to be able to get outside their home dirs (as with chroot-ed ftp), and I don't want them to have 'shells' (i.e. I don't want them to be able to log in over ssh, or if they must, they must be chroot-ed to their home dir).

Cheers for any help,
Dave
Multiple SSH daemons
Hi,

I'm interested to know if anyone has a better solution (or has a solution to my existing question) for the following situation.

I have a remote login box that also functions as a local login box. Users connect to the machine over the local network to run X apps, they can also connect to it remotely (from other sites) using SSH to do the same sort of thing. Many users never access it from remote, but do use it locally a lot. Others use it both locally and remotely.

Locally, it is more effort than it's worth to enforce use of public keys (a proportion are windows users), however I want to mandate public keys for remote connections.

My current solution is to run a second sshd on another port and have that be the externally accessible sshd (and configure it to only allow public key connections). However the way sshd logs, I can't work out what was logged by which daemon.

Are there any other solutions people can think of ? Is there an option I don't know about ?

Cheers for your help,
Dave
PPP, PPPoE, and OpenBSD 3.7
Hi all,

I've been looking through all the upgrade notes etc and I can't see that any major changes have occurred in the ppp daemon, nor the pppoe translator that would cause me problems. However since I upgraded to 3.7 (from 3.4) I've been unable to connect to my ADSL provider.

My ppp.conf is thus :

swiftdsl:
 set log Phase Chat IPCP CCP tun command
 set device !/usr/sbin/pppoe -i em2 -v
 set reconnect 5 18
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1440
 set mru max 1440
 set speed sync
 set cd 5
 set dial
 set login
 set timeout 0
 set authname myusername
 set authkey myauthkey
 enable mssfixup

I've also tried enable LQR, and using allow users as well, but to no avail. I've gone through using interactive mode as well, and same result, no connection.

The actual error from the daemon log is as follows :

Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: deflink: Connect time: 0 secs: 44 octets in, 0 octets out
Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: deflink: 24 packets in, 0 packets out
Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: total 44 bytes/sec, peak 0 bytes/sec on Sun Jun 26 13:01:17 2005
Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: deflink: HUPing 8204
Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: deflink: hangup - opening
Jun 26 13:01:17 hiro ppp[3815]: tun0: Phase: deflink: Enter pause (5) for redialing.
Jun 26 13:01:17 hiro ppp[3815]: tun0: Chat: deflink: Reconnect try 6 of 18
Jun 26 13:01:22 hiro ppp[3815]: tun0: Chat: deflink: Redial timer expired.
Jun 26 13:01:22 hiro ppp[3815]: tun0: Warning: Carrier settings ignored
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: Connected!
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: opening - dial
Jun 26 13:01:22 hiro ppp[3815]: tun0: Chat: deflink: Dial attempt 1 of 1
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: dial - carrier
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: carrier - login
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: login - lcp
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: read (2): Connection reset by peer
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: Disconnected!
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: lcp - logout
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: logout - hangup
Jun 26 13:01:22 hiro ppp[3815]: tun0: Phase: deflink: Disconnected!

I've tried speaking to my ISP, aside from them not having much of a clue, they did claim to have reset my connection with them, but still not change to my situation - and I can only reset my modem so many times before I go insane ;-)

Anything anyone can spot that might help me sort this out ? I even tried the kernel based pppoe device, but no joy there either.

Cheers
Dave
Upgrade to 3.7 and VPN no longer works
I just upgraded my firewall to 3.7, but I've found my VPN is now not working. I keep seeing NAT detected messages, but both machines have real IPs so it doesn't make sense.

The client machine is a 3.6 install, and the server machine was a 3.4 machine which I used the media CD to upgrade. I've also checked out the latest src tree and recompiled both the kernel and the binaries on the newly installed 3.7 machine, but same problem persists.

I _have_ just found that if I allow port 4500 through on both machines, the VPN sets itself up correctly and works. But I don't want to use NAT-T ... anyone got any ideas ? is this a simple conf problem ? help ?

isakmpd output, and conf files are transcribed below

Cheers
Dave

Server side :
--
isakmpd output :

115833.011175 Timr 10 timer_add_event: event exchange_free_aux(0x3c065a00) added last, expiration in 120s
115833.011409 Exch 10 exchange_setup_p1: 0x3c065a00 Dors-peer OpenBSD-main-mode policy responder phase 1 doi 1 exchange 2 step 0
115833.011463 Exch 10 exchange_setup_p1: icookie faca10932e1a71b0 rcookie b5e563b3774c4389
115833.011509 Exch 10 exchange_setup_p1: msgid
115833.011574 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
115833.011633 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
115833.011684 Misc 30 ipsec_responder: phase 1 exchange 2 step 0
115833.011749 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok
115833.011859 Negt 20 ike_phase_1_validate_prop: success
115833.011907 Negt 30 message_negotiate_sa: proposal 1 succeeded
115833.011954 Misc 20 ipsec_decode_transform: transform 0 chosen
115833.012014 Exch 10 exchange_run: unexpected payload VENDOR
115833.012061 Exch 10 exchange_run: unexpected payload VENDOR
115833.012120 Misc 30 ipsec_responder: phase 1 exchange 2 step 1
115833.012270 Trpt 30 transport_send_messages: message 0x3c069480 scheduled for retransmission 1 in 7 secs
115833.012325 Timr 10 timer_add_event: event message_send_expire(0x3c069480) added before exchange_free_aux(0x3c065a00), expiration in 7s
115833.220797 Mesg 20 message_free: freeing 0x3c069480
115833.220854 Timr 10 timer_remove_event: removing event message_send_expire(0x3c069480)
115833.220907 Misc 30 ipsec_responder: phase 1 exchange 2 step 2
115833.220977 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it
115833.221026 Mesg 20 message_free: freeing 0x3c069380
115833.221086 Misc 30 ipsec_responder: phase 1 exchange 2 step 3
115833.231526 Trpt 30 transport_send_messages: message 0x3c069380 scheduled for retransmission 1 in 7 secs
115833.231600 Timr 10 timer_add_event: event message_send_expire(0x3c069380) added before exchange_free_aux(0x3c065a00), expiration in 7s
115840.240055 Timr 10 timer_handle_expirations: event message_send_expire(0x3c069380)
115840.240244 Trpt 30 transport_send_messages: message 0x3c069380 scheduled for retransmission 2 in 9 secs
115840.240298 Timr 10 timer_add_event: event message_send_expire(0x3c069380) added before exchange_free_aux(0x3c065a00), expiration in 9s
115849.250013 Timr 10 timer_handle_expirations: event message_send_expire(0x3c069380)
115849.250211 Trpt 30 transport_send_messages: message 0x3c069380 scheduled for retransmission 3 in 11 secs
115849.250273 Timr 10 timer_add_event: event message_send_expire(0x3c069380) added before exchange_free_aux(0x3c065a00), expiration in 11s
115900.260012 Timr 10 timer_handle_expirations: event message_send_expire(0x3c069380)
115900.260204 Default transport_send_messages: giving up on message 0x3c069380, exchange Dors-peer
115900.260265 Default transport_send_messages: either this message did not reach the other peer
115900.260312 Default transport_send_messages: or this is an attempted IKE scan
115900.260369 Mesg 20 message_free: freeing 0x3c069380

server isakmpd.conf :
-
##
# Phase 1
##
[Phase 1]
CLIENTIP = Dors-peer

##
# Phase 2
##
[Phase 2]
Passive-connections = Dors-connection

#
# Phase 1 Peers
#
[Dors-peer]
Phase = 1
Configuration = OpenBSD-main-mode
Address = CLIENTIP
Authentication = mypassphrase

##
# Phase 2 Connections
##
[Dors-connection]
Phase = 2
ISAKMP-peer = Dors-peer
Configuration = OpenBSD-quick-mode
Local-ID= Sydney-net
Remote-ID = PA-net

##
# Phase 2 Host ID's
##
[Sydney-net]
ID-type=IPV4_ADDR_SUBNET
Network=SYDNEYNET
Netmask=255.255.252.0

[PA-net]
ID-type=IPV4_ADDR_SUBNET
Network=PANET
Netmask=255.255.255.0

Client:
---
125747.300124 Timr 10 timer_handle_expirations: event connection_checker(0x3c1eabf0)
125747.300245 Timr 10 timer_add_event: event
Re: Upgrade to 3.7 and VPN no longer works
Stephen Marley wrote:
> On Sun, Jun 19, 2005 at 01:34:06PM +1000, Dave Harrison wrote:
>> I just upgraded my firewall to 3.7, but I've found my VPN is now not working. I keep seeing NAT detected messages, but both machines have real IPs so it doesn't make sense.
>>
>> The client machine is a 3.6 install, and the server machine was a 3.4 machine which I used the media CD to upgrade. I've also checked out the latest src tree and recompiled both the kernel and the binaries on the newly installed 3.7 machine, but same problem persists.
>>
>> I _have_ just found that if I allow port 4500 through on both machines, the VPN sets itself up correctly and works. But I don't want to use NAT-T ... anyone got any ideas ? is this a simple conf problem ? help ?
> Have you tried the -T option to isakmpd?

Seems like the option I want ... but I can't see it in the man page on either my 3.6 or 3.7 machines, and isakmpd won't accept -T as a flag on either machine. Is that something that's only available in -current ?