Re: Defending OpenBSD Performance
I've heard a different version of that one: "...is like teaching a pig to sing, it wastes your time and it annoys the pig."

Saludos,
Jose.

On Mon, 14 Sep 2009 13:44:55 -0400, STeve Andre' and...@msu.edu wrote:
> Attempting to prove the worth of OpenBSD to folks who are not able to figure things out for themselves is much like trying to teach butterflies Calculus. It doesn't work and wastes your time.
>
> --STeve Andre'
Re: HD 'Analysis'
I use this: http://smartmontools.sourceforge.net/

Saludos,
Jose.

L. V. Lammert wrote:
> At 06:06 PM 5/4/2009 -0400, STeve Andre' wrote:
>> The best way is to get a new disk. I'm serious. Disks are cheap enough, and the value of what's on them is high enough that if you think it's going, get a new one. Even if this is a hobby system, I'd do that.
>
> And I'm serious too - how many hard drives do you throw away before you realize that might not be the problem?
>
>> There is disk testing software from the OEMs you can use. But if you think it's acting weird don't trust it.
>
> That's why I'm looking for a way to gather some hard data.
>
> Lee
Re: Help with CARP
Not set on the MASTER, 230 on the backup.

Saludos,
Jose.

Jonathan Carter wrote:
> I have it set to (1) on the primary and (100) on the backup. How high did you set yours?
>
> Jonathan
>
> -----Original Message-----
> From: Jose Quinteiro [mailto:[EMAIL PROTECTED]
> Sent: 20 September 2008 20:45
> To: Jonathan Carter
> Cc: misc@openbsd.org
> Subject: Re: Help with CARP
>
> I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them.
>
> HTH,
> Jose.
>
> Jonathan Carter wrote:
>> Hi
>>
>> Any ideas with this one please?
>>
>> I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF. This set up has already been working for 12 months.
>>
>> Last week I was troubleshooting network problems reported by my clients and I noticed that several CARP interfaces had failed over. I checked that there were no more problems with the Primary firewall and I set the interfaces on the backup firewall back to BACKUP and made sure that the primary firewall interfaces were all set to MASTER. However I had intermittent timeout problems for the next 24hrs.
>>
>> Eventually I enabled loud debugging on PF and I saw that traffic was coming through both firewalls even though the backup firewall has all its CARP interfaces set back to BACKUP. I tried several basic TCP debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to down. This is where I am at the moment.
>>
>> Can anyone point me in the direction of how I can investigate this further? I want to bring up the backup firewall interfaces as soon as possible so that I have my redundant set up, but at the moment I am at a loss to think of what could be wrong. The only thing I can think of is that I have accidentally enabled load balancing, but I have checked the basics from the CARP documentation and, on the surface, it does not look like it.
>>
>> I am running 4.1 GENERIC#874 amd64
>>
>> Regards
>> Jonathan
Re: Help with CARP
33224
pfsync0: flags=0<> mtu 1460
        pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev sis0 vhid 1 advbase 1 advskew 230
        groups: carp egress
        inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev sis1 vhid 3 advbase 1 advskew 230
        groups: carp
        inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev sis2 vhid 4 advbase 1 advskew 230
        groups: carp
        inet 10.40.28.1 netmask 0xff00 broadcast 10.40.28.255

# netstat -s -p carp
carp:
        16025115 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        3957383 discarded because packet too short
        0 discarded for bad authentication
        7805754 discarded for bad vhid
        0 discarded because of a bad address list
        10029 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error

# netstat -s -p pfsync
pfsync:
        22453363 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        10017225 failed state lookup/inserts
        8397043 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        0 send error

Thanks,
Jose.

Bryan Irvine wrote:
> On Mon, Sep 22, 2008 at 8:30 AM, Jose Quinteiro [EMAIL PROTECTED] wrote:
>> Not set on the MASTER, 230 on the backup.
>
> Can you post the output of 'ifconfig' and 'netstat -s -p carp' and 'netstat -s -p pfsync' from both firewalls?
>
> -B
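A checker for the `netstat -s -p carp` counters posted above, added here as an example and not part of the thread: it parses the counter lines and flags every non-zero discard counter with its share of the advertisements received. The sample text is constructed after the numbers in the post, and the interpretation hints are my own reading of carp(4) behaviour, not something the thread states.

```python
import re

# Constructed sample, modelled on the `netstat -s -p carp` output posted in
# the thread (the counter names are netstat's; the numbers are the post's).
SAMPLE_CARP_STATS = """\
carp:
        16025115 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for wrong TTL
        0 packets shorter than header
        0 discarded for bad checksums
        0 discarded packets with a bad version
        3957383 discarded because packet too short
        0 discarded for bad authentication
        7805754 discarded for bad vhid
        0 discarded because of a bad address list
        10029 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
"""

# Every counter line is "<count> <description>"; the "carp:" header is not.
_COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

# Interpretation hints for the discard counters whose meaning is unambiguous
# from carp(4); the other discard counters are reported without one.
HINTS = {
    "discarded for bad vhid":
        "advertisements for a vhid that is not configured on the receiving "
        "carpdev: another CARP group shares that segment, or the peers' "
        "vhids do not match",
    "discarded for bad authentication":
        "advertisements failed the HMAC check: the CARP 'pass' differs "
        "between the peers",
    "packets discarded for wrong TTL":
        "advertisements arrived with a TTL other than 255: a router sits "
        "between the peers",
}


def parse_counters(text):
    """Map each '<count> <description>' line to {description: count}."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def carp_findings(counters):
    """Return (counter, count, share_of_received, hint) for every non-zero
    discard counter, largest count first."""
    received = sum(v for k, v in counters.items()
                   if k.startswith("packets received"))
    findings = []
    for name, count in counters.items():
        is_discard = "discarded" in name or "shorter than header" in name
        if not is_discard or count == 0:
            continue
        share = count / received if received else 0.0
        findings.append((name, count, share, HINTS.get(name, "")))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def report(text):
    """Human-readable summary, one line per finding."""
    lines = []
    for name, count, share, hint in carp_findings(parse_counters(text)):
        line = f"{name}: {count} ({share:.1%} of received)"
        lines.append(line + (f" -- {hint}" if hint else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CARP_STATS)))
```

Feed it the real output of `netstat -s -p carp` from each firewall and compare the two sides; a large bad-vhid share on one side only points at the segment that side's carpdev sits on.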
Re: Help with CARP
I had similar problems with a couple of little Soekris boxes. I solved it by increasing advskew. I think they can't handle the interrupt load at peak times. I'm in the process of replacing them.

HTH,
Jose.

Jonathan Carter wrote:
> Hi
>
> Any ideas with this one please?
>
> I have 2 OpenBSD boxes running as a pair of firewalls using CARP + PF. This set up has already been working for 12 months.
>
> Last week I was troubleshooting network problems reported by my clients and I noticed that several CARP interfaces had failed over. I checked that there were no more problems with the Primary firewall and I set the interfaces on the backup firewall back to BACKUP and made sure that the primary firewall interfaces were all set to MASTER. However I had intermittent timeout problems for the next 24hrs.
>
> Eventually I enabled loud debugging on PF and I saw that traffic was coming through both firewalls even though the backup firewall has all its CARP interfaces set back to BACKUP. I tried several basic TCP debugging techniques but in the end I set all of the CARP interfaces on the backup firewall to down. This is where I am at the moment.
>
> Can anyone point me in the direction of how I can investigate this further? I want to bring up the backup firewall interfaces as soon as possible so that I have my redundant set up, but at the moment I am at a loss to think of what could be wrong. The only thing I can think of is that I have accidentally enabled load balancing, but I have checked the basics from the CARP documentation and, on the surface, it does not look like it.
>
> I am running 4.1 GENERIC#874 amd64
>
> Regards
> Jonathan
Re: scsi disk i/o hanging 4.3 system
Had this same problem with some 1750s. Found it only happens on BIOS rev. A10. Rev. A12 resolves the problem.

Saludos,
Jose.

Rick Aliwalas wrote:
> I think the problem I'm having is different as 4.2-RELEASE works like a charm. Again, copying a few gig worth of files from say sd1h to sd0h locks up the 1750's using 4.3-RELEASE up to last night's snap. Both Dell 1750's have the non-RAID controller (dmesg from an older snap attached). Anything I can try before reverting to 4.2-RELEASE?
>
> many thanks,
> -rick
>
> On Sat, 28 Jun 2008, Marco Peereboom wrote:
>> That is fixed in 4.3 or in -current, not sure if it made the previous release.
>>
>> On Sat, Jun 28, 2008 at 10:17:02AM +0200, Torsten Frost wrote:
>>> I have a few machines with the same behavior. The boxes run fine unless you tax them with things like unpacking ports, du on a large tree or dd'ing some /dev/zero to disk. The 1950 can route 400mbit ethernet with no problems for weeks if you don't mess with the disks, so I guess the hardware is reasonably unbroken. Broken hardware or some driver/chipset issue?
>>>
>>> - Dell 1950 with a PERC5 raid1 SATA 160gb mirror.
>>>
>>> 4.2-RELEASE
>>> A 300mb dd write makes an unkillable process. Outputs a few "sd0: not queued, error 5" lines. Recently flashed the card to the latest firmware. Behaves somewhat better. Happens with a single drive too. Needs rebooting to be able to write to the drive after it has started to behave.
>>>
>>> Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20 minutes and about 100mb unpacked. Is at least stable, doesn't die, just writes to the disk really slow. Like previous poster, unkillable processes and weird behaviour. Needs rebooting to be able to write to the drive after it has started to behave.
>>>
>>> - Dell 1750 scsi
>>> Our two 1750 scsi boxes work well though. Doesn't seem to crash from dd.
pf.conf syntax error
The pf.conf man page sez:

    Macros are not expanded inside quotes. For example,

        ext_if = "kue0"
        all_ifs = "{" $ext_if lo0 "}"

However, the following fails with a syntax error on 4.3. On 4.2 something like this worked:

    foo = "123"
    bar = "456"
    fubar_ports = "{" $foo $bar "}"

However, that does not work on 4.3 either.

Thanks,
Jose.
Re: pf.conf syntax error
That's pretty basic stuff. What I want to do is create a list of macros. The pf FAQ says:

    Macros can be defined recursively. Since macros are not expanded within quotes the following syntax must be used:

        host1 = "192.168.1.1"
        host2 = "192.168.1.2"
        all_hosts = "{" $host1 $host2 "}"

(http://www.openbsd.org/faq/pf/macros.html)

That works. But try this:

    host1 = "192"
    host2 = "192.168.1.2"
    all_hosts = "{" $host1 $host2 "}"

You'll get:

    /etc/pf.conf:linenum: syntax error
    pfctl: Syntax error in config file: pf rules not loaded

Now try this:

    host1 = "192.1"
    host2 = "192.168.1.2"
    all_hosts = "{" $host1 $host2 "}"

That'll work too. Can't use macros for port numbers if dots are required.

Thanks,
Jose.

phoenixcomm wrote:
> Jose Quinteiro-5 wrote:
>> The pf.conf man page sez:
>>
>>     Macros are not expanded inside quotes. For example,
>>
>>         ext_if = "kue0"
>>         all_ifs = "{" $ext_if lo0 "}"
>>
>> However, the following fails with a syntax error on 4.3. On 4.2 something like this worked:
>>
>>     foo = "123"
>>     bar = "456"
>>     fubar_ports = "{" $foo $bar "}"
>>
>> However, that does not work on 4.3 either.
>>
>> Thanks,
>> Jose.
>
> the book is always right
>
>     Macro names must start with a letter and may contain letters, digits, and underscores. Macro names cannot be reserved words such as pass, out, or queue.
>
>         ext_if = "fxp0"
>         block in on $ext_if from any to any
>
>     This creates a macro named ext_if. When a macro is referred to after it's been created, its name is preceded with a $ character.
>
>     Macros can also expand to lists, such as:
>
>         friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"
>
> good luck
Re: pf.conf syntax error
Thanks, I searched the archives but didn't find it.

Saludos,
Jose.

nate wrote:
> Jose Quinteiro wrote:
>>     host1 = "192"
>>     host2 = "192.168.1.2"
>>     all_hosts = "{" $host1 $host2 "}"
>>
>> You'll get:
>>
>>     /etc/pf.conf:linenum: syntax error
>>     pfctl: Syntax error in config file: pf rules not loaded
>
> That's a bug in pf, which appears to be fixed in current. I had a thread on this topic about a week ago (pf not properly resolving $host1 to 192, for example).
>
> nate
Re: developer laptop choices
Super quick and dirty check, and I'd have to get it with Windows Vista Ultimate. "Ultimate what?" is the question that comes immediately to mind. No thanks.

Personally, I'd buy a Dell Insipidron N-series, purely for political reasons.

Saludos,
Jose.

Lars D. Noodén wrote:
> On Mon, 16 Jun 2008, Michiel van Baak wrote:
>> On 09:33, Mon 16 Jun 08, Michael Gale wrote:
>>> I just picked up an IBM Thinkpad T61p.
>>
>> I have the same and really love it.
>
> How were either of you able to get one without the Windows tax? EU reports last autumn showed that it is about half the cost. I've had a small handful of ThinkPads but stopped in 2002 when I got stuck with a bad unit and burned by a local dealer. The specs are attractive and I figure it's about time to look at them again, but only if they are available with an open source system pre-installed. I'm looking at the lenovo shop pages and don't see the open source models available.
>
> -Lars
>
> Lars Noodén ([EMAIL PROTECTED])
> Ensure access to your data now and in the future
> http://opendocumentfellowship.org/about_us/contribute
Re: bsdanywhere
5. Bowlfish
http://www.kernel-panic.it/software/bowlfish/

Predrag Punosevac wrote:
> Pau wrote:
>> a nice thing to test hardware and get dmesg
>>
>> http://bsdanywhere.org/
>>
>> Of course, I guess that booting the obsd installer cd is much faster and you get also dmesg, but this is an interesting alternative
>
> This is a little bit longer list of distros based on OpenBSD.
>
> Active projects:
>
> 1. flashdist
> http://www.nmedia.net/flashdist/
> http://www.bsd-srbija.org/dokumentacija/doku.php/flashdist
>
> 2. MirBSD
> http://www.mirbsd.org/main.htm
> http://www.bsd-srbija.org/dokumentacija/doku.php/mirbsd
>
> 3. LiveCD
> http://www.jggimi.homeip.net/
>
> 4. BSDanywhere
> http://bsdanywhere.org/
> http://www.bsd-srbija.org/dokumentacija/doku.php/bsdanywhere
>
> Dead or inactive projects:
>
> 1. Anonym.OS
> no web site available anymore
> http://www.bsd-srbija.org/dokumentacija/doku.php/anonym.os
>
> 2. CompactBSD
> http://compactbsd.sourceforge.net/
> http://www.bsd-srbija.org/dokumentacija/doku.php/compactbsd
>
> 3. ekkoBSD
> http://en.wikipedia.org/wiki/EkkoBSD
> http://www.bsd-srbija.org/dokumentacija/doku.php/ekkobsd
>
> 4. EmBSD
> no web site available anymore
> http://www.bsd-srbija.org/dokumentacija/doku.php/embsd
>
> 5. Flashboot
> http://www.mindrot.org/projects/flashboot/
> http://www.bsd-srbija.org/dokumentacija/doku.php/flashboot
>
> 6. MicroBSD
> http://www.microbsd.net/
> http://www.bsd-srbija.org/dokumentacija/doku.php/microbsd
>
> 7. OliveBSD
> http://g.paderni.free.fr/olivebsd/
> http://www.bsd-srbija.org/dokumentacija/doku.php/olivebsd
>
> 8. OpenBSD Live-CD Firewall
> http://www.alti.at/knowhow/obsdlivecd/fw.php
> http://www.bsd-srbija.org/dokumentacija/doku.php/openbsd_live-cd_firewall
>
> 9. PsygNAT
> http://www.feu-nrmf.ph/norbert/projects/psygnat/
> http://www.bsd-srbija.org/dokumentacija/doku.php/psygnat
>
> 10. SONaFR
> http://www.freebsd.nfo.sk/opbsd/openbsdeng.htm
> http://www.bsd-srbija.org/dokumentacija/doku.php/sonafr
Re: Deciphering Understanding IP addressing
Looks like the exponentiation operator got eaten up somewhere. 2 to the 32nd power (2^32) is 4,294,967,296. 2^3 == 8.

HTH,
Jose.

Kendall Shaw wrote:
> In the networking section of the OpenBSD FAQ it suggests reading Understanding IP addressing:
>
> http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
>
> I'm having a hard time understanding it. In many places they use 2 numbers, e.g. 2(21) or 232 (4,294,967,296). Can you understand what they are saying?
>
> For example, on page 3:
>
>     IPv4 defines a 32-bit address which means that there are only 232 (4,294,967,296) IPv4 addresses available.
>
> 232 what?
>
> On page 11:
>
>     The first step in the planning process is to take the maximum number of subnets required and round up to the nearest power of two. For example, if an organization needs nine subnets, 23 (or 8) will not provide enough subnet addressing space, so the network administrator will need to round up to 24 (or 16).
>
> 23 or 8 what? Bits? What are 23 and 8 alternatives of? 24 or 16 looks like alternative prefix lengths for class A or B networks, but I don't get 23 or 8.
>
> Kendall
Re: ipsec home network to colo server
http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

Try

ipsec.conf on fire:

    angie = 208.70.72.13
    fire = 10.0.0.0/24
    ike esp from $fire to $angie local egress \
        srcid fire.sporkton.com dstid angie.sporkton.com

ipsec.conf on angie:

    angie = 208.70.72.13
    fire = 10.0.0.0/24
    ike passive esp from $angie to $fire \
        srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.

Lord Sporkton wrote:
> 2008/5/15 Claer [EMAIL PROTECTED]:
>> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>>> 2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
>>>> 2008/5/14 scott learmonth [EMAIL PROTECTED]:
>>>>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED] wrote:
>>>>>> I am trying to set up an ipsec link between my home network (private ip network behind dynamic public ip) and my colo server (single public static ip). I was a bit unclear on how to set up a tunnel between a static and dynamic ip.
>>>>>>
>>>>>> interesting traffic: 208.70.72.13 - 10.0.0.0/16
>>>>>>
>>>>>> My sad seems to set up ok, however afterward I get no flows and can not pass data. I've checked out logs, and ipsecctl -m, but see nothing of use.
>>>>>> Below is data I believe relevant; if anything else is requested I will do my best to post it back in a timely fashion. Thank you.
>>>>>>
>>>>>> colo server:
>>>>>>
>>>>>> # uname -a
>>>>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>>>>>
>>>>>> # cat /etc/ipsec.conf
>>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>>>>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>         quick auth hmac-sha1 enc 3des \
>>>>>>         srcid angie.sporkton.com dstid fire.sporkton.com \
>>>>>>         psk password
>>>>>>
>>>>>> # ipsecctl -sa
>>>>>> FLOWS:
>>>>>> No flows
>>>>>>
>>>>>> SAD:
>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>
>>>>>> # ipsecctl -m output:
Re: ipsec home network to colo server
No, egress is an interface group. Man ifconfig. You have to use that 'cause your outgoing (egress) IP address changes. The pf-style (eth0) syntax, where eth0 is your outside interface, may work too. Try it and see.

Saludos,
Jose.

Lord Sporkton wrote:
> So egress being something very much like any then?
>
> 2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:
>> http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html
>>
>> Try
>>
>> ipsec.conf on fire:
>>
>>     angie = 208.70.72.13
>>     fire = 10.0.0.0/24
>>     ike esp from $fire to $angie local egress \
>>         srcid fire.sporkton.com dstid angie.sporkton.com
>>
>> ipsec.conf on angie:
>>
>>     angie = 208.70.72.13
>>     fire = 10.0.0.0/24
>>     ike passive esp from $angie to $fire \
>>         srcid angie.sporkton.com dstid fire.sporkton.com
>>
>> HTH,
>> Jose.
>>
>> Lord Sporkton wrote:
>>> 2008/5/15 Claer [EMAIL PROTECTED]:
>>>> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>>>>> 2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
>>>>>> 2008/5/14 scott learmonth [EMAIL PROTECTED]:
>>>>>>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED] wrote:
>>>>>>>> I am trying to set up an ipsec link between my home network (private ip network behind dynamic public ip) and my colo server (single public static ip). I was a bit unclear on how to set up a tunnel between a static and dynamic ip.
>>>>>>>>
>>>>>>>> interesting traffic: 208.70.72.13 - 10.0.0.0/16
>>>>>>>>
>>>>>>>> My sad seems to set up ok, however afterward I get no flows and can not pass data. I've checked out logs, and ipsecctl -m, but see nothing of use.
CARP traffic goes over the ipsec tunnel when it's not supposed to
I have two firewalls running OpenBSD 4.2 x86. I've set up an ipsec tunnel using ipsec.conf. These machines also serve up a shared ip address using a carp interface. Here's hostname.carp1 on machine1:

    inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ...

And on machine2:

    inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ... advskew 100

And ipsec.conf on both machines:

    local_ip = a.a.a.a
    peer_ip = b.b.b.b
    local_net = 10.40.31.224/27

    ike esp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    flow esp from $local_net to $local_net type bypass

Everything worked great until isakmpd brought up the ipsec tunnel. Both firewalls showed MASTER for the carp interface, and pretty much nothing worked over the internal net. Using tcpdump on the enc0 interface at the far end of the tunnel I determined that all the carp traffic was getting sent over the tunnel. Also, the backup firewall was inexplicably advertising about ten times as often as the master, despite the higher advskew.

I thought this would fix it:

    flow esp proto carp from any to any type bypass

But it had no effect. After some trial and error, I found that the solution was to only allow some protocols through the tunnel:

    ike esp proto icmp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    ike esp proto tcp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish
    ike esp proto udp from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish

Now everything seems to work, though the icmp flow doesn't come up sometimes, for some reason. Unfortunately, this syntax is not correct:

    ike esp proto { tcp udp icmp } from $local_net to any local $local_ip peer $peer_ip \
        quick enc blowfish

This would clean up my file quite a bit.

Why doesn't "flow esp proto carp from any to any type bypass" work?

Thanks,
Jose.