Re: Defending OpenBSD Performance

2009-09-14 Thread Jose Quinteiro
I've heard a different version of that one: ...is like teaching a pig to
sing, it wastes your time and it annoys the pig.

Saludos,
Jose.

On Mon, 14 Sep 2009 13:44:55 -0400, STeve Andre' and...@msu.edu wrote:
 
 Attempting to prove the worth of OpenBSD to folks who are not able to
 figure things out for themselves is much like trying to teach butterflies
 Calculus.
 
 It doesn't work and wastes your time.
 
 --STeve Andre'



Re: HD 'Analysis'

2009-05-04 Thread Jose Quinteiro

I use this http://smartmontools.sourceforge.net/

Saludos,
Jose.

L. V. Lammert wrote:

At 06:06 PM 5/4/2009 -0400, STeve Andre' wrote:

The best way is to get a new disk.  I'm serious.  Disks are cheap enough,
and the value of what's on them is high enough that if you think it's going,
get a new one.  Even if this is a hobby system, I'd do that.


And I'm serious too - how many hard drives do you throw away before you
realize that might not be the problem?



There is disk testing software from the OEMs you can use.

But if you think it's acting weird, don't trust it.


That's why I'm looking for a way to gather some hard data.

Lee




Re: Help with CARP

2008-09-22 Thread Jose Quinteiro

Not set on the MASTER, 230 on the backup.

Saludos,
Jose.

Jonathan Carter wrote:

I have it set to (1) on the primary and (100) on the backup.

How high did you set yours?

Jonathan


-Original Message-
From: Jose Quinteiro [mailto:[EMAIL PROTECTED] 
Sent: 20 September 2008 20:45

To: Jonathan Carter
Cc: misc@openbsd.org
Subject: Re: Help with CARP

I had similar problems with a couple of little Soekris boxes.  I solved it
by increasing advskew.  I think they can't handle the interrupt load at peak
times.  I'm in the process of replacing them.

HTH,
Jose.

Jonathan Carter wrote:

Hi
 
Any ideas with this one please?
 
I have 2 openBSD boxes running as a pair of firewalls using CARP + PF.
This set up has already been working for 12 months.

Last week I was troubleshooting network problems reported by my
clients and I noticed that several CARP interfaces had failed over.  I
checked that there were no more problems with the primary firewall and
I set the interfaces on the backup firewall back to BACKUP and made
sure that the primary firewall interfaces were all set to MASTER.

However I had intermittent timeout problems for the next 24hrs.
Eventually I enabled loud debugging on PF and I saw that traffic was
coming through both firewalls even though the backup firewall has all
its CARP interfaces set back to BACKUP.  I tried several basic TCP
debugging techniques but in the end I set all of the CARP interfaces on
the backup firewall to down.

This is where I am at the moment.  Can anyone point me in the
direction of how I can investigate this further?  I want to bring up
the backup firewall interfaces as soon as possible so that I have my
redundant set up but at the moment I am at a loss to think of what could
be wrong.

The only thing I can think of is that I have accidentally enabled
load balancing - but I have checked the basics from the CARP
documentation and, on the surface, it does not look like it.

I am running 4.1 GENERIC#874 amd64


 
Regards
 
Jonathan




Re: Help with CARP

2008-09-22 Thread Jose Quinteiro
 33224
pfsync0: flags=0 mtu 1460
pfsync: syncdev: sis4 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0 mtu 1536
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: BACKUP carpdev sis0 vhid 1 advbase 1 advskew 230
groups: carp egress
inet 6.2.8.8 netmask 0xfff8 broadcast
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: BACKUP carpdev sis1 vhid 3 advbase 1 advskew 230
groups: carp
inet 1.3.7.8 netmask 0xffc0 broadcast
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: BACKUP carpdev sis2 vhid 4 advbase 1 advskew 230
groups: carp
inet 10.40.28.1 netmask 0xff00 broadcast 10.40.28.255
# netstat -s -p carp
carp:
16025115 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
3957383 discarded because packet too short
0 discarded for bad authentication
7805754 discarded for bad vhid
0 discarded because of a bad address list
10029 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
# netstat -s -p pfsync
pfsync:
22453363 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for bad ttl
0 packets shorter than header
0 packets discarded for bad version
0 packets discarded for bad HMAC
0 packets discarded for bad action
0 packets discarded for short packet
0 states discarded for bad values
0 stale states
10017225 failed state lookup/inserts
8397043 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
0 send error


Thanks,
Jose.


Bryan Irvine wrote:

On Mon, Sep 22, 2008 at 8:30 AM, Jose Quinteiro [EMAIL PROTECTED] wrote:

Not set on the MASTER, 230 on the backup.


Can you post the output of 'ifconfig' and 'netstat -s -p carp' and
'netstat -s -p pfsync' from both firewalls?

-B
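The counters Bryan asks for are the useful part of that output: on the backup box above, roughly half of all CARP packets received were dropped for a bad vhid. The following is an added example, not code from the thread, that parses `netstat -s -p carp` (and, with the same parser, `-p pfsync`) text and reports the nonzero discard counters with their share of received packets; the sample text is the post's own output, and the interpretations in `DISCARD_HINTS` are mine.

```python
import re

# netstat -s -p carp output posted above for the BACKUP firewall
SAMPLE_CARP = """\
carp:
16025115 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
3957383 discarded because packet too short
0 discarded for bad authentication
7805754 discarded for bad vhid
0 discarded because of a bad address list
10029 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
"""

# "<count> <description>" lines; the "carp:" / "pfsync:" header has no count
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_netstat_counters(text):
    """Map each counter description to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


# What a nonzero discard counter means for a two-node CARP pair.  These
# interpretations are mine, not from the thread; only the counters are real.
DISCARD_HINTS = {
    "discarded for bad vhid":
        "advertisements for a vhid this host does not serve are arriving on "
        "the carpdev: another CARP group shares the segment, or the two "
        "firewalls disagree on the vhid",
    "discarded for bad authentication":
        "the advertisement's HMAC does not verify: CARP password mismatch",
    "discarded because packet too short":
        "malformed advertisements; capture them with tcpdump on the carpdev",
}


def carp_findings(text):
    """Nonzero discard counters, each with its share of received packets.

    A healthy pair accepts almost every advertisement it hears; when a large
    share is discarded, the peers are ignoring each other for a reason that
    should be chased down before tuning advskew.
    """
    counters = parse_netstat_counters(text)
    received = (counters.get("packets received (IPv4)", 0)
                + counters.get("packets received (IPv6)", 0))
    findings = []
    for label, count in counters.items():
        if "discard" in label and count > 0:
            findings.append({
                "counter": label,
                "count": count,
                "share_of_received": count / received if received else 0.0,
                "hint": DISCARD_HINTS.get(label, "inspect with tcpdump"),
            })
    return findings


if __name__ == "__main__":
    for f in carp_findings(SAMPLE_CARP):
        print(f"{f['count']:>10} ({f['share_of_received']:.0%}) "
              f"{f['counter']}: {f['hint']}")
```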




Re: Help with CARP

2008-09-20 Thread Jose Quinteiro
I had similar problems with a couple of little Soekris boxes.  I solved 
it by increasing advskew.  I think they can't handle the interrupt load 
at peak times.  I'm in the process of replacing them.


HTH,
Jose.





Re: scsi disk i/o hanging 4.3 system

2008-08-08 Thread Jose Quinteiro
Had this same problem with some 1750s.  Found it only happens on BIOS
rev. A10.  Rev. A12 resolves the problem.


Saludos,
Jose.

Rick Aliwalas wrote:

I think the problem I'm having is different as 4.2-RELEASE works like a
charm.  Again, copying a few gigs' worth of files from say sd1h to sd0h locks
up the 1750s using 4.3-RELEASE up to last night's snap.  Both Dell 1750s
have the non-RAID controller (dmesg from an older snap attached).  Anything
I can try before reverting to 4.2-RELEASE?

many thanks,
-rick

On Sat, 28 Jun 2008, Marco Peereboom wrote:


That is fixed in 4.3 or in -current not sure if it made the previous
release.

On Sat, Jun 28, 2008 at 10:17:02AM +0200, Torsten Frost wrote:

I have a few machines with the same behavior. The boxes run fine
unless you tax them with things like unpacking ports, du on a large tree
or dd'ing some /dev/zero to disk. The 1950 can route 400mbit ethernet
with no problems for weeks if you don't mess with the disks, so I guess
the hardware is reasonably unbroken.


Broken hardware or some driver/chipset issue?


Dell 1950 with a PERC5 raid1 SATA 160gb mirror. 4.2-RELEASE

A 300mb dd write makes an unkillable process. Outputs a few "sd0: not
queued, error 5" lines.


Recently flashed the card to the latest firmware. Behaves somewhat better.

Happens with a single drive too.

Needs rebooting to be able to write to the drive after it has started to
behave.
Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20
minutes and about 100mb unpacked.
Is at least stable, doesn't die, just writes to the disk really slowly.
Like previous poster, unkillable processes and weird behaviour. Needs
rebooting to be able to write to the drive after it has started to behave.

-

Dell 1750 scsi

Our two 1750 scsi boxes work well though. They don't seem to crash from dd.

-

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.40GHz (GenuineIntel 686-class) 2.39 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1073147904 (1023MB)
avail mem = 1029640192 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/13/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfb320 (56 entries)
bios0: vendor Dell Computer Corporation version A07 date 01/13/2004
bios0: Dell Computer Corporation PowerEdge 1750
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices RTC_(S5) PCI0(S5) PCI3(S5) PCI2(S5) PCI1(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PCI4)
acpiprt2 at acpi0: bus 3 (PCI3)
acpiprt3 at acpi0: bus 2 (PCI2)
acpiprt4 at acpi0: bus 1 (PCI1)
acpicpu0 at acpi0
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x33
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb1 bus 1
fxp0 at pci1 dev 4 function 0 Intel 8255x rev 0x0d, i82550: irq 7, address 00:02:b3:f0:4c:b5
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci2 at pchb2 bus 3
vga1 at pci0 dev 14 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: SMBus disabled
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, K.9A SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: irq 11, version 1.0, legacy support
pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb3 at pci0 dev 16 function 0 ServerWorks CIOB-E rev 0x12
pchb4 at pci0 dev 16 function 2 ServerWorks CIOB-E rev 0x12
pci3 at pchb4 bus 2
bge0 at pci3 dev 0 function 0 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): irq 5, address 00:0f:1f:66:01:40
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 0 function 1 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): irq 7, address 00:0f:1f:66:01:41
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
pchb5 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb6 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci4 at pchb6 bus 4
mpi0 at pci4 dev 5 function 0 Symbios Logic 53c1030 rev 0x07: irq 5
scsibus1 at mpi0: 16 targets
sd0 at scsibus1 targ 0 lun 0: FUJITSU, MAP3735NC, 5608 SCSI3 0/direct fixed
sd0: 70007MB, 47996 cyl, 4 head, 746 sec, 512 bytes/sec, 143374650 sec total
sd1 at scsibus1 targ 1 lun 

pf.conf syntax error

2008-08-08 Thread Jose Quinteiro

The pf.conf man page sez:

Macros are not expanded inside quotes.

 For example,

   ext_if = "kue0"
   all_ifs = "{" $ext_if lo0 "}"


However, the following fails with a syntax error on 4.3.  On 4.2
something like this worked:


foo = "123"
bar = "456"

fubar_ports = "{" $foo $bar "}"

However, that does not work on 4.3 either.

Thanks,
Jose.



Re: pf.conf syntax error

2008-08-08 Thread Jose Quinteiro
That's pretty basic stuff.  What I want to do is create a list of
macros.  The pf faq says:


Macros can be defined recursively. Since macros are not expanded within
quotes the following syntax must be used:

host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

(http://www.openbsd.org/faq/pf/macros.html)

That works.  But try this:

host1 = "192"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

You'll get:

/etc/pf.conf:linenum: syntax error
pfctl: Syntax error in config file: pf rules not loaded

Now try this:

host1 = "192.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

That'll work too.  Can't use macros for port numbers if dots are required.

Thanks,
Jose.


phoenixcomm wrote:


the book is always right
Macro names must start with a letter and may contain letters, digits, and
underscores. Macro names cannot be reserved words such as pass, out, or
queue.

ext_if = "fxp0"

block in on $ext_if from any to any

This creates a macro named ext_if. When a macro is referred to after it's
been created, its name is preceded with a $ character.

Macros can also expand to lists, such as:

friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"


good luck




Re: pf.conf syntax error

2008-08-08 Thread Jose Quinteiro

Thanks, I searched the archives but didn't find it.

Saludos,
Jose.


nate wrote:

Jose Quinteiro wrote:

host1 = "192"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

You'll get:

/etc/pf.conf:linenum: syntax error
pfctl: Syntax error in config file: pf rules not loaded



That's a bug in pf, which appears to be fixed in current, I had a
thread on this topic about a week ago. (pf not properly resolving
$host1 to 192 for example).

nate
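Before upgrading to a fixed pf, it helps to know which definitions in an existing pf.conf will trip the 4.3 behaviour Jose and nate describe above. The following is an added example, not code from the thread or from pf: it tokenises macro definitions the way the page's FAQ quote shows them (quoted strings are one token, so "{" and $host1 are single tokens), expands them recursively, and flags any macro that references another macro whose whole value is a bare integer, which is exactly the "192" versus "192.1" difference in the post. The reading of the symptom as the re-lexed value being taken for a number is my interpretation, not a statement from the thread.

```python
import re

# The two pf.conf fragments from the thread, with the quotes pf.conf requires
FAILING_CONF = """\
host1 = "192"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
"""

WORKING_CONF = """\
host1 = "192.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
"""

MACRO_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
# a double-quoted string (group 1) or a bare run of non-blanks (group 2)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_macros(conf):
    """Return {name: [tokens]} for every macro definition, in file order.

    Quoted strings become one token with the quotes removed, so "{" and
    $host1 are both single tokens, much as pf's lexer sees them.
    """
    macros = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = MACRO_DEF.match(line)
        if not m:
            continue                          # a rule, not a definition
        tokens = []
        for t in TOKEN.finditer(m.group(2)):
            tokens.append(t.group(1) if t.group(1) is not None else t.group(2))
        macros[m.group(1)] = tokens
    return macros


def expand(macros, name, _seen=()):
    """Expand $references inside macro `name` textually and recursively."""
    if name in _seen:
        raise ValueError(f"macro {name} is defined in terms of itself")
    out = []
    for tok in macros[name]:
        if tok.startswith("$"):
            out.extend(expand(macros, tok[1:], _seen + (name,)))
        else:
            out.append(tok)
    return out


def numeric_macro_refs(macros):
    """(outer, inner) pairs where `outer` references a macro `inner` whose
    whole value is a bare integer ("192", "123").  These are the definitions
    that produced "syntax error" on 4.3 in the thread; a value with a dot
    ("192.1") was accepted.  My reading: the re-lexed value is taken for a
    number, not a string, and the outer definition no longer parses."""
    bad = []
    for outer, tokens in macros.items():
        for tok in tokens:
            if tok.startswith("$"):
                value = macros.get(tok[1:], [])
                if len(value) == 1 and value[0].isdigit():
                    bad.append((outer, tok[1:]))
    return bad


if __name__ == "__main__":
    for label, conf in (("failing", FAILING_CONF), ("working", WORKING_CONF)):
        m = parse_macros(conf)
        print(label, expand(m, "all_hosts"), numeric_macro_refs(m))
```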




Re: developer laptop choices

2008-06-16 Thread Jose Quinteiro
Super quick and dirty check, and I'd have to get it with Windows Vista
Ultimate.  "Ultimate what?" is the question that comes immediately to
mind.  No thanks.

Personally, I'd buy a Dell Insipidron N-series, purely for political reasons.

Saludos,
Jose.

Lars D. Noodin wrote:
 On Mon, 16 Jun 2008, Michiel van Baak wrote:
 On 09:33, Mon 16 Jun 08, Michael Gale wrote:
 I just picked up an IBM Thinkpad T61p.
 I have the same and really love it.
 
 How were either of you able to get one without the Windows tax?
 EU reports last autumn showed that is about half the cost.
 
 I've had a small handful of ThinkPads but stopped in 2002 when I got stuck
 with a bad unit and burned by a local dealer.  The specs are attractive
 and I figure it is about time to look at them again, but only if they
 are available with an open source system pre-installed. I'm looking at the
 lenovo shop pages and don't see the open source models available.
 
 -Lars
 
 Lars Noodén ([EMAIL PROTECTED])
  Ensure access to your data now and in the future
  http://opendocumentfellowship.org/about_us/contribute



Re: bsdanywhere

2008-06-07 Thread Jose Quinteiro
   5.
  Bowlfish  http://www.kernel-panic.it/software/bowlfish/

Predrag Punosevac wrote:
 Pau wrote:
 a nice thing to test hardware and get dmesg

 http://bsdanywhere.org/

 Of course, I guess that booting the obsd installer cd is much faster
 and you get also dmesg
 but this is an interesting alternative

   
 This is the little bit longer list of distros based on OpenBSD.
 
 Active projects:
 
   1.
  flashdist  http://www.nmedia.net/flashdist/
  http://www.bsd-srbija.org/dokumentacija/doku.php/flashdist
   2.
  MirBSD   http://www.mirbsd.org/main.htm
  http://www.bsd-srbija.org/dokumentacija/doku.php/mirbsd
   3.
  LiveCD http://www.jggimi.homeip.net/
  http://www.jggimi.homeip.net/
   4.
  BSDanywhere http://bsdanywhere.org/
  http://www.bsd-srbija.org/dokumentacija/doku.php/bsdanywhere
 
 Dead or inactive projects:
 
   1.
  Anonym.OS  no web site available anymore
  http://www.bsd-srbija.org/dokumentacija/doku.php/anonym.os
   2.
  CompactBSD  http://compactbsd.sourceforge.net/
  http://www.bsd-srbija.org/dokumentacija/doku.php/compactbsd
   3.
  ekkoBSD http://en.wikipedia.org/wiki/EkkoBSD
  http://www.bsd-srbija.org/dokumentacija/doku.php/ekkobsd
   4.
  EmBSD no web site available anymore
  http://www.bsd-srbija.org/dokumentacija/doku.php/embsd
   5.
  Flashboot http://www.mindrot.org/projects/flashboot/
  http://www.bsd-srbija.org/dokumentacija/doku.php/flashboot
   6.
  MicroBSD http://www.microbsd.net/
  http://www.bsd-srbija.org/dokumentacija/doku.php/microbsd
   7.
  OliveBSD http://g.paderni.free.fr/olivebsd/
  http://www.bsd-srbija.org/dokumentacija/doku.php/olivebsd
   8.
  OpenBSD Live-CD Firewall http://www.alti.at/knowhow/obsdlivecd/fw.php
 
 http://www.bsd-srbija.org/dokumentacija/doku.php/openbsd_live-cd_firewall
   9.
  PsygNAT http://www.feu-nrmf.ph/norbert/projects/psygnat/
  http://www.bsd-srbija.org/dokumentacija/doku.php/psygnat
  10.
  SONaFR http://www.freebsd.nfo.sk/opbsd/openbsdeng.htm
  http://www.bsd-srbija.org/dokumentacija/doku.php/sonafr



Re: Decipering Understanding IP addressing

2008-05-21 Thread Jose Quinteiro
Looks like the exponentiation operator got eaten up somewhere.  2 to the
32nd power (2^32) is 4,294,967,296.  2^3 == 8.

HTH,
Jose.

Kendall Shaw wrote:
 In the networking section of the OpenBSD FAQ it suggests reading
 Understanding IP addressing:
 
 http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf
 
 I'm having a hard time understanding it. In many places they use 2
 numbers, e.g. 2(21) or 232 (4,294,967,296). Can you understand what they
 are saying?
 
 For example, on page 3:
 
 IPv4 defines a 32-bit address which means that there are
 only 232 (4,294,967,296) IPv4 addresses available.
 
 232 what?
 
 On page 11:
 
 The first step in the planning process is to take the maximum number of
 subnets required and round up to the nearest power of two. For example,
 if an organization needs nine subnets, 23 (or 8) will not provide
 enough subnet addressing space, so the network administrator will
 need to round up to 24 (or 16).
 
 23 or 8 what? Bits? What are 23 and 8 alternatives of? 24 or 16 looks
 like alternative prefix lengths for class A or B networks, but I don't
 get 23 or 8.
 
 Kendall
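The two garbled numbers are the same operation: 2^32 is the size of the address space, and the subnet step rounds the required count up to a power of two by borrowing that many bits from the host part. The following is an added example, not from the thread or the 3Com paper, that carries the paper's arithmetic through for the nine-subnet case using Python's ipaddress module; the function names are mine.

```python
import ipaddress

IPV4_BITS = 32


def total_ipv4_addresses():
    """The paper's '232 (4,294,967,296)' is 2^32: one value per 32-bit address."""
    return 2 ** IPV4_BITS


def subnet_bits_needed(num_subnets):
    """Smallest b with 2^b >= num_subnets: the paper's 'round up to the
    nearest power of two'.  Integer arithmetic, so 8 -> 3 exactly and 9 -> 4."""
    if num_subnets < 1:
        raise ValueError("need at least one subnet")
    return (num_subnets - 1).bit_length()


def plan_subnets(network, num_subnets):
    """Borrow host bits from `network` to carve out at least `num_subnets`
    equal subnets; returns the new prefix length and the subnets themselves."""
    net = ipaddress.ip_network(network, strict=True)
    bits = subnet_bits_needed(num_subnets)
    new_prefix = net.prefixlen + bits
    # classic accounting: each subnet still needs a network and a broadcast
    # address plus at least one host, so stop two bits short of the maximum
    if new_prefix > net.max_prefixlen - 2:
        raise ValueError(f"{num_subnets} subnets leave no host space in {net}")
    subnets = list(net.subnets(prefixlen_diff=bits))
    return {
        "borrowed_bits": bits,               # the '2^3' / '2^4' exponent
        "subnets_available": 2 ** bits,      # 8 for three bits, 16 for four
        "new_prefix": new_prefix,
        "hosts_per_subnet": subnets[0].num_addresses - 2,
        "subnets": subnets,
    }


if __name__ == "__main__":
    print(f"IPv4 addresses: {total_ipv4_addresses():,}")
    for wanted in (8, 9):
        plan = plan_subnets("10.0.0.0/8", wanted)
        print(f"{wanted} subnets -> borrow {plan['borrowed_bits']} bits, "
              f"{plan['subnets_available']} x /{plan['new_prefix']}, "
              f"first two: {plan['subnets'][0]}, {plan['subnets'][1]}")
```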



Re: ipsec home network to colo server

2008-05-17 Thread Jose Quinteiro
http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

try

ipsec.conf on fire:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike esp from $fire to $angie local egress \
   srcid fire.sporkton.com dstid angie.sporkton.com



ipsec.conf on angie:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike passive esp from $angie to $fire \
   srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.

Lord Sporkton wrote:
 2008/5/15 Claer [EMAIL PROTECTED]:
 On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:

 2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
 2008/5/14 scott learmonth [EMAIL PROTECTED]:
 On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
 wrote:
  I am trying to set up an ipsec link between my home network (private IP
  network behind dynamic public IP) and my colo server (single public
  static IP). I was a bit unclear on how to set up a tunnel between a
  static and a dynamic IP.

  interesting traffic:
  208.70.72.13 - 10.0.0.0/16


  My SAD seems to set up OK, however afterward I get no flows and cannot
  pass data; I've checked out logs and ipsecctl -m, but see nothing of use.

  Below is data I believe relevant; if anything else is requested I will
  do my best to post it back in a timely fashion.
  thank you


  colo server:

  # uname -a
  OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
  # cat /etc/ipsec.conf

  ike passive from 208.70.72.13 to 10.0.0.0/16 \
 aggressive auth hmac-sha1 enc 3des group modp1024   \
 quick auth hmac-sha1 enc 3des \
 srcid angie.sporkton.com dstid fire.sporkton.com \
 psk "password"
  # ipsecctl -sa
  FLOWS:
  No flows

  SAD:
  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
  hmac-sha1 enc 3des-cbc
  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
  hmac-sha1 enc 3des-cbc
  #

  ipsecctl -m output:

  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
 address_src: 67.159.171.204
 address_dst: 208.70.72.13
 spirange: min 0x0100 max 0x
  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
 sa: spi 0x581ea1f0 auth none enc none
 state mature replay 0 flags 0
 address_src: 67.159.171.204
 address_dst: 208.70.72.13
  sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
 sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
 state mature replay 16 flags 4
 lifetime_hard: alloc 0 bytes 0 add 1200 first 0
 lifetime_soft: alloc 0 bytes 0 add 1080 first 0
 address_src: 208.70.72.13
 address_dst: 67.159.171.204
 key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
 key_encrypt: bits 192:
 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
 identity_src: type fqdn id 0: angie.sporkton.com
 identity_dst: type fqdn id 0: fire.sporkton.com
 src_mask: 255.255.255.255
 dst_mask: 255.255.0.0
 protocol: proto 0 flags 0
 flow_type: type unknown direction out
 src_flow: 208.70.72.13
 dst_flow: 10.0.0.0
  sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
 sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
 state mature replay 16 flags 4
 lifetime_hard: alloc 0 bytes 0 add 1200 first 0
 lifetime_soft: alloc 0 bytes 0 add 1080 first 0
 address_src: 208.70.72.13
 address_dst: 67.159.171.204
 identity_src: type fqdn id 0: angie.sporkton.com
 identity_dst: type fqdn id 0: fire.sporkton.com
 src_mask: 255.255.255.255
 dst_mask: 255.255.0.0
 protocol: proto 0 flags 0
 flow_type: type unknown direction out
 src_flow: 208.70.72.13
 dst_flow: 10.0.0.0
  sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
 sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
 state mature replay 16 flags 4
 lifetime_hard: alloc 0 bytes 0 add 1200 first 0
 lifetime_soft: alloc 0 bytes 0 add 1080 first 0
 address_src: 67.159.171.204
 address_dst: 208.70.72.13
 key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
 key_encrypt: bits 192:
 496cd320b35638d36dd8f899b8ce76c150840092db466715
 identity_src: type fqdn id 0: fire.sporkton.com
 identity_dst: type fqdn id 0: angie.sporkton.com
 src_mask: 255.255.0.0
 dst_mask: 255.255.255.255
 protocol: proto 0 flags 0
 flow_type: type unknown direction in
 src_flow: 10.0.0.0
 dst_flow: 208.70.72.13
  sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
 sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
 state mature replay 16 flags 4
 lifetime_hard: alloc 0 bytes 0 add 1200 first 0
 lifetime_soft: alloc 0 bytes 0 add 1080 first 0
 address_src: 67.159.171.204
 address_dst: 208.70.72.13
 identity_src: type fqdn id 0: fire.sporkton.com
 identity_dst: type fqdn 

Re: ipsec home network to colo server

2008-05-17 Thread Jose Quinteiro
No, egress is an interface group.  Man ifconfig.  You have to use that
'cause your outgoing (egress) IP address changes.  The pf-style (eth0)
syntax, where eth0 is your outside interface, may work too.  Try it and see.


Saludos,
Jose.

Lord Sporkton wrote:

So egress being something very much like any then?

2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:

http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

try

ipsec.conf on fire:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike esp from $fire to $angie local egress \
  srcid fire.sporkton.com dstid angie.sporkton.com



ipsec.conf on angie:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike passive esp from $angie to $fire \
  srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.


CARP traffic goes over the ipsec tunnel when it's not supposed to

2008-04-28 Thread Jose Quinteiro
I have two firewalls running OpenBSD 4.2 x86.  I've set up an ipsec tunnel
using ipsec.conf.  These machines also serve up a shared ip address using a
carp interface.  Here's hostname.carp1 on machine1:

inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ...

And on machine2:

inet 10.40.31.225 255.255.255.224 10.40.31.255 carpdev vr1 vhid 2 pass ... 
advskew 100


And ipsec.conf on both machines:

local_ip = a.a.a.a
peer_ip = b.b.b.b
local_net = 10.40.31.224/27

ike esp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish

flow esp from $local_net to $local_net type bypass


Everything worked great until isakmpd brought up the ipsec tunnel.  Both
firewalls showed MASTER for the carp interface, and pretty much nothing
worked over the internal net.  Using tcpdump on the enc0 interface at the
far end of the tunnel I determined that all the carp traffic was getting
sent over the tunnel.  Also, the backup firewall was inexplicably
advertising about ten times as often as the master, despite the higher
advskew.  I thought this would fix it:

flow esp proto carp from any to any type bypass

But it had no effect.  After some trial and error, I found that the solution
was to only allow some protocols through the tunnel:

ike esp proto icmp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish

ike esp proto tcp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish

ike esp proto udp from $local_net to any local $local_ip peer $peer_ip \
quick enc blowfish


Now everything seems to work, though the icmp flow doesn't come up sometimes,
for some reason.  Unfortunately, this syntax is not correct:

ike esp proto { tcp udp icmp } from $local_net to any local $local_ip peer 
$peer_ip \
quick enc blowfish

This would clean up my file quite a bit.  Why doesn't "flow esp proto carp
from any to any type bypass" work?



Thanks,
Jose.
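The post's finding is that an ike rule with destination "any" and no proto clause also carries the CARP advertisements into the tunnel, and that splitting it per protocol avoids that. The following is an added example, not from the post or from ipsecctl: a small reader for ipsec.conf (continuation lines, macros, and the from/to/proto/type fields of ike and flow rules, not the full grammar) that reports such rules and rewrites one into the per-protocol form the post settled on. The sample configs are the post's; the note that CARP advertisements are IP protocol 112 to 224.0.0.18, and all function names, are mine.

```python
import re

# CARP advertisements are IP protocol 112 sent to the multicast group
# 224.0.0.18, which a destination of "any" covers (my note, not the post's)
CARP_PROTO, CARP_GROUP = 112, "224.0.0.18"

# ipsec.conf as first posted: one broad ike rule plus the local bypass flow
BROAD = """\
local_ip = a.a.a.a
peer_ip = b.b.b.b
local_net = 10.40.31.224/27

ike esp from $local_net to any local $local_ip peer $peer_ip \\
    quick enc blowfish

flow esp from $local_net to $local_net type bypass
"""


def logical_lines(conf):
    """Join backslash continuations and drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", conf).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ipsec_conf(conf):
    """Expand macros and return ike/flow rules as dicts with src, dst,
    proto and type (None when the rule does not set them)."""
    macros, rules = {}, []
    keys = {"from": "src", "to": "dst", "proto": "proto", "type": "type"}
    for line in logical_lines(conf):
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(\S+)$", line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        tok = line.split()
        if tok[0] not in ("ike", "flow"):
            continue
        rule = {"kind": tok[0], "src": None, "dst": None, "proto": None,
                "type": None, "text": " ".join(tok)}
        for i, t in enumerate(tok[:-1]):
            if t in keys:
                rule[keys[t]] = tok[i + 1]
        rules.append(rule)
    return rules


def carp_exposed_rules(rules):
    """ike rules that would also pull CARP advertisements into the tunnel:
    destination 'any' with no proto restriction, as in the post."""
    return [r for r in rules
            if r["kind"] == "ike" and r["dst"] == "any" and r["proto"] is None]


def narrowed_rules(rule, protos=("tcp", "udp", "icmp")):
    """Rewrite one broad rule as one rule per protocol, the form the post
    found to work ('proto { ... }' in a single rule was rejected)."""
    tok = rule["text"].split()
    i = tok.index("from")
    return [" ".join(tok[:i] + ["proto", p] + tok[i:]) for p in protos]


if __name__ == "__main__":
    for r in carp_exposed_rules(parse_ipsec_conf(BROAD)):
        print("would carry CARP (proto %d to %s):" % (CARP_PROTO, CARP_GROUP))
        print("   ", r["text"])
        print("replace with:")
        for line in narrowed_rules(r):
            print("   ", line)
```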