Re: issues with PHP and cURL curl_exec() function within OpenBSD chroot

2007-03-21 Thread Matthew Closson

Kevin,

I ran into this issue setting up zencart on OpenBSD.  My guess is you need 
to copy /etc/resolv.conf to /var/www/etc/resolv.conf.


You can verify that by chroot'ing yourself manually into /var/www and 
trying to curl something.


Good luck!

-Matt-

On Tue, 20 Mar 2007, Kevin wrote:


Hello all,

We're having issues with php 5.1.6 and cURL within OpenBSD's (v4.0)
jail. Hopefully, someone knows how to solve this.

We're using PHP's built-in cURL function, curl_exec(), to connect to
remote servers (both HTTP and HTTPS). We then send an HTTP POST
request (or GET--it doesn't matter) expecting to get data back from
the other end. Unfortunately, the response is empty where we should
get the HTML output of the remote server.

Outside of the OBSD chroot it works fine; in the chroot there's no
output, yet it doesn't report an error--either to the browser or to
the apache logs. In the less-than-believable but completely true words
of the poor guy testing this part of our software, "It just didn't
work. Nothing."

As for the kernel itself, we're running OpenBSD 4.0-stable.

Lastly, at the suggestion of one person, we tried (to no avail)
altering our php.ini to have: allow_url_fopen = On

Anyone got any ideas on this? (Clue sticks welcome.)

As always, thanks much, folks.
Kevin



--
http://www.ebiinc.com :
Background Screening for Employers from EBI
Professional background checks... anywhere.
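Matt's suggestion above, turned into a checklist script. This is an added example, not code from the thread: it audits a chroot for the files a resolver (and a TLS client such as curl) expects to find, copies the resolver configuration in, and shows the manual in-jail curl test. The paths are assumptions modelled on OpenBSD's /var/www chroot; the chroot/curl invocation is printed as a comment and not executed here.

```sh
#!/bin/sh
# Added example (not from the original thread). Audit a chroot for the
# files libc's resolver and curl need, then copy resolv.conf in.

# chroot_missing_files ROOT PATH...: print every PATH missing under ROOT.
# Returns 0 if all are present, 1 otherwise.
chroot_missing_files() {
    root=$1
    shift
    missing=0
    for f in "$@"; do
        if [ ! -e "$root$f" ]; then
            echo "missing: $root$f"
            missing=1
        fi
    done
    return $missing
}

# sync_resolver_into_chroot ROOT: copy the host's resolver files into ROOT.
# Only files that exist on the host are copied (assumed set: resolv.conf, hosts).
sync_resolver_into_chroot() {
    root=$1
    mkdir -p "$root/etc"
    for f in /etc/resolv.conf /etc/hosts; do
        if [ -f "$f" ]; then
            cp "$f" "$root$f"
        fi
    done
}

# Typical run as root on the web server (not executed in this example):
#   chroot_missing_files /var/www /etc/resolv.conf /etc/hosts /etc/ssl/cert.pem
#   sync_resolver_into_chroot /var/www
#   chroot /var/www /bin/sh -c 'curl -sS -o /dev/null -w "%{http_code}\n" http://www.openbsd.org/'
# An empty body with no error from PHP, but a resolver error from curl run
# inside the jail, points at the missing /var/www/etc/resolv.conf.
```

Note that /etc/ssl/cert.pem is only needed for HTTPS targets; if the HTTP case works once resolv.conf is in place but HTTPS still returns nothing, the CA bundle is the next file to copy into the jail.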




Re: missing isakmpd.fifo

2007-02-17 Thread Matthew Closson

Hello,

I am experiencing the same problem.  I am testing it to see if I can find 
what is causing it.  I am running OpenBSD 4.0-stable and I went to add a 
new tunnel today and was greeted with a message that the isakmpd.fifo did not 
exist.  I have isakmpd enabled in /etc/rc.conf with flags -K.  Even though 
I do not specify a location on the command line of isakmpd for the fifo to 
occur, it does exist in fact when the process is launched and sometime 
later dies off.  This is what I found today:


# echo ike esp from 172.31.33.0/24 to 10.9.9.0/24 peer aaa.bbb.ccc.ddd psk 
 | ipsecctl -f -
ipsecctl: ike_ipsec_establish: open(/var/run/isakmpd.fifo): No such file 
or directory


Whereas before the exact same command has worked fine.

Thanks,

-Matt-

On Wed, 7 Feb 2007, Dag Richards wrote:


Toni Mueller wrote:

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards 
[EMAIL PROTECTED] wrote:
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 
The fifo was recreated, I could use it to control isakmpd. OK.


Today I look for isakmpd.fifo, it has disappeared again.


and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?


please check again using -i in order to find out whether you have
enough disk space.


Best,
--Toni++



hsdcert0:root:/root #df -i 
Filesystem  1K-blocks     Used     Avail Capacity  iused    ifree  %iused  Mounted on
/dev/sd0a     4126462    35180   3884960     1%     2204   533602     0%   /
/dev/sd0e     1030302        4    978744     0%       16   144238     0%   /home
/dev/sd0d     1030302        2    978786     0%        1   144253     0%   /tmp
/dev/sd0f    10318830   391228   9411662     4%    13887  1305023     1%   /usr
/dev/sd0g    16423486  1080606  14521706     7%     3564  2077842     0%   /var



Nope plenty inodes too.




Re: missing isakmpd.fifo

2007-02-17 Thread Matthew Closson
Anyone know if there would be a negative effect on isakmpd if the 
immutable flag was set on the file /var/run/isakmpd.fifo ?



On Sat, 17 Feb 2007, Matthew Closson wrote:


Hello,

I am experiencing the same problem.  I am testing it to see if I can find 
what is causing it.  I am running OpenBSD 4.0-stable and I went to add a new 
tunnel today and was greeted with a message that the isakmpd.fifo did not exist. 
I have isakmpd enabled in /etc/rc.conf with flags -K.  Even though I do not 
specify a location on the command line of isakmpd for the fifo to occur, it 
does exist in fact when the process is launched and sometime later dies off. 
This is what I found today:


# echo ike esp from 172.31.33.0/24 to 10.9.9.0/24 peer aaa.bbb.ccc.ddd psk 
 | ipsecctl -f -
ipsecctl: ike_ipsec_establish: open(/var/run/isakmpd.fifo): No such file or 
directory


Whereas before the exact same command has worked fine.

Thanks,

-Matt-

On Wed, 7 Feb 2007, Dag Richards wrote:


Toni Mueller wrote:

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards 
[EMAIL PROTECTED] wrote:
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 
The fifo was recreated, I could use it to control isakmpd. OK.


Today I look for isakmpd.fifo, it has disappeared again.


and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?


please check again using -i in order to find out whether you have
enough disk space.


Best,
--Toni++



hsdcert0:root:/root #df -i 
Filesystem  1K-blocks     Used     Avail Capacity  iused    ifree  %iused  Mounted on
/dev/sd0a     4126462    35180   3884960     1%     2204   533602     0%   /
/dev/sd0e     1030302        4    978744     0%       16   144238     0%   /home
/dev/sd0d     1030302        2    978786     0%        1   144253     0%   /tmp
/dev/sd0f    10318830   391228   9411662     4%    13887  1305023     1%   /usr
/dev/sd0g    16423486  1080606  14521706     7%     3564  2077842     0%   /var



Nope plenty inodes too.




Re: packages

2006-11-15 Thread Matthew Closson

On Wed, 15 Nov 2006, Darrin Chandler wrote:


On Wed, Nov 15, 2006 at 08:24:16AM -0500, Marc Ravensbergen wrote:

Hi, is there any way I can find out the entire list of files (and
dependencies) needed before installing a given package? Let's say I
want to add wget to openbsd. I export the PKG_PATH to the
appropriate mirror, then type pkg_add wget. This will do the
installation of wget and all dependencies, but I would like to know
before the actual installation what files are needed (if possible of
course).

My reason for this is so that I can generate a complete list of files
needed to download for a given program, run over to a computer with
high speed, download, run back to my computer, dump the files in the
correct directory (/var/db/pkg) and then install the package.

In this case, wget is very small, but what about Gnome, KDE...

I am thinking of the feature in Synaptic that lets you generate an
installation script; all the files and dependencies needed for a
given package are then saved to a text file as a script.

If this is possible, can somebody let me know?
Thanks,
Marc


There are probably other ways to do this, but the first thing that comes
to mind is to run pkg_add -nv package which will give you a list of
dependencies. Recurse until done, checking the dependencies so far to
avoid infinite recursion and excessive work.

--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


I agree pkg_add -nv will give you what you want.  Unfortunately for Marc 
however I do not believe it will do it quickly on a dialup line.  In order 
for pkg_add to determine the dependencies it must download and decompress 
the packages to get to the files which specify dependencies.  It may be 
better to get ports.tar.gz and use that framework to determine which 
packages are dependent.  Although I don't have a good script to traverse 
it right off hand.  Here is an example output of doing a pkg_add -nv 
kdebase:


# pkg_add -nv kdebase
Error from ftp://ftp.openbsd.org/pub/OpenBSD/4.0/packages/i386/:
Unknown command.
parsing kdebase-3.5.4
Dependencies for kdebase-3.5.4 resolve to: glib2-2.10.3, qt3-mt-3.5p8, 
libusb-0.1.10ap1, openldap-client-2.3.24, kdelibs-3.5.4, cyrus-sasl-2.1.21p2 
(todo: glib2-2.10.3,libusb-0.1.10ap1,kdelibs-3.5.4,qt3-mt-3.5p8,qt3-mt-3.5p8)
kdebase-3.5.4:parsing glib2-2.10.3
Dependencies for glib2-2.10.3 resolve to: gettext-0.14.5p1, libiconv-1.9.2p3
Pretending to add kdebase-3.5.4:glib2-2.10.3
kdebase-3.5.4:parsing libusb-0.1.10ap1
Pretending to add kdebase-3.5.4:libusb-0.1.10ap1
kdebase-3.5.4:parsing kdelibs-3.5.4
Dependencies for kdelibs-3.5.4 resolve to: arts-1.5.4, OpenEXR-1.2.2p2, 
libart-2.3.17, hicolor-icon-theme-0.5p0, jasper-1.701.0p1, libidn-0.6.1, 
tiff-3.8.2p0, bzip2-1.0.3, qt3-mt-3.5p8, pcre-6.4p1, aspell-0.50.5p4, 
libxslt-1.1.17 (todo: 
libidn-0.6.1,jasper-1.701.0p1,libart-2.3.17,OpenEXR-1.2.2p2,tiff-3.8.2p0,aspell-0.50.5p4,hicolor-icon-theme-0.5p0,arts-1.5.4,qt3-mt-3.5p8,qt3-mt-3.5p8)
kdebase-3.5.4:parsing libidn-0.6.1
Dependencies for libidn-0.6.1 resolve to: gettext-0.14.5p1, libiconv-1.9.2p3
Pretending to add kdebase-3.5.4:libidn-0.6.1
kdebase-3.5.4:parsing jasper-1.701.0p1
Pretending to add kdebase-3.5.4:jasper-1.701.0p1
kdebase-3.5.4:parsing libart-2.3.17
Pretending to add kdebase-3.5.4:libart-2.3.17
kdebase-3.5.4:parsing OpenEXR-1.2.2p2
Pretending to add kdebase-3.5.4:OpenEXR-1.2.2p2
kdebase-3.5.4:parsing tiff-3.8.2p0
Dependencies for tiff-3.8.2p0 resolve to: jpeg-6bp3
Pretending to add kdebase-3.5.4:tiff-3.8.2p0
kdebase-3.5.4:parsing aspell-0.50.5p4
Pretending to add kdebase-3.5.4:aspell-0.50.5p4
kdebase-3.5.4:parsing hicolor-icon-theme-0.5p0
Pretending to add kdebase-3.5.4:hicolor-icon-theme-0.5p0
kdebase-3.5.4:parsing arts-1.5.4
Dependencies for arts-1.5.4 resolve to: glib2-2.10.3, qt3-mt-3.5p8, 
libaudiofile-0.2.6p0, libvorbis-1.1.2p0, libmad-0.15.1bp1, esound-0.2.34p0, 
libogg-1.1.3 (todo: 
esound-0.2.34p0,libmad-0.15.1bp1,libogg-1.1.3,libvorbis-1.1.2p0,libaudiofile-0.2.6p0,qt3-mt-3.5p8,qt3-mt-3.5p8)
kdebase-3.5.4:parsing esound-0.2.34p0
Dependencies for esound-0.2.34p0 resolve to: libaudiofile-0.2.6p0 (todo: 
libaudiofile-0.2.6p0)
kdebase-3.5.4:parsing libaudiofile-0.2.6p0
Pretending to add kdebase-3.5.4:libaudiofile-0.2.6p0
Pretending to add kdebase-3.5.4:esound-0.2.34p0
The file /etc/esd.conf would be installed from 
/usr/local/share/examples/esound/esd.conf
kdebase-3.5.4:parsing libmad-0.15.1bp1
Pretending to add kdebase-3.5.4:libmad-0.15.1bp1
kdebase-3.5.4:parsing libogg-1.1.3
Pretending to add kdebase-3.5.4:libogg-1.1.3
kdebase-3.5.4:parsing libvorbis-1.1.2p0
Dependencies for libvorbis-1.1.2p0 resolve to: libogg-1.1.3
Pretending to add kdebase-3.5.4:libvorbis-1.1.2p0
kdebase-3.5.4:parsing qt3-mt-3.5p8
Dependencies for qt3-mt-3.5p8 resolve to: libmng-1.0.9p1, png-1.2.12 (todo: 
libmng-1.0.9p1)
kdebase-3.5.4:parsing libmng-1.0.9p1
Dependencies for libmng-1.0.9p1 resolve to: lcms-1.15, 
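Darrin's "recurse until done, tracking what you have seen" and Matt's point that one pkg_add -nv run already prints the resolved dependency lines can be combined into a small script. The following is an added example, not code from the thread or from OpenBSD's pkg tools: it parses the "Dependencies for X resolve to:" lines of a saved pkg_add -nv run into a graph, walks it depth-first with a seen set (so a cycle or a shared dependency such as qt3-mt is visited once), and emits the list of .tgz files to fetch on the fast machine, minus what is already under /var/db/pkg. The sample output is constructed and abridged in the style of Matt's paste; the version strings are illustrative.

```python
import re

# Constructed, abridged pkg_add -nv output in the style shown in the thread
# (not a real dependency tree; saved from one run on the slow machine).
SAMPLE_PKG_ADD_NV = """\
parsing kdebase-3.5.4
Dependencies for kdebase-3.5.4 resolve to: glib2-2.10.3, qt3-mt-3.5p8, kdelibs-3.5.4
kdebase-3.5.4:parsing glib2-2.10.3
Dependencies for glib2-2.10.3 resolve to: gettext-0.14.5p1, libiconv-1.9.2p3
Pretending to add kdebase-3.5.4:glib2-2.10.3
kdebase-3.5.4:parsing kdelibs-3.5.4
Dependencies for kdelibs-3.5.4 resolve to: arts-1.5.4, qt3-mt-3.5p8
kdebase-3.5.4:parsing arts-1.5.4
Dependencies for arts-1.5.4 resolve to: glib2-2.10.3, qt3-mt-3.5p8
kdebase-3.5.4:parsing qt3-mt-3.5p8
Dependencies for qt3-mt-3.5p8 resolve to: libmng-1.0.9p1, png-1.2.12 (todo: libmng-1.0.9p1)
"""

DEP_LINE = re.compile(r"^Dependencies for (\S+) resolve to: (.*)$")


def parse_dep_graph(text):
    """Map each package name to the list of packages it depends on."""
    graph = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        pkg, deps = m.group(1), m.group(2)
        deps = deps.split("(todo:")[0]          # drop pkg_add's bookkeeping
        graph[pkg] = [d.strip() for d in deps.split(",") if d.strip()]
    return graph


def install_order(graph, root):
    """Depth-first post-order: dependencies before dependents, each once.
    `seen` avoids repeated work; `path` breaks cycles, so this terminates
    even on a malformed graph."""
    order, seen = [], set()

    def visit(pkg, path):
        if pkg in seen or pkg in path:
            return
        for dep in graph.get(pkg, []):
            visit(dep, path | {pkg})
        seen.add(pkg)
        order.append(pkg)

    visit(root, frozenset())
    return order


def to_download(order, installed, suffix=".tgz"):
    """Tarballs still needed, given the names already in /var/db/pkg."""
    return [p + suffix for p in order if p not in installed]


if __name__ == "__main__":
    g = parse_dep_graph(SAMPLE_PKG_ADD_NV)
    for name in to_download(install_order(g, "kdebase-3.5.4"), {"png-1.2.12"}):
        print(name)
```

Save the pkg_add -nv output to a file on the slow machine, run the script against it, and feed the printed list to ftp on the fast one; the order printed is also a valid order to pkg_add the files from a local PKG_PATH.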

Re: % stdout?

2006-11-09 Thread Matthew Closson

On Thu, 9 Nov 2006, Cassio B. Caporal wrote:


Hey,

I have problems to print '%' in stdout... Suppose code below:

#include <stdio.h>

int main(void) {
  char foo[] = "bar=30%\n";
  fprintf(stdout, foo);   /* data used as the format string: "%\n" is parsed as a conversion */
  return 0;
}

OpenBSD returns : bar=30
Linux returns   : bar=30%

How can I solve this? Thanks,


Use the format specifier with fprintf:

#include <stdio.h>

int main(void)
{
  char foo[] = "bar=30%\n";
  fprintf(stdout, "%s", foo);
  return 0;
}

cc test.c
./a.out
bar=30%


-Matt-
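The reason the '%' vanished is the security-relevant part of this exchange: fprintf(stdout, foo) hands a data string to printf as its format, so "%\n" is parsed as a conversion specification and the result is undefined behaviour (OpenBSD's libc dropped it, glibc happened to print it). Had foo come from a user, "%s", "%x" or "%n" would read or write memory. The following is an added example, not code from the thread: the safe pattern Matt gives, a helper that counts how many conversions an attacker would get from a given string, and an escaping routine for the case where data genuinely has to end up inside a format later.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not code from the thread). Three ways of dealing with a
 * string that contains '%' and did not come from a string literal.
 */

/* Safe: the format is a literal, the data is an argument. */
int render_as_data(char *out, size_t outsz, const char *s)
{
    return snprintf(out, outsz, "%s", s);
}

/* How many conversions would an attacker get if `s` were used as a format?
 * "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal, skip both characters */
            s++;
            continue;
        }
        n++;                    /* "%\n", "%s", "%n", ... */
    }
    return n;
}

/* When a data string must later be embedded in a format (a log prefix glued
 * to a real format, say), neutralise it by doubling every '%'.
 * Returns bytes written (excluding the NUL), or -1 if `out` is too small. */
int format_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outsz)  /* leave room for the terminator */
            return -1;
        if (*p == '%')
            out[o++] = '%';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

/* Exercise the three functions on the thread's string; 0 means all good. */
int self_check(void)
{
    char buf[32], esc[32], small[8];

    if (render_as_data(buf, sizeof buf, "bar=30%\n") != 8)        return 1;
    if (strcmp(buf, "bar=30%\n") != 0)                            return 2;
    if (count_conversions("bar=30%\n") != 1)                      return 3;
    if (format_escape("bar=30%\n", esc, sizeof esc) != 9)         return 4;
    if (strcmp(esc, "bar=30%%\n") != 0)                           return 5;
    if (count_conversions(esc) != 0)                              return 6;
    if (format_escape("bar=30%\n", small, sizeof small) != -1)    return 7;
    return 0;
}

int main(void)
{
    char buf[32];
    render_as_data(buf, sizeof buf, "bar=30%\n");
    fputs(buf, stdout);                 /* bar=30% */
    printf("self_check: %d\n", self_check());
    return self_check();
}
```

Compile with -Wformat -Wformat-security: both gcc and clang flag fprintf(stdout, foo) as a non-literal format with no arguments, which is exactly the class of bug this thread stumbled over.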



Re: Question about the book Secure architecture with OpenBSD

2006-10-15 Thread Matthew Closson

On Sun, 15 Oct 2006, Jean-Daniel Beaubien wrote:


Hi everyone,

I was just about to order the 4.0 CDs and I figured I'd get a book along with 
it.  I was thinking on getting 'Secure architecture with OpenBSD'. 
My question is since it was written in 2004 is it still up-to-date? Also is 
there a 2nd edition in the works?


Thank you for your time,

Jd


I think you will find that the vast majority of the information is still 
relevant and up to date.  One area that has seen a lot of enhancement is 
in the IPSEC configuration.  This area has been simplified quite a bit. 
Aside from that most everything else is the same and I would definitely 
recommend it as a good book to purchase.


-Matt-



Re: Soekris network problems - 48 hour deadline

2006-10-14 Thread Matthew Closson

On Sat, 14 Oct 2006, Richard P. Koett wrote:


I'm having throughput problems using a Soekris net4801 as a firewall
running OpenBSD 3.9. This is replacing a SonicWALL device that was
working fine from the user's perspective. (I want to replace it because,
among other things, I abhor SonicWALL's licensing). I won't post a
dmesg unless requested because I think this platform is pretty well
known. Hosts on the internal network are able to access the Internet
but report that access seems slow. Some operations fail consistently.
For example, users can send and receive e-mails but can't send
e-mail with attachments larger than about 20K. I ran a browser-based
ADSL speed test from an internal host and found download speeds to
be quite good but upload tests fail to complete.

I found a few similar problems in the archives but the posted solutions
haven't worked for me. I can't see that pf is blocking anything I want
passed. At the moment I am running a stripped down pf.conf as follows:

# DECLARATIONS:
Ext_If=sis0
Int_If=sis1
DMZ_If=sis2
Int_Net=192.168.5.0/24

# OPTIONS:
set loginterface $Ext_If

# NAT / REDIRECTION:
nat on $Ext_If from $Int_Net to any -> ($Ext_If)
rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
   -> 192.168.5.1 port 3391
rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
   -> 192.168.5.2 port 3392

I think I can rule out things like speed and duplex problems between the
Soekris and the local switch because the problem only affects outbound
traffic. I tried a few scrub options to no avail but may not have been doing
the right thing. I would really appreciate any suggestions on how to
troubleshoot this. If I can't get this resolved by Monday morning I'm going
to take some heat.

Thanks,
RPK.


What kind of link is sis0 on?  Do you know what your interface MTU was set 
to on the SonicWall?


-Matt-



Re: Oldest Server you run

2006-10-12 Thread Matthew Closson

On Fri, 13 Oct 2006, Jason George wrote:


I can't believe people with PIIs and PIIIs even responded to this
thread, however.  You GOT to be kidding me...That ain't old.  That's
almost as new as I get!


Exactly.


Today on my way to work I found a Pentium 100mhz, 48MB EDO, 480MB hdd in a 
ditch on the side of the road.  Naturally being curious I picked it up, 
installed 2 PCI NIC's and installed a snapshot.  It runs great aside from 
being a little short on disk space.  In short garbage + OpenBSD = new 
firewall.  Thanks OpenBSD!


-Matt-



Re: OPENBSD isakmpd VPN Problems

2006-08-10 Thread Matthew Closson

On Thu, 10 Aug 2006, Steve Glaus wrote:


Daniel Ouellet wrote:

Steve Glaus wrote:

Hello all,

I'm finally desperate enough to post this to a list...

I have been trying for two days to set up a basic VPN between my OpenBSD 
box at home and my OpenBSD box at work.

The box at home is running 3.7 and the box here at work is running 3.9.


May be worth to have 3.9 both place.

Here is something that might help:

http://www.securityfocus.com/infocus/1859

Also may be good to read:

http://www.undeadly.org/cgi?action=article&sid=2006062116

and this specially:

http://www.undeadly.org/cgi?action=article&sid=20060606210130

man 8 ipsecctl

man 8 isakmpd

man 5 isakmpd.conf

So many changes happened in the last few months and many things have been 
replaced that I think trying to setup a VPN using what we may call the old 
way is a waste of time.


I have seen many articles and examples in the last few months explaining 
all the great changes to this that I would say trying to use 3.7 for this 
is wrong. But I may be wrong for sure. It's just based on what was posted 
in the lately really.


I am not 100% sure, but I think even some of the best changes are in 
current that make the setup very simple now based on articles on 
undeadly.org about the subject.


Just a thought.

Hope this help you some.



Hello again,

Thanks for your help earlier. I haven't really had time to look at this 
problem in the last few weeks.


I've started trying to use ipsecctl on my 3.9 box to connect to the actual 
service we will be using this for and I've made SOME progress so thank you 
for steering me in the right direction.


Now,

Whenever I try to connect to one of our cheesy little VPN routers (DLINK 
DFL-300's) using ipsectl it works perfectly. The tunnel comes up everything 
looks beautiful.


But I can't stop there I'm afraid (though GOD I wish I could)


I'm trying to connect to a sonicwall 4060  VPN that our software vendor uses. 
When I try to do this using the same setup (with the appropriate changes 
made) I get NO_PROPOSAL_CHOSEN messages.


One glaring difference that I can see is that when I connect to the DLINK I 
use a passive connection and isakpmd sits and listens for incoming 
connections. Could this be a lifetime issue? Tech support at the other end 
said this is possible. How do you set the lifetime using ipsecctl (I've read 
that this is only possible with -current)


Another item - IS PFS disabled or enabled by default when one uses ipsecctl? 
Can this be set?


Looking at my logs I'm pretty sure that it's making it through phase1. Our 
vendors phase1 and phase2 use identical encryption/authorization so I don't 
quite understand why I would be getting NO_PROPOSALS for only phase2. The 
lifetimes for both phases are also identical on the vendors end.



This is the relevant configuration info:

ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main auth 
hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk XX


The debug outpout can be found here:

http://ww2.bartowpc.com:8080/isakmpd_out


I really don't know where to go from here. I've invested hours & hours into 
this and we've (foolishly?) commited to this direction.



Thanks for any  help anyone can give.


Ask the SonicWall 4060 admin how he/she is defining their network objects. 
You have specified 172.28.128.0/21.  On SonicOS Enhanced you can define 
address objects as Single Host, Network, or Address Range.  I think 
they want to use Network, and specify the netmask rather than address 
range; that could be an issue.  SonicOS also uses 28800/28800 SA 
lifetimes as opposed to 86400/28800.


Good luck!  I've connected to a 4060 multiple times before but not using 
the new ipsecctl syntax, I used the old isakmpd.conf syntax.  Later,


-Matt-



Re: IPSec traffic stalls with large chunks of data

2006-07-25 Thread Matthew Closson

On Tue, 25 Jul 2006, Heinrich Rebehn wrote:


Matthew Closson wrote:

On Mon, 24 Jul 2006, Heinrich Rebehn wrote:


Hi list,

I am running into a strange problem with IPSec, MTU? fragmentation? which 
i am unable to resolve.


My Setup:

@home i have one PC which connects to our institute network with IPSec. 
The PC connects to the internet via a DSL modem using Linux/PPPoE or 
Windows XP/SP2. This has been running fine for years now.


Last week i bought a Netgear WTG624V3 WLAN router in order to allow our 
notebook to connect to the internet too.


This router is now connected between the PC and the DSL modem and does 
the job of bringing up the internet connection with PPPoE.


IPSec from my PC still works, but the symptoms are as follows:

- The tunnel is brought up and i can use it to ssh to our institute's 
firewall/ipsec gateway. On the gateway (OpenBSD 3.8), i can work in the 
shell as long as i want, but as soon as i do a ls -lR / or something 
else that produces large output, the connection is stalled.
However,the tunnel is still usable, i can do a 2nd ssh and continue 
working.

This leads me to the conclusion that it cannot be a rekeying issue.
Under the second login, i can see both connections:

[EMAIL PROTECTED] [~]# netstat -anptcp | grep 192.168.1.2
tcp0 48  134.102.176.250.22 192.168.1.2.40010 ESTABLISHED
tcp0  16304  134.102.176.250.22 192.168.1.2.40009 ESTABLISHED

All MTUs (PC, WLAN router, firewall) are set to 1500.

I played with max-mss in pf.conf, as was suggested on the misc@ ML:

scrub in on enc0 all max-mss 1318

but it did not help.

Parallel to the ls -lR / mentioned above, i did a tcpdump on the 
firewall's external if, which can be found at:


http://www.ant.uni-bremen.de/~rebehn/vlan1.dump

The dump shows that fragmentation does occur.

The same symptom can also be observed when connecting to our www server 
behind the firewall, very small pages are displayed, bigger ones get 
stalled.



Can anyone help me on this? I am not familiar with the internals of 
TCP/IP, especially MTUs and fragmentation.


If you need isakmpd.conf, pf.conf or anything else, please let me know.

Thanks for any help,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341




http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html



Thanks to all who replied, but i am still having the problem. While i will 
be looking at the MTU's on the path, can someone help me understand what 
what's up in the above mentioned dump at 
http://www.ant.uni-bremen.de/~rebehn/vlan1.dump ?


134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4 
unreachable


What does protocol 4 unreachable mean? According to /etc/protocols, 4 is 
IP encapsulated in IP (officially ``IP'') ???


As one can see at the end of the dump, fragmentation does occur. Is this 
absolutely lethal for IPSec?


--Heinrich


I believe what you are seeing is Path MTU discovery failing.  When the 
IPSEC router sees a packet which is too large for it to route it is 
sending back an ICMP Unreachable packet (because it is too large) but, if 
some intermediary device on the way back is over-zealously filtering ICMP 
this ICMP unreachable packet will never get back to the sender, instead it 
will timeout and keep sending packets which are too large and thus you 
will never be able to view the webpage or other resource.


A good test would be if you had root access on one of the remote locations 
which is giving you a problem, you could run tcpdump and see if those ICMP 
packets are reaching that location or not.


If there is some router in the middle filtering this type of ICMP and the 
administrator is unwilling to change it then that is going to pose a real 
problem to your connectivity to those sites.


Maybe someone else who has expertise with this issue can confirm that is 
what might be going on.


Good luck!

-Matt-
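Matt's test ("run tcpdump at the other end and see whether the ICMP gets there") can be made mechanical. The following is an added example, not code from the thread: it scans tcpdump output for the three things that matter to path MTU discovery (ICMP "need to frag" replies and the MTU they advertise, fragmented packets, and frames carrying DF) and reports whether the capture looks like working PMTUD or like ICMP being filtered on the return path. The capture lines are constructed in OpenBSD tcpdump's output style and are not taken from the poster's vlan1.dump; the MSS figure it prints assumes 20-byte IP and TCP headers.

```python
import re

# Constructed tcpdump lines (not from the poster's dump), reusing the thread's
# addresses: the firewall 134.102.176.250, the home PC 192.168.1.2, a remote
# peer 213.172.119.236 and an assumed intermediate router 10.20.30.1.
SAMPLE_DUMP = """\
13:01:02.100001 192.168.1.2.40009 > 134.102.176.250.22: . ack 1 win 5840 (DF)
13:01:02.200002 134.102.176.250.22 > 192.168.1.2.40009: P 1:1449(1448) ack 1 win 6432 (DF)
13:01:02.200100 10.20.30.1 > 134.102.176.250: icmp: 192.168.1.2 unreachable - need to frag (mtu 1400)
13:01:02.300003 esp 134.102.176.250 > 213.172.119.236 spi 0x0000a1b2 seq 17 len 1480 (frag 4711:1480@0+)
13:01:02.300004 134.102.176.250 > 213.172.119.236: (frag 4711:84@1480)
13:01:02.400005 134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4 unreachable
"""

# The same capture as it looks when a middlebox drops the ICMP reply.
SAMPLE_DUMP_ICMP_FILTERED = "\n".join(
    line for line in SAMPLE_DUMP.splitlines() if "need to frag" not in line) + "\n"

NEED_FRAG = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ unreachable - need to frag \(mtu (\d+)\)")
PROTO_UNREACH = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ protocol (\d+) unreachable")
FRAG = re.compile(r"\(frag \d+:\d+@\d+\+?\)")
DF = re.compile(r"\(DF\)")


def summarize_pmtu(text):
    """Collect PMTUD-relevant evidence from tcpdump output."""
    s = {"need_frag": [], "proto_unreach": [], "fragments": 0,
         "df_packets": 0, "min_mtu": None}
    for line in text.splitlines():
        m = NEED_FRAG.match(line)
        if m:
            mtu = int(m.group(3))
            s["need_frag"].append({"from": m.group(1), "to": m.group(2), "mtu": mtu})
            s["min_mtu"] = mtu if s["min_mtu"] is None else min(s["min_mtu"], mtu)
            continue
        m = PROTO_UNREACH.match(line)
        if m:
            s["proto_unreach"].append({"from": m.group(1), "to": m.group(2),
                                       "proto": int(m.group(3))})
            continue
        if FRAG.search(line):
            s["fragments"] += 1
        if DF.search(line):
            s["df_packets"] += 1
    return s


def diagnose(summary):
    """Turn the evidence into short findings a pf/ipsec admin can act on."""
    findings = []
    if summary["need_frag"]:
        findings.append("need-frag:%d" % summary["min_mtu"])
        findings.append("max-mss<=%d" % (summary["min_mtu"] - 40))  # 20 IP + 20 TCP
    if summary["fragments"]:
        findings.append("fragments:%d" % summary["fragments"])
        # DF-marked TCP plus fragmented ESP and no need-to-frag reply in sight:
        # the ICMP is being generated somewhere but never reaches the sender.
        if not summary["need_frag"] and summary["df_packets"]:
            findings.append("suspect-icmp-filtered")
    for u in summary["proto_unreach"]:
        findings.append("proto-unreach:%d" % u["proto"])
    return findings


if __name__ == "__main__":
    print(diagnose(summarize_pmtu(SAMPLE_DUMP)))
    print(diagnose(summarize_pmtu(SAMPLE_DUMP_ICMP_FILTERED)))
```

Run it against tcpdump -n output captured on both ends of the tunnel: if the sender's side shows "suspect-icmp-filtered" while the receiver's side shows "need-frag", the ICMP is being dropped somewhere between them, which is the situation Matt describes above.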



Re: IPSec traffic stalls with large chunks of data

2006-07-24 Thread Matthew Closson

On Mon, 24 Jul 2006, Heinrich Rebehn wrote:


Hi list,

I am running into a strange problem with IPSec, MTU? fragmentation? which i 
am unable to resolve.


My Setup:

@home i have one PC which connects to our institute network with IPSec. The 
PC connects to the internet via a DSL modem using Linux/PPPoE or Windows 
XP/SP2. This has been running fine for years now.


Last week i bought a Netgear WTG624V3 WLAN router in order to allow our 
notebook to connect to the internet too.


This router is now connected between the PC and the DSL modem and does the 
job of bringing up the internet connection with PPPoE.


IPSec from my PC still works, but the symptoms are as follows:

- The tunnel is brought up and i can use it to ssh to our institute's 
firewall/ipsec gateway. On the gateway (OpenBSD 3.8), i can work in the shell 
as long as i want, but as soon as i do a ls -lR / or something else that 
produces large output, the connection is stalled.

However,the tunnel is still usable, i can do a 2nd ssh and continue working.
This leads me to the conclusion that it cannot be a rekeying issue.
Under the second login, i can see both connections:

[EMAIL PROTECTED] [~]# netstat -anptcp | grep 192.168.1.2
tcp0 48  134.102.176.250.22 192.168.1.2.40010 ESTABLISHED
tcp0  16304  134.102.176.250.22 192.168.1.2.40009 ESTABLISHED

All MTUs (PC, WLAN router, firewall) are set to 1500.

I played with max-mss in pf.conf, as was suggested on the misc@ ML:

scrub in on enc0 all max-mss 1318

but it did not help.

Parallel to the ls -lR / mentioned above, i did a tcpdump on the firewall's 
external if, which can be found at:


http://www.ant.uni-bremen.de/~rebehn/vlan1.dump

The dump shows that fragmentation does occur.

The same symptom can also be observed when connecting to our www server 
behind the firewall, very small pages are displayed, bigger ones get stalled.



Can anyone help me on this? I am not familiar with the internals of TCP/IP, 
especially MTUs and fragmentation.


If you need isakmpd.conf, pf.conf or anything else, please let me know.

Thanks for any help,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341




http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html



Re: more: NAT through encryption interface

2006-07-04 Thread Matthew Closson

On Tue, 4 Jul 2006, Stephen Bosch wrote:


Stephen Bosch wrote:

Hi, all:

I am configuring an IPsec tunnel like so:

local_internal_IP - alias_IP  -remote_peer_IP - remote_internal_IP
local host|   openBSD  |  Cisco PIX  |  remote internal host

alias_IP is a carp alias. It is one end of an IPsec security
association. netstat -rn gives this (altered) output:


Encap:
Source Port  DestinationPort  Proto 
SA(Address/Proto/Type/Direction)
remote_internal_subnet/23 0 alias_IP/32 0 0 
remote_peer_IP/50/use/in
alias_IP/32 0 remote_internal_subnet/23 0 0 
remote_peer_IP/50/require/out


The SA is coming up.

I am natting over the alias_IP with this line:

nat on $enc_if from $local_internal_IP to any -> $alias_IP

(to pre-empt misunderstanding, I have also tried

nat on $ext_if from $local_internal_IP to any -> $alias_IP)

From the OpenBSD box, I can ping remote_internal_IP like so:

ping -I alias_IP remote_internal_IP

When pinging from the local host, however, pings time out.




It would appear that there is a problem with natting.


The ping works even with all the NAT lines commented out, so it looks
like the nat isn't doing anything at all...

-Stephen-




I don't think what you want to do is currently possible:

Here is your problem:

Let's say you have these settings

internal_host 10.0.0.5
internal_openbsd_nic 10.0.0.1
external_openbsd_nic AAA.AAA.AAA.AAA

Remote_concentrator BBB.BBB.BBB.BBB
Remote_internal_host 192.168.0.10

and they say they need you to look like you are coming from 192.168.0.5 
(it happens frequently because of the other side's policy or poor 
planning).


So you think no problem, you configure isakmpd and bring up an SA between

192.168.0.5 --- IPSEC_SA --- 192.168.0.10

You setup an IP alias on one of your NIC's and assign it that address, 
then you think you can do NAT on your enc0.  But you can't.  Because here 
is what happens:


1. packet comes in from 10.0.0.5 - 10.0.0.1 destined for 192.168.0.10
2. your box looks at it to see if it matches an existing flow in the 
Security Association Database (SADB).  It does NOT.  You have a flow 
between 192.168.0.5 and 192.168.0.10, NOT between 10.0.0.5 and 
192.168.0.10.  So at this point there is no further route to get to that 
destination and the packet is dropped.  It never reaches your enc0 
interface to actually get NAT'd because it FIRST has to match a flow.


In setting up about 30 IPSEC tunnels on an OpenBSD box in the past 6 
months I had this issue come up with about 4 of the remote peers. 
Typically it is one of two problems.


1. They have a made a policy level decision somewhere and say they will 
only route traffic to public IP's or they want to assign you a public IP 
from their IP space.  Typically this is because they don't want to deal 
with the issue of multiple remote networks sharing the same private IP 
space.


2. Your IP space conflicts with another existing IP space they are routing 
to across another tunnel so they need you to NAT and make it look like you 
are coming from somewhere else.


So here is what you can do:

1. Place another box in front of your box doing IPSEC and NAT the traffic 
before it gets there based on its destination.  I got my setup working 
fine this way.  Cheap boxes are easy to come by for simply doing NAT.


2. Submit a patch which I'm sure a lot of people would be interested in 
that allows NAT to take place before SADB flow matching, perhaps a 
sysctl would be nice.


A lot of VPN administrators seem to think that you should have no problem 
NAT'ing this way because many of the current popular VPN concentrators 
allow you to do this all on one box.


If you want to test any ideas or setup's privately email me off the list 
and I'd be happy to help.  Good luck!


man 4 ipsec

NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow matching,
especially on the packet output path.  Inside the TCP/IP stack,
packets go through the following stages:

    UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
    UL/R <- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

With IF being the real interface and UL/R the Upper Layer or Routing
code.  The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed.  If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code.  Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.

-Matt-
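The stage order Matt quotes from ipsec(4) can be walked through in code. The following is an added example, not part of the thread and not OpenBSD code: a toy model of only what that diagram states, namely that the SPD lookup at [X] sees the packet's original addresses, that NAT on enc0 runs after it, and that a NAT-modified packet is still IPsec-processed. It uses the addresses from Matt's scenario (10.0.0.5 behind the gateway, alias 192.168.0.5, remote host 192.168.0.10). It says nothing about what the remote peer will accept once the packet arrives; that is decided by the phase 2 IDs both sides negotiated.

```python
import ipaddress

# Toy model of the ipsec(4) output path (added example, not kernel code):
#   UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF


def make_flow(src, dst, peer):
    """One SPD entry: traffic from src to dst is protected by the SA with peer."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst), "peer": peer}


def make_nat(from_, to, nat_to):
    """One 'nat on enc0 from <from_> to <to> -> <nat_to>' rule."""
    return {"from": ipaddress.ip_network(from_), "to": ipaddress.ip_network(to),
            "nat_to": ipaddress.ip_address(nat_to)}


def spd_lookup(flows, src, dst):
    """Stage [X]: match the ORIGINAL addresses against the flow database."""
    for f in flows:
        if src in f["src"] and dst in f["dst"]:
            return f
    return None


def nat_on_enc0(rules, src, dst):
    """Stage PF/NAT(enc0): only reached for packets that matched a flow."""
    for r in rules:
        if src in r["from"] and dst in r["to"]:
            return r["nat_to"]
    return src


def output_path(flows, nat_rules, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    flow = spd_lookup(flows, src, dst)
    if flow is None:
        return {"ipsec": False, "inner_src": str(src), "peer": None,
                "note": "no flow matched the original addresses; not IPsec-processed"}
    new_src = nat_on_enc0(nat_rules, src, dst)
    return {"ipsec": True, "inner_src": str(new_src), "peer": flow["peer"],
            "note": "flow matched; NAT applied on enc0, then ESP-encapsulated"}


# Addresses from Matt's scenario above; the peer address is a placeholder.
INTERNAL_HOST, ALIAS, REMOTE_HOST = "10.0.0.5", "192.168.0.5", "192.168.0.10"
PEER = "BBB.BBB.BBB.BBB"
NAT_RULES = [make_nat("10.0.0.5/32", "192.168.0.0/24", ALIAS)]

# Scenario 1: the only flow is for the alias itself.
FLOWS_ALIAS_ONLY = [make_flow("192.168.0.5/32", "192.168.0.10/32", PEER)]
# Scenario 2: a flow covering the internal host's real address.
FLOWS_REAL_NET = [make_flow("10.0.0.0/24", "192.168.0.10/32", PEER)]

if __name__ == "__main__":
    print(output_path(FLOWS_ALIAS_ONLY, NAT_RULES, INTERNAL_HOST, REMOTE_HOST))
    print(output_path(FLOWS_ALIAS_ONLY, NAT_RULES, ALIAS, REMOTE_HOST))  # ping -I alias_IP
    print(output_path(FLOWS_REAL_NET, NAT_RULES, INTERNAL_HOST, REMOTE_HOST))
```

Scenario 1 reproduces what Stephen saw: a ping sourced from the alias on the gateway itself matches the flow and goes through the tunnel, while a packet from the internal host never reaches the enc0 NAT rule because the lookup at [X] runs on its real address. In scenario 2 the flow is defined on the real address, so the packet matches, is rewritten on enc0 and leaves with the alias as its inner source.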



Re: pf isakmpd: NAT through encryption interface?

2006-07-02 Thread Matthew Closson

On Wed, 28 Jun 2006, Stephen Bosch wrote:


Hi, Roy:

Roy Morris wrote:


Yes it does work! I guess I better hold on to these two boxes I have. Seems
they are the only ones that do! lol 
I have

A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side client
C. /etc/hostname.if alias for the binat IP
D. isakmpd.conf uses public IP (A) for phase 1, and (B internal client nat) 
for phase 2


I've had a closer look at this...

In my case, the other peer expects a private IP on my internal network. Your 
directions involve an alias. Do I need this alias?


Can I not just nat on the encryption interface like so?

nat on $enc_if from $internal_ip to $remote_internal_ip -> 
$private_nat_address?


This is really confusing me.

-Stephen-




If you do nat on $enc_if your incoming packets will not match an existing 
IPSEC flow and will never get routed to your enc0 interface in the first place.


man ipsec shows a flow diagram of how packets move in the kernel

-Matt-



Re: IPsec + PPP causing slowdown: MTU issue or something else?

2006-06-26 Thread Matthew Closson

On Mon, 26 Jun 2006, Damon McMahon wrote:


Greetings,

I have an OpenBSD 3.9-RELEASE wireless gateway using ral(4) in
Infrastructure mode to provide a wireless LAN secured using ESP. It is
connecting to the internet via IPv4 using kernel ppp(4) and pppd(8) -
not userland ppp(8) - and routing to IPv4 wireless clients using NAT
in pf.conf temporarily until I can arrange for ADSL.

After an initial burst of activity routed connections slow down to
something worse than a crawl. I have confirmed that activity between
the gateway and the internet i.e. just ppp(4) performs as expected,
and similarly activity between the gateway and wireless clients i.e.
just ESP over 802.11b performs as expected.

This leads me to hypothesise that the cause must be in the routing
between the two networks. Could this be a fragmentation issue. If
so/not does anyone have any suggestions? If my dmesg, pf.conf or IPsec
configuration files are required for diagnosis please let me know.

Thanks in advance,
Damon


Sounds like MTU to me.

there are two pf/scrub options you should play with

max-mss 
no-df


Incoming ESP packets will probably have the DF flag set since you don't 
want fragmented IPSEC traffic.  Those packets may be too large for your DSL 
interface and now they can't be fragmented.  Or enforce outbound max-mss: 
set it to 1300 and see if that clears things up.


scrub in on $int_if all no-df max-mss 1300

See if a variation on that helps.
Good Luck!

-Matt-
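Working the MTU arithmetic through, as an added example that is not part of the thread: the functions below compute the on-the-wire size of a tunnel-mode ESP packet from the inner packet length, the cipher's IV and block size and the ICV length, then search for the largest TCP MSS whose full-size segment still fits the link MTU without fragmentation. Header sizes follow RFC 4303; the default cipher/auth overheads (3DES-CBC with HMAC-SHA1-96), the AES-128 comparison and the 1500-byte link MTU are assumptions for the illustration, not values from the post.

```python
"""Added example: how much a full-size TCP segment grows under ESP tunnel
mode, and what max-mss keeps it under the link MTU.  Assumed overheads:
IPv4 header 20, ESP header 8 (SPI + sequence), trailer 2 (pad length +
next header); cipher IV/block and ICV lengths are parameters."""

IP_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_tunnel_len(inner_len, iv_len=8, block=8, icv_len=12):
    """Wire size of a tunnel-mode ESP packet carrying an inner IP packet of
    inner_len bytes.  Padding brings (inner + trailer) up to a multiple of
    the cipher block size, and never less than 4-byte alignment."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % max(block, 4)
    return IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_mss(link_mtu, iv_len=8, block=8, icv_len=12):
    """Largest TCP MSS such that a full segment (IP + TCP headers without
    options + MSS bytes of data) still fits link_mtu once encapsulated.
    Defaults model 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96."""
    mss = link_mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_tunnel_len(IP_HDR + TCP_HDR + mss, iv_len, block, icv_len) > link_mtu:
        mss -= 1
    return mss


def fits(link_mtu, mss, iv_len=8, block=8, icv_len=12):
    """True if a segment with this MSS survives encapsulation without
    exceeding the link MTU, i.e. without needing the fragmentation that
    the DF bit on the ESP packet forbids."""
    return esp_tunnel_len(IP_HDR + TCP_HDR + mss, iv_len, block, icv_len) <= link_mtu


if __name__ == "__main__":
    # (iv_len, block, icv_len) for two common 2006-era proposals (assumed)
    for name, args in {"3des-sha1": (8, 8, 12), "aes128-sha1": (16, 16, 12)}.items():
        print(name, "max-mss for a 1500-byte link:", max_mss(1500, *args))
```

The 1300 suggested in the reply leaves a comfortable margin under either result; the computed value is the tightest setting that avoids the DF-versus-fragmentation problem on the given link.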



Re: isakmpd + nat (Yes Again!)

2006-06-24 Thread Matthew Closson

On Tue, 20 Jun 2006, Roy Morris wrote:

ok, I know I've seen this before but can't seem to find the link. I am 
setting up a vpn using isakmpd and for the regular net to net stuff it

works fine. I am trying to use an alias ip on each gateway and nat to
the internal host. The isakmpd.conf would use phase one real-ip-1 and
use real-ip-2 (nat/binat)to the internal client.

Is this making sense? ..

I1 (172.30.1.2) - GW1(10.0.1.1/24) -router - GW2(10.0.2.1/24)
I1--NAT -10.0.1.2 x-router-x 10.0.2.2 NAT -I2 (172.31.1.2)

pf.conf should? have
binat on enc0 from 172.30.1.2 to any -> 10.0.1.2

and would also have /etc/hostname.xyz
inet alias 10.0.1.2

and the same stuff on the other end. Packet capture shows it using
the external interface with no nat to get out.

What am I doing wrong? - a link, doc or whack upside the head is
accepted!

thanks
Roy


Roy,

I tried for weeks to get this to work and eventually abandoned the idea 
due to a deadline to just get it working.  I ended up sticking another 
cheap box (P133) in front of the box doing IPSEC and performing NAT on 
there.  Then I would create IP aliases on the NAT box as well as the IPSEC 
box for those cases and that worked fine.


Problem is that the OpenBSD kernel does IPSEC flow processing before it 
does NAT.  So if you try to do both on the same box your packets will 
not match your defined IPSEC SA because they have not yet been 
NAT'd, in which case they will just be dropped by the kernel.


This is from man ipsec:

---

NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow
matching, especially on the packet output path.  Inside the TCP/IP stack,
packets go through the following stages:

   UL/R --> [X] --> PF/NAT(enc0) --> IPsec --> PF/NAT(IF) --> IF
   UL/R <-- PF/NAT(enc0) <-- IPsec <-- PF/NAT(IF) <-- IF

With IF being the real interface and UL/R the Upper Layer or Routing
code.  The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed.  If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code.  Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.

---

There are some older posts by Cedric that indicate at least on old 
versions of OpenBSD/isakmpd you could manually add a fake flow to the SADB 
using ipsecadm that basically said 172.30.1.2 -> other_side is a valid 
IPSEC flow, that way the packet would be processed, then you could do NAT 
on the enc0 interface and cause the source IP to be NAT'd and match the 
real IPSEC flow.  However I never got this working and comments from the 
original post made it seem to me that this does not work in the current 
version of OpenBSD.  Good Luck!


-Matt-



Re: box freezes immediately at boot (kernel loading)

2006-05-28 Thread Matthew Closson

On Mon, 29 May 2006, Uwe Dippel wrote:


I have tried the archives and google, but didn't find any good pointer
(maybe a problem of keywords ?):

After some 20 cycles of power outage / restore - that is some twenty
crashes - a database server of mine doesn't reboot any longer. It gets
stuck at
booting hd0a:/bsd  4804448+939504 [52+247296+228813] entry point at
0x100120
I tried bsd.old and bsd.rd
All with a similar result (similar: other numbers).

Now I wonder what is best recommended to get this production box back at
work ? I hope to avoid a complete re-install ... .
Someone will flame me for backup. Alas, the icing on the cake is, that the
backup was scheduled exactly during those outage cycles and is spoiled as
well. I might dig out the backup of one week ago, but then, the data of
the database are not exactly fresh.

Thanks for any suggestion,

Uwe




What makes you think it is not a hardware problem?  Try throwing the drive 
in another box for starters.  There is no need to reinstall the OS if the 
board or memory are shot.  What kind of hardware as well?


-Matt-



Re: 3.7: weird IP address problem

2006-04-24 Thread Matthew Closson

On Mon, 24 Apr 2006, Toni Mueller wrote:


Hello,

I have a box that once had two IP addresses on one interface. I
deconfigured one of them using ifconfig -alias.

Now, when I want to use any (?) program on that box to go over this
interface, it wants to use the addresses which is no longer present. I
double-checked to ensure that there is no NAT in the way, and also used
all netstat and ifconfig otions I know to convince myself that the old
address is gone. I also tried to 'ifconfig ifname inet
the-one-and-only-address' just in case there would be a different
handling of addresses assigned with and without using -alias, but to no
avail.

What could that be, and why can't I see this address anywhere?

I'd rather not reboot only to make a change in IP numbers effective...


Best,
--Toni++




Can you send us the output of ifconfig for that interface?  For example, if you had an 
fxp card then:


ifconfig fxp0

Also did you do this?

ifconfig ifname delete inet alias aaa.bbb.ccc.ddd
?

Sounds like the alias is not deleted.

Or try setting your default gateway

route add default aaa.bbb.ccc.ddd

-Matt-



Re: Multi Firewalls Admin

2006-04-23 Thread Matthew Closson

On Wed, 19 Apr 2006, Joachim Schipper wrote:


On Tue, Apr 18, 2006 at 12:47:31AM +0200, xanadu wrote:

Hi,

I have to remote admin 54 OpenBSD firewalls.
What tools can help me for that (Monitoring, Updates or PF broadcasts,
getting firewalls logs, automate processes, ...), is there all in one ?


It's usually better to assemble something from the individual best
components. Some possible choices:
- centralized syslog server(s) running syslog-ng, stock syslogd,
  or whatever syslogd best suits your needs, taking into account
  that the network being traversed is untrusted (i.e. some VPN
  solution makes sense);
- automated log monitoring using, for instance, sec
  (sysutils/sec)[1] or one of the other packages (swatch,
  logsurfer, ...);
- automated network monitoring using, for instance, nagios[2]
  (or mon, or ...);
- some custom scripting to handle pflog, or just keep it on the
  host until needed - or just don't log it;
- distributing configuration and binaries using rdist (in base,
  and works well, but uses a lot of bandwidth), rsync, or
  something all-in like cfengine; or a simple FTP server; most
  choices here allow you to run scripts;
- remote login using sshd, possibly augmented using something
  that will run a command on N hosts;
- something more exotic, like using a single AFS-mounted image
  for all of the firewalls, and telling the various syslogd
  processes to log to the proper place.

Additionally, cron and/or /etc/{daily,weekly,monthly}.local is your
friend. Some custom scripting will be desired; use a Bourne shell, Perl,
Python, or whatever suits you.

Take into account that any package you do not need to install, is one
more package you don't have to depend on. Especially for a firewall,
the stock install is likely to be sufficient.

Joachim

[1] Sec is very powerful, but the documentation is a little lacking in
examples and writing a good ruleset will take time. OTOH, it is more
flexible, more powerful, and writing a good ruleset always takes time. I
have some working configurations for you, should you decide to take this
route.
Whatever you choose, it is vitally important that you *do* see anything
you have not mentioned in the configuration file. Those tend to be the
most 'interesting'.
[2] Nagios is quite useful, and makes pretty pictures. Good for showing
people.




I use this as well for distributed command execution and it works great.

http://tentakel.biskalar.de - Tentakel

-Matt-



Re: openbsd and the money -solutions

2006-03-24 Thread Matthew Closson

On Fri, 24 Mar 2006, Chet Uber wrote:

1.	Read the damn FAQ's, newbies, and do a Google search on what you are 
about to waste list bandwidth on. People on the project spend good time 
getting this done for us.
2.	Buy the CD, and quit bitching about it. For that matter be a good 
neighbor and buy one copy per machine you run the OS on.
3.	If you think that the price is unwarranted and unaffordable, you 
really need to get a job so you can afford the meager fee. Or donate some 
blood?

4.  The stickers make it all worth it.

CU

Chet Uber
President and Chief Scientist
SecurityPosture, Inc.
3718 N 113 Plaza, Omaha, NE 68164
vox +1 (402) 505-9684 | fax +1 (402) 932-2130 | cell (402) 813-3211
-- This communication is confidential to the parties it was intended to serve


I kind of like #3 (donate blood) easy $10 for OpenBSD and help save 
someone's existence at the same time.  I'm sure we can all spare a little 
and the ratio of clean usable computer geek blood is bound to be higher 
than the average seeing as how many of us spend 90% of time in front of a 
monitor leaving us only 10% of time to go out and impurify ourselves.


-Matt-



Re: no internet with cable provider (videotron.ca)

2006-03-21 Thread Matthew Closson

On Tue, 21 Mar 2006, Peter wrote:


--- Damian Gerow [EMAIL PROTECTED] wrote:


Thus spake Peter ([EMAIL PROTECTED]) [21/03/06 00:56]:
: Hi everyone.  I am troubleshooting a client (running OpenBSD 3.8)
who
: cannot connect to a Canadian cable provider (videotron.ca) with
: dhclient.  dhclient cannot find a dhcp server.  Is there anything
: special one needs to do besides 'dhclient int'?  The connection
is
: made instantly when win2k box is connected directly to the modem.

Was the Win2k box connected first?  Many (most?) Canadian cable
providers
cache the MAC address of the connected machine, and generally
speaking,
unplugging the cable modem for five minutes should re-set the cached
address
on their side.

Otherwise...  logs?


I did hear of the caching feature so I unplugged the power but only for
about 10 seconds.  Five minutes you say?

I don't see any logs being generated except for it not being able to
find a dhcp server.  On one occasion only did I see something to the
effect accepted blah length not same as blah length.  Like what it
received was not the length of what is was supposed to receive.
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com




Yes, 5 minutes is the required amount of time to clear the cache on most 
cable modems I've worked with (Toshiba, 3com, Motorola, Terayon), 10 
seconds will not do.  Otherwise you could probably copy the MAC address 
off your win2k box and use that.


on win2k box: ipconfig /all
get the MAC address

on OpenBSD box:
# ifconfig fxp0 lladdr 11:22:33:44:55:66
(substituting real MAC and interface name)
# pkill dhclient
# dhclient fxp0

-Matt-



Re: no internet with cable provider (videotron.ca)

2006-03-21 Thread Matthew Closson

On Tue, 21 Mar 2006, Peter wrote:


--- Damian Gerow [EMAIL PROTECTED] wrote:


Thus spake Peter ([EMAIL PROTECTED]) [21/03/06 01:46]:
:  Was the Win2k box connected first?  Many (most?) Canadian cable
:  providers
:  cache the MAC address of the connected machine, and generally
:  speaking,
:  unplugging the cable modem for five minutes should re-set the
cached
:  address
:  on their side.
: 
:  Otherwise...  logs?
:
: I did hear of the caching feature so I unplugged the power but only
for
: about 10 seconds.  Five minutes you say?

Yeah, give it five minutes.  That /should/ clear it out.  (You may
want to
unplug power as well -- I've heard conflicting reports about that.)

: I don't see any logs being generated except for it not being able
to
: find a dhcp server.  On one occasion only did I see something to
the
: effect accepted blah length not same as blah length.  Like what
it
: received was not the length of what is was supposed to receive.

Strange.  My guess is the caching -- it really is as simple as
running
'dhclient interface'.

You could also try calling them up to see if they cache the MAC or
not, for
how long if they do, and what it takes to flush the cache.



Well I unplugged for a good five minutes and still nothing.  Indeed, I
first heard of this caching from one of their technicians and I was
instructed to simply unplug the power cable; he did not specify a
timeout.

The device is a telephony modem (the users have opted for the videotron
trio: cable-telephone, cable-tv, and cable-internet).  It is an Arris
TM502G.
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com




Also Make sure you remove the battery for 5 minutes as well.
They come with a backup battery in case the commercial power provider
goes down.

-Matt-



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Matthew Closson

On Fri, 10 Mar 2006, Paolo Supino wrote:


Hi

I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear 
(out of my control) and the other runs OpenBSD (my decision). I've never 
setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco 
and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or 
incompatibilities between Cisco and OpenBSD implementations of IPSEC that 
will cause problems?


TIA
Paolo


Paolo,

As others have said we need more details.  I have setup isakmpd and IPSEC 
in tunnel mode with Cisco PIXes, as well as Cisco 3000 series VPN 
concentrators (which are really from Altiga Networks).  Getting the tunnel 
established between these devices is never a problem, especially if you 
define out every section in isakmpd.conf and only offer a single 
encryption/hash algorithm in your proposals.  The biggest problem I have 
had is rekeying.  I have had a lot of issues with tunnels getting out of 
sync, where my side keeps using XXX SA/SPI, while the other side moves on 
to another one or the reverse of that.


Cisco devices I have seen default their lifetimes to 86400 seconds for 
IKE and 28800 seconds for IPSEC.  This is of course different from isakmpd 
so you will want to keep that in mind.


I would highly recommend you read all the info listed here.

https://www.icsalabs.com/icsa/main.php?pid=fggfgd

ICSA does interoperability testing between various IPSEC implementations 
and they cover several Cisco products.  As well, in their paper


IPSEC VPN Advanced Troubleshooting they state that an excellent tool 
for debugging interoperability problems in the field is OpenBSD's isakmpd.


A lot of information on the specific cisco device you want to talk to may 
be available at http://www.cisco.com/univercd


I am also curious as to the successes and failures other people have had 
with cisco devices and rekeying, especially cisco 3005, cisco 3030 
concentrators.


-Matt-



Re: IPSEC negotiation on demand

2006-03-04 Thread Matthew Closson

On Sat, 25 Feb 2006, Matthew Closson wrote:


On Sat, 25 Feb 2006, Joachim Schipper wrote:


On Sat, Feb 25, 2006 at 10:29:11AM -0500, Matthew Closson wrote:

Rather than have isakmpd bring up all tunnels when the daemon starts up,
is there a way to have it bring up the tunnels on demand?  For example.

host_a    router_b  router_c - host_d

Is there a way to setup isakmpd so that if host_a tries to send a packet
to host_d, router_b will start IPSEC negotiation with router_c at that
point, instead of as soon as isakmpd starts?


Why would you want to do that? It's not like keeping a tunnel up will
use any significant amount of resources, while on-demand tunneling will
prove to impose quite a bit of delay.

Joachim




Some of my IKE peers seem to operate this way.  For example more than one 
cisco admin has called me to ask why we have active tunnels but no data going 
through them.  And some remote implementations such as Sonicwall seem to take 
the tunnel down when no data is being passed back and forth, without 
sending me a teardown notify message.  I realize that on-demand tunneling 
will present a delay to startup the tunnel, but I am still curious to know if 
it is possible to do this on OpenBSD/isakmpd and how I might go about doing 
it.  Thanks,



-Matt-




Okay so I've been trying to find out exactly how cisco handles 
renegotiation when lifetimes expire and I found this:




http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141715

How These Lifetimes Work
Assuming that the particular crypto map entry does not have lifetime 
values configured, when the router requests new security associations it 
will specify its global lifetime values in the request to the peer; it 
will use this value as the lifetime of the new security associations. When 
the router receives a negotiation request from the peer, it will use the 
smaller of either the lifetime value proposed by the peer or the locally 
configured lifetime value as the lifetime of the new security 
associations.


The security association (and corresponding keys) will expire according to 
whichever comes sooner, either after the number of seconds has passed 
(specified by the seconds keyword) or after the amount of traffic in 
kilobytes is passed (specified by the kilobytes keyword). Security 
associations that are established manually (via a crypto map entry marked 
as ipsec-manual) have an infinite lifetime.


A new security association is negotiated before the lifetime threshold of 
the existing security association is reached, to ensure that a new 
security association is ready for use when the old one expires. The new 
security association is negotiated either 30 seconds before the seconds 
lifetime expires or when the volume of traffic through the tunnel reaches 
256 kilobytes less than the kilobytes lifetime (whichever comes first).


If no traffic has passed through the tunnel during the entire life of the 
security association, a new security association is not negotiated when 
the lifetime expires. Instead, a new security association will be 
negotiated only when IPSec sees another packet that should be protected.


--

So lets say I establish a tunnel between a cisco device and OpenBSD and 
3600 seconds later the lifetime expires but no traffic has been passed during 
the entire life of the security association.  OpenBSD will try to 
renegotiate the security association; will the cisco as well, or will it 
not, because no traffic has taken place which would actually use 
the tunnel?

-Matt-
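The quoted IOS lifetime rules, written out as code so the thresholds can be checked against a traffic timeline. This is an added example, not from the thread or from Cisco: the 30-second and 256-kilobyte margins and the "smaller of proposed and local" rule come from the quoted text, the traffic timelines are constructed, and the OpenBSD-side behaviour in `peers_disagree_after_expiry` is simply what the post describes (isakmpd renegotiating at lifetime end regardless of traffic), not something verified here.

```python
"""Added example: the IOS lifetime rules quoted above, written out so the
thresholds can be checked against a traffic timeline.  Numbers come from
the quoted text (30 s and 256 KB margins); the timelines are constructed."""
from dataclasses import dataclass

SECONDS_MARGIN = 30      # replacement negotiated 30 s before the seconds lifetime
KBYTES_MARGIN = 256      # ...or 256 KB before the kilobytes lifetime


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def negotiated_lifetime(local, proposed):
    """Responder rule: 'the smaller of either the lifetime value proposed by
    the peer or the locally configured lifetime value', per dimension."""
    return Lifetime(min(local.seconds, proposed.seconds),
                    min(local.kilobytes, proposed.kilobytes))


def ios_rekey_time(lt, traffic):
    """When an IOS router, by the quoted rules, starts negotiating a
    replacement for an SA established at t=0.

    traffic is a list of (second, kilobytes) events.  Returns the second at
    which either threshold is crossed, or None when the SA saw no traffic
    before the time threshold: then it is allowed to expire and a new SA is
    only negotiated by the next packet that needs protection."""
    deadline = lt.seconds - SECONDS_MARGIN
    sent = 0
    for t, kb in sorted(traffic):
        if t >= deadline:
            break
        sent += kb
        if sent >= lt.kilobytes - KBYTES_MARGIN:
            return t                      # volume threshold reached first
    return deadline if sent > 0 else None


def peers_disagree_after_expiry(lt, traffic):
    """Matt's scenario: the OpenBSD side (as described in the post) renews
    the SA at lifetime end regardless of traffic, so after expiry the two
    peers hold different SA state exactly when IOS chose not to rekey."""
    return ios_rekey_time(lt, traffic) is None


if __name__ == "__main__":
    # isakmpd proposing 3600 s to a router configured with the 28800 s default
    lt = negotiated_lifetime(Lifetime(3600, 4608000), Lifetime(28800, 4608000))
    print("negotiated:", lt)
    print("idle tunnel rekeys at:", ios_rekey_time(lt, []))
    print("busy tunnel rekeys at:", ios_rekey_time(lt, [(120, 10), (900, 40)]))
```

An SA that carried a single packet early on is treated as "used" and is rekeyed 30 seconds before expiry; one that carried nothing is left to die, which is the state the other side has to be prepared for.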



IPSEC negotiation on demand

2006-02-25 Thread Matthew Closson
Rather than have isakmpd bring up all tunnels when the daemon starts up, 
is there a way to have it bring up the tunnels on demand?  For example.


host_a    router_b  router_c - host_d

Is there a way to setup isakmpd so that if host_a tries to send a packet 
to host_d, router_b will start IPSEC negotiation with router_c at that 
point, instead of as soon as isakmpd starts?


Thanks,

-Matt-



Re: IPSEC negotiation on demand

2006-02-25 Thread Matthew Closson

On Sat, 25 Feb 2006, Joachim Schipper wrote:


On Sat, Feb 25, 2006 at 10:29:11AM -0500, Matthew Closson wrote:

Rather than have isakmpd bring up all tunnels when the daemon starts up,
is there a way to have it bring up the tunnels on demand?  For example.

host_a    router_b  router_c - host_d

Is there a way to setup isakmpd so that if host_a tries to send a packet
to host_d, router_b will start IPSEC negotiation with router_c at that
point, instead of as soon as isakmpd starts?


Why would you want to do that? It's not like keeping a tunnel up will
use any significant amount of resources, while on-demand tunneling will
prove to impose quite a bit of delay.

Joachim




Some of my IKE peers seem to operate this way.  For example more than one 
cisco admin has called me to ask why we have active tunnels but no data 
going through them.  And some remote implementations such as Sonicwall 
seem to take the tunnel down when no data is being passed back and 
forth, without sending me a teardown notify message.  I realize that 
on-demand tunneling will present a delay to startup the tunnel, but I am still 
curious to know if it is possible to do this on OpenBSD/isakmpd and how I 
might go about doing it.  Thanks,



-Matt-



IPSEC tunnels timing out

2006-02-24 Thread Matthew Closson

Hello,

I have isakmpd setup talking to about 15 IKE peers and doing about 100 
Phase 2 SA's.  However, frequently I will attempt to initiate traffic over 
one of the tunnels and will not get any response.


If I issue a command to the FIFO like so: echo S > /tmp/isakmpd.fifo

and then view the state of the SA's in /var/run/isakmpd.result they show
existing Phase 1 and 2 SA's with lifetimes set counting away.

If I do: netstat -rnfencap I see existing esp flows for the SA's.

When I watch tcpdump -i enc0 I see traffic going out, but not coming back.

Now, if I do a pkill -TERM isakmpd; isakmpd -v -f /tmp/isakmpd.fifo -DA=10
to restart the daemon then I can connect over all the tunnels okay again.

I believe that some of the remote VPN concentrators have a timeout where 
they drop the tunnel if it doesn't have any traffic coming over it for a 
period of time.  Whereas isakmpd simply continues to think the tunnel is 
up just fine and waits until the end of its SA's lifetime to attempt 
rekeying the connection.  This leaves intermittent periods of not being 
able to connect across these tunnels.


Is there anything that can be done to detect this and remedy it?  Is there 
a way to only bring up the tunnels when traffic is destined for an IP 
address on the other side rather than rekey and keep it up all the time? 
How are other people dealing with this issue.  I am talking to Cisco3000 
series, Checkpoint-VPN1, Watchguard, and Nortel Contivity concentrators.

The problem doesn't seem to be specific to a certain one.

Thanks for any ideas or info,

I am running OpenBSD3.9-current

-Matt-



Sera Systems no more

2006-02-18 Thread Matthew Closson
Maybe someone else has mentioned this already on the list, I happened to 
go to Sera Systems site today while looking for some 1U OpenBSD boxes, and 
I found this:


---
After many pleasurable years, we have decided to close SeraSystems and 
focus on other opportunities. We would like to thank our many customers 
for your patronage, support, and just being who you are. Questions or 
comments may be directed to serasystems (-: at :-) protectix.com or 
directly to our parent company, Protectix, Inc.



So long and thanks for all the fish!
---

Anyhow they are occasionally mentioned when people ask about hardware so I 
figured I'd post it.  So long Sera Systems...


-Matt-



DPD isakmpd question

2006-02-15 Thread Matthew Closson

Hello,

If you enable RFC3706 - Dead Peer Detection in isakmpd.conf, what is the 
result of a peer failing the DPD check?  Will it start over with Phase 1 
negotiations again for that ISAKMP peer, or will it simply remove the SA 
and cookies and not try to renegotiate?  If anyone knows offhand, thanks.


-Matt-



OT: Nortel Contivity SA Lifetime

2006-02-12 Thread Matthew Closson

Hello,

I'm setting up IPSEC between isakmpd and a Nortel Contivity Extranet 
Switch and I haven't been able to get the Nortel device's admin to give me 
this information.  Does anyone know what the default IKE/IPSEC SA 
lifetimes are for a Nortel device?  Thanks, if anyone knows.  Sorry to be 
a little bit off topic.


-Matt-



Re: X11 exploit info

2006-02-11 Thread Matthew Closson

On Sat, 11 Feb 2006, Dave Feustel wrote:


On Saturday 11 February 2006 10:59, Roman Hunt wrote:


Dude what is your major f*^%! malfunction? Years ago this sh!^ would've
never been allowed to fly on this list.


Sorry. I don't intend to offend or to irritate. Just out of curiosity, how old 
are you?
Also, to which post are you referring?


Maybe you think that posting all this ridiculous shit is funny but it's
really not.


Actually, I don't think it's ridiculous or funny, but you have a right to your 
opinion and also to express it.


Go take a class at a community college and learn the basics before you post
again.


I may well be the only person in Fort Wayne using OpenBSD or even
pretending to know anything about it.
I am not aware of any courses in BSD around here.


PLEASE! And definitely stop wasting your time trying
To discover how to exploit systems you are unable to comprehend.


Actually, I am in defensive mode. My system is clearly being penetrated.
I am trying to find and plug the holes. So far running pf with a 'block in all' 
seems to be the most effective defense.  I opened up port 80 to run Apache, but I
started having problems again, so I went back to the 'block all' rule.
I've found and reported to kde and misc a security problem in the way
kde is currently ported to OpenBSD. The kde developers understand the problem
and, last I heard, had a fix in the pipeline. I've got a kludge fix for that 
problem now.
But I am still seeing signs of intrusion, so there are either still unblocked 
(kde or x11) holes
that I haven't found that provide intruders with at least user privileges, or 
my system
was rooted at some point in the past and will continue to be rooted until I 
either reinstall or
upgrade to 3.9 sometime after May. Today I found two attempts to access port 
6000.
One from China, the other from Korea.


That said If you ever need serious system administration help for a
serious issue (not one you make up when you are all paranoid and gunning
to be a BIG HACKER HERO) then feel free to ask me and I'll be happy to help.


I have no interest in being a cracker. I've looked at what is typically 
involved in
cracking a system or creating shell code and I have no interest in spending my
time doing either, although I have more than enough experience with x86 assembly
code for that time-wasting activity.  I have other projects that I need
to spend time on. Are you interested in general relativity, electromagnetism, or
tensors? I definitely need help with tensors.

And I do appreciate your offer of help. I only wish it weren't so hard to 
explain things by
email.

Dave

-
Roman



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Dave Feustel
Sent: Saturday, February 11, 2006 6:04 AM
To: misc@openbsd.org
Subject: X11 exploit info


at http://www.hackinglinuxexposed.com/articles/
is a 3-part series on X-11 exploits which those who
think they understand x11 security might wish to
read and comment upon. I clearly don't understand
x11 security so I have no comments, but I will read
with great interest comments by anyone else.

05-Jul-2004: SSH Users beware: The hazards of X11 forwarding  Logging into
another machine can compromise your desktop...

08-Jun-2004: The ease of (ab)using X11, Part 2
 Abusing X11 for fun and passwords.

13-May-2004: The ease of (ab)using X11, Part 1
 X11 is the protocol that underlies your graphical desktop environment, and
you need to be aware of its security model.

Dave Feustel


--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing




Okay, seriously whoever is cracking into Dave's system will you please 
post to the list what your magic hole is so we can all get on with life? 
And Dave, you did read the carefully prepared memo on commonly used passwords 
didn't you?  Thanks,


-Matt-



isakmpd cannot teardown Phase1 SA

2006-02-05 Thread Matthew Closson

http://archives.neohapsis.com/archives/openbsd/2005-09/0007.html

In summary, a user reported that isakmpd will not currently tear down a 
Phase1 SA when receiving a 't name' command via the fifo user interface. 
Hans replies that there is a patch for it, but it won't make 3.8 release.


Has this been implemented in -current or if not could anyone send me the
patch?  Thanks,

-Matt-



Re: isakmpd cannot teardown Phase1 SA

2006-02-05 Thread Matthew Closson
I was given some info off list and checked the webcvs, indeed this feature 
has been added to -current.  Thanks.


On Sun, 5 Feb 2006, Matthew Closson wrote:


http://archives.neohapsis.com/archives/openbsd/2005-09/0007.html

In summary, a user reported that isakmpd will not currently tear down a Phase1 
SA when receiving a 't name' command via the fifo user interface. Hans 
replies that there is a patch for it, but it won't make 3.8 release.


Has this been implemented in -current or if not could anyone send me the
patch?  Thanks,

-Matt-




view available inodes on partition

2006-01-25 Thread Matthew Closson

Hello,

Is there a way to view how many inodes are still available on a partition.
I'm decompressing a ton of small files onto a 60Gb partition, /dev/wd1a, and 
I'm not really concerned about running out of space, but possibly out of 
inodes; I just used the default parameters creating the filesystem, which 
is ffs.  Thanks,


-Matt-



Re: view available inodes on partition

2006-01-25 Thread Matthew Closson

Thanks for all the replies, that obviously worked fine.

On Wed, 25 Jan 2006, Otto Moerbeek wrote:



On Wed, 25 Jan 2006, Matthew Closson wrote:


Hello,

Is there a way to view how many inodes are still available on a partition.
I'm decompressing a ton of small files onto a 60Gb partition, /dev/wd1a, and I'm
not really concerned about running out of space, but possibly out of inodes; I
just used the default parameters creating the filesystem, which is ffs.


df -i

-Otto




ip_forward() function

2005-12-27 Thread Matthew Closson

Where is the code for the ip_forward() function in 3.8?

I found the prototype in: /usr/src/sys/netinet/ip_var.h

void ip_forward(struct mbuf *, int);

but no function definition.

I also did a grep -sR ip_forward /usr/src
and all I found was the function being called several times
from /usr/src/sys/netinet/ip_input.c, but no actual code showing
how the function works.  I'm probably looking for this in the
wrong way, any ideas?  Thanks,

-Matt-



ip_forward() function

2005-12-27 Thread Matthew Closson

Never mind on my previous post.

ip_forward() definition is in:
/usr/src/sys/netinet/ip_input.c

it's late, I missed it.

-Matt-



Re: Xwindows Security Hole in OpenBSD 3.8

2005-12-24 Thread Matthew Closson

On Sat, 24 Dec 2005, Dave Feustel wrote:


I hate to send this Christmas present to misc,
but there is definitely a security hole in Xwindows
which permits exploits to be committed at least
with user permissions, if not root permissions.
Since the problem appears to be in Xwindows,
using KDE may be inadviseable. I'm considering
going back totally to console mode now that
I'm aware of the problem.

Dave Feustel
--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing




Dave,

And do you care to share this monumental discovery of yours?
Also if your flaw is in X then what does KDE have to do with that?
Merry Christmas,

-Matt-



NAT/pf before IPSEC

2005-12-21 Thread Matthew Closson

Hello,

I'm running into an issue which was brought up on the list before, the 
last reference I found was in 2004:


http://archive.openbsd.nu/?ml=openbsd-pf&a=2004-10&m=430206

I have an OpenBSD 3.8 machine.
dc0  is an internal NIC assigned 192.168.20.250
fxp0 is an external NIC assigned a.b.c.d public_IP_address
10.0.20.254 is an inet alias on fxp0
192.168.20.0/24 is my internal network.

192.168.20.0/24
|
|
|
192.168.20.250 - dc0
10.0.20.254 - inet alias on fxp0
a.b.c.d - fxp0 public_IP
|
|
IPSEC Tunnel
|
|
e.f.g.h - public_IP tunnel endpoint
192.168.60.0/24 remote network


According to the parameters of the tunnel setup (of which I cannot change) 
the remote IPSEC tunnel endpoint expects traffic from my network to look 
like it is coming from 10.0.20.254/32.


This works:
ping -I 10.0.20.254 192.168.20.10

I get responses back from the pings, now I need to nat my internal network 
to appear to be coming from 10.0.20.254


So I can do:

nat pass on enc0 from 192.168.20.0/24 to 192.168.60.0/24 -> 10.0.20.254

And what happens is, packets coming in from the 192.168.20.0/24 network 
hit my internal NIC, are evaluated for IPSEC routing, are not part of an 
SPI and are not sent over enc0.  This is because IPSEC routing takes place 
before pf and nat.


In the message I linked to above, Cedric said that you can get around this 
by creating a fake flow into an existing SPI so that your incoming traffic 
gets routed into enc0 and then nat'd appropriately.  He said you could run 
this flow from a cron script, I suppose that would run every period of 
time that your SPI times out.


This doesn't seem real solid to me if you need traffic to stay up over 
your tunnel.  If your script doesn't run at the right time, your existing 
connections over the tunnel are going to fall apart.  In another message 
someone suggested patching isakmpd to modify this behavior.


My questions are:

Is there a better or newer way of doing NAT before IPSEC routing? 
Does anyone have a script for adding fake flows to SPI's periodically?

Does anyone have a source patch for isakmpd that solves this issue?

Any info is much appreciated,
I am subscribed to the list.
Thanks,

-Matt-



Re: NAT/pf before IPSEC

2005-12-21 Thread Matthew Closson

On Wed, 21 Dec 2005, Christoph Leser wrote:


Does this imply that I must not mention VPN-2 in the isakmpd.conf Connections 
statement?

Thanks for your help.


I tried with and without and didn't get it working either way.  I think if 
you do not include it in your Connections statement then it is irrelevant. 
You need to specify it in that statement to generate an SPI.  From what 
I've read when packets come in they see if they match an existing SPI to 
determine if they should be sent to the enc0 interface or not.  But like I 
said I still haven't got it to work so take that with a grain of salt.


-Matt-

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Nick Suckling
Sent: Wednesday, 21 December 2005 15:32
To: misc@openbsd.org
Subject: Re: NAT/pf before IPSEC


No the other side does not need to know about this additional
section if
you are using NAT as described.

Nick

On Wed, 2005-12-21 at 14:06 +0100, Christoph Leser wrote:

If you add this extra section to your isakmpd.conf, do you
need to add it to the remote site too? Does this extra
section change the negotiation between the two endpoints?


Thanks


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Nick Suckling
Sent: Wednesday, 21 December 2005 12:52
To: misc@openbsd.org
Subject: Re: NAT/pf before IPSEC


One easier way I have had this working is to add an additional section
to your isakmpd.conf. Something like the following. Your NAT then takes
care of the rest.


[VPN-1]
Phase=  2
ISAKMP-peer=remote
Configuration=  Default-quick-mode
Local-ID=   ip-10.0.20.254
Remote-ID=  network-192.168.60.0/255.255.255.0

[VPN-2]
Phase=  2
ISAKMP-peer=remote
Configuration=  Default-quick-mode
Local-ID=   network-192.168.20.0/255.255.255.0
Remote-ID=  network-192.168.60.0/255.255.255.0

[ip-10.0.20.254]
ID-type= IPV4_ADDR
Address= 10.0.20.254

[network-192.168.20.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.20.0
Netmask= 255.255.255.0

[network-192.168.60.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.60.0
Netmask= 255.255.255.0

Nick


On Wed, 2005-12-21 at 04:09 -0500, Matthew Closson wrote:

Hello,

I'm running into an issue which was brought up on the list before, the
last reference I found was in 2004:

http://archive.openbsd.nu/?ml=openbsd-pfa=2004-10m=430206

I have an OpenBSD 3.8 machine.
dc0  is an internal NIC assigned 192.168.20.250
fxp0 is an external NIC assigned a.b.c.d public_IP_address
10.0.20.254 is an inet alias on fxp0
192.168.20.0/24 is my internal network.

192.168.20.0/24
|
|
|
192.168.20.250 - dc0
10.0.20.254 - inet alias on fxp0
a.b.c.d - fxp0 public_IP
|
|
 IPSEC Tunnel
|
|
e.f.g.h - public_IP tunnel endpoint
192.168.60.0/24 remote network


According to the parameters of the tunnel setup (of which I cannot change)
the remote IPSEC tunnel endpoint expects traffic from my network to look
like it is coming from 10.0.20.254/32.

This works:
ping -I 10.0.20.254 192.168.20.10

I get responses back from the pings, now I need to nat my internal network
to appear to be coming from 10.0.20.254

So I can do:

nat pass on enc0 from 192.168.20.0/24 to 192.168.60.0/24 -> 10.0.20.254

And what happens is, packets coming in from the 192.168.20.0/24 network
hit my internal NIC, are evaluated for IPSEC routing, are not part of an
SPI and are not sent over enc0.  This is because IPSEC routing takes place
before pf and nat.

In the message I linked to above, Cedric said that you can get around this
by creating a fake flow into an existing SPI so that your incoming traffic
gets routed into enc0 and then nat'd appropriately.  He said you could run
this flow from a cron script, I suppose that would run every period of
time that your SPI times out.

This doesn't seem real solid to me if you need traffic to stay up over
your tunnel.  If your script doesn't run at the right time, your existing
connections over the tunnel are going to fall apart.  In another message
someone suggested patching isakmpd to modify this behavior.

My questions are:

Is there a better or newer way of doing NAT before IPSEC routing?

Does anyone have a script for adding fake flows to SPI's periodically?

Does anyone have a source patch for isakmpd that solves this issue?


Any info is much appreciated,
I am subscribed to the list.
Thanks,

-Matt-







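Nick's isakmpd.conf sections, and Christoph's question about the Connections statement, can be sanity-checked before restarting isakmpd. The following is an added example, not code from the thread or from OpenBSD: it parses an isakmpd.conf-style file, verifies that every Phase 2 connection's Local-ID and Remote-ID point at a defined ID section whose ID-type matches address data that actually parses, and reports Phase 2 sections missing from the [Phase 2] Connections list. The sample config is constructed from the sections quoted above; the [Phase 2] Connections line is an assumption (it is how isakmpd.conf(5) activates Phase 2 connections), and the ISAKMP-peer and Configuration lines are omitted for brevity.

```python
import configparser, ipaddress

# Constructed sample modelled on the sections quoted in this thread; the
# [Phase 2] Connections list is an assumption, not part of Nick's message.
SAMPLE = """[Phase 2]
Connections= VPN-1, VPN-2
[VPN-1]
Phase= 2
Local-ID= ip-10.0.20.254
Remote-ID= network-192.168.60.0/255.255.255.0
[VPN-2]
Phase= 2
Local-ID= network-192.168.20.0/255.255.255.0
Remote-ID= network-192.168.60.0/255.255.255.0
[ip-10.0.20.254]
ID-type= IPV4_ADDR
Address= 10.0.20.254
[network-192.168.20.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.20.0
Netmask= 255.255.255.0
[network-192.168.60.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.60.0
Netmask= 255.255.255.0
"""

def check_phase2(text):
    """Parse isakmpd.conf-style text and list problems in its Phase 2 setup."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option case ("Local-ID"); default lowercases
    cp.read_string(text)
    listed = {c.strip() for c in cp.get("Phase 2", "Connections", fallback="").split(",")}
    problems = []
    for name in [s for s in cp.sections() if cp[s].get("Phase", "").strip() == "2"]:
        if name not in listed:  # defined but never brought up by isakmpd
            problems.append(f"{name}: not listed in [Phase 2] Connections")
        for role in ("Local-ID", "Remote-ID"):
            ref = cp[name].get(role, "").strip()
            if ref not in cp:
                problems.append(f"{name}: {role} refers to undefined section [{ref}]")
                continue
            sec, idt = cp[ref], cp[ref].get("ID-type", "").strip()
            try:  # the ID section's type must match the address data it carries
                if idt == "IPV4_ADDR":
                    ipaddress.IPv4Address(sec.get("Address", "").strip())
                elif idt == "IPV4_ADDR_SUBNET":
                    ipaddress.IPv4Network(f"{sec.get('Network', '')}/{sec.get('Netmask', '')}".strip())
                else:
                    raise ValueError(f"unsupported ID-type {idt!r}")
            except ValueError as e:
                problems.append(f"[{ref}]: {e}")
    return problems
```

Run against the sample it returns an empty list; drop VPN-2 from Connections, or rename an ID section, and the corresponding problem is reported.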
Re: NAT/pf before IPSEC

2005-12-21 Thread Matthew Closson

On your question, this is what I have used for my IPSec tunnel's nat:

Internal network 192.168.8.0/24
Remote network 192.168.1.0/24

vpnip=192.168.1.1

scrub in

nat on enc0 from { gem0, gem0:network } -> $vpnip

Together with:

# cat /etc/hostname.enc0
up
!ipsecadm flow -out -require -proto esp -src 192.168.8.254 -dst 
REMOTE-ENDPOINT -addr 192.168.8.0/24 192.168.1.0/24




Is 192.168.8.254 the IP address of your internal NIC?

Once this has been done, and a fake phase2 entry has been made for the 
internal network in the isakmpd.conf file, what else needs to be done?


I tried this and added the flow and phase2 connection (on my end only) and 
when I try to access hosts across the tunnel from my internal LAN and run 
tcpdump -i enc0 I still see no traffic coming across.


Any ideas of what I could be missing?  I did

ipsecadm flow -out -require -proto esp -src 192.168.20.250 -dst a.b.c.d 
-addr 192.168.20.0/24 192.168.60.0/24


Thanks,

-Matt-



And that worked fine for me. So you'll need to 'manually' add a Security 
Association.



Kind regards,
--
Stephan

On 21-dec-2005, at 10:09, Matthew Closson wrote:


Hello,

I'm running into an issue which was brought up on the list before, the last 
reference I found was in 2004:


http://archive.openbsd.nu/?ml=openbsd-pfa=2004-10m=430206

I have an OpenBSD 3.8 machine.
dc0  is an internal NIC assigned 192.168.20.250
fxp0 is an external NIC assigned a.b.c.d public_IP_address
10.0.20.254 is an inet alias on fxp0
192.168.20.0/24 is my internal network.

192.168.20.0/24
|
|
|
192.168.20.250 - dc0
10.0.20.254 - inet alias on fxp0
a.b.c.d - fxp0 public_IP
|
|
IPSEC Tunnel
|
|
e.f.g.h - public_IP tunnel endpoint
192.168.60.0/24 remote network


According to the parameters of the tunnel setup (of which I cannot change) 
the remote IPSEC tunnel endpoint expects traffic from my network to look 
like it is coming from 10.0.20.254/32.


This works:
ping -I 10.0.20.254 192.168.20.10

I get responses back from the pings, now I need to nat my internal network 
to appear to be coming from 10.0.20.254


So I can do:

nat pass on enc0 from 192.168.20.0/24 to 192.168.60.0/24 -> 10.0.20.254

And what happens is, packets coming in from the 192.168.20.0/24 network hit 
my internal NIC, are evaluated for IPSEC routing, are not part of an SPI 
and are not sent over enc0.  This is because IPSEC routing takes place 
before pf and nat.


In the message I linked to above, Cedric said that you can get around this 
by creating a fake flow into an existing SPI so that your incoming traffic 
gets routed into enc0 and then nat'd appropriately.  He said you could run 
this flow from a cron script, I suppose that would run every period of time 
that your SPI times out.


This doesn't seem real solid to me if you need traffic to stay up over your 
tunnel.  If your script doesn't run at the right time, your existing 
connections over the tunnel are going to fall apart.  In another message 
someone suggested patching isakmpd to modify this behavior.


My questions are:

Is there a better or newer way of doing NAT before IPSEC routing? Does 
anyone have a script for adding fake flows to SPI's periodically?

Does anyone have a source patch for isakmpd that solves this issue?

Any info is much appreciated,
I am subscribed to the list.
Thanks,

-Matt-




Re: isakmpd does not enter phase 2

2005-12-19 Thread Matthew Closson

given is an ipsec gateway (i think it's running some older openswan or
some other swan) to which i need to connect, establishing a net-net
tunnel. the parameters needed are IKE rekeying 1440 minutes (24
hours), IPSEC 3600 seconds (1 hour), both with 3DES/SHA1, no PFS, and
these are carved in stone, i was told.


The 3DES-SHA1 is included with isakmpd's default main-mode and quick-mode 
definitions, try those instead of redefining them.



i can't seem to get isakmpd to establish a tunnel with that site. it
seems as if phase 1 would have been negotiated fine, but when isakmpd
then sends an `initial contact', then gets back an ipv4_addr, then
things literally stop happening here.


What version of OpenBSD? 3.8?

Can you show us: sudo ipsecctl -s all
after isakmpd has been started and stops making progress?

Thanks,

-Matt-



routing over IPSEC tunnel

2005-11-12 Thread Matthew Closson

Hello,

I have an IPSEC tunnel on OpenBSD 3.8 to a cisco3000 concentrator.
I am able to successfully reach several subnets through the tunnel,
however one of the sites I need to reach through the tunnel is in
the range of 50.0.0.0/8.  So I setup a flow to it in my 
/etc/isakmpd/ipsec.conf file, but when I try to access one of the 
addresses in that range traffic gets sent out over my public IP and 
default route to the internet instead of through the tunnel.  I am 
assuming this is because 50.0.0.0/8 is not an internal IP range.  I have 
no control over the remote site's IP scheme so I can't change that.

Is there any way to route access to these IPs over my enc0 device?
Thanks,

-Matt-