Re: removing a pesky file
why can't you use ls -i, find the inode, and do find . -inum INODENUM -exec rm {} \; ? Is it a list of files that you want to remove? Put all the files in a text file and do a for loop. HTH!

Prabhu

- On May 14, 2009, at 5:47 PM, Ryan Flannery wrote:

I've been in similar situations countless times, but this one is throwing me for a loop. I have a file that I'm trying to remove with non-printable characters in the name. Additionally, some of the characters appear to be backspace/delete/etc. All my normal tricks with rm(1) fail. Using vim on the directory to try and delete the entry fails. I can get the inode of the file with ls(1), and used that to write the following program which I thought would help, but sadly it too fails.

    #include <stdio.h>
    #include <stdint.h>
    #include <sys/types.h>
    #include <dirent.h>
    #include <err.h>
    #include <unistd.h>

    int main(void)
    {
        /* open directory */
        DIR *usr;
        if ((usr = opendir("/usr")) == NULL)
            err(1, "failed to opendir");

        /* read through until we find the evil one... */
        struct dirent *entry;
        while ((entry = readdir(usr)) != NULL) {
            /* check against known evil inode */
            if (entry->d_fileno == 1065344) {
                /* got it */
                printf("found file...name length is: %d\n", entry->d_namlen);

                /* build filename as a char* */
                uint8_t i;
                for (i = 0; i < entry->d_namlen; i++)
                    printf("%d ", entry->d_name[i]);

                /* cross fingers */
                printf("\n\nattempting to unlink...\n");
                if (unlink(entry->d_name) < 0)
                    err(1, "failure, crack 'nother beer");
            }
        }
        closedir(usr);
        return 0;
    }

the program outputs the following:

found file...name length is: 194
-104 38 13 40 -22 101 -13 -4 -68 -107 69 86 49 -92 69 37 -90 -95 -52 20 27 -104 -24 -60 82 -49 46 -50 79 -70 23 -30 66 -29 56 89 29 -100 -127 59 83 -115 28 26 -121 30 81 -45 67 -53 -100 -76 103 15 109 -88 17 95 69 -102 87 -35 -41 -83 -13 -18 9 62 76 44 -52 99 33 -5 39 79 -100 49 -111 6 -64 -94 -97 19 -10 34 104 -87 100 28 125 4 -52 -101 84 -85 85 92 13 -2 -84 -11 63 125 -1 119 -67 82 27 96 -113 -79 -1 84 -87 -43 55 -14 -1 53 -124 69 -29 -65 74 27 96 -113 -71 -1 -111 75 -91 -51 -8 -81 33 -120 -58 127 85 54 -64 30 115 -1 83 44 -41 55 -25 -65 53 -124 -51 -3 -49 -41 29 -60 -12 -65 26 27 96 -39 -9 63 114 66 -2 91 -86 -105 54 -12 -65 -122 -80 104 -4 55 60 -31 -21 8 66 -6 95 -111 13 -80 44 -6

attempting to unlink...
a.out: failure, crack 'nother beer: No such file or directory

Questions:

1. Any whacks of a clue-stick would be greatly appreciated.
2. When I printf the dirent struct's d_namlen field, it says 302... grep'ing /usr/include, isn't this 255? How can this happen?
3. Passing the d_name field directly to unlink(2)... this should work, correct? (I tried this with a sample setup elsewhere and it did). Any thoughts why this would fail?

To those who are curious, the file was created when I went to unpack a ports.tar.gz and forgot the 'z' switch... d'oh. Anyway, I could try deleting the parent directory, but it's /usr.

-Ryan
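Why the posted program reports "No such file or directory", and a working way to do what it attempts, as an added example that is not part of the original thread: readdir(3) returns d_name relative to the directory being read, but unlink(2) resolves a relative name against the process's current working directory, so unless the program happens to be run from inside /usr the name is not found. Resolving the name against the directory's own descriptor with unlinkat(2) avoids that, and checking the entry type first avoids unlinking something other than a plain entry. The function names, the scratch directory under /tmp and the constructed file name (with a backspace and a DEL in it, like the one in the post) are this example's own assumptions; the inode field is d_fileno on OpenBSD, as in the post, and d_ino elsewhere.

```c
/* Added example, not from the original thread: remove a directory entry
 * by inode number, resolving the name against the directory itself.
 * Function names and the scratch path are this example's own choices. */
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* OpenBSD names the inode field d_fileno (as in the post); POSIX says d_ino. */
#ifdef __OpenBSD__
#define ENTRY_INO(e) ((e)->d_fileno)
#else
#define ENTRY_INO(e) ((e)->d_ino)
#endif

/*
 * Unlink the entry in directory `dir` whose inode number is `ino`.
 * Returns 1 if an entry was removed, 0 if no entry matched, -1 on error
 * (errno set).  d_name from readdir(3) is relative to `dir`, not to the
 * caller's working directory, so it is passed to unlinkat(2) together with
 * the directory's descriptor; this is the step the posted program skips.
 * Only non-directory entries are removed: a matching directory yields EISDIR.
 */
int unlink_by_inode(const char *dir, ino_t ino)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int fd = dirfd(d);
    int result = 0;
    struct dirent *e;

    while ((e = readdir(d)) != NULL) {
        if (ENTRY_INO(e) != ino)
            continue;
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;

        struct stat st;
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) == -1) {
            result = -1;
            break;
        }
        if (S_ISDIR(st.st_mode)) {
            errno = EISDIR;
            result = -1;
            break;
        }
        result = (unlinkat(fd, e->d_name, 0) == 0) ? 1 : -1;
        break;
    }

    int saved = errno;
    closedir(d);
    errno = saved;
    return result;
}

/*
 * Self-check on a constructed example: a file whose name carries a
 * backspace and a DEL, in a throwaway directory.  Returns 1 on success.
 */
int selftest(void)
{
    char dir[] = "/tmp/inodermXXXXXX";        /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char path[512];
    snprintf(path, sizeof path, "%s/evil\b\x7f name", dir);

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return 0;
    close(fd);

    struct stat st;
    if (stat(path, &st) == -1)
        return 0;
    ino_t ino = st.st_ino;

    int ok = unlink_by_inode(dir, ino) == 1
          && stat(path, &st) == -1 && errno == ENOENT
          && unlink_by_inode(dir, ino) == 0;   /* nothing left to match */
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s directory inode\n", argv[0]);
        return 2;
    }
    int r = unlink_by_inode(argv[1], (ino_t)strtoull(argv[2], NULL, 10));
    if (r == -1) {
        perror("unlink_by_inode");
        return 1;
    }
    puts(r ? "removed one entry" : "no entry with that inode");
    return r ? 0 : 1;
}
```

Run as `./a.out /usr 1065344` for the post's case; selftest() builds the scratch directory, creates the awkwardly named file, removes it by inode and confirms it is gone. If several hard links to the inode live in the same directory, only the first one readdir(3) returns is removed, and since the fstatat/unlinkat pair is not atomic, on a directory writable by other users a different entry substituted under the same name in between could be the one unlinked.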
Re: Intel quad port PRO/1000QP 82575GB chipset
, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub5 at uhub0 port 1 "Dell product 0xa001" rev 2.00/0.00 addr 2
uhidev0 at uhub5 port 1 configuration 1 interface 0 "Dell DRAC5" rev 1.10/0.00 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub5 port 1 configuration 1 interface 1 "Dell DRAC5" rev 1.10/0.00 addr 3
uhidev1: iclass 3/1
ums0 at uhidev1
ums0: X report 0x0002 not supported
uhub6 at uhub0 port 5 "Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 4
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx1: address 00:22:19:0b:a9:ee
brgphy0 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx0: address 00:22:19:0b:a9:f0
brgphy1 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6

On Oct 23, 2008, at 4:30 PM, Chris Kuethe wrote:

On Thu, Oct 23, 2008 at 4:14 PM, Prabhu Gurumurthy [EMAIL PROTECTED] wrote:

I installed 4.4 (current) on a Dell 2950, dmesg at the bottom. I am having trouble seeing the Intel quad port PRO/1000 QP card in OpenBSD. When I look into /usr/src/sys/dev/pci/{pcidevs, pcidevs.h} I see that the chipset is listed. Does it require firmware of some sort, because em(4) does not list this chipset; however, it lists the card, which implies this card has more chipsets.

In pcidevs.h:

#define PCI_PRODUCT_INTEL_82575GB_QUAD_CPR 0x10d6 /* PRO/1000 QP (82575GB) */

try patching it into sys/dev/pci/if_em.c, there's a big table near the top of this file listing all the devices the driver supports... this might work, or it might need something else (like the em variant found in lenovo X200's)

As a side note, this system has 32G of memory, any chance it would work? I can only see 3GB maximum on 4.3/amd64 mp kernel.

this has already been discussed this month. the answers you seek are in the archives.

Thanks!

dmesg:

OpenBSD 4.4-current (GENERIC.MP) #947: Tue Oct 21 16:00:28 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 2142142464 (2042MB)
avail mem = 2062811136 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/29/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version "2.3.1" date 04/29/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
Intel quad port PRO/1000QP 82575GB chipset
I installed 4.4 (current) on a Dell 2950, dmesg at the bottom. I am having trouble seeing the Intel quad port PRO/1000 QP card in OpenBSD. When I look into /usr/src/sys/dev/pci/{pcidevs, pcidevs.h} I see that the chipset is listed. Does it require firmware of some sort, because em(4) does not list this chipset; however, it lists the card, which implies this card has more chipsets.

In pcidevs.h:

#define PCI_PRODUCT_INTEL_82575GB_QUAD_CPR 0x10d6 /* PRO/1000 QP (82575GB) */

As a side note, this system has 32G of memory, any chance it would work? I can only see 3GB maximum on 4.3/amd64 mp kernel.

Thanks!

dmesg:

OpenBSD 4.4-current (GENERIC.MP) #947: Tue Oct 21 16:00:28 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 2142142464 (2042MB)
avail mem = 2062811136 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/29/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version "2.3.1" date 04/29/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu7: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt6: no apic found for irq 64
acpiprt6: no apic found for irq 65
acpiprt6: no apic found for irq 78
acpiprt7 at acpi0: bus 13 (PEX4)
acpiprt8 at acpi0: bus 15 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 17 (COMP)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
acpicpu4 at acpi0: C3
acpicpu5 at acpi0: C3
acpicpu6 at acpi0: C3
acpicpu7 at acpi0: C3
bios0: ROM list: 0xc0000/0x9000! 0xc9000/0x1000 0xca000/0x1e00 0xcc000/0x5e00 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev
NAT/PAT over IPsec (enc0 interface)
All -

How can I do NAT/PAT over IPsec? To explain more: I have 4 hosts in 2 different networks (10.200.0/22 and 10.57.132/24). They are 10.57.132.18, 10.57.132.24, 10.57.132.41 and 10.200.1.208. When these hosts access 10.200.200/24, 10.200.136/24, 10.200.205/24 and 10.200.132/24 I want to NAT them to 207.129.36.65.

My IPsec policies are:

ike esp from { 207.129.36.65 } to { 10.200.200/24, 10.200.136/24, 10.200.205/25, 10.200.132/24 } \
    local X.X.X.X ... ... psk Z

My IPsec tunnels are up, however I have trouble NAT'ing. I followed some pointers given in ipsec(4):

    NAT can also be applied to enc# interfaces, but special care should be taken because of the interactions between NAT and the IPsec flow matching, especially on the packet output path. Inside the TCP/IP stack, packets go through the following stages:

        UL/R --> [X] --> PF/NAT(enc0) --> IPsec --> PF/NAT(IF) --> IF
        UL/R <-------- PF/NAT(enc0) <-- IPsec <-- PF/NAT(IF) <-- IF

    With IF being the real interface and UL/R the Upper Layer or Routing code. The [X] stage on the output path represents the point where the packet is matched against the IPsec flow database (SPD) to determine if and how the packet has to be IPsec-processed. If, at this point, it is determined that the packet should be IPsec-processed, it is processed by the PF/NAT code. Unless PF drops the packet, it will then be IPsec-processed, even if the packet has been modified by NAT.

and this email thread: http://marc.info/?l=openbsd-misc&m=121866081214667&w=2

My pf.conf snippet:

table <MY_HOSTS> persist { \
    10.57.132.18, \
    10.57.132.24, \
    10.57.132.41. \
    10.200.1.208 }
table <OTHER_HOSTS> persist { \
    10.200.200/24, \
    10.200.136/24, \
    10.200.205/24, \
    10.200.132/24 }
NAT_IP = "207.129.36.65"
enc_if = "enc0"

nat on $enc_if from <MY_HOSTS> to <OTHER_HOSTS> -> $NAT_IP
pass quick on $enc_if
...

I had "set skip on $enc_if", which I removed following the above thread.

Any pointers?

Thanks!
Prabhu
Re: OSPFd and ipsec routes
Maybe use "redistribute static" in ospfd, but I don't think there is a way of doing it automatically.

hope this helps!
Prabhu

- On Sep 25, 2008, at 10:32 AM, B A wrote:

Hello! Can ospfd redistribute routes in the Encap table (`netstat -nr -f encap`)? Are they considered static? There is no such info in ospfd.conf...
Re: make ls not show dot-files as root
man ls shows the -A option is implicit when running as root. So, in short, it would be no.

On Jul 28, 2008, at 3:33 PM, Jesus Sanchez wrote:

Hi, using 4.2. Just for curiosity... Can I make ls NOT show the hidden files (.xinitrc, .vimrc, etc.) when using it as root?? Thanks 4 all.
blackholed route on 4.3 (stable, generic)
I have got a weird problem with my network setup. I have a pair of identical OpenBSD 4.3 (stable, GENERIC) boxes running in Active/Standby failover using carp, pfsync and sasyncd.

uname: OpenBSD nitehawk.contoso.com 4.3 GENERIC#698 i386

The CARP boxes' external interfaces (bge0) are 172.21.171.{6, 7} and they share 172.21.171.5.
The CARP boxes' internal interfaces (bge1) are 172.21.100.{2, 3} and they share 172.21.100.1.
Their failover interfaces (em0) are 172.21.123.{2,3}.

I have a pair of Cisco ASA (Active/Standby failover) behind the CARP boxes on the bge1 interface. The ASA interface IP is 172.21.100.4. The ASA has one network behind it (172.21.69.0/24).

There are 5 routers apart from the CARP boxes on the bge0 interface. I have two separate IPsec tunnels terminating on two Cisco 2811 routers. The Cisco routers have one network behind them each, 192.168.171/24 and 192.168.101/24 respectively.

One of my requirements is to do policy-based static NAT with 172.21.69.0/24. To explain it more, when the traffic is to/from 192.168.101.0/24, the ASA would static NAT 172.21.69.0/24 to 172.21.169.0/24. The interesting traffic for the second tunnel essentially is 192.168.101.0/24 <=> 172.21.169.0/24. For completeness, the interesting traffic for the first tunnel is 192.168.171.0/24 <=> 172.21.69.0/24.

netstat -rnf encap on the master:

nitehawk (OpenBSD): [~] ttyp0: [700]# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.101/24     0     172.21.169/24      0     0     172.21.171.9/esp/use/in
172.21.169/24      0     192.168.101/24     0     0     172.21.171.9/esp/require/out
192.168.171/24     0     172.21.69/24       0     0     172.21.171.8/esp/use/in
172.21.69/24       0     192.168.171/24     0     0     172.21.171.8/esp/require/out

I have enabled OSPF routing on all network devices (i.e. CARP boxes, 5 routers on the outside and the ASA on the inside).

ifconfig on the master:

nitehawk (OpenBSD): [~] ttyp0: [686]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:51:81:75
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.123.2 netmask 0xffffff00 broadcast 172.21.123.255
        inet6 fe80::215:17ff:fe51:8175%em0 prefixlen 64 scopeid 0x1
        inet6 fd1b:d92f:84f3:123:215:17ff:fe51:8175 prefixlen 64
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:85
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.171.6 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::21c:23ff:fee1:cb85%bge0 prefixlen 64 scopeid 0x2
        inet6 fd1b:d92f:84f3:171:21c:23ff:fee1:cb85 prefixlen 64
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:86
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.100.2 netmask 0xffffff00 broadcast 172.21.100.255
        inet6 fe80::21c:23ff:fee1:cb86%bge1 prefixlen 64 scopeid 0x3
        inet6 fd1b:d92f:84f3:100:21c:23ff:fee1:cb86 prefixlen 64
enc0: flags=0<> mtu 1536
lo127: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 172.21.127.6 netmask 0xffffffff
        inet6 fd1b:d92f:84f3:127:31e1:bb3f:20c8:7f06 prefixlen 128
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: em0 syncpeer: 224.0.0.240 maxupd: 128
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev bge0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 172.21.171.5 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x7
        inet6 fd1b:d92f:84f3:171:f9a0:3201:525c:671 prefixlen 64
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev bge1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 172.21.100.1 netmask 0xffffff00 broadcast 172.21.100.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x8
        inet6 fd1b:d92f:84f3:100:1983:b905:3d8e:3dc7 prefixlen 64

When 172.21.69.17 (behind the ASA) tries to talk to 192.168.171.0/24, I can see that the traffic is reaching the bge1 interface, then getting encapsulated in the ESP tunnel and then sent across. In short, it works as expected.

Example:

From: 172.21.69.17 (behind ASA)
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1
Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs
I do not know whether the Windows XP native IPsec stack supports AES; I know it only supports up to 3des. With OpenBSD, the default is AES (128), that is why IKE is giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and sha1 (or maybe md5) and you would get quick mode working.

Prabhu

- Harald Dunkel wrote:

Hi folks,

I am trying to set up an IPsec connection between OpenBSD and Windows XP (NCP IPsec client). ipsec.conf is just a single line:

ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the Windows PC.)

Phase I seems to work, but in Phase II isakmpd complains:

Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.dump"
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, responder id c0a80501/ffffffff: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249 port 500 due to notification type NO_PROPOSAL_CHOSEN

Looking into the negotiation packets I see at the beginning of Phase II:

14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 45305a4f len: 220
        payload: HASH len: 24
        payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8b62522d
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute KEY_LENGTH = 256
            payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xdc14778f
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 44
        payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 27b9931138233444->5f559cf7b1c1dda0 msgid: 93170a11 len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12
            notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)

Obviously isakmpd doesn't like something in the negotiation packet sent by the NCP IPsec client on Windows.

Anybody got an idea?

Regards
Harri
ipsec.conf question
All,

I have a question regarding ipsec.conf. Example:

IPsec peers: 3.3.3.3, 3.3.3.2
Interesting traffic:
    1.1.1.1 - 192.168.100.2
    2.2.2.2 - 192.168.100.0/24
Main/Quick mode crypto/groups being: aes, sha1 and group2
PSK being test123

How can I define the above concisely? I can, for example, do the following:

ike esp from 1.1.1.1 to 192.168.100.2 \
    local 3.3.3.3 peer 3.3.3.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk test123
ike esp from 2.2.2.2 to 192.168.100.0/24 \
    local 3.3.3.3 peer 3.3.3.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk test123

Is there any way to shorten it? Most of it seems to be redundant except for the interesting traffic part.

FWIW, I am running 4.3-current: OpenBSD pgurumur-vm-openbsd.xxx.com 4.3 GENERIC#732 i386

Thanks
Prabhu
Re: Bind stopped Listening on UDP port suddenly in 4.2
Siju George wrote:

Hi,

I was using the Internet and name resolution suddenly stopped. When I checked I found out:

===
$ netstat -an | grep 53
tcp        0      0  127.0.0.1.953          *.*                    LISTEN
tcp        0      0  59.93.35.248.53        *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
udp        0      0  59.93.35.248.53        *.*
udp        0      0  127.0.0.1.53           *.*
tcp6       0      0  ::1.953                *.*                    LISTEN
tcp6       0      0  *.53                   *.*                    LISTEN
udp6       0      0  *.53
===

Bind is no longer listening on udp 127.0.0.1.53.

According to the output you provided, it seems to be listening (see line 5 in the netstat output).

For the time being I use OpenDNS. Could someone please let me know how to fix this?

===
$ cat /etc/resolv.conf
lookup file bind
nameserver 127.0.0.1
nameserver 208.67.222.222

$ cat /etc/rc.conf.local
pf=YES
named_flags=""

$ sudo ps aux | grep named
_syslogd  5452  0.0  0.2   532   724 ??  S     9:42AM    0:00.01 syslogd -a /var/named/dev/log -a /var/empty/dev/log
named    15162  0.0  0.7  2504  3064 ??  I     9:42AM    0:00.07 named
root     32198  0.0  0.2  1604   728 ??  Is    9:42AM    0:00.00 named: [priv] (named)
===

Thank you so much

Kind Regards

Siju

What does "host www.google.com 127.0.0.1" say, and what does "tcpdump -env -i lo0 udp port 53" say?
ICMP6 message size
Hi all,

I have two hosts, one on OpenBSD 4.2 (stable) and the other on Redhat ESv4u4.

When I ping (ipv6) from OpenBSD to Redhat with a custom size for icmp6 (-s option), I cannot go past 8184; 8185 and above give me an error, EMSGSIZE. Whereas pinging from Redhat to OpenBSD I can go beyond 8184, in fact I am able to go to 10000; above that I have not tried it yet. Is this behavior expected?

OpenBSD IPv6 Address: fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
Redhat IPv6 Address: fd1b:d92f:84f3:167:214:22ff:fe7b:cc68

command: ping6 -s SIZE -c 5 HOST

Test from OpenBSD

Basic ping with 56 bytes:

openbsd-test: [~] [84]$ ping6 -c 2 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(56=40+8+8 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
16 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=0 hlim=63 time=7.987 ms
16 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=1 hlim=63 time=2.029 ms

--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.029/5.008/7.987/2.979 ms

Ping with custom size set to 8184 bytes:

openbsd-test: [~] [85]$ ping6 -c 2 -s 8184 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(8232=40+8+8184 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
8192 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=0 hlim=63 time=24.35 ms
8192 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=1 hlim=63 time=19.296 ms

--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 19.296/21.823/24.350/2.527 ms

Ping with custom size set to 8185 bytes:

openbsd-test: [~] [86]$ ping6 -c 2 -s 8185 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(8233=40+8+8185 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
ping6: sendmsg: Message too long
ping6: wrote fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 8193 chars, ret=-1
ping6: sendmsg: Message too long
ping6: wrote fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 8193 chars, ret=-1

--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Test from Redhat:

Basic ping:

[EMAIL PROTECTED] ~]# ping6 -c 2 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 56 data bytes
64 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 time=3.17 ms
64 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 time=1.79 ms

--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.797/2.487/3.178/0.692 ms, pipe 2

Ping with custom size set to 8184:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 8184 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 8184 data bytes
8192 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 time=9.37 ms
8192 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 time=9.32 ms

--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.322/9.349/9.377/0.100 ms, pipe 2

Ping with custom size set to 8185:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 8185 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 8185 data bytes
8193 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 time=9.36 ms
8193 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 time=9.40 ms

--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.362/9.382/9.403/0.099 ms, pipe 2

Ping with custom size set to 10000:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 10000 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 10000 data bytes
10008 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 time=11.0 ms
10008 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 time=21.0 ms

--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 11.086/16.044/21.002/4.958 ms, pipe 2

OpenBSD uname: OpenBSD openbsd-test.contoso.com 4.2 GENERIC#375 i386

ifconfig from OpenBSD:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:8d:f7:32
        groups: egress
OSPF and CARP question
All -

This is going to be a lengthy email, sorry about that. I have a question about running CARP + OSPF; I looked at all the email pertaining to it on the marc.info website.

Network scenario:

I have an ethernet segment (172.21.171.0/24): Cisco 1760 (.1), Cisco 2621 (.4), Dell PowerConnect (.2), OpenBSD 4.2 systems (.6, .7 sharing .5 using carp), with the OpenBSD systems running carp + pfsync. The Cisco 1760 is connected to DSL and I redistribute the default route from the 1760, which gets propagated as E2 type to all the nodes participating in OSPF.

I have another ethernet segment (172.21.71/24) with the above mentioned OpenBSD 4.2 systems (.2, .3 sharing .1 using carp) and another Cisco 2610 (.4). I have a linux host behind the c2610 (network: 172.21.55/24), cisco being .1, linux host being .17.

All hosts are in a single area (area 0). I also have 4 networks sitting behind the PowerConnect device, 172.21.{167, 145, 125, 99}/24.

Each and every time I try to connect to 172.21.55.17 from 172.21.125.23, I am seeing the tcp connection being shared by the two OpenBSD firewalls because of the fact that they are running OSPF and the cisco 2610 is seeing two equal paths to the 172.21.125/24 network through the OpenBSD firewalls. When I connect to the Internet from the linux host, I am seeing packets being sent to the backup instead of the master.

Configuration:

Stock OpenBSD kernel running on 2 PowerEdge 860s with twin broadcom GigE ethernet interfaces.

# uname -a
OpenBSD carp02.contoso.com 4.2 GENERIC#375 i386

Since this email already is big, I am not including dmesg; if it is needed, I'll post it.

configuration from OpenBSD system: 172.21.171.6

ip addresses:

/etc/hostname.bge0:
inet 172.21.171.6 255.255.255.0 NONE

/etc/hostname.bge1:
inet 172.21.71.2 255.255.255.0 NONE

/etc/hostname.carp0:
inet 172.21.171.5 255.255.255.0 172.21.171.255 vhid 1 pass Char!i3

/etc/hostname.carp1:
inet 172.21.71.1 255.255.255.0 172.21.71.255 vhid 2 pass F00bar

/etc/hostname.lo127:
inet 172.21.127.6 255.255.255.255 NONE

/etc/hostname.pfsync0:
up syncif bge1

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:85
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.171.6 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::21c:23ff:fee1:cb85%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:86
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.71.2 netmask 0xffffff00 broadcast 172.21.71.255
        inet6 fe80::21c:23ff:fee1:cb86%bge1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
lo127: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 172.21.127.6 netmask 0xffffffff
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: bge1 syncpeer: 224.0.0.240 maxupd: 128
        groups: carp pfsync
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev bge0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 172.21.171.5 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev bge1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 172.21.71.1 netmask 0xffffff00 broadcast 172.21.71.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7

/etc/ospfd.conf:

router-id 172.21.127.6
redistribute default set { metric 30 type 2 }

area 0.0.0.0 {
    demote carp 1
    interface lo127
    interface carp0 { demote carp }
    interface carp1 { demote carp }
    interface bge1 {
        auth-type crypt
        auth-md 1 "R0ut1ng"
        auth-md-keyid 1
    }
    interface bge0 {
        auth-type crypt
        auth-md 1 "R0ut1ng"
        auth-md-keyid 1
    }
}

# ospfctl show neigh
ID              Pri State        DeadTime Address         Iface  Uptime
172.21.127.2    0   FULL/OTHER   00:00:34 172.21.171.2    bge0   00:32:03
172.21.127.1    1   FULL/OTHER   00:00:32 172.21.171.1    bge0   00:32:08
172.21.127.7    1   FULL/OTHER   00:00:34 172.21.171.7    bge0   00:30:48
172.21.127.4    1   FULL/DR      00:00:31 172.21.171.4    bge0   00:34:54
172.21.127.7    1   FULL/OTHER   00:00:34 172.21.71.3     bge1   00:30:43
172.21.127.8    1   FULL/DR      00:00:39 172.21.71.4     bge1   00:35:29

Configuration on OpenBSD system: 172.21.171.7
Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA
Brian A Seklecki (Mobile) wrote:

On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:

On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:

Have you tried OpenBSD 4.2? PF has been really improved in this release.

pf(4) has nothing to do with isakmpd(8), except as it relates to the recent addition of routing tags.

- PIX/ASA is going to get you a default packet ASA forwarding based on interface weights
- PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH VPN Road-warrior clients
- PIX has functional object-groups/group-object inheritance
- PIX/ASA has proprietary serial console fail-over (which is marginally faster than waiting for CARP)
- PIX/ASA has some magical black-box inline transparent protocol fixups
- PIX has a 4 hour SmartNet support contract option
- PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

I don't know about ASA, but the 5xx PIX doesn't support IPv6.

Otherwise they're both software-based stateful IP packet forwarding engines running on i386 with NAT and IPSec and 802.1q support. OpenBSD will always scale better because you can run it on the hardware platform of your choice.

~BAS

1. VPN is computationally heavy -- is your hardware fast enough?
2. Try playing with queueing in PF to handle some types of traffic faster than others. AFAIK, it is normal to find this kind of configuration in commercial, black-box solutions, disguised as buzzy slogans like "Built-in QoS Super-Routing" :-)

Just my two cents.

Martin

Are you sure PIX 515 and above does not support IPv6? By that do you mean IPv6 routing? If that is the case, yes. But PIX 515E and ASA do support IPv6 fine when you use a 7.X and above version of the image. In addition to your 4th point, PIX and ASA support failover using LAN; only PIX supports serial based failover.
To the OP: We use ASA and OpenBSD in our production environment and we spent close to $10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy two Dell boxes to put OpenBSD (using GigE) on them and use them as failover, i.e. pf + pfsync + sasyncd, and it's been fine for the past 11 months. Where do you see OpenBSD lagging behind? If it is the transfer rate, you can tweak TCP settings using sysctl; you can also upgrade to 4.2 as the other post indicated. And are you willing to spend money to buy expensive gear? That is the question.
Re: problem with ipsec tunnel between pix and openbsd
Sebastian Reitenbach wrote:

Hi,

I setup a tunnel between a PIX and an OpenBSD isakmpd to connect two networks behind each tunnel endpoint. Pinging through the tunnel from both sides works, for the first 15 minutes. Then the ping stops working. When I recreate the tunnel, the ping starts to work again. I start isakmpd with isakmpd -k and I use ipsecctl to activate the tunnel.

To work around the problem I added dead peer detection to the isakmpd.conf file. It checks every 10 seconds for a dead peer; this detects that the tunnel is not in a good state, and restarts it. I also found in an old howto that I have to create a policy file that says that the OpenBSD box is the initiator of the tunnel.

I have not found a way to prevent the tunnel from going into that bad state. I think I have a problem with rekeying. In my eyes activating the DPD is only working on the symptoms, so I assume there must be a better way to fix the problem.

Here is my isakmpd.conf file:

[General]
Listen-on=131.103.56.171
Default-phase-1-lifetime= 28800,60:86400
Default-phase-2-lifetime= 1200,60:86400
DPD-check-interval= 10
Policy-File=/etc/isakmpd/isakmpd.policy

and here my ipsecctl.conf file:

ike active esp from 192.168.0.0/24 to 10.1.0.0/24 \
        local $my_gw peer $remote_gw \
        main auth hmac-md5 enc 3des group grp2 \
        quick auth hmac-md5 enc aes group none \
        psk MyTopSecretKey

Any idea what I can try to prevent the tunnel from stopping working?

kind regards
Sebastian

It will be helpful if you can give the corresponding PIX configuration as well. Your ipsecctl.conf seems to be good! Can you give us the output of ipsecctl -vv -sa and tail -f /var/log/{daemon,messages}?

Prabhu -
Re: ipsec slave
Steven Surdock wrote:

Can anyone provide some insight as to the correct configuration of a sasyncd slave server with respect to /etc/rc.conf.local? For example, is the following correct?

---
ntpd_flags=                     # enabled during install
sasyncd_flags=                  # for normal use:
pf=YES                          # Packet filter / NAT
pf_rules=/etc/pf.conf           # Packet filter rules file
pflogd_flags=                   # add more flags, ie. -s 256
isakmpd_flags=-K                # for normal use:
ipsec=YES                       # IPsec
ipsec_rules=/etc/ipsec.conf     # IPsec rules file
---

Where /etc/ipsec.conf is identical to the master server. I originally had ipsec=NO but the SA's did not renegotiate eight hours (or so) after a failover :-( Do I need a -a for isakmpd?

Thanks!
-Steve S.

Can you provide details of your /etc/sasyncd.conf file? Mine looks like this on master:

interface carp1
peer 192.168.30.2
sharedkey F00Mat1cA3S|3n

On slave:

interface carp1
peer 192.168.30.1
sharedkey F00Mat1cA3S|3n

apart from the usual isakmpd_flags=-K and ipsec=YES on both the hosts and a valid config file on both hosts.

Hope this helps!
Prabhu -
Re: Problems with second ipsec(ctl) tunnel
Steven Surdock wrote:

Greetings,

I recently converted from isakmpd.conf to ipsec.conf and I seem to be having a problem bringing up a second tunnel to a PIX. It _appears_ that the OBSD side is trying to use the default hmac (sha2_256) even though it is configured to use md5 for the second tunnel. Oddly, the first tunnel comes up fine. Any insight or trouble-shooting tips would be appreciated. BTW, is there any way to see what flows have been configured? ipsecctl -sf seemed to only show a flow when phase I was complete.

ipsecctl -sf
flow esp in from 192.168.60.192/28 to 10.10.0.0/16 peer 192.168.40.8 srcid 192.168.13.4/32 dstid 192.168.40.8 type use
flow esp out from 10.10.0.0/16 to 192.168.60.192/28 peer 192.168.40.8 srcid 192.168.13.4/32 dstid 192.168.40.8 type require

The local peer (OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT 2007) is configured like:

ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
        peer 192.168.40.8 \
        local 192.168.13.4 \
        main auth hmac-md5 enc aes group modp1024 \
        psk Hereismylovelykey

/var/log/messages:

Apr 23 12:28:52 fw1 isakmpd[965]: transport_send_messages: giving up on exchange IPsec-10.5.0.0/24-192.168.60.192/28, no response from peer 192.168.40.8:500
Apr 23 12:28:52 fw1 isakmpd[965]: message_recv: bad message length
Apr 23 12:28:52 fw1 isakmpd[965]: dropped message from 192.168.40.8 port 500 due to notification type Unknown 0
...more of the above
Apr 23 12:29:37 fw1 isakmpd[965]: dropped message from 192.168.40.8 port 500 due to notification type Unknown 0
Apr 23 12:30:25 fw1 isakmpd[965]: message_validate_notify: protocol not supported
Apr 23 12:30:33 fw1 isakmpd[965]: message_recv: bad message length

The remote is a PIX configured like:

access-list 100 permit ip 192.168.60.192 255.255.255.240 10.10.0.0 255.255.0.0
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.5.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set RMT esp-aes esp-md5-hmac
crypto map RMT 10 ipsec-isakmp
crypto map RMT 10 match address 100
crypto map RMT 10 set peer 192.168.13.4
crypto map RMT 10 set transform-set RMT
crypto map RMT interface outside
isakmp enable outside
isakmp key address 192.168.13.4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The PIX debug says:

crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3599058422
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 1200
ISAKMP:      encaps is 1
ISAKMP:      authentication algorithm... What? 5?
ISAKMP:      group is 2
ISAKMP:      key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 5) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0xd68545f6
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xd68545f6

I too have the same problem. I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it works flawlessly with another OpenBSD system as the peer.

I tried to enable an OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)). I defined quick auth hmac-sha enc aes; when I do that I get phase 1 completed.

ipsec.conf

ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
        local 10.200.3.7 peer 10.200.3.1 \
        main auth hmac-sha1 enc aes \
        quick auth hmac-sha enc aes \
        srcid 10.200.3.7 psk F00F00Bar

snippet from PIX firewall:

crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 1 ipsec-isakmp
crypto map VPN_MAP 1 match address VPN_ACL
crypto map VPN_MAP 1 set peer 10.200.3.7
crypto map VPN_MAP 1 set transform-set IPSEC_SET
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp key address 10.200.3.7 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
Re: Problems with second ipsec(ctl) tunnel
Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:
...

I too have the same problem. I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it works flawlessly with another OpenBSD system as the peer.

I tried to enable an OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)). I defined quick auth hmac-sha enc aes; when I do that I get phase 1 completed.

ipsec.conf

ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
        local 10.200.3.7 peer 10.200.3.1 \
        main auth hmac-sha1 enc aes \
        quick auth hmac-sha enc aes \
        srcid 10.200.3.7 psk F00F00Bar
...

I don't think hmac-sha is a valid argument for your Phase II.

-Steve S.

Yes, thanks, but that was a typo.. sorry for the confusion. Still the tunnel does not come up.

Thanks
Prabhu -
Re: Problems with second ipsec(ctl) tunnel
Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:
...

Yes, thanks, but that was a typo.. sorry for the confusion. Still the tunnel does not come up.

What does your ACL VPN_ACL look like? How about the output from a debug crypto isakmp from the PIX?

-Steve S.

Ah.. finally figured it out! Mismatch on encryption:

On PIX side I had:

crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

On OpenBSD side I had:

ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
        local 10.200.3.7 peer 10.200.3.1 \
        main auth hmac-sha1 enc aes \
        quick auth hmac-sha1 enc aes \
        srcid 10.200.3.7 psk !PS3c1nf0

When I enabled debug crypto ipsec and debug crypto isakmp:

crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.200.3.7/53766 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2634506259
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 1200
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP:      key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response

IPSec SA failed to form because of a mismatch in the AES (CBC) key length: PIX expected AES 256, OpenBSD offered AES 128!

*Does anybody know how to fix that in OpenBSD ipsec.conf?*

When I changed my crypto transform-set to:

crypto ipsec transform-set IPSEC_SET esp-aes esp-sha-hmac

the IPSec SA gets established:

ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xb2b675d9
ISAKMP (0): retransmitting phase 2 (2/1)... mess_id 0xb2b675d9
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:59402 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3959032696, spi size = 4
ISAKMP (0): deleting other-spi 3182850060 message ID = 2998302169
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 285204, spi size = 16
ISAKMP (0): deleting SA: src 10.200.3.7, dst 10.200.3.1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.200.3.7/53766
IPSec OSPF
All -

Scenario: We have two OpenBSD firewalls/VPN gateways working in failover mode using pf, pfsync, carp and sasync. The firewalls, on their inside network, are connected to a Cisco router which is connected back to the main corp network using a P2P serial connection (two bonded T1s). The corp side of the router is also another Cisco device. We have OSPF running on the corp network and the remote network. Presently the corp network is connected to a 2MB/s DSL, which is also another Cisco box, and the OpenBSD firewalls are connected to a 10MBs ethernet connection, so we want to switch the default route to the OpenBSD firewalls.

We want to:
1. connect the Cisco DSL router to the OpenBSD firewalls using L2L IPSec for redundant connectivity.
2. monitor the serial interface on the Cisco, for which we can use HSRP, VRRP, or OSPF with metrics.

I would like to connect the Cisco DSL router to the OpenBSD firewall using an L2L IPsec tunnel. This would help if we lose the serial connection: then we can route all traffic going to the remote network to ride the IPSec tunnel.

Question:
1. How do I specify a route to the corp network thru the IPSec tunnel to distribute into the OSPF cloud in OpenBSD? If I can, then we can use the route metric to make sure that the IPSec tunnel can fail over in case we lose serial connectivity to the remote network.

Hope this makes sense. Thanks for all your responses!

Prabhu -
Re: Symbolic link insecure?
Heinrich Rebehn wrote:

Hi list,

I am getting a daily insecurity report from my system saying:

## Checking special files and directories.
Output format is:
        filename:
                criteria (shouldbe, reallyis)
etc/pf.conf:
        type (file, link)
        permissions (0600, 0755)
##

I am actually using a symbolic link for /etc/pf.conf:

ls -l /etc/pf.conf*
lrwxr-xr-x  1 root  wheel     11 Nov 30 17:04 /etc/pf.conf -> pf.conf.001
-rw-------  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
-rw-------  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file.

My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to. Sorry if this might sound like nitpicking, but I do not want to get used to ignoring security warnings.

Thanks for any help,

Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :            -3341

Two things: use RCS. That saves you headaches; instead of multiple versions of a file, use one file with multiple diffs. Other than that, the email is really about the symlink, as others pointed out. If you use RCS you can have the versioning system in place as you already have it, although in a scalable way IMO, and no /etc/security email about shouldbe, reallyis.

HTH
Prabhu -
Re: ksh .profile not evaluated using screen, xterm or subshells
Bruno Carnazzi wrote:

Hi misc,

I export/alias some important stuff in my ksh .profile. It works normally, but since I run screen or xterm, my .profile is not evaluated (or even if I launch a sub-shell). I know there is a difference between a login shell and a sub shell, but how can I have some environment variables and aliases in all contexts, every time? I use OpenBSD/i386 3.9-release's pdksh.

Best regards,
Bruno.

You should have searched the archives. In .Xdefaults

XTerm*loginShell: true

will do the trick.

Prabhu -
ipsecctl parser behavior on OpenBSD 4.0 running generic kernel#1137
I wanted to test ipsec.conf before loading it and I noticed this odd behavior.

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [570]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [571]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [572]$ echo $?
0

*This is expected!*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [573]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [574]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 2: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [575]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [576]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [577]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [578]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [579]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [580]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [581]$ echo $?
0

*Is this expected? I am missing an ending quote on line three and the parser thinks this is correct*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [582]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [583]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [584]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [585]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [586]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [587]$ echo $?
1

*When I remove the psk string, the parser notices the problem and errors out*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [588]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [589]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [590]$ echo $?
0
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] 10.200.0.46: [591]$ uname -a
OpenBSD pgurumur-vm-openbsd.silverspringnet.com 4.0 GENERIC#1137 i386

dmesg:
OpenBSD 4.0-current (GENERIC) #1137: Wed Oct 4 06:34:08 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS
real mem = 267939840 (261660K)
avail mem = 236720128 (231172K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(53) BIOS, date 07/29/05, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @
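Two things in the threads above can be caught mechanically before a file is handed to ipsecctl: a psk string whose closing quote is missing (which ipsecctl -n accepted in the session above), and a quick-mode enc aes with no key length, which the PIX debug earlier shows negotiating AES-128 and therefore never matching an esp-aes-256 transform set (ipsec.conf(5) takes aes-256 for an explicit key length). The lint below is an added example, not code from the list posts or from OpenBSD; the sample configuration and file names in it are constructed.

```shell
#!/bin/sh
# Added example: a small pre-load lint for ipsec.conf(5) files.
# Two checks drawn from the threads above:
#   1. a line with an odd number of double quotes (an unterminated "psk"
#      string that ipsecctl -n did not reject);
#   2. a quick-mode "enc aes" with no key length, which negotiates AES-128 and
#      cannot match a peer transform set such as the PIX "esp-aes-256".
# Usage: lint_ipsec_conf /etc/ipsec.conf   (exit status 1 if anything is flagged)

lint_ipsec_conf() {
    awk '
        BEGIN { problems = 0 }
        /^[ \t]*#/ { next }                      # comment line, nothing to check
        {
            line = $0
            quotes = gsub(/"/, "", line)         # gsub returns the number of quotes removed
            if (quotes % 2 == 1) {
                printf("%s:%d: unbalanced double quote\n", FILENAME, FNR)
                problems++
            }
            # "quick ... enc aes" followed by whitespace or end of line: no -128/-256 suffix
            if ($0 ~ /quick/ && $0 ~ /enc[ \t]+aes([ \t]|$)/) {
                printf("%s:%d: quick-mode enc aes without key length negotiates AES-128 (use aes-256 for an esp-aes-256 peer)\n", FILENAME, FNR)
                problems++
            }
        }
        END { exit (problems > 0) }
    ' "$1"
}

# Constructed sample modelled on the posts above (not anyone's real configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample ipsec.conf
remote_gw = 192.0.2.1
remote_net = { 10.0.100.0/22, 10.0.2.0/24 }
local_net = { 172.16.18.0/26 }
ike esp from $local_net to $remote_net peer $remote_gw \
        main auth hmac-sha1 enc aes \
        quick auth hmac-sha1 enc aes \
        psk "test123
EOF

# Lines 7 (bare quick-mode aes) and 8 (missing closing quote) are reported.
if lint_ipsec_conf "$sample"; then
    echo "$sample: no problems found"
else
    echo "$sample: fix the lines above before loading with ipsecctl -f"
fi
rm -f "$sample"
```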
OpenNTPD Question/Problem on OpenBSD 3.9 (stable) GENERIC #617 kernel
All -

This is going to be a long email. My apologies for that!

I have a question regarding performance of OpenNTPD vs generic/DaveMills NTPD.

Setup:
1. We have 3 machines in our DMZ which act as our primary NTP servers.
2. We have close to 8 machines in our Intranet which act as secondary NTP servers, which serve all our network and they all get their time (rather, try to) from our Primary NTP servers.

All the 3 primary NTP servers run OpenBSD 3.9 stable (i.e. from the CD) and GENERIC kernel, and are in the DMZ. All of them have identical hardware, in fact Dell PowerEdge 650, and all have the same setup:
* same release install, i.e. 3.9 install from OpenBSD CD.
* GENERIC kernel and NO modification using ukc or recompile.

DMZ NTP servers:

dmz-ntp1
uname: OpenBSD dmz-ntp1.XXX.YYY 3.9 GENERIC#617 i386
Snippet of dmesg:
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

dmz-ntp2
uname: OpenBSD dmz-ntp2.XXX.YYY 3.9 GENERIC#617 i386
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

dmz-ntp3
uname: OpenBSD dmz-ntp3 XXX.YYY 3.9 GENERIC#617 i386
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

ntpd configuration is the same for all the DMZ boxes. Shown below with comments removed!

[Begin Conf]
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server dmz-ntp1.XXX.YYY
server dmz-ntp2.XXX.YYY
server dmz-ntp3.XXX.YYY
listen on *
[End Conf]

All our internal boxes run RHEL4u2:
Linux arrowhead.XXX.YYY 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux

ntpd configuration is the same for all internal boxes. Shown below with comments removed.

[Begin Conf]
server dmz-ntp1.XXX.YYY
server dmz-ntp2.XXX.YYY
server dmz-ntp3.XXX.YYY
peer ntp01.XXX.YYY
peer ntp02.XXX.YYY
peer ntp03.XXX.YYY
peer ntp04.XXX.YYY
peer ntp05.XXX.YYY
peer ntp06.XXX.YYY
peer ntp07.XXX.YYY
peer ntp08.XXX.YYY
peer ntp09.XXX.YYY
peer ntp10.XXX.YYY
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
[End Conf]

All NTP machines are reachable on port 123.

Problem: There seems to be a lot of jitter on the OpenNTPD based machines (i.e. the DMZ machines). This prevents the Intranet machines from syncing up to the OpenBSD machines. So we installed NTPD (not OpenNTPD) from ports and restarted NTP on dmz-ntp3 and, lo and behold, all Linux boxes started syncing up with this box, but not to any other OpenNTPD based machines (which are 2 right now).

NTP stats from the Intranet boxes. Please ignore NTP stats from our Intranet box called arrowhead running RHEL4u2.

--== ntpq -p arrowhead ==--
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dmz-ntp1        93.5.230.181     4 u   22 1024  377    0.734 -270.18  87.034
-dmz-ntp3        24.123.214.97    3 u  903 1024  377    1.373  -10.758   3.727
xdmz-ntp2        220.249.119.159  4 u  960 1024  377    0.932 -213.16 246.533
 arrowhead       .STEP.          16 u    - 1024    0    0.000    0.000 4000.00
+aspen           10.200.2.65      5 u  559 1024  376    4.154   -0.673   0.142
+baldy           10.200.1.243     5 u  270 1024  377    3.364    0.145   1.597
 buttermilk      10.200.2.87      5 u  576 1024  376    2.387    0.718   0.203
-copper          10.200.1.222     4 u  971 1024  376    3.130    1.433   0.584
 cypress         10.200.2.87      5 u  426 1024  376    4.032   -0.456   0.111
*heavenly        10.200.1.222     4 u  772 1024  376    3.314   -0.136   0.630
-kirkwood        10.200.2.68      3 u  610 1024  377    4.017   -2.248   3.995
-shasta          66.92.68.11      2 u  747 1024  376   10.674  -12.836   3.089
 LOCAL(0)        LOCAL(0)        10 l   63   64

NTP stats from our Intranet box called aspen running RHEL4u2

--== ntpq -p aspen ==--
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xdmz-ntp1        93.5.230.181     4 u  292 1024  377    0.867 -240.39  86.761
-dmz-ntp3        24.123.214.97    3 u  797 1024  377    1.143  -12.227   3.712
xdmz-ntp2        220.249.119.159  4 u  908 1024  377    2.641 -222.98 247.827
-arrowhead       10.200.1.245     5 u  552 1024  377    3.845    0.828   0.409
 aspen           .STEP.          16 u    - 1024    0    0.000    0.000 4000.00
-baldy           10.200.1.222     4 u 1015 1024  376    4.710   -0.608   0.941
+buttermilk      10.200.1.245     5 u  888 1024  376    3.913    0.013   0.210
*copper          10.200.1.222     4 u  979 1024  376    6.086    0.130   0.248
-cypress         10.200.2.87      5 u  989 1024  376    3.789    0.254   0.437
-heavenly        10.200.2.87      5 u  299 1024  377    5.326    1.349   0.759
+kirkwood        199.184.165.135  3 u  284 1024  377    9.448   -0.471   0.523
-shasta          66.33.216.11     3 u   26 1024  376    5.536  -16.241   4.331
 LOCAL(0)        LOCAL(0)        10 l   52   64  377    0.000    0.000
Re: Active Directory authentication
Steve Shockley wrote:

Prabhu Gurumurthy wrote:

How about using the login_radius feature by modifying login.conf to add a new radius profile and authenticate against a RADIUS server? You can compile freeradius and have the rad_ldap plugin on the RADIUS server to authenticate against AD.

Will that still require creating entries in /etc/passwd? How would it choose which login class the user's in?

Yes, it will require adding entries in /etc/passwd; in other words you have to use the useradd program, specifically the -L option in useradd. userinfo username will give you the login class of a particular user. Remember you don't need to (re)set the password of the user if it is under the radius profile.

Prabhu
Re: Active Directory authentication
Steve Shockley wrote:

I'm researching setting up a wireless gateway using OpenBSD and authpf. We've got an existing Active Directory (2003) domain with about 5000 user accounts that I'd like to authenticate against. LDAP seemed like the obvious choice, but it appears I need to create local accounts to use login_ldap, and it'd be unwieldy to sync 5000 users. There's also a patch for nsswitch, but I'd rather not use a custom build if I don't have to. Kerberos also sounded like a good idea, but if I understand correctly, the clients would need a Kerberized ssh client, and they'd have to be able to access the KDC before logging in to the gateway. Is there a better way to do this?

How about using the login_radius feature by modifying login.conf to add a new radius profile and authenticate against a RADIUS server? You can compile freeradius and have the rad_ldap plugin on the RADIUS server to authenticate against AD. Direct LDAP would have been my first choice but for time constraints.

Prabhu --
Re: Why ksh?
Pedro Timsteo wrote:

Speaking of ksh, is there any way to configure it to clear the screen with CTRL+L, as bash does? Thanks.

This was in the mailing list before, I guess, but you can bind it (being Ctrl-L) in your .profile or .kshrc:

bind -m '^L'=clear^M
Re: pf on loopback interfaces?
If I understand correctly, pf will see packets on all interfaces by default unless you specify set skip on lo { which tells pf to skip seeing packets on the specified interface, in this case loopback }

- Prabhu

Christian Weisgerber wrote:

Say I create a loopback interface lo1

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 172.16.2.1 netmask 0xff00

and have a network program bind to that IP address. On any external interface, the address is NATed. Will pf ever see any packets on lo1?