Re: removing a pesky file

2009-05-14 Thread Prabhu Gurumurthy
Why can't you use ls -i, find the inode, and do find . -inum INODENUM -exec rm {} \;

If it is a list of files that you want to remove, put all the files in a
text file and do a for loop.


HTH!
Prabhu
-


On May 14, 2009, at 5:47 PM, Ryan Flannery wrote:


I've been in similar situations countless times, but this one is
throwing me for a loop.

I have a file that I'm trying to remove with non-printable characters
in the name.  Additionally, some of the characters appear to be
backspace/delete/etc.

All my normal tricks with rm(1) fail.
Using vim on the directory to try and delete the entry fails.

I can get the inode of the file with ls(1), and used that to write the
following program which I thought would help, but sadly it too fails.

#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <dirent.h>
#include <err.h>
#include <unistd.h>

int main(void)
{

   /* open directory */
   DIR *usr;
   if ((usr = opendir("/usr")) == NULL)
      err(1, "failed to opendir");


   /* read through until we find the evil one... */
   struct dirent *entry;
   while ((entry = readdir(usr)) != NULL)
   {
      /* check against known evil inode */
      if (entry->d_fileno == 1065344)
      {
         /* got it */
         printf("found file...name length is: %d\n", entry->d_namlen);

         /* build filename as a char* */
         uint8_t i;
         for (i = 0; i < entry->d_namlen; i++)
            printf("%d ", entry->d_name[i]);


         /* cross fingers */
         printf("\n\nattempting to unlink...\n");
         if (unlink(entry->d_name) < 0)
            err(1, "failure, crack 'nother beer");
      }
   }

   closedir(usr);

   return 0;
}


the program outputs the following:

found file...name length is: 194
-104 38 13 40 -22 101 -13 -4 -68 -107 69 86 49 -92 69 37 -90 -95 -52
20 27 -104 -24 -60 82 -49 46 -50 79 -70 23 -30 66 -29 56 89 29 -100
-127 59 83 -115 28 26 -121 30 81 -45 67 -53 -100 -76 103 15 109 -88 17
95 69 -102 87 -35 -41 -83 -13 -18 9 62 76 44 -52 99 33 -5 39 79 -100
49 -111 6 -64 -94 -97 19 -10 34 104 -87 100 28 125 4 -52 -101 84 -85
85 92 13 -2 -84 -11 63 125 -1 119 -67 82 27 96 -113 -79 -1 84 -87 -43
55 -14 -1 53 -124 69 -29 -65 74 27 96 -113 -71 -1 -111 75 -91 -51 -8
-81 33 -120 -58 127 85 54 -64 30 115 -1 83 44 -41 55 -25 -65 53 -124
-51 -3 -49 -41 29 -60 -12 -65 26 27 96 -39 -9 63 114 66 -2 91 -86 -105
54 -12 -65 -122 -80 104 -4 55 60 -31 -21 8 66 -6 95 -111 13 -80 44 -6

attempting to unlink...
a.out: failure, crack 'nother beer: No such file or directory


Questions:
1.  Any whacks of a clue-stick would be greatly appreciated.
2.  When I printf the dirent struct's d_namlen field, it says 302...
grep'ing /usr/include, isn't this 255?  How can this happen?
3.  Passing the d_name field directly to unlink(2)... this should
work, correct?  (I tried this with a sample setup elsewhere and it
did).  Any thoughts why this would fail?

To those who are curious, the file was created when I went to unpack a
ports.tar.gz and forgot the 'z' switch... d'oh.

Anyway, I could try deleting the parent directory, but it's /usr.

-Ryan
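The inode approach Ryan took, redone as an added example that is not code from the thread. d_name is relative to the directory being read, not to the process's current directory, so unlink(entry->d_name) in the original looks in the cwd and fails with ENOENT unless the program happens to run from /usr; that is also why the find -inum -exec rm suggestion works, since find passes the raw name to rm by execve with no shell touching the bytes. The example does the same in one process with unlinkat(2) against dirfd(d), rechecks the inode with fstatat(2) before removing anything, and prints the name as hex so the backspace and escape bytes never reach the terminal. It assumes a POSIX.1-2008 system (Linux or a current BSD; the 2009 OpenBSD in the thread did not yet have the *at() calls, where fchdir(dirfd(d)) followed by unlink(2) is the fallback). The temporary directory and the constructed file name in demo_unlink_by_inode() are the example's own, not the poster's 194-byte name.

```c
/*
 * Added example (not code from the thread): delete a directory entry by
 * inode number, with the name resolved relative to the directory being
 * read rather than to the process's cwd.  Assumes a POSIX.1-2008 system
 * for unlinkat(2), fstatat(2), dirfd(3) and d_ino.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Show the name as hex bytes: control characters in a filename must never
 * be written raw to a terminal (the thread's name held backspaces). */
static void print_name_hex(const char *name)
{
    const unsigned char *p;
    for (p = (const unsigned char *)name; *p != '\0'; p++)
        printf("%02x ", *p);
    putchar('\n');
}

/*
 * Remove the first non-directory entry in `dir` whose inode is `ino`.
 * Returns 0 on success; -1 with errno set otherwise (ENOENT if nothing in
 * `dir` has that inode).  A hard link elsewhere is untouched: only the one
 * name found in `dir` is removed.
 *
 * unlinkat(dirfd(d), name, 0) applies d_name to the directory we are
 * reading, so the result does not depend on cwd and there is no chdir()
 * window in which the directory could be swapped between readdir() and
 * the unlink.
 */
int unlink_by_inode(const char *dir, ino_t ino)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int rc = -1, saved_errno = ENOENT;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if ((ino_t)e->d_ino != ino)
            continue;
        /* Re-check with fstatat(): d_ino can lag, and we refuse directories
         * and never follow a symlink that happens to share the number. */
        struct stat st;
        if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) == -1 ||
            st.st_ino != ino || S_ISDIR(st.st_mode))
            continue;

        printf("inode %llu matches, name bytes: ", (unsigned long long)ino);
        print_name_hex(e->d_name);
        if (unlinkat(dirfd(d), e->d_name, 0) == 0)
            rc = 0;
        else
            saved_errno = errno;
        break;
    }
    closedir(d);
    if (rc != 0)
        errno = saved_errno;
    return rc;
}

/*
 * Self-contained demonstration on constructed data: a temporary directory
 * holding one file whose name is built from the kind of bytes the thread
 * describes (backspace, DEL, ESC), deleted by inode.  Returns 0 on
 * success, or the number of the step that failed.
 */
int demo_unlink_by_inode(void)
{
    char dir[] = "/tmp/inode-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;

    /* constructed name: BS, DEL, ESC [ 2 J (clear screen), then "evil" */
    static const char evil[] = "\x08\x7f\x1b[2Jevil";
    char path[sizeof(dir) + sizeof(evil) + 1];
    snprintf(path, sizeof(path), "%s/%s", dir, evil);

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return 2;
    struct stat st;
    if (fstat(fd, &st) == -1) {      /* the inode we will hunt for */
        close(fd);
        return 3;
    }
    close(fd);

    if (unlink_by_inode(dir, st.st_ino) != 0)
        return 4;
    if (access(path, F_OK) == 0 || errno != ENOENT)   /* name must be gone */
        return 5;
    /* a second attempt finds nothing and reports ENOENT */
    if (unlink_by_inode(dir, st.st_ino) == 0 || errno != ENOENT)
        return 6;

    rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = demo_unlink_by_inode();
    printf("%s (step %d)\n", rc == 0 ? "removed by inode" : "failed", rc);
    return rc;
}
```

The fstatat() recheck is what makes this safe to point at a busy directory: a stale inode number in the readdir buffer, or a directory or symlink that happens to carry the same number, is skipped rather than unlinked.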




Re: Intel quad port PRO/1000QP 82575GB chipset

2008-10-24 Thread Prabhu Gurumurthy
, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub5 at uhub0 port 1 "Dell product 0xa001" rev 2.00/0.00 addr 2
uhidev0 at uhub5 port 1 configuration 1 interface 0 "Dell DRAC5" rev 1.10/0.00 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub5 port 1 configuration 1 interface 1 "Dell DRAC5" rev 1.10/0.00 addr 3
uhidev1: iclass 3/1
ums0 at uhidev1
ums0: X report 0x0002 not supported
uhub6 at uhub0 port 5 "Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 4

softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx1: address 00:22:19:0b:a9:ee
brgphy0 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx0: address 00:22:19:0b:a9:f0
brgphy1 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6


On Oct 23, 2008, at 4:30 PM, Chris Kuethe wrote:

On Thu, Oct 23, 2008 at 4:14 PM, Prabhu Gurumurthy [EMAIL PROTECTED] wrote:
I installed 4.4 (current) on a Dell 2950, dmesg at the bottom. I am having
trouble seeing the Intel quad port PRO/1000 QP card in OpenBSD.

When I look into /usr/src/sys/dev/pci/{pcidevs, pcidevs.h} I see that the
chipset is listed. Does it require firmware of some sort? em(4) does not
list this chipset, however it lists the card, which implies this card has
more chipsets.

In pcidevs.h:
#define PCI_PRODUCT_INTEL_82575GB_QUAD_CPR  0x10d6  /* PRO/1000 QP (82575GB) */


try patching it into sys/dev/pci/if_em.c; there's a big table near the
top of this file listing all the devices the driver supports... this
might work, or it might need something else (like the em variant found
in Lenovo X200s)

As a side note, this system has 32G of memory, any chance it would work? I
can only see 3GB maximum on 4.3/amd64 mp kernel.


this has already been discussed this month. the answers you seek are
in the archives.


Thanks!

dmesg:

OpenBSD 4.4-current (GENERIC.MP) #947: Tue Oct 21 16:00:28 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 2142142464 (2042MB)
avail mem = 2062811136 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/29/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version "2.3.1" date 04/29/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16

Intel quad port PRO/1000QP 82575GB chipset

2008-10-23 Thread Prabhu Gurumurthy
I installed 4.4 (current) on a Dell 2950, dmesg at the bottom. I am having
trouble seeing the Intel quad port PRO/1000 QP card in OpenBSD.


When I look into /usr/src/sys/dev/pci/{pcidevs, pcidevs.h} I see that the
chipset is listed. Does it require firmware of some sort? em(4) does not
list this chipset, however it lists the card, which implies this card has
more chipsets.


In pcidevs.h:
#define PCI_PRODUCT_INTEL_82575GB_QUAD_CPR  0x10d6  /* PRO/1000 QP (82575GB) */


As a side note, this system has 32G of memory, any chance it would work? I
can only see 3GB maximum on 4.3/amd64 mp kernel.


Thanks!

dmesg:

OpenBSD 4.4-current (GENERIC.MP) #947: Tue Oct 21 16:00:28 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 2142142464 (2042MB)
avail mem = 2062811136 (1967MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/29/08, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.5 @ 0x7fb9c000 (67 entries)
bios0: vendor Dell Inc. version "2.3.1" date 04/29/2008
bios0: Dell Inc. PowerEdge 2950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu7: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 0 (PE2P)
acpiprt6: no apic found for irq 64
acpiprt6: no apic found for irq 65
acpiprt6: no apic found for irq 78
acpiprt7 at acpi0: bus 13 (PEX4)
acpiprt8 at acpi0: bus 15 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 17 (COMP)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
acpicpu4 at acpi0: C3
acpicpu5 at acpi0: C3
acpicpu6 at acpi0: C3
acpicpu7 at acpi0: C3
bios0: ROM list: 0xc0000/0x9000! 0xc9000/0x1000 0xca000/0x1e00 0xcc000/0x5e00 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev

NAT/PAT over IPsec (enc0 interface)

2008-10-07 Thread Prabhu Gurumurthy

All -

How can I do NAT/PAT over IPsec?

To explain more: I have 4 hosts in 2 different networks (10.200.0/22
and 10.57.132/24). They are 10.57.132.18, 10.57.132.24, 10.57.132.41
and 10.200.1.208. When these hosts access 10.200.200/24,
10.200.136/24, 10.200.205/24 and 10.200.132/24 I want to NAT them to
207.129.36.65.


My IPsec policies are
ike esp from { 207.129.36.65 } to { 10.200.200/24, 10.200.136/24,  
10.200.205/25, 10.200.132/24 } \

local X.X.X.X ...
...
psk Z


My IPsec tunnels are up, however I have trouble NAT'ing.

I followed some pointers given in ipsec(4):

     NAT can also be applied to enc# interfaces, but special care should be
     taken because of the interactions between NAT and the IPsec flow match-
     ing, especially on the packet output path.  Inside the TCP/IP stack,
     packets go through the following stages:

           UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
           UL/R <- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

     With IF being the real interface and UL/R the Upper Layer or Routing
     code.  The [X] stage on the output path represents the point where the
     packet is matched against the IPsec flow database (SPD) to determine if
     and how the packet has to be IPsec-processed.  If, at this point, it is
     determined that the packet should be IPsec-processed, it is processed by
     the PF/NAT code.  Unless PF drops the packet, it will then be
     IPsec-processed, even if the packet has been modified by NAT.

and this email thread, http://marc.info/?l=openbsd-miscm=121866081214667w=2

My pf.conf snippet:

table <MY_HOSTS> persist { \
        10.57.132.18, \
        10.57.132.24, \
        10.57.132.41, \
        10.200.1.208 }

table <OTHER_HOSTS> persist { \
        10.200.200/24, \
        10.200.136/24, \
        10.200.205/24, \
        10.200.132/24 }

NAT_IP = "207.129.36.65"
enc_if = "enc0"

nat on $enc_if from <MY_HOSTS> to <OTHER_HOSTS> -> $NAT_IP

pass quick on $enc_if
...

I had set skip on $enc_if, which I removed following the above thread.

Any pointers?

Thanks!
Prabhu
-



Re: OSPFd and ipsec routes

2008-09-25 Thread Prabhu Gurumurthy
Maybe use redistribute static in ospfd, but I don't think there is a
way of doing it automatically.


hope this helps!
Prabhu
-

On Sep 25, 2008, at 10:32 AM, B A wrote:


Hello!

Can ospfd redistribute routes in the Encap table (`netstat -nr -f encap`)?
Are they considered static?
There is no such info in ospfd.conf...




Re: make ls not show dot-files as root

2008-07-28 Thread Prabhu Gurumurthy
man ls shows the -A option is implicit when running as root. So, in short,
the answer would be no.


On Jul 28, 2008, at 3:33 PM, Jesus Sanchez wrote:


Hi, using 4.2.

Just for curiosity...

Can I make ls NOT show
the hidden files (.xinitrc, .vimrc, etc.) when
running as root?

Thanks 4 all.




blackholed route on 4.3 (stable, generic)

2008-06-30 Thread Prabhu Gurumurthy

I have got a weird problem with my network setup.

I have a pair of identical OpenBSD 4.3 (stable, GENERIC) boxes running in
Active/Standby failover using carp, pfsync and sasyncd.


uname: OpenBSD nitehawk.contoso.com 4.3 GENERIC#698 i386

The CARP boxes' external interfaces (bge0) are 172.21.171.{6, 7} and they share
172.21.171.5.
The CARP boxes' internal interfaces (bge1) are 172.21.100.{2, 3} and they share
172.21.100.1.
The failover interfaces (em0) are 172.21.123.{2, 3}.

I have a pair of Cisco ASAs (Active/Standby failover) behind the CARP
boxes on the bge1 interface. The ASA interface IP is 172.21.100.4.
The ASA has one network behind it (172.21.69.0/24).

There are 5 routers apart from the CARP boxes on the bge0 interface. I have
two separate IPsec tunnels terminating on two Cisco 2811 routers. The
Cisco routers have one network behind them each, 192.168.171/24 and
192.168.101/24 respectively.

One of my requirements is to do policy-based static NAT with
172.21.69.0/24. To explain it more: when the traffic is to/from
192.168.101.0/24, the ASA would static NAT 172.21.69.0/24 to
172.21.169.0/24.

The interesting traffic for the second tunnel essentially is:
192.168.101.0/24 <=> 172.21.169.0/24. For completeness, the interesting
traffic for the first tunnel is 192.168.171.0/24 <=> 172.21.69.0/24.

netstat -rnf encap on the master:
nitehawk (OpenBSD): [~]
ttyp0: [700]# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.101/24     0     172.21.169/24      0     0     172.21.171.9/esp/use/in
172.21.169/24      0     192.168.101/24     0     0     172.21.171.9/esp/require/out
192.168.171/24     0     172.21.69/24       0     0     172.21.171.8/esp/use/in
172.21.69/24       0     192.168.171/24     0     0     172.21.171.8/esp/require/out

I have enabled OSPF routing on all network devices (i.e. CARP boxes, 5
routers on the outside and the ASA on the inside)

ifconfig on the master:

nitehawk (OpenBSD): [~]
ttyp0: [686]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:51:81:75
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.123.2 netmask 0xffffff00 broadcast 172.21.123.255
        inet6 fe80::215:17ff:fe51:8175%em0 prefixlen 64 scopeid 0x1
        inet6 fd1b:d92f:84f3:123:215:17ff:fe51:8175 prefixlen 64
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:85
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.171.6 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::21c:23ff:fee1:cb85%bge0 prefixlen 64 scopeid 0x2
        inet6 fd1b:d92f:84f3:171:21c:23ff:fee1:cb85 prefixlen 64
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:23:e1:cb:86
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.21.100.2 netmask 0xffffff00 broadcast 172.21.100.255
        inet6 fe80::21c:23ff:fee1:cb86%bge1 prefixlen 64 scopeid 0x3
        inet6 fd1b:d92f:84f3:100:21c:23ff:fee1:cb86 prefixlen 64
enc0: flags=0<> mtu 1536
lo127: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 172.21.127.6 netmask 0xffffffff
        inet6 fd1b:d92f:84f3:127:31e1:bb3f:20c8:7f06 prefixlen 128
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: em0 syncpeer: 224.0.0.240 maxupd: 128
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev bge0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 172.21.171.5 netmask 0xffffff00 broadcast 172.21.171.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x7
        inet6 fd1b:d92f:84f3:171:f9a0:3201:525c:671 prefixlen 64
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev bge1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 172.21.100.1 netmask 0xffffff00 broadcast 172.21.100.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x8
        inet6 fd1b:d92f:84f3:100:1983:b905:3d8e:3dc7 prefixlen 64


When 172.21.69.17 (behind the ASA) tries to talk to 192.168.171.0/24, I
can see that the traffic is reaching the bge1 interface, then getting
encapsulated in ESP tunnel and then sent across. In short, works as
expected.

Example:

From: 172.21.69.17 (behind ASA)

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
inet6 ::1 

Re: isakmpd -- NCP IPsec client: peer proposed invalid phase 2 IDs

2008-06-27 Thread Prabhu Gurumurthy
I do not know whether the Windows XP native IPsec stack supports AES; I know it
only supports up to 3DES. With OpenBSD, the default is AES (128), and that is why
IKE is giving you NO_PROPOSAL_CHOSEN. Change your settings to include 3des and
sha1 (or maybe md5) and you would get quick mode working.


Prabhu
-

Harald Dunkel wrote:

Hi folks,

I am trying to set up an IPsec connection between OpenBSD
and Windows XP (NCP IPsec client). ipsec.conf is just a
single line:

ike passive esp from 192.168.5.1 to 192.168.1.249

(192.168.1.249 is the Windows PC.)


Phase I seems to work, but in Phase II isakmpd complains:

Jun 27 14:55:34 fw01 isakmpd[30626]: log_packet_init: starting IKE 
packet capture to file /var/run/isakmpd.dump
Jun 27 14:56:30 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer 
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, 
responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:30 fw01 isakmpd[30626]: dropped message from 192.168.1.249 
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:35 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer 
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, 
responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:35 fw01 isakmpd[30626]: dropped message from 192.168.1.249 
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:38 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer 
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, 
responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:38 fw01 isakmpd[30626]: dropped message from 192.168.1.249 
port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 27 14:56:41 fw01 isakmpd[30626]: responder_recv_HASH_SA_NONCE: peer 
proposed invalid phase 2 IDs: initiator id c0a801f9: 192.168.1.249, 
responder id c0a80501/: 192.168.5.1/255.255.255.255
Jun 27 14:56:41 fw01 isakmpd[30626]: dropped message from 192.168.1.249 
port 500 due to notification type NO_PROPOSAL_CHOSEN



Looking into the negotiation packets I see at the beginning
of Phase II:

14:56:30.370925 192.168.1.249.500 > 192.168.5.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 45305a4f len: 220
        payload: HASH len: 24
        payload: SA len: 92 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8b62522d
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute KEY_LENGTH = 256
            payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xdc14778f
                payload: TRANSFORM len: 28
                    transform: 1 ID: AES
                        attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 44
        payload: ID len: 12 type: IPV4_ADDR = 192.168.1.249
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.1/255.255.255.255 [ttl 0] (id 1, len 248)
14:56:30.371301 192.168.5.1.500 > 192.168.1.249.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 27b9931138233444-5f559cf7b1c1dda0 msgid: 93170a11 len: 64
        payload: HASH len: 24
        payload: NOTIFICATION len: 12
            notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 92)

Obviously isakmpd doesn't like something in the negotiation packet
sent by the NCP IPsec client on Windows.

Anybody got an idea?


Regards

Harri




ipsec.conf question

2008-05-05 Thread Prabhu Gurumurthy

All,

I have a question regarding ipsec.conf.

Example:

IPsec peers: 3.3.3.3, 3.3.3.2
Interesting traffic: 1.1.1.1 <-> 192.168.100.2
                     2.2.2.2 <-> 192.168.100.0/24

Main/Quick mode crypto/groups being: aes, sha1 and group2
PSK being test123

How can I define the above concisely?

I can, for example, do the following:

ike esp from 1.1.1.1 to 192.168.100.2 \
local 3.3.3.3 peer 3.3.3.2\
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
psk test123

ike esp from 2.2.2.2 to 192.168.100.0/24 \
local 3.3.3.3 peer 3.3.3.2\
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
psk test123

Is there any way to shorten it, since most of it seems to be redundant except for
the interesting traffic part?


FWIW, I am running 4.3-current:
OpenBSD pgurumur-vm-openbsd.xxx.com 4.3 GENERIC#732 i386

Thanks
Prabhu
-
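One way to factor out the repeated part, added here as an example rather than taken from the thread: ipsec.conf(5) macros expand textually, as in pf.conf, so the gateway addresses and the main/quick mode transforms can be defined once and referenced from each ike line. The two traffic selectors still need two lines: brace lists on both sides of from/to expand to every source/destination combination, which would add flows (1.1.1.1 to 192.168.100.0/24 and 2.2.2.2 to 192.168.100.2) that the original pair does not contain. The addresses and the PSK test123 are the thread's placeholders; a real deployment needs a long random secret (for example from `openssl rand -hex 32`), since the PSK is the only thing authenticating the peer in this configuration.

```conf
# /etc/ipsec.conf, added example (not from the thread). Addresses and the
# PSK are the thread's placeholders; the macro syntax is ipsec.conf(5)'s.

local_gw  = "3.3.3.3"
remote_gw = "3.3.3.2"

# Identical transforms for phase 1 (main) and phase 2 (quick);
# "group modp1024" in quick mode enables PFS.
crypto = "main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024"

# Placeholder only: generate a real one with `openssl rand -hex 32`.
psk_value = "test123"

ike esp from 1.1.1.1 to 192.168.100.2    local $local_gw peer $remote_gw $crypto psk $psk_value
ike esp from 2.2.2.2 to 192.168.100.0/24 local $local_gw peer $remote_gw $crypto psk $psk_value
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading anything, which is the quickest way to confirm the macros expanded into the two rules you meant.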



Re: Bind stopped Listening on UDP port suddenly in 4.2

2008-04-29 Thread Prabhu Gurumurthy

Siju George wrote:

Hi,

I was using the Internet and name resolution suddenly stopped.
When I checked I found out

=
$ netstat -an |grep 53
tcp0  0  127.0.0.1.953  *.*LISTEN
tcp0  0  59.93.35.248.53*.*LISTEN
tcp0  0  127.0.0.1.53   *.*LISTEN
udp0  0  59.93.35.248.53*.*
udp0  0  127.0.0.1.53   *.*
tcp6   0  0  ::1.953*.*LISTEN
tcp6   0  0  *.53   *.*LISTEN
udp6   0  0  *.53
===

Bind is no longer listening on udp 127.0.0.1.53.


According to the output you provided, it seems to be listening (see line 5 in 
netstat)



For the time being i use OpenDNS.

Could some one please let me know how to fix this?

===
$ cat /etc/resolv.conf
lookup file bind
nameserver 127.0.0.1
nameserver 208.67.222.222
$ cat /etc/rc.conf.local
pf=YES
named_flags=
$ sudo ps aux |grep named
_syslogd  5452  0.0  0.2   532   724 ??  S  9:42AM0:00.01
syslogd -a /var/named/dev/log -a /var/empty/dev/log
named15162  0.0  0.7  2504  3064 ??  I  9:42AM0:00.07 named
root 32198  0.0  0.2  1604   728 ??  Is 9:42AM0:00.00
named: [priv] (named)
===

Thank you so much

Kind Regards

Siju




What does host www.google.com 127.0.0.1 say and what does tcpdump -env -i lo0 
udp port 53 say?




ICMP6 message size

2008-01-22 Thread Prabhu Gurumurthy

Hi all,

I have two hosts, one in OpenBSD 4.2 (stable) and another is Redhat ESv4u4

When I ping (IPv6) from OpenBSD to Redhat with a custom size for icmp6 (-s 
option), I cannot go past 8184; 8185 and above give me the error EMSGSIZE.


Whereas pinging from Redhat to OpenBSD I can go beyond 8184; in fact I am able to 
go to 10000, above that I have not tried yet.


Is this behavior expected?

OpenBSD IPv6 Address: fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
Redhat IPv6 Address: fd1b:d92f:84f3:167:214:22ff:fe7b:cc68

command: ping6 -s SIZE -c 5 HOST

Test from OpenBSD

Basic ping with 56 bytes:

openbsd-test: [~]
[84]$ ping6 -c 2 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(56=40+8+8 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
16 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=0 hlim=63 
time=7.987 ms
16 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=1 hlim=63 
time=2.029 ms


--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.029/5.008/7.987/2.979 ms

Ping with custom size set to 8184 bytes:

openbsd-test: [~]
[85]$ ping6 -c 2 -s 8184 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(8232=40+8+8184 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
8192 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=0 hlim=63 
time=24.35 ms
8192 bytes from fd1b:d92f:84f3:167:214:22ff:fe7b:cc68, icmp_seq=1 hlim=63 
time=19.296 ms


--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 19.296/21.823/24.350/2.527 ms

Ping with custom size set to 8185 bytes:

openbsd-test: [~]
[86]$ ping6 -c 2 -s 8185 fd1b:d92f:84f3:167:214:22ff:fe7b:cc68
PING6(8233=40+8+8185 bytes) fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 --> fd1b:d92f:84f3:167:214:22ff:fe7b:cc68

ping6: sendmsg: Message too long
ping6: wrote fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 8193 chars, ret=-1
ping6: sendmsg: Message too long
ping6: wrote fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 8193 chars, ret=-1

--- fd1b:d92f:84f3:167:214:22ff:fe7b:cc68 ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Test from Redhat:

Basic ping:
[EMAIL PROTECTED] ~]# ping6 -c 2 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 56 data bytes

64 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 
time=3.17 ms
64 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 
time=1.79 ms

--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.797/2.487/3.178/0.692 ms, pipe 2

Ping with custom size set to 8184:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 8184 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 8184 data bytes
8192 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 
time=9.37 ms
8192 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 
time=9.32 ms


--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.322/9.349/9.377/0.100 ms, pipe 2

Ping with custom size set to 8185:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 8185 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 8185 data bytes
8193 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 
time=9.36 ms
8193 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 
time=9.40 ms


--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.362/9.382/9.403/0.099 ms, pipe 2

Ping with custom size set to 10000:

[EMAIL PROTECTED] ~]# ping6 -c 2 -s 10000 fd1b:d92f:84f3:125:20c:29ff:fe8d:f732
PING fd1b:d92f:84f3:125:20c:29ff:fe8d:f732(fd1b:d92f:84f3:125:20c:29ff:fe8d:f732) 10000 data bytes
10008 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=0 ttl=63 
time=11.0 ms
10008 bytes from fd1b:d92f:84f3:125:20c:29ff:fe8d:f732: icmp_seq=1 ttl=63 
time=21.0 ms


--- fd1b:d92f:84f3:125:20c:29ff:fe8d:f732 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 11.086/16.044/21.002/4.958 ms, pipe 2


OpenBSD uname:
OpenBSD openbsd-test.contoso.com 4.2 GENERIC#375 i386

ifconfig from OpenBSD:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:8d:f7:32
        groups: egress
  

OSPF and CARP question

2007-12-12 Thread Prabhu Gurumurthy

All -

This is going to be a lengthy email, sorry about that. I have a question about 
running CARP + OSPF; I looked at all the emails pertaining to it on the marc.info 
website.


Network scenario:

I have an ethernet segment (172.21.171.0/24) with a Cisco 1760 (.1), a Cisco 2621 (.4), 
a Dell PowerConnect (.2) and OpenBSD 4.2 systems (.6, .7 sharing .5 using carp), with 
the OpenBSD systems running carp + pfsync.


Cisco 1760 is connected to DSL and I redistribute default route from 1760, which 
gets propagated as E2 type to all the nodes participating in OSPF


I have another ethernet segment (172.21.71/24) with the above-mentioned OpenBSD 4.2
systems (.2, .3 sharing .1 using carp) and another Cisco 2610 (.4).


I have a linux host behind the c2610 (network: 172.21.55/24), the cisco being .1 and the linux
host being .17.


All hosts are in single area (area 0)

I also have 4 networks sitting behind PowerConnect device, 172.21.{167, 145, 
125, 99}/24.


Each and every time I try to connect to 172.21.55.17 from 172.21.125.23, I see the
tcp connection being shared by the two OpenBSD firewalls, because they are running
OSPF and the cisco 2610 sees two equal paths to the 172.21.125/24 network through
the OpenBSD firewalls.


When I connect to Internet from the linux host, I am seeing packets being sent 
to the backup instead of the master.



Configuration:

Stock OpenBSD kernel running on 2 PowerEdge 860s with twin broadcom GigE 
ethernet interfaces.


# uname -a
OpenBSD carp02.contoso.com 4.2 GENERIC#375 i386

Since this email is already big, I am not including the dmesg; if it is needed, I'll
post it.


Configuration from OpenBSD system 172.21.171.6:
IP addresses:
/etc/hostname.bge0:  inet 172.21.171.6 255.255.255.0 NONE
/etc/hostname.bge1:  inet 172.21.71.2 255.255.255.0 NONE
/etc/hostname.carp0: inet 172.21.171.5 255.255.255.0 172.21.171.255 vhid 1 pass Char!i3
/etc/hostname.carp1: inet 172.21.71.1 255.255.255.0 172.21.71.255 vhid 2 pass F00bar

/etc/hostname.lo127: inet 172.21.127.6 255.255.255.255 NONE
/etc/hostname.pfsync0:  up syncif bge1

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1c:23:e1:cb:85
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.21.171.6 netmask 0xffffff00 broadcast 172.21.171.255
inet6 fe80::21c:23ff:fee1:cb85%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1c:23:e1:cb:86
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.21.71.2 netmask 0xffffff00 broadcast 172.21.71.255
inet6 fe80::21c:23ff:fee1:cb86%bge1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
lo127: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
groups: lo
inet 172.21.127.6 netmask 0xffffffff
pfsync0: flags=41<UP,RUNNING> mtu 1460
pfsync: syncdev: bge1 syncpeer: 224.0.0.240 maxupd: 128
groups: carp pfsync
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: BACKUP carpdev bge0 vhid 1 advbase 1 advskew 0
groups: carp
inet 172.21.171.5 netmask 0xffffff00 broadcast 172.21.171.255
inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:02
carp: BACKUP carpdev bge1 vhid 2 advbase 1 advskew 0
groups: carp
inet 172.21.71.1 netmask 0xffffff00 broadcast 172.21.71.255
inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7

/etc/ospfd.conf:

router-id 172.21.127.6
redistribute default set { metric 30 type 2 }

area 0.0.0.0 {
demote carp 1
interface lo127

interface carp0 {
demote carp
}
interface carp1 {
demote carp
}

interface bge1 {
auth-type crypt
auth-md 1 R0ut1ng
auth-md-keyid 1
}

interface bge0 {
auth-type crypt
auth-md 1 R0ut1ng
auth-md-keyid 1
}
}

# ospfctl show neigh
ID              Pri State        DeadTime Address         Iface Uptime
172.21.127.2    0   FULL/OTHER   00:00:34 172.21.171.2    bge0  00:32:03
172.21.127.1    1   FULL/OTHER   00:00:32 172.21.171.1    bge0  00:32:08
172.21.127.7    1   FULL/OTHER   00:00:34 172.21.171.7    bge0  00:30:48
172.21.127.4    1   FULL/DR      00:00:31 172.21.171.4    bge0  00:34:54
172.21.127.7    1   FULL/OTHER   00:00:34 172.21.71.3     bge1  00:30:43
172.21.127.8    1   FULL/DR      00:00:39 172.21.71.4     bge1  00:35:29


Configuration on OpenBSD system: 172.21.171.7
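A constructed model of the situation described in this thread, added here as an example (it is not code from the thread): two pf-style stateful firewalls behind a router that load-shares flows over equal-cost OSPF paths, with replies returning through the CARP master. The hash function, firewall names and port numbers are assumptions, and pfsync replication is modelled as instantaneous.

```python
"""Asymmetric routing across a stateful firewall pair (constructed model).

An upstream router splits flows over both firewalls by equal-cost paths;
replies are sent to the CARP address and so always reach the master.
Without pfsync, a reply for a flow the router sent through the backup
hits the master with no matching state and is dropped."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.dport, self.sport)


class Firewall:
    """Minimal 'keep state' filter: the first packet of a flow creates a
    state entry; a reply passes only if the reverse state exists."""

    def __init__(self, name):
        self.name = name
        self.states = set()
        self.pfsync_peer = None    # set when pfsync replicates state

    def forward(self, flow):
        self.states.add(flow)
        if self.pfsync_peer is not None:
            # pfsync: the new state is replicated to the peer (modelled as instant)
            self.pfsync_peer.states.add(flow)

    def passes_reply(self, reply):
        return reply.reverse() in self.states


def ecmp_pick(flow, hops):
    """Per-flow load sharing as a router does it: hash the 4-tuple so one flow
    always takes the same next hop (constructed hash; real routers use their
    own, but the per-flow stickiness is the same)."""
    key = f"{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}".encode()
    return hops[zlib.crc32(key) % len(hops)]


def build_flows(n=64):
    # constructed sample: the linux host from the thread opening n TCP
    # connections (distinct source ports) to a host on 172.21.125/24
    return [Flow("172.21.55.17", "172.21.125.23", 40000 + i, 22) for i in range(n)]


def simulate(flows, pfsync):
    """Return {flow: (firewall that saw the SYN, 'ok' | 'dropped')}."""
    master = Firewall("fw-a (CARP MASTER)")
    backup = Firewall("fw-b (CARP BACKUP)")
    if pfsync:
        master.pfsync_peer, backup.pfsync_peer = backup, master
    results = {}
    for flow in flows:
        fw = ecmp_pick(flow, [master, backup])    # the router's ECMP choice
        fw.forward(flow)
        # replies are addressed to the CARP IP, so they arrive at the master
        ok = master.passes_reply(flow.reverse())
        results[flow] = (fw.name, "ok" if ok else "dropped")
    return results


if __name__ == "__main__":
    for pfsync in (False, True):
        res = simulate(build_flows(), pfsync)
        dropped = sum(1 for _, v in res.values() if v == "dropped")
        print(f"pfsync={pfsync}: {dropped} of {len(res)} flows dropped")
```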

Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2007-11-07 Thread Prabhu Gurumurthy

Brian A Seklecki (Mobile) wrote:

On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:

On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:

Have you try openbsd 4.2 ? PF have been really improved in this
release.


pf(4) has nothing to do with isakmpd(8), except as it relates to recent
addition of routing tags.

- PIX/ASA is going to get you a default packet ASA forwarding based on
interface weights 
- PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH

VPN Road-warrior clients
- PIX has functional object-groups/group-object inheritance
- PIX/ASA has proprietary serial console fail-over (which is marginally
faster than waiting for CARP)
- PIX/ASA has some magical black-box inline transparent protocol
fixups
- PIX has a 4 hour SmartNet support contract option
- PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)

I don't know about ASA, but the 5xx PIX doesn't support IPv6


Otherwise they're both software-based stateful IP packet forwarding
engines running on i386 with NAT and IPSec and 802.1q support.

OpenBSD will always scale better because you can run it on the hardware
platform of your choice.

~BAS


1. VPN is computationally heavy -- is your hardware fast enough?

2. Try playing with queueing in PF to handle some types of traffic
   faster than others. AFAIK, it is normal to find this kind of
   configuration in commercial, black-box solutions, disguised as buzzy
   slogans like Built-in QoS Super-Routing :-)

Just my two cents.

Martin





Are you sure the PIX 515 and above do not support IPv6? If by that you mean IPv6
routing, then yes. But the PIX 515E and ASA do support IPv6 fine when you use a
7.X or later version of the image.


In addition to your 4th point, PIX and ASA support failover using the LAN; only the PIX
supports serial-based failover.


To the OP:
We use ASA and OpenBSD in our production environment and we spent close to
$10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy two
dell boxes to put OpenBSD (using GigE) on them and use them as failover, i.e. pf
+ pfsync + sasyncd, and it's been fine for the past 11 months.


Where do you see OpenBSD lagging behind? If it is transfer rate, you can tweak
tcp settings using sysctl, or you can upgrade to 4.2 as the other post indicated.


And are you willing to spend money to buy expensive gear? That is the question.



Re: problem with ipsec tunnel between pix and openbsd

2007-09-10 Thread Prabhu Gurumurthy

Sebastian Reitenbach wrote:

Hi,

I setup a tunnel between a pix and an openbsd isakmpd to
connect two networks behind each tunnel endpoint.
Pinging through the tunnel from both sides works, for
the first 15 minutes. Then the ping stops working.
When I recreate the tunnel, the ping starts to
work again. I start isakmpd with isakmpd -k and I use
ipsecctl to activate the tunnel.
To work around the problem I added dead peer detection
to the isakmpd.conf file. It checks every 10 seconds for a
dead peer; this detects that the tunnel is not in a good
state, and restarts it. I also found in an old howto that
I have to create a policy file that says that the OpenBSD
box is the initiator of the tunnel.
I have not found a way to prevent the tunnel from going into
that bad state. I think I have a problem with rekeying.
In my eyes activating the DPD is only working on the
symptoms, so I assume there must be a better
way to fix the problem.



here my isakmpd.conf file:
[General]
Listen-on=131.103.56.171
Default-phase-1-lifetime=   28800,60:86400
Default-phase-2-lifetime=   1200,60:86400
DPD-check-interval= 10
Policy-File=/etc/isakmpd/isakmpd.policy

and here my ipsecctl.conf file:
ike active esp from 192.168.0.0/24 to 10.1.0.0/24 \
   local $my_gw peer $remote_gw \
   main auth hmac-md5 enc 3des group grp2 \
   quick auth hmac-md5 enc aes group none \
   psk MyTopSecretKey

Any idea what I can try to prevent the tunnel from stopping working?

kind regards
Sebastian




It will be helpful if you can give the corresponding PIX configuration as well.
Your ipsecctl.conf seems to be good! Can you give us the output of ipsecctl -vv
-sa and tail -f /var/log/{daemon, messages}?


Prabhu
-



Re: ipsec slave

2007-04-30 Thread Prabhu Gurumurthy

Steven Surdock wrote:

Can anyone provide some insight as to the correct configuration of a
sasyncd slave server with respect to /etc/rc.conf.local?  For example,
is the following correct?

---
ntpd_flags= # enabled during install
sasyncd_flags=# for normal use: 
pf=YES  # Packet filter / NAT
pf_rules=/etc/pf.conf   # Packet filter rules file
pflogd_flags=   # add more flags, ie. -s 256
isakmpd_flags=-K  # for normal use: 
ipsec=YES# IPsec
ipsec_rules=/etc/ipsec.conf # IPsec rules file
---

Where /etc/ipsec.conf is identical to the master server.  I originally
had ipsec=NO but the SAs did not renegotiate eight hours (or so)
after a failover :-(  Do I need a -a for isakmpd?

Thanks!

-Steve S.




Can you provide details of your /etc/sasyncd.conf file?

Mine looks like this on master:
interface carp1
peer 192.168.30.2
sharedkey F00Mat1cA3S|3n

On slave:
interface carp1
peer 192.168.30.1
sharedkey F00Mat1cA3S|3n

apart from the usual
isakmpd_flags=-K
ipsec=YES

on both the hosts, and a valid config file on both hosts.

Hope this helps!
Prabhu
-



Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy

Steven Surdock wrote:

Greetings, I recently converted from isakmpd.conf to ipsec.conf and I
seem to be having a problem bringing up a second tunnel to a PIX.  It
_appears_ that the OBSD side is trying to use the default hmac
(sha2_256) even though it is configured to use md5 for the second
tunnel.  Oddly, the first tunnel comes up fine.  Any insight or
trouble-shooting tips would be appreciated.  BTW, is there any way to see
what flows have been configured?  ipsecctl -sf seemed to only show a
flow when phase I was complete.

ipsecctl -sf

flow esp in from 192.168.60.192/28 to 10.10.0.0/16 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type use
flow esp out from 10.10.0.0/16 to 192.168.60.192/28 peer 192.168.40.8
srcid 192.168.13.4/32 dstid 192.168.40.8 type require

The local peer (OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT
2007) is configured like:

ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \
peer  192.168.40.8 \
local 192.168.13.4 \
main auth hmac-md5 enc aes group modp1024 \
psk Hereismylovelykey

/var/log/messages:

Apr 23 12:28:52 fw1 isakmpd[965]: transport_send_messages: giving up on
exchange IPsec-10.5.0.0/24-192.168.60.192/28, no response from peer
192.168.40.8:500
Apr 23 12:28:52 fw1 isakmpd[965]: message_recv: bad message length
Apr 23 12:28:52 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type Unknown 0
...more of the above
Apr 23 12:29:37 fw1 isakmpd[965]: dropped message from 192.168.40.8 port
500 due to notification type Unknown 0
Apr 23 12:30:25 fw1 isakmpd[965]: message_validate_notify: protocol not
supported
Apr 23 12:30:33 fw1 isakmpd[965]: message_recv: bad message length

The remote is a PIX configured like:

access-list 100 permit ip 192.168.60.192 255.255.255.240 10.10.0.0
255.255.0.0
access-list 100 permit ip 192.168.60.192 255.255.255.240 10.5.0.0
255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set RMT esp-aes esp-md5-hmac
crypto map RMT 10 ipsec-isakmp
crypto map RMT 10 match address 100
crypto map RMT 10 set peer 192.168.13.4
crypto map RMT 10 set transform-set RMT
crypto map RMT interface outside
isakmp enable outside
isakmp key  address 192.168.13.4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The PIX debug says:

crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3599058422

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:  SA life type in seconds
ISAKMP:  SA life duration (basic) of 1200
ISAKMP:  encaps is 1
ISAKMP:  authentication algorithm... What? 5?
ISAKMP:  group is 2
ISAKMP:  key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 5) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0xd68545f6
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:192.168.13.4, dest:192.168.40.8 spt:500
dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xd68545f6





I too have the same problem.
I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it works flawlessly with
another OpenBSD system as the peer.


I tried to enable an OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)).

I defined quick auth hmac-sha enc aes; when I do that I get phase 1 completed.

ipsec.conf
ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
local 10.200.3.7 peer 10.200.3.1 \
main auth hmac-sha1 enc aes \
quick auth hmac-sha enc aes \
srcid 10.200.3.7 psk F00F00Bar

snippet from PIX firewall:

crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 1 ipsec-isakmp
crypto map VPN_MAP 1 match address VPN_ACL
crypto map VPN_MAP 1 set peer 10.200.3.7
crypto map VPN_MAP 1 set transform-set IPSEC_SET
crypto map VPN_MAP interface outside
isakmp enable outside
isakmp key  address 10.200.3.7 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800


Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy

Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:

...

I too have the same problem.
I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it
works flawlessly with
another OpenBSD system as the peer.

I tried to enable OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5))

I defined quick auth hmac-sha enc aes, when I do that I get phase 1
completed. 


ipsec.conf
ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
 local 10.200.3.7 peer 10.200.3.1 \
 main auth hmac-sha1 enc aes \
 quick auth hmac-sha enc aes \
 srcid 10.200.3.7 psk F00F00Bar


...
I don't think hmac-sha is a valid argument for your Phase II.

-Steve S.




Yes, thanks, but that was a typo. Sorry for the confusion; still the tunnel does
not come up.


Thanks
Prabhu
-



Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy

Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:

Prabhu Gurumurthy wrote:

Steven Surdock wrote:

...

Yes, thanks but that was a typo.. sorry for the confusion, still the
tunnel does not come up.



What does your ACL VPN_ACL look like?  How about the output from a
debug crypto isakmp from the PIX?

-Steve S.



Ah.. finally figured it out!

Mismatch on encryption:

On PIX side I had:

crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

On OpenBSD side I had:

ike esp from 172.30.75.0/24 to 192.168.137.0/24 \
local 10.200.3.7 peer 10.200.3.1 \
main auth hmac-sha1 enc aes \
quick auth hmac-sha1 enc aes \
srcid 10.200.3.7 psk !PS3c1nf0


When I enabled debug crypto ipsec and debug crypto isakmp:

crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policyp
ISAKMP:  encryption AES-CBC
ISAKMP:  hash SHA
ISAKMP:  auth pre-share
ISAKMP:  default group 2
ISAKMP:  life type in seconds
ISAKMP:  life duration (basic) of 3600
ISAKMP:  keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length   : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.200.3.7/53766 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2634506259

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:  SA life type in seconds
ISAKMP:  SA life duration (basic) of 1200
ISAKMP:  encaps is 1
ISAKMP:  authenticator is HMAC-SHA
ISAKMP:  group is 2
ISAKMP:  key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported


ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:53766 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response

The IPsec SA failed to form because of a mismatch in the AES (CBC) key length:
the PIX expected AES 256, OpenBSD offered AES 128!

*Does anybody know how to fix that in OpenBSD ipsec.conf?*

When I changed my crypto transform-set to:

crypto ipsec transform-set IPSEC_SET esp-aes esp-sha-hmac

the IPsec SA gets established:

ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xb2b675d9
ISAKMP (0): retransmitting phase 2 (2/1)... mess_id 0xb2b675d9
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:59402 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3959032696, spi size = 4
ISAKMP (0): deleting other-spi 3182850060 message ID = 2998302169
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.200.3.7, dest:10.200.3.1 spt:52106 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 285204, spi size = 16
ISAKMP (0): deleting SA: src 10.200.3.7, dst 10.200.3.1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2e6ac, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.200.3.7/53766 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.200.3.7/53766
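An added example (not code from either thread, and not from Cisco or OpenBSD) that normalises a PIX transform-set line and an ipsec.conf ike rule to the same (cipher, key length, authenticator) form and reports the attribute the PIX rejects, reproducing both the hmac_alg 5 failure in Steven's log and the key-length failure above. Assumptions: the phase 2 defaults (aes, hmac-sha2-256) and the `aes-256` keyword are taken from current ipsec.conf(5), and the PSK values are placeholders.

```python
"""Phase 2 proposal checker for PIX <-> OpenBSD ipsec.conf mismatches.

Only the transforms named on this page are tabled; anything else raises."""
import re

# PIX transform names -> (cipher, key bits) or authenticator.
PIX_ENC = {"esp-3des": ("3des", 192), "esp-aes": ("aes", 128),
           "esp-aes-192": ("aes", 192), "esp-aes-256": ("aes", 256)}
PIX_AUTH = {"esp-md5-hmac": "hmac-md5", "esp-sha-hmac": "hmac-sha1"}

# ipsec.conf(5) quick-mode keywords -> same normal form.  Plain 'aes' is a
# 128-bit key; the explicit aes-256 keyword selects a 256-bit key (assumed
# from current ipsec.conf(5)).
OBSD_ENC = {"3des": ("3des", 192), "aes": ("aes", 128), "aes-128": ("aes", 128),
            "aes-192": ("aes", 192), "aes-256": ("aes", 256)}
# Defaults when the rule has no 'quick' clause, as in Steven's rule
# (ipsec.conf(5): aes and hmac-sha2-256 for phase 2; assumed from the manual).
DEFAULT_QUICK = {"enc": ("aes", 128), "auth": "hmac-sha2-256"}


def parse_pix_transform_set(line):
    """'crypto ipsec transform-set NAME esp-aes-256 esp-sha-hmac' -> dict."""
    toks = line.split()
    if toks[:3] != ["crypto", "ipsec", "transform-set"] or len(toks) < 5:
        raise ValueError("not a transform-set line: " + line)
    prop = {"name": toks[3], "enc": None, "auth": None}
    for t in toks[4:]:
        if t in PIX_ENC:
            prop["enc"] = PIX_ENC[t]
        elif t in PIX_AUTH:
            prop["auth"] = PIX_AUTH[t]
        else:
            raise ValueError("transform not tabled here: " + t)
    return prop


def parse_ipsec_conf_quick(rule):
    """Extract the phase 2 (quick) proposal from an ipsec.conf ike rule;
    backslash-continued lines are joined first, defaults fill any gap."""
    text = rule.replace("\\\n", " ")
    prop = dict(DEFAULT_QUICK)
    m = re.search(r"\bquick\s+(.*?)(?=\s+(?:srcid|dstid|psk|rsakey)\b|\s*$)", text)
    if m:
        toks = m.group(1).split()
        for i, t in enumerate(toks[:-1]):
            if t == "enc":
                prop["enc"] = OBSD_ENC[toks[i + 1]]
            elif t == "auth":
                prop["auth"] = toks[i + 1]
    return prop


def proposal_mismatches(pix, obsd):
    """List the attributes on which the PIX will reject OpenBSD's proposal."""
    problems = []
    if pix["enc"][0] != obsd["enc"][0]:
        problems.append(f"cipher: PIX {pix['enc'][0]}, OpenBSD {obsd['enc'][0]}")
    elif pix["enc"][1] != obsd["enc"][1]:
        problems.append(f"key length: PIX {pix['enc'][1]}, OpenBSD {obsd['enc'][1]}")
    if pix["auth"] != obsd["auth"]:
        problems.append(f"authenticator: PIX {pix['auth']}, OpenBSD {obsd['auth']}")
    return problems


# Constructed inputs built from the values quoted in the two threads.
PIX_256 = "crypto ipsec transform-set IPSEC_SET esp-aes-256 esp-sha-hmac"
PIX_128 = "crypto ipsec transform-set IPSEC_SET esp-aes esp-sha-hmac"
PIX_MD5 = "crypto ipsec transform-set RMT esp-aes esp-md5-hmac"
OBSD_SHA1_AES = ("ike esp from 172.30.75.0/24 to 192.168.137.0/24 \\\n"
                 "    local 10.200.3.7 peer 10.200.3.1 \\\n"
                 "    main auth hmac-sha1 enc aes \\\n"
                 "    quick auth hmac-sha1 enc aes \\\n"
                 "    srcid 10.200.3.7 psk \"EXAMPLE-PSK\"")
OBSD_SHA1_AES256 = OBSD_SHA1_AES.replace("quick auth hmac-sha1 enc aes",
                                         "quick auth hmac-sha1 enc aes-256")
OBSD_NO_QUICK = ("ike esp from { 10.10.0.0/16 , 10.5.0.0/24 } to 192.168.60.192/28 \\\n"
                 "    peer 192.168.40.8 local 192.168.13.4 \\\n"
                 "    main auth hmac-md5 enc aes group modp1024 \\\n"
                 "    psk \"EXAMPLE-PSK\"")


def check(pix_line, obsd_rule):
    return proposal_mismatches(parse_pix_transform_set(pix_line),
                               parse_ipsec_conf_quick(obsd_rule))


if __name__ == "__main__":
    for label, pix, obsd in (("Prabhu, as posted", PIX_256, OBSD_SHA1_AES),
                             ("Prabhu, PIX changed to esp-aes", PIX_128, OBSD_SHA1_AES),
                             ("Prabhu, OpenBSD changed to aes-256", PIX_256, OBSD_SHA1_AES256),
                             ("Steven, no quick clause", PIX_MD5, OBSD_NO_QUICK)):
        print(label, "->", check(pix, obsd) or "proposal acceptable")
```

The two cases it reports as acceptable are the PIX change the author made (esp-aes) and the OpenBSD-side alternative, `quick auth hmac-sha1 enc aes-256`.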

IPSec OSPF

2007-04-19 Thread Prabhu Gurumurthy

All -

Scenario:
We have two OpenBSD firewalls/VPN gateways working in failover mode using pf,
pfsync, carp and sasync.


The firewalls, on their inside network, are connected to a Cisco router which is
connected back to the main corp network using P2P serial connections (two
bonded T1s).


The corp side of the router is also another Cisco device.

We have OSPF running on corp network and the remote network.

Presently the corp network is connected to a 2MB/s DSL, which is also another
Cisco box, and the OpenBSD firewalls are connected to a 10MB/s ethernet connection,
so we want to switch the default route to the OpenBSD firewalls.


We want to:

1. connect the Cisco DSL router to the OpenBSD firewalls using L2L IPsec for
redundant connectivity.
2. monitor the serial interface on the Cisco, for which we can use HSRP, VRRP or OSPF
with metrics.


I would like to connect the Cisco DSL router to the OpenBSD firewall using an L2L IPsec
tunnel. This would help if we lose the serial connection: then we can route all
traffic going to the remote network over the IPsec tunnel.


Question:

1. How do I specify a route to the corp network through the IPsec tunnel to
distribute into the OSPF cloud in OpenBSD? If I can, then we can use the route
metric to make sure that the IPsec tunnel fails over in case we lose serial
connectivity to the remote network.


Hope this makes sense.
Thanks for all your responses!

Prabhu
-



Re: Symbolic link insecure?

2006-12-01 Thread Prabhu Gurumurthy

Heinrich Rebehn wrote:

Hi list,

I am getting a daily insecurity report from my system saying:

##
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/pf.conf:
type (file, link)
permissions (0600, 0755)
##

I am actually using a symbolic link for /etc/pf.conf:

ls -l /etc/pf.conf*
lrwxr-xr-x  1 root  wheel     11 Nov 30 17:04 /etc/pf.conf -> pf.conf.001
-rw-------  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
-rw-------  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file.

My question: Is a symbolic link really insecure? Or is this just a 
deficiency of /etc/security?


I could use hard links instead of soft links as a workaround, but then 
one cannot as easily see where the link points to.


Sorry if this might sound like nitpicking, but I do not want to get used
to ignoring security warnings.


Thanks for any help,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341




Two things: use rcs, that saves you headaches; instead of multiple versions of the
file, use one file with multiple diffs. Otherwise the email is really about the
symlink, as others pointed out. If you use RCS you can have the versioning
system in place as you already have it, although in a scalable way IMO, and no
/etc/security email about shouldbe, reallyis.


HTH
Prabhu
-



Re: ksh .profile not evaluated using screen, xterm or subshells

2006-10-16 Thread Prabhu Gurumurthy

Bruno Carnazzi wrote:

  Hi misc,

I export/alias some important stuff in my ksh .profile. It works
normally, but when I run screen or xterm, my .profile is not
evaluated (or even if I launch a sub-shell). I know there is a
difference between a login shell and a sub-shell, but how can I have some
environment variables and aliases in all contexts, every time?

I use OpenBSD/i386 3.9-release's pdksh.

Best regards,

Bruno.




You should have searched the archives.

In .Xdefaults
XTerm*loginShell: true

will do the trick.

Prabhu
-



ipsecctl parser behavior on OpenBSD 4.0 running generic kernel#1137

2006-10-11 Thread Prabhu Gurumurthy

I wanted to test ipsec.conf before loading it and I noticed this odd behavior.

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [570]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [571]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [572]$ echo $?
0

*This is expected!*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [573]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [574]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 2: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [575]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [576]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [577]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [578]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [579]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [580]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [581]$ echo $?
0

*Is this expected? I am missing an ending quote on line three and the parser
thinks this is correct*


pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [582]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [583]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded


pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [584]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [585]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [586]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [587]$ echo $?
1

*When I remove the psk string, the parser notices the problem and errors out*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [588]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [589]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [590]$ echo $?
0

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [591]$ uname -a
OpenBSD pgurumur-vm-openbsd.silverspringnet.com 4.0 GENERIC#1137 i386

dmesg:
OpenBSD 4.0-current (GENERIC) #1137: Wed Oct  4 06:34:08 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS

real mem  = 267939840 (261660K)
avail mem = 236720128 (231172K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(53) BIOS, date 07/29/05, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)

bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 

OpenNTPD Question/Problem on OpenBSD 3.9 (stable) GENERIC #617 kernel

2006-10-03 Thread Prabhu Gurumurthy

All -
   This is going to be a long email. My apologies for that! I have a
question regarding the performance of OpenNTPD vs the generic/DaveMills NTPD.


Setup:
1. We have 3 machines in our DMZ which act as our primary NTP servers.
2. We have close to 8 machines in our Intranet which act as secondary
NTP servers, which serve our whole network, and they all get their
time (or rather try to) from our primary NTP servers.


All 3 primary NTP servers run OpenBSD 3.9 stable (i.e. from the CD)
and the GENERIC kernel, and are in the DMZ. All of them have identical
hardware, in fact Dell PowerEdge 650, and all have the same setup:

* same release install i.e 3.9 install from OpenBSD CD.
* GENERIC kernel and NO modification using ukc or recompile

DMZ NTP servers:
dmz-ntp1
uname: OpenBSD dmz-ntp1.XXX.YYY 3.9 GENERIC#617 i386
Snippet of dmesg:
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

dmz-ntp2
uname: OpenBSD dmz-ntp2.XXX.YYY 3.9 GENERIC#617 i386
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

dmz-ntp3
uname: OpenBSD dmz-ntp3 XXX.YYY 3.9 GENERIC#617 i386
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

ntpd configuration is the same for all the DMZ boxes.
Shown below with comments removed:
[Begin Conf]
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org

server dmz-ntp1.XXX.YYY
server dmz-ntp2.XXX.YYY
server dmz-ntp3.XXX.YYY

listen on *
[End Conf]

All our internal boxes run RHEL4u2
Linux arrowhead.XXX.YYY 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux


ntpd configuration is the same for all internal boxes.
Shown below with comments removed:

[Begin Conf]
server dmz-ntp1.XXX.YYY
server dmz-ntp2.XXX.YYY
server dmz-ntp3.XXX.YYY


peer ntp01.XXX.YYY
peer ntp02.XXX.YYY
peer ntp03.XXX.YYY
peer ntp04.XXX.YYY
peer ntp05.XXX.YYY
peer ntp06.XXX.YYY
peer ntp07.XXX.YYY
peer ntp08.XXX.YYY
peer ntp09.XXX.YYY
peer ntp10.XXX.YYY

server 127.127.1.0
fudge 127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift
[End Conf]

All NTP machines are reachable on port 123.

Problem:
There seems to be a lot of jitter on the OpenNTPD based machines (i.e. the DMZ
machines). This prevents the Intranet machines from syncing up to the OpenBSD
machines. So we installed NTPD (not OpenNTPD) from ports and restarted
NTP on dmz-ntp3, and lo and behold all the Linux boxes started syncing
up with this box, but not with any of the other OpenNTPD based machines (of which
there are 2 right now).


NTP stats from the Intranet boxes.
Please ignore

NTP stats from our Intranet box called arrowhead running RHEL4u2
--== ntpq -p arrowhead ==--
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dmz-ntp1        93.5.230.181     4 u   22 1024  377    0.734 -270.18  87.034
-dmz-ntp3        24.123.214.97    3 u  903 1024  377    1.373  -10.758   3.727
xdmz-ntp2        220.249.119.159  4 u  960 1024  377    0.932 -213.16 246.533
 arrowhead       .STEP.          16 u    - 1024    0    0.000   0.000 4000.00
+aspen           10.200.2.65      5 u  559 1024  376    4.154  -0.673   0.142
+baldy           10.200.1.243     5 u  270 1024  377    3.364   0.145   1.597
 buttermilk      10.200.2.87      5 u  576 1024  376    2.387   0.718   0.203
-copper          10.200.1.222     4 u  971 1024  376    3.130   1.433   0.584
 cypress         10.200.2.87      5 u  426 1024  376    4.032  -0.456   0.111
*heavenly        10.200.1.222     4 u  772 1024  376    3.314  -0.136   0.630
-kirkwood        10.200.2.68      3 u  610 1024  377    4.017  -2.248   3.995
-shasta          66.92.68.11      2 u  747 1024  376   10.674 -12.836   3.089
 LOCAL(0)        LOCAL(0)        10 l   63   64

NTP stats from our Intranet box called aspen running RHEL4u2
--== ntpq -p aspen ==--
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xdmz-ntp1        93.5.230.181     4 u  292 1024  377    0.867  -240.39  86.761
-dmz-ntp3        24.123.214.97    3 u  797 1024  377    1.143  -12.227   3.712
xdmz-ntp2        220.249.119.159  4 u  908 1024  377    2.641  -222.98 247.827
-arrowhead       10.200.1.245     5 u  552 1024  377    3.845    0.828   0.409
 aspen           .STEP.          16 u    - 1024    0    0.000    0.000 4000.00
-baldy           10.200.1.222     4 u 1015 1024  376    4.710   -0.608   0.941
+buttermilk      10.200.1.245     5 u  888 1024  376    3.913    0.013   0.210
*copper          10.200.1.222     4 u  979 1024  376    6.086    0.130   0.248
-cypress         10.200.2.87      5 u  989 1024  376    3.789    0.254   0.437
-heavenly        10.200.2.87      5 u  299 1024  377    5.326    1.349   0.759
+kirkwood        199.184.165.135  3 u  284 1024  377    9.448   -0.471   0.523
-shasta          66.33.216.11     3 u   26 1024  376    5.536  -16.241   4.331
 LOCAL(0)        LOCAL(0)        10 l   52   64  377    0.000    0.000
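The ntpq -p tables above are read by ntpd's selection logic in a fixed way: the first column is the tally code (x = falseticker rejected by the intersection algorithm, - = outlier, + = candidate, * = system peer, blank = discarded), "reach" is an octal shift register of the last eight polls, and an offset beyond the 128 ms step threshold cannot be slewed. The script below is an added example, not code from the original post or from the ntp project; it parses ntpq -p output, decodes those columns and reports which peers cannot be used and why. The sample output embedded in it is constructed with placeholder addresses, and the 10 ms jitter limit is an assumed site policy; the 128 ms step threshold is ntpd's documented default.

```python
"""Parse `ntpq -p` output and report which peers ntpd will not sync to.

Added example; it is not code from the post or from the ntp project.  The
sample output below is constructed in the format ntpq -p prints; the host
names, refids and measurements are illustrative, and the 10 ms jitter
limit is an assumed site policy (the 128 ms step threshold is ntpd's
documented default).
"""
import re
import sys
from dataclasses import dataclass

# Tally codes in column 1 of ntpq -p output (ntpq(8), "Peer Status Word").
TALLY = {
    " ": "discarded (unreachable, stratum 16 or failed sanity checks)",
    "x": "falseticker (rejected by the intersection algorithm)",
    ".": "excess (beyond the survivor limit)",
    "-": "outlier (dropped by the clustering algorithm)",
    "+": "candidate (survived clustering, combined into the clock estimate)",
    "#": "backup (selected but not among the first six)",
    "*": "system peer (the clock is steered to this source)",
    "o": "PPS peer",
}

STEP_THRESHOLD_MS = 128.0   # ntpd default: larger offsets force a clock step


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    kind: str      # u = unicast, l = local reference clock, b = broadcast, ...
    when: str      # seconds since the last poll, or "-" if never polled
    poll: int      # polling interval in seconds
    reach: int     # 8-bit shift register of the last eight polls (printed in octal)
    delay: float   # round-trip delay, ms
    offset: float  # clock offset, ms
    jitter: float  # offset dispersion, ms


LINE_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+"
    r"(?P<jitter>-?\d+\.\d+)\s*$"
)


def parse_ntpq(text):
    """Return one Peer per data row; header, separator and truncated rows are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            peers.append(Peer(
                m["tally"], m["remote"], m["refid"], int(m["st"]), m["t"],
                m["when"], int(m["poll"]), int(m["reach"], 8),
                float(m["delay"]), float(m["offset"]), float(m["jitter"])))
    return peers


def missed_polls(peer):
    """Number of the last eight polls with no usable reply (reach 377 = none missed)."""
    return 8 - bin(peer.reach & 0xFF).count("1")


def system_peer(peers):
    """Name of the peer the local clock is currently steered to, if any."""
    return next((p.remote for p in peers if p.tally == "*"), None)


def assess(peers, jitter_limit_ms=10.0, step_threshold_ms=STEP_THRESHOLD_MS):
    """Map each unusable peer to the reasons ntpd (or the site policy) rejects it."""
    report = {}
    for p in peers:
        reasons = []
        if p.tally == "x":
            reasons.append(TALLY["x"])
        if p.stratum >= 16:
            reasons.append("stratum 16: source is itself unsynchronized")
        if p.reach == 0:
            reasons.append("unreachable: no reply in the last eight polls")
        if abs(p.offset) > step_threshold_ms:
            reasons.append("offset %.1f ms exceeds the %.0f ms step threshold"
                           % (p.offset, step_threshold_ms))
        if p.jitter > jitter_limit_ms:
            reasons.append("jitter %.1f ms exceeds the %.0f ms limit"
                           % (p.jitter, jitter_limit_ms))
        if reasons:
            report[p.remote] = reasons
    return report


# Constructed sample in ntpq -p format (not a capture from the post's hosts).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xdmz-ntp1        192.0.2.10       4 u  292 1024  377    0.867  -240.39  86.761
-dmz-ntp3        192.0.2.12       3 u  797 1024  377    1.143  -12.227   3.712
xdmz-ntp2        192.0.2.11       4 u  908 1024  377    2.641  -222.98 247.827
 arrowhead       .STEP.          16 u    - 1024    0    0.000    0.000 4000.00
*copper          10.200.1.222     4 u  979 1024  376    6.086    0.130   0.248
+kirkwood        198.51.100.3     3 u  284 1024  377    9.448   -0.471   0.523
 LOCAL(0)        LOCAL(0)        10 l   52   64  377    0.000    0.000   0.004
"""

if __name__ == "__main__":
    # Read live output from a pipe (ntpq -p | python3 ntpq_check.py), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    peers = parse_ntpq(text)
    print("synced to:", system_peer(peers))
    for name, reasons in assess(peers).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

On the sample the two x-tagged DMZ peers are rejected for three reasons each (falseticker, offset beyond the step threshold, jitter over the limit), the stratum-16 entry is rejected as unsynchronized and unreachable, and the system peer with reach 376 is reported as having missed exactly one of its last eight polls. Two sources that agree with each other but sit 200 ms away from everyone else cannot win the intersection algorithm against a larger clique of mutually consistent peers, which is the shape of the tables in the post.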

Re: Active Directory authentication

2006-08-16 Thread Prabhu Gurumurthy

Steve Shockley wrote:

Prabhu Gurumurthy wrote:
How about using login_radius feature by modifying login.conf to add a 
new radius profile and authenticate against a RADIUS server. You can 
compile freeradius and have rad_ldap plugin on the RADIUS server to 
authenticate against AD.


Will that still require creating entries in /etc/passwd?  How would it 
choose which login class the user's in?





Yes, it will require adding entries to /etc/passwd; in other words you 
have to use the useradd program, specifically the -L option of useradd. 
userinfo username will give you the login class of a particular user. 
Remember you don't need to (re)set the password of the user if it is 
under the radius profile.


Prabhu



Re: Active Directory authentication

2006-08-15 Thread Prabhu Gurumurthy

Steve Shockley wrote:
I'm researching setting up a wireless gateway using OpenBSD and authpf. 
 We've got an existing Active Directory (2003) domain with about 5000 
user accounts that I'd like to authenticate against.


LDAP seemed like the obvious choice, but it appears I need to create 
local accounts to use login_ldap, and it'd be unwieldy to sync 5000 
users.  There's also a patch for nsswitch, but I'd rather not use a 
custom build if I don't have to.


Kerberos also sounded like a good idea, but if I understand correctly, 
the clients would need a Kerberized ssh client, and they'd have to be 
able to access the KDC before logging in to the gateway.


Is there a better way to do this?




How about using login_radius feature by modifying login.conf to add a 
new radius profile and authenticate against a RADIUS server. You can 
compile freeradius and have rad_ldap plugin on the RADIUS server to 
authenticate against AD.


Direct LDAP would have been my first choice but for time constraints.

Prabhu
--
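What the two replies above amount to on the OpenBSD gateway, as an added example that is not from either post: a radius login class in login.conf(5) carrying the capabilities login_radius(8) reads, into which the local accounts are then placed with useradd -L. The server names, port, timeouts and user name are placeholders.

```conf
# /etc/login.conf -- added "radius" class (host names, port and timeouts are placeholders)
radius:\
	:auth=radius:\
	:radius-server=dmz-radius1.example.com:\
	:radius-server-alt=dmz-radius2.example.com:\
	:radius-port=1812:\
	:radius-timeout=5:\
	:radius-retries=3:\
	:tc=default:
```

The shared secret for each server is read from /etc/raddb/servers (one `hostname secret` line per server; keep the file readable only by root), and if the machine uses /etc/login.conf.db the database has to be rebuilt with cap_mkdb(1) after the edit. Accounts are then created in the class with `useradd -L radius` (with `-s /usr/sbin/authpf` for the authpf gateway described in the question), no local password is set, and `userinfo name` shows the class that will be used. This still means one /etc/passwd entry per user: RADIUS moves the password check to the server, it does not remove the need for the local account list.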



Re: Why ksh?

2006-07-21 Thread Prabhu Gurumurthy

Pedro Timsteo wrote:
Speaking of ksh, is there any way to configure it to clear the screen 
with CTRL+L, as bash does?


Thanks.




This was on the mailing list before, I guess, but you can bind it (Ctrl-L) 
in your .profile or .kshrc:


bind -m '^L'=clear^M



Re: pf on loopback interfaces?

2006-01-23 Thread Prabhu Gurumurthy
If I understand correctly, pf will see packets on all interfaces by 
default unless you specify


set skip on lo { which tells pf to skip seeing packets on the specified 
interface, in this case loopback }



- Prabhu
Christian Weisgerber wrote:

Say I create a loopback interface lo1

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo 
inet 172.16.2.1 netmask 0xff00 


and have a network program bind to that IP address.  On any external
interface, the address is NATed.  Will pf ever see any packets on
lo1?