ipsec ipcomp howto - OpenBSD 5.7

2016-03-19 Thread Motty Cruz
Configuring ipsec.conf with ipcomp seems to be more difficult than I thought.
I enabled ipcomp:

# sysctl -a | grep ipcomp
net.inet.ipcomp.enable=1

ipcomp is enabled on both gateways. Here is ipsec.conf:

flow ipcomp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57

ike esp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57 \
        main auth hmac-sha2-256 enc 3des group modp1024 lifetime 86400 \
        quick auth hmac-sha2-256 enc 3des lifetime 86400 \
        psk f15490b4ebc2bfc41a9a009509c91ceb443547f6

My local LAN is 10.10.10.0/24, the remote LAN is 10.10.2.0/24.

# ipsecctl -s all
FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require


SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc

#


Any ideas? The ipsec.conf man page has poor information about ipcomp, from my point of view.




client limit (100) reached, refusing connection from xx.xxx.x.26 OpenBSD 5.1

2016-02-17 Thread Motty Cruz

I see the following error in my firewall log:
client limit (100) reached, refusing connection from xx.xxx.x.26 (this IP is on the firewall interface facing the public)

proxy cannot connect to server xx.xxx.x.48: No route to host

Thanks,
_Motty



Re: OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

2015-07-11 Thread Motty Cruz
Thank you for your suggestion,

I already have connections to peers using isakmpd; I'm afraid to bring 
those connections down to switch over to ipsec.

On 07/11/2015 05:02 PM, carlos albino garcia grijalba wrote:
 Use ipsec.conf; the new configuration is simple. I have connections 
 from Cisco peers and the only problem was using
 wrong credentials.

  Date: Fri, 10 Jul 2015 12:59:56 -0700
  From: motty.c...@gmail.com
  To: misc@openbsd.org; motty.c...@gmail.com
  Subject: OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device
 



OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

2015-07-10 Thread Motty Cruz

Hello,

I have an OpenBSD 5.5 gateway machine that won't initiate a connection 
to the peer. The only way to establish the VPN tunnel is if the peer pings an IP in my 
subnet.

in pf.conf:
IpsecClients={ 173.16.2.20/32, 139.19.10.51/32 }
IpsecHosts={ 192.16.38.24/27 }

# IPSec VPN tunnel
pass in on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
pass in on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts


isakmpd.conf:
[Phase 1]
139.19.10.51=   ISAKMP-peer-CORP1

[Phase 2]
Connections=    IPsec-CORP1-DataCenter1

# Phase 1 peers
## CORP1
[ISAKMP-peer-CORP1]
Phase=          1
Transport=      udp
Address=        139.19.10.51
Configuration=  Default-main-mode3
Authentication= psecret

# Phase 2
[IPsec-CORP1-DataCenter1]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-CORP1
Configuration=  Default-quick-mode3
Local-ID=       Net-datacenter1
Remote-ID=      Net-corp1

[IPsec-CORP1-DataCenter2]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-CORP1
Configuration=  Default-quick-mode3
Local-ID=       Net-datacenter2
Remote-ID=      Net-corp2

Any ideas?



route show does not show routes announced by BGP on OpenBSD 5.5 i386

2015-05-13 Thread Motty Cruz
Running the command route show does not give me the full Internet routing 
table as it should. However, if I run bgpctl show rib I get the full 
routing table. The router is routing packets fine; however, I am concerned 
that something may be wrong.


Any explanation as to why this is happening?

# bgpctl show
Neighbor   AS       MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
level2     7X32      100853      278     0  02:17:31         532191
level1     7X32         300      278     0  02:17:16              1
gateway2   22X8         274      272     0  02:15:01              1
gateway1   22X8         274      272     0  02:15:01              1

# netstat -rn
Routing tables

Internet:
Destination      Gateway            Flags   Refs     Use    Mtu  Prio Iface
default          19.25.16.13        UGS        1    8485      -     8 em0
19.25.16.12/30   link#1             UC         1       0      -     4 em0
19.25.16.13      2c:6b:f5:a4:df:40  UHLc       2     583      -     4 em0
127/8            127.0.0.1          UGRS       0       0  33192     8 lo0
127.0.0.1        127.0.0.1          UH         1       0  33192     4 lo0
19.16.26/24      199.96.38.85       UGS        0  882702      -     8 em1


Thanks,



bgp sending community string

2015-05-13 Thread Motty Cruz
I'm trying to send a community string to our neighbor; here is my configuration:

# ISP peer 1 announcements only #
neighbor 19.25.16.13 {
        remote-as       7X32
        descr           level1
        announce        all
        set community   7X32:100
        tcp md5sig password passwd2
}

Here is how our neighbor sees my router:

KRT in-kernel 19.16.16.0/22 - {19.25.16.14}
Page 0 idx 0 Type 1 val a4e65a0
    Nexthop: 19.25.16.14
    MED: 0
    Localpref: 300
    AS path: [3XX2] 2XX1 2XX1 2XX1 2XX1 I
    Communities: 3xx2:2900

I want the localpref to be much lower for them. They have configured the 
community string on their side; however, we're not sending that string. 
I believe my syntax may be wrong.

Any ideas?

Thanks,



help! BGP receive updates from one peer and broadcast to a different peer - OpenBSD 5.5

2015-05-01 Thread Motty Cruz
Hello,

My company is getting another Internet connection, and our new ISP asks that 
we set up BGP to peer with one of their routers to receive updates and 
peer with another router to broadcast our routes. The ISP gave us the 
following setup example:

My question is how this setup would be done in OpenBSD 5.5 bgpd.conf.

Thanks
Motty



OpenBSD 5.5 ISAKMPD

2015-01-16 Thread Motty Cruz

Hello All,

I'm trying to set up an IPsec tunnel using the following parameters.
Phase 1
exchange encryption: AES256
Data Integrity: SHA256
DH: group 20
Aggressive Mode

Phase 2
encryption: AESGCM256
HASH: SHA384

I can't find examples to configure isakmpd.conf using the parameters above.

[fw2-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     AES256-SHA2-GRP20

[fw2-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-AESGCM-SHA2-SUITE

[QM-ESP-AESGCM-256-SHA2-SUITE]
TRANSFORM_ID=             AESGCM
ENCAPSULATION_MODE=       TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA2
GROUP_DESCRIPTION=        EC_384
Life=                     LIFE_3600_SECS

Using this configuration I get the following error:
isakmpd[30247]: exchange_run: doi-initiato

Thanks in advance,
-Motty
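A cross-reference check for isakmpd.conf fragments like the one in this thread and the one in the earlier "OpenBSD 5.5 won't initiate VPN" thread, added here as an example (not code from OpenBSD or from the poster). The sample config is constructed, and section and tag names are compared exactly, which is a simplification.

```python
# Constructed isakmpd.conf sample modelled on the fragments in the two threads:
# a second Phase= 2 section that [Phase 2] Connections= never names, and a
# Suites= value that does not match the suite section actually defined.
SAMPLE = """\
[Phase 2]
Connections= IPsec-CORP1-DataCenter1
[ISAKMP-peer-CORP1]
Phase= 1
[IPsec-CORP1-DataCenter1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-CORP1
Configuration= fw2-quick-mode
[IPsec-CORP1-DataCenter2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-CORP1
Configuration= fw2-quick-mode
[fw2-quick-mode]
Suites= QM-ESP-AESGCM-SHA2-SUITE
[QM-ESP-AESGCM-256-SHA2-SUITE]
ENCAPSULATION_MODE= TUNNEL
"""

def parse(text):
    """isakmpd.conf -> {section: {tag: value}}; '#' comments and blank lines skipped."""
    cfg, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            cfg.setdefault(cur, {})
        elif "=" in line and cur is not None:
            tag, value = line.split("=", 1)
            cfg[cur][tag.strip()] = value.strip()
    return cfg

def lint(text):
    """Report references to undefined sections, and Phase= 2 sections that
    [Phase 2] Connections= never lists (isakmpd will not initiate those)."""
    cfg, problems = parse(text), []
    listed = [c.strip() for c in cfg.get("Phase 2", {}).get("Connections", "").split(",") if c.strip()]
    for name, tags in cfg.items():
        for tag in ("ISAKMP-peer", "Configuration", "Suites", "Transforms"):
            for ref in (r.strip() for r in tags.get(tag, "").split(",")):
                if ref and ref not in cfg:
                    problems.append(f"[{name}] {tag}= {ref}: no such section")
        if tags.get("Phase") == "2" and name not in listed:
            problems.append(f"[{name}]: not listed in [Phase 2] Connections=")
    for conn in listed:
        if cfg.get(conn, {}).get("Phase") != "2":
            problems.append(f"Connections= {conn}: not a Phase= 2 section")
    return problems
```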



Re: OpenBSD 5.5 ISAKMPD

2015-01-16 Thread Motty Cruz

Thanks Br,

I tried it, but it did not generate isakmpd for me.

Do you have any idea what exchange_run: doi-initiator means?

Thanks,
Motty
On 01/16/2015 01:16 PM, mxb wrote:

Hey,
You probably want to start with ipsec.conf(5).
isakmpd.conf is generated out of ipsec.conf.
I think people running 5.4+ don’t even use it any more.

Br

//mxb






Packet Filter router i386 vs 64bit

2014-11-25 Thread Motty Cruz

Hello all,
I am searching for hardware to build a router with OpenBSD. I have found 
mixed signals as to whether the fastest system is i386 or 64-bit. I know in the 
past i386 OpenBSD used to perform a lot better than a 64-bit system.


Any suggestions!
Thanks,
Motty



Re: Packet Filter router i386 vs 64bit

2014-11-25 Thread motty cruz
 Thank you Juan,

I appreciate your suggestions and advice.
I am planning on using a dual-socket B2 (LGA 1356) board that supports the Intel® Xeon®
processor E5-2400 v2; I suppose i386 would perform better than a 64-bit
AMD processor. Thank you again!

Thanks,
Motty
On 11/25/2014 03:01 PM, Juan J. Fernandez wrote:

Greetings Motty Cruz,

In general, you could achieve performance by configuring your kernel
according to your hardware. You can use dmesg(8) and 'GENERIC' kernel
configuration as a guide for your hardware.

Sometimes i386 will run faster than 64 bit (see
http://www.openbsd.org/amd64.html).


Juan J. Fernandez




reload isakmpd

2014-07-25 Thread motty cruz
Hello, how do I reload the configuration without restarting isakmpd?

Thanks,



Re: reload isakmpd

2014-07-25 Thread motty cruz
Thank you all,

I used these commands:

ps aux
kill 29309
kill 7908
ps aux
isakmpd -S
sasyncd


Thanks,


On Fri, Jul 25, 2014 at 8:29 AM, Reyk Floeter r...@openbsd.org wrote:

 On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
  Hello, how do I reload the configuration without restarting isakmpd?
 
  Thanks,
 

 Have a look at THE FIFO USER INTERFACE in isakmpd(8):

  NOTE: Sending isakmpd a SIGHUP or an R through the FIFO will
  void any updates done to the configuration.

 You can also try to SIGHUP and re-run ipsecctl afterwards.

 Good luck!

 Reyk