Re: IKEv2: CHILD_SA is not created
I tried to specify an explicit parameter -T to disable NAT-Traversal auto-detection and to use the `local' parameter. Also, according to your advice, I tried a configuration like this:

ikev2 crypto-primary active esp \
        from any to any \
        local 1.1.1.1 peer 7.7.7.7 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        ikelifetime 86400 lifetime 28800 \
        psk "secret"

And I got:

May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 8
May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_tss: count 1 length 0
May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_ts: malformed payload: too short for header (0 < 8)
May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_pld: malformed payload: shorter than minimum header size (0 < 4)

Full log: https://pastebin.com/MLC4VXSs

P.S. Tried removing the ikelifetime and lifetime parameters as well. Did not help, the same behavior.

On Tue, May 11, 2021 at 7:43 PM Tobias Heider wrote:
> From my limited understanding of cisco ASA configs I can't see any
> obvious problems.
>
> You could try setting 'from any to any' on your side to see how the server
> responds. If the server is configured to narrow traffic selectors, the handshake
> should succeed and the log will tell you the exact traffic selectors you need
> in your config (look for ikev2_pld_ts in the verbose log).
>
> On Tue, May 11, 2021 at 01:47:53PM +0300, Денис Давыдов wrote:
> > Tobias,
> >
> > The remote side gave me their Cisco ASA 5585 settings and they showed the
> > logs:
> >
> > object network Svc_2_2_2_2
> > host 2.2.2.2
> > object network Svc_3_3_3_3
> > host 3.3.3.3
> > crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA2
> > protocol esp encryption aes-256
> > protocol esp integrity sha-256
> >
> > object-group network Customer
> > description Customer
> > network-object 10.21.139.8 255.255.255.252
> > object-group network ISP-to-Customer
> > description ISP-to-Customer
> > network-object object Svc_2_2_2_2
> > network-object object Svc_3_3_3_3
> > access-list outside_cryptomap_2470 extended permit ip object-group ISP-to-Customer object-group Customer
> > crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA2
> > crypto map outside_map 2470 match address outside_cryptomap_2470
> > crypto map outside_map 2470 set pfs group14
> > crypto map outside_map 2470 set connection-type answer-only
> > crypto map outside_map 2470 set peer 1.1.1.1
> > crypto map outside_map 2470 set ikev2 ipsec-proposal ESP-AES256-SHA2
> > crypto map outside_map 2470 set nat-t-disable
> > crypto map outside_map 2470 set reverse-route
> > crypto ikev2 policy 100
> > encryption aes-256
> > integrity sha
> > group 21 20 19 24 14 5 2
> > prf sha
> > lifetime seconds 28800
> > tunnel-group 1.1.1.1 type ipsec-l2l
> > tunnel-group 1.1.1.1 general-attributes
> > default-group-policy GroupPolicy-Def-IKE2
> > tunnel-group 1.1.1.1 ipsec-attributes
> > ikev1 pre-shared-key *
> > ikev2 remote-authentication pre-shared-key *
> > ikev2 local-authentication pre-shared-key *
> > ikev2 local-authentication pre-shared-key *
> >
> > asa-8m-a5-820-l2l/sec/act# sh logg | i 1.1.1.1
> > May 11 2021 13:35:11: %ASA-7-609001: Built local-host outside:1.1.1.1
> > May 11 2021 13:35:11: %ASA-6-302015: Built inbound UDP connection 1392894457 for outside:1.1.1.1/500 (1.1.1.1/500) to identity:7.7.7.7/500 (7.7.7.7/500)
> > May 11 2021 13:35:11: %ASA-7-713906: IKE Receiver: Packet received on 7.7.7.7:500 from 1.1.1.1:500
> > May 11 2021 13:35:11: %ASA-5-750002: Local:7.7.7.7:500 Remote: 1.1.1.1:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
> > May 11 2021 13:35:11: %ASA-7-713906: IKE Receiver: Packet received on 7.7.7.7:500 from 1.1.1.1:500
> > May 11 2021 13:35:11: %ASA-5-750007: Local:7.7.7.7:500 Remote: 1.1.1.1:500 Username:1.1.1.1 IKEv2 SA DOWN. Reason: application initiated
> > May 11 2021 13:35:11: %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:05m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: IKE Delete
> > May 11 2021 13:35:11: %ASA-5-750006: Local:7.7.7.7:500 Remote: 1.1.1.1:500 Username:1.1.1.1 IKEv2 SA UP. Reason: New Connection Established
> > May 11 2021 13:35:11: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy-Def-IKE2) for user = 1.1.1.1
> >
> >
> > P.S. This is strange, but with another provider, which has the Cisco ASA
> > 5585-SSP10, there are no such problems.
> >
> > --
> > Sincerely,
> > Denis
> >
> > On Fri, May 7, 2021 at 1:10 PM Tobias Heider wrote:
> >
> > > On Fri, May 07, 2021 at 12:17:35PM +0300, Денис Давыдов wrote:
> > > > Hello all,
> > > >
> > > > I can't understand why I got SA_INIT timeout:
> > > > May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free: SA_INIT timeout
OpenBSD 6.9 ports upgrade failures
Hello.

I'm trying to upgrade ports after upgrading the OS to 6.9, but I get a lot of failures from various packages and I don't know how to approach them. One of those packages is python-3.8.6p0 -> python-3.8.8p0.

>quirks-4.9 signed on 2021-05-11T16:31:32Z
>Can't install python-3.8.8p0 because of libraries
>|library ssl.48.2 not found
>| /usr/lib/libssl.so.48.1 (system): minor is too small
>| /usr/lib/libssl.so.49.0 (system): bad major
>Direct dependencies for python-3.8.6p0->3.8.8p0 resolve to libffi-3.3
>sqlite3-3.35.5 gettext-runtime-0.21p1 bzip2-1.0.8p0 xz-5.2.5
>Full dependency tree is sqlite3-3.35.5 gettext-runtime-0.21p1 xz-5.2.5
>bzip2-1.0.8p0 libiconv-1.16p0 libffi-3.3
>
>Couldn't find updates for python-3.8.6p0
>Couldn't install python-3.8.8p0

What should I make of this?
Re: 6.9 on VMware Workstation networking issues
I've also tried VMware Workstation 16 Player on Windows 10 Pro and the network is working fine.
--
ASOU Masato

From: Masato Asou
Date: Wed, 12 May 2021 12:51:48 +0900 (JST)

> Hi Moritz,
>
> I upgraded with the following command on my OpenBSD 6.8 release, and
> the network is working fine.
>
> $ doas sysupgrade
>
> I am using ESXi 6.7 and VMware Fusion 12.1.1 and em0 in both environments,
> and the network is working fine in both environments.
>
> Isn't it a VMware Workstation problem?
> Can you try VirtualBox?
> --
> ASOU Masato
>
> From: Moritz Grimm
> Date: Wed, 12 May 2021 00:32:42 +0200
>
>> Hi,
>>
>> Networking has become unusable in all of my virtual installs of 6.9 on
>> VMware Workstation after an (otherwise uneventful) sysupgrade from 6.8
>> to 6.9. They've been working for years and I've upgraded them several
>> times without any issues so far.
>>
>> netstat -ni shows a huge number of Ofail and ping almost always prints
>> an error from sendmsg ("No buffer space available"), but the
>> occasional ping and DNS lookup does go through (at a success rate of
>> <5%). These are the only error messages I am getting.
>>
>> I'm using vmx(4), but also tried em(4) without any success.
>>
>> None of the upgrade69.html configuration changes are applicable, and
>> my pf.conf parses without errors in 6.9.
>>
>> The dmesg output (from version 6.8 below) is almost identical in 6.9,
>> which just shows slightly less memory available.
>>
>> I've run out of debugging ideas and would appreciate some help. My
>> only "solution" right now was to revert to a 6.8 snapshot. I'm also a
>> bit worried that I might run into similar issues on my bare metal
>> installs (which are all "production"), so I haven't tried those, yet.
>>
>> Thanks,
>> -Moritz
>>
>> OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
>>     r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 519962624 (495MB)
>> avail mem = 489213952 (466MB)
Re: IKEv2: CHILD_SA is not created
On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote:
> I tried to specify an explicit parameter -T to disable NAT-Traversal
> auto-detection and to use the `local' parameter. Also, according to your advice,
> I tried a configuration like this:
>
> ikev2 crypto-primary active esp \
>         from any to any \
>         local 1.1.1.1 peer 7.7.7.7 \
>         ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
>         childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
>         ikelifetime 86400 lifetime 28800 \
>         psk "secret"
>
> And I got:
>
> May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 8
> May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_tss: count 1 length 0
> May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_ts: malformed payload: too short for header (0 < 8)
> May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_pld: malformed payload: shorter than minimum header size (0 < 4)

This looks like you're running < 6.9 where any doesn't work for traffic
selectors. Either try using 0.0.0.0/0 instead or even better update
to the latest version.

> Full log: https://pastebin.com/MLC4VXSs
>
> P.S. Tried removing the ikelifetime and lifetime parameters as well. Did
> not help, the same behavior.
>
> On Tue, May 11, 2021 at 7:43 PM Tobias Heider wrote:
>
> > From my limited understanding of cisco ASA configs I can't see any
> > obvious problems.
> >
> > You could try setting 'from any to any' on your side to see how the server
> > responds. If the server is configured to narrow traffic selectors, the handshake
> > should succeed and the log will tell you the exact traffic selectors you need
> > in your config (look for ikev2_pld_ts in the verbose log).
Re: 6.9 on VMware Workstation networking issues
Hi Masato,

Thanks for checking. I'm currently stuck with Workstation Pro 15.5.7 build-17171714.
It seems likely that it is an interaction between Workstation and some changes between 6.8 and 6.9 that causes this regression. It's not clear whose fault it is for this misbehavior. However, none of the previous OpenBSD versions, various Linux distros, and Windows VMs I'm running exhibit this.
It would be interesting to know if there is more than just ENOBUFS and high Ofail numbers that I could look for to pinpoint the root cause ...

Best regards,
-Moritz

On 12.05.21 11:14, Masato Asou wrote:
> I've also tried VMware Workstation 16 Player on Windows 10 Pro and the
> network is working fine.
> --
> ASOU Masato
>
> From: Masato Asou
> Date: Wed, 12 May 2021 12:51:48 +0900 (JST)
>
>> Hi Moritz,
>>
>> I upgraded with the following command on my OpenBSD 6.8 release, and
>> the network is working fine.
>>
>> $ doas sysupgrade
>>
>> I am using ESXi 6.7 and VMware Fusion 12.1.1 and em0 in both environments,
>> and the network is working fine in both environments.
>>
>> Isn't it a VMware Workstation problem?
>> Can you try VirtualBox?
>> --
>> ASOU Masato
>>
>> From: Moritz Grimm
>> Date: Wed, 12 May 2021 00:32:42 +0200
>>
>>> Hi,
>>>
>>> Networking has become unusable in all of my virtual installs of 6.9 on
>>> VMware Workstation after an (otherwise uneventful) sysupgrade from 6.8
>>> to 6.9. They've been working for years and I've upgraded them several
>>> times without any issues so far.
>>>
>>> netstat -ni shows a huge number of Ofail and ping almost always prints
>>> an error from sendmsg ("No buffer space available"), but the
>>> occasional ping and DNS lookup does go through (at a success rate of
>>> <5%). These are the only error messages I am getting.
>>>
>>> I'm using vmx(4), but also tried em(4) without any success.
>>>
>>> None of the upgrade69.html configuration changes are applicable, and
>>> my pf.conf parses without errors in 6.9.
>>>
>>> The dmesg output (from version 6.8 below) is almost identical in 6.9,
>>> which just shows slightly less memory available.
>>>
>>> I've run out of debugging ideas and would appreciate some help. My
>>> only "solution" right now was to revert to a 6.8 snapshot. I'm also a
>>> bit worried that I might run into similar issues on my bare metal
>>> installs (which are all "production"), so I haven't tried those, yet.
>>>
>>> Thanks,
>>> -Moritz
>>>
>>> OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
>>>     r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>> real mem = 519962624 (495MB)
>>> avail mem = 489213952 (466MB)
Re: OpenBSD 6.9 ports upgrade failures
On Wed, 12 May 2021 at 11:29, Артём Мазуров wrote:
> Hello.
> I'm trying to upgrade ports after upgrading the OS to 6.9, but I get a lot
> >|library ssl.48.2 not found
> >| /usr/lib/libssl.so.48.1 (system): minor is too small
> >| /usr/lib/libssl.so.49.0 (system): bad major

This usually means the pkg_add URL is wrong, perhaps because you have something version-specific in PKG_PATH or /etc/installurl that points to the wrong place, compared to your OS version.

--
May the most significant bit of your life be positive.
Re: IKEv2: CHILD_SA is not created
Tobias,

I replaced the OpenBSD with the same configuration:
-> % uname -r -p
6.9 amd64

Now, with this configuration:

ikev2 crypto-primary active esp \
        from any to any \
        peer 7.7.7.7 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        ikelifetime 86400 lifetime 28800 \
        psk "*"

I got NO_PROPOSAL_CHOSEN: https://pastebin.com/Puhx41DZ

And with the original configuration, which was agreed with the provider:

ikev2 crypto-primary active esp \
        from 10.21.139.8/30 to 2.2.2.2 \
        from 10.21.139.8/30 to 3.3.3.3 \
        peer 7.7.7.7 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        ikelifetime 86400 lifetime 28800 \
        psk "*"

I still got TS_UNACCEPTABLE: https://pastebin.com/nw0usUJi

I don't know where to dig anymore. The remote side is not responding yet. I contacted another provider who shared their configuration from the same Cisco model ASA 5585 (IKEv2 works with that hardware without problems). The only difference is that they don't have these two options (although I am not an expert in Cisco IKEv2 configuration either):

crypto map outside_map 2470 set connection-type answer-only
crypto map outside_map 2470 set reverse-route

I understand that everyone is already tired of this topic. I will be in close contact with this provider. If I can connect to their equipment, I'll write what the problem was. Most likely the problem is in their configuration, rather than a problem in iked itself. I am sorry for the time wasted.

Oh! One more question: Can iked work with the same TS but different peers at the same time? Am I correct in understanding that this is not possible? The remote side just offers the same settings for two public IP addresses from their side (they have two different crypto peers). So far, I have just commented out the configuration with the second peer.
On Wed, May 12, 2021 at 12:33 PM Tobias Heider wrote:
> On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote:
> > I tried to specify an explicit parameter -T to disable NAT-Traversal
> > auto-detection and to use the `local' parameter. Also, according to your advice,
> > I tried a configuration like this:
> >
> > ikev2 crypto-primary active esp \
> >         from any to any \
> >         local 1.1.1.1 peer 7.7.7.7 \
> >         ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> >         childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> >         ikelifetime 86400 lifetime 28800 \
> >         psk "secret"
> >
> > And I got:
> >
> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 8
> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_tss: count 1 length 0
> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_ts: malformed payload: too short for header (0 < 8)
> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_pld: malformed payload: shorter than minimum header size (0 < 4)
>
> This looks like you're running < 6.9 where any doesn't work for traffic
> selectors. Either try using 0.0.0.0/0 instead or even better update
> to the latest version.
>
> > Full log: https://pastebin.com/MLC4VXSs
> >
> > P.S. Tried removing the ikelifetime and lifetime parameters as well. Did
> > not help, the same behavior.
> >
> > On Tue, May 11, 2021 at 7:43 PM Tobias Heider wrote:
> >
> > > From my limited understanding of cisco ASA configs I can't see any
> > > obvious problems.
> > >
> > > You could try setting 'from any to any' on your side to see how the server
> > > responds. If the server is configured to narrow traffic selectors, the handshake
> > > should succeed and the log will tell you the exact traffic selectors you need
> > > in your config (look for ikev2_pld_ts in the verbose log).
Re: VMM 6.9amd64 host video acceleration
Martin writes:
> Hi list,
>
> Just wonder how to enable video acceleration on VMM guest's side (Debian) if
> it was possible. Maybe PCIe passthru should be present for that purpose?

There is nothing to accelerate: vmd(8) doesn't emulate a display or video device. vmm(4) doesn't support pass-through to host hardware either.

-dv
Re: spamd IPv6 listener 6.9amd64
On Wed, May 12, 2021 at 09:46:28AM -0400, Aisha Tammy wrote:
> afaik spamd(8) does not support ipv6 (yet).
> I also do not know if there is any ongoing effort for ipv6 to be added.
>
> On 5/12/21 9:24 AM, Martin wrote:
> > Hi list,
> >
> > I can't find in spamd(8) how to enable an IPv6 listener in addition to the IPv4
> > one.
> >
> > Is it possible to set spamd(8) to listen on both IPv4 and IPv6?
> >
> > Martin
> >

I'm using rspamd, that's a pretty good application.
Re: OpenBSD 6.9 ports upgrade failures
Hi,

Do you mean a packages upgrade using the command:

$ doas pkg_add -uvi

? If yes, you can remove the packages that failed to upgrade and reinstall them manually with the command:

$ doas pkg_add package_name

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, May 12, 2021 9:06 AM, Артём Мазуров wrote:

> Hello.
> I'm trying to upgrade ports after upgrading the OS to 6.9, but I get a lot
> of failures from various packages and I don't know how to approach them.
> One of those packages is python-3.8.6p0 -> python-3.8.8p0.
>
> > quirks-4.9 signed on 2021-05-11T16:31:32Z
> > Can't install python-3.8.8p0 because of libraries
> > |library ssl.48.2 not found
> > | /usr/lib/libssl.so.48.1 (system): minor is too small
> > | /usr/lib/libssl.so.49.0 (system): bad major
> > Direct dependencies for python-3.8.6p0->3.8.8p0 resolve to libffi-3.3
> > sqlite3-3.35.5 gettext-runtime-0.21p1 bzip2-1.0.8p0 xz-5.2.5
> > Full dependency tree is sqlite3-3.35.5 gettext-runtime-0.21p1 xz-5.2.5
> > bzip2-1.0.8p0 libiconv-1.16p0 libffi-3.3
> > Couldn't find updates for python-3.8.6p0
> > Couldn't install python-3.8.8p0
>
> What should I make of this?
Re: 6.9 on VMware Workstation networking issues
Hi,

Please consider moving to VirtualBox. No problems with networking at all on any host platform. Network works fine using the OpenBSD VMM hypervisor too.

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, May 12, 2021 9:48 AM, Moritz Grimm wrote:

> Hi Masato,
>
> Thanks for checking. I'm currently stuck with Workstation Pro 15.5.7
> build-17171714.
> It seems likely that it is an interaction between Workstation and some
> changes between 6.8 and 6.9 that causes this regression. It's not clear
> whose fault it is for this misbehavior. However, none of the previous
> OpenBSD versions, various Linux distros, and Windows VMs I'm running
> exhibit this.
> It would be interesting to know if there is more than just ENOBUFS and
> high Ofail numbers that I could look for to pinpoint the root cause ...
>
> Best regards,
> -Moritz
>
> On 12.05.21 11:14, Masato Asou wrote:
>
> > I've also tried VMware Workstation 16 Player on Windows 10 Pro and the
> > network is working fine.
> >
> > ---
> >
> > ASOU Masato
> > From: Masato Asou a...@soum.co.jp
> > Date: Wed, 12 May 2021 12:51:48 +0900 (JST)
> >
> > > Hi Moritz,
> > > I upgraded with the following command on my OpenBSD 6.8 release, and
> > > the network is working fine.
> > > $ doas sysupgrade
> > > I am using ESXi 6.7 and VMware Fusion 12.1.1 and em0 in both environments,
> > > and the network is working fine in both environments.
> > >
> > > Isn't it a VMware Workstation problem?
> > > Can you try VirtualBox?
> > >
> > > ---
> > >
> > > ASOU Masato
> > > From: Moritz Grimm mgmlist...@mrsserver.net
> > > Date: Wed, 12 May 2021 00:32:42 +0200
> > >
> > > > Hi,
> > > > Networking has become unusable in all of my virtual installs of 6.9 on
> > > > VMware Workstation after an (otherwise uneventful) sysupgrade from 6.8
> > > > to 6.9. They've been working for years and I've upgraded them several
> > > > times without any issues so far.
> > > > netstat -ni shows a huge number of Ofail and ping almost always prints
> > > > an error from sendmsg ("No buffer space available"), but the
> > > > occasional ping and DNS lookup does go through (at a success rate of
> > > > <5%). These are the only error messages I am getting.
> > > > I'm using vmx(4), but also tried em(4) without any success.
> > > > None of the upgrade69.html configuration changes are applicable, and
> > > > my pf.conf parses without errors in 6.9.
> > > > The dmesg output (from version 6.8 below) is almost identical in 6.9,
> > > > which just shows slightly less memory available.
> > > > I've run out of debugging ideas and would appreciate some help. My
> > > > only "solution" right now was to revert to a 6.8 snapshot. I'm also a
> > > > bit worried that I might run into similar issues on my bare metal
> > > > installs (which are all "production"), so I haven't tried those, yet.
> > > > Thanks,
> > > > -Moritz
> > > > OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> > > > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > > real mem = 519962624 (495MB)
> > > > avail mem = 489213952 (466MB)
Re: IKEv2: CHILD_SA is not created
Finally solved! Tried TS one after another. To put it mildly, I'm surprised. It turns out that the equipment on the remote side is configured in such a way that for each TS I had to set up a separate connection. This configuration is working fine now:

ikev2 crypto-primary active esp \
	from 10.21.139.8/30 to 2.2.2.2 \
	peer 7.7.7.7 \
	ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
	childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
	ikelifetime 86400 lifetime 28800 \
	psk "*"

ikev2 crypto-primary active esp \
	from 10.21.139.8/30 to 3.3.3.3 \
	peer 7.7.7.7 \
	ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
	childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
	ikelifetime 86400 lifetime 28800 \
	psk "*"

Tobias, thanks for your time and attention to my problem.

On Wed, May 12, 2021 at 3:36 PM Денис Давыдов wrote:
> Tobias,
>
> I replaced the OpenBSD with the same configuration:
> -> % uname -r -p
> 6.9 amd64
>
> Now, with this configuration:
>
> ikev2 crypto-primary active esp \
> 	from any to any \
> 	peer 7.7.7.7 \
> 	ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> 	childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> 	ikelifetime 86400 lifetime 28800 \
> 	psk "*"
>
> I got NO_PROPOSAL_CHOSEN: https://pastebin.com/Puhx41DZ
>
> And with the original configuration, which was agreed with the provider:
>
> ikev2 crypto-primary active esp \
> 	from 10.21.139.8/30 to 2.2.2.2 \
> 	from 10.21.139.8/30 to 3.3.3.3 \
> 	peer 7.7.7.7 \
> 	ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> 	childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> 	ikelifetime 86400 lifetime 28800 \
> 	psk "*"
>
> I still got TS_UNACCEPTABLE: https://pastebin.com/nw0usUJi
>
> I don't know where to dig anymore. The remote side is not responding yet.
> I contacted another provider who shared their configuration from the same
> Cisco model ASA 5585 (IKEv2 works with that hardware without problems). The
> only difference is that they don't have these two options (although, I am not
> an expert in Cisco IKEv2 configuration either):
>
> crypto map outside_map 2470 set connection-type answer-only
> crypto map outside_map 2470 set reverse-route
>
> I understand that everyone is already tired of this topic. I will be in
> close contact with this provider. If I can connect to their equipment, I'll
> write what the problem was. Most likely the problem is in their
> configuration, rather than the problem in iked itself. I am sorry for the
> time wasted.
>
> Oh! One more question: Can iked work with the same TS but different peers
> at the same time? Am I correct in understanding that this is not possible?
> The remote side just offers the same settings for two public IP addresses
> from their side (they have two different crypto peers). So far, I just
> commented out the configuration with the second peer.
>
>
> On Wed, May 12, 2021 at 12:33 PM Tobias Heider wrote:
>
>> On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote:
>> > I tried to specify an explicit parameter -T to disable NAT-Traversal
>> > auto-detection and use `local' parameter. Also according to your advice
>> > tried a configuration like this:
>> >
>> > ikev2 crypto-primary active esp \
>> > 	from any to any \
>> > 	local 1.1.1.1 peer 7.7.7.7 \
>> > 	ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
>> > 	childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
>> > 	ikelifetime 86400 lifetime 28800 \
>> > 	psk "secret"
>> >
>> > And I got:
>> >
>> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 8
>> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_pld_tss: count 1 length 0
>> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_ts: malformed payload: too short for header (0 < 8)
>> > May 12 08:45:17 crypto-gw2 iked[17640]: ikev2_validate_pld: malformed payload: shorter than minimum header size (0 < 4)
>>
>> This looks like you're running < 6.9 where any doesn't work for traffic
>> selectors. Either try using 0.0.0.0/0 instead or even better update
>> to the latest version.
>>
>> >
>> > Full log: https://pastebin.com/MLC4VXSs
>> >
>> > P.S. Tried removing the ikelifetime and lifetime parameters as well. Did
>> > not help, the same behavior.
>> >
>> > On Tue, May 11, 2021 at 7:43 PM Tobias Heider wrote:
>> >
>> > > From my limited understanding of cisco ASA configs i can't see any
>> > > obvious problems.
>> > >
>> > > You could try setting 'from any to any' on your side to see how the server
>> > > responds. If the server is configured to narrow traffic selectors, the
>> > > handshake
>> > > should succeed and the log will tell you the exact traffic selectors >
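The fix that ended this thread was to turn one iked.conf policy with two "from ... to ..." selectors (which the peer answered with TS_UNACCEPTABLE) into one policy per selector pair. The script below is an added example, not code from the thread or from iked: it parses the small subset of iked.conf syntax used in these messages, splits every multi-selector policy into single-selector policies, and renders them back out. Giving the split policies distinct names (crypto-primary-1, crypto-primary-2) is my own choice so ikectl can tell the SAs apart; the working config in the thread reused one name. The sample policy text is constructed from the thread with the PSK replaced by a placeholder.

```python
"""Added example (not from the thread): split an iked.conf policy that lists
several 'from ... to ...' traffic selectors into one policy per selector pair,
the shape the remote end in the thread accepted."""
import re

# Constructed sample: the two-selector policy that the peer rejected with
# TS_UNACCEPTABLE; the PSK is a placeholder.
SAMPLE_POLICY = r'''
ikev2 crypto-primary active esp \
        from 10.21.139.8/30 to 2.2.2.2 \
        from 10.21.139.8/30 to 3.3.3.3 \
        peer 7.7.7.7 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        ikelifetime 86400 lifetime 28800 \
        psk "*"
'''

# Keywords that start a new clause in the iked.conf subset handled here.
TOP = {"from", "local", "peer", "ikesa", "childsa", "ikelifetime", "lifetime", "psk"}


def logical_lines(text):
    """Join backslash-newline continuations so each policy is one line."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def parse_policy(line):
    """Parse one logical 'ikev2 ...' line into a dict. Only the keywords seen
    in the thread are understood (no 'port', no quoted PSKs with spaces)."""
    t = line.split()
    if not t or t[0] != "ikev2":
        raise ValueError("not an ikev2 policy line")
    pol = {"name": None, "mode": "passive", "selectors": [], "extra": {}}
    i = 1
    if t[i] not in ("active", "passive", "esp"):   # optional policy name
        pol["name"] = t[i]
        i += 1
    if t[i] in ("active", "passive"):
        pol["mode"] = t[i]
        i += 1
    if t[i] != "esp":
        raise ValueError("only esp policies are handled")
    i += 1
    while i < len(t):
        kw = t[i]
        if kw == "from":                            # from SRC to DST
            if i + 3 >= len(t) or t[i + 2] != "to":
                raise ValueError("'from' without matching 'to'")
            pol["selectors"].append((t[i + 1], t[i + 3]))
            i += 4
        elif kw in ("ikesa", "childsa"):            # transform list up to next clause
            j = i + 1
            while j < len(t) and t[j] not in TOP:
                j += 1
            pol["extra"][kw] = " ".join(t[i + 1:j])
            i = j
        elif kw in TOP:                             # single-value clauses
            pol["extra"][kw] = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unhandled keyword {kw!r}")
    return pol


def split_selectors(pol):
    """One policy (and so one CHILD_SA) per selector pair; every other
    parameter is carried over. Distinct names are an assumption of this
    example, see the lead-in."""
    out = []
    for n, pair in enumerate(pol["selectors"], 1):
        child = {**pol, "selectors": [pair]}
        if pol["name"]:
            child["name"] = f"{pol['name']}-{n}"
        out.append(child)
    return out


def render(pol):
    """Render a policy dict back into iked.conf continuation-line form."""
    head = ["ikev2"] + ([pol["name"]] if pol["name"] else []) + [pol["mode"], "esp"]
    body = [f"from {s} to {d}" for s, d in pol["selectors"]]
    for kw in ("local", "peer", "ikesa", "childsa"):
        if kw in pol["extra"]:
            body.append(f"{kw} {pol['extra'][kw]}")
    life = [f"{kw} {pol['extra'][kw]}" for kw in ("ikelifetime", "lifetime") if kw in pol["extra"]]
    if life:
        body.append(" ".join(life))
    if "psk" in pol["extra"]:
        body.append(f"psk {pol['extra']['psk']}")
    return " \\\n\t".join([" ".join(head)] + body)


def expand(text):
    """Parse every policy in text and split each into single-selector policies."""
    policies = [parse_policy(ln) for ln in logical_lines(text) if ln.startswith("ikev2")]
    return [child for p in policies for child in split_selectors(p)]


if __name__ == "__main__":
    for p in expand(SAMPLE_POLICY):
        print(render(p), end="\n\n")
```

Running it on the sample prints two policies that differ only in their selector pair, matching the configuration that finally worked. A policy that already has a single selector passes through unchanged.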
VMM 6.9amd64 host video acceleration
Hi list, Just wondering how to enable video acceleration on the VMM guest's side (Debian), if it is possible. Maybe PCIe passthru would need to be present for that purpose? The virtio_vmmci and vmm_clock kernel driver modules don't help. Martin
spamd IPv6 listener 6.9amd64
Hi list, I can't find in spamd(8) how to enable an IPv6 listener in addition to the IPv4 one. Is it possible to set spamd(8) to listen on both IPv4 and IPv6? Martin
kernel size over time
I used to be able to install OpenBSD on a 1G disk (sets: -x* -g* -c*) and 256M ram, but no more….now a 1280M disk + 384M ram is needed.

After a little sleuthing, the primary reason seems to be that the size of /usr/share/relink/kernel/GENERIC/ has been growing:

Rel  Size
6.4  217M
6.5  223M
6.6  339M
6.7
6.8  465M
6.9  469M

Not that it really matters, but does anyone know why the kernel has grown this much over the releases?

K.
Re: kernel size over time
Check the diff of release notes I guess On Wed, May 12, 2021, 19:26 Kent Watsen wrote: > I used to be able to install OpenBSD on a 1G disk (sets: -x* -g* -c*) and > 256M ram, but no more….now a 1280M disk + 384M ram is needed. > > After a little sleuthing, the primary reason seems to be that the size of > /usr/share/relink/kernel/GENERIC/ has been growing: > > Rel Size > > 6.4 217M > 6.5 223M > 6.6 339M > 6.7 > 6.8 465M > 6.9 469M > > Not that it really matters, but does anyone know why the kernel has grown > this much over the releases? > > K. > >
Re: kernel size over time
kernel-side code for X Kent Watsen wrote: > I used to be able to install OpenBSD on a 1G disk (sets: -x* -g* -c*) and > 256M ram, but no more….now a 1280M disk + 384M ram is needed. > > After a little sleuthing, the primary reason seems to be that the size of > /usr/share/relink/kernel/GENERIC/ has been growing: > > Rel Size > > 6.4 217M > 6.5 223M > 6.6 339M > 6.7 > 6.8 465M > 6.9 469M > > Not that it really matters, but does anyone know why the kernel has grown > this much over the releases? > > K. >
Re: spamd IPv6 listener 6.9amd64
afaik spamd(8) does not support ipv6 (yet). I also do not know if there is any ongoing effort for ipv6 to be added. On 5/12/21 9:24 AM, Martin wrote: Hi list, I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one. Is it possible to set spamd(8) to listen on both IPv4 and IPv6? Martin
Re: VMM 6.9amd64 host video acceleration
Have you considered using a real computer? Martin wrote: > Hi Dave, > > Can you recommend any way to see online videos without shuttering? Modern > CPUs can't smoothly play it in software emulation, unfortunately. > > Martin > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > > > Martin writes: > > > > > Hi list, > > > Just wonder how to enable video acceleration on VMM guest's side (Debian) > > > if it was possible. Maybe PCIe passthru should be present for that > > > purpose? > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > video device. vmm(4) doesn't support pass-through to host hardware > > either. > > > > -dv > >
Re: VMM 6.9amd64 host video acceleration
On Wed, May 12, 2021 at 06:06:14PM +, Martin wrote: > Hi Dave, > > Can you recommend any way to see online videos without shuttering? Modern > CPUs can't smoothly play it in software emulation, unfortunately. > pkg_add youtube-dl pkg_add firefox (or chrome, etc) What's the problem here? Are you trying to watch 8k 240Hz videos or something? > Martin > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > > > Martin writes: > > > > > Hi list, > > > Just wonder how to enable video acceleration on VMM guest's side (Debian) > > > if it was possible. Maybe PCIe passthru should be present for that > > > purpose? > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > video device. vmm(4) doesn't support pass-through to host hardware > > either. > > > > -dv > >
Re: VMM 6.9amd64 host video acceleration
Have you considered using a real computer? Martin wrote: > Hi Theo, > > Sure, for online videos I'm using OpenBSD host with appropriate browser > installed. Just wonder about VMM to move all 'potentially dangerous' things > to a linux VM and remove any browsers from the host. > > Martin > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, May 12, 2021 6:07 PM, Theo de Raadt wrote: > > > Have you considered using a real computer? > > > > Martin martin...@protonmail.com wrote: > > > > > Hi Dave, > > > Can you recommend any way to see online videos without shuttering? Modern > > > CPUs can't smoothly play it in software emulation, unfortunately. > > > Martin > > > ‐‐‐ Original Message ‐‐‐ > > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila d...@sisu.io wrote: > > > > > > > Martin writes: > > > > > > > > > Hi list, > > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > > (Debian) if it was possible. Maybe PCIe passthru should be present > > > > > for that purpose? > > > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > > video device. vmm(4) doesn't support pass-through to host hardware > > > > either. > > > > -dv > >
Re: VMM 6.9amd64 host video acceleration
I am terribly sorry you aren't satisfied with what is possible in OpenBSD, and will have to return to a Linux or Windows environment. Martin wrote: > Hi Theo, > > Sure, for online videos I'm using OpenBSD host with appropriate browser > installed. Just wonder about VMM to move all 'potentially dangerous' things > to a linux VM and remove any browsers from the host. > > Martin > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, May 12, 2021 6:07 PM, Theo de Raadt wrote: > > > Have you considered using a real computer? > > > > Martin martin...@protonmail.com wrote: > > > > > Hi Dave, > > > Can you recommend any way to see online videos without shuttering? Modern > > > CPUs can't smoothly play it in software emulation, unfortunately. > > > Martin > > > ‐‐‐ Original Message ‐‐‐ > > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila d...@sisu.io wrote: > > > > > > > Martin writes: > > > > > > > > > Hi list, > > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > > (Debian) if it was possible. Maybe PCIe passthru should be present > > > > > for that purpose? > > > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > > video device. vmm(4) doesn't support pass-through to host hardware > > > > either. > > > > -dv > >
LLDB step over command
Hello,

I'm on 6.9 release amd64. Switched to clang and lldb since gcc and gdb are not in base anymore.

My problem is that during debugging, for some functions, the command "next/step-over" behaves like "step/step-in".

Example code (just for illustration purposes):

#include <stdlib.h>
#include <string.h>

int main()
{
	int a = 5, b;
	void *p = malloc(sizeof(int));
	memcpy(p, (void *)&a, sizeof(int));
	b = *(int *)p;
	return b;
}

compiled with:

cc -g -Weverything -ansi -pedantic -O0 -o moveint moveint.c

Below is the snippet from the session where lldb goes into malloc instead of stepping over it.

...
-> 7    	void *p = malloc(sizeof(int));
        	^
   8    	memcpy(p, (void *)&a, sizeof(int));
   9    	b = *(int *)p;
   10   	return b;
(lldb) next
Process 18050 stopped
* thread #1, stop reason = step over failed (Could not create return address breakpoint. Return address (0x43eae9c89bd) permissions not found.)
    frame #0: 0x043eae9c8ad0 moveint`malloc
moveint`malloc:
->  0x43eae9c8ad0 <+0>:  movq   0x11c9(%rip), %r11
    0x43eae9c8ad7 <+7>:  callq  0x43eae9c8a40
    0x43eae9c8adc <+12>: jmp    0x43eae9c8a32
    0x43eae9c8ae1 <+17>: pushq  $0x4
...

How should I deal with this?

Thanks,
Serge.
Re: VMM 6.9amd64 host video acceleration
I think there are ways to get what you want w/o VMM, such as a combination of regular X, separate user accounts for different activities, ssh -X/-Y, and rarely, xhost. Email me off-list if you want details; I have described them here at least somewhat, in the past. (Also given the fact that chrome/iridium and I think FF use pledge/unveil now.) On 2021-05-12 18:06:14+, Martin wrote: > Hi Dave, > > Can you recommend any way to see online videos without shuttering? Modern > CPUs can't smoothly play it in software emulation, unfortunately. > > Martin > > ? Original Message ? > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > > > Martin writes: > > > > > Hi list, > > > Just wonder how to enable video acceleration on VMM guest's side (Debian) > > > if it was possible. Maybe PCIe passthru should be present for that > > > purpose? > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > video device. vmm(4) doesn't support pass-through to host hardware > > either. > > > > -dv > >
Re: spamd IPv6 listener 6.9amd64
> On 12 May 2021 at 15:24, Martin wrote:
>
> Hi list,
> I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.
> Is it possible to set spamd(8) to listen on both IPv4 and IPv6?

Unfortunately spamd is IPv4 only.

Back in the day (2014ish?, about the time I was finishing up the 3rd ed of The Book of PF) there was talk of and possibly even an ambition of making it IPv6 capable. I remember discussing some of this with phessler at the time and left the descriptions in the book somewhat vague on the matter, hoping to get back to the issue soon. However I never saw code ready for testing.

I was under the impression that one of the hurdles to overcome was to define a sane version of greylisting to implement for IPv6 with its much larger set of addresses. But there could easily have been other issues that affected the effort.

So until other news on the matter turns up, it is better to rdr-to port spamd only for inet, not inet6.

All the best,
Peter

—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
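The "rdr-to port spamd only for inet" advice above, written out as an added pf.conf fragment (it is not from the thread; the table names and the egress interface group follow the example in spamd(8), and the idea of passing IPv6 SMTP straight to the MTA is this example's assumption about what the rest of the ruleset wants):

```pf
# Added example pf.conf fragment, not from the thread.
# spamd is IPv4-only, so only inet SMTP is redirected into it; inet6 SMTP
# must reach the MTA directly or it gets no greylisting and no delivery.
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# IPv4: unknown senders go through spamd, trusted and whitelisted ones do not.
pass in on egress inet proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress inet proto tcp from <nospamd> to any port smtp
pass in log on egress inet proto tcp from <spamd-white> to any port smtp

# IPv6: no rdr-to at all; deliver straight to the listening MTA.
pass in on egress inet6 proto tcp from any to any port smtp
```

The weak form is the same first pass rule without the "inet" keyword: it matches inet6 SMTP too, and redirecting an IPv6 connection to 127.0.0.1 can never be answered by spamd, so IPv6 senders are silently lost rather than greylisted.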
Re: VMM 6.9amd64 host video acceleration
I just have to say this hatred and twisting of facts could be due to my mindness promotion of our operating system. I've hurt a lot of people. Jealousy is a m*. --Murk On Wed, May 12, 2021 at 8:09 PM Theo de Raadt wrote: > > Have you considered using a real computer? > > Martin wrote: > > > Hi Dave, > > > > Can you recommend any way to see online videos without shuttering? Modern > > CPUs can't smoothly play it in software emulation, unfortunately. > > > > Martin > > > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > > > > > Martin writes: > > > > > > > Hi list, > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > (Debian) if it was possible. Maybe PCIe passthru should be present for > > > > that purpose? > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > video device. vmm(4) doesn't support pass-through to host hardware > > > either. > > > > > > -dv > > > > >
Re: VMM 6.9amd64 host video acceleration
* mindless On Wed, May 12, 2021 at 11:30 PM BergenBergen BergenBergen wrote: > > I just have to say this hatred and twisting of facts could be due to > my mindness promotion of our operating system. > > I've hurt a lot of people. Jealousy is a m*. > > --Murk > > > > On Wed, May 12, 2021 at 8:09 PM Theo de Raadt wrote: > > > > Have you considered using a real computer? > > > > Martin wrote: > > > > > Hi Dave, > > > > > > Can you recommend any way to see online videos without shuttering? Modern > > > CPUs can't smoothly play it in software emulation, unfortunately. > > > > > > Martin > > > > > > ‐‐‐ Original Message ‐‐‐ > > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > > > > > > > Martin writes: > > > > > > > > > Hi list, > > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > > (Debian) if it was possible. Maybe PCIe passthru should be present > > > > > for that purpose? > > > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > > video device. vmm(4) doesn't support pass-through to host hardware > > > > either. > > > > > > > > -dv > > > > > > > >
Re: VMM 6.9amd64 host video acceleration
Hi Dave, Can you recommend any way to see online videos without shuttering? Modern CPUs can't smoothly play it in software emulation, unfortunately. Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 1:43 PM, Dave Voutila wrote: > Martin writes: > > > Hi list, > > Just wonder how to enable video acceleration on VMM guest's side (Debian) > > if it was possible. Maybe PCIe passthru should be present for that purpose? > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > video device. vmm(4) doesn't support pass-through to host hardware > either. > > -dv
Re: spamd IPv6 listener 6.9amd64
Hi Peter, Great book of PF. I've read it early in 2015, very useful. Since the last updates all the incoming connections to my mail servers are IPv6, unfortunately. Just before the updates it was IPv4, so spamd has been used for all the incoming connections outside whitelists of known peers. Works like a charm. Now I'm looking forward to exchanging spamd for rspamd (it has DKIM signing functionality), to replace spamd and dkimproxy, which are working in the current configuration. Hope it can provide the required functionality for IPv6 networks. Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 4:47 PM, Peter Nicolai Mathias Hansteen wrote: > > On 12 May 2021 at 15:24, Martin martin...@protonmail.com wrote: > > > > Hi list, > > I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 > > one. > > Is it possible to set spamd(8) to listen on both IPv4 and IPv6? > > Unfortunately spamd is IPv4 only. > > Back in the day (2014ish?, about the time I was finishing up the 3rd ed of > The Book of PF) there was talk of and possibly even an ambition of making it > IPv6 capable. I remember discussing some of this with phessler at the time > and left the descriptions in the book somewhat vague on the matter, hoping to > get back to the issue soon. However I never saw code ready for testing. > > I was under the impression that one of the hurdles to overcome was to define > a sane version of greylisting to implement for IPv6 with its much larger set > of addresses. But there could easily have been other issues that affected the > effort. > > So until other news on the matter turns up, it is better to rdr-to port spamd > only for inet, not inet6. > > All the best, > Peter > > — > Peter N. M. Hansteen, member of the first RFC 1149 implementation team > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: VMM 6.9amd64 host video acceleration
Hi Theo, Sure, for online videos I'm using OpenBSD host with appropriate browser installed. Just wonder about VMM to move all 'potentially dangerous' things to a linux VM and remove any browsers from the host. Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 6:07 PM, Theo de Raadt wrote: > Have you considered using a real computer? > > Martin martin...@protonmail.com wrote: > > > Hi Dave, > > Can you recommend any way to see online videos without shuttering? Modern > > CPUs can't smoothly play it in software emulation, unfortunately. > > Martin > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila d...@sisu.io wrote: > > > > > Martin writes: > > > > > > > Hi list, > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > (Debian) if it was possible. Maybe PCIe passthru should be present for > > > > that purpose? > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > video device. vmm(4) doesn't support pass-through to host hardware > > > either. > > > -dv
Re: VMM 6.9amd64 host video acceleration
Hi Mike, Did it already as you replied. Thanks. Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 6:20 PM, Mike Larkin wrote: > On Wed, May 12, 2021 at 06:06:14PM +, Martin wrote: > > > Hi Dave, > > Can you recommend any way to see online videos without shuttering? Modern > > CPUs can't smoothly play it in software emulation, unfortunately. > > pkg_add youtube-dl > > pkg_add firefox (or chrome, etc) > > What's the problem here? Are you trying to watch 8k 240Hz videos or something? > > > Martin > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila d...@sisu.io wrote: > > > > > Martin writes: > > > > > > > Hi list, > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > (Debian) if it was possible. Maybe PCIe passthru should be present for > > > > that purpose? > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > video device. vmm(4) doesn't support pass-through to host hardware > > > either. > > > -dv
Re: VMM 6.9amd64 host video acceleration
No Window'es or Linux'es on the hosts, just OpenBSD. Anyway, Debian works great on VMM, except the question's topic thing. Thank you for your attention) Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 6:25 PM, Theo de Raadt wrote: > I am terribly sorry you aren't satisfied with what is possible in OpenBSD, > and will have to return to a Linux or Windows environment. > > Martin martin...@protonmail.com wrote: > > > Hi Theo, > > Sure, for online videos I'm using OpenBSD host with appropriate browser > > installed. Just wonder about VMM to move all 'potentially dangerous' things > > to a linux VM and remove any browsers from the host. > > Martin > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday, May 12, 2021 6:07 PM, Theo de Raadt dera...@openbsd.org wrote: > > > > > Have you considered using a real computer? > > > Martin martin...@protonmail.com wrote: > > > > > > > Hi Dave, > > > > Can you recommend any way to see online videos without shuttering? > > > > Modern CPUs can't smoothly play it in software emulation, unfortunately. > > > > Martin > > > > ‐‐‐ Original Message ‐‐‐ > > > > On Wednesday, May 12, 2021 1:43 PM, Dave Voutila d...@sisu.io wrote: > > > > > > > > > Martin writes: > > > > > > > > > > > Hi list, > > > > > > Just wonder how to enable video acceleration on VMM guest's side > > > > > > (Debian) if it was possible. Maybe PCIe passthru should be present > > > > > > for that purpose? > > > > > > > > > > There is nothing to accelerate: vmd(8) doesn't emulate a display or > > > > > video device. vmm(4) doesn't support pass-through to host hardware > > > > > either. > > > > > -dv
Re: VMM 6.9amd64 host video acceleration
I use TigerVNC server on the Linux VM (Debian) plus dummy video driver and compiled vmm kernel modules for clock in sync and network... https://github.com/voutilad/virtio_vmmci https://github.com/voutilad/vmm_clock On the OpenBSD host TigerVNC viewer has been installed. Works absolutely amazing, like a physical computer. For completely headless system I'd prefer OpenBSD and Alpine on VM. It depends on goals. Martin ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12, 2021 6:49 PM, David Anthony wrote: > Hi Martin, > > Do you have any notes on how to view Linux GUI apps running on OpenBSD VMM? > > For instance, say I wanted to develop code on Debian w/ Visual Studio > Code, and wanted to edit / view VS Code app from my host OpenBSD machine. > > Does that make sense? > > -David
smtpd - sslv3 alert handshake failure
I have an smtpd config which has been running for >1 year without a hitch until now. All outgoing mail is forwarded to a remote SMTP server using a config similar to an example in smtpd.conf(5). Forwarding is failing because of "handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure" (see below for more information).

I'm running current (amd64) with an update frequency of ~twice a week. This error started popping up this weekend - before the libssl/libtls/libcrypto bump. The error remains after the bump.

$ cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0

action "local" mbox alias <aliases>
action "relay" relay host smtp+tls://u...@smtp.ziggo.nl:587 auth <secrets>

match from local for local action "local"
match from local for any action "relay"

I bisected libssl/libtls/libcrypto (checked all changes of the last 2 months) without solving my issue. I also checked smtpd, and found that eric@'s work on moving smtpd to libtls [0] is related to my issue. Reverting smtpd to a version prior to March 5 fixes it for me.

Best guess - probably a stupid one - is that the remote host changed something causing SNI related issues.

Hints on how to further investigate the above are appreciated!

[0] https://marc.info/?l=openbsd-cvs&m=161494786013059&w=2

debug: scheduler: scheduling evp:2b97a598686ca143
debug: scheduler: evp:2b97a598686ca143 scheduled (mta)
debug: mta: querying smarthost for relay:...
debug: mta: querying smarthost
debug: mta: ... got smarthost for 2b97a598686ca143: smtp+tls://u...@smtp.ziggo.nl:587
debug: mta: received evp:2b97a598686ca143 for
debug: mta: draining [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx] refcount=1, ntask=1, nconnector=0, nconn=0
debug: mta: querying secret for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]...
debug: mta: querying MX for [relay:smtp.ziggo.nl:port=587,smtp+tls,auth=secrets:ziggo,mx]...
debug: mta: [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] waiting for MX secret debug: control -> client: pipe closed debug: clearing p=client, fd=11, pid=0 debug: mta: ... got secret for [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx]: AGJrZXRAemlnZ28ubmwAREgmd2pQVyZkS3V3enA2a2wqKjM= debug: mta: draining [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] refcount=2, ntask=1, nconnector=0, nconn=0 debug: mta: [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] waiting for MX debug: MXs for domain smtp.ziggo.nl: 212.54.42.9 preference -1 debug: mta: ... got mx (0x4c260099920, smtp.ziggo.nl, [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx]) debug: mta: draining [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying source for [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx]... debug: mta: ... got source for [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx]: [] debug: mta: new [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x1] debug: mta: connecting with [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x0] debug: mta-routing: searching new route for [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x0]... 
debug: mta-routing: selecting candidate route [] <-> 212.54.42.9 debug: mta-routing: spawning new connection on [] <-> 212.54.42.9 debug: mta: 0x4c2600b96d0: spawned for relay [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] debug: mta: connecting with [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x0] debug: mta: cannot use [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] before 2s debug: mta-routing: no route available for [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x0]: must wait a bit debug: mta: retrying to connect on [connector:[]->[relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx],0x0] in 2s... debug: mta: draining [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] refcount=3, ntask=1, nconnector=1, nconn=1 debug: mta: scheduling relay [relay:smtp.ziggo.nlort=587,smtp+tls,auth=secrets:ziggo,mx] in 1s... 9483c6637b224554 mta connecting address=smtp+tls://212.54.42.9:587 host=smtp.mail.gtm.iss.as9143.net 9483c6637b224554 mta connected debug: mta: 0x4c2600b96d0: IO error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure 9483c6637b224554 mta error reason=IO Error: handshake failed: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure debug: mta: 0x4c2600b96d0: session done ...
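The error in the log above is a fatal handshake_failure alert sent by the relay, which says the remote end rejected smtpd's ClientHello; it does not by itself say whether the cause is the cipher/version offer or the SNI name the poster suspects. The script below is an added example, not code from the thread or from OpenSMTPD: it decodes a libssl error string of that form into its parts with a hint about which side refused, and, when given a host on the command line, redoes the STARTTLS handshake with and without SNI so the two cases can be compared. The sample log line is the one from this thread; the HINTS table, the function names and the host/port arguments are this example's own.

```python
"""Added example (not from the thread): explain a libssl error string like the
one in the smtpd log and, on demand, redo the STARTTLS handshake that smtpd
attempts against the relay, with and without SNI, to see which side rejects it."""
import re
import smtplib
import ssl
import sys

# Constructed from the thread: the failing line of smtpd's debug output.
SAMPLE_LOG = ("debug: mta: 0x4c2600b96d0: IO error: handshake failed: "
              "error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure")

# Hints (this example's own wording) for the common reason strings.
HINTS = [
    ("alert handshake failure",
     "fatal alert received from the peer: it rejected our ClientHello "
     "(no common version, cipher or group, or an SNI name it does not serve)"),
    ("alert protocol version",
     "fatal alert received from the peer: none of our offered protocol versions accepted"),
    ("certificate verify failed",
     "rejected locally: the peer certificate did not verify (CA bundle or hostname)"),
]


def parse_libssl_error(text):
    """Pull code, library, function and reason out of a libssl/LibreSSL
    'error:XXXXXXXX:lib:func:reason' string embedded anywhere in text and
    attach a hint; returns None when no such string is present."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^\n]+)", text)
    if not m:
        return None
    code, lib, func, reason = (s.strip() for s in m.groups())
    hint = next((h for key, h in HINTS if key in reason), "no hint for this reason")
    return {"code": code, "library": lib, "function": func, "reason": reason, "hint": hint}


def probe_starttls(host, port=587, sni=True, timeout=10):
    """Open an SMTP session, issue STARTTLS and wrap the socket ourselves so
    the SNI choice is explicit. Returns (tls_version, cipher_name)."""
    ctx = ssl.create_default_context()
    if not sni:
        ctx.check_hostname = False   # hostname checking requires server_hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        code, _ = smtp.docmd("STARTTLS")
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        smtp.sock = ctx.wrap_socket(smtp.sock, server_hostname=host if sni else None)
        smtp.file = None             # drop the plaintext reader, as smtplib.starttls does
        version, cipher = smtp.sock.version(), smtp.sock.cipher()[0]
        smtp.ehlo()                  # RFC 3207: re-EHLO after the TLS upgrade
        return version, cipher


def compare(host, port=587):
    """Run the probe with and without SNI; map each label to its result or
    to the parsed error (falling back to the raw exception text)."""
    out = {}
    for label, sni in (("sni", True), ("no-sni", False)):
        try:
            out[label] = probe_starttls(host, port, sni=sni)
        except ssl.SSLError as e:
            out[label] = parse_libssl_error(str(e)) or str(e)
    return out


if __name__ == "__main__":
    print(parse_libssl_error(SAMPLE_LOG))
    if len(sys.argv) > 1:   # e.g. python3 probe.py relay.example.net 587
        print(compare(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

If the probe with SNI fails and the one without succeeds (or the other way round), the relay is selecting its TLS configuration by name and the libtls migration, which always sends SNI for the configured hostname, is what exposed the difference; if both fail identically, look at the offered ciphers and protocol versions instead.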