Hello Stuart
thanks for the reply, already suspected something along those lines.
On 12/10/18 7:14 PM, Stuart Henderson wrote:
It's a bit awkward but can be done, you'll find some information at
Hello,
before I start getting creative with openssl(1) on my ikectl(8) created ca.
Yesterday my ca certificate expired and I need to renew it (without
losing all the client certificates)
Is there a recommended way of renewing the ca.crt created using ikectl
ca create?
I didn't find
Good morning Radek,
I have a suspicion ...
For (1), (2) and (3) VPN is working just fine with Win7_warrior and
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if
warrior has public IP or it is behind NAT). The rest of the world fails to
connect the VPN_server.
My
Hello Radek,
On 11/2/18 10:16 PM, Radek wrote:
Thank you for your response,
Following your suggestion I removed IP from enc0 and changed iked.conf as below:
$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
On 10/31/18 10:42 AM, Markus Rosjat wrote:
...
doas vi /etc/doas.conf
# Edit in vi
:w
:! doas -C %
You don't even have to leave your editor
On 10/28/18 3:04 PM, Radek wrote:
Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road
warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN
Gateway (A.B.C.0/23).
Clients from out of the
On 07/18/18 11:37, Adonis Peralta wrote:
Will definitely do that, but still looking for any explanation from devs :).
https://marc.info/?l=openbsd-tech=135203532704213=2
Seems there have been some errors with offloading and I350 in the past
Cheers
Kim
hello misc,
I got the requirement for a more exotic setup in which some road
warriors are required to be in a different network segment.
From strongSWAN I know it is possible to match connections based on
userid/cert.
iked.conf(5) only gives examples for different gateways.
To cut a long
Hello
On 01/30/18 22:00, Peter Müller wrote:
Hello *,
I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, while the OpenBSD is a road warrior.
There, I use "iked", while the firewall is running "strongswan".
After struggling with some cryptography issues
On 11/08/17 08:37, Claudio Jeker wrote:
On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson <s...@spaceh
On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote:
I have a question concerning routes
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:
On Tue, Nov 07 2017, Stuart Henderson wrote:
I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.
If the ipsec tunnel is down, no ospf route is
Hello
I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.
If the ipsec tunnel is down, no ospf route is set and the default route
used.
Is it sensible and possible to add a null-route from the vpn-gateway to
the
On 05/08/17 15:12, Markus Rosjat wrote:
Am 08.05.2017 um 15:02 schrieb Kim Zeitler:
Did you allow BGP on your firewall?
I was not aware there need to be special rules for bgp
I meant your outer-bound firewall, that you pass towards the internet.
Depending on your network setup you need
On 05/08/17 14:42, Markus Rosjat wrote:
Am 08.05.2017 um 14:37 schrieb Kim Zeitler:
Could you check
bgpctl s
are there any messages received?
You can also check
bgpctl s neigh | grep state
This should give you at least 2 connections claiming to be established
regards
Cheers
Kim
I
On 05/08/17 14:13, Markus Rosjat wrote:
Am 08.05.2017 um 13:58 schrieb Kim Zeitler:
On 05/08/17 09:59, Markus Rosjat wrote:
match from group "spam-bgp" community $spamASN:666 set pftable
"bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the
e
On 05/08/17 09:59, Markus Rosjat wrote:
match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the
example on http://bgp-spamd.net
Checked it against my working setup and it is missing there
On 05/08/17 12:26, Markus Rosjat wrote:
Hi,
I have something like
bgp-spamd:\
:black:\
:msg="Your address %A has sent mail to a spamtrap\n\
within the last 24 hours":\
:method=file:\
:file=/var/mail/spamd.black:
in /etc/mail/spamd.conf
and a
Hi Markus
On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>
Couple of years ago we changed from Courier to
Hello
On 10/28/16 08:55, Mik J wrote:
Hello,
I have FTP clients behind my Openbsd firewall and they want to access ftp sites
on the internet
I have read numerous documentations but haven't found the answer yet.
* I start the ftp-proxy like this
/usr/sbin/ftp-proxy -D7 -v
* I have rules in
Hello
having run a 'pure' ipsec tunnel for some years now I was wondering if
there are more advantages in using a tunnel like gre(4),gif(4) or
etherip(4) over ipsec except being able to set the mtu or pass Layer2
traffic?
Thanks for your answer
Kim
Hello Martin
before I go further - I just run a ping test with the tcpdump as you
requested and it did work. The only thing that was changed was an
upgrade from GENERIC.MP#1983 -> GENERIC.MP#1997.
On 04/25/16 11:56, Martin Pieuchot wrote:
He is running a carp interface on top of a vlan
Hello Martin
On 04/25/16 11:12, Martin Pieuchot wrote:
On 25/04/16(Mon) 10:47, Kim Zeitler wrote:
He is running a carp interface on top of a vlan interface. In this scenario
the carp interface can not be pinged but the vlan interfaces can.
Do you mean the CARP node does not answer to ping
Hello Martin, hello Sebastian
On 04/25/16 10:15, Martin Pieuchot wrote:
On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote:
I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into
issues.
Which issues? After reading your whole email I still don't understand
your problem(s).
Hello
maybe a stupid question, but is it possible to run a carp(4) interface
on vlan(4) interfaces?
In the following setup we have the problem that both boxes can be pinged
on their address associated with their respective vlan(4) interface, but
not on the carp(4) interface IP. Both boxes
Sorry for the long wait, but had a free weekend and none of the site
techs got back to me until later today.
On 01/29/16 22:03, Stuart Henderson wrote:
If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility
On 01/28/16 23:04, Stuart Henderson wrote:
On 2016-01-28, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
currently I try to solve the phenomenon, that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen
On 01/29/16 15:00, Stuart Henderson wrote:
$ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js
curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out
I have access to the logs and they show a mixture of 200 and 503
...and that pretty much
Hello all
currently I try to solve the phenomenon, that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone taking minutes to load.
I tested this also with squid running on a debian vm showing no
What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC,
Gigabit Ethernet, 2x USB3.
Got some for testing here ( meant to run Windows actually) and had
some minor issues with them and sadly not enough time to look
fully into it. But first impressions weren't that 'impressive'
My x220
Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?
boot bsd.rd and select upgrade in the installer. (i hope.)
I'm afraid this is not as simple as this, yet. You will also need to
copy your kernel to the fat16
Hello
On 10/19/15 19:58, Sebastien Marie wrote:
RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call
(which is the old name for pledge, so with the same syscall number).
I pulled the kernel down from the same URL path as the tgz I used.
Before reinstalling the system I
Sorry for the last empty answer - you shouldn't try to multi-task
boot bsd.rd and select upgrade in the installer. (i hope.)
Thanks for the answer Ted, I will try it with the next snapshot and
will give feedback
Cheers
Kim
On 10/20/15 15:30, Ted Unangst wrote:
Kim Zeitler wrote:
Hello Sebastien, hello Jonathan
@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.
On 10/20/15 12:30, Jonathan Gray wrote
Hello Sebastien, hello Jonathan
@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.
On 10/20/15 12:30, Jonathan Gray wrote:
There is no OpenBSD bootloader for armv7 or octeon, in
Hello
Running -current I have currently got a minor issue with iked.
Trying to connect a security gateway running OpenIKED to a Fortinet
IPSEC fw. Connection is set up and seems to work (mostly) but following
behaviour is a bit of an issue.
IKED sends one CHILD_SA request containing all
I just tried updating an EdgeRouterLite to the latest octeon snapshot
after replacing the kernel and unpacking base58.tgz
Literally all commands lead to
: pledge: Function not implemented
I would offer a ktrace/kdump but sadly my kdump also returns with said
error.
Cheers,
Kim
Hello
On 10/05/15 19:59, Nicholas Marriott wrote:
On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote:
On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
I am trying to transfer a new firmware to a switch using cu(1) with XMODEM
using a USB-to
Oct 5 15:48 /dev/ttyU0
Any help how to debug this further is much appreciated.
Cheers Kim
--
Kim Zeitler
Hello
I have iked running connecting to a Fortigate FW.
Running 'ipsecctl -s a' gives me the correct flows, but a rising number
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.
Do I need to set up some kind of dpd to have the old SADs pulled down,
or is my error, that
Hi
I'm currently trying to set up a OpenIKED GW running 5.7-stable with a
proprietary fw/VPN hosted at one of our clients.
Seemingly worked so far ipsecctl shows flows and SADs. I was able to
ping a machine on the 'other-side' but this stopped without apparent reason.
Diving deeper into
Here are my notes, which are basic, but should be enough to get you through if
you're familiar with openbsd.
http://www.tedunangst.com/flak/post/OpenBSD-on-ERL
Hi Ted,
I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon
write up and also read through your notes.
Had
Hello,
On 07/13/15 22:29, Stuart Henderson wrote:
On 2015-07-13, Indunil Jayasooriya induni...@gmail.com wrote:
I deleted 30 from that line. Now it looks like this.
/var/squid/logs/access.log _squid:_squid 640 14 *
@T00Z /var/squid/logs/squid.pid
Now it seems to work
Hello Adrian,
On 31.07.2014 18:59, Adrian Jervolino wrote:
My questions to you are: Has anybody ran into similar issues and was
able to resolve them? Do you think this is a OpenBSD related issue and
actually solveable (in a reasonable amount of time)?
Swapping the motherboard is currently
Hello Waldemar,
On 24.07.2014 17:44, Waldemar Brodkorb wrote:
Hi Peter,
Peter Hessler wrote,
if the addresses on the carp interface are out of sync, then the hashes
won't mash, and the firewalls *WILL* conflict with each other.
I recommend one IP per carp interface. Far nicer in case you
libiconv
Update candidates: quirks-1.113 - quirks-1.113 (ok)
Can't install libiconv-1.14p1 because of libraries
|library c.73.1 not found
| /usr/lib/libc.so.75.0 (system): bad major
Cheers,
--
Kim Zeitler
On 22.07.2014 17:55, Philip Guenther wrote:
OpenBSD gaia 5.5 GENERIC.MP#126 amd64
That's not the 5.5 release. The 5.5 release GENERIC.MP for amd64 had a
banner of:
OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar 5 09:37:46 MST 2014
so the build number is clearly off.
You have
All in all the default install is pretty useless in itself and I am going
to quote Absolute OpenBSD by Michael Lucas:
«You're installed OpenBSD and rebooted into a bare-bones system. Of
course, a minimal Unix-like system is actually pretty boring. While it
makes a powerful foundation, it
fsck)? How should I partition? Which partitions
should be mount read-only? Which should be mount as memory disks? Which
size should I allocate for memory disks (RAM is a constraint here as I
have only 256Mb)? Any other advices?
Thank you in advance,
--
Kim Zeitler
to be Master on A and B.
Is there a possibility to join the CARP state of 2 interfaces i.e. both
Master or both Backup, no mix.
Thanks in advance
Kim Zeitler
50 matches