Re: Renew/extend CA created with ikectl

2018-12-12 Thread Kim Zeitler
Hello Stuart, thanks for the reply, already suspected something along those lines. On 12/10/18 7:14 PM, Stuart Henderson wrote: It's a bit awkward but can be done, you'll find some information at

Renew/extend CA created with ikectl

2018-12-07 Thread Kim Zeitler
Hello, before I start getting creative with openssl(1) on my ikectl(8) created ca. Yesterday my ca certificate expired and I need to renew it (without losing all the client certificates). Is there a recommended way of renewing the ca.crt created using ikectl ca create? I didn't find

Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler
Good morning Radek, I have a suspicion ... For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server. My

Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler
Hello Radek, On 11/2/18 10:16 PM, Radek wrote: Thank you for your response, Following your suggestion I removed IP from enc0 and changed iked.conf as below: $ cat /etc/iked.conf dns1 = "8.8.8.8" dns2 = "8.8.4.4" ikev2 "roadWarrior" ipcomp esp \ from 0.0.0.0/0 to 0.0.0.0/0 \

Re: syntax error and doas.conf

2018-10-31 Thread Kim Zeitler
On 10/31/18 10:42 AM, Markus Rosjat wrote: ... doas vi /etc/doas.conf # Edit in vi :w :! doas -C % You don't even have to leave your editor

Re: ikev2 and road warriors setup

2018-10-31 Thread Kim Zeitler
On 10/28/18 3:04 PM, Radek wrote: Hello, I really need your help. I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road warriors clients (Windows). The problem is that it works ONLY if clients are in the same subnet as VPN Gateway (A.B.C.0/23). Clients from out of the

Re: Intel i350 Offloading not working

2018-07-18 Thread Kim Zeitler
On 07/18/18 11:37, Adonis Peralta wrote: Will definitely do that, but still looking for any explanation from devs :). https://marc.info/?l=openbsd-tech=135203532704213=2 Seems there have been some errors with offloading and I350 in the past Cheers Kim

OpenIKED match on user/cert instead of gateway

2018-06-28 Thread Kim Zeitler
hello misc, I got the requirement for a more exotic setup in which some road warriors are required to be in a different network segment. From strongSWAN I know it is possible to match connections based on userid/cert. iked.conf(5) only gives examples for different gateways. To cut a long

Re: iked: how to request a virtual IP when running as a road warrior

2018-01-31 Thread Kim Zeitler
Hello On 01/30/18 22:00, Peter Müller wrote: Hello *, I am trying to set up an IPsec connection between OpenBSD 6.2 and an IPFire firewall, while the OpenBSD is a road warrior. There, I use "iked", while the firewall is running "strongswan". After struggling with some cryptography issues

Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-08 Thread Kim Zeitler
On 11/08/17 08:37, Claudio Jeker wrote: On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote: On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote: On 11/07/17 15:31, Jeremie Courreges-Anglas wrote: On Tue, Nov 07 2017, Stuart Henderson <s...@spaceh

Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler
On 11/07/17 16:13, Jeremie Courreges-Anglas wrote: On Tue, Nov 07 2017, Kim Zeitler <kim.zeit...@konzept-is.de> wrote: On 11/07/17 15:31, Jeremie Courreges-Anglas wrote: On Tue, Nov 07 2017, Stuart Henderson <s...@spacehopper.org> wrote: I have a question concerning routes

Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler
On 11/07/17 15:31, Jeremie Courreges-Anglas wrote: On Tue, Nov 07 2017, Stuart Henderson wrote: I have a question concerning routes and ospf. We are using iked(8) with a gif(4) interface and ospfd(8) to set up routing. If the ipsec tunnel is down, no ospf route is

iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler
Hello I have a question concerning routes and ospf. We are using iked(8) with a gif(4) interface and ospfd(8) to set up routing. If the ipsec tunnel is down, no ospf route is set and the default route used. Is it sensible and possible to add a null-route from the vpn-gateway to the

Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler
On 05/08/17 15:12, Markus Rosjat wrote: Am 08.05.2017 um 15:02 schrieb Kim Zeitler: Did you allow BGP on your firewall? I was not aware there need to be special rules for bgp I meant your outer-bound firewall, that you pass towards the internet. Depending on your network setup you need

Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler
On 05/08/17 14:42, Markus Rosjat wrote: Am 08.05.2017 um 14:37 schrieb Kim Zeitler: Could you check bgpctl s are there any messages received? You can also check bgpctl s neigh | grep state This should give you at least 2 connections claiming to be established regards Cheers Kim I

Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler
On 05/08/17 14:13, Markus Rosjat wrote: Am 08.05.2017 um 13:58 schrieb Kim Zeitler: On 05/08/17 09:59, Markus Rosjat wrote: match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd" Try to remove this line from your /etc/bgpd.conf, it is not in the e

Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler
On 05/08/17 09:59, Markus Rosjat wrote: match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd" Try to remove this line from your /etc/bgpd.conf, it is not in the example on http://bgp-spamd.net Checked it against my working setup and it is missing there

Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler
On 05/08/17 12:26, Markus Rosjat wrote: Hi, I have something like bgp-spamd:\ :black:\ :msg="Your address %A has sent mail to a spamtrap\n\ within the last 24 hours":\ :method=file:\ :file=/var/mail/spamd.black: in /etc/mail/spamd.conf and a

Re: Migrate Mailserver from sendmail/Courier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Kim Zeitler
Hi Markus On 01/27/17 09:44, Markus Rosjat wrote: > Hi there, > > so my question is what is the best strategy to migrate an existing LDAP > directory from a system that has sendmail and courier running to a > system with openSMTP and Dovecot. > Couple of years ago we changed from Courier to

Re: Allow FTP through Openbsd firewall

2016-10-28 Thread Kim Zeitler
Hello On 10/28/16 08:55, Mik J wrote: Hello, I have FTP clients behind my Openbsd firewall and they want to access ftp sites on the internet I have read numerous documentations but haven't found the answer yet. * I start the ftp-proxy like this /usr/sbin/ftp-proxy -D7 -v * I have rules in

ipsec+tunnel vs. 'pure' ipsec

2016-07-28 Thread Kim Zeitler
Hello, having run a 'pure' ipsec tunnel for some years now I was wondering if there are more advantages in using a tunnel like gre(4), gif(4) or etherip(4) over ipsec except being able to set the mtu or pass Layer2 traffic? Thanks for your answer Kim

Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler
Hello Martin, before I go further - I just ran a ping test with the tcpdump as you requested and it did work. The only thing that was changed was an upgrade from GENERIC.MP#1983 -> GENERIC.MP#1997. On 04/25/16 11:56, Martin Pieuchot wrote: He is running a carp interface on top of a vlan

Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler
Hello Martin On 04/25/16 11:12, Martin Pieuchot wrote: On 25/04/16(Mon) 10:47, Kim Zeitler wrote: He is running a carp interface on top of a vlan interface. In this scenario the carp interface can not be pinged but the vlan interfaces can. Do you mean the CARP node does not answer to ping

Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler
Hello Martin, hello Sebastian On 04/25/16 10:15, Martin Pieuchot wrote: On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote: I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into issues. Which issues? After reading your whole email I still don't understand your problem(s).

Carp interface sitting on vlan can not be pinged

2016-04-15 Thread Kim Zeitler
Hello maybe a stupid question, but is it possible to run a carp(4) interface on vlan(4) interfaces? In the following setup we have the problem that both boxes can be pinged on their address associated with their respective vlan(4) interface, but not on the carp(4) interface IP. Both boxes

Re: Squid slow in connecting to SSL

2016-02-01 Thread Kim Zeitler
Sorry for the long wait, but had a free weekend and none of the site techs got back to me until later today. On 01/29/16 22:03, Stuart Henderson wrote: If you have contact with any of the site admins see if they are running on linux with tcp_tw_recycle=1, I think there is a strong possibility

Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler
On 01/28/16 23:04, Stuart Henderson wrote: On 2016-01-28, Kim Zeitler <kim.zeit...@konzept-is.de> wrote: currently I am trying to solve the phenomenon that certain SSL sites are slow when accessed via squid on OpenBSD. Mostly ownCloud in my case as well as several web shops. The login screen

Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler
On 01/29/16 15:00, Stuart Henderson wrote: $ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out I have access to the logs and they show a mixture of 200 and 503 ...and that pretty much

Squid slow in connecting to SSL

2016-01-28 Thread Kim Zeitler
Hello all, currently I am trying to solve the phenomenon that certain SSL sites are slow when accessed via squid on OpenBSD. Mostly ownCloud in my case as well as several web shops. The login screen alone takes minutes to load. I tested this also with squid running on a debian vm showing no

Re: Advices for a new laptop

2015-10-29 Thread Kim Zeitler
What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC, Gigabit Ethernet, 2x USB3. Got some for testing here (meant to run Windows, actually) and had some minor issues with them and sadly not enough time to look fully into it. But first impressions weren't that 'impressive'. My x220

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-21 Thread Kim Zeitler
Might be a stupid question, but I haven't found an answer to it yet - how does one update to a new snapshot/kernel on an octeon system? boot bsd.rd and select upgrade in the installer. (i hope.) I'm afraid this is not as simple as this, yet. You will also need to copy your kernel to the fat16

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler
Hello On 10/19/15 19:58, Sebastien Marie wrote: RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call (which is the old name for pledge, so with the same syscall number). I pulled the kernel down from the same URL path as the tgz I used. Before reinstalling the system I

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler
Sorry for the last empty answer - you shouldn't try to multi-task. boot bsd.rd and select upgrade in the installer. (i hope.) Thanks for the answer Ted, I will try it with the next snapshot and will give feedback Cheers Kim

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler
On 10/20/15 15:30, Ted Unangst wrote: Kim Zeitler wrote: Hello Sebastien, hello Jonathan @Sebastien thank you for your valuable hints and advice, I did learn quite a bit from it. The machine has been reinstalled to the latest snapshot, as it is needed. On 10/20/15 12:30, Jonathan Gray wrote

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler
Hello Sebastien, hello Jonathan @Sebastien thank you for your valuable hints and advice, I did learn quite a bit from it. The machine has been reinstalled to the latest snapshot, as it is needed. On 10/20/15 12:30, Jonathan Gray wrote: There is no OpenBSD bootloader for armv7 or octeon, in

OpenIKED - send traffic selectors in own child sa

2015-10-19 Thread Kim Zeitler
Hello Running -current I have currently got a minor issue with iked. Trying to connect a security gateway running OpenIKED to a Fortinet IPSEC fw. Connection is set up and seems to work (mostly) but the following behaviour is a bit of an issue. IKED sends one CHILD_SA request containing all

pledge(2) problems on 18/x/ octeon snapshot

2015-10-19 Thread Kim Zeitler
I just tried updating an EdgeRouterLite to the latest octeon snapshot after replacing the kernel and unpacking base58.tgz. Literally all commands lead to: pledge: Function not implemented I would offer a ktrace/kdump but sadly my kdump also returns with said error. Cheers, Kim

Re: cu with XMODEM won't transfer file

2015-10-06 Thread Kim Zeitler
Hello On 10/05/15 19:59, Nicholas Marriott wrote: On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote: On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler <kim.zeit...@konzept-is.de> wrote: I am trying to transfer a new firmware to a switch using cu(1) with XMODEM using a USB-to

cu with XMODEM won't transfer file

2015-10-05 Thread Kim Zeitler
Oct 5 15:48 /dev/ttyU0 Any help on how to debug this further is much appreciated. Cheers Kim -- Kim Zeitler

IKEd, rising SAD count and DPD

2015-09-30 Thread Kim Zeitler
Hello I have iked running connecting to a Fortigate FW. Running 'ipsecctl -s a' gives me the correct flows, but a rising number of SADs. The tunnel has been up 5 days and I got 212 SADs installed. Do I need to set up some kind of dpd to have the old SADs pulled down, or is my error that

pfkey_sa_last_used: message: No such process

2015-09-21 Thread Kim Zeitler
Hi I'm currently trying to set up an OpenIKED GW running 5.7-stable with a proprietary fw/VPN hosted at one of our clients. Seemingly worked so far, ipsecctl shows flows and SADs. I was able to ping a machine on the 'other side' but this stopped without apparent reason. Diving deeper into

Re: Ubiquiti EdgeRouter Lite

2015-08-18 Thread Kim Zeitler
Here are my notes, which are basic, but should be enough to get you through if you're familiar with openbsd. http://www.tedunangst.com/flak/post/OpenBSD-on-ERL Hi Ted, I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon write up and also read through your notes. Had

Re: how to add squid access log in /etc/newsyslog.conf

2015-07-14 Thread Kim Zeitler
Hello, On 07/13/15 22:29, Stuart Henderson wrote: On 2015-07-13, Indunil Jayasooriya induni...@gmail.com wrote: I deleted 30 from that line. Now it looks like this. /var/squid/logs/access.log _squid:_squid 640 14 * @T00Z /var/squid/logs/squid.pid Now it seems to work

Re: Not able to pass BIOS drive check with OpenBSD drive attached

2014-08-01 Thread Kim Zeitler
Hello Adrian, On 31.07.2014 18:59, Adrian Jervolino wrote: My questions to you are: Has anybody run into similar issues and was able to resolve them? Do you think this is an OpenBSD related issue and actually solvable (in a reasonable amount of time)? Swapping the motherboard is currently

Re: carp setup firewall

2014-07-25 Thread Kim Zeitler
Hello Waldemar, On 24.07.2014 17:44, Waldemar Brodkorb wrote: Hi Peter, Peter Hessler wrote, if the addresses on the carp interface are out of sync, then the hashes won't mash, and the firewalls *WILL* conflict with each other. I recommend one IP per carp interface. Far nicer in case you

libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
libiconv Update candidates: quirks-1.113 - quirks-1.113 (ok) Can't install libiconv-1.14p1 because of libraries |library c.73.1 not found | /usr/lib/libc.so.75.0 (system): bad major Cheers, -- Kim Zeitler

Re: libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
On 22.07.2014 17:55, Philip Guenther wrote: OpenBSD gaia 5.5 GENERIC.MP#126 amd64 That's not the 5.5 release. The 5.5 release GENERIC.MP for amd64 had a banner of: OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar 5 09:37:46 MST 2014 so the build number is clearly off. You have

Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Kim Zeitler
All in all the default install is pretty useless in itself and I am going to quote Absolute OpenBSD by Michael Lucas: «You've installed OpenBSD and rebooted into a bare-bones system. Of course, a minimal Unix-like system is actually pretty boring. While it makes a powerful foundation, it

Re: power failure resistance

2014-02-20 Thread Kim Zeitler
fsck)? How should I partition? Which partitions should be mounted read-only? Which should be mounted as memory disks? Which size should I allocate for memory disks (RAM is a constraint here as I have only 256Mb)? Any other advice? Thank you in advance, -- Kim Zeitler

Joining the state of two carp interfaces

2014-02-20 Thread Kim Zeitler
to be Master on A and B. Is there a possibility to join the CARP state of 2 interfaces i.e. both Master or both Backup, no mix. Thanks in advance Kim Zeitler