A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread Stephen Bosch
Hi, folks: Here's a good one for you. I have an IPsec tunnel running between two OpenBSD boxes. One is still running 3.8 (yes, it needs to be updated) and the other is running 4.1. There is a functioning tunnel running between the two devices. Hosts on one end can see hosts on the other,

Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread Stephen Bosch
knitti wrote: On 10/19/07, Stephen Bosch [EMAIL PROTECTED] wrote: Other things I've tried: - moving the Jetdirect to a different port on the same physical switch - a variety of static and dynamic IPs in the subnet I also forwarded the external port 9100 to this print server and tried

Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread Stephen Bosch
Jussi Peltola wrote: Does the print server have the right gateway configured? Yeah. Checked that. Does scrub have any effect (fragments get dropped in some cases if scrub is off - that bit me once with openvpn)? I think scrub is on, though -- I'll have to look again. Wouldn't tcpdump

Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread Stephen Bosch
Claudiu Pruna wrote: hi Stephen, No offense, but did you check JetDirect's ip settings about the default gateway ? None taken. Yes, I did actually check that, and it was correct. Try an tcpdump on the ethernet interface at site A while trying to print from site B and check if you see

Re: Soekris net4801, OpenBSD 3.8, and manual disklabel

2006-10-17 Thread Stephen Bosch
joerch wrote: On Mon, Oct 16, 2006 at 02:13:53PM -0600, Stephen Bosch wrote: I recently switched to 1.0 GB SanDisk CF. I can generate images no problem, but at boot time, we see this warning: Automatic boot in progress: starting file system checks. /dev/rwd0a: file system is clean

Re: OpenBSD 3.8, Soekris net4801 - console boot hangs when keys pressed

2006-10-16 Thread Stephen Bosch
Stephen Bosch wrote: Hi: I have a Soekris net4801 which runs from a compact flash disk. It boots to the serial console. I've set everything to 9600 baud, 8 bit words, no parity, 1 stop bit. When left unattended, it boots normally. If I try to enter anything at the boot prompt, I see

Soekris net4801, OpenBSD 3.8, and manual disklabel

2006-10-16 Thread Stephen Bosch
Hi: I use a script to generate images for the compact flash disks I use in my Soekris net4801 devices. I recently switched to 1.0 GB SanDisk CF. I can generate images no problem, but at boot time, we see this warning: Automatic boot in progress: starting file system checks. /dev/rwd0a: file

binat in and out of same interface: possible?

2006-08-16 Thread Stephen Bosch
I have an OpenBSD 3.8 device, running on Soekris 4801 hardware, sitting on a private network. Its sole purpose is to NAT traffic before it goes through an IPsec tunnel. I am using binat and static routes to reach the Two interfaces are connected to the network. This is the pf.conf file: #

Re: Peculiar sshd messages in authlog: Connection closed by {host} repeats

2006-08-10 Thread Stephen Bosch
Tobias Ulmer wrote: Wow fun :) (the IP is from your mail, don't know if this is the firewall or what and I didn't look at other IPs around it.) uran:tobiasu$ nmap -vv -P0 66.18.218.36 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-08-10 10:05 CEST DNS resolution of 1 IPs

Re: RDR and NAT Combination with a single interface

2006-08-10 Thread Stephen Bosch
Steve Welham wrote: The painless way to do this is with webservers on non-routable addresses, NAT and two interfaces. Is that out of the question? In any case man pf.conf says: Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to

Peculiar sshd messages in authlog: Connection closed by {host} repeats

2006-08-09 Thread Stephen Bosch
Hi: I have an OpenBSD 3.8 host. My authlog is filling up with strange messages: Aug 9 17:30:27 fw1 sshd[7006]: Connection closed by XX.XX.XX.XX Aug 9 17:31:31 fw1 sshd[21487]: Connection closed by XX.XX.XX.XX Aug 9 17:32:35 fw1 sshd[339]: Connection closed by XX.XX.XX.XX Aug 9 17:33:39

Re: Trying to route through enc0

2006-07-18 Thread Stephen Bosch
jared r r spiegel wrote: On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote: route add -host 192.168.0.57 -interface enc0 I get this response: route: enc0: bad address -interface actually takes an address: --- If the destination is directly reachable via an interface

Re: Trying to route through enc0

2006-07-18 Thread Stephen Bosch
My apologies to everyone. This is a pf problem -- I've sorted it out. Thanks, -Stephen- Stephen Bosch wrote: jared r r spiegel wrote: On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote: route add -host 192.168.0.57 -interface enc0 I get this response: route: enc0: bad

Re: BOB is dying.

2006-07-17 Thread Stephen Bosch
Tim Donahue wrote: I swear, spam keeps getting weirder and weirder My own theory is that these are messages designed (by the spammers) to test spam filters. On Fri, 14 Jul 2006 20:43:50 -0700 (PDT) Anon Y. Mous [EMAIL PROTECTED] wrote: BOB is dying. Right turn on RED. Tired of

Trying to route through enc0

2006-07-17 Thread Stephen Bosch
Hi: When I do this -- route add -host 192.168.0.57 -interface enc0 I get this response: route: enc0: bad address Even though a security association for the target address exists on enc0. Unfortunately, the device is not passing traffic to 192.168.0.57. I assume I need to add a route -- but

IPsec flow matching and NAT -- isakmpd and PF

2006-07-14 Thread Stephen Bosch
Hi: Hi folks -- remember me? I finally resolved my problem of doing NAT before IPsec by putting a second device on the internal network of a redundant CARP firewall. Nevertheless -- I am facing an avalanche of VPN requests and a need to NAT them. The more traffic goes through this internal NAT

Re: more: NAT through encryption interface

2006-07-05 Thread Stephen Bosch
Matthew Closson wrote: In setting up about 30 IPsec tunnels on an OpenBSD box in the past 6 months I had this issue come up with about 4 of the remote peers. Typically it is one of two problems. 1. They have made a policy level decision somewhere and say they will only route traffic to

tcpdump on enc0

2006-07-05 Thread Stephen Bosch
Does tcpdump work on enc0? -Stephen-

Re: tcpdump on enc0

2006-07-05 Thread Stephen Bosch
Marcus Glocker wrote: On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen- $ man enc The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been

Re: tcpdump on enc0

2006-07-05 Thread Stephen Bosch
Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? Please don't get me started. I have been working on this problem with precious little assistance from folks like you for over a week now, and I've read

Re: tcpdump on enc0

2006-07-05 Thread Stephen Bosch
Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? And for the record -- since some people found that question beyond the pale -- I have been tcpdumping enc0 all morning and I am seeing no traffic, in spite

Re: tcpdump on enc0

2006-07-05 Thread Stephen Bosch
Matthew R. Dempsky wrote: On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote: I am not seeing any traffic on enc0 when using tcpdump, that is why I asked. Are you sure IPsec is being used? Can you see IPsec-processed traffic on the physical interface? Aye, I have other

NAT before IPsec: final conclusions? what I want to do can't be done without more equipment

2006-07-05 Thread Stephen Bosch
Hi, everybody: First -- thanks to everyone who tried to help me out on this one. It is most appreciated. I apologise if my questions or responses rubbed anyone the wrong way. It wasn't intended. I want to recap the situation because I think that, indeed, what I want to do can't be done. I have

more: NAT through encryption interface

2006-07-04 Thread Stephen Bosch
Hi, all: I am configuring an IPsec tunnel like so: local_internal_IP - alias_IP -remote_peer_IP - remote_internal_IP local host| openBSD | Cisco PIX | remote internal host alias_IP is a carp alias. It is one end of an IPsec security association. netstat -rn gives this (altered)

Re: more: NAT through encryption interface

2006-07-04 Thread Stephen Bosch
Stephen Bosch wrote: Hi, all: I am configuring an IPsec tunnel like so: local_internal_IP - alias_IP -remote_peer_IP - remote_internal_IP local host | openBSD | Cisco PIX | remote internal host alias_IP is a carp alias. It is one end of an IPsec security association

Re: isakmpd: Phase 2 Cisco PIX fun

2006-06-30 Thread Stephen Bosch
Håkan Olsson wrote: On 29 jun 2006, at 22.33, Stephen Bosch wrote: I'm trying to set up a tunnel to a Cisco PIX. It seems to make it past Phase 1, the trouble starts at Phase 2. I've provided some tcpdump output below: ... So, at this point it looks like Phase 1 was successful. Phase 2

routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch
Hi, everybody: Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing. The situation is complicated by some NAT that I need through the encryption interface. We have the following: HostA_private_IP HostA_private_NAT_IP

Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch
Stephen Bosch wrote: Hi, everybody: Okay -- the good news is that we've got the SA up between these two sites, the bad news is that traffic isn't passing. The situation is complicated by some NAT that I need through the encryption interface. We have the following: HostA_private_IP

Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch
Clint Pachl wrote: Stephen Bosch wrote: In the NAT section of my pf.conf, I have the following command: binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets - $HostA_private_NAT_IP Try binat pass ... Done. In the FILTER section, I have: pass in on $enc_if from

Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch
Stuart Henderson wrote: On 2006/06/30 10:51, Stephen Bosch wrote: Thanks. No joy yet. Traceroute traffic is still going out the public interface when I try to ping a host on RemoteB_private_subnets... If this traceroute is from the vpn gateway itself (rather than an endpoint) you'll need

Re: isakmpd is not writing to a specified capture file

2006-06-29 Thread Stephen Bosch
Hans-Joerg Hoexer wrote: isakmpd is only allowed to write to files in the /var/run directory. I've updated the manpage accordingly. Thanks, Hans-Jörg. -Stephen-

isakmpd: Phase 2 Cisco PIX fun

2006-06-29 Thread Stephen Bosch
I'm trying to set up a tunnel to a Cisco PIX. It seems to make it past Phase 1, the trouble starts at Phase 2. I've provided some tcpdump output below: 14:21:45.379077 OpenBSD.500 Cisco_PIX.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: bf4ecb71857072fa-

pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Stephen Bosch
Imagine the following scenario: You have two VPN endpoints. One is an OpenBSD system running isakmpd and pf, the other is a VPN concentrator from some vendor. The OpenBSD already has other VPNs set up, all using the same internal network. Renumbering isn't going to work. The VPN

Re: pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Stephen Bosch
Dag Richards wrote: Stephen Bosch wrote: Imagine the following scenario: You have two VPN endpoints. One is an OpenBSD system running isakmpd and pf, the other is a VPN concentrator from some vendor. The OpenBSD already has other VPNs set up, all using the same internal network

Re: pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Stephen Bosch
Hi, Roy: Roy Morris wrote: Yes it does work! I guess I better hold on to these two boxes I have. Seems they are the only ones that do! lol I have A. clients on each end behind a vpn/pf box B. enc0 binat from internal client to public IP of other side client C. /etc/hostname.if alias for the

Re: pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Stephen Bosch
Roy Morris wrote: Stephen Bosch wrote: Dag Richards wrote: Um no, it won't work. Once the traffic is encrypted you will no longer be able to NAT it. The original packet is now an encrypted blob that is the payload of a new packet with a source of your gateway and dest their GW. you can

isakmpd is not writing to a specified capture file

2006-06-28 Thread Stephen Bosch
Hi: Running OpenBSD 3.8, I cannot get isakmpd to write to a capture file. Here is my mount output: /dev/wd0a on / type ffs (local, noatime) mfs:1824 on /tmp type mfs (asynchronous, local, nodev, nosuid, size=24576 512-blocks) mfs:16738 on /var type mfs (asynchronous, local, nosuid, size=32768