Re: Sad story

[Raul Miller]

On Mon, Jun 5, 2017 at 7:37 PM, jungle Boogie  wrote:
> On 5 June 2017 at 16:27, Raul Miller  wrote:
>> On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogie  
>> wrote:
>>> On 5 June 2017 at 16:16, Mihai Popescu  wrote:
 Bytheway, I am using marc.info to read list, has anyone an idea about
 why some emails are presented like a long ASCII stream without sense?
 Much like:

 http://marc.info/?l=openbsd-misc=149656895018721=2
>>>
>>> It's base64 encoded.:
>>>
>>> Maybe the mail client of the poster did something weird.
>>
>> I didn't see anything unusual in the mail headers on that message. Did you?
>
> What about this?
>
> Content-Transfer-Encoding: base64
> Content-Type: text/plain; charset=UTF-8
> X-Content-Discarded: text/html
>
> If you look at "show original" in gmail, it'll also show the body as base64.

What problem do you see there?

Thanks,

-- 
Raul

Re: Unable to establish ikev2 vpn with ios after update to current - OpenBSD 6.1 GENERIC.MP#103 amd64

[Theodore Wynnychenko]

I updated to the most recent snapshot (OpenBSD 6.1 GENERIC.MP#103 amd64).

Unfortunately, while an OpenBSD to OpenBSD ikev2 tunnel works as expected,
attempts to establish a tunnel from ios to OpenBSD fail.

However, the OpenBSD machine appears to believe that the tunnel is up and fine
("sa_state: VALID -> ESTABLISHED"), while the iOS device indicates that no VPN
is up.

There appears to be no change from the snapshot from a couple of days ago, and
this had been working flawlessly through several snapshots over the last year.

Does anyone have any advice on this, and what might have changed?

I see nothing obvious that I need to change in the iked.conf based on the my
reading of the current manpage.

Thank you
Ted


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Theodore Wynnychenko
Sent: Sunday, June 04, 2017 8:14 PM
To: misc@openbsd.org
Subject: Unable to estable ikev2 vpn with ios after update to current

Hello

I have been a bit remiss, and have not updated my system in a couple of months.
I have been following current for a year or two, in general, without incident.

Anyway, after updating last night, I am unable to establish a ikev2 vpn with an
ios 10.3.2 device.  A OBSD6.1<->OBSD6.1 ikev2 vpn is working fine.

I am hoping that someone could shove me in a direction.

I have been using iked with iOS for about a year without a problem.

However, after the update, I noticed that all iOS vpn attempts were failing.

Running # iked -dvvv and trying to connect showed:

...
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:64252 to xxx.yyy.1.20:4500
policy 'ios_vpn'
ikev2_recv: closing SA
sa_free: ispi 0xcd95648ffb47ac65 rspi 0x86e6b00a7646172e
config_free_proposals: free 0x13f816f06500
config_free_proposals: free 0x13f8e4f63580
ca_setauth: auth length 528
ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_x509_subjectaltname: FQDN/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... ok
ikev2_getimsgdata: imsg 24 rspi 0x86e6b00a7646172e ispi 0xcd95648ffb47ac65
initiator 0 sa invalid type 14 data length 528
ikev2_dispatch_cert: invalid auth reply


I found a suggestion that placing an RSA public certificate on the local OBSD
machine could help.

So, I used:

# openssl rsa -in private.key -pubout >
/etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com

Now, running # iked -dvvv shows:

set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local
xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth
hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid ios.ikev2.myfqdn.com
ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address xxx.yyy.15.131
config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config name-server
xxx.yyy.1.129 config netbios-server xxx.yyy.2.99
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file local.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois... ok
ca_validate_cert: /C=US/ST=Illinois... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to
xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48

Re: Sad story

[L. R. S.]

>Simply restore from backup.

I have only one old backup, not the newest changes...

>10% are files you will not ever need
>20% are files that you will never use

That's not my case, sadly.

another iked issue

[Igor V. Gubenko]

Hello all,

I am continuing my assault on iked :)

Here is a perfectly working configuration that uses PSK's:

###

local_ip = "A.B.1.153"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \
passive ipcomp esp \
from $local_net to 10.33.33.0/27 \
local $local_ip \
peer C.D.65.236 \
ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid $local_ip \
dstid web01.domain.org \
psk thepsk


ikev2 "KBDB" \
passive ipcomp esp \
from $local_net to 10.34.34.0/27 \
local $local_ip \
peer C.D.65.237 \
ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid $local_ip \
dstid db01.domain.org \
psk thepsk

###

Now, I am adding a third connection, using certificates (presumably):

##

user "igor" "thepassword"

ikev2 "roaming" \
passive esp \
from $local_net to 192.168.200.0/26 \
local $local_ip \
peer any \
eap "mschap-v2" \
config address 192.168.200.1 \
tag "$name-$id"

##


This results in the first 2 connections never working anymore:

ikev2_msg_auth: responder auth data length 525
ikev2_msg_auth: initiator auth data length 488
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079
cert,auth,authvalid,sa,eapvalid)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079
cert,auth,authvalid,sa,eapvalid)
sa_stateok: VALID flags 0x0038, require 0x0079
cert,auth,authvalid,sa,eapvalid
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid IPV4/A.B.1.153 length 8
sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required
0x0079 cert,auth,authvalid,sa,eapvalid)
config_free_proposals: free 0x23ee58d3f80
ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com
ca_x509_subjectaltname: unsupported subjectAltName type 34
ca_getreq: found CA /C=US/ST=New
Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com
ca_getreq: no valid local certificate found
ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi
0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored


As a side note, the certificate does contain several subjectAltName's:

 X509v3 Subject Alternative Name:
DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com,
DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com,
DNS:vpn.dom.com, DNS:pbx.dom.com


As soon as the third section is commented out, and iked restarted, the
first two connections come back up.


Please help.

Many thanks,

- Igor

Re: Sad story

[jungle Boogie]

On 5 June 2017 at 16:27, Raul Miller  wrote:
> On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogie  wrote:
>> On 5 June 2017 at 16:16, Mihai Popescu  wrote:
>>>
>>> Bytheway, I am using marc.info to read list, has anyone an idea about
>>> why some emails are presented like a long ASCII stream without sense?
>>> Much like:
>>>
>>> http://marc.info/?l=openbsd-misc=149656895018721=2
>>
>> It's base64 encoded.:
>>
>> Maybe the mail client of the poster did something weird.
>
> I didn't see anything unusual in the mail headers on that message. Did you?
>

What about this?

Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
X-Content-Discarded: text/html

If you look at "show original" in gmail, it'll also show the body as base64.


> Thanks,
>
> --
> Raul



-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: Sad story

[Raul Miller]

On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogie  wrote:
> On 5 June 2017 at 16:16, Mihai Popescu  wrote:
>>
>> Bytheway, I am using marc.info to read list, has anyone an idea about
>> why some emails are presented like a long ASCII stream without sense?
>> Much like:
>>
>> http://marc.info/?l=openbsd-misc=149656895018721=2
>
> It's base64 encoded.:
>
> Maybe the mail client of the poster did something weird.

I didn't see anything unusual in the mail headers on that message. Did you?

Thanks,

-- 
Raul

Re: Sad story

[Raul Miller]

On Mon, Jun 5, 2017 at 7:16 PM, Mihai Popescu  wrote:
>> So many documents will be lost
>
> There is an analysys about one's documents on the internet, something
> like 10% are files you will not ever need, 20% are files that you will
> never use, and so on.
>
> Bytheway, I am using marc.info to read list, has anyone an idea about
> why some emails are presented like a long ASCII stream without sense?
> Much like:
>
> http://marc.info/?l=openbsd-misc=149656895018721=2

I do not know why marc.info did not handle the base64 decode, but if
you want to read that message, you can paste the body into
https://www.base64decode.org/ and then hit the decode button.

Or, you could use b64decode.

-- 
Raul

Re: Sad story

[jungle Boogie]

On 5 June 2017 at 16:16, Mihai Popescu  wrote:
>
> Bytheway, I am using marc.info to read list, has anyone an idea about
> why some emails are presented like a long ASCII stream without sense?
> Much like:
>
> http://marc.info/?l=openbsd-misc=149656895018721=2

It's base64 encoded.:

Maybe the mail client of the poster did something weird.


-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: Sad story

[Mihai Popescu]

> So many documents will be lost

There is an analysys about one's documents on the internet, something
like 10% are files you will not ever need, 20% are files that you will
never use, and so on.

Bytheway, I am using marc.info to read list, has anyone an idea about
why some emails are presented like a long ASCII stream without sense?
Much like:

http://marc.info/?l=openbsd-misc=149656895018721=2

Re: Can I bind USB/other interface/device number (e.g. cdceX) to particular MAC, USB serial number or the like?

[gwes]

On 06/04/17 19:09, Kevin Chadwick wrote:


fxp0,1,2 are in order of pci slot. I assume usbs are the same after
boot so anyone who unplugs and plugs devices and doesn't check the
outcome on critical hardware deserves what they get. Also having
critical hardware that can be physically damaged is also asking for
trouble, so I cannot see an issue at all??


I've seen more than one instance where a critical system has
to add an interface on the fly to either (a) replace a failing interface
while maintaining traffic on all the other interfaces or (b)
add an interface when all installed ports are busy.

Saying "you shouldn't do that" or "why would you want to
do that" shows lack of real-world experience.

That said, I agree that the Linux solution is bad.
OpenBSD reports hardware during boot and new hardware
with kernel messages. Using that information to configure
the appropriate daemons and utilities is the right solution.

Geoff Steckel

Re: Sad story

[bytevolcano]

Then the backup was restored, and they all lived happily ever after. :)

On Mon, 5 Jun 2017 12:14:51 +0200
"L. R. S."  wrote:

> Forgot the passphrase of a full-disk encrypted OpenBSD system ;_;
> So many documents will be lost, like [coughs] accesses to NULL.
> 
> 
> --luiz r.
> 

Re: Sad story

[Consus]

On 13:37 Mon 05 Jun, Ingo Schwarze wrote:
> L. R. S. wrote on Mon, Jun 05, 2017 at 12:14:51PM +0200:
> 
> > Forgot the passphrase of a full-disk encrypted OpenBSD system ;_;
> > So many documents will be lost, like [coughs] accesses to NULL.
> 
> Simply restore from backup.

There are two types of system administrators...

Re: Sad story

[Ingo Schwarze]

L. R. S. wrote on Mon, Jun 05, 2017 at 12:14:51PM +0200:

> Forgot the passphrase of a full-disk encrypted OpenBSD system ;_;
> So many documents will be lost, like [coughs] accesses to NULL.

Simply restore from backup.

Or is that sad part of your story that your enemy stole that,
the night before you forgot the passphrase, and it was unencrypted?

SCNR,
  Ingo

Sad story

[L. R. S.]

Forgot the passphrase of a full-disk encrypted OpenBSD system ;_;
So many documents will be lost, like [coughs] accesses to NULL.


--luiz r.

Re: SNMP OID for free memory

[Stuart Henderson]

On 2017-06-04, mabi  wrote:
> Hi,
>
> I am using OpenBSD 6.1 the the Net-SNMP port in order to monitor the system 
> resources. I don't seem to find any OID for the free memory and was wondering 
> if this information is simply not made available in SNMP. Doing an snmpwalk 
> on the HOST-RESOURCES MIB for memory shows the following avaialble OIDs 
> related to memory:

Don't use net-snmp's snmpd on OpenBSD without a very good reason,
use snmpd from the base OS.

> HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
> HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
> HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
> HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
> HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
>
> Any idea where the the free memory info would be hiding?

Whichever of the hrStorageUsed oids that relates to the memory you're
interested in, e.g. given the list above it would be hrStorageUsed.1 for
physical memory. Multiply it by the same-numbered hrStorageSize.

Here's an example from the base OS's snmpd, using snmptable to pull in
the relevant oids for the whole table and format the display.

$ snmptable -v2c -c public 127.0.0.1 hrStorageTable
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

 hrStorageIndexhrStorageType  hrStorageDescr 
hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
  1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory
   4096 Bytes   2069645   1468114   0
  2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory
   4096 Bytes   2082986   1481455   0
 10 HOST-RESOURCES-MIB::hrStorageTypes.3  Swap space
   4096 Bytes   1572863 0   0
 31 HOST-RESOURCES-MIB::hrStorageTypes.4   /
   4096 Bytes520119 37923   0
 32 HOST-RESOURCES-MIB::hrStorageTypes.4   /data
   4096 Bytes   8254103   2292580   0
 33 HOST-RESOURCES-MIB::hrStorageTypes.4   /home
   4096 Bytes  31930799  10749150   0
 34 HOST-RESOURCES-MIB::hrStorageTypes.4/usr
   4096 Bytes   1546599132582   0
 35 HOST-RESOURCES-MIB::hrStorageTypes.4  /usr/X11R6
   4096 Bytes   1028871 48383   0
 36 HOST-RESOURCES-MIB::hrStorageTypes.4  /usr/local
   4096 Bytes   8254103   4240627   0
 37 HOST-RESOURCES-MIB::hrStorageTypes.4/usr/src
   4096 Bytes   1028871271331   0
 38 HOST-RESOURCES-MIB::hrStorageTypes.4  /usr/ports
   4096 Bytes   2061047523465   0
 39 HOST-RESOURCES-MIB::hrStorageTypes.4/usr/obj
   4096 Bytes  12382807   1816114   0
 40 HOST-RESOURCES-MIB::hrStorageTypes.4   /usr/xenocara
   4096 Bytes516007179230   0
 41 HOST-RESOURCES-MIB::hrStorageTypes.4/var
   4096 Bytes   8254103879286   0
 42 HOST-RESOURCES-MIB::hrStorageTypes.4/distsrc
   4096 Bytes  38701655  28351200   0
 43 HOST-RESOURCES-MIB::hrStorageTypes.4/var/www
   4096 Bytes   4125399660222   0
 44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub
512 Bytes20976693603955189904   0
 45 HOST-RESOURCES-MIB::hrStorageTypes.4   /y/Multimedia
512 Bytes20976693603955189904   0
 46 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Download
512 Bytes20976693603955189904   0
 47 HOST-RESOURCES-MIB::hrStorageTypes.4/y/homes
512 Bytes20976693603955189904   0

> I found a script called check_snmp_openbsd.py 
> (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
>  where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free 
> memory but when I do an snmpget on my OpenBSD box this OID is not available.

I might have 

"groups in groups" with pf tables

[Remi Locherer]

Hi,

With other firewall products I like to use groups that contain groups.
In pf I like working with tables. Tables can be negated and rules with
tables are faster than ones with long lists.

I tried to use something like this:


$ cat pf-examples.conf
host_a1 = "192.168.10.11"
host_a2 = "192.168.10.12"
a_hosts =  $host_a1 $host_a2

host_b1 = "192.168.20.11"
host_b2 = "192.168.20.12"
b_hosts = $host_b1 $host_b2

net_c1 = "192.168.30.0/24"
net_c2 = "192.168.31.0/24"
c_hosts = $net_c1 $net_c2

table   { $a_hosts $b_hosts }
table  { $a_hosts $b_hosts $c_hosts }


block log
pass log from  to any
pass log inet proto icmp from  to any


Unfortunately this does not work with macros containing subnets.

$ pfctl -nf pf-examples.conf
pf-examples.conf:11: syntax error
pf-examples.conf:14: macro 'c_hosts' not defined
pf-examples.conf:14: syntax error
$


Do I miss something regarding the syntax?

Are there other approaches to reach my goal?

Thanks,
Remi