Re: Sad story
On Mon, Jun 5, 2017 at 7:37 PM, jungle Boogiewrote: > On 5 June 2017 at 16:27, Raul Miller wrote: >> On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogie >> wrote: >>> On 5 June 2017 at 16:16, Mihai Popescu wrote: Bytheway, I am using marc.info to read list, has anyone an idea about why some emails are presented like a long ASCII stream without sense? Much like: http://marc.info/?l=openbsd-misc=149656895018721=2 >>> >>> It's base64 encoded.: >>> >>> Maybe the mail client of the poster did something weird. >> >> I didn't see anything unusual in the mail headers on that message. Did you? > > What about this? > > Content-Transfer-Encoding: base64 > Content-Type: text/plain; charset=UTF-8 > X-Content-Discarded: text/html > > If you look at "show original" in gmail, it'll also show the body as base64. What problem do you see there? Thanks, -- Raul
Re: Unable to establish ikev2 vpn with ios after update to current - OpenBSD 6.1 GENERIC.MP#103 amd64
I updated to the most recent snapshot (OpenBSD 6.1 GENERIC.MP#103 amd64). Unfortunately, while an OpenBSD to OpenBSD ikev2 tunnel works as expected, attempts to establish a tunnel from ios to OpenBSD fail. However, the OpenBSD machine appears to believe that the tunnel is up and fine ("sa_state: VALID -> ESTABLISHED"), while the iOS device indicates that no VPN is up. There appears to be no change from the snapshot from a couple of days ago, and this had been working flawlessly through several snapshots over the last year. Does anyone have any advice on this, and what might have changed? I see nothing obvious that I need to change in the iked.conf based on the my reading of the current manpage. Thank you Ted -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theodore Wynnychenko Sent: Sunday, June 04, 2017 8:14 PM To: misc@openbsd.org Subject: Unable to estable ikev2 vpn with ios after update to current Hello I have been a bit remiss, and have not updated my system in a couple of months. I have been following current for a year or two, in general, without incident. Anyway, after updating last night, I am unable to establish a ikev2 vpn with an ios 10.3.2 device. A OBSD6.1<->OBSD6.1 ikev2 vpn is working fine. I am hoping that someone could shove me in a direction. I have been using iked with iOS for about a year without a problem. However, after the update, I noticed that all iOS vpn attempts were failing. Running # iked -dvvv and trying to connect showed: ... ca_setauth: auth length 510 ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG ikev2_resp_recv: failed to send auth response sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:64252 to xxx.yyy.1.20:4500 policy 'ios_vpn' ikev2_recv: closing SA sa_free: ispi 0xcd95648ffb47ac65 rspi 0x86e6b00a7646172e config_free_proposals: free 0x13f816f06500 config_free_proposals: free 0x13f8e4f63580 ca_setauth: auth length 528 ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.myfqdn.com ca_x509_subjectaltname: FQDN/ios.ikev2.myfqdn.com ca_validate_cert: /C=US/ST=Illinois... ok ikev2_getimsgdata: imsg 24 rspi 0x86e6b00a7646172e ispi 0xcd95648ffb47ac65 initiator 0 sa invalid type 14 data length 528 ikev2_dispatch_cert: invalid auth reply I found a suggestion that placing an RSA public certificate on the local OBSD machine could help. So, I used: # openssl rsa -in private.key -pubout > /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com Now, running # iked -dvvv shows: set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid ios.ikev2.myfqdn.com ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address xxx.yyy.15.131 config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config name-server xxx.yyy.1.129 config netbios-server xxx.yyy.2.99 ca_privkey_serialize: type RSA_KEY length 2349 ca_pubkey_serialize: type RSA_KEY length 526 ca_privkey_to_method: type RSA_KEY method RSA_SIG config_getpolicy: received policy ca_getkey: received private key type RSA_KEY length 2349 ca_getkey: received public key type RSA_KEY length 526 ca_dispatch_parent: config reset config_getpolicy: received policy config_getpolicy: received policy config_getpolicy: received policy config_getpolicy: received policy config_getpolicy: received policy config_getpolicy: received policy config_getpfkey: received pfkey fd 3 config_getcompile: compilation done config_getsocket: received socket fd 4 config_getsocket: received socket fd 5 config_getsocket: received socket fd 6 config_getsocket: received socket fd 7 ca_reload: loaded ca file ca.crt ca_reload: /C=US/ST=Illinois... ca_reload: loaded 1 ca certificate ca_reload: loaded cert file local.myfqdn.com.crt ca_reload: loaded cert file ikesync.myfqdn.com.crt ca_validate_cert: /C=US/ST=Illinois... ok ca_validate_cert: /C=US/ST=Illinois... ok ca_reload: local cert type X509_CERT config_getocsp: ocsp_url none ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes ikev2_recv: ispi 0xd14315b81593285a rspi 0x ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27 ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Re: Sad story
>Simply restore from backup. I have only one old backup, not the newest changes... >10% are files you will not ever need >20% are files that you will never use That's not my case, sadly.
another iked issue
Hello all, I am continuing my assault on iked :) Here is a perfectly working configuration that uses PSK's: ### local_ip = "A.B.1.153" local_net = "172.16.0.0/20" ikev2 "KBweb" \ passive ipcomp esp \ from $local_net to 10.33.33.0/27 \ local $local_ip \ peer C.D.65.236 \ ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \ childsa auth hmac-sha2-256 enc aes-256 group modp2048 \ srcid $local_ip \ dstid web01.domain.org \ psk thepsk ikev2 "KBDB" \ passive ipcomp esp \ from $local_net to 10.34.34.0/27 \ local $local_ip \ peer C.D.65.237 \ ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \ childsa auth hmac-sha2-256 enc aes-256 group modp2048 \ srcid $local_ip \ dstid db01.domain.org \ psk thepsk ### Now, I am adding a third connection, using certificates (presumably): ## user "igor" "thepassword" ikev2 "roaming" \ passive esp \ from $local_net to 192.168.200.0/26 \ local $local_ip \ peer any \ eap "mschap-v2" \ config address 192.168.200.1 \ tag "$name-$id" ## This results in the first 2 connections never working anymore: ikev2_msg_auth: responder auth data length 525 ikev2_msg_auth: initiator auth data length 488 ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE ikev2_msg_authverify: authentication successful sa_state: AUTH_REQUEST -> AUTH_SUCCESS sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid) ikev2_sa_negotiate: score 4 sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid) sa_stateok: VALID flags 0x0038, require 0x0079 cert,auth,authvalid,sa,eapvalid sa_state: cannot switch: AUTH_SUCCESS -> VALID ikev2_ike_auth: no CERTREQ, using default ikev2_policy2id: srcid IPV4/A.B.1.153 length 8 sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid) config_free_proposals: free 0x23ee58d3f80 ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com ca_x509_subjectaltname: unsupported subjectAltName type 34 ca_getreq: found CA /C=US/ST=New Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com ca_getreq: no valid local certificate found ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi 0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0 ikev2_dispatch_cert: cert type NONE length 0, ignored As a side note, the certificate does contain several subjectAltName's: X509v3 Subject Alternative Name: DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com, DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com, DNS:vpn.dom.com, DNS:pbx.dom.com As soon as the third section is commented out, and iked restarted, the first two connections come back up. Please help. Many thanks, - Igor
Re: Sad story
On 5 June 2017 at 16:27, Raul Millerwrote: > On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogie wrote: >> On 5 June 2017 at 16:16, Mihai Popescu wrote: >>> >>> Bytheway, I am using marc.info to read list, has anyone an idea about >>> why some emails are presented like a long ASCII stream without sense? >>> Much like: >>> >>> http://marc.info/?l=openbsd-misc=149656895018721=2 >> >> It's base64 encoded.: >> >> Maybe the mail client of the poster did something weird. > > I didn't see anything unusual in the mail headers on that message. Did you? > What about this? Content-Transfer-Encoding: base64 Content-Type: text/plain; charset=UTF-8 X-Content-Discarded: text/html If you look at "show original" in gmail, it'll also show the body as base64. > Thanks, > > -- > Raul -- --- inum: 883510009027723 sip: jungleboo...@sip2sip.info
Re: Sad story
On Mon, Jun 5, 2017 at 7:22 PM, jungle Boogiewrote: > On 5 June 2017 at 16:16, Mihai Popescu wrote: >> >> Bytheway, I am using marc.info to read list, has anyone an idea about >> why some emails are presented like a long ASCII stream without sense? >> Much like: >> >> http://marc.info/?l=openbsd-misc=149656895018721=2 > > It's base64 encoded.: > > Maybe the mail client of the poster did something weird. I didn't see anything unusual in the mail headers on that message. Did you? Thanks, -- Raul
Re: Sad story
On Mon, Jun 5, 2017 at 7:16 PM, Mihai Popescuwrote: >> So many documents will be lost > > There is an analysys about one's documents on the internet, something > like 10% are files you will not ever need, 20% are files that you will > never use, and so on. > > Bytheway, I am using marc.info to read list, has anyone an idea about > why some emails are presented like a long ASCII stream without sense? > Much like: > > http://marc.info/?l=openbsd-misc=149656895018721=2 I do not know why marc.info did not handle the base64 decode, but if you want to read that message, you can paste the body into https://www.base64decode.org/ and then hit the decode button. Or, you could use b64decode. -- Raul
Re: Sad story
On 5 June 2017 at 16:16, Mihai Popescuwrote: > > Bytheway, I am using marc.info to read list, has anyone an idea about > why some emails are presented like a long ASCII stream without sense? > Much like: > > http://marc.info/?l=openbsd-misc=149656895018721=2 It's base64 encoded.: Maybe the mail client of the poster did something weird. -- --- inum: 883510009027723 sip: jungleboo...@sip2sip.info
Re: Sad story
> So many documents will be lost There is an analysys about one's documents on the internet, something like 10% are files you will not ever need, 20% are files that you will never use, and so on. Bytheway, I am using marc.info to read list, has anyone an idea about why some emails are presented like a long ASCII stream without sense? Much like: http://marc.info/?l=openbsd-misc=149656895018721=2
Re: Can I bind USB/other interface/device number (e.g. cdceX) to particular MAC, USB serial number or the like?
On 06/04/17 19:09, Kevin Chadwick wrote: fxp0,1,2 are in order of pci slot. I assume usbs are the same after boot so anyone who unplugs and plugs devices and doesn't check the outcome on critical hardware deserves what they get. Also having critical hardware that can be physically damaged is also asking for trouble, so I cannot see an issue at all?? I've seen more than one instance where a critical system has to add an interface on the fly to either (a) replace a failing interface while maintaining traffic on all the other interfaces or (b) add an interface when all installed ports are busy. Saying "you shouldn't do that" or "why would you want to do that" shows lack of real-world experience. That said, I agree that the Linux solution is bad. OpenBSD reports hardware during boot and new hardware with kernel messages. Using that information to configure the appropriate daemons and utilities is the right solution. Geoff Steckel
Re: Sad story
Then the backup was restored, and they all lived happily ever after. :) On Mon, 5 Jun 2017 12:14:51 +0200 "L. R. S."wrote: > Forgot the passphrase of a full-disk encrypted OpenBSD system ;_; > So many documents will be lost, like [coughs] accesses to NULL. > > > --luiz r. >
Re: Sad story
On 13:37 Mon 05 Jun, Ingo Schwarze wrote: > L. R. S. wrote on Mon, Jun 05, 2017 at 12:14:51PM +0200: > > > Forgot the passphrase of a full-disk encrypted OpenBSD system ;_; > > So many documents will be lost, like [coughs] accesses to NULL. > > Simply restore from backup. There are two types of system administrators...
Re: Sad story
L. R. S. wrote on Mon, Jun 05, 2017 at 12:14:51PM +0200: > Forgot the passphrase of a full-disk encrypted OpenBSD system ;_; > So many documents will be lost, like [coughs] accesses to NULL. Simply restore from backup. Or is that sad part of your story that your enemy stole that, the night before you forgot the passphrase, and it was unencrypted? SCNR, Ingo
Sad story
Forgot the passphrase of a full-disk encrypted OpenBSD system ;_; So many documents will be lost, like [coughs] accesses to NULL. --luiz r.
Re: SNMP OID for free memory
On 2017-06-04, mabiwrote: > Hi, > > I am using OpenBSD 6.1 the the Net-SNMP port in order to monitor the system > resources. I don't seem to find any OID for the free memory and was wondering > if this information is simply not made available in SNMP. Doing an snmpwalk > on the HOST-RESOURCES MIB for memory shows the following avaialble OIDs > related to memory: Don't use net-snmp's snmpd on OpenBSD without a very good reason, use snmpd from the base OS. > HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory > HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory > HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory > HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory > HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory > HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space > HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: / > > Any idea where the the free memory info would be hiding? Whichever of the hrStorageUsed oids that relates to the memory you're interested in, e.g. given the list above it would be hrStorageUsed.1 for physical memory. Multiply it by the same-numbered hrStorageSize. Here's an example from the base OS's snmpd, using snmptable to pull in the relevant oids for the whole table and format the display. $ snmptable -v2c -c public 127.0.0.1 hrStorageTable SNMP table: HOST-RESOURCES-MIB::hrStorageTable hrStorageIndexhrStorageType hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures 1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory 4096 Bytes 2069645 1468114 0 2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory 4096 Bytes 2082986 1481455 0 10 HOST-RESOURCES-MIB::hrStorageTypes.3 Swap space 4096 Bytes 1572863 0 0 31 HOST-RESOURCES-MIB::hrStorageTypes.4 / 4096 Bytes520119 37923 0 32 HOST-RESOURCES-MIB::hrStorageTypes.4 /data 4096 Bytes 8254103 2292580 0 33 HOST-RESOURCES-MIB::hrStorageTypes.4 /home 4096 Bytes 31930799 10749150 0 34 HOST-RESOURCES-MIB::hrStorageTypes.4/usr 4096 Bytes 1546599132582 0 35 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/X11R6 4096 Bytes 1028871 48383 0 36 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/local 4096 Bytes 8254103 4240627 0 37 HOST-RESOURCES-MIB::hrStorageTypes.4/usr/src 4096 Bytes 1028871271331 0 38 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/ports 4096 Bytes 2061047523465 0 39 HOST-RESOURCES-MIB::hrStorageTypes.4/usr/obj 4096 Bytes 12382807 1816114 0 40 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/xenocara 4096 Bytes516007179230 0 41 HOST-RESOURCES-MIB::hrStorageTypes.4/var 4096 Bytes 8254103879286 0 42 HOST-RESOURCES-MIB::hrStorageTypes.4/distsrc 4096 Bytes 38701655 28351200 0 43 HOST-RESOURCES-MIB::hrStorageTypes.4/var/www 4096 Bytes 4125399660222 0 44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub 512 Bytes20976693603955189904 0 45 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Multimedia 512 Bytes20976693603955189904 0 46 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Download 512 Bytes20976693603955189904 0 47 HOST-RESOURCES-MIB::hrStorageTypes.4/y/homes 512 Bytes20976693603955189904 0 > I found a script called check_snmp_openbsd.py > (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py) > where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free > memory but when I do an snmpget on my OpenBSD box this OID is not available. I might have
"groups in groups" with pf tables
Hi, With other firewall products I like to use groups that contain groups. In pf I like working with tables. Tables can be negated and rules with tables are faster than ones with long lists. I tried to use something like this: $ cat pf-examples.conf host_a1 = "192.168.10.11" host_a2 = "192.168.10.12" a_hosts = $host_a1 $host_a2 host_b1 = "192.168.20.11" host_b2 = "192.168.20.12" b_hosts = $host_b1 $host_b2 net_c1 = "192.168.30.0/24" net_c2 = "192.168.31.0/24" c_hosts = $net_c1 $net_c2 table { $a_hosts $b_hosts } table { $a_hosts $b_hosts $c_hosts } block log pass log from to any pass log inet proto icmp from to any Unfortunately this does not work with macros containing subnets. $ pfctl -nf pf-examples.conf pf-examples.conf:11: syntax error pf-examples.conf:14: macro 'c_hosts' not defined pf-examples.conf:14: syntax error $ Do I miss something regarding the syntax? Are there other approaches to reach my goal? Thanks, Remi