Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread Otto Moerbeek
On Tue, Jun 06, 2017 at 03:53:10PM -0400, mabi wrote:

> Fantastic, that was an easy one. Somehow I missed that from the OpenBSD FAQ, 
> must have skimmed it too fast...
> 
> So I guess here that I can have my IPv4 default gw and IPv6 default gw both 
> on two different lines in the /etc/mygate file.

No guessing needed, see man mygate, it's all there

-Otto

> 
>  Original Message 
> Subject: Re: /etc/mygate equivalent for IPv6?
> Local Time: June 6, 2017 9:50 PM
> UTC Time: June 6, 2017 7:50 PM
> From: knight@gmail.com
> To: Janne Johansson 
> mabi , openbsd-misc 
> 
> for example:
> 
> fe80::1%carp0
> 
> :)
> 
> 2017-06-06 16:48 GMT-03:00 Janne Johansson :
> Just add the ipv6 gw ip to /etc/mygate.
> 
> 2017-06-06 21:45 GMT+02:00 mabi :
> 
> > Hi,
> >
> > What is the "standard" approach for adding an IPv6 default gateway to an
> > OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
> > route?
> >
> > There is no /etc/mygate6 file, so for now I manually run:
> >
> > route -n add -inet6 default 
> >
> > Regards,
> > Mabi
> 
> --
> May the most significant bit of your life be positive.
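
Added example, not from the thread or from OpenBSD's own /etc/netstart: a dry-run reader for /etc/mygate that follows mygate(5) (one gateway per line, '#' comments, a line containing a colon is the IPv6 gateway, anything else the IPv4 one), so it shows why the two gateways just go on two lines of the same file. The exact route(8) invocation it prints is an assumption about what netstart runs, and the sample file is constructed.

```sh
#!/bin/sh
# Dry-run reader for /etc/mygate per mygate(5). Nothing here touches the
# routing table; mygate_plan only prints what netstart would run
# (assumed form of the route(8) command).

# Comment and blank-line stripping, as netstart's stripcom() does.
mygate_entries() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# One route(8) command per entry; a colon marks an IPv6 gateway.
# netstart stops at the first gateway per family that the kernel accepts.
mygate_plan() {
    for gw in $(mygate_entries "$1"); do
        case $gw in
            *:*) echo "route -qn add -host -inet6 default $gw" ;;
            *)   echo "route -qn add -host -inet default $gw" ;;
        esac
    done
}

# Checks worth running before the next reboot depends on the file: a
# link-local IPv6 gateway (fe80::/10) is ambiguous without an interface
# scope such as fe80::1%carp0, because the same address can exist on every
# link. Prints a finding per problem and returns 1 if any was found.
mygate_check() {
    rc=0 v4=0 v6=0
    for gw in $(mygate_entries "$1"); do
        case $gw in
            [Ff][Ee][89AaBb]?:*)
                v6=$((v6 + 1))
                case $gw in
                    *%?*) ;;
                    *) echo "link-local IPv6 gateway without %scope: $gw"; rc=1 ;;
                esac ;;
            *:*) v6=$((v6 + 1)) ;;
            *)   v4=$((v4 + 1)) ;;
        esac
    done
    echo "IPv4 gateways: $v4, IPv6 gateways: $v6"
    return $rc
}

# Constructed sample file (documentation addresses, not a real host).
mygate_sample() {
    cat > "$1" <<'EOF'
# /etc/mygate: default gateways, one per line
192.0.2.1
fe80::1%carp0   # IPv6 next hop is link-local, so it carries the scope
EOF
}
```

Run `mygate_plan /etc/mygate` to see what the boot will do, and `mygate_check /etc/mygate` before rebooting a box you only reach over the network.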



Re: SNMP OID for free memory

2017-06-06 Thread Stuart Henderson
On 2017-06-06, mabi  wrote:
> Thanks Stuart for your input. In the past I used the snmp daemon which comes 
> with OpenBSD but I vaguely remember that some OID for my cacti graphs was 
> missing so I switched to Net-SNMP which had this information. Can't remember 
> though which OID that was and that was already a few years ago.
>
> As you suggest I will give snmpd a shot again and see how it goes.
>
> Regarding the script I was mentioning 
> (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
>  have a look at line 51, there is the OID there for the free memory but in my 
> setup it simply does not exist so I wonder where he got that OID from...

It's in the dictionary on that line, but nothing else in the file refers
to it.



Re: nc in inetd - under which account?

2017-06-06 Thread Stuart Henderson
On 2017-06-06, Marko Cupać  wrote:
> Hi,
>
> For a few years I have been running nc from inetd together with pf
> redirect rules to reach LAN servers via their public IP addresses from
> LAN:
>
> # cat /etc/inetd.conf
> 127.0.0.1:20080 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 80
> 127.0.0.1:20443 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 443
>
> Now that proxy user is gone in 6.1, what would be appropriate account to
> run nc under? Is nobody OK? Something else?
>
> Or is there a better way to accomplish this?

There's no need to do this in userland, a combination of nat-to and
rdr-to works fine for this. Check faq/pf/rdr.html if you need hints.
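
Added example, not from the thread or the OpenBSD FAQ itself: a small shell helper that emits the pf rules for the case Stuart describes, so the relay never leaves the kernel's forwarding path and there is no userland process, and therefore no account, to choose at all. The rule shape is adapted from the redirection-and-reflection part of faq/pf/rdr.html; the interface and addresses are placeholders, and the output should be checked with pfctl -nf before it goes anywhere near a live ruleset.

```sh
#!/bin/sh
# Generate pf.conf lines so that a LAN client can reach a LAN server through
# the server's public address. Two rewrites are needed: rdr-to changes the
# destination to the private address; nat-to changes the source to the
# firewall's LAN address, because client and server are on the same LAN
# and the server would otherwise reply to the client directly, which then
# sees an answer from an address it never talked to and drops it.
#
# hairpin_rules LAN_IF LAN_NET PUBLIC_IP PRIVATE_IP PORT...
hairpin_rules() {
    lan_if=$1 lan_net=$2 pub_ip=$3 priv_ip=$4
    shift 4
    ports=$(printf '%s, ' "$@")
    ports="{ ${ports%, } }"
    cat <<EOF
pass in on $lan_if proto tcp from $lan_net to $pub_ip port $ports rdr-to $priv_ip
match out on $lan_if proto tcp to $priv_ip port $ports received-on $lan_if nat-to $lan_if
EOF
}

# Syntax-check the generated rules without touching the running ruleset,
# then load them into an anchor of their own (assumes pf is enabled and an
# "anchor hairpin" line exists in /etc/pf.conf).
hairpin_load() {
    rules=$(hairpin_rules "$@")
    printf '%s\n' "$rules" | pfctl -nf - || return 1
    printf '%s\n' "$rules" | pfctl -a hairpin -f -
}
```

`hairpin_rules em1 192.168.1.0/24 203.0.113.5 192.168.1.40 80 443` prints the two rules for the web ports; `hairpin_load` with the same arguments loads them. Compared with the inetd+nc approach, nothing in userland ever holds the payload, so there is no process that a same-uid compromise could read from.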




Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread R0me0 ***
That's it: magic puffer fish


2017-06-06 16:53 GMT-03:00 mabi :

> Fantastic, that was an easy one. Somehow I missed that from the OpenBSD
> FAQ, must have skimmed it too fast...
>
> So I guess here that I can have my IPv4 default gw and IPv6 default gw
> both on two different lines in the /etc/mygate file.
>
>
>
>  Original Message 
> Subject: Re: /etc/mygate equivalent for IPv6?
> Local Time: June 6, 2017 9:50 PM
> UTC Time: June 6, 2017 7:50 PM
> From: knight@gmail.com
> To: Janne Johansson 
> mabi , openbsd-misc 
>
> for example:
>
> fe80::1%carp0
>
> :)
>
> 2017-06-06 16:48 GMT-03:00 Janne Johansson :
>
>> Just add the ipv6 gw ip to /etc/mygate.
>>
>>
>>
>> 2017-06-06 21:45 GMT+02:00 mabi :
>>
>> > Hi,
>> >
>> > What is the "standard" approach for adding an IPv6 default gateway to an
>> > OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
>> > route?
>> >
>> > There is no /etc/mygate6 file, so for now I manually run:
>> >
>> > route -n add -inet6 default 
>> >
>> > Regards,
>> > Mabi
>>
>>
>>
>>
>> --
>> May the most significant bit of your life be positive.
>>
>
>


Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread mabi
Fantastic, that was an easy one. Somehow I missed that from the OpenBSD FAQ, 
must have skimmed it too fast...

So I guess here that I can have my IPv4 default gw and IPv6 default gw both on 
two different lines in the /etc/mygate file.

 Original Message 
Subject: Re: /etc/mygate equivalent for IPv6?
Local Time: June 6, 2017 9:50 PM
UTC Time: June 6, 2017 7:50 PM
From: knight@gmail.com
To: Janne Johansson 
mabi , openbsd-misc 

for example:

fe80::1%carp0

:)

2017-06-06 16:48 GMT-03:00 Janne Johansson :
Just add the ipv6 gw ip to /etc/mygate.

2017-06-06 21:45 GMT+02:00 mabi :

> Hi,
>
> What is the "standard" approach for adding an IPv6 default gateway to an
> OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
> route?
>
> There is no /etc/mygate6 file, so for now I manually run:
>
> route -n add -inet6 default 
>
> Regards,
> Mabi

--
May the most significant bit of your life be positive.

Re: SNMP OID for free memory

2017-06-06 Thread mabi
Thanks Stuart for your input. In the past I used the snmp daemon which comes 
with OpenBSD but I vaguely remember that some OID for my cacti graphs was 
missing so I switched to Net-SNMP which had this information. Can't remember 
though which OID that was and that was already a few years ago.

As you suggest I will give snmpd a shot again and see how it goes.

Regarding the script I was mentioning 
(https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
 have a look at line 51, there is the OID there for the free memory but in my 
setup it simply does not exist so I wonder where he got that OID from...

Regards,
M.

 Original Message 
Subject: Re: SNMP OID for free memory
Local Time: June 5, 2017 9:46 AM
UTC Time: June 5, 2017 7:46 AM
From: s...@spacehopper.org
To: misc@openbsd.org

On 2017-06-04, mabi  wrote:
> Hi,
>
> I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system 
> resources. I don't seem to find any OID for the free memory and was wondering 
> if this information is simply not made available in SNMP. Doing an snmpwalk 
> on the HOST-RESOURCES MIB for memory shows the following available OIDs 
> related to memory:

Don't use net-snmp's snmpd on OpenBSD without a very good reason,
use snmpd from the base OS.

> HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
> HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
> HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
> HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
> HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
>
> Any idea where the the free memory info would be hiding?

Whichever of the hrStorageUsed OIDs relates to the memory you're
interested in; e.g. given the list above it would be hrStorageUsed.1 for
physical memory. Multiply it by the same-numbered hrStorageSize.

Here's an example from the base OS's snmpd, using snmptable to pull in
the relevant oids for the whole table and format the display.

$ snmptable -v2c -c public 127.0.0.1 hrStorageTable
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

hrStorageIndex hrStorageType hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory 4096 Bytes 2069645 1468114 0
2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory 4096 Bytes 2082986 1481455 0
10 HOST-RESOURCES-MIB::hrStorageTypes.3 Swap space 4096 Bytes 1572863 0 0
31 HOST-RESOURCES-MIB::hrStorageTypes.4 / 4096 Bytes 520119 37923 0
32 HOST-RESOURCES-MIB::hrStorageTypes.4 /data 4096 Bytes 8254103 2292580 0
33 HOST-RESOURCES-MIB::hrStorageTypes.4 /home 4096 Bytes 31930799 10749150 0
34 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr 4096 Bytes 1546599 132582 0
35 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/X11R6 4096 Bytes 1028871 48383 0
36 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/local 4096 Bytes 8254103 4240627 0
37 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/src 4096 Bytes 1028871 271331 0
38 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/ports 4096 Bytes 2061047 523465 0
39 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/obj 4096 Bytes 12382807 1816114 0
40 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/xenocara 4096 Bytes 516007 179230 0
41 HOST-RESOURCES-MIB::hrStorageTypes.4 /var 4096 Bytes 8254103 879286 0
42 HOST-RESOURCES-MIB::hrStorageTypes.4 /distsrc 4096 Bytes 38701655 28351200 0
43 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www 4096 Bytes 4125399 660222 0
44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub 512 Bytes 2097669360 3955189904 0
45 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Multimedia 512 Bytes 2097669360 3955189904 0
46 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Download 512 Bytes 2097669360 3955189904 0
47 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/homes 512 Bytes 2097669360 3955189904 0

> I found a script called check_snmp_openbsd.py 
> (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
>  where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free 
> memory but when I do an snmpget on my OpenBSD box this OID is not available.

I might have missed something but I don't see it actually using that
mem_free definition.
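
Added example, not from Stuart's message or from either snmpd: a shell/awk filter that turns the hrStorageTable above into free-space figures. In HOST-RESOURCES-MIB, hrStorageSize and hrStorageUsed are counts of hrStorageAllocationUnits-sized blocks, so free bytes for a row are (Size - Used) * AllocationUnits. Both counters are 32-bit objects, which is what the four 512-byte-unit rows at the bottom of the listing are showing: Used is larger than Size, which no real volume can have, so those rows have wrapped and a monitoring script should refuse to graph them instead of producing a negative "free". The filter expects the delimited layout `snmptable -Cf '|'` produces; the sample below is hand-built in that layout from the values in the listing.

```sh
#!/bin/sh
# hr_free: free bytes per hrStorage row from snmptable output.
# Input: the delimited form of
#     snmptable -v2c -c public -Cf '|' 127.0.0.1 hrStorageTable
# Columns: Index|Type|Descr|AllocationUnits|Size|Used|AllocationFailures
# Output: "<descr>\t<free bytes>" or "<descr>\tOVERFLOW ..." per row.
hr_free() {
    awk -F'|' '
        NF < 6 || $1 !~ /^[0-9]+$/ { next }   # skip banner, header, blanks
        {
            units = $4 + 0; size = $5 + 0; used = $6 + 0   # "4096 Bytes" -> 4096
            desc = $3; gsub(/^ +| +$/, "", desc)
            if (used > size) {
                # Size/Used are 32-bit objects; a row where Used exceeds
                # Size has wrapped and must not be turned into a number.
                printf "%s\tOVERFLOW (used %.0f > size %.0f, %d-byte units)\n",
                       desc, used, size, units
                next
            }
            printf "%s\t%.0f\n", desc, (size - used) * units
        }'
}

# hr_free_of DESCR: free bytes for one row, e.g. "Physical memory" or "/".
hr_free_of() {
    hr_free | awk -F'\t' -v want="$1" '$1 == want { print $2; exit }'
}

# Constructed sample in the delimited layout; the numbers are taken from
# the snmptable listing quoted above, not captured from a live host.
hr_sample() {
    cat <<'EOF'
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

hrStorageIndex|hrStorageType|hrStorageDescr|hrStorageAllocationUnits|hrStorageSize|hrStorageUsed|hrStorageAllocationFailures
1|HOST-RESOURCES-MIB::hrStorageTypes.2|Physical memory|4096 Bytes|2069645|1468114|0
2|HOST-RESOURCES-MIB::hrStorageTypes.2|Real memory|4096 Bytes|2082986|1481455|0
10|HOST-RESOURCES-MIB::hrStorageTypes.3|Swap space|4096 Bytes|1572863|0|0
31|HOST-RESOURCES-MIB::hrStorageTypes.4|/|4096 Bytes|520119|37923|0
44|HOST-RESOURCES-MIB::hrStorageTypes.4|/var/www/htdocs/pub|512 Bytes|2097669360|3955189904|0
EOF
}
```

On a live box: `snmptable -v2c -c public -Cf '|' 127.0.0.1 hrStorageTable | hr_free_of 'Physical memory'` gives the figure the Nagios plugin was hunting for, without any vendor-specific OID.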

Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread R0me0 ***
for example:

fe80::1%carp0

:)

2017-06-06 16:48 GMT-03:00 Janne Johansson :

> Just add the ipv6 gw ip to /etc/mygate.
>
>
> 2017-06-06 21:45 GMT+02:00 mabi :
>
> > Hi,
> >
> > What is the "standard" approach for adding an IPv6 default gateway to an
> > OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
> > route?
> >
> > There is no /etc/mygate6 file, so for now I manually run:
> >
> > route -n add -inet6 default 
> >
> > Regards,
> > Mabi
>
>
>
>
> --
> May the most significant bit of your life be positive.
>


Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread Janne Johansson
Just add the ipv6 gw ip to /etc/mygate.


2017-06-06 21:45 GMT+02:00 mabi :

> Hi,
>
> What is the "standard" approach for adding an IPv6 default gateway to an
> OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
> route?
>
> There is no /etc/mygate6 file, so for now I manually run:
>
> route -n add -inet6 default 
>
> Regards,
> Mabi




-- 
May the most significant bit of your life be positive.


/etc/mygate equivalent for IPv6?

2017-06-06 Thread mabi
Hi,

What is the "standard" approach for adding an IPv6 default gateway to an 
OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default route?

There is no /etc/mygate6 file, so for now I manually run:

route -n add -inet6 default 

Regards,
Mabi

Re: nc in inetd - under which account?

2017-06-06 Thread Ax0n
Also, this seems like something that, depending on where the destination
servers are, could be handled easily with PF by itself, or with the help of
relayd, with a lot less hassle.

On Tue, Jun 6, 2017 at 11:23 AM, Maximilian Pichler  wrote:

> On Tue, Jun 6, 2017 at 11:06 AM, Marko Cupać  wrote:
> > On Tue, 06 Jun 2017 08:18:15 -0600
> > "Theo de Raadt"  wrote:
> >> Never reuse a user intended for another purpose.
> >>
> >> Take a glance at the ptrace manual page.
>
> > I have read the ptrace manual. But I guess I need to read much MUCH more if
> > I want to comprehend it :)
>
> I'm guessing the point here is that ptrace can be used to eavesdrop on
> processes of the same user id. So if the proxy user got compromised,
> an attacker could not just kill the nc processes, but also read the
> data they are forwarding.
>
>


Re: nc in inetd - under which account?

2017-06-06 Thread Maximilian Pichler
On Tue, Jun 6, 2017 at 11:06 AM, Marko Cupać  wrote:
> On Tue, 06 Jun 2017 08:18:15 -0600
> "Theo de Raadt"  wrote:
>> Never reuse a user intended for another purpose.
>>
>> Take a glance at the ptrace manual page.

> I have read the ptrace manual. But I guess I need to read much MUCH more if
> I want to comprehend it :)

I'm guessing the point here is that ptrace can be used to eavesdrop on
processes of the same user id. So if the proxy user got compromised,
an attacker could not just kill the nc processes, but also read the
data they are forwarding.



Re: another iked issue

2017-06-06 Thread Igor V. Gubenko
This indeed does help. Moved the policy to be the first. 

Thank you, 

- Igor 

On 2017-06-06 05:56, Zé Loff wrote:

> On Mon, Jun 05, 2017 at 07:50:01PM -0400, Igor V. Gubenko wrote: 
> 
>> Hello all,
>> 
>> I am continuing my assault on iked :)
>> 
>> Here is a perfectly working configuration that uses PSKs:
>> 
>> ###
>> 
>> local_ip = "A.B.1.153"
>> local_net = "172.16.0.0/20"
>> 
>> ikev2 "KBweb" \
>> passive ipcomp esp \
>> from $local_net to 10.33.33.0/27 \
>> local $local_ip \
>> peer C.D.65.236 \
>> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
>> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
>> srcid $local_ip \
>> dstid web01.domain.org \
>> psk thepsk
>> 
>> ikev2 "KBDB" \
>> passive ipcomp esp \
>> from $local_net to 10.34.34.0/27 \
>> local $local_ip \
>> peer C.D.65.237 \
>> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
>> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
>> srcid $local_ip \
>> dstid db01.domain.org \
>> psk thepsk
>> 
>> ###
>> 
>> Now, I am adding a third connection, using certificates (presumably):
>> 
>> ##
>> 
>> user "igor" "thepassword"
>> 
>> ikev2 "roaming" \
>> passive esp \
>> from $local_net to 192.168.200.0/26 \
>> local $local_ip \
>> peer any \
>> eap "mschap-v2" \
>> config address 192.168.200.1 \
>> tag "$name-$id"
>> 
>> ##
>> 
>> This results in the first 2 connections never working anymore:
>> 
>> ikev2_msg_auth: responder auth data length 525
>> ikev2_msg_auth: initiator auth data length 488
>> ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
>> ikev2_msg_authverify: authentication successful
>> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
>> sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079
>> cert,auth,authvalid,sa,eapvalid)
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079
>> cert,auth,authvalid,sa,eapvalid)
>> sa_stateok: VALID flags 0x0038, require 0x0079
>> cert,auth,authvalid,sa,eapvalid
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> ikev2_ike_auth: no CERTREQ, using default
>> ikev2_policy2id: srcid IPV4/A.B.1.153 length 8
>> sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required
>> 0x0079 cert,auth,authvalid,sa,eapvalid)
>> config_free_proposals: free 0x23ee58d3f80
>> ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com
>> ca_x509_subjectaltname: unsupported subjectAltName type 34
>> ca_getreq: found CA /C=US/ST=New
>> Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com
>> ca_getreq: no valid local certificate found
>> ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi
>> 0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0
>> ikev2_dispatch_cert: cert type NONE length 0, ignored
>> 
>> As a side note, the certificate does contain several subjectAltNames:
>> 
>> X509v3 Subject Alternative Name:
>> DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com,
>> DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com,
>> DNS:vpn.dom.com, DNS:pbx.dom.com
>> 
>> As soon as the third section is commented out, and iked restarted, the
>> first two connections come back up.
>> 
>> Please help.
> 
> RTFM
> 
> From iked.conf(5):
> 
> For incoming connections from remote peers, the policies are evaluated
> in sequential order, from first to last.  The last matching policy
> decides what action is taken; if no policy matches the connection, the
> default action is to ignore the connection attempt or to use the
> default policy, if set.  Please also see the EXAMPLES section for a
> detailed example of the policy evaluation.
> 
> (...)
> 
> EXAMPLES
> 
> (...)
> 
> The following example illustrates the last matching policy evaluation
> for incoming connections on an IKEv2 gateway.  The peer 192.168.1.34
> will always match the first policy because of the quick keyword;
> connections from the peers 192.168.1.3 and 192.168.1.2 will be matched
> by one of the last two policies; any other connections from
> 192.168.1.0/24 will be matched by the 'subnet' policy; and any other
> connection will be matched by the 'catch all' policy.
> 
> ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \
> peer 192.168.1.34
> ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \
> peer any
> ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \
> peer 192.168.1.0/24
> ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
> ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
> 
> In summary you have a "last matching policy" and a "peer any" on the
> last rule.  Does it work if you move it upwards or add "quick" to the
> other rules?
> 
>> Many thanks,
>> 
>> - Igor
 



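Added example, a model in shell rather than iked code: the policy walk that iked.conf(5) describes and that Zé Loff quotes, applied to the man page ruleset and to Igor's ordering before and after his fix. Policies are tried first to last, the last one matching wins, and a match on a policy marked quick ends the walk. Only the peer address is compared (iked also weighs IDs, proposals and the other selectors; that is left out), the policy-file layout is invented for the model, and 198.51.100.x stands in for Igor's redacted peer addresses.

```sh
#!/bin/sh
# Model of iked policy selection for an incoming peer: last match wins,
# "quick" stops the walk. Peer address only; a simplification of iked.
#
# Policy file layout used by this model (not iked.conf syntax):
#   <peer: any | a.b.c.d | a.b.c.d/n>  <quick | ->  <policy name...>

ip2int() {  # dotted quad -> integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# peer_matches SPEC ADDR: succeeds if ADDR is covered by SPEC
peer_matches() {
    case $1 in
        any) return 0 ;;
        */*) net=${1%/*}; bits=${1#*/}
             if [ "$bits" -eq 0 ]; then mask=0
             else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
             [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# select_policy FILE ADDR: name of the policy that wins for ADDR
select_policy() {
    winner="(no policy: connection ignored)"
    while read -r peer flag name; do
        case $peer in '' | '#'*) continue ;; esac
        if peer_matches "$peer" "$2"; then
            winner=$name                     # later matches override earlier ones
            [ "$flag" = quick ] && break     # unless the match is quick
        fi
    done < "$1"
    echo "$winner"
}

# The iked.conf(5) EXAMPLES ruleset quoted above, in the model's layout.
policies_manpage() {
    cat > "$1" <<'EOF'
# peer            quick  name
192.168.1.34      quick  first (quick)
any               -      catch all
192.168.1.0/24    -      subnet
192.168.1.2       -      peer 192.168.1.2
192.168.1.3       -      peer 192.168.1.3
EOF
}

# Igor's original order: "roaming" (peer any) is last, so it is the last
# match for every peer and the two PSK policies never win.
policies_igor_before() {
    cat > "$1" <<'EOF'
198.51.100.236    -      KBweb
198.51.100.237    -      KBDB
any               -      roaming
EOF
}

# With "roaming" moved first, the specific peers match later and win;
# unknown peers still fall through to "roaming".
policies_igor_after() {
    cat > "$1" <<'EOF'
any               -      roaming
198.51.100.236    -      KBweb
198.51.100.237    -      KBDB
EOF
}
```

`select_policy FILE 198.51.100.236` prints `roaming` for the first ordering and `KBweb` for the second, which is the whole of the bug Igor hit: the catch-all was in the position that iked evaluates last.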
Re: nc in inetd - under which account?

2017-06-06 Thread Marko Cupać
On Tue, 06 Jun 2017 08:18:15 -0600
"Theo de Raadt"  wrote:

> > For a few years I have been running nc from inetd together with pf
> > redirect rules to reach LAN servers via their public IP addresses
> > from LAN:
> > 
> > # cat /etc/inetd.conf
> > 127.0.0.1:20080 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 80
> > 127.0.0.1:20443 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 443
> > 
> > Now that proxy user is gone in 6.1, what would be appropriate
> > account to run nc under? Is nobody OK? Something else?
> > 
> > Or is there a better way to accomplish this?  
> 
> A user of your own you create.
> 
> Never reuse a user intended for another purpose.
> 
> Take a glance at the ptrace manual page.
> 

Thank you for your help.

I created a dedicated user for this purpose, taking _ftp_proxy as a
starting point:

_nc_proxy:*:20080:20080::0:0:NC Proxy Daemon:/nonexistent:/sbin/nologin

I have read the ptrace manual. But I guess I need to read much MUCH more if
I want to comprehend it :)

Best regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: nc in inetd - under which account?

2017-06-06 Thread Theo de Raadt
> For a few years I have been running nc from inetd together with pf
> redirect rules to reach LAN servers via their public IP adresses from
> LAN:
> 
> # cat /etc/inetd.conf
> 127.0.0.1:20080 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 80
> 127.0.0.1:20443 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 443
> 
> Now that proxy user is gone in 6.1, what would be appropriate account to
> run nc under? Is nobody OK? Something else?
> 
> Or is there a better way to accomplish this?

A user of your own you create.

Never reuse a user intended for another purpose.

Take a glance at the ptrace manual page.



nc in inetd - under which account?

2017-06-06 Thread Marko Cupać
Hi,

For a few years I have been running nc from inetd together with pf
redirect rules to reach LAN servers via their public IP addresses from
LAN:

# cat /etc/inetd.conf
127.0.0.1:20080 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 80
127.0.0.1:20443 stream tcp nowait proxy /usr/bin/nc nc -w 20 PR.IV.AT.E 443

Now that proxy user is gone in 6.1, what would be appropriate account to
run nc under? Is nobody OK? Something else?

Or is there a better way to accomplish this?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: another iked issue

2017-06-06 Thread Zé Loff
On Mon, Jun 05, 2017 at 07:50:01PM -0400, Igor V. Gubenko wrote:
> Hello all,
> 
> I am continuing my assault on iked :)
> 
> Here is a perfectly working configuration that uses PSKs:
> 
> ###
> 
> local_ip = "A.B.1.153"
> local_net = "172.16.0.0/20"
> 
> ikev2 "KBweb" \
> passive ipcomp esp \
> from $local_net to 10.33.33.0/27 \
> local $local_ip \
> peer C.D.65.236 \
> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> srcid $local_ip \
> dstid web01.domain.org \
> psk thepsk
> 
> 
> ikev2 "KBDB" \
> passive ipcomp esp \
> from $local_net to 10.34.34.0/27 \
> local $local_ip \
> peer C.D.65.237 \
> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> srcid $local_ip \
> dstid db01.domain.org \
> psk thepsk
> 
> ###
> 
> Now, I am adding a third connection, using certificates (presumably):
> 
> ##
> 
> user "igor" "thepassword"
> 
> ikev2 "roaming" \
> passive esp \
> from $local_net to 192.168.200.0/26 \
> local $local_ip \
> peer any \
> eap "mschap-v2" \
> config address 192.168.200.1 \
> tag "$name-$id"
> 
> ##
> 
> 
> This results in the first 2 connections never working anymore:
> 
> ikev2_msg_auth: responder auth data length 525
> ikev2_msg_auth: initiator auth data length 488
> ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079
> cert,auth,authvalid,sa,eapvalid)
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079
> cert,auth,authvalid,sa,eapvalid)
> sa_stateok: VALID flags 0x0038, require 0x0079
> cert,auth,authvalid,sa,eapvalid
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_ike_auth: no CERTREQ, using default
> ikev2_policy2id: srcid IPV4/A.B.1.153 length 8
> sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required
> 0x0079 cert,auth,authvalid,sa,eapvalid)
> config_free_proposals: free 0x23ee58d3f80
> ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com
> ca_x509_subjectaltname: unsupported subjectAltName type 34
> ca_getreq: found CA /C=US/ST=New
> Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com
> ca_getreq: no valid local certificate found
> ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi
> 0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0
> ikev2_dispatch_cert: cert type NONE length 0, ignored
> 
> 
> As a side note, the certificate does contain several subjectAltNames:
> 
>  X509v3 Subject Alternative Name:
> DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com,
> DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com,
> DNS:vpn.dom.com, DNS:pbx.dom.com
> 
> 
> As soon as the third section is commented out, and iked restarted, the
> first two connections come back up.
> 
> 
> Please help.

RTFM

From iked.conf(5):


 For incoming connections from remote peers, the policies are evaluated
 in sequential order, from first to last.  The last matching policy
 decides what action is taken; if no policy matches the connection, the
 default action is to ignore the connection attempt or to use the
 default policy, if set.  Please also see the EXAMPLES section for a
 detailed example of the policy evaluation.

 (...)

 EXAMPLES

 (...)

 The following example illustrates the last matching policy evaluation
 for incoming connections on an IKEv2 gateway.  The peer 192.168.1.34
 will always match the first policy because of the quick keyword;
 connections from the peers 192.168.1.3 and 192.168.1.2 will be matched
 by one of the last two policies; any other connections from
 192.168.1.0/24 will be matched by the ‘subnet’ policy; and any other
 connection will be matched by the ‘catch all’ policy.

 ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \
 peer 192.168.1.34
 ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \
 peer any
 ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \
 peer 192.168.1.0/24
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3


In summary you have a "last matching policy" and a "peer any" on the
last rule.  Does it work if you move it upwards or add "quick" to the
other rules?

> 
> Many thanks,
> 
> - Igor
> 
> 
> 
