IPSec Flow and SA to unexpected subnet

[Paul Suh]

Folks, 

I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, 
something I've done many times before. The other end is a Sonicwall NSA 4500, 
which I've used as an endpoint before as well. My ipsec.conf file is: 

> ike active esp \
> from 192.168.144.0/24 \
> to {   10.101.0.0/16, \
> 10.102.0.0/16, \
> 10.103.0.0/16, \
> 10.104.0.0/16, \
> 172.27.199.0/24 } \
> peer [Sonicwall IP] \
> main \
> auth hmac-sha1 \
> enc aes-128 \
> group modp2048 \
> lifetime 28800 \
> quick \
> auth hmac-sha1 \
> enc aes-128 \
> group modp2048 \
> lifetime 28800 \
> psk [PSK redacted]

However, the output of ipsecctl -s flow is: 

> # ipsecctl -s flow
>
> FLOWS:
> flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.104.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> * flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 
> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> * flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66 
> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 172.27.199.0/24 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 172.27.199.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.101.0.0/16 peer 65.75.99.66 srcid 
> 24.51.107.65/32 dstid 65.75.99.66/32 type require

Note the two starred flows that are not listed in my ipsec.conf configuration. 
The 172.16.0.0/16 subnet does exist on the Sonicwall end, and I'm pretty sure 
that the Sonicwall is requesting that a flow be set up for that subnet. 
However, I would think that my OpenBSD router would not create that flow since 
it's not in my ipsec.conf. 

Any ideas why it's being created anyway? I won't be in a position to see if the 
flow is really live until tomorrow morning. 


--Paul

Re: Image viewer alternative to eog

[x9p]

Thank you all for the inputs. feh suited best. lots of command line
options, folder slideshow and option to specify geometry was a big plus.

cheers.

x9p

>
> On 25/11/17 20:51, x9p wrote:
>> Hi,
>>
>> Is there a good/safe and light image viewer? Was used to eog, but it has
>> too many "vfprintf %s NULL" in messages. gimp is too big and good for
>> play
>> with images, In need of smth fast.
>>
>> cheers.
>>
>> x9p
>>
>
>

Re: Image viewer alternative to eog

[Noth]

geeqie is nice and old school.


On 25/11/17 20:51, x9p wrote:

Hi,

Is there a good/safe and light image viewer? Was used to eog, but it has
too many "vfprintf %s NULL" in messages. gimp is too big and good for play
with images, In need of smth fast.

cheers.

x9p

Re: Testing IKEv2 with Android devices

[C. L. Martinez]

On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote:
> Hi all,
> 
>  I am testing IKEv2 for Android roadwarriors clients ... I have done a very 
> basic config:
> 
> ikev2 "roadwarriors" passive esp \
> from 0.0.0.0/0 to 172.22.55.0/27 \
> peer any \
> config name-server 172.22.55.1 \
> psk "stargazer"
> 
>  Launching "iked -dvv" returns me:
> 
> ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 
> 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
> ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x
> ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
> ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 652 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 
> xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id 
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group  reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x 
> 172.17.35.20:500
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
> encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x 
> 172.17.35.9:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA1 (1)
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x, require 0x 
> sa_stateflags: 0x -> 0x0020 sa (required 0x )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.9:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.20:500
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type RSA_KEY length 1
> ikev2_next_payload: length 5 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 

Testing IKEv2 with Android devices

[C. L. Martinez]

Hi all,

 I am testing IKEv2 for Android roadwarriors clients ... I have done a very 
basic config:

ikev2 "roadwarriors" passive esp \
from 0.0.0.0/0 to 172.22.55.0/27 \
peer any \
config name-server 172.22.55.1 \
psk "stargazer"

 Launching "iked -dvv" returns me:

ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 
172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x
ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 652 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 
xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id 
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group  reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x 
172.17.35.20:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x 
172.17.35.9:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x 
sa_stateflags: 0x -> 0x0020 sa (required 0x )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb 
172.17.35.9:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb 
172.17.35.20:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 451 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id 

Re: Image viewer alternative to eog

[Mihai Popescu]

gqview

Re: Image viewer alternative to eog

[Jens John]

On Sat, Nov 25, 2017 at 10:44:34PM +0100, Solène Rapenne wrote:
> I would recommend sxiv

I second sxiv.

However on displays with high or even highish DPI I find it difficult to
deal with the limited number of predefined zoom levels for images and
thumbnails, which is why I recommend adjusting/extending zoom_levels and
thumb_sizes in config.h to accommodate such displays.

Re: Image viewer alternative to eog

[Riccardo Mottola]

Hi there,


On 25/11/2017 20:51, x9p wrote:

Is there a good/safe and light image viewer? Was used to eog, but it has
too many "vfprintf %s NULL" in messages. gimp is too big and good for play
with images, In need of smth fast.


I use LaternaMagica for that, small, single-window with list and has 
handy functions for exporting and resizing if needed.

I should know, I wrote it :) Latest version is even in ports!
But you may like or may not that it is in GNUstep.

Riccardo

FU: RE: Hellos from the Lands of Norway.

[leo_tck]

I wrote:

> "Sterling Archer"  wrote:

which sould've been:

> "Ywe Cærlyn"  wrote:

But /thread, really.

 --schaafuit.

links to mdocml.bsd.lv

[Jan Stary]

The links to gmdiff and others in specialtopics#Mandoc
still seem to point to "mdocml.bsd.lv" instead of
mandoc's own "mandoc.bsd.lv" domain.

Jan


--- specialtopics.html.orig Sun Nov 26 12:41:11 2017
+++ specialtopics.html  Sun Nov 26 12:59:50 2017
@@ -1002,7 +1002,7 @@ $ doas make install
 
 
 Optionally, you may also get a copy of the
-http://mdocml.bsd.lv/cgi-bin/cvsweb/gmdiff?cvsroot=mdocml;>gmdiff
+http://mandoc.bsd.lv/cgi-bin/cvsweb/gmdiff;>gmdiff
 utility script that helps to compare groff and mandoc output.
 The gmdiff script is not strictly required, doing the necessary checks by hand
 is perfectly acceptable.
@@ -1123,7 +1123,7 @@ If there are no errors, but mandoc output has minor is
 hinder the user when reading the manual, you are welcome to report these
 issues as well.
 In that case, you are even more welcome to first check the mandoc
-http://mdocml.bsd.lv/cgi-bin/cvsweb/TODO?cvsroot=mdocml;>TODO
+http://mandoc.bsd.lv/cgi-bin/cvsweb/TODO;>TODO
 list, to avoid having the same minor issues reported again and again -
 but in case of doubt, it is always better to report dupes than to let
 problems go unnoticed.
@@ -1140,7 +1140,7 @@ particular to identify and remove bogus mandoc errors 
 To speed up the manual checks, in particular if you are often doing mandoc
 checks on OpenBSD ports, and to reduce the risk of overlooking problems,
 consider using the 
-http://mdocml.bsd.lv/cgi-bin/cvsweb/gmdiff?cvsroot=mdocml;>gmdiff
+http://mandoc.bsd.lv/cgi-bin/cvsweb/gmdiff;>gmdiff
 utility script.
 It takes the file names of an arbitrary number of manual source files as
 arguments, runs both groff and mandoc on all the files in turn, and compares