IPSec Flow and SA to unexpected subnet
Folks, I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, something I've done many times before. The other end is a Sonicwall NSA 4500, which I've used as an endpoint before as well. My ipsec.conf file is: > ike active esp \ > from 192.168.144.0/24 \ > to { 10.101.0.0/16, \ > 10.102.0.0/16, \ > 10.103.0.0/16, \ > 10.104.0.0/16, \ > 172.27.199.0/24 } \ > peer [Sonicwall IP] \ > main \ > auth hmac-sha1 \ > enc aes-128 \ > group modp2048 \ > lifetime 28800 \ > quick \ > auth hmac-sha1 \ > enc aes-128 \ > group modp2048 \ > lifetime 28800 \ > psk [PSK redacted] However, the output of ipsecctl -s flow is: > # ipsecctl -s flow > > FLOWS: > flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.103.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.103.0.16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.102.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.102.0.16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.104.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.104.0.0/16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.103.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.103.0.0/16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.102.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.102.0.0/16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > * flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 > srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use > * flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66 > srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 172.27.199.0/24 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 172.27.199.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require > flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type use > flow esp out from 192.168.144.0/24 to 10.101.0.0/16 peer 65.75.99.66 srcid > 24.51.107.65/32 dstid 65.75.99.66/32 type require Note the two starred flows that are not listed in my ipsec.conf configuration. The 172.16.0.0/16 subnet does exist on the Sonicwall end, and I'm pretty sure that the Sonicwall is requesting that a flow be set up for that subnet. However, I would think that my OpenBSD router would not create that flow since it's not in my ipsec.conf. Any ideas why it's being created anyway? I won't be in a position to see if the flow is really live until tomorrow morning. --Paul
Re: Image viewer alternative to eog
Thank you all for the inputs. feh suited best. lots of command line options, folder slideshow and option to specify geometry was a big plus. cheers. x9p > > On 25/11/17 20:51, x9p wrote: >> Hi, >> >> Is there a good/safe and light image viewer? Was used to eog, but it has >> too many "vfprintf %s NULL" in messages. gimp is too big and good for >> play >> with images, In need of smth fast. >> >> cheers. >> >> x9p >> > >
Re: Image viewer alternative to eog
geeqie is nice and old school. On 25/11/17 20:51, x9p wrote: Hi, Is there a good/safe and light image viewer? Was used to eog, but it has too many "vfprintf %s NULL" in messages. gimp is too big and good for play with images, In need of smth fast. cheers. x9p
Re: Testing IKEv2 with Android devices
On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote: > Hi all, > > I am testing IKEv2 for Android roadwarriors clients ... I have done a very > basic config: > > ikev2 "roadwarriors" passive esp \ > from 0.0.0.0/0 to 172.22.55.0/27 \ > peer any \ > config name-server 172.22.55.1 \ > psk "stargazer" > > Launching "iked -dvv" returns me: > > ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to > 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes > ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x > ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26 > ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 652 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244 > ikev2_pld_sa: more than one proposal specified > ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 > xforms 15 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 > ikev2_pld_ke: dh group reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x > 172.17.35.20:500 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP > encapsulation > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x > 172.17.35.9:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA1 (1) > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED > sa_state: INIT -> SA_INIT > ikev2_sa_negotiate: score 4 > sa_stateok: SA_INIT flags 0x, require 0x > sa_stateflags: 0x -> 0x0020 sa (required 0x ) > ikev2_sa_keys: SKEYSEED with 32 bytes > ikev2_sa_keys: S with 80 bytes > ikev2_prfplus: T1 with 32 bytes > ikev2_prfplus: T2 with 32 bytes > ikev2_prfplus: T3 with 32 bytes > ikev2_prfplus: T4 with 32 bytes > ikev2_prfplus: T5 with 32 bytes > ikev2_prfplus: T6 with 32 bytes > ikev2_prfplus: T7 with 32 bytes > ikev2_prfplus: Tn with 224 bytes > ikev2_sa_keys: SK_d with 32 bytes > ikev2_sa_keys: SK_ai with 32 bytes > ikev2_sa_keys: SK_ar with 32 bytes > ikev2_sa_keys: SK_ei with 32 bytes > ikev2_sa_keys: SK_er with 32 bytes > ikev2_sa_keys: SK_pi with 32 bytes > ikev2_sa_keys: SK_pr with 32 bytes > ikev2_add_proposals: length 44 > ikev2_next_payload: length 48 nextpayload KE > ikev2_next_payload: length 264 nextpayload NONCE > ikev2_next_payload: length 36 nextpayload NOTIFY > ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb > 172.17.35.9:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb > 172.17.35.20:500 > ikev2_next_payload: length 28 nextpayload CERTREQ > ikev2_add_certreq: type RSA_KEY length 1 > ikev2_next_payload: length 5 nextpayload NOTIFY > ikev2_next_payload: length 14 nextpayload NONE > ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb > nextpayload SA version 0x20 exchange IKE_SA_INIT flags
Testing IKEv2 with Android devices
Hi all, I am testing IKEv2 for Android roadwarriors clients ... I have done a very basic config: ikev2 "roadwarriors" passive esp \ from 0.0.0.0/0 to 172.22.55.0/27 \ peer any \ config name-server 172.22.55.1 \ psk "stargazer" Launching "iked -dvv" returns me: ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26 ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 652 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244 ikev2_pld_sa: more than one proposal specified ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 xforms 15 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x 172.17.35.20:500 ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x 172.17.35.9:500 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_pld_notify: signature hash SHA1 (1) ikev2_pld_notify: signature hash SHA2_256 (2) ikev2_pld_notify: signature hash SHA2_384 (3) ikev2_pld_notify: signature hash SHA2_512 (4) ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8 ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED sa_state: INIT -> SA_INIT ikev2_sa_negotiate: score 4 sa_stateok: SA_INIT flags 0x, require 0x sa_stateflags: 0x -> 0x0020 sa (required 0x ) ikev2_sa_keys: SKEYSEED with 32 bytes ikev2_sa_keys: S with 80 bytes ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: T5 with 32 bytes ikev2_prfplus: T6 with 32 bytes ikev2_prfplus: T7 with 32 bytes ikev2_prfplus: Tn with 224 bytes ikev2_sa_keys: SK_d with 32 bytes ikev2_sa_keys: SK_ai with 32 bytes ikev2_sa_keys: SK_ar with 32 bytes ikev2_sa_keys: SK_ei with 32 bytes ikev2_sa_keys: SK_er with 32 bytes ikev2_sa_keys: SK_pi with 32 bytes ikev2_sa_keys: SK_pr with 32 bytes ikev2_add_proposals: length 44 ikev2_next_payload: length 48 nextpayload KE ikev2_next_payload: length 264 nextpayload NONCE ikev2_next_payload: length 36 nextpayload NOTIFY ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb 172.17.35.9:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb 172.17.35.20:500 ikev2_next_payload: length 28 nextpayload CERTREQ ikev2_add_certreq: type RSA_KEY length 1 ikev2_next_payload: length 5 nextpayload NOTIFY ikev2_next_payload: length 14 nextpayload NONE ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 451 response 1 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id
Re: Image viewer alternative to eog
gqview
Re: Image viewer alternative to eog
On Sat, Nov 25, 2017 at 10:44:34PM +0100, Solène Rapenne wrote: > I would recommend sxiv I second sxiv. However on displays with high or even highish DPI I find it difficult to deal with the limited number of predefined zoom levels for images and thumbnails, which is why I recommend adjusting/extending zoom_levels and thumb_sizes in config.h to accommodate such displays.
Re: Image viewer alternative to eog
Hi there, On 25/11/2017 20:51, x9p wrote: Is there a good/safe and light image viewer? Was used to eog, but it has too many "vfprintf %s NULL" in messages. gimp is too big and good for play with images, In need of smth fast. I use LaternaMagica for that, small, single-window with list and has handy functions for exporting and resizing if needed. I should know, I wrote it :) Latest version is even in ports! But you may like or may not that it is in GNUstep. Riccardo
FU: RE: Hellos from the Lands of Norway.
I wrote: > "Sterling Archer"wrote: which sould've been: > "Ywe Cærlyn" wrote: But /thread, really. --schaafuit.
links to mdocml.bsd.lv
The links to gmdiff and others in specialtopics#Mandoc still seem to point to "mdocml.bsd.lv" instead of mandoc's own "mandoc.bsd.lv" domain. Jan --- specialtopics.html.orig Sun Nov 26 12:41:11 2017 +++ specialtopics.html Sun Nov 26 12:59:50 2017 @@ -1002,7 +1002,7 @@ $ doas make install Optionally, you may also get a copy of the -http://mdocml.bsd.lv/cgi-bin/cvsweb/gmdiff?cvsroot=mdocml;>gmdiff +http://mandoc.bsd.lv/cgi-bin/cvsweb/gmdiff;>gmdiff utility script that helps to compare groff and mandoc output. The gmdiff script is not strictly required, doing the necessary checks by hand is perfectly acceptable. @@ -1123,7 +1123,7 @@ If there are no errors, but mandoc output has minor is hinder the user when reading the manual, you are welcome to report these issues as well. In that case, you are even more welcome to first check the mandoc -http://mdocml.bsd.lv/cgi-bin/cvsweb/TODO?cvsroot=mdocml;>TODO +http://mandoc.bsd.lv/cgi-bin/cvsweb/TODO;>TODO list, to avoid having the same minor issues reported again and again - but in case of doubt, it is always better to report dupes than to let problems go unnoticed. @@ -1140,7 +1140,7 @@ particular to identify and remove bogus mandoc errors To speed up the manual checks, in particular if you are often doing mandoc checks on OpenBSD ports, and to reduce the risk of overlooking problems, consider using the -http://mdocml.bsd.lv/cgi-bin/cvsweb/gmdiff?cvsroot=mdocml;>gmdiff +http://mandoc.bsd.lv/cgi-bin/cvsweb/gmdiff;>gmdiff utility script. It takes the file names of an arbitrary number of manual source files as arguments, runs both groff and mandoc on all the files in turn, and compares