Re: would like: unix user and softraid crypto sharing same password
Hello,

min...@obiit.org (frantisek holop), 2018.03.04 (Sun) 22:59 (CET):
> macOS has this rather user friendly operating mode
> where one is able to set the volume's FileVault
> (apple's full disk encryption) password to be the same
> as their user password and the password is asked only
> once. after bootup i get a login screen, enter my
> password, and voila, i am both logged in, and can
> access the encrypted volume. this works with a boot
> volume as well.
>
> i would like to achieve something similar on OpenBSD
> but in a bit simpler setup. my softraid crypto volume
> is just a "data" mount under my home, the system and /home
> are not encrypted. this setup came to be partly
> because it's a pain in the ass to always mount the
> encrypted folder after logging in, so i left some
> common stuff unencrypted (yes, i know, keydisks...).
>
> but it would be nice to have a fully encrypted /home
> that gets mounted when i enter my user password at the
> login screen, i don't mind leaving the system unencrypted...
>
> any ideas how to achieve this? some nice post auth
> hooks? in some ways it's bit like authpf...

This doesn't achieve what you want the way you want it, but it lets me
have my $HOME on softraid(4) crypt without Full Disk Encryption (FDE).

I have a local change to ttys(5) to let me unlock my softraid(4) crypt
devices before the xenodm(1) login:

    $ grep ^ttyC5 /etc/ttys
    ttyC5   "/etc/ttymenu.getty"    vt220   on  secure
    $ cat /etc/ttymenu.getty
    #!/bin/sh -e
    TERM=vt220 /etc/ttymenu < /dev/$1 > /dev/$1

/etc/ttymenu asks me for the password and passes it to bioctl(8).
After the softraid(4) volume is attached it's mounted via hotplug(8).

I recommend a small (1GB in my case) softraid volume for your $HOME, to
have it fsck(8)ed quickly and get access to your $HOME fast after unclean
shutdowns. Then have another, big softraid volume for your $BIGDATA which
takes longer being fsck(8)ed but isn't necessary for login.

Marcus
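The mechanism Marcus describes (a ttys(5) entry that prompts on the console and hands the passphrase to bioctl(8), then hotplug(8) mounting the volume once it attaches) as an added example. This is not Marcus's actual /etc/ttymenu, which the post does not show. It assumes: the chunk partition and the DUID are placeholders; bioctl's -s flag reads the passphrase from stdin as documented in bioctl(8); /etc/fstab carries a "noauto" entry for the mount point keyed by the volume's DUID so that "mount /home" works; and hotplug(8) calls /etc/hotplug/attach with the device class (2 for disks) and the device name as arguments.

```shell
#!/bin/sh
# Added example: console unlock of a softraid(4) crypto volume plus the
# decision logic for a hotplug(8) attach handler that mounts it.
# Install the same file as /etc/ttymenu (spawned from ttys(5) through a
# getty wrapper like Marcus's) and as /etc/hotplug/attach.

CHUNK="${CHUNK:-/dev/sd0a}"                  # assumed chunk partition
HOME_DUID="${HOME_DUID:-0123456789abcdef}"   # placeholder volume DUID
MOUNTPOINT="${MOUNTPOINT:-/home}"

# Prompt on stdin/stdout (the getty wrapper points both at the console
# device) with echo off; the result lands in PASS, not on stdout.
read_passphrase() {
    printf 'Passphrase for %s: ' "$CHUNK"
    stty -echo
    IFS= read -r PASS
    stty echo
    printf '\n'
}

# Attach the crypto volume. The passphrase travels over a pipe to
# "bioctl -s", so it never appears in argv (visible to ps) or on disk.
attach_crypto() {
    chunk=$1; pass=$2
    printf '%s\n' "$pass" | bioctl -s -c C -l "$chunk" softraid0
}

# Give the user a few attempts; return 0 as soon as bioctl succeeds.
unlock_with_retries() {
    chunk=$1; tries=${2:-3}
    while [ "$tries" -gt 0 ]; do
        read_passphrase
        if attach_crypto "$chunk" "$PASS"; then
            unset PASS
            return 0
        fi
        tries=$((tries - 1))
        printf 'attach failed, %s attempt(s) left\n' "$tries"
    done
    unset PASS
    return 1
}

# Look up the DUID of disk $1 in a hw.disknames string ($2), which has
# the form "wd0:7797d94bb0fceead,sd0:0123456789abcdef" (empty DUID for
# disks without a label). Prints the DUID, or nothing if not found.
disk_duid() {
    printf '%s\n' "$2" | tr ',' '\n' | while IFS=: read -r name duid; do
        if [ "$name" = "$1" ]; then
            printf '%s\n' "$duid"
        fi
    done
}

# Decide whether an attach event should mount the volume.
# $1 device class (2 = disk), $2 device name, $3 hw.disknames value,
# $4 expected DUID. Returns 0 only for our softraid volume, so a USB
# stick that shows up as sdN does not trigger a mount.
should_mount() {
    [ "$1" = 2 ] || return 1
    case "$2" in sd*) ;; *) return 1 ;; esac
    [ "$(disk_duid "$2" "$3")" = "$4" ]
}

# Entry points, selected by the name the script is installed under.
case "${0##*/}" in
ttymenu)
    unlock_with_retries "$CHUNK" 3 || exit 1
    ;;
attach)
    if should_mount "$1" "$2" "$(sysctl -n hw.disknames)" "$HOME_DUID"; then
        mount "$MOUNTPOINT"
    fi
    ;;
esac
```

The DUID check is what keeps the attach handler from mounting /home on any disk insertion; the same check is worth keeping even if the rest is replaced by a one-line "mount /home".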
sshd(8), sshd_config(5), and the LogLevel directive
I'm not able to get sshd(8) to use alternative loglevels, such as DEBUG3.
When sshd(8) starts, it goes through the normal reporting regardless of
which LogLevel is set in sshd_config(5). Here is an excerpt from
/var/log/authlog showing the daemon starting and a first connection from
outside:

Mar  5 08:02:37 yeeloong sshd[13495]: Server listening on 0.0.0.0 port 22.
Mar  5 08:02:37 yeeloong sshd[13495]: Server listening on :: port 22.
Mar  5 08:11:55 yeeloong sshd[80107]: Connection from xx.yy.zz.aa port 60502 on xx.yy.zz.bb port 22 rdomain "0"

Yet the loglevel seems to be read correctly from the configuration file:

# /usr/sbin/sshd -T | grep -i loglevel
loglevel DEBUG3

Invoking sshd(8) with -d, -dd, -ddd produces increased logging though,
just not to the log file.

Is this worth a formal report?

/Lars

[ using 735440 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2018 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.3-beta (GENERIC) #337: Sat Mar  3 07:36:58 MST 2018
    dera...@loongson.openbsd.org:/usr/src/sys/arch/loongson/compile/GENERIC
real mem = 1073741824 (1024MB)
avail mem = 1055784960 (1006MB)
mainbus0 at root: Lemote Yeeloong
cpu0 at mainbus0: STC Loongson2F CPU 797 MHz, STC Loongson2F FPU
cpu0: cache L1-I 64KB D 64KB 4 way, L2 512KB 4 way
bonito0 at mainbus0: memory and PCI-X controller, rev 1
pci0 at bonito0 bus 0
rl0 at pci0 dev 7 function 0 "Realtek 8139" rev 0x10: irq 5, address 00:23:8b:59:df:48
rlphy0 at rl0 phy 0: RTL internal PHY
smfb0 at pci0 dev 8 function 0 "Silicon Motion LynxEM+" rev 0xb0: 1024x600, 16bpp
wsdisplay0 at smfb0 mux 1: console (std, vt100 emulation)
glxpcib0 at pci0 dev 14 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
isa0 at glxpcib0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
mcclock0 at isa0 port 0x70/2: mc146818 or compatible
ykbec0 at isa0 port 0x381/3
gpio1 at glxpcib0: 32 pins
iic at glxpcib0 not configured
glxclk0 at glxpcib0: clock, prof
pciide0 at pci0 dev 14 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
auglx0 at pci0 dev 14 function 3 "AMD CS5536 Audio" rev 0x01: isa irq 9, CS5536 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auglx0
ohci0 at pci0 dev 14 function 4 "AMD CS5536 USB" rev 0x02: isa irq 11, version 1.0, legacy support
ehci0 at pci0 dev 14 function 5 "AMD CS5536 USB" rev 0x02: isa irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1
apm0 at mainbus0
umass0 at uhub0 port 1 configuration 1 interface 0 "Generic USB2.0-CRW" rev 2.00/58.87 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: SCSI0 0/direct removable serial.0bda015811417340
urtw0 at uhub0 port 4 configuration 1 interface 0 "Realtek RTL8187B" rev 2.00/2.00 addr 3
urtw0: RTL8187B rev E, address 00:17:c4:4d:ed:56
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
pmon bootpath: /dev/disk/wd0
boot device: wd0
root on wd0a (7797d94bb0fceead.a) swap on wd0b dump on wd0b
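An added check, not part of Lars's post and not OpenSSH code: sshd(8) hands its messages to syslogd with facility AUTH unless SyslogFacility in sshd_config(5) says otherwise, and the DEBUG1 to DEBUG3 levels are emitted at syslog priority "debug". Whether such a line ever reaches /var/log/authlog is then decided by the selectors in syslog.conf(5), where a selector like "auth.info" passes priority info and anything more severe, but not debug. The shell function below evaluates selectors for a facility/priority pair so you can see which destinations a given message reaches. The sample configuration is constructed to resemble the OpenBSD default and is an assumption; run the function against the real /etc/syslog.conf on the host.

```shell
#!/bin/sh
# Added example: which syslog.conf(5) destinations admit a message logged
# at FACILITY.PRIORITY. Handles "fac[,fac].level" selectors joined by ";",
# the "*" facility wildcard and the "none" level; "!prog"/"+host" blocks
# and "=level" forms are left out. Fields are whitespace-separated.

# Constructed sample, not a verbatim copy of any host's syslog.conf.
SAMPLE_SYSLOG_CONF='# constructed sample
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   /var/log/messages
kern.debug;syslog,user.info                               /var/log/messages
auth.info                                                 /var/log/authlog
authpriv.debug                                            /var/log/secure
*.err;auth.debug                                          /dev/console'

# Usage: destinations_for FACILITY PRIORITY < syslog.conf
# A selector admits a message when the message priority is at least as
# severe as the selector level; "none" cancels an earlier match on the
# same line, exactly as syslogd applies selectors left to right.
destinations_for() {
    awk -v fac="$1" -v pri="$2" '
    BEGIN {
        split("emerg alert crit err warning notice info debug", order, " ")
        for (i = 1; i <= 8; i++) rank[order[i]] = i
        if (!(pri in rank)) {
            print "unknown priority: " pri > "/dev/stderr"
            exit 2
        }
    }
    NF == 0 || $1 ~ /^#/ { next }
    {
        n = split($1, sels, ";")
        admit = 0
        for (i = 1; i <= n; i++) {
            split(sels[i], parts, ".")
            m = split(parts[1], facs, ",")
            matched = 0
            for (j = 1; j <= m; j++)
                if (facs[j] == "*" || facs[j] == fac) matched = 1
            if (!matched) continue
            if (parts[2] == "none") admit = 0
            else if (rank[pri] <= rank[parts[2]]) admit = 1
        }
        if (admit) print $NF
    }'
}

# Convenience wrapper that runs the check over the constructed sample.
sample_destinations() {
    printf '%s\n' "$SAMPLE_SYSLOG_CONF" | destinations_for "$1" "$2"
}
```

With the sample above, "sample_destinations auth info" lists /var/log/authlog and /dev/console, while "sample_destinations auth debug" lists only /dev/console: the debug-priority output exists, but the authlog selector never admits it. To see it in a file, either add a destination with an auth.debug selector or point sshd at a facility whose selector already reaches debug.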
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
Thanks to all of you for your advice.

Just one thing I had in mind but not sure if it is a wise option:
Is it possible to run fsck_ffs(8) with -y during startup so it hopefully is
able to repair the filesystems? In addition to that I would do an hourly
rsync of the partitions to a NAS to easily repair when something goes
terribly wrong.

Thomas

On 4 March 2018 at 18:49, Nick Holland wrote:
> On 03/03/18 14:48, Thomas Huber wrote:
> > Hi,
> >
> > can someone give me some recommendations for ffs mount options or further
> > tuning to prevent file-system corruption on power-outage?
> >
> > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > takes place approx. once a month. Most of the time everything starts fine
> > when power is back, but sometimes (now the third time in one year) I end up
> > with a corrupted /var and I've to go to that place and do manual fsck_ffs
> > which could always repair the fs.
> ...
>
> Wrong question focusing on the wrong problem. The bigger issue is, "Why
> is my machine so difficult to fix when things go wrong?"
>
> Answer: You got the wrong machine for the environment.
>
> I know, this week, the answer to all questions is "APU", just as some
> years ago it was "Soekris", regardless of the question. Just as wrong
> now as it was then.
>
> You need a computer with a real keyboard and a real monitor attached, so
> *WHEN* things go wrong (NOT JUST POWER), you can walk the locals
> through fixing (or at least diagnosing) the problem. Normal people (you
> know, with weekends, social lives, significant others, things like that)
> can't handle serial consoles, nor should they be expected to.
>
> Murphy's law dictates that the harder it is to get console, the more
> often you need it. I know, it's not true, but I swear the ONLY times an
> OpenBSD won't come up after a hard power down is when the keyboard and
> monitor aren't attached or hard to get attached. Realistically, it's
> just that when you have keyboard and monitor attached, the fix is just a
> few minutes away, rather than hours or days, and you can walk just about
> anyone through it over the phone, and thus it becomes a "non-event".
>
> Nick.
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
6.3 snapshots run well.
I installed the 6.3 snapshot. It runs well with Lumina and the Japanese input method (scim-anthy). Thanks.
Is Absolute Software's Computrace AKA Lojack for Laptops a problem?
For OpenBSD users on second-hand Thinkpads, does Computrace present a security concern? I understand that the phone-home agent runs on Windows, but is there anything in the "predesktop environment" that can pose a security threat to OpenBSD users related to Computrace? Thanks.
Re: would like: unix user and softraid crypto sharing same password
Mihai Popescu, 05 Mar 2018 00:07:
> Did they remove the SHIFT key support on macOS?

AH< SO THATS"S THE SECRET< I JUST NEED TO USE THE SHIFT KEY> THANKS COMRADE

--
Re: would like: unix user and softraid crypto sharing same password
Did they remove the SHIFT key support on macOS?
would like: unix user and softraid crypto sharing same password
hello,

macOS has this rather user friendly operating mode where one is able to
set the volume's FileVault (apple's full disk encryption) password to be
the same as their user password and the password is asked only once.
after bootup i get a login screen, enter my password, and voila, i am
both logged in, and can access the encrypted volume. this works with a
boot volume as well.

i would like to achieve something similar on OpenBSD but in a bit simpler
setup. my softraid crypto volume is just a "data" mount under my home,
the system and /home are not encrypted. this setup came to be partly
because it's a pain in the ass to always mount the encrypted folder after
logging in, so i left some common stuff unencrypted (yes, i know,
keydisks...).

but it would be nice to have a fully encrypted /home that gets mounted
when i enter my user password at the login screen, i don't mind leaving
the system unencrypted...

any ideas how to achieve this? some nice post auth hooks? in some ways
it's bit like authpf...

-f
--
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
On 03/03/18 14:48, Thomas Huber wrote:
> Hi,
>
> can someone give me some recommendations for ffs mount options or further
> tuning to prevent file-system corruption on power-outage?
>
> I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> takes place approx. once a month. Most of the time everything starts fine
> when power is back, but sometimes (now the third time in one year) I end up
> with a corrupted /var and I've to go to that place and do manual fsck_ffs
> which could always repair the fs.
...

Wrong question focusing on the wrong problem. The bigger issue is, "Why
is my machine so difficult to fix when things go wrong?"

Answer: You got the wrong machine for the environment.

I know, this week, the answer to all questions is "APU", just as some
years ago it was "Soekris", regardless of the question. Just as wrong
now as it was then.

You need a computer with a real keyboard and a real monitor attached, so
*WHEN* things go wrong (NOT JUST POWER), you can walk the locals
through fixing (or at least diagnosing) the problem. Normal people (you
know, with weekends, social lives, significant others, things like that)
can't handle serial consoles, nor should they be expected to.

Murphy's law dictates that the harder it is to get console, the more
often you need it. I know, it's not true, but I swear the ONLY times an
OpenBSD won't come up after a hard power down is when the keyboard and
monitor aren't attached or hard to get attached. Realistically, it's
just that when you have keyboard and monitor attached, the fix is just a
few minutes away, rather than hours or days, and you can walk just about
anyone through it over the phone, and thus it becomes a "non-event".

Nick.
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
On Sun, Mar 04, 2018 at 05:40:30AM -0800, Chris Bennett wrote:
> On Sun, Mar 04, 2018 at 12:26:18PM +, mark wrote:
> > On 03/04/18 00:32, Chris Bennett wrote:
> > > On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > > > Hi,
> > > >
> > > > can someone give me some recommendations for ffs mount options or further
> > > > tuning to prevent file-system corruption on power-outage?
> > > >
> > > > I run a PC-Engines APU2c3 with -stable in a rural place where
> > > > power-outage
> > > > takes place approx.
> > I'd add a 12v (lead-acid) battery between the unit and the PSU, as a cheapo
> > UPS and be done with it, depending on battery capacity you could consider a
> > proper battery charger that switches to trickle charge.
> > -m
> >
>
> Speaking about that, if your power outages last for a while, get a deep
> cycle battery, NOT a car battery and an inverter to AC and you're good to
> go. Won't fix problem of loss of power, but you can at least get back to
> work. A car battery isn't designed to be run dead, a deep cycle is for
> things like boat trolling motors and will not get quickly destroyed like
> a car battery is now designed.
> Years ago I had an electric bill that took me months to pay and I did
> just this for six months, charging it at work.
> Don't use a surge suppressor with this set up!
>
> There is a way to set things up to make a clean switchover that is SAFE
> with the power on then cutting out.
> Maybe an old UPC with a bad battery and use that with the bigger
> battery? Solar power also has something for that too. You can usually
> find used stuff like that either free or cheap.
>
> You'll get hours of power with a deep cycle. But if you want a clean and
> safe switch without losing power, make sure your setup is safe.
> You can probably google a good method.
>
> A plus with the inverter is that you can also run some lights/TV/etc
> charge cell phone during the outage. They also shut off before running
> the battery dead.
>
> Ideally, get a UPC to shutdown with and the battery plus inverter to
> start back up with.
>
> Chris Bennett
>

A UPS is nice, but for maintenance and upgrades a remote console is very
convenient and almost indispensable imo.

	-Otto
Re: OSPF over gif on top of IPsec transport -current
On 2018-03-04 13:31, Stefan Sperling wrote:
> On Sun, Mar 04, 2018 at 01:08:21PM +0200, Atanas Vladimirov wrote:
> > Please, let me know if I'm doing something wrong/stupid or this is bug
> > somewhere in the stack.
>
> I can't spot anything wrong in what you've shown but it seems you're not
> looking at all the data you could be looking at.
>
> What might help with diagnosing the issue is monitoring the output of:
>
> netstat -I gif0
> netstat -I enc0
>
> and:
>
> netstat -s
>
> Look closely at how the counters change, and find the ones which could
> relate to an OSPF packet being dropped.
>
> Also, check if pf is dropping related packets by logging any blocking
> rules and checking pflog0 with tcpdump as well.

Hi Stefan,

I forgot to mention that both gif0 and enc0 are disabled in pf.conf
(set skip on {...}). Also I have a `pass quick log proto ospf` rule.

With `netstat` I observe the same behavior, packets going out on gif0 -
no packets in.

[ns]~$ netstat -I gif0
Name   Mtu   Network     Address        Ipkts Ierrs Opkts Oerrs Colls
gif0   1400                                 0     0  8142     0     0
gif0   1400  10.255.255. 10.255.255.2       0     0  8142     0     0
[ns]~$ netstat -I enc0
Name   Mtu   Network     Address        Ipkts Ierrs Opkts Oerrs Colls
enc0*  0                                 8820     0  8870     0     0

I'll try to take a deeper look on this.

Thanks for your time and effort,
Atanas
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
On Sun, Mar 04, 2018 at 12:26:18PM +, mark wrote:
> On 03/04/18 00:32, Chris Bennett wrote:
> > On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > > Hi,
> > >
> > > can someone give me some recommendations for ffs mount options or further
> > > tuning to prevent file-system corruption on power-outage?
> > >
> > > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > > takes place approx.
> I'd add a 12v (lead-acid) battery between the unit and the PSU, as a cheapo
> UPS and be done with it, depending on battery capacity you could consider a
> proper battery charger that switches to trickle charge.
> -m
>

Speaking about that, if your power outages last for a while, get a deep
cycle battery, NOT a car battery and an inverter to AC and you're good to
go. Won't fix problem of loss of power, but you can at least get back to
work. A car battery isn't designed to be run dead, a deep cycle is for
things like boat trolling motors and will not get quickly destroyed like
a car battery is now designed.
Years ago I had an electric bill that took me months to pay and I did
just this for six months, charging it at work.
Don't use a surge suppressor with this set up!

There is a way to set things up to make a clean switchover that is SAFE
with the power on then cutting out.
Maybe an old UPC with a bad battery and use that with the bigger
battery? Solar power also has something for that too. You can usually
find used stuff like that either free or cheap.

You'll get hours of power with a deep cycle. But if you want a clean and
safe switch without losing power, make sure your setup is safe.
You can probably google a good method.

A plus with the inverter is that you can also run some lights/TV/etc
charge cell phone during the outage. They also shut off before running
the battery dead.

Ideally, get a UPC to shutdown with and the battery plus inverter to
start back up with.

Chris Bennett
Re: ffs mount options or tuning to prevent corrupted fs on power-outage
On 03/04/18 00:32, Chris Bennett wrote:
> On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > Hi,
> >
> > can someone give me some recommendations for ffs mount options or further
> > tuning to prevent file-system corruption on power-outage?
> >
> > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > takes place approx.

I'd add a 12v (lead-acid) battery between the unit and the PSU, as a cheapo
UPS and be done with it, depending on battery capacity you could consider a
proper battery charger that switches to trickle charge.
-m
Re: OSPF over gif on top of IPsec transport -current
On Sun, Mar 04, 2018 at 01:08:21PM +0200, Atanas Vladimirov wrote:
> Please, let me know if I'm doing something wrong/stupid or this is bug
> somewhere in the stack.

I can't spot anything wrong in what you've shown but it seems you're not
looking at all the data you could be looking at.

What might help with diagnosing the issue is monitoring the output of:

netstat -I gif0
netstat -I enc0

and:

netstat -s

Look closely at how the counters change, and find the ones which could
relate to an OSPF packet being dropped.

Also, check if pf is dropping related packets by logging any blocking
rules and checking pflog0 with tcpdump as well.
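Stefan's advice is to watch how the netstat -s counters move between hello intervals. As an added example that is not part of either post, here is a small shell helper that diffs two netstat -s snapshots and prints only the counters that changed, with a second function narrowing that to drop/error style counters. The two snapshots are constructed to look like OpenBSD netstat -s output; the counter names are illustrative, not a verbatim capture from either router.

```shell
#!/bin/sh
# Added example: diff two "netstat -s" snapshots and report moving
# counters. Counter lines have the form "<number> <description>" under a
# "<proto>:" heading; the key is "proto: description" so that identical
# descriptions under different protocols stay distinct.

# Constructed snapshots, taken a few hello intervals apart.
BEFORE='ip:
        8820 total packets received
        0 bad header checksums
        8142 packets sent from this host
        12 output packets dropped due to no bufs, etc.
ipsec:
        8820 input IPsec packets
        8870 output IPsec packets'
AFTER='ip:
        8826 total packets received
        0 bad header checksums
        8148 packets sent from this host
        18 output packets dropped due to no bufs, etc.
ipsec:
        8826 input IPsec packets
        8876 output IPsec packets'

# Usage: counter_deltas BEFORE_FILE AFTER_FILE
# Prints "<delta> <proto>: <description>" for every nonzero delta.
counter_deltas() {
    awk '
    /^[^ \t].*:$/ { proto = $1; next }
    /^[ \t]*[0-9]+ / {
        n = $1
        $1 = ""
        key = proto " " substr($0, 2)
        if (FNR == NR) before[key] = n
        else if (n - before[key] != 0) print n - before[key], key
    }' "$1" "$2"
}

# Usage: suspicious_deltas BEFORE_FILE AFTER_FILE
# Same as above, restricted to counters whose name suggests a drop.
suspicious_deltas() {
    counter_deltas "$1" "$2" | grep -Ei 'drop|discard|error|bad|fail'
}

# Example run over the constructed snapshots.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$BEFORE" > "$d/before"
    printf '%s\n' "$AFTER" > "$d/after"
    echo "changed counters:"
    counter_deltas "$d/before" "$d/after"
    echo "drop-like counters:"
    suspicious_deltas "$d/before" "$d/after"
    rm -rf "$d"
}
```

On the routers in the thread the interesting pattern would be an ipsec/esp input counter rising on each hello while no gif0 input counter moves; "netstat -s > before", wait through a few 10 s hello intervals, "netstat -s > after", then "counter_deltas before after" shows that in one screen.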
OSPF over gif on top of IPsec transport -current
Hi,

I can't make OSPF work on gif over IPsec.
With tcpdump on gif I see the OSPFv2-hello only from localhost:

# R1
[ns]~$ tcpdump -nei gif0
tcpdump: listening on gif0, link-type LOOP
23:19:29.181685 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:39.192025 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:49.202372 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:59.212730 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:20:09.223064 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:20:19.233393 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]

# R2
[hodor]~$ tcpdump -nei gif0
tcpdump: listening on gif0, link-type LOOP
12:51:59.316704 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone [tos 0xc0] [ttl 1]
12:52:09.327002 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone [tos 0xc0] [ttl 1]
12:52:19.337314 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone [tos 0xc0] [ttl 1]

While on enc0 both hellos appear (not sure if `bad ip cksum` is the reason for my issues):

# R1
[ns]~$ tcpdump -nvi enc0
tcpdump: listening on enc0, link-type ENC
12:24:37.625873 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 25841, len 64) (ttl 60, id 37752, len 84)
12:24:41.882173 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 27818, len 64) (ttl 64, id 60563, len 84, bad ip cksum 32d7! -> c614)
12:24:47.636188 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 36067, len 64) (ttl 60, id 65348, len 84)
12:24:51.892467 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 5127, len 64) (ttl 64, id 12476, len 84, bad ip cksum 201! -> 81ec)
12:24:57.646535 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 39220, len 64) (ttl 60, id 1938, len 84)

# R2
[hodor]~$ tcpdump -nvi enc0 | grep OSPF
tcpdump: listening on enc0, link-type ENC
12:28:57.894007 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 3667, len 64) (ttl 64, id 14037, len 84, bad ip cksum 2b6d! -> 7bd3)
12:29:02.151763 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 16974, len 64) (ttl 60, id 21648, len 84)
12:29:07.904315 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 45590, len 64) (ttl 64, id 35262, len 84, bad ip cksum 2743! -> 28ea)
12:29:12.162049 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 19966, len 64) (ttl 60, id 3134, len 84)
12:29:17.914621 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello 44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 36161, len 64) (ttl 64, id 53105, len 84, bad ip cksum fcb8! -> e336)
12:29:22.172468 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello 44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 36221, len 64) (ttl 60, id 29514, len 84)

If I set static routes the regular traffic flows as it should.
The configs are the same on both routers:

# R1
[ns]~$ doas cat /etc/ipsec.conf
local_ip="95.87.227.232"
remote_ip="93.123.39.67"
ike esp transport from $local_ip to $remote_ip

# R2
[hodor]~$ doas cat /etc/ipsec.conf
local_ip="93.123.39.67"