Re: would like: unix user and softraid crypto sharing same password

2018-03-04 Thread Marcus MERIGHI
Hello, 

min...@obiit.org (frantisek holop), 2018.03.04 (Sun) 22:59 (CET):
> macOS has this rather user friendly operating mode
> where one is able to set the volume's FileVault
> (apple's full disk encryption) password to be the same
> as their user password and the password is asked only
> once.  after bootup i get a login screen, enter my
> password, and voila, i am both logged in, and can
> access the encrypted volume.  this works with a boot
> volume as well.
> 
> i would like to achieve something similar on OpenBSD
> but in a bit simpler setup.  my softraid crypto volume
> is just a "data" mount under my home, the system and /home
> are not encrypted.  this setup came to be partly
> because it's a pain in the ass to always mount the
> encrypted folder after logging in, so i left some
> common stuff unencrypted (yes, i know, keydisks...).
> 
> but it would be nice to have a fully encrypted /home
> that gets mounted when i enter my user password at the
> login screen, i don't mind leaving the system unencrypted...
> 
> any ideas how to achieve this?  some nice post auth
> hooks?  in some ways it's bit like authpf...

This doesn't achieve what you want the way you want it, but it lets me
have my $HOME on softraid(4) crypt without Full Disk Encryption (FDE).

I have a local change to ttys(5) to let me unlock my softraid(4) crypt
devices before xenodm(1) log in:

$ grep ^ttyC5 /etc/ttys
ttyC5   "/etc/ttymenu.getty"   vt220   on  secure

$ cat /etc/ttymenu.getty 
#!/bin/sh -e
TERM=vt220 /etc/ttymenu < /dev/$1 > /dev/$1

/etc/ttymenu asks me for the password and passes it to bioctl(8).

After the softraid(4) volume is attached it's mounted via hotplug(8).

I recommend a small (1GB in my case) softraid volume for your $HOME, to
have it fsck(8)ed quickly and get access to your $HOME fast after
unclean shutdowns. Then have another, big softraid volume for your
$BIGDATA which takes longer being fsck(8)ed but isn't necessary for
log in.

Marcus
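The two halves of Marcus's setup (a getty-driven unlock on ttyC5, then a hotplug(8) mount once the volume appears) as one added example script; this is not his actual /etc/ttymenu, and the chunk device, the volume DUID and the mount point are assumptions. Installed as /etc/ttymenu it is started by the ttymenu.getty wrapper and lets bioctl(8) prompt on that tty; installed (or symlinked) as /etc/hotplug/attach it mounts only the volume with the expected DUID.

```shell
#!/bin/sh
# Added example, not the original poster's script.  One file serving two
# roles, selected by the name it is invoked under:
#   /etc/ttymenu          -> run by the getty wrapper on ttyC5, unlocks the volume
#   /etc/hotplug/attach   -> run by hotplug(8) with "<class> <name>", mounts it
# CRYPTO_CHUNK, HOME_DUID and HOME_MOUNT are assumed/constructed values.
CRYPTO_CHUNK=${CRYPTO_CHUNK:-/dev/sd0d}   # partition holding the crypto chunk
HOME_DUID=${HOME_DUID:-0123456789abcdef}  # DUID of the decrypted volume (constructed)
HOME_MOUNT=${HOME_MOUNT:-/home}           # fstab(5) entry for that DUID, marked noauto
MAX_TRIES=3

# duid_for_disk DISKNAMES NAME: print the DUID of NAME from a hw.disknames
# string of the form "sd0:<duid>,sd1:<duid>,cd0:".  Returns 1 when NAME is
# absent or has no DUID, so callers never match on an empty string.
duid_for_disk() {
    names=$1 name=$2
    duid=$(printf '%s\n' "$names" | tr ',' '\n' | sed -n "s/^$name:\(.*\)\$/\1/p")
    [ -n "$duid" ] || return 1
    printf '%s\n' "$duid"
}

# is_home_volume NAME: true if the disk that just attached carries HOME_DUID.
is_home_volume() {
    duid=$(duid_for_disk "$(sysctl -n hw.disknames)" "$1") || return 1
    [ "$duid" = "$HOME_DUID" ]
}

# hotplug_attach CLASS NAME: hotplug(8) passes the device class (2 = disk)
# and the device name.  Matching on the DUID rather than on "sd1" means a
# random USB stick showing up first is ignored instead of mounted as $HOME.
hotplug_attach() {
    [ "$1" = 2 ] || return 0
    if is_home_volume "$2"; then
        logger -t hotplug "softraid volume $2 attached, mounting $HOME_MOUNT"
        fsck -p "$HOME_MOUNT" && mount "$HOME_MOUNT"
    fi
}

# ttymenu_unlock: bioctl reads the passphrase itself from the controlling
# tty, so this script never holds it in a variable or a file.  The retry
# loop is bounded so a typo does not wedge the console until getty respawns.
ttymenu_unlock() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        if bioctl -c C -l "$CRYPTO_CHUNK" softraid0; then
            logger -t ttymenu "crypto volume on $CRYPTO_CHUNK attached"
            return 0
        fi
        tries=$((tries + 1))
        echo "Attach failed ($tries/$MAX_TRIES)."
    done
    return 1
}

case "${0##*/}" in
    attach)  hotplug_attach "$@" ;;
    ttymenu) ttymenu_unlock ;;
esac
```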



sshd(8), sshd_config(5), and the LogLevel directive

2018-03-04 Thread Lars Noodén
I'm not able to get sshd(8) to use alternative loglevels, such as Debug3.

When sshd(8) starts, it goes through the normal reporting regardless
of which LogLevel is set in sshd_config(5).  Here is an excerpt from
/var/log/authlog showing the daemon starting and a first connection
from outside:

Mar  5 08:02:37 yeeloong sshd[13495]: Server listening on 0.0.0.0 port 22.
Mar  5 08:02:37 yeeloong sshd[13495]: Server listening on :: port 22.
Mar  5 08:11:55 yeeloong sshd[80107]: Connection from xx.yy.zz.aa port
60502 on xx.yy.zz.bb port 22 rdomain "0"

Yet the loglevel seems to be read correctly from the configuration file:

# /usr/sbin/sshd -T | grep -i loglevel
loglevel DEBUG3

Invoking sshd(8) with -d, -dd, -ddd produces increased logging though,
just not to the log file.

Is this worth a formal report?

/Lars
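One thing to check before filing (added note, not from the thread): sshd emits its DEBUG1-3 messages at syslog priority debug, while the stock OpenBSD syslog.conf(5) keeps only auth.info and above in /var/log/authlog, so the extra records are discarded by syslogd, not by sshd. The fragment below is an added example showing the relevant lines side by side; /var/log/sshd-debug is an assumed file name, and syslogd will not create it for you.

```conf
# sshd_config(5): the value sshd -T reports; SyslogFacility AUTH is the default
LogLevel DEBUG3
SyslogFacility AUTH

# syslog.conf(5): the stock selector stops at info, so debug records never
# reach authlog.  A second selector for the same facility captures them
# (touch the file first, then restart syslogd).
auth.info        /var/log/authlog
auth.debug       /var/log/sshd-debug
```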




Re: ffs mount options or tuning to prevent corrupted fs on power-outage

2018-03-04 Thread Thomas Huber
Thanks to all of you for your advice.

Just one thing I had in mind but not sure if it is a wise option:
Is it possible to run fsck_ffs(8) with -y during startup so it hopefully
is able to repair the filesystems?
In addition to that I would do an hourly rsync of the partitions to a NAS to
easily repair when something goes terribly wrong?

Thomas



On 4 March 2018 at 18:49, Nick Holland  wrote:

> On 03/03/18 14:48, Thomas Huber wrote:
> > Hi,
> >
> > can someone give me a recommendation for ffs mount options or further
> > tuning to prevent file-system corruption on power-outage?
> >
> > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > takes place approx. once a month. Most of the time everything starts fine
> > when power is back, but sometimes (now the third time in one year) I end up
> > with a corrupted /var and I've to go to that place and do manual fsck_ffs
> > which could always repair the fs.
> ...
>
> Wrong question focusing on the wrong problem.  The bigger issue is, "Why
> is my machine so difficult to fix when things go wrong?"
>
> Answer: You got the wrong machine for the environment.
>
> I know, this week, the answer to all questions is "APU", just as some
> years ago it was "Soekris", regardless of the question.  Just as wrong
> now as it was then.
>
> You need a computer with a real keyboard and a real monitor attached, so
> *WHEN* things go wrong (NOT JUST POWER), you can walk the locals
> through fixing (or at least diagnosing) the problem.  Normal people (you
> know, with weekends, social lives, significant others, things like that)
> can't handle serial consoles, nor should they be expected to.
>
> Murphy's law dictates that the harder it is to get console, the more
> often you need it.  I know, it's not true, but I swear the ONLY times an
> OpenBSD won't come up after a hard power down is when the keyboard and
> monitor aren't attached or hard to get attached.  Realistically, it's
> just that when you have keyboard and monitor attached, the fix is just a
> few minutes away, rather than hours or days, and you can walk just about
> anyone through it over the phone, and thus becomes a "non-event".
>
> Nick.
>
>




6.3 snapshots run well.

2018-03-04 Thread Tuyosi T
i installed 6.3 snapshots.
lumina & japanese input method (scim-anthy) run well.
thanks


Is Absolute Software's Computrace AKA Lojack for Laptops a problem?

2018-03-04 Thread Z Ero
For OpenBSD users on second hand Thinkpads, does computrace present a
security concern? I understand that the phone home agent runs on
windows but is there anything in the "predesktop environment" that can
pose a security threat to OpenBSD users related to computrace? Thanks.



Re: would like: unix user and softraid crypto sharing same password

2018-03-04 Thread frantisek holop
Mihai Popescu, 05 Mar 2018 00:07:
> Did they remove the SHIFT key support on macOS?

AH< SO THATS"S THE SECRET< I JUST NEED TO USE THE SHIFT KEY>
THANKS COMRADE




Re: would like: unix user and softraid crypto sharing same password

2018-03-04 Thread Mihai Popescu
Did they remove the SHIFT key support on macOS?



would like: unix user and softraid crypto sharing same password

2018-03-04 Thread frantisek holop
hello,

macOS has this rather user friendly operating mode
where one is able to set the volume's FileVault
(apple's full disk encryption) password to be the same
as their user password and the password is asked only
once.  after bootup i get a login screen, enter my
password, and voila, i am both logged in, and can
access the encrypted volume.  this works with a boot
volume as well.

i would like to achieve something similar on OpenBSD
but in a bit simpler setup.  my softraid crypto volume
is just a "data" mount under my home, the system and /home
are not encrypted.  this setup came to be partly
because it's a pain in the ass to always mount the
encrypted folder after logging in, so i left some
common stuff unencrypted (yes, i know, keydisks...).

but it would be nice to have a fully encrypted /home
that gets mounted when i enter my user password at the
login screen, i don't mind leaving the system unencrypted...

any ideas how to achieve this?  some nice post auth
hooks?  in some ways it's bit like authpf...

-f



Re: ffs mount options or tuning to prevent corrupted fs on power-outage

2018-03-04 Thread Nick Holland
On 03/03/18 14:48, Thomas Huber wrote:
> Hi,
> 
> can someone give me a recommendation for ffs mount options or further
> tuning to prevent file-system corruption on power-outage?
> 
> I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> takes place approx. once a month. Most of the time everything starts fine
> when power is back, but sometimes (now the third time in one year) I end up
> with a corrupted /var and I've to go to that place and do manual fsck_ffs
> which could always repair the fs.
...

Wrong question focusing on the wrong problem.  The bigger issue is, "Why
is my machine so difficult to fix when things go wrong?"

Answer: You got the wrong machine for the environment.

I know, this week, the answer to all questions is "APU", just as some
years ago it was "Soekris", regardless of the question.  Just as wrong
now as it was then.

You need a computer with a real keyboard and a real monitor attached, so
*WHEN* things go wrong (NOT JUST POWER), you can walk the locals
through fixing (or at least diagnosing) the problem.  Normal people (you
know, with weekends, social lives, significant others, things like that)
can't handle serial consoles, nor should they be expected to.

Murphy's law dictates that the harder it is to get console, the more
often you need it.  I know, it's not true, but I swear the ONLY times an
OpenBSD won't come up after a hard power down is when the keyboard and
monitor aren't attached or hard to get attached.  Realistically, it's
just that when you have keyboard and monitor attached, the fix is just a
few minutes away, rather than hours or days, and you can walk just about
anyone through it over the phone, and thus becomes a "non-event".

Nick.



Re: ffs mount options or tuning to prevent corrupted fs on power-outage

2018-03-04 Thread Otto Moerbeek
On Sun, Mar 04, 2018 at 05:40:30AM -0800, Chris Bennett wrote:

> On Sun, Mar 04, 2018 at 12:26:18PM +, mark wrote:
> > On 03/04/18 00:32, Chris Bennett wrote:
> > > On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > > > Hi,
> > > > 
> > > > can someone give me a recommendation for ffs mount options or further
> > > > tuning to prevent file-system corruption on power-outage?
> > > > 
> > > > I run a PC-Engines APU2c3 with -stable in a rural place where 
> > > > power-outage
> > > > takes place approx.
> > I'd add a 12v (lead-acid) battery between the unit and the PSU, as a cheapo
> > UPS and be done with it, depending on battery capacity you could consider a
> > proper battery charger that switches to trickle charge.
> > -m
> > 
> > 
> Speaking about that, if your power outages last for a while, get a deep
> cycle battery, NOT a car battery, and an inverter to AC and you're good to
> go. Won't fix the problem of loss of power, but you can at least get back to
> work. A car battery isn't designed to be run dead, a deep cycle is for
> things like boat trolling motors and will not get quickly destroyed like
> a car battery is now designed.
> Years ago I had an electric bill that took me months to pay and I did
> just this for six months, charging it at work.
> Don't use a surge suppressor with this set up!
> 
> There is a way to set things up to make a clean switchover that is SAFE
> with the power on then cutting out.
> Maybe an old UPS with a bad battery and use that with the bigger
> battery? Solar power also has something for that too. You can usually
> find used stuff like that either free or cheap.
> 
> You'll get hours of power with a deep cycle. But if you want a clean and
> safe switch without losing power, make sure your setup is safe.
> You can probably google a good method. 
> 
> A plus with the inverter is that you can also run some lights/TV/etc
> charge cell phone during the outage. They also shut off before running
> the battery dead.
> 
> Ideally, get a UPS to shutdown with and the battery plus inverter to
> start back up with.
> 
> Chris Bennett
> 

A UPS is nice, but for maintenance and upgrades a remote console is
very convenient and almost indispensable imo.

-Otto



Re: OSPF over gif on top of IPsec transport -current

2018-03-04 Thread Atanas Vladimirov

On 2018-03-04 13:31, Stefan Sperling wrote:
> On Sun, Mar 04, 2018 at 01:08:21PM +0200, Atanas Vladimirov wrote:
> > Please, let me know if I'm doing something wrong/stupid or this is a bug
> > somewhere in the stack.
> 
> I can't spot anything wrong in what you've shown but it seems you're
> not looking at all the data you could be looking at.
> 
> What might help with diagnosing the issue is monitoring the output of:
> 
> netstat -I gif0
> netstat -I enc0
> 
> and:
> netstat -s
> 
> Look closely at how the counters change, and find the ones which
> could relate to an OSPF packet being dropped.
> 
> Also, check if pf is dropping related packets by logging any blocking
> rules and checking pflog0 with tcpdump as well.

Hi Stefan,

I forgot to mention that both gif0 and enc0 are disabled in pf.conf (set 
skip on {...}).

Also I have a `pass quick log proto ospf` rule.

With `netstat` I observe the same behavior, packets going out on gif0 - 
no packets in.


[ns]~$ netstat -I gif0
Name    Mtu   Network     Address         Ipkts Ierrs    Opkts Oerrs Colls
gif0    1400                                  0     0     8142     0     0
gif0    1400  10.255.255. 10.255.255.2        0     0     8142     0     0

[ns]~$ netstat -I enc0
Name    Mtu   Network     Address         Ipkts Ierrs    Opkts Oerrs Colls
enc0*   0                                  8820     0     8870     0     0


I'll try to take a deeper look on this.
Thanks for your time and effort,
Atanas



Re: ffs mount options or tuning to prevent corrupted fs on power-outage

2018-03-04 Thread Chris Bennett
On Sun, Mar 04, 2018 at 12:26:18PM +, mark wrote:
> On 03/04/18 00:32, Chris Bennett wrote:
> > On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > > Hi,
> > > 
> > > can someone give me a recommendation for ffs mount options or further
> > > tuning to prevent file-system corruption on power-outage?
> > > 
> > > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > > takes place approx.
> I'd add a 12v (lead-acid) battery between the unit and the PSU, as a cheapo
> UPS and be done with it, depending on battery capacity you could consider a
> proper battery charger that switches to trickle charge.
> -m
> 
> 
Speaking about that, if your power outages last for a while, get a deep
cycle battery, NOT a car battery, and an inverter to AC and you're good to
go. Won't fix the problem of loss of power, but you can at least get back to
work. A car battery isn't designed to be run dead, a deep cycle is for
things like boat trolling motors and will not get quickly destroyed like
a car battery is now designed.
Years ago I had an electric bill that took me months to pay and I did
just this for six months, charging it at work.
Don't use a surge suppressor with this set up!

There is a way to set things up to make a clean switchover that is SAFE
with the power on then cutting out.
Maybe an old UPS with a bad battery and use that with the bigger
battery? Solar power also has something for that too. You can usually
find used stuff like that either free or cheap.

You'll get hours of power with a deep cycle. But if you want a clean and
safe switch without losing power, make sure your setup is safe.
You can probably google a good method. 

A plus with the inverter is that you can also run some lights/TV/etc
charge cell phone during the outage. They also shut off before running
the battery dead.

Ideally, get a UPS to shutdown with and the battery plus inverter to
start back up with.

Chris Bennett




Re: ffs mount options or tuning to prevent corrupted fs on power-outage

2018-03-04 Thread mark

On 03/04/18 00:32, Chris Bennett wrote:
> On Sat, Mar 03, 2018 at 07:48:07PM +, Thomas Huber wrote:
> > Hi,
> > 
> > can someone give me a recommendation for ffs mount options or further
> > tuning to prevent file-system corruption on power-outage?
> > 
> > I run a PC-Engines APU2c3 with -stable in a rural place where power-outage
> > takes place approx.
I'd add a 12v (lead-acid) battery between the unit and the PSU, as a 
cheapo UPS and be done with it, depending on battery capacity you could 
consider a proper battery charger that switches to trickle charge.

-m




Re: OSPF over gif on top of IPsec transport -current

2018-03-04 Thread Stefan Sperling
On Sun, Mar 04, 2018 at 01:08:21PM +0200, Atanas Vladimirov wrote:
> Please, let me know if I'm doing something wrong/stupid or this is a bug
> somewhere in the stack.

I can't spot anything wrong in what you've shown but it seems you're
not looking at all the data you could be looking at.

What might help with diagnosing the issue is monitoring the output of:

netstat -I gif0
netstat -I enc0

and:
netstat -s

Look closely at how the counters change, and find the ones which
could relate to an OSPF packet being dropped.

Also, check if pf is dropping related packets by logging any blocking
rules and checking pflog0 with tcpdump as well.



OSPF over gif on top of IPsec transport -current

2018-03-04 Thread Atanas Vladimirov

Hi,

I can't make OSPF work on gif over IPsec.
With tcpdump on gif I see the OSPFv2-hello only from localhost:

# R1
[ns]~$ tcpdump -nei gif0
tcpdump: listening on gif0, link-type LOOP
23:19:29.181685 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:39.192025 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:49.202372 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:19:59.212730 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:20:09.223064 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]
23:20:19.233393 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 
192.168.1.1 area 0.0.0.1 [tos 0xc0] [ttl 1]


# R2
[hodor]~$ tcpdump -nei gif0
tcpdump: listening on gif0, link-type LOOP
12:51:59.316704 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone [tos 0xc0] [ttl 1]
12:52:09.327002 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone [tos 0xc0] [ttl 1]
12:52:19.337314 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone [tos 0xc0] [ttl 1]


While on enc0 both hellos appear (not sure if `bad ip cksum` is the 
reason for my issues):


# R1
[ns]~$ tcpdump -nvi enc0
tcpdump: listening on enc0, link-type ENC
12:24:37.625873 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 
95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs 
[tos 0xc0] [ttl 1] (id 25841, len 64) (ttl 60, id 37752, len 84)
12:24:41.882173 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 
> 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 27818, len 64) (ttl 64, id 60563, len 84, bad ip cksum 32d7! -> c614)
12:24:47.636188 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 
95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs 
[tos 0xc0] [ttl 1] (id 36067, len 64) (ttl 60, id 65348, len 84)
12:24:51.892467 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 
> 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 5127, len 64) (ttl 64, id 12476, len 84, bad ip cksum 201! -> 81ec)
12:24:57.646535 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 
95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 
172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs 
[tos 0xc0] [ttl 1] (id 39220, len 64) (ttl 60, id 1938, len 84)


# R2
[hodor]~$ tcpdump -nvi enc0 | grep OSPF
tcpdump: listening on enc0, link-type ENC
12:28:57.894007 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 3667, len 64) (ttl 64, id 14037, len 84, bad ip cksum 2b6d! -> 7bd3)
12:29:02.151763 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 16974, len 64) (ttl 60, id 21648, len 84)
12:29:07.904315 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 45590, len 64) (ttl 64, id 35262, len 84, bad ip cksum 2743! -> 28ea)
12:29:12.162049 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 19966, len 64) (ttl 60, id 3134, len 84)
12:29:17.914621 (authentic,confidential): SPI 0x11af4dae: 93.123.39.67 > 95.87.227.232: 10.255.255.1 > 224.0.0.5: OSPFv2-hello  44: rtrid 172.16.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 36161, len 64) (ttl 64, id 53105, len 84, bad ip cksum fcb8! -> e336)
12:29:22.172468 (authentic,confidential): SPI 0x1a3fbc6d: 95.87.227.232 > 93.123.39.67: 10.255.255.2 > 224.0.0.5: OSPFv2-hello  44: rtrid 192.168.1.1 backbone E mask 255.255.255.255 int 10 pri 1 dead 40 nbrs [tos 0xc0] [ttl 1] (id 36221, len 64) (ttl 60, id 29514, len 84)


If I set static routes, the regular traffic flows as it should.

The configs are the same on both routers:

# R1
[ns]~$ doas cat /etc/ipsec.conf
local_ip="95.87.227.232"
remote_ip="93.123.39.67"
ike esp transport from $local_ip to $remote_ip

# R2
[hodor]~$ doas cat /etc/ipsec.conf
local_ip="93.123.39.67"