Re: Ubiquiti Networks EdgeRouter 6P

2018-05-29 Thread Bryan Vyhmeister
On Fri, May 25, 2018 at 06:43:57PM +0000, Chris Jones wrote:
> I see that the Ubiquiti EdgeRouter 6P is supported under octeon port.
> Just wondering if anyone on the list is running OpenBSD 6.3 or current
> on the EdgeRouter 6P? I'm mainly interested in the performance of this
> unit as a home firewall but also interested in using it for other SMB
> applications.

Yes, I am running -current on a number of EdgeRouter 4 and 6P units.
They seem to work quite well. Some cursory performance testing of routing
between subnets with iperf3 yields a max of around 450 Mbps
throughput. There is a new octcrypto(4) driver which should be
interesting and is on my list to test for ipsec.

http://man.openbsd.org/octcrypto

The caveat I have seen is that the USB 3.0 controller is more finicky
than I would like but it seems to be working better recently with
xhci(4) fixes that have gone in over the last few months. I have had
good success with Samsung Fit USB 3.0 flash drives but had some initial
problems with Samsung T3/T5 USB 3.0 SSD drives erroring out with USB
problems. I use OpenBSD through resflash for the most part but vanilla
OpenBSD works fine although the library reordering is fairly slow (a
minute or two I think) on boot.

> I would generally be running standard network services plus 
> isakmpd/iked, ospfd, unbound. Also, is it fair to assume the PoE ports 
> are just active by default?

I have not done any ipsec but the rest work fine. The PoE ports do not
work at all under OpenBSD. PoE is off unless enabled through the EdgeOS
interface and there is no way to do that through OpenBSD. I would
recommend the EdgeRouter 4 unless you need to run from 24V DC power or
need the extra ports but PoE is useless unfortunately. Also, unlike with
the shared copper/fiber ports on the EdgeRouter Pro and UniFi Security
Gateway Pro, the fiber port on the ER-4/ER-6P works fine as an
additional port (cnmac0 actually).

Bryan



Re: I got smtpd.conf working thanks to the man page

2018-05-29 Thread Ingo Schwarze
Hi Walter,

Walter Alejandro Iglesias wrote on Tue, May 29, 2018 at 05:47:36PM +0200:

> My advice to others is not to pay attention to anything
> but the man page,

While that's often not bad advice in other areas of OpenBSD,
this particular manual page is not perfect yet, as should be
obvious to anyone looking at it.

So until these manual pages get finished, Gilles' various blog and
mailing list posts, and the source code, might be required for
missing clues.  Of course, only start searching elsewhere after
checking the manual.

Yours,
  Ingo



Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
Diff, discussed in the thread, seems to follow all the way to 6.3.
Sure I probably can try out 6.3, but I have a feeling that this will not help.

dmesg can be arranged.

Br 

> On 29 May 2018 at 20:56, Chris Cappuccio wrote:
> 
> No magic expected here, but why not try 6.3? 6.1 is not supported anymore, 
> and in any event, you need to include full dmesg so that others without DL360 
> Gen9 have a chance at helping you.
> 
> Maxim Bourmistrov [m...@alumni.chalmers.se] wrote:
>> Hey,
>> While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attach 
>> ix-device.
>> Machine is HP DL360 Gen9.
>> 
>> ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space
>> ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space
>> 
>> Found this thread
>> http://openbsd-archive.7691.n7.nabble.com/OpenBSD-6-1-ix-Intel-82598EB-issue-td317072.html
>>  
>> 
>> 
>> and as far as I can see, this diff is in tree, but not helping here :(
>> 
>> Any clues? 
>> 
>> 4:0:1: Intel 82599
>>   0x: Vendor ID: 8086 Product ID: 10fb
>>   0x0004: Command: 0147 Status: 0010
>>   0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
>>   0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
>>   0x0010: BAR mem 32bit addr: 0x92c0/0x0010
>>   0x0014: BAR empty ()
>>   0x0018: BAR io addr: 0x2000/0x0020
>>   0x001c: BAR mem 32bit addr: 0x92e0/0x4000
>>   0x0020: BAR empty ()
>>   0x0024: BAR empty ()
>>   0x0028: Cardbus CIS: 
>>   0x002c: Subsystem Vendor ID: 103c Product ID: 17d0
>>   0x0030: Expansion ROM Base Address: 
>>   0x0038: 
>>   0x003c: Interrupt Pin: 01 Line: ff Min Gnt: 00 Max Lat: 00
>>   0x0040: Capability 0x01: Power Management
>>   State: D0 PME# enabled
>>   0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
>>   0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
>>   0x00a0: Capability 0x10: PCI Express
>>   Link Speed: 5.0 / 5.0 GT/s Link Width: x8 / x8
>>   0x0100: Enhanced Capability 0x01: Advanced Error Reporting
>>   0x0140: Enhanced Capability 0x03: Device Serial Number
>>   0x0150: Enhanced Capability 0x0e: Alternate Routing ID
>>   0x0160: Enhanced Capability 0x10: Single Root I/O Virtualization
>>   0x00e0: Capability 0x03: Vital Product Data (VPD)
>> 
>> Br
>> 
>> 



Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Chris Cappuccio
No magic expected here, but why not try 6.3? 6.1 is not supported anymore, and 
in any event, you need to include full dmesg so that others without DL360 Gen9 
have a chance at helping you.

Maxim Bourmistrov [m...@alumni.chalmers.se] wrote:
> Hey,
> While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attach 
> ix-device.
> Machine is HP DL360 Gen9.
> 
> ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space
> ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space
> 
> Found this thread
> http://openbsd-archive.7691.n7.nabble.com/OpenBSD-6-1-ix-Intel-82598EB-issue-td317072.html
>  
> 
> 
> and as far as I can see, this diff is in tree, but not helping here :(
> 
> Any clues? 
> 
> 4:0:1: Intel 82599
>0x: Vendor ID: 8086 Product ID: 10fb
>0x0004: Command: 0147 Status: 0010
>0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
>0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
>0x0010: BAR mem 32bit addr: 0x92c0/0x0010
>0x0014: BAR empty ()
>0x0018: BAR io addr: 0x2000/0x0020
>0x001c: BAR mem 32bit addr: 0x92e0/0x4000
>0x0020: BAR empty ()
>0x0024: BAR empty ()
>0x0028: Cardbus CIS: 
>0x002c: Subsystem Vendor ID: 103c Product ID: 17d0
>0x0030: Expansion ROM Base Address: 
>0x0038: 
>0x003c: Interrupt Pin: 01 Line: ff Min Gnt: 00 Max Lat: 00
>0x0040: Capability 0x01: Power Management
>State: D0 PME# enabled
>0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
>0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
>0x00a0: Capability 0x10: PCI Express
>Link Speed: 5.0 / 5.0 GT/s Link Width: x8 / x8
>0x0100: Enhanced Capability 0x01: Advanced Error Reporting
>0x0140: Enhanced Capability 0x03: Device Serial Number
>0x0150: Enhanced Capability 0x0e: Alternate Routing ID
>0x0160: Enhanced Capability 0x10: Single Root I/O Virtualization
>0x00e0: Capability 0x03: Vital Product Data (VPD)
> 
> Br
> 
> 



Re: Limit CPU usage of a process?

2018-05-29 Thread Raul Miller
There's https://man.openbsd.org/nice.1

You might be describing https://man.openbsd.org/setrlimit.2 or the
ulimit shell builtin (ulimit -t). But you might not want what you are
describing, if that is the case.

-- 
Raul


On Tue, May 29, 2018 at 2:35 PM, BergenBergen BergenBergen
 wrote:
> Browser or not, how *does* one cap CPU resources though? I think it's a
> very interesting question, and I'm sorta baffled by the fact that the
> demand for this kinda thing hasn't been any higher.
>
> All the best,
> Murk
>
> On Tue, May 29, 2018 at 8:10 PM, Dumitru Mișu Moldovan 
> wrote:
>
>> On 05/27/18 13:07, Maximilian Pichler wrote:
>>
>>> Is it possible to limit the CPU usage of a given process to, say, 20%?
>>>
>>> I'd like to slow down the web browser since it is draining my laptop's
>>> battery. With enough tabs open it's often consuming ~50% of CPU but
>>> not doing anything productive. Apparently with RLIMIT_CPU in
>>> setrlimit(2) the total CPU time of a process can be limited. Can a
>>> similar limit be set for the percentage?
>>>
>>
>> Honest question…  Have you tried blocking ads with something like uBlock
>> Origin?  I use several approaches to make web browsing palatable on old
>> hardware, and blocking ads is what makes the biggest difference for me.
>> (Using NoScript or equivalents to selectively enable JavaScript for sites
>> where I actually need it is a distant second.)
>>
>> Capping CPU resources is not the way to go on a laptop in my opinion,
>> unless you have some demanding job that always runs in the background in
>> your browser, and that's a problem by itself in your scenario.  Capping
>> will not change the fact that you'll still spend the same resources on
>> loading web pages, however it will slow you down and annoy you.
>>
>>
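
The thread names nice(1), setrlimit(2) and the ulimit -t builtin, but none of those caps a percentage. The following is an added example, not code from the post or from OpenBSD: it shows what RLIMIT_CPU actually does (a total-CPU-seconds kill switch that ends the process with SIGXCPU) next to the SIGSTOP/SIGCONT duty cycle that third-party throttlers such as cpulimit use to approximate a percentage cap. The busy-looping child is a constructed workload; the 20% fraction, the 1 CPU-second limit and the period are assumptions.

```python
"""Two ways to cap a process's CPU use from a parent (added example).

RLIMIT_CPU (setrlimit(2) / ulimit -t) caps the *total* CPU seconds a
process may consume; when the soft limit is reached the kernel sends
SIGXCPU, which terminates the process by default.  It is a kill switch,
not a throttle.

A percentage cap is done differently: periodically SIGSTOP/SIGCONT the
target so it only runs for a chosen fraction of wall-clock time.
"""
import os
import resource
import signal
import time

# Signal delivered when the RLIMIT_CPU soft limit is hit (24 on OpenBSD/Linux).
CPU_LIMIT_SIGNAL = int(signal.SIGXCPU)


def _spin_forever():
    """Child body: burn CPU indefinitely (constructed workload)."""
    while True:
        pass


def run_with_cpu_limit(seconds: int) -> int:
    """Fork a busy-looping child with RLIMIT_CPU = seconds.

    Returns the signal number that terminated the child (SIGXCPU when the
    soft limit is reached), or 0 if it exited normally.
    """
    pid = os.fork()
    if pid == 0:
        # Soft limit triggers SIGXCPU; the hard limit one second later
        # would trigger SIGKILL if SIGXCPU were caught and ignored.
        resource.setrlimit(resource.RLIMIT_CPU, (seconds, seconds + 1))
        _spin_forever()
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    return os.WTERMSIG(status) if os.WIFSIGNALED(status) else 0


def throttle_pid(pid: int, fraction: float, duration: float,
                 period: float = 0.1) -> None:
    """Duty-cycle pid for `duration` seconds: running for `fraction` of
    each period and stopped for the rest.  Leaves the target running."""
    run_for = period * fraction
    stop_for = period - run_for
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        os.kill(pid, signal.SIGCONT)
        time.sleep(run_for)
        os.kill(pid, signal.SIGSTOP)
        time.sleep(stop_for)
    os.kill(pid, signal.SIGCONT)


def measure_throttled_cpu(fraction: float, duration: float) -> tuple:
    """Fork a busy child, throttle it to `fraction`, then kill it.

    Returns (cpu_seconds, wall_seconds) from wait4(2) rusage; the ratio
    should land near `fraction` because the child runs flat out whenever
    it is not stopped."""
    pid = os.fork()
    if pid == 0:
        _spin_forever()
        os._exit(0)
    start = time.monotonic()
    throttle_pid(pid, fraction, duration)
    os.kill(pid, signal.SIGKILL)
    _, _, rusage = os.wait4(pid, 0)
    wall = time.monotonic() - start
    return rusage.ru_utime + rusage.ru_stime, wall


if __name__ == "__main__":
    sig = run_with_cpu_limit(1)
    print("RLIMIT_CPU child killed by signal", sig, "(SIGXCPU is", CPU_LIMIT_SIGNAL, ")")
    cpu, wall = measure_throttled_cpu(0.2, 2.0)
    print(f"throttled child: {cpu:.2f}s CPU in {wall:.2f}s wall ({cpu / wall:.0%})")
```

Run it directly to see both behaviours: the RLIMIT_CPU child dies after about one CPU second, while the throttled child accumulates roughly a fifth of its wall-clock time as CPU time. Note that the duty cycle does not make the target do less work; it stretches the same work over more time, which is the objection raised elsewhere in this thread.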



Re: Open source RISC-V 64bit w ECC RAM & PCIe this summer

2018-05-29 Thread Chris Cappuccio
Rupert Gallagher [r...@protonmail.com] wrote:
> Everybody loves the idea of an open-source CPU that can be uploaded to an 
> FPGA processor. Anybody from China who starts selling a mini-itx board and an 
> FPGA fast enough to run risc-v will turn the market on its head in 6--10 
> years, killing both Intel and AMD. ARM is fabless already...

FPGAs capable of doing anything big take lots of power and generate lots of 
heat. They are far from ideal as a platform base, but great for testing if your 
hardware can be described in VHDL or Verilog. The work to go from that to an 
ASIC is immense and will take significant backing, which makes the industry 
support for RISC-V rather interesting. Everyone wants royalty-free hardware in 
their little devices, I can't blame them.



Re: Limit CPU usage of a process?

2018-05-29 Thread BergenBergen BergenBergen
Browser or not, how *does* one cap CPU resources though? I think it's a
very interesting question, and I'm sorta baffled by the fact that the
demand for this kinda thing hasn't been any higher.

All the best,
Murk

On Tue, May 29, 2018 at 8:10 PM, Dumitru Mișu Moldovan 
wrote:

> On 05/27/18 13:07, Maximilian Pichler wrote:
>
>> Is it possible to limit the CPU usage of a given process to, say, 20%?
>>
>> I'd like to slow down the web browser since it is draining my laptop's
>> battery. With enough tabs open it's often consuming ~50% of CPU but
>> not doing anything productive. Apparently with RLIMIT_CPU in
>> setrlimit(2) the total CPU time of a process can be limited. Can a
>> similar limit be set for the percentage?
>>
>
> Honest question…  Have you tried blocking ads with something like uBlock
> Origin?  I use several approaches to make web browsing palatable on old
> hardware, and blocking ads is what makes the biggest difference for me.
> (Using NoScript or equivalents to selectively enable JavaScript for sites
> where I actually need it is a distant second.)
>
> Capping CPU resources is not the way to go on a laptop in my opinion,
> unless you have some demanding job that always runs in the background in
> your browser, and that's a problem by itself in your scenario.  Capping
> will not change the fact that you'll still spend the same resources on
> loading web pages, however it will slow you down and annoy you.
>
>


Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
Hey,
While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attach 
ix-device.
Machine is HP DL360 Gen9.

ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space
ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space

Found this thread
http://openbsd-archive.7691.n7.nabble.com/OpenBSD-6-1-ix-Intel-82598EB-issue-td317072.html
 


and as far as I can see, this diff is in tree, but not helping here :(

Any clues? 

4:0:1: Intel 82599
   0x: Vendor ID: 8086 Product ID: 10fb
   0x0004: Command: 0147 Status: 0010
   0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
   0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
   0x0010: BAR mem 32bit addr: 0x92c0/0x0010
   0x0014: BAR empty ()
   0x0018: BAR io addr: 0x2000/0x0020
   0x001c: BAR mem 32bit addr: 0x92e0/0x4000
   0x0020: BAR empty ()
   0x0024: BAR empty ()
   0x0028: Cardbus CIS: 
   0x002c: Subsystem Vendor ID: 103c Product ID: 17d0
   0x0030: Expansion ROM Base Address: 
   0x0038: 
   0x003c: Interrupt Pin: 01 Line: ff Min Gnt: 00 Max Lat: 00
   0x0040: Capability 0x01: Power Management
   State: D0 PME# enabled
   0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
   0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
   0x00a0: Capability 0x10: PCI Express
   Link Speed: 5.0 / 5.0 GT/s Link Width: x8 / x8
   0x0100: Enhanced Capability 0x01: Advanced Error Reporting
   0x0140: Enhanced Capability 0x03: Device Serial Number
   0x0150: Enhanced Capability 0x0e: Alternate Routing ID
   0x0160: Enhanced Capability 0x10: Single Root I/O Virtualization
   0x00e0: Capability 0x03: Vital Product Data (VPD)

Br





Re: Limit CPU usage of a process?

2018-05-29 Thread Dumitru Mișu Moldovan

On 05/27/18 13:07, Maximilian Pichler wrote:

Is it possible to limit the CPU usage of a given process to, say, 20%?

I'd like to slow down the web browser since it is draining my laptop's
battery. With enough tabs open it's often consuming ~50% of CPU but
not doing anything productive. Apparently with RLIMIT_CPU in
setrlimit(2) the total CPU time of a process can be limited. Can a
similar limit be set for the percentage?


Honest question…  Have you tried blocking ads with something like uBlock 
Origin?  I use several approaches to make web browsing palatable on old 
hardware, and blocking ads is what makes the biggest difference for me. 
(Using NoScript or equivalents to selectively enable JavaScript for 
sites where I actually need it is a distant second.)


Capping CPU resources is not the way to go on a laptop in my opinion, 
unless you have some demanding job that always runs in the background in 
your browser, and that's a problem by itself in your scenario.  Capping 
will not change the fact that you'll still spend the same resources on 
loading web pages, however it will slow you down and annoy you.






I got smtpd.conf working thanks to the man page

2018-05-29 Thread Walter Alejandro Iglesias
Just in case it could be useful to others.

After upgrading to the snapshot requiring the new version of smtpd.conf
it happened that the new rules I'd written (including the last one Gilles
passed me) were all wrong.

I could get it working thanks to the man page.  The result:

# OLD
accept from local for local alias  deliver to mbox
accept from any for domain  virtual  deliver to mbox
accept from local sender  for any relay


# FIRST ATTEMPT (smtpd -n told me the three last lines were wrong)
action local_users mbox alias 
action remote_users relay

match from local for local apply local_users
match from any for domain  virtual  apply local_users
match from local sender  for any apply remote_users
match auth from any sender  for any apply remote_users


# NOW WORKING
action "local" mbox alias 
action "virtual" mbox virtual 
action "relay" relay

match from local for local action "local"
match from any for domain  action "virtual"
match mail-from  for any action "relay"
match auth mail-from  for any action "relay"


My advice to others is not to pay attention to anything but the man
page, checking one by one each option you used in the old configuration,
if it still exists, if it was replaced and finally *where* to pass it,
if to match or to action.  Doing it in that order you'll probably go
faster. :-)

As you see above I had to replace "sender" with "mail-from" and to create
a third action to pass the virtual aliases table, which in the first
attempt I'd wrongly included in the match.
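
For reference, this is what a complete configuration in the new grammar looks like once the table declarations the rules above refer to are included. It is an added example, not the poster's configuration and not the OpenBSD default smtpd.conf; the table names, the pki name mail.example.com, the certificate paths and the listen lines are assumptions. The security-relevant part is the last two match rules: relaying to arbitrary destinations is offered only to local senders listed in the senders table or to authenticated sessions, so the host is not an open relay.

```conf
# Tables hold the lookups that actions and matches refer to.
# Names and paths are assumptions for this example.
table aliases   file:/etc/mail/aliases
table domains   file:/etc/mail/domains
table virtuals  file:/etc/mail/virtuals
table senders   file:/etc/mail/senders

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"

listen on lo0
listen on egress port 25  tls pki mail.example.com
listen on egress port 587 tls-require pki mail.example.com auth

# "action" says what to do with a message, "match" says which messages
# get which action.  Delivery-side tables (alias, virtual) belong to the
# action; sender restrictions (mail-from) belong to the match.
action "local"   mbox alias <aliases>
action "virtual" mbox virtual <virtuals>
action "relay"   relay

# Rules are evaluated in order; the first one that matches wins.
match from local for local                          action "local"
match from any for domain <domains>                 action "virtual"
match from local mail-from <senders> for any        action "relay"
match auth from any mail-from <senders> for any     action "relay"
```

Check the result with `smtpd -n` before restarting, as the poster did; it reports the first line it cannot parse, which is how a table reference placed in the wrong clause shows up.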



IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread Jan
Hi,

I will try your puffy to puffy. Looks so simple that there are obviously no
errors 😊.

Puffy to Android comes next...



Puffy to puffy


# cat /etc/iked.conf

ikev2 "virtualmachine" passive esp from 172.0.16.0/24 to 192.168.10.0/24  \
local egress peer any psk "secret"


# cat /etc/iked.conf

ikev2 "openbsdgw" active esp from 192.168.10.0/24 to 172.0.16.0/24 \
local egress peer 10.20.30.10 psk "secret"





OpenBSD 6.X ( IPHONE AND STRONGSWAN ) 

ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
 local egress peer any  \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32



Iphone = just disable certificates and set psk


Interoperability with StrongSwan


# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!

conn strongswan
left=%any
leftfirewall=yes
leftsourceip=%config
right=REMOTE_PEER_IP
rightid=puffymagic.ikedvpn.com
rightsubnet=192.168.0.0/24,172.8.50.0/24
# networks you want access to on the other side (behind the magic puffer fish)
auto=add


# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"


Hope it helps.
You're welcome!


2018-05-29 9:42 GMT-03:00 Jan :
Hi Christophe,

I think I've got it now. I removed the "config" options from the server config 
and things started working. 
(For what interface should they be applied at all?)
Since then my home LAN (192.168.1.0/24) stopped working for other devices at 
home. When this is working again I will post my setup. 
I think now everything from 192.168.1.0/24 gets routed through the VPN to my 
notebook and others are not allowed anymore. Maybe putting VPN IPs and local 
IPs in different address ranges is a good idea…

Jan




IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread Jan
Hi Stuart,

I am trying to achieve internet over VPN, access to the gateway via VPN and access 
to the home LAN via VPN. 
I somehow thought that these config parameters should also work as a client. 
Without them things are nearly working right now. 


Jan 


On 2018-05-29, Jan Lambertz  wrote:
> Hello everyone,
>
> I'm trying for two days now to set up an IKEv2 roadwarrior VPN.
> the logfiles show, that something is not working correctly during
> connection establishment.
> I changed configs in every way i can think of without success. Why is
> it not working ?
> Here is the setup.
>
> PF is permissive
>
> Home(internet:178.x.x.x, NAT, lan 192.168.1.0/24) --
> internet --
> Smartphone(internet:89.x.x.x, NAT, WLanAP 192.168.43.0/24) --
> Notebook(OpenBSD6.3, 192.168.43.253)
>
> Home config
> ikev2 "VPN HOME" passive esp \
> from 192.168.1.1 to 192.168.43.253 \
> local 178.x.x.x peer any \
> srcid 178.x.x.x \
> psk "key" \
> config address 192.168.1.100/8 \
> config netmask 255.255.255.0 \
> config name-server 192.168.1.1
>
> Notebook config
> ikev2 "VPN HOME" active esp \
> from 192.168.43.253 to 192.168.1.1 peer 178.x.x.x \
> psk "key" \
> tag "VPN" tap enc0

iked as a client won't do the "config address" parts, ...

> sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
> sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
> ikev2_cp_setaddr: pool configured, but IKEV2_CP_REQUEST missing
> ikev2_resp_recv: failed to send auth response
> sa_state: VALID -> CLOSED from 89.x.x.x:15384 to 178.x.x.x:4500 policy
> 'VPN HOME'

... and it looks like the server is complaining about this.

If you explain what you want (notebook access to only the gateway?
notebook access to whole LAN? notebook access to internet over VPN?)
you can probably get some sample configs from someone who has already
done this.





Re: programs crash on Dell Latitude E7470

2018-05-29 Thread Stuart Henderson
On 2018-05-28, Marco van Hulten  wrote:
>> Sounds like ether you're running out of system memory, or running into
>> ulimit limits.
>
> `ulimit` == unlimited

 ulimit [-acdfHlmnpSst [value]] ...

 Display or set process limits.  If no options are used, the file
 size limit (-f) is assumed.

What does ulimit -a say?




Re: IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread R0me0 ***
Puffy to puffy


# cat /etc/iked.conf

ikev2 "virtualmachine" passive esp from 172.0.16.0/24 to 192.168.10.0/24  \
local egress peer any psk "secret"



# cat /etc/iked.conf

ikev2 "openbsdgw" active esp from 192.168.10.0/24 to 172.0.16.0/24 \
local egress peer 10.20.30.10 psk "secret"






OpenBSD 6.X ( IPHONE AND STRONGSWAN )

ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
 local egress peer any  \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32



Iphone = just disable certificates and set psk


Interoperability with StrongSwan


# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!

conn strongswan
left=%any
leftfirewall=yes
leftsourceip=%config
right=REMOTE_PEER_IP
rightid=puffymagic.ikedvpn.com
rightsubnet=192.168.0.0/24,172.8.50.0/24
# networks you want access to on the other side (behind the magic puffer fish)
auto=add



# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"




Hope it helps.

You're welcome!



2018-05-29 9:42 GMT-03:00 Jan :

> Hi Christophe,
>
> I think I've got it now. I removed the "config" options from the server
> config and things started working.
> (For what interface should they be applied at all?)
> Since then my home LAN (192.168.1.0/24) stopped working for other devices
> at home. When this is working again I will post my setup.
> I think now everything from 192.168.1.0/24 gets routed through the VPN to my
> notebook and others are not allowed anymore. Maybe putting VPN IPs and
> local IPs in different address ranges is a good idea…
>
> Jan
>
>


Re: IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread Stuart Henderson
On 2018-05-29, Jan Lambertz  wrote:
> Hello everyone,
>
> I'm trying for two days now to set up an IKEv2 roadwarrior VPN.
> the logfiles show, that something is not working correctly during
> connection establishment.
> I changed configs in every way i can think of without success. Why is
> it not working ?
> Here is the setup.
>
> PF is permissive
>
> Home(internet:178.x.x.x, NAT, lan 192.168.1.0/24) --
> internet --
> Smartphone(internet:89.x.x.x, NAT, WLanAP 192.168.43.0/24) --
> Notebook(OpenBSD6.3, 192.168.43.253)
>
> Home config
> ikev2 "VPN HOME" passive esp \
> from 192.168.1.1 to 192.168.43.253 \
> local 178.x.x.x peer any \
> srcid 178.x.x.x \
> psk "key" \
> config address 192.168.1.100/8 \
> config netmask 255.255.255.0 \
> config name-server 192.168.1.1
>
> Notebook config
> ikev2 "VPN HOME" active esp \
> from 192.168.43.253 to 192.168.1.1 peer 178.x.x.x \
> psk "key" \
> tag "VPN" tap enc0

iked as a client won't do the "config address" parts, ...

> sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
> sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
> ikev2_cp_setaddr: pool configured, but IKEV2_CP_REQUEST missing
> ikev2_resp_recv: failed to send auth response
> sa_state: VALID -> CLOSED from 89.x.x.x:15384 to 178.x.x.x:4500 policy
> 'VPN HOME'

... and it looks like the server is complaining about this.

If you explain what you want (notebook access to only the gateway?
notebook access to whole LAN? notebook access to internet over VPN?)
you can probably get some sample configs from someone who has already
done this.




IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread Jan
Hi Christophe,

I think I've got it now. I removed the "config" options from the server config 
and things started working. 
(For what interface should they be applied at all?)
Since then my home LAN (192.168.1.0/24) stopped working for other devices at 
home. When this is working again I will post my setup. 
I think now everything from 192.168.1.0/24 gets routed through the VPN to my 
notebook and others are not allowed anymore. Maybe putting VPN IPs and local 
IPs in different address ranges is a good idea…

Jan



IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread Jan Lambertz
Hi Christophe,

I made the changes you proposed. Sadly it still does not work. It seems to
me that the message "ikev2_resp_recv: failed to send auth response" is a
hint to the problem. But why did it fail?

Jan


Re: protection fault trap with OpenBSD 6.3

2018-05-29 Thread Martin Pieuchot
On 28/05/18(Mon) 22:24, Marc Peters wrote:
> Hi List,
> 
> i am having issues with OpenBSD 6.3, latest patches as of today applied. We 
> are using gif-tunnels between our datacenters, transport encryption and 
> OpenBGPD to announce the prefixes between the datacenters. The boxes also 
> have isakmpd tunnels on a carp interface to AWS and GCP. The setup is working 
> fine with existing 6.1 boxes and there's no problem in pushing/receiving 
> several 100MBit/s (according to observium snmpd data, which gets constantly 
> collected). Switching the traffic to the 6.3 hosts, we get a freeze on one of 
> the boxes after about 45 minutes of transferring traffic (all IPv4 traffic in 
> our case for now):

This has been fixed in -current.