xl2tpd cannot connect to PPPoE VPN server
Hello,

I set up an xl2tp client using the xl2tpd port on OpenBSD amd64 stable.
Most of the time I connect to a Mikrotik PPPoE VPN server and the connection
runs without problems, but sometimes I cannot make a connection.
When this happens I see the following in /var/log/daemon:

tail -f /var/log/daemon | grep xl2tpd
Jul 25 13:27:07 nb1 xl2tpd[96632]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 25 13:27:07 nb1 xl2tpd[96632]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 25 13:27:07 nb1 xl2tpd[96632]: Inherited by Jeff McAdams, (C) 2002
Jul 25 13:27:07 nb1 xl2tpd[96632]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jul 25 13:27:07 nb1 xl2tpd[96632]: Listening on IP address 0.0.0.0, port 1701
Jul 25 13:27:07 nb1 xl2tpd[96632]: Connecting to host IPADDRESS, port 1701
Jul 25 13:27:38 nb1 xl2tpd[96632]: Maximum retries exceeded for tunnel 39276. Closing.
Jul 25 13:27:38 nb1 xl2tpd[96632]: Connection 0 closed to 91.234.97.130, port 1701 (Timeout)

When I check port 1701 on the VPN host with netcat, it is open.
When I ask a VPN admin on their side to check my connection attempts, they do not see anything.
When I make a connection using a Windows or Ubuntu machine at the same time, it connects without problems.

What can be the problem?

-- 
Best regards,
Maksim Rodin
Re: can't find libpcap
> Hi,
>
> shadrock uhuru wrote on Sat, Aug 17, 2019 at 01:01:08PM +0100:
>
>> is there a package for pcap or libpcap
>> or do i have to download the source and compile
>
> to answer such questions, use pkg_locate(1).
>
> # pkg_add pkglocatedb
> $ man pkg_locate
> $ pkg_locate libpcap.so
>
> This may also provide a clue:
>
> $ ldd $(which tcpdump)
>
> Yours,
>   Ingo

thanks Ingo
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Does your ISP implement authoritative DNS?
Do you suspect a UDP issue?
Is a managed (switch) involved?
Has duplex ever been an issue?

Regards
Patrick

> On Aug 18, 2019, at 1:03 PM, Radek wrote:
>
> Hello,
>
> I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs
> (OpenIKED).
> Both gws are fully syspatched, have public IPs and the same iked/pf
> configuration.
>
> Unfortunately, the network traffic over the VPN tunnel stalls a few times a
> day.
>
> On one side I use a script to monitor the VPN tunnel with ping; it restarts
> iked and emails me if there is no ping over the VPN tunnel.
> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
>
> In 6.3/i386 I have the same problem, but more frequently.
> Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
>
> Do I have any bugs/deficiencies in my configs, missed something?
> Is there any way to make it work uninterruptedly?
> I would be very grateful if you could help me with this case.
>
> $cat /etc/hostname.enc0
> up
>
> $cat /etc/hostname.vr3
> inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> group trust
>
> $cat /etc/iked.conf
> local_gw_RAC17 = "10.0.17.254" # lan_RAC
> local_lan_RAC17 = "10.0.17.0/24"
> remote_gw_MON = "1.2.3.5" # fw_MON
> remote_lan_MON = "172.16.1.0/24"
>
> ikev2 quick active esp \
>     from $local_gw_RAC17 to $remote_gw_MON \
>     from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
>     childsa enc chacha20-poly1305 \
>     psk "psk"
>
> $cat /etc/pf.conf
> # RAC-fwTEST
> ext_if = "vr0"
> lan_rac_if = "vr3" # vr3 -
> lan_rac_local = $lan_rac_if:network # 10.0.17.0/24
> backup_if = "vr2" # vr2 - left port
> backup_local= $backup_if:network # 10.0.117/24
>
> bud = "1.2.3.0/25"
> rdk_wy = "1.2.3.4"
> rdk_mon = "1.2.3.5"
> panac_krz = "1.2.3.6"
> panac_rac = "1.2.3.7"
>
> set fingerprints "/dev/null"
> set skip on { lo, enc0 }
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
>
> antispoof quick for {lo0, $lan_rac_if, $backup_if }
>
> match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
>
> block all
>
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> pass out on egress keep state
>
> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state
>
> ssh_port= "1071"
> table const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> table persist counters
> block from
> pass in log quick inet proto tcp from to $ext_if port $ssh_port flags S/SA \
>     set prio (7, 7) keep state \
>     (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types \
>     set prio (7, 7) keep state
>
> table const { $rdk_mon, $panac_rac, $panac_krz }
> pass out quick on egress proto esp from (egress:0) to set prio (6, 7) keep state
> pass out quick on egress proto udp from (egress:0) to port {500, 4500} set prio (6, 7) keep state
> pass in quick on egress proto esp from to (egress:0) set prio (6, 7) keep state
> pass in quick on egress proto udp from to (egress:0) port {500, 4500} set prio (6, 7) keep state
> pass out quick on trust received-on enc0 set prio (6, 7) keep state
>
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
> pass in on egress proto {ah,esp} set prio (6,7) keep state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> $cat iked_monitor.sh
> #!/bin/sh
> while true
> do
>     vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`
>
>     if [ "${vpn}" -eq 0 ] ; then
>         mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
>         wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
>
>         if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
>             echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
>             rcctl restart iked
>         fi
>     fi
>     sleep 32
> done
>
>
> --
> Radek
>
[OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Hello,

I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs
(OpenIKED).
Both gws are fully syspatched, have public IPs and the same iked/pf
configuration.

Unfortunately, the network traffic over the VPN tunnel stalls a few times a
day.

On one side I use a script to monitor the VPN tunnel with ping; it restarts
iked and emails me if there is no ping over the VPN tunnel.
Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)

In 6.3/i386 I have the same problem, but more frequently.
Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)

Do I have any bugs/deficiencies in my configs, missed something?
Is there any way to make it work uninterruptedly?
I would be very grateful if you could help me with this case.

$cat /etc/hostname.enc0
up

$cat /etc/hostname.vr3
inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
group trust

$cat /etc/iked.conf
local_gw_RAC17 = "10.0.17.254" # lan_RAC
local_lan_RAC17 = "10.0.17.0/24"
remote_gw_MON = "1.2.3.5" # fw_MON
remote_lan_MON = "172.16.1.0/24"

ikev2 quick active esp \
    from $local_gw_RAC17 to $remote_gw_MON \
    from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
    childsa enc chacha20-poly1305 \
    psk "psk"

$cat /etc/pf.conf
# RAC-fwTEST
ext_if = "vr0"
lan_rac_if = "vr3" # vr3 -
lan_rac_local = $lan_rac_if:network # 10.0.17.0/24
backup_if = "vr2" # vr2 - left port
backup_local= $backup_if:network # 10.0.117/24

bud = "1.2.3.0/25"
rdk_wy = "1.2.3.4"
rdk_mon = "1.2.3.5"
panac_krz = "1.2.3.6"
panac_rac = "1.2.3.7"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic

antispoof quick for {lo0, $lan_rac_if, $backup_if }

match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

block all

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass out on egress keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state

ssh_port= "1071"
table const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table persist counters
block from
pass in log quick inet proto tcp from to $ext_if port $ssh_port flags S/SA \
    set prio (7, 7) keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
    set prio (7, 7) keep state

table const { $rdk_mon, $panac_rac, $panac_krz }
pass out quick on egress proto esp from (egress:0) to set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} set prio (6, 7) keep state
pass in quick on egress proto esp from to (egress:0) set prio (6, 7) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} set prio (6, 7) keep state
pass out quick on trust received-on enc0 set prio (6, 7) keep state

pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

$cat iked_monitor.sh
#!/bin/sh
while true
do
    # "packets received" count from the ping summary line; default to 0 when
    # ping prints no summary at all, so the numeric tests below do not fail
    vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`

    if [ "${vpn:-0}" -eq 0 ] ; then
        mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
        wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`

        if [ "${mon:-0}" -gt 0 ] && [ "${wan:-0}" -gt 0 ] ; then
            echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
            rcctl restart iked
        fi
    fi
    sleep 32
done

--
Radek
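The watchdog above restarts iked whenever three pings through the tunnel get no reply while the peer's public address and the Internet still answer. Two things that script does not handle are worth seeing in code: ping printing no summary line at all (interface down, address lookup failure), which leaves the variable empty and makes `[ "" -eq 0 ]` fail, and a tunnel that stays down across restarts, where restarting iked every 32 seconds only hides the problem. The following is an added example, not Radek's script or anything from OpenIKED: the same decision logic split into testable functions, with a restart cap. The addresses, the interface, the peer IP 1.2.3.5 and the mail recipient are placeholders taken from or assumed beyond the thread.

```shell
#!/bin/sh
# Added example, not the original poster's script. Hosts, source address,
# mail recipient and the restart cap are assumptions for illustration.

# Print the "received" count from a complete ping output, or 0 when there
# is no usable summary line. Handles the OpenBSD form
# "3 packets transmitted, 1 packets received, ..." and the Linux form
# "3 packets transmitted, 1 received, ...".
received_count() {
    n=$(printf '%s\n' "$1" | awk '
        /packets transmitted/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^received/) {
                    v = ($(i-1) == "packets") ? $(i-2) : $(i-1)
                    print v
                    exit
                }
        }')
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;   # empty or non-numeric: treat as no replies
        *) echo "$n" ;;
    esac
}

# Decide what to do from the three probe counts:
#   vpn: replies through the tunnel, mon: replies from the peer's public IP,
#   wan: replies from the Internet. Prints ok, restart, peer-down or wan-down.
decide() {
    vpn=$1; mon=$2; wan=$3
    if [ "$vpn" -gt 0 ]; then
        echo ok
    elif [ "$wan" -eq 0 ]; then
        echo wan-down    # our own uplink is gone; restarting iked cannot help
    elif [ "$mon" -eq 0 ]; then
        echo peer-down   # peer unreachable on its public IP; not an IKE problem
    else
        echo restart     # both paths up, nothing through the tunnel
    fi
}

# Return success while fewer than $2 consecutive restarts have been done.
restart_allowed() {
    [ "$1" -lt "$2" ]
}

# Run ping and reduce it to a reply count. $1: target, $2: optional source address.
probe() {
    if [ -n "$2" ]; then
        received_count "$(ping -c 3 -w 1 -I "$2" "$1" 2>/dev/null)"
    else
        received_count "$(ping -c 3 -w 1 "$1" 2>/dev/null)"
    fi
}

# Main loop, only when started as "iked_monitor.sh run" so the functions
# above can also be sourced and exercised on their own.
if [ "$1" = "run" ]; then
    failures=0
    while true; do
        vpn=$(probe 172.16.1.254 10.0.17.254)   # remote LAN gw via the tunnel
        mon=$(probe 1.2.3.5)                     # peer public IP (placeholder)
        wan=$(probe 8.8.8.8)
        action=$(decide "$vpn" "$mon" "$wan")
        case "$action" in
            ok) failures=0 ;;
            restart)
                if restart_allowed "$failures" 3; then
                    echo "vpn: $vpn, mon: $mon, wan: $wan" | \
                        mail -s "no ping through VPN, restarting iked" admin@example.com
                    rcctl restart iked
                    failures=$((failures + 1))
                else
                    logger -t vpnmon "tunnel still down after $failures restarts; not restarting again"
                fi ;;
            *) logger -t vpnmon "tunnel down but $action; not restarting iked" ;;
        esac
        sleep 32
    done
fi
```

The restart cap is the part worth keeping even if the rest is simplified: once the tunnel has not come back after a few restarts, the next useful step is to look at `ipsecctl -sa` and the iked log on both sides rather than to keep bouncing the daemon, which also discards whatever SA state would have explained the stall.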
Re: IPv6 problems
Hi,

so I removed everything from /etc/mygate and rebooted the machine. I still cannot ping anybody.
The output of slaacctl show interface vio0 is the following:

# slaacctl show interface vio0
slaacctl: connect: /dev/slaacd.sock: Connection refused

This is not how it is supposed to be, I guess.
My provider doesn't have any BSD related examples.

Thanks for your time freda bundchen!

Regards,
Stephan

On 8/18/19 3:10 PM, freda_bundc...@nym.hush.com wrote:
>> From: list
>> my /etc/hostname looks exactly like you proposed:
>> inet6 autoconf autoconfprivacy soii
>> inet6
>> when i enter the default IPv6 gateway manually. I can ping stuff
>> but don't get a reply. When I don't: "No route to host"
>> (With route to fe80::1%vio added and the normal hostname.vio0)
> I would suggest not specifying any routes or link-local addresses, and
> instead in /etc/hostname.vio0 make sure the IPv6 address in
> is the public IPv6 address given by your provider (I know there's a
> /64, but I'm just going by the example of my own provider.)
>
> Then make sure /etc/mygate doesn't have any IPv6 addresses. Then
> perhaps reboot everything to make sure you've cleared out references
> to fe80::1, if /bin/sh /etc/netstart doesn't get everything working.
>
> My provider's configuration examples said to use -autoconfprivacy and
> -soii so you might try that also. But mine works with autoconfprivacy
> and soii.
>
> What is the output of slaacctl show interface vio0?
>
Re: IPv6 problems
> From: list
> my /etc/hostname looks exactly like you proposed:
> inet6 autoconf autoconfprivacy soii
> inet6
> when i enter the default IPv6 gateway manually. I can ping stuff
> but don't get a reply. When I don't: "No route to host"
> (With route to fe80::1%vio added and the normal hostname.vio0)

I would suggest not specifying any routes or link-local addresses, and
instead in /etc/hostname.vio0 make sure the IPv6 address in
is the public IPv6 address given by your provider (I know there's a
/64, but I'm just going by the example of my own provider.)

Then make sure /etc/mygate doesn't have any IPv6 addresses. Then
perhaps reboot everything to make sure you've cleared out references
to fe80::1, if /bin/sh /etc/netstart doesn't get everything working.

My provider's configuration examples said to use -autoconfprivacy and
-soii so you might try that also. But mine works with autoconfprivacy
and soii.

What is the output of slaacctl show interface vio0?
Re: dkim on openbsd mailing lists.
On Sun, 18 Aug 2019, Todd C. Miller wrote:

> The mailing list server may modify the subject and from headers
> (depending on user configuration) and often does modify the message
> body.
>
> That is why DKIM headers are removed.

I did not know that the list may modify those headers. In fact I never noticed it ...
I guess some reading of majordomo's help won't hurt.

Thanks for your answer Todd.

-- 
Paco Esteban.
https://onna.be/gpgkey.asc
9A6B 6083 AD9E FDC2 0EAF 5CB3 5818 130B 8A6D BC03
Re: dkim on openbsd mailing lists.
The mailing list server may modify the subject and from headers
(depending on user configuration) and often does modify the message
body.

That is why DKIM headers are removed.

 - todd
Re: How do I publish default router preferences using rad?
I'm curious, how are you using the router preference, could you tell us a bit more about your network topology? Also, what clients pay attention to it and how are they using it? Same goes for the route option, are you aware of clients using it? Thanks, Florian On Sat, Aug 17, 2019 at 08:09:54PM -0700, Caleb Callaway wrote: > If it interests anyone, I've also implemented the route option > described in https://tools.ietf.org/html/rfc4191#section-2.3 > > I find sharing patches via this mailing list particularly unwieldy, > so I've pushed my work to a git branch at > https://github.com/cqcallaw/src/tree/rfc-4191 > > On Wed, Aug 7, 2019 at 11:27 PM Caleb wrote: > > > > Thank you for the code and review! I've synthesized the existing patch > > and review into something that successfully advertises router > > preferences in local testing (verified w/ rdisc6). This patch does not > > implement the route information option specified in RFC 4191 section > > 2.3. > > > > diff --git a/usr.sbin/rad/frontend.c b/usr.sbin/rad/frontend.c > > index 8178b058629..4031da6b99d 100644 > > --- a/usr.sbin/rad/frontend.c > > +++ b/usr.sbin/rad/frontend.c > > @@ -411,7 +411,7 @@ frontend_dispatch_main(int fd, short event, void *bula) > > ra_prefix_conf)) > >fatalx("%s: IMSG_RECONF_RA_PREFIX wrong " > > "length: %lu", __func__, > > -IMSG_DATA_SIZE(imsg)); > > +IMSG_DATA_SIZE(imsg)); > >if ((ra_prefix_conf = malloc(sizeof(struct > > ra_prefix_conf))) == NULL) > >fatal(NULL); 
> > @@ -1023,6 +1023,18 @@ build_packet(struct ra_iface *ra_iface) > >ra->nd_ra_router_lifetime = > > htons(ra_options_conf->router_lifetime); > >} > > + > > + /* add router preference flags */ > > + if (ra_options_conf->preference == ND_RA_FLAG_RTPREF_RSV) { > > + fatalx("Invalid router preference found during RA packet > > construction."); > > + } > > + > > + if (ra_options_conf->router_lifetime == 0) { > > + log_debug("Router lifetime set to zero; ignoring router > > preference per https://tools.ietf.org/html/rfc4191#section-2.2";); > > + } else { > > + ra->nd_ra_flags_reserved |= ra_options_conf->preference; > > + } > > + > >ra->nd_ra_reachable = htonl(ra_options_conf->reachable_time); > >ra->nd_ra_retransmit = htonl(ra_options_conf->retrans_timer); > >p += sizeof(*ra); > > diff --git a/usr.sbin/rad/parse.y b/usr.sbin/rad/parse.y > > index 004e5e22f92..74480148246 100644 > > --- a/usr.sbin/rad/parse.y > > +++ b/usr.sbin/rad/parse.y > > @@ -32,6 +32,7 @@ > > #include > > #include > > +#include > > #include > > #include > > @@ -117,10 +118,12 @@ typedef struct { > > %token CONFIGURATION OTHER LIFETIME REACHABLE TIME RETRANS TIMER > > %token AUTO PREFIX VALID PREFERRED LIFETIME ONLINK AUTONOMOUS > > %token ADDRESS_CONFIGURATION DNS NAMESERVER SEARCH MTU > > +%token PREFERENCE LOW MEDIUM HIGH > > %token STRING > > %token NUMBER > > %typeyesno > > +%typepreference > > %typestring > > %% > > @@ -166,6 +169,11 @@ yesno : YES { $$ = 1; } > >| NO{ $$ = 0; } > >; > > +preference : LOW { $$ = ND_RA_FLAG_RTPREF_LOW; } > > + | MEDIUM { $$ = ND_RA_FLAG_RTPREF_MEDIUM; } > > + | HIGH { $$ = ND_RA_FLAG_RTPREF_HIGH; } > > + ; > > + > > varset : STRING '=' string { > >char *s = $1; > >if (cmd_opts & OPT_VERBOSE) > > @@ -213,6 +221,9 @@ ra_opt_block: DEFAULT ROUTER yesno { > >| MTU NUMBER { > >ra_options->mtu = $2; > >} > > + | PREFERENCE preference { > > + ra_options->preference = $2; > > + } > >| DNS dns_block > >; 
> > @@ -426,16 +437,20 @@ lookup(char *s) > >{"default", DEFAULT}, > >{"dns", DNS}, > >{"hop", HOP}, > > + {"high",HIGH}, > >{"include", INCLUDE}, > >{"interface", RA_IFACE}, > >{"lifetime",LIFETIME}, > >{"limit", LIMIT}, > > + {"low", LOW}, > >{"managed", MANAGED}, > > + {"medium", MEDIUM}, > >{"mtu", MTU}, > >{"nameserver", NAMESERVER}, > >{"no", NO}, > >{"on-link", ONLINK}, > >{"other", OTHER}, > > + {"preference", PREFERENCE}, > >{"preferred", PREFERRED}, > >{"prefix", PREFIX}, > >{"reachable", REACHABLE}, > > diff --git a/usr.sbin/rad/printconf.c b/usr.sbin/rad/printconf.c > > index d42890da518..c2173d2142f 100644 > > --- a/usr.sbin/rad/printconf.c > > +++ b/usr.sbin/rad/printconf.c > > @@ -26,6 +26,7 @@ > > #include > > #include > > +#include > > #include > > #include > > @@ -34,6 +35,7 @@ > > #include "rad.h" > > const char*yesno(int); > > +const char*preference(int); > > void print_ra_options(const char*, const struct ra_
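Review bot: the frontend.c hunk at @@ -411,7 +411,7 @@ changes only the indentation of `IMSG_DATA_SIZE(imsg));` (the removed and added lines are otherwise identical). It is unrelated to router preference and should be dropped so the diff stays minimal.

Review bot: in the build_packet() hunk, `fatalx("Invalid router preference found during RA packet construction.")` aborts the running daemon on a value the grammar can never produce (parse.y only assigns ND_RA_FLAG_RTPREF_LOW, _MEDIUM or _HIGH), so this is an internal-consistency check, not input validation; either move the check to where the value is set or keep it and say so in a comment. The router_lifetime == 0 branch is correct per RFC 4191 section 2.2 (Prf must be medium when the lifetime is zero, and ND_RA_FLAG_RTPREF_MEDIUM is 0, so leaving the bits clear does that), but a one-line comment would serve better than a log_debug carrying a URL, and style(9) wants no braces around single-statement if bodies.

Review bot: in the parse.y lookup() hunk, `{"high", HIGH}` is inserted after `{"hop", HOP}`, but the keyword table is searched with bsearch() and must stay sorted; "high" sorts before "hop", so move the new entry up one line, otherwise `high` (and possibly `hop`) will fail to parse. The `low`, `medium` and `preference` entries are in the right positions.

Review bot: the ra_opt_block hunk adds the `preference` keyword without a matching rad.conf(5) update; document the three values, the default (medium) and that the setting is ignored when the router lifetime is 0. Nothing in the visible hunks initialises ra_options->preference explicitly, so if the default relies on the zero-initialised struct equalling ND_RA_FLAG_RTPREF_MEDIUM, add a comment where the defaults are set.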
Re: IPv6 problems
Hi,

my /etc/hostname looks exactly like you proposed:
inet6 autoconf autoconfprivacy soii
inet6

when I enter the default IPv6 gateway manually, I can ping stuff
but don't get a reply. When I don't: "No route to host"

PF is not the problem. Same results when loading pf rules that look like this:
"pass log all"

The ISO was uploaded by me.

There is one thing that has me wondering. When looking at the output of tcpdump.
In your example you told me that the host on the right side of a neighbor sol is
always the router/gateway. But when I look at the output of that I see two
different addresses who are NOT fe80::1. These IPs both follow this schema
"fe80:something".

When I take a closer look and run tcpdump while pinging I see the following
output: (With route to fe80::1%vio added and the normal hostname.vio0)

11:40:36.446539 fe80:: > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1

This line is being repeated over and over again. I left out all the other traffic
that is not related to my /64.

Hm... Any ideas? I've got a feeling that something's wrong with that fe80::1
address...

Stephan

On 8/18/19 1:33 AM, freda_bundc...@nym.hush.com wrote:
>> From: list
>> I've restarted my VM over the official
>> Webinterface but still...
>> When trying to ping the gateway on fe80::1 I don't get any icmp
>> echoreplies.
>> What is the behavior of pf when disabled ? Is there some kind of
>> default blocking rule that is still active ?
> Have you tried /etc/hostname.vio0 with
> inet6 autoconf autoconfprivacy soii
> inet6
>
> instead of specifying a LL route?
>
> Just in case, you could try /etc/pf.conf with only
>
> pass log all
>
> instead of disabling pf.
>
> Is the installation of OpenBSD provided by your VPS, or do they let
> you use a custom ISO? Maybe a trial installation using a different
> VPS but a similar configuration would indicate it's a problem with
> the VPS.
>