Re: after upgrade to 6.9, iked does not pass traffic

2021-05-27 Thread Jason Tubnor
I have a vpn from a Windows machine to a network behind an OpenBSD router. It was working fine until I upgraded the router to 6.9 (amd64). The VPN is still coming up fine, but the traffic is blocked somehow. Using tcpdump on the interface protected by the router (vlan0 in my case), I see the

Re: Redistribution between ospfd and ripd

2020-11-29 Thread Jason Tubnor
On Sat, 28 Nov 2020 at 11:14, Sebastian Benoit wrote: > Hi, > > > > route add -label FOOBAR 172.16.1.0/24 172.16.2.5 > route show -label FOOBAR > > I am only aware of these mechanisms to set labels on routes added by > routing daemons: > > bgpd (rtlabel keyword in filter "set") >

Redistribution between ospfd and ripd

2020-11-24 Thread Jason Tubnor
Hi, We are planning for migration from ripd to ospf, however both protocols will need to work together as the migration rolls through. I was looking at the 'redistribute rtlabel' option, even after digging into the code, it is unclear how this would work to bring other dynamic routes on the same

iked(8) bad-ip-version 7 (encap) error after 6.4 upgrade

2018-10-18 Thread Jason Tubnor
I am preparing a bug report but just wanted to flag an issue that I discovered after a 6.3 to 6.4 uplift of an iked(8) endpoint. We overlay vxlan(4) on top of iked(8) to provide seamless connectivity to site offices. I have uplifted our test endpoint to 6.4 and discovered that traffic had

Re: SNMP reporting on VXLAN interfaces

2018-08-16 Thread Jason Tubnor
On Fri, 17 Aug 2018 at 11:48, David Gwynne wrote: > On Thu, Aug 16, 2018 at 10:51:25AM +1000, Jason Tubnor wrote: > > > > > Am I missing something here or could it be a potential bug in the VXLAN > > code in how it reports into snmpd? > > The vxlan driver counts so

SNMP reporting on VXLAN interfaces

2018-08-15 Thread Jason Tubnor
Hi, Not sure if anyone else here is using SNMP for obtaining VXLAN(4) adapter throughput but after some testing (clamping with PF queues), I have discovered that throughput on VXLAN interfaces via SNMP are reporting exactly double the data throughput than what is measured either through iperf or

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Jason Tubnor
On 8 April 2017 at 07:41, Mihai Popescu wrote: > I don;t want to offend you folks, but I'm curious and I will ask: is > this BSDCon so useful? Does it pay the efforts? > > If someone has time and knowledge to do a PF tutorial he/she can do it > and post. Do you need the Con? >

Re: OpenBSD 6.1-snapshot boot issues in bhyve

2017-04-05 Thread Jason Tubnor
On 5 April 2017 at 13:07, Theo de Raadt wrote: > > > cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz > > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3, >

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Jason Tubnor
Without hijacking this thread completely, but touching on some of the elements discussed above (and I think these are great inclusions for the tutorial). We have implemented a variety of queues to manage our internet links and ikev2 VPNs tunnels to remote offices. We have also done something

OpenBSD 6.1-snapshot boot issues in bhyve

2017-04-04 Thread Jason Tubnor
Hi, Just wondering if anyone else is seeing the same issue I am booting a 6.1-snapshot in bhyve? In preparation for the 6.1 pending release, I have tried to spin up 6.1-snap to iron out any issues in bhyve but I don't get very far into the installation process: Copyright (c) 1982, 1986,

Typo error in OpenBSD 6.0 Errata 6 patch file

2016-09-17 Thread Jason Tubnor
Hi, Just picked up a typo in in the http://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/006_iked.patch.sig errata file. While there is a patch below, it will need to be re-issued with an updated signify signature. Cheers! --- 006_iked.patch.sig.orig Sun Sep 18 12:05:38 2016 +++

Re: Anyone experienced with 4G/LTE modems?

2015-11-03 Thread Jason Tubnor
On 4 November 2015 at 07:31, Alan Corey wrote: > Anybody have good experiences with any of the currently available > 4G/LTE modems that start around $30 on eBay, mostly by Huawei? I > won't have a real internet connection for at least a year. Right now > You might want to

Re: queueing example on pf.conf man page

2015-11-03 Thread Jason Tubnor
On 4 November 2015 at 13:09, Glenn Faustino wrote: > I notice that under queueing section of the pf.conf man page the total > child queues bandwidth exceed what's defined in the parent. rootq was > defined with 100M bandwidth and the child queues defined http 60M, mail

Re: ipsec via iked

2015-11-02 Thread Jason Tubnor
On 3 November 2015 at 03:14, Sébastien Morand wrote: > Hi, > > I set up an ipsec VPN via iked. > > > > The point is that the server has to know my home network (192.168.100.0/24 > ). > How to make it works wherever my laptop is? > > I tried with config address options but

Re: iked & nat-t problem (no keep alive)

2015-11-02 Thread Jason Tubnor
On 19 October 2015 at 21:49, igyht wrote: > I am testing iked on OpenBSD phobos 5.7 GENERIC#738 i386, I think there is > keep-alive problem when use with NAT-T, > detailed configurations are: > > > > http://daemonforums.org/showthread.php?t=9446 > > > > I think, iked &

PF Queuing of NAT-T IKEv2 ESP Traffic

2015-11-02 Thread Jason Tubnor
Hi All, Can anyone verify (based on my diagram below) if they have had success with queuing IKEv2 return traffic from the "Server". I have been able to use IKEv2 based tagging and doing it (as described in iked.conf(5)) when NAT-T isn't used and when traffic is 'pass out' from the IKEv2

Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 5 October 2015 at 22:00, Jason Tubnor <ja...@tubnor.net> wrote: > > Solved! > > > I have attached a man 5 iked.conf patch that clears up an example used in > the man page. > The gz diff was stripped by demime, here is the flat text patch file. Cheers, Ja

Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor <ja...@tubnor.net> wrote: > Hi, > > Based on man 5 iked.conf the following should setup technically 4 flows > (reversing and setting active on the corresponding peer): > > > Solved! Main gateway: # cat /etc/iked.conf ike

Re: IKED and encapsulated peers

2015-10-04 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor <ja...@tubnor.net> wrote: > Hi, > > > Here is the ipsecctl flows: > > > Sorry, I copied in the flows from the wrong server (testing all different ways trying to get things to work). Here is the ipsecctl to match the iked.conf li

IKED and encapsulated peers

2015-10-02 Thread Jason Tubnor
Hi, Based on man 5 iked.conf the following should setup technically 4 flows (reversing and setting active on the corresponding peer): /etc/iked.conf ikev2 esp from 192.168.232.128 to 192.168.232.129 psk "HelloWorld" ikev2 esp from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk

Re: spamd pf rules

2015-06-11 Thread Jason Tubnor
As Okan stated, your 5.6 man page is still correct for 5.7. It is only of issue when you move to 5.8-Release in November. http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf - -current and 5.8, use/will use divert-to (Can't give you a link to the online pf.conf

Re: vnconfig crypto alternative

2014-11-25 Thread Jason Tubnor
On 25 November 2014 at 18:58, David Vasek va...@fido.cz wrote: did not look neither efficient, nor healthy. Try dd if=/dev/zero of=/dev/rsd1c bs=1m while watching systat/iostat at the same time. Is it still the case? So here are the findings. The test is virtualised but below is the

vnconfig crypto alternative

2014-11-24 Thread Jason Tubnor
With crypto being deprecated (and possibly removed in future versions - depending on dev direction) from vnconfig, would the following be assumed one way of providing an encrypted container? To create 200MB encrypted container: sudo dd if=/dev/zero of=/var/encrypt/container.encrypt bs=1m

rc.conf issue on upgrade from 5.5 to 5.6

2014-10-09 Thread Jason Tubnor
Hi, I was just testing upgrades prior to the 5.6 release and noticed items in the rc.conf.local were being ignored. A bit of digging, I noticed, rc.subr had some changes and more importantly there were quite a few changes to rc.conf. Cutting to the chase, replacing rc.conf from the upgraded 5.5

Re: ifconfig command for IPv6 tunnel

2014-08-20 Thread Jason Tubnor
Forgot to reply-all yesterday (only sent to Charles) to keep the thread in-sync with the rest of the conversation (don't nuke me for stating the obvious + added the rtadvd/route6d) On 20 August 2014 13:40, Charles Musser cmus...@sonic.net wrote: ifconfig gif0 tunnel 50.1.94.112 72.52.104.74

Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-08-17 Thread Jason Tubnor
On 2 June 2014 10:23, Ted Unangst t...@tedunangst.com wrote: Part of the deprecation / migration process is identifying the weird ways people use vnd and finding solutions for them. But as we've seen, people never move forward without the occasional push. So the most appropriate way to use

Re: Has any one had any problem with install50.iso?

2011-11-03 Thread Jason Tubnor
Hi Johan, Have you checked the SHA256 sig with the iso? They can be found here: http://ftp.openbsd.org/pub/OpenBSD/5.0/arch/SHA256 If you don't have an OpenBSD installation already running to use the sha256 command, you can pick up tools over on sourceforge http://md5deep.sourceforge.net/ that