this has been fixed in openbsd 4.5
On Sun, Apr 12, 2009 at 05:48:54PM +0200, Florian Obser wrote:
Hi,
I'm trying to secure my wlan access point with ipsec.
Apparently I cannot match ipv6 esp traffic. This is on 4.4
I build a simplified setup with qemu, ipsec-gw and ipsec-client:
1.15 should just work fine in stable.
-m
On Tue, Jan 20, 2009 at 12:19:34PM +0100, Christoph Leser wrote:
As described in
http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/22/3364064
there is a problem with the driver for the AMD Geode LX series processor
security block for openBSD 4.4 (
On Fri, Sep 19, 2008 at 12:33:36AM +0200, Lukas Ratajski wrote:
IPsec tunnel between two computers - a Soekris net5501 running
[...]
key_encrypt: bits 256:
The crypto driver for the net5501 does not support 256bit AES.
you have to switch to 128bit AES keys or backport revision 1.15
On Wed, Sep 10, 2008 at 10:11:05PM +0200, Toni Mueller wrote:
I've just discovered that this is unsupported.
How difficult would it be to add support for this?
why not just tag the packet on enc0 and altq on the 'real' interface?
AFAIK it's not supported in IKE, so it's not supported in ipsec.conf
On Thu, Sep 04, 2008 at 10:37:25AM +0200, Michael wrote:
Hi,
I am trying to setup IPsec and also exclude some parts from getting
processed by IPsec.
In IPSEC.CONF(5) the description says
[...]
from src [port sport]
On Fri, Sep 28, 2007 at 07:02:28AM +0200, Otto Moerbeek wrote:
On Thu, 27 Sep 2007, Brian A. Seklecki wrote:
Ok, it's running now. The cause was not the move from 4.0 - 4.1, but
the move from a diskful to a diskless setup: The machine mounts its root
fs via nfs.
WHAT?!?!?! What
yes, that should be possible. if it does not work, then it's a bug.
On Mon, Sep 24, 2007 at 03:08:29PM +0200, Markus Wernig wrote:
Hi all
Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
rules (OBSD 4.1)?
The idea is:
ipsec.conf:
ike esp from A to B tag mytag
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote:
I made a few changes and did some more testing this evening.
1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow
default transforms that Hans-Joerg recommended.
# cat /etc/ipsec.conf
ike dynamic esp tunnel from any
it was broken and you need to apply the patch from revision 1.161
On Tue, Aug 07, 2007 at 07:25:52PM -0700, Justin Lindberg wrote:
I have not been able to get an Ethernet bridge over IPsec to work
in OpenBSD 4.1. I have two machines running as NAT gateways with a
gif tunnel between them
On Fri, Apr 13, 2007 at 12:03:18PM +0200, Renaud Allard wrote:
It's just quite annoying that the man page for brconfig says that the
bridge over gif should work and it does not.
well, it did work before and should work in 4.1
On Thu, Nov 23, 2006 at 02:47:14PM +0100, Camiel Dobbelaar wrote:
I think this tells me that I can see unencrypted/unencapsulated traffic on
enc0.
yes.
However, with tcpdump I see this:
14:09:27.894326 (authentic,confidential): SPI 0x728aafc9: 86.90.xx.xx
62.58.xx.xx: 192.168.2.3.1264
1. IPcomp is only used if it results in smaller packets
2. IPcomp on OpenBSD is broken and does not work correctly (some packets
are not compressed correctly).
-m
On Fri, Jun 23, 2006 at 01:22:39PM -0400, Jason Dixon wrote:
Does anyone know if enc(4) was ever updated to support altq?
enc(4) does only work for pcap (tcpdump) and filtering (pf)
it's not a real interface and does not support altq.
yes, the card needs to support all algorithms,
crypto_newsession() does this:
/*
* The algorithm we use here is pretty stupid; just use the
* first driver that supports all the algorithms we need. Do
* a double-pass over all the drivers, ignoring software ones
On Tue, May 30, 2006 at 04:52:35PM +0200, Dries Schellekens wrote:
Peter Blair wrote:
That project (if/once completed) would be very useful. I just cringe
at the thought of running a guestOS of openbsd under linux or Solaris
;)
A minor detail: OpenBSD will run on the Xen virtual machine
On Wed, Feb 15, 2006 at 06:11:41PM -0500, Matthew Closson wrote:
Hello,
If you enable RFC3706 - Dead Peer Detection in isakmpd.conf, what is the
result of a peer-failing the DPD check. Will it Start over with Phase1
negotiations again for that ISAKMP peer, or will it simply remove the SA
On Tue, Dec 06, 2005 at 12:14:20AM -0500, Brian A. Seklecki wrote:
OpenBSD requires that gateway A and gateway B have a default route
declared
no, you just need a route to the destination, this is a known
bug and there's no simple fix. however, just create a network
route for the peer
On Thu, Nov 10, 2005 at 11:30:58AM +0100, [EMAIL PROTECTED] wrote:
-bash-3.00# ipsecadm show
sadb_dump: satype esp vers 2 len 38 seq 0 pid 0
errno 8: Exec format error
sa: spi 0x1c5551f1 auth hmac-sha1 enc aes
that's a bug in ipsecadm show.
recompiling sshd with
includes.h:#define USE_PIPES 1
removed would also help.
i think it's better to fix ppp(8)
it will work in 3.8 and later.
On Tue, Aug 30, 2005 at 12:14:32AM +0200, [EMAIL PROTECTED] wrote:
Hello!
Can you please confirm if it is possible to set the mtu on cards
using the sis driver (I have a Netgear FA311, based on the DP 83816
chip)?
I am trying to change the mtu with:
On Tue, Aug 02, 2005 at 05:02:05PM +0200, umaxx wrote:
# ifconfig tun0 create
# ifconfig tun0 10.0.0.1 10.0.0.2 up
try
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 link0
check brconfig(8)
link2 Setting this flag causes all packets to be passed on to ipsec(4)
for processing, based on the policies established by the administrator
using the ipsecadm(8) command. If appropriate security
associations (SAs) exist, they
the TCP client reuses a source port and sends a SYN while the
server still has the old TIME_WAIT state, so the server does not
send a SYN/ACK.
after 6 seconds the client retransmits the SYN and the connect
succeeds.
so there are 2 problems:
1) the client reuses the port too soon.