On 4/4/24 23:17, Katherine Mcmillan wrote:
an open source data compression utility available on almost all installations of
Linux and other Unix-like operating systems."
There are a couple of problems with this statement, but I just want to
focus in on the "almost all installations of Linux
On 4/3/24 18:19, Karel Lucas wrote:
I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the
I have asked myself the same question.
When running tcpdump -n -i pflog0 with the -e -v flags (and only in
that combination), it outputs tuples that look like they should be a
uid and pid:
16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...
(it's 92257 on the machine
On 9/8/23 00:24, Richard Thornton wrote:
Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's
Just for the record: The problem was caused by a malfunctioning upstream
gateway, which no longer responded properly to neighbor solicitation
requests.
The SYN ACK from the server was dropped because the firewall had already
removed the state created by the SYN.
On 6/23/23 22:51, Markus
Hi all
(Sorry for flooding, this seems related to the question I asked earlier.
Please bear with me.)
I am using relayd on 7.3-release as an IP loadbalancer in front of some
dualstack backend hosts. This setup has worked for some years now.
After upgrading to 7.3 about 4 weeks ago I
Hi all
I am using relayd on 7.3-release as an incoming IP loadbalancer and
therefore have this line near the beginning of the filter section of
pf.conf:
anchor "relayd/*"
It shows up as rule number 2 in pfctl -vv -s rules:
@0 match all scrub (no-df reassemble tcp)
[ Evaluations: 89452
for my external carp interface both firewalls show master as status
The config is below for reference:
/etc/hostname.carp0 on fw1
inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password
advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0
On 12/2/22 16:17, rsyk...@disroot.org wrote:
echo 1 | tee $(tty) | sed 's/1/2/'
Not 100% sure, but probably some timing/subshell issue.
This works:
tty=$(tty) && echo 1 | tee $tty | sed 's/1/2/'
best /m
Hi Tom
On 5/11/22 21:32, Tom Smyth wrote:
We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
The one thing that immediately comes to mind is to NOT use a crossover
cable for the
On 11.08.21 08:40, Vladimir Nikishkin wrote:
> table { 127.0.0.1 }
> table { 127.0.0.1 }
Have you tried having the two backend listeners on different IP
addresses rather than on different ports? Eg. 127.0.0.1 and 127.0.0.2?
best /m
On 7/13/21 9:32 AM, Tom K wrote:
> why demotion counter for group carp is set to 33 on boot? This is the
> primary firewall and there are no adskew settings in all hostname.carpX
> files or anywhere else.
> Because of this the other firewall which should be normally the standby
> (adskew 100),
On 6/30/21 1:32 PM, Pierre Dupond wrote:
> veteher30 has no IPv6 link-local address, ignoring
^
I don't know rad, but from the output above there seems to be a typo in
some config.
On 3/8/21 11:05 PM, Antonino Sidoti wrote:
> There is no blocking showing up when I examine the pflog0,
I would run tcpdump -n -i em0 icmp6 during /etc/netstart with and
without pf enabled. If you see a difference, that should help you find
out what to allow in your ruleset.
/m
On 2/7/21 1:38 AM, Bryan Stenson wrote:
31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2,
link: no carrier, mtu: 1500,
Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit). Any
On 1/23/21 3:25 AM, Hakan E. Duran wrote:
I have a few VMs on KVM/QEMU infrastructure. When I try to create an
OpenBSD VM, my key strokes start echoing on the VM console.
Not sure if this is the same problem, but I did have similar trouble
with qemu and OpenBSD in the past. I had to disable
On 1/20/21 10:01 AM, Bastien Durel wrote:
If There is no software way to solve this problem, I shall need to buy
a small HDMI screen and drop serial console ...
If the console gets input from the serial port even with no cable
plugged into it (and not just the other side disconnected),
On 11/4/20 4:05 PM, Harald Dunkel wrote:
inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1
advskew 0
If you use the actual broadcast address 10.0.1.255 instead of NONE it
will work with both.
On 9/28/20 4:54 PM, William Orr wrote:
> https://vim.fandom.com/wiki/Encryption
That post is from 2001 (still valid, though).
Vim from the current package defaults to blowfish2 as encryption algorithm.
best /m
On 9/28/20 9:18 AM, Martin wrote:
> I'm looking for some notepad with encryption of notes/files created. Simply
> Text File encryption is suitable too to hide some info from plain text files
> I have.
Depending on your definition of "notepad", vim (gvim) should have
built-in encryption (:X
On 9/3/20 5:41 PM, Ernest Stewart wrote:
> And which pf rules and how to establish those routing tables are exactly what
> I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
From your setup I would assume that the IP
On 6/9/20 9:25 PM, Paul B. Henson wrote:
> Hmm, I had never considered using jumbo frames.
...
> I guess multicast would work too
Neither jumbo frames nor multicast will prevent group demotion when the
other side of a crosslink cable goes physically down. Only not having
the sync interface in
On 6/9/20 12:27 AM, Paul B. Henson wrote:
> Yes, I am using a direct link between the two physical firewalls.
[...]
> Is this no longer a best practice?
If it's in the documentation, I suppose it still is.
But I have found it problematic, because taking down one firewall, or
even only its sync
On 6/8/20 12:29 AM, Paul B. Henson wrote:
> whenever I rebooted the secondary firewall, the
> carp interfaces on the primary would flip to backup and then back to
> master as the secondary one rebooted
I don't see that behaviour on my carp pair. Are you using a cross-link
cable between the two
On 5/24/20 3:55 AM, David A. Pocock wrote:
> I can't relate; doing this from OpenBSD6.7 to OpenBSD6.7 the ecdsa forward
> through and show up via ssh-add without any issues (and allow using the
> intermediary host without having the keys present (and being able to choose
> keys as per the
On 5/22/20 12:12 PM, Денис Давыдов wrote:
> I decided to reinstall OpenBSD to a newer version on my VMware ESXi
> cluster. So I deleted an old router and start the new one using the old
> configuration, except that I add lladdr parameter with the old MAC address
Last I looked into it (some years
On 14.11.2019 11:30, Rachel Roch wrote:
>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan
>>> interface for pfsync ?
I have had pfsync running happily over a vlan interface for years, never
a problem.
> Regarding the extra port, in my case I'm using that for LACP
On 09.11.2019 15:24, Claudio Jeker wrote:
>> So nobody is using syncookies/synproxy at all?
>
> I guess that is a reasonably safe assumption. syncookies are rather new
> and probably need more battle testing.
OK, then I will send a bug report.
> synproxy never helped me much in
> case of a SYN
Hm, also no replies to that one :-)
On 11/6/19 8:15 PM, Markus Wernig wrote:
> So just to make sure: Is anybody using syncookies and/or synproxy in
> production in a similar setup?
So nobody is using syncookies/synproxy at all?
best /m
Hi again
Nobody has answered, so I suppose nobody else has this problem :-)
That's good.
So just to make sure: Is anybody using syncookies and/or synproxy in
production in a similar setup?
Thx /markus
On 11/4/19 8:35 PM, Markus Wernig wrote:
> Hi all
>
> After being hit by some
Hi all
After being hit by some synflood waves recently I enabled syncookies on
our OBSD 6.6 i386 CARP fw pair:
set syncookies always
This stopped the state table from filling up. But after some hours pf
started (randomly?) dropping legitimate connection attempts, both on
external->internal
Hi all
I have this at the beginning of pf.conf:
match all scrub (reassemble tcp no-df )
match out all scrub (random-id)
Behind that FW is a (OpenIndiana) DNS server that fragments those of its
UDP replies that are too large for the local MTU (1500). (Log below is
from a DNSKEY query, the
On 03.08.2017 06:42, Emille Blanc wrote:
> 005: RELIABILITY FIX: May 6, 2017
> Expired pf source tracking entries never got removed, leading to memory
> exhaustion.
> ref: https://www.openbsd.org/errata61.html
Thanks for the pointer! Problem gone after running syspatch (such a cool
tool!).
/m
On 02.08.2017 16:07, Steve Williams wrote:
> pfctl -t Sources -T flush
Thanks for the hints. The above yields an error here:
# pfctl -t Sources -T flush
pfctl: Table does not exist.
pfctl(8) is rather clear on the topic:
...
-F modifier
Flush the filter parameters specified by
?
best markus
On 01.08.2017 17:34, Markus Wernig wrote:
> Hi all
>
> I have a pair of OBSD 6.1 firewalls, on which some rules require source
> tracking, i.e. have a max-src-conn or similar statement as in:
>
> pass log quick on { em0 vlan1 } inet proto tcp from any to
Hi all
I have a pair of OBSD 6.1 firewalls, on which some rules require source
tracking, i.e. have a max-src-conn or similar statement as in:
pass log quick on { em0 vlan1 } inet proto tcp from any to
port { 80, 443 } modulate state ( max-src-conn 50,
max-src-conn-rate 25/5, overload flush
On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
>> Short question:
>> How do I prevent pf from changing the source port of outgoing natted udp
>> packets?
>
> Did you look at static-port in pf.conf(5)?
Argh! I
Hi all
I have a strange behaviour in pf on 5.9-stable:
A system (asterisk) behind the gateway is receiving and replying to udp
streams (RTP). The connection parameters (src/dst ip/port) are set up
before (STUN and SIP), so both systems "know" where to send to.
The gateway does NAT (rdr-to in,
Hi all
I have 5.5 i386 running under kvm-qemu, using ntpd to sync time.
But the system keeps constantly losing time, at a rate of about two
seconds per minute (which of course makes it unusable).
When starting ntpd with the -s flag, it successfully sets the system
time and initializes
Hi all
To finish off this ancient thread, I've written up what it took to get
StrongSwan to play nicely with iked and to build a GRE tunnel over the
IPSec link:
http://markus.wernig.net/en/it/ip6tunnel.phtml
Any feedback is of course very welcome.
krgds /markus
On 08/13/2014 06:05 AM, Markus
On 08/10/2014 03:09 PM, Reyk Floeter wrote:
Just try to increase the number of vs to get more info, for example,
iked -dvv or iked -dvvv to get packet dumps.
Thanks for the hint. That brought some progress.
I've now switched back to -current and changed the client setup (I had
been using the
On 08/12/2014 11:58 AM, Reyk Floeter wrote:
Operation not supported is from the kernel returning EOPNOTSUPP.
If any of the following sysctls are turned off and it is requested via
the PFKEYv2 socket, the kernel will return EOPNOTSUPP:
net.inet.esp.enable=1
net.inet.ah.enable=1
On 08/12/2014 12:33 PM, Markus Wernig wrote:
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
address_src: A.B.C.D
address_dst: 10.x.y.z
spirange: min 0x0100 max 0x
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
sa: spi 0xfe52d794
On 08/12/2014 05:39 PM, Markus Wernig wrote:
But really, I think this is the problem:
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
SA spi 0xcb320247
Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
Aug 12 16:56:18 tunnel iked[22215
On 08/12/2014 07:19 PM, Reyk Floeter wrote:
Another reason for AF 0 could be the use of the keyword any in your
iked.conf. I thought we fixed that before to inherit the AF from the
peer, but try to use 0.0.0.0/0 instead of any for IPv4 and
something like ::/0 for IPv6.
Reyk
Yes, that
Finally found a rather awkward workaround:
1) On the VPN GW, set an ip alias from a different subnet
(192.168.100.1/24) on the primary interface
2) Set up iked.conf with
ikev2 ...
from 0.0.0.0/0 to 192.168.100.0/24
config address 192.168.100.0/24
config address
Hi all
I am trying to set up a ipsec tunnel with iked in a double NAT scenario:
Client -- NAT GW 1 -- Inet -- NAT GW 2 -- VPN GW
Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com
NAT GW 1 does hide NAT to A.B.C.D
NAT GW 2 does static NAT for public GW IP,
On 06/17/2014 11:10 AM, Brad Smith wrote:
boot -c
disable mpbios
Because ACPI is in use which takes higher precedence over MP BIOS. You
have to disable acpimadt.
THANKS GUYS!!
This just resolved a blocker that had for 2 years prevented me from
upgrading my OpenBSD kvm guests to
Not sure about the ported httpd, but usually you have to enable the
generation of those environment vars with
SSLOptions +StdEnvVars
as they are off by default.
krgds /m
On Tue, 18 Feb 2014, Olivier Mehani wrote:
(Almost) everything works fine, and I do indeed manage to
successfully
Hi all
I need to build an OpenBSD IPsec gateway that uses keys/certificates
from a hardware device (external smartcard, presumably via pkcs#11) for
authenticating itself to other gateways when establishing a connection
with them (active).
In the ipsec/isakmpd man pages I found no references to
Hi
I'm not sure if this will work, but you could try creating a loopback
interface (lo2) on FWC with the IP address that the FTP server should be
reachable on and then set up a regular VPN between FWA and FWC just for
that one IP address:
ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA
On 01/25/12 18:23, Matt Hamilton wrote:
pass in quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
queue carp_out
pass in quick on $int_if proto carp from $fw_int_ips to 224.0.0.18
queue carp_in
pass out quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18
queue carp_out
to normal.
Thanks to cd for the help.
lg /markus
On 01/15/12 16:18, Markus Wernig wrote:
Hi all
After upgrading to 5.0 (and also on -current) I keep getting those
errors for 2 out of 4 carp'd interfaces in a fw cluster pair:
/bsd: carp2: ip_output failed: 65
/bsd: carp3: ip_output failed: 65
Hi all
After upgrading to 5.0 (and also on -current) I keep getting those
errors for 2 out of 4 carp'd interfaces in a fw cluster pair:
/bsd: carp2: ip_output failed: 65
/bsd: carp3: ip_output failed: 65
And effectively, no CARP traffic is seen on those two interfaces,
neither in nor out. Both
Hello all
I have recently upgraded a pair of CARPed firewalls from 4.6 to 5.0
(late, I know ...) after almost 2 years of absolutely flawless operation
(ipv4 interfaces only).
I have changed all the nat/rdr rules in pf.conf to the new syntax, not
changed any other fw/nw setting (at least to my
On 01/12/12 00:05, Markus Wernig wrote:
If I set net.inet.carp.log=7, I get lots of the following on both fws,
only for carp1 and carp2, never for carp0 and carp3:
carp2: ip_output failed: 65
carp1: ip_output failed: 65
carp2: ip_output failed: 65
carp1: ip_output failed: 65
carp2
Hi Mihajlo
Yes, this feature (re-synchronization after master failure) has been
missing from the day sasyncd came out
(http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When
I gave that speech in Switzerland (the one you found the PDF of), I was
confident that it would be
Chris Bennett wrote:
I now wanted to improve security a bit, so when I tried accessing script
with https, I get this error in log file:
Can't locate object method request via package Apache
Hi
Compare the httpd.conf of your ssl and non-ssl virtual hosts. Both must
have something like
Hi Jose
The MX is the host destined for receiving mail for a domain. There is no
indication that it should also be the only one sending mail from a
domain. At the moment most domains use SPF records to mark their
preferred relay, so you might want to check that instead of/in addition
to the MX
23e7 wrote:
Hi,
my openbsd is 4.5, gnome-terminal default encoding is ascii, I cannot
find how to set to utf-8.
Which version? Normally, it's under Terminal -> Set Character Encoding
(Alt-T C)
/m
. this seems
to be incoming
R$+@$+$#error $@ 5.1.8 $: 551 Invalid sender domain
thx /markus
Dan Harnett wrote:
On Sun, Jun 21, 2009 at 05:42:22PM +0200, Markus Wernig wrote:
I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
auth. Now some users started using arbitrary
Hi all
I have sendmail on 4.4 as MX and relay for outgoing mail using smtp
auth. Now some users started using arbitrary from: addresses in their
mail clients. I would like to restrict those sender addresses to the
local domains, i.e. allow them to send mail from u...@my.domain or
Hi all
I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
success so far.
The kernel stops booting after some lines of output. I've tried 4.4 and
4.5.
On 4.4 it stops right after the first lines. The last line of output is:
acpi0: tables DSDT FACP HPET MCFG SLIC APIC BOOT SSDT
/markus
Markus Wernig wrote:
I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without
success so far.
Mikolaj Kucharski wrote:
Another scenario. When all VPNs are up and stable (traffic is low) and
one of the clients is rebooted, at boot time when ipsecctl -f
/etc/ipsec.conf is executed its tunnel is set up and _all_ other
tunnels are immediately dropped.
Am I right to assume that only those
Hi Georg
I think I remember something like this ... could it be that carp takes
over the interface before pfsync has finished updating the booted
machine's connection table?
TCP (and many other protocols) takes care of such situations by simply
retransmitting, so any TCP connections should
Hi
Are you sure that all the interfaces you have configured carp on have
link and can connect to each other? (I've seen similar behaviour caused
by defective NICs: receive buffer not receiving while send buffer still
sending - try ping on all interfaces) Is lo up? Is there any other
router
If you tcpdump do you see any carp traffic at all (ip proto 112)? Upon
reboot? And you did enable carp preemption on both hosts (sysctl
net.inet.carp.preempt=1)?
Hi all
I have an OBSD4.3 VPN gateway that authenticates users based on their
certificate and an isakmpd.policy, which works just fine. Now a user had
to renew his certificate: same CA, same CA certificate, same Subject DN,
same EVERYTHING. I'd have expected that he'd just need to close the
Alexey Vatchenko wrote:
It's because of:
ike passive esp from 192.168.0.0/24 to any local egress dstid
[EMAIL PROTECTED] psk xxx
Yes, it's because of that. But I'm convinced that you don't need that at
all.
From what I understand, you just need to give access from some remote
network(s) to
Hi
From my point of view the problem is that you use the same network
range 192.168.0/24 in your home and office. Off the top of my head I'd
say that this should not work. The routing entries look a bit scary,
actually. If I had the same setup, I'd try one of the following:
- change the
Hi
What does the ipsec.conf entry on the Office gateway for the Home
gateway look like?
IP range of Home network?
Are you trying to use the Home gateway as a relay to get into the Office
net from other locations than from Home network?
Do you have any NAT rules involved?
ipsecctl -s all on
Rephrasing: Is it possible to have multiple nat-t clients behind the
same NAT address connect to the same OBSD ipsec gateway? How?
thx /markus
Markus Wernig wrote:
Hi all
I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behind one
Hi all
I'm having some trouble with VPN clients (workstations) connecting to an
OBSD 4.2 VPN gateway.
All clients sit behind one natting gateway, and are natted to the same
egress ip address. They try to connect to another network behind the VPN
gateway. The first connect succeeds, and the client
Hi all
I have replaced syslogd with syslog-ng on my OBSD4.2 boxes (needed tcp,
encryption and fifos). I have managed to mimic all traditional log
behaviour (as per the default syslogd config) with one exception:
isakmpd will not log a single bit into any facility. afaik isakmpd uses
the daemon
Dear list
I have a couple of 4.1 firewalls that I would like to upgrade to 4.2.
Before taking them online again I'd like to deploy the openssl patch
from ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch
Being perimeter firewalls, those systems don't have compile tools
Hi
The one time I remember getting that error was when I _thought_ I was
using certificates from /etc/isakmpd/{certs,private}, but still had a
local.pub and local.key from the installation lying around that got used
instead. Some more debug info (/var/log/daemon) would be helpful indeed.
krgds
Hi
If the problem is intermittent, this is probably correct, but have you
checked that you _really_ have different vhids for all devices?
You might also want to set different passwords for each carp device,
just to make sure they don't interfere with each other.
krgds /markus
Erich wrote:
Hi all
Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
rules (OBSD 4.1)?
The idea is:
ipsec.conf:
ike esp from A to B tag mytag
pf.conf:
nat on $int_if tagged mytag -> ($int_if:1)
nat on $int_if from !($int_if) -> ($int_if:0)
If I use the tagged keyword, the second nat
A dstid fqdn B
ipsec.conf on B:
ike passive esp tunnel from any to Destination Net srcid fqdn B
Markus Wernig wrote:
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default route points out and over which the packets to forward
through
Hi again!
I need to authenticate users in isakmpd by the subject DN of their x509
certificates. For this, I wrote isakmpd.policy as follows:
KeyNote-Version: 2
Authenticator: POLICY
Licensees: DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject
Conditions: app_domain == IPsec policy
doi == ipsec
Hi all
For the archives: isakmpd.policy for authenticating users by their
certificates' subjects (ASN1 DNs):
KeyNote-Version: 2
Authenticator: POLICY
Licensees: DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject
Conditions: app_domain == IPsec policy
doi == ipsec
esp_present == yes
the -K option. See isakmpd.policy(5).
On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
Hi all
I'm setting up a OBSD 4.1 ipsec gateway, against which users will
authenticate using x509 certificates. They all use personal certificates
(key usage: digSig), which contains
s/isakmpd.conf/isakmpd.policy/g
typo
/m
Markus Wernig wrote:
Hello thanx for the swift reply
Now i've read through the isakmpd.conf and keynote manpages, but,
honestly, I still don't know how to get this working.
Here's the isakmpd.conf I came up with:
KeyNote-Version: 2
Hi all
I'm setting up a OBSD 4.1 ipsec gateway, against which users will
authenticate using x509 certificates. They all use personal certificates
(key usage: digSig), which contains their user name and Email in the
subject. I need to authenticate them by the whole subject, but can't
seem to
Hi all
I've upgraded OBSD on my notebook (hp-compaq nc7xxx series) from 3.8 to
4.1. All went well, except that when I start X, neither mouse nor
keyboard are responding any more. Instead I get repeating error messages
in syslog and on console:
pmsi_enable: command error
pckbc: command
Mathieu Sauve-Frankel wrote:
Currently the order in which isakmpd, ipsecctl and sasyncd need to be
invoked in order for everything to work is pretty rigid.
# isakmpd -KS
# ipsecctl -f /etc/ipsec.conf
# sasyncd
First start isakmpd with -KS, this brings up isakmpd in passive mode,
Hi
I'm not sure about carp supporting addresses in other subnets than the
physical one. But to debug this further:
- what does tcpdump -e -n -i xennet1 show on the routers when you ping
the virtual interface from outside the lan?
- is the route for the egress path the same as for the ingress path
Stuart Henderson wrote:
On 2007/04/16 15:06, Markus Wernig wrote:
...
the error message does come from sasyncd.
sharedkey [32byte RSA key]
the other config lines are ok, the error must be here.
aarrgg ... and indeed it was. I had produced that
string
Hi all
Does anybody know what the status of the problem described here is?
http://archives.neohapsis.com/archives/openbsd/2005-12/0327.html
The problem is that OBSD IPSec gateways will reject packets they have an
SA for if they don't have an IP route to the destination (any route,
default gw
Hello all
I am trying a - what I think is - simple ipsec setup. The point is to
ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
Although having read through ipsec, ipsec.conf, isakmpd and friend's
Renaud Allard wrote:
It seems you just forgot to load your rules.
Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
firewalls and everything should just work fine.
Hi
I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
- to no avail. On the other hand I
Renaud Allard wrote:
Did you verify that isakmpd is running?
Yes. It runs as follows:
11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd)
18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
Renaud Allard wrote:
Maybe also try on both firewalls:
cd /etc/isakmpd; ln -s private/local.pub .
Then restart isakmpd and reload the rules.
Hi
Tried that as well ... still no go.
I have disabled pf for setting the enc up. I suppose, that doesn't
matter, does it?
krgds /markus
Hello!
Renaud Allard wrote:
Markus Wernig wrote:
Renaud Allard wrote:
Did you verify that isakmpd is running?
Yes. It runs as follows:
11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd)
18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
-S is used for redundant
Hi everybody!
I am looking at implementing a round-robin load-balanced group of
servers behind an OBSD firewall.
The pf commands would run along the lines
[...]
table <servers> persist file /etc/pf.serverlist
rdr on $ext_if proto tcp from any to $virtual_ip port 80 \
-> <servers>
Hi all
I'm trying to build redundancy into two 3.8 boxes with trunk and carp.
Both boxes have 2 Nics each (fxp and rl), connected to two unmanaged dumb
switches without .1q tagging or other fancies.
On both boxes I have:
/etc/hostname.rl0
up
/etc/hostname.fxp0
up
and the corresponding
When running # sh /etc/netstart manually after login, I get an error
SIO... No buffer space available (or similar). When running it a second
time right afterwards, no error message appears, and the carp interface
goes up, replies to one ping (of a constantly running remote ping) and
then goes