Re: IPv6 NDP Confusion with PF enabled

2021-03-09 Thread Markus Wernig
On 3/8/21 11:05 PM, Antonino Sidoti wrote: > There is no blocking showing up when I examine the pflog0, I would run tcpdump -n -i em0 icmp6 during /etc/netstart with and without pf enabled. If you see a difference, that should help you find out what to allow in your ruleset. /m

Re: seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-06 Thread Markus Wernig
On 2/7/21 1:38 AM, Bryan Stenson wrote: 31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2, link: no carrier, mtu: 1500, Just grasping for something here...my next steps are to swap this unit out with the other one (to try and eliminate hardware failure of THIS unit). Any

Re: OpenBSD VM creation problem

2021-01-22 Thread Markus Wernig
On 1/23/21 3:25 AM, Hakan E. Duran wrote: I have a few VMs on KVM/QEMU infrastructure. When I try to create an OpenBSD VM, my key strokes start echoing on the VM console. Not sure if this is the same problem, but I did have similar trouble with qemu and OpenBSD in the past. I had to disable

Re: auto-boot

2021-01-20 Thread Markus Wernig
On 1/20/21 10:01 AM, Bastien Durel wrote: If There is no software way to solve this problem, I shall need to buy a small HDMI screen and drop serial console ... If the console gets input from the serial port even with no cable plugged into it (and not just the other side disconnected),

Re: question about hostname.carp

2020-11-04 Thread Markus Wernig
On 11/4/20 4:05 PM, Harald Dunkel wrote: inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1 advskew 0 If you use the actual broadcast address 10.0.1.255 instead on NONE it will work with both.

Re: Encrypted notepad software suggestions

2020-09-28 Thread Markus Wernig
On 9/28/20 4:54 PM, William Orr wrote: > https://vim.fandom.com/wiki/Encryption That post is from 2001 (still valid, though). Vim from the current package defaults to blowfish2 as encryption algorithm. best /m

Re: Encrypted notepad software suggestions

2020-09-28 Thread Markus Wernig
On 9/28/20 9:18 AM, Martin wrote: > I'm looking for some notepad with encryption of notes/files created. Simply > Text File encryption is suitable too to hide some info from plain text files > I have. Depending on your definition of "notepad", vim (gvim) should have built-in encryption (:X

Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Markus Wernig
On 9/3/20 5:41 PM, Ernest Stewart wrote: > And which pf rules and how to establish those routing tables are exactly what > I'm asking. Maybe if you share the output of the ping test from your original mail we could see what is actually happening. >From your setup I would assume that the IP

Re: pfsync interface in carp group

2020-06-09 Thread Markus Wernig
On 6/9/20 9:25 PM, Paul B. Henson wrote: > Hmm, I had never considered using jumbo frames. ... > I guess multicast would work too Neither jumbo frames nor multicast will prevent group demotion when the other side of a crosslink cable goes physically down. Only not having the sync interface in

Re: pfsync interface in carp group

2020-06-08 Thread Markus Wernig
On 6/9/20 12:27 AM, Paul B. Henson wrote: > Yes, I am using a direct link between the two physical firewalls. [...] > Is this no longer a best practice? If it's in the documentation, I suppose it still is. But I have found it problematic, because taking down one firewall, or even only its sync

Re: pfsync interface in carp group

2020-06-07 Thread Markus Wernig
On 6/8/20 12:29 AM, Paul B. Henson wrote: > whenever I rebooted the secondary firewall, the > carp interfaces on the primary would flip to backup and then back to > master as the secondary one rebooted I don't see that behaviour on my carp pair. Are you using a cross-link cable between the two

Re: Select ssh key from ssh-agent?

2020-05-24 Thread Markus Wernig
On 5/24/20 3:55 AM, David A. Pocock wrote: > I can't relate; doing this from OpenBSD6.7 to OpenBSD6.7 the ecdsa forward > through and show up via ssh-add without any issues (and allow using the > intermediary host without having the keys present (and being able to choose > keys as per the

Re: Strange behavior when I try to use lladdr

2020-05-22 Thread Markus Wernig
On 5/22/20 12:12 PM, Денис Давыдов wrote: > I decided to reinstall OpenBSD to a newer version on my VMware ESXi > cluster. So I deleted an old router and start the new one using the old > configuration, except that I add lladdr parameter with the old MAC address Last I looked into it (some years

Re: pfsync on VLAN - supported ?

2019-11-14 Thread Markus Wernig
On 14.11.2019 11:30, Rachel Roch wrote: >>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan >>> interface for pfsync ? I have had pfsync running happily over a vlan interface for years, never a problem. > Regarding the extra port, in my case I'm using that for LACP

Re: random packet drops with syncookies/synproxy

2019-11-14 Thread Markus Wernig
On 09.11.2019 15:24, Claudio Jeker wrote: >> So nobody is using syncookies/synproxy at all? > > I guess that is a reasonably safe assumption. syncookies are rather new > and probably need more battle testing. OK, then I will send a bug report. > synproxy never helped me much in > case of a SYN

Re: random packet drops with syncookies/synproxy

2019-11-09 Thread Markus Wernig
Hm, also no replies to that one :-) On 11/6/19 8:15 PM, Markus Wernig wrote: > So just to make sure: Is anybody using syncookies and/or synproxy in > production in a similar setup? So nobody is using syncookies/synproxy at all? best /m

Re: random packet drops with syncookies/synproxy

2019-11-06 Thread Markus Wernig
Hi again Nobody has answered, so I suppose nobody else has this problem :-) That's good. So just to make sure: Is anybody using syncookies and/or synproxy in production in a similar setup? Thx /markus On 11/4/19 8:35 PM, Markus Wernig wrote: > Hi all > > After being hit by some

random packet drops with syncookies/synproxy

2019-11-04 Thread Markus Wernig
Hi all After being hit by some synflood waves recently I enabled syncookies on our OBSD 6.6 i386 CARP fw pair: set syncookies always This stopped the state table from filling up. But after some hours pf started (randomly?) dropping legitimate connection attempts, both on external->internal

pf dropping fragmented UDP despite of scrub no-df

2017-12-04 Thread Markus Wernig
Hi all I have this at the beginning of pf.conf: match all scrub (reassemble tcp no-df ) match out all scrub (random-id) Behind that FW is a (OpenIndiana) DNS server that fragments those of its UDP replies that are too large for the local MTU (1500). (Log below is from a DNSKEY query, the

Re: Does pf's Sources table ever get cleared?

2017-08-07 Thread Markus Wernig
On 03.08.2017 06:42, Emille Blanc wrote: > 005: RELIABILITY FIX: May 6, 2017 > Expired pf source tracking entries never got removed, leading to memory > exhaustion. > ref: https://www.openbsd.org/errata61.html Thanks for the pointer! Problem gone after running syspatch (such a cool tool!). /m

Re: Does pf's Sources table ever get cleared?

2017-08-02 Thread Markus Wernig
On 02.08.2017 16:07, Steve Williams wrote: > pfctl -t Sources -T flush Thanks for the hints. The above yields an error here: # pfctl -t Sources -T flush pfctl: Table does not exist. pfctl(8) is rather clear on the topic: ... -F modifier Flush the filter parameters specified by

Re: Does pf's Sources table ever get cleared?

2017-08-02 Thread Markus Wernig
? best markus On 01.08.2017 17:34, Markus Wernig wrote: > Hi all > > I have a pair of OBSD 6.1 firewalls, on which some rules require source > tracking, i.e. have a max-src-conn or similar statement as in: > > pass log quick on { em0 vlan1 } inet proto tcp from any to

Does pf's Sources table ever get cleared?

2017-08-01 Thread Markus Wernig
Hi all I have a pair of OBSD 6.1 firewalls, on which some rules require source tracking, i.e. have a max-src-conn or similar statement as in: pass log quick on { em0 vlan1 } inet proto tcp from any to port { 80, 443 } modulate state ( max-src-conn 50, max-src-conn-rate 25/5, overload flush

Re: pf changes port on udp nat-to and rdr-to reply packets (RTP stream)

2016-06-09 Thread Markus Wernig
On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote: > On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote: >> Short question: >> How do I prevent pf from changing the source port of outgoing natted udp >> packets? > > Did you look at static-port in pf.conf(5)? Argh! I

pf changes port on udp nat-to and rdr-to reply packets (RTP stream)

2016-06-09 Thread Markus Wernig
Hi all I have a strange behaviour in pf on 5.9-stable: A system (asterisk) behind the gateway is receiving and replying to udp streams (RTP). The connection parameters (src/dst ip/port) are set up before (STUN and SIP), so both systems "know" where to send to. The gateway does NAT (rdr-to in,

ntpd not setting time under kvm-qemu

2014-09-21 Thread Markus Wernig
Hi all I have 5.5 i386 running under kvm-qemu, using ntpd to sync time. But the system keeps constantly losing time, at a rate of about two seconds per minute (which of course makes it unusable). When starting ntpd with the -s flag, it successfully sets the system time and initializes

Re: how to debug iked failures?

2014-08-27 Thread Markus Wernig
Hi all To finish off this ancient thread, I've written up what it took to get StrongSwan to play nicely with iked and to build a GRE tunnel over the IPSec link: http://markus.wernig.net/en/it/ip6tunnel.phtml Any feedback is of course very welcome. krgds /markus On 08/13/2014 06:05 AM, Markus

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
On 08/10/2014 03:09 PM, Reyk Floeter wrote: Just try to increase the number of vs to get more info, for example, iked -dvv or iked -dvvv to get packet dumps. Thanks for the hint. That brought some progress. I've now switched back to -current and changed the client setup (I had been using the

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
On 08/12/2014 11:58 AM, Reyk Floeter wrote: Operation not supported is from the kernel returning EOPNOTSUPP. If any of the following sysctls are turned off and it is requested via the PFKEYv2 socket, the kernel will return EOPNOTSUPP: net.inet.esp.enable=1 net.inet.ah.enable=1

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
On 08/12/2014 12:33 PM, Markus Wernig wrote: sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389 address_src: A.B.C.D address_dst: 10.x.y.z spirange: min 0x0100 max 0x sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389 sa: spi 0xfe52d794

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
On 08/12/2014 05:39 PM, Markus Wernig wrote: But really, I think this is the problem: Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD SA spi 0xcb320247 Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0 Aug 12 16:56:18 tunnel iked[22215

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
On 08/12/2014 07:19 PM, Reyk Floeter wrote: Another reason for AF 0 could be the use of the keyword any in your iked.conf. I thought we fixed that before to inherit the AF from the peer, but try to use 0.0.0.0/0 instead of any for IPv4 and something like ::/0 for IPv6. Reyk Yes, that

Re: how to debug iked failures?

2014-08-12 Thread Markus Wernig
Finally found a rather awkward workaround: 1) On the VPN GW, set an ip alias from a different subnet (192.168.100.1/24) on the primary interface 2) Set up iked.conf with ikev2 ... from 0.0.0.0/0 to 192.168.100.0/24 config address 192.168.100.0/24 config address

how to debug iked failures?

2014-08-10 Thread Markus Wernig
Hi all I am trying to set up a ipsec tunnel with iked in a double NAT scenario: Client -- NAT GW 1 -- Inet -- NAT GW 2 -- VPN GW Client has 192.168.1.x, User is j...@doe.com VPN GW has 10.x.y.z, hostname vpn.doe.com NAT GW 1 does hide NAT to A.B.C.D NAT GW 2 does static NAT for public GW IP,

Re: Very slow I/O under OpenBSD i386 on qemu-kvm from RHEL7rc

2014-06-19 Thread Markus Wernig
On 06/17/2014 11:10 AM, Brad Smith wrote: boot -c disable mpbios Because ACPI is in use which takes higher precedence over MP BIOS. You have to disable acpimadt. THANKS GUYS!! This just resolved a blocker that had for 2 years prevented me from upgrading my OpenBSD kvm guests to

Re: Oddity with httpd/mod_ssl: missing HTTPS environment variable on non _default_ vhosts

2014-02-20 Thread Markus Wernig
Not sure about the ported httpd, but usually you have to enable the generation of those environment vars with SSLOptions +StdEnvVars as they are off by default. krgds /m On Tue, 18 Feb 2014, Olivier Mehani wrote: (Almost) everything works fine, and I do indeed manage to successfully

ipsec with smartcard?

2013-08-18 Thread Markus Wernig
Hi all I need to build an OpenBSD IPsec gateway that uses keys/certificates from a hardware device (external smartcard, presumably via pkcs#11) for authenticating itself to other gateways when establishing a connection with them (active). In the ipsec/isakmpd man pages I found no references to

Re: vpn isakmpd ipsec, one side with only one interface

2012-02-16 Thread Markus Wernig
Hi I'm not sure if this will work, but you could try creating a loopback interface (lo2) on FWC with the IP address that the FTP server should be reachable on and then set up a regular VPN between FWA and FWC just for that one IP address: ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA

Re: CARP strangeness after 5.0 upgrade

2012-01-26 Thread Markus Wernig
On 01/25/12 18:23, Matt Hamilton wrote: pass in quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18 queue carp_out pass in quick on $int_if proto carp from $fw_int_ips to 224.0.0.18 queue carp_in pass out quick on $ext_if proto carp from $fw_ext_ips to 224.0.0.18 queue carp_out

Solved: /bsd: carpN: ip_output failed: 65

2012-01-16 Thread Markus Wernig
to normal. Thanks to cd for the help. lg /markus On 01/15/12 16:18, Markus Wernig wrote: Hi all After upgrading to 5.0 (and also on -current) I keep getting those errors for 2 out of 4 carp'd interfaces in a fw cluster pair: /bsd: carp2: ip_output failed: 65 /bsd: carp3: ip_output failed: 65

/bsd: carpN: ip_output failed: 65

2012-01-15 Thread Markus Wernig
Hi all After upgrading to 5.0 (and also on -current) I keep getting those errors for 2 out of 4 carp'd interfaces in a fw cluster pair: /bsd: carp2: ip_output failed: 65 /bsd: carp3: ip_output failed: 65 And effectively, no CARP traffic is seen on those two interfaces, neither in nor out. Both

CARP strangeness after 5.0 upgrade

2012-01-11 Thread Markus Wernig
Hello all I have recently upgraded a pair of CARPed firewalls from 4.6 to 5.0 (late, I know ...) after almost 2 years of absolutely flawless operation (ipv4 interfaces only). I have changed all the nat/rdr rules in pf.conf to the new syntax, not changed any other fw/nw setting (at least to my

Re: CARP strangeness after 5.0 upgrade

2012-01-11 Thread Markus Wernig
On 01/12/12 00:05, Markus Wernig wrote: If I set net.inet.carp.log=7, I get lots of the following on both fws, only for carp1 and carp2, never for carp0 and carp3: carp2: ip_output failed: 65 carp1: ip_output failed: 65 carp2: ip_output failed: 65 carp1: ip_output failed: 65 carp2

Re: sasyncd syncs only newly created sad's

2010-01-12 Thread Markus Wernig
Hi Mihajlo Yes, this feature (re-synchronization after master failure) has been missing from the day sasyncd came out (http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When I gave that speech in Switzerland (the one you found the PDF of), I was confident that it would be

Re: mod_perl script is failing to work under SSL

2009-07-24 Thread Markus Wernig
Chris Bennett wrote: I now wanted to improve security a bit, so when I tried accessing script with https, I get this error in log file: Can't locate object method request via package Apache Hi Compare the httpd.conf of your ssl and non-ssl virtual hosts. Both must have something like

Re: dealing with incoming mail from your own domain

2009-07-14 Thread Markus Wernig
Hi Jose The MX is the host destined for receiving mail for a domain. There is no indication that it should also be the only one sending mail from a domain. At the moment most domains use SPF records to mark their preferred relay, so you might want to check that instead of/in addition to the MX

Re: how to set gnome-terminal default encoding

2009-07-14 Thread Markus Wernig
23e7 wrote: Hi, my openbsd is 4.5, gnome-terminal default encoding is ascii, I cannot find how to set to utf-8. Which version? Normally, it's under Terminal->Set Character Encoding (Alt-T C) /m

Re: Solved: sendmail: restrict sender domain for authenticated users

2009-06-28 Thread Markus Wernig
. this seems to be incoming R$+@$+$#error $@ 5.1.8 $: 551 Invalid sender domain thx /markus Dan Harnett wrote: On Sun, Jun 21, 2009 at 05:42:22PM +0200, Markus Wernig wrote: I have sendmail on 4.4 as MX and relay for outgoing mail using smtp auth. Now some users started using arbitrary

sendmail: restrict sender domain for authenticated users

2009-06-21 Thread Markus Wernig
Hi all I have sendmail on 4.4 as MX and relay for outgoing mail using smtp auth. Now some users started using arbitrary from: addresses in their mail clients. I would like to restrict those sender addresses to the local domains, i.e. allow them to send mail from u...@my.domain or

cpu not configured??

2009-06-20 Thread Markus Wernig
Hi all I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without success so far. The kernel stops booting after some lines of output. I've tried 4.4 and 4.5. On 4.4 it stops right after the first lines. The last line of output is: acpi0: tables DSDT FACP HPET MCFG SLIC APIC BOOT SSDT

Re: cpu not configured??

2009-06-20 Thread Markus Wernig
/markus Markus Wernig wrote: I'm trying to install OBSD on a FJ-Siemens Amilo xi 3650, without success so far.

Re: Flapping VPN under load on Soekris

2009-06-05 Thread Markus Wernig
Mikolaj Kucharski wrote: Another scenario. When all VPNs are up and stable (traffic is low) and one of the clients is rebooted at boot time when ipsecctl -f /etc/ipsec.conf is executed its tunnel is setup and _all_ other tunnels are immediately dropped. Am I right to assume that only those

Re: PF/Carp/Pfsync

2009-05-29 Thread Markus Wernig
Hi Georg I think I remember something like this ... could it be that carp takes over the interface before pfsync has finished updating the booted machine's connection table? TCP (and many other protocols) takes care of such situations by simply retransmitting, so any TCP connections should

Re: CARP not leaving backup state

2008-07-18 Thread Markus Wernig
Hi Are you sure that all the interfaces you have configured carp on have link and can connect to each other? (I've seen similar behaviour caused by defective NICs: receive buffer not receiving while send buffer still sending - try ping on all interfaces) Is lo up? Is there any other router

Re: CARP not leaving backup state

2008-07-18 Thread Markus Wernig
If you tcpdump do you see any carp traffic at all (ip proto 112)? Upon reboot? And you did enable carp preemption on both hosts (sysctl net.inet.carp.preempt=1)?

isakmpd times out on rolled-over client certificate

2008-07-09 Thread Markus Wernig
Hi all I have an OBSD4.3 VPN gateway that authenticates users based on their certificate and an isakmpd.policy, which works just fine. Now a user had to renew his certificate: same CA, same CA certificate, same Subject DN, same EVERYTHING. I'd have expected that he'd just need to close the

Re: IPSec tunnel problem

2008-03-01 Thread Markus Wernig
Alexey Vatchenko wrote: It's because of: ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx Yes, it's because of that. But I'm convinced that you don't need that at all. From what I understand, you just need to give access from some remote network(s) to

Re: IPSec tunnel problem

2008-02-29 Thread Markus Wernig
Hi From my point of view the problem is that you use the same network range 192.168.0/24 in your home and office. Off the top of my head I'd say that this should not work. The routing entries look a bit scary, actually. If I had the same setup, I'd try one of the following: - change the

Re: IPSec tunnel problem

2008-02-24 Thread Markus Wernig
Hi What does the ipsec.conf entry on the Office gateway for the Home gateway look like? IP range of Home network? Are you trying to use the Home gateway as a relay to get into the Office net from other locations than from Home network? Do you have any NAT rules involved? ipsecctl -s all on

Re: multiple ipsec-nat-t clients behind same ip address

2008-02-03 Thread Markus Wernig
Rephrasing: Is it possible to have multiple nat-t clients behind the same NAT address connect to the same OBSD ipsec gateway? How? thx /markus Markus Wernig wrote: Hi all I'm having some trouble with VPN clients (workstations) connecting to an OBSD 4.2 VPN gateway. All clients sit behind one

multiple ipsec-nat-t clients behind same ip address

2008-01-30 Thread Markus Wernig
Hi all I'm having some trouble with VPN clients (workstations) connecting to an OBSD 4.2 VPN gateway. All clients sit behind one natting gateway, and are natted to the same egress ip address. They try to connect to another network behind the VPN gateway. The first connect succeeds, and the client

syslog-ng and isakmpd

2007-12-29 Thread Markus Wernig
Hi all I have replaced syslogd with syslog-ng on my OBSD4.2 boxes (needed tcp, encryption and fifos). I have managed to mimic all traditional log behaviour (as per the default syslogd config) with one exception: isakmpd will not log a single bit into any facility. afaik isakmpd uses the daemon

deploy openssl patch

2007-11-01 Thread Markus Wernig
Dear list I have a couple of 4.1 firewalls that I would like to upgrade to 4.2. Before taking them online again I'd like to deploy the openssl patch from ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch Being perimeter firewalls, those systems don't have compile tools

Re: ipsec with carp

2007-10-01 Thread Markus Wernig
Hi The one time I remember getting that error was when I _thought_ I was using certificates from /etc/isakmpd/{certs,private}, but still had a local.pub and local.key from the installation lying around that got used instead. Some more debug info (/var/log/daemon) would be helpful indeed. krgds

Re: carp devices master/backup behavior

2007-09-28 Thread Markus Wernig
Hi If the problem is intermittent, this is probably correct, but have you checked that you _really_ have different vhids for all devices? You might also want to set different passwords for each carp device, just to be sure they don't interfere with each other. krgds /markus Erich wrote:

pf tag from ipsec in nat rules

2007-09-24 Thread Markus Wernig
Hi all Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat rules (OBSD 4.1)? The idea is: ipsec.conf: ike esp from A to B tag mytag pf.conf: nat on $int_if tagged mytag -> ($int_if:1) nat on $int_if from !($int_if) -> ($int_if:0) If I use the tagged keyword, the second nat

Re: IPSec VPN gateway with only one interface

2007-09-24 Thread Markus Wernig
A dstid fqdn B ipsec.conf on B: ike passive esp tunnel from any to Destination Net srcid fqdn B Markus Wernig wrote: Hi all I've looked through what documentation I could find, but didn't find this case mentioned, so I assumed it would work (which it doesn't): I have an OBSD 4.1 vpn gateway

IPSec VPN gateway with only one interface

2007-09-14 Thread Markus Wernig
Hi all I've looked through what documentation I could find, but didn't find this case mentioned, so I assumed it would work (which it doesn't): I have an OBSD 4.1 vpn gateway (A) with only one interface, over which the default route points out and over which the packets to forward through

isakmpd.policy not getting evaluated? (was: Use certificate subjec/ASN1 t in ipsec.conf ?)

2007-07-23 Thread Markus Wernig
Hi again! I need to authenticate users in isakmpd by the subject DN of their x509 certificates. For this, I wrote isakmpd.policy as follows: KeyNote-Version: 2 Authenticator: POLICY Licensees: DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject Conditions: app_domain == IPsec policy doi == ipsec

Re: isakmpd.policy not getting evaluated? SOLVED

2007-07-23 Thread Markus Wernig
Hi all For the archives: isakmpd.policy for authenticating users by their certificates' subjects (ASN1 DNs): KeyNote-Version: 2 Authenticator: POLICY Licensees: DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject Conditions: app_domain == IPsec policy doi == ipsec esp_present ==yes

Re: Use certificate subjec/ASN1 t in ipsec.conf ?

2007-07-21 Thread Markus Wernig
the -K option. See isakmpd.policy(5). On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote: Hi all I'm setting up a OBSD 4.1 ipsec gateway, against which users will authenticate using x509 certificates. They all use personal certificates (key usage: digSig), which contains

Re: Use certificate subjec/ASN1 t in ipsec.conf ?

2007-07-21 Thread Markus Wernig
s/isakmpd.conf/isakmpd.policy/g typo /m Markus Wernig wrote: Hello thanx for the swift reply Now i've read through the isakmpd.conf and keynote manpages, but, honestly, I still don't know how to get this working. Here's the isakmpd.conf I came up with: KeyNote-Version: 2

Use certificate subjec/ASN1 t in ipsec.conf ?

2007-07-20 Thread Markus Wernig
Hi all I'm setting up a OBSD 4.1 ipsec gateway, against which users will authenticate using x509 certificates. They all use personal certificates (key usage: digSig), which contains their user name and Email in the subject. I need to authenticate them by the whole subject, but can't seem to

pckbc, pmsi_* errors, mouse not working on 4.1

2007-05-21 Thread Markus Wernig
Hi all I've upgraded OBSD on my notebook (hp-compaq nc7xxx series) from 3.8 to 4.1. All went well, except that when I start X, neither mouse nor keyboard are responding any more. Instead I get repeating error messages in syslog and on console: pmsi_enable: command error pckbc: command

Re: host to host ipsec link

2007-04-16 Thread Markus Wernig
Mathieu Sauve-Frankel wrote: Currently the order in which isakmpd, ipsecctl and sasyncd need to be invoked in order for everything to work is pretty rigid. # isakmpd -KS # ipsecctl -f /etc/ipsec.conf # sasyncd First start isakmpd with -KS, this brings up isakmpd in passive mode,

Re: CARP access outside a subnet

2007-04-16 Thread Markus Wernig
Hi I'm not sure about carp supporting addresses in other subnets than the physical one. But to debug this further: - what does tcpdump -e -n -i xennet1 show on the routers when you ping the virtual interface from outside the lan? - is the route for the egress path the same as for the ingress path

Re: host to host ipsec link

2007-04-16 Thread Markus Wernig
Stuart Henderson wrote: On 2007/04/16 15:06, Markus Wernig wrote: ... the error message does come from sasyncd. sharedkey [32byte RSA key] the other config lines are ok, the error must be here. aarrgg ... and indeed it was. I had produced that string

encap routes

2007-04-16 Thread Markus Wernig
Hi all Does anybody know what the status of the problem described here is? http://archives.neohapsis.com/archives/openbsd/2005-12/0327.html The problem is that OBSD IPSec gateways will reject packets they have an SA for if they don't have an IP route to the destination (any route, default gw

host to host ipsec link

2007-04-15 Thread Markus Wernig
Hello all I am trying a - what I think is - simple ipsec setup. The point is to ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB, both OBSD 4.0), in order to send pfsync traffic over the encrypted link. Although having read through ipsec, ipsec.conf, isakmpd and friends'

Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote: It seems you just forgot to load your rules. Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your firewalls and everything should just work fine. Hi I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf - to no avail. On the other hand I

Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote: Did you verify that isakmpd is running? Yes. It runs as follows: 11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd) 18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo

Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote: Maybe also try on both firewalls: cd /etc/isakmpd ln -s private/local.pub . Then restart isakmpd and reload the rules. Hi Tried that as well ... still no go. I have disabled pf for setting the enc up. I suppose, that doesn't matter, does it? krgds /markus

Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Hello! Renaud Allard wrote: Markus Wernig wrote: Renaud Allard wrote: Did you verify that isakmpd is running? Yes. It runs as follows: 11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd) 18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo -S is used for redundant

health check for members of round-robin group

2006-09-16 Thread Markus Wernig
Hi everybody! I am looking at implementing a round-robin load-balanced group of servers behind an OBSD firewall. The pf commands would run along the lines [...] table servers persist file /etc/pf.serverlist rdr on $ext_if proto tcp from any to $virtual_ip port 80 \ -> servers

Carp on trunk not working

2006-06-28 Thread Markus Wernig
Hi all I'm trying to build redundancy into two 3.8 boxes with trunk and carp. Both boxes have 2 Nics each (fxp and rl), connected to two unmanaged dumb switches without .1q tagging or other fancies. On both boxes I have: /etc/hostname.rl0 up /etc/hostname.fxp0 up and the corresponding

Re: Carp on trunk not working

2006-06-28 Thread Markus Wernig
When running # sh /etc/netstart manually after login, I get an error SIO... No buffer space available (or similar). When running it a second time right afterwards, no error message appears, and the carp interface goes up, replies to one ping (of a constantly running remote ping) and then goes

Re: pf isakmpd: NAT through encryption interface?

2006-06-28 Thread Markus Wernig
Dag Richards wrote: Um no, it wont work. Once the traffic is encrypted you will no longer be able to nat it. The original packet is now and encrypted blob that is the payload of a new packet with a source of your gateway and dest their GW. you can nat the wrapper packet but not the payload.

Re: Carp on trunk is working since 3.9

2006-06-28 Thread Markus Wernig
Reyk Floeter wrote: retry with 3.9 OK, thanks and sorry for the noise. Works now, but now another thing keeps popping up: I've set the trunkproto to failover on both boxes. Now when I pull the master nic's cable, the time it takes for the other one to take over varies from around 5 to 8

Re: perl - problem 'checksum mismatch' almost solved

2005-12-19 Thread Markus Wernig
Uwe Dippel wrote: [You find this repeatedly in the archive] Since I had this throughout the versions, including 3.8, I looked into this a bit deeper: cpan -MCPAN -e shell and everything subsequent bombs out with a checksum mismatch. [...] A

Re: Trying to understand iostat output

2005-12-14 Thread Markus Wernig
Joachim Schipper wrote: There was a lengthy thread about ccd mirroring here. Search the archives, and check whether it's worth the risk of ccd 'eating your data' first. (If not, go with RAID-1.) Hi Yes, I followed the thread, but to my understanding it was not conclusive that ccd would be

Trying to understand iostat output

2005-12-13 Thread Markus Wernig
Hi all! I have a system (obsd3.8/sparc64) with 2 identical scsi drives (4 partitions + 1 swap each). The largest partition (10G) is mirrored over the 2 drives as a ccd with interleave factor 16. When running iostat during an I/O stress test (writing many small files to the ccd in 10 parallel

Re: dhcpd and static entries

2005-12-12 Thread Markus Wernig
Peter Hessler wrote: I have a dhcp'd network, with static entries for a ton of machines. The problem is that the range is for .10 - .254, and the static entries are scattered throughout. When a random client requests an address, dhcpd will give out a staticly defined entry. So when the

Re: Just confirming: no way to do a pf rdr based on hostname?

2005-12-12 Thread Markus Wernig
Peter Landry wrote: I'm thinking that I can't do it. In that case, my options seem to be 1) use different external IP's for each website, and redirect to different internal servers based on IP 2) redirect all web traffic to the legacy ISA system, which will then redirect based on hostname.

Re: Apache 2.2 doesn't deliver files until killed

2005-12-09 Thread Markus Wernig
Sorry for the sender spoofing in my last mail - the virtual identity plugin to thunderbird got me ... and thus got itself deinstalled promptly. Shame on me. /m

Re: OpenBSD 3.8+Mysql 5.0.16

2005-12-07 Thread Markus Wernig
off-list if needed). krgds /m -- Markus Wernig, Unix/Network Security Engineer - CISSP, CCSA, GPG: CA558BF7, http://xfer.ch - Linux User Group Bern - http://lugbe.ch

Re: isakmpd, preventing subnet clashing using NAT

2005-12-04 Thread Markus Wernig

Re: perl interface to pf?

2005-11-03 Thread Markus Wernig
Jesper Louis Andersen wrote: John N. Brahy wrote: Is there a perl interface to pf? No, and it would be totally insane to build one. Well, the only use that came to my mind was a perl daemon running on the FW that accepts rule updates from a

iwi freezes machine

2005-11-01 Thread Markus Wernig
Hi all I'm trying to configure OBSD 3.8 on a compaq nx7010 laptop to use the built-in Intel PRO/Wireless 2200BG (iwi driver). I've installed the firmware from http://damien.bergamini.free.fr/iwifw/OpenBSD/iwi-firmware-2.3.tgz. The driver loads ok (at least that is my understanding from the

Re: iwi freezes machine

2005-11-01 Thread Markus Wernig
FWIW: If I turn the radio transmitter off, I get the message: ugen0: at uhub2 port 2 (addr 3) disconnected ugen0 detached When I turn it back on, there's: ugen0 at uhub2 port 2 ugen0: ACTIONTEC Bluetooth by hp, rev 1.10/8.02, addr 3 Which are a bit strange to me. USB? Bluetooth? Maybe some
