pflow info on 5.1
Hello,

I am running OpenBSD 5.1 as a gateway device with 4 interfaces and am using pflow with the IPFIX protocol. I have read over the docs, but it is not clear whether I can run a NetFlow sensor/emitter per interface. If so, then on the NetFlow server I could query by sensor.

The other thing that came to mind: in the past, with a different vendor, I have set up NetFlow emitters per interface (normally still one per gateway device). Now, pflow does not seem to support that, because from my understanding it is determined by pf. Is that correct? So should I only tag (pflow) on rule sets that are on the external interface, and make sure it is on both the in and out rule sets?

Any help is appreciated.

Thanks,
Michael
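The following is an added example of how the exporter and rule tagging fit together on an OpenBSD 5.1 gateway; it is not configuration from the post above, and the interface names (em0 external, em1 to em3 internal) and the 192.0.2.x addresses are assumptions. It shows the two pieces the question touches: the pflow(4) interface itself, which is where the collector and the IPFIX protocol version are set, and pf.conf, where pflow is a state option on individual rules rather than a property of an interface.

```conf
# /etc/hostname.pflow0 (added example; all addresses are assumptions).
# Each line is handed to ifconfig(8) at boot. flowsrc is the address the
# exporter sends from, flowdst is the collector, and pflowproto 10 selects
# IPFIX instead of the default NetFlow v5.
flowsrc 192.0.2.1 flowdst 192.0.2.10:9995 pflowproto 10
up

# /etc/pf.conf fragment for the same gateway (interface names assumed).
ext_if  = "em0"
int_ifs = "{ em1 em2 em3 }"

# pflow is a per-state option, not a per-interface one: a state is exported
# when the rule that created it carries pflow. With the default floating
# state policy a connection from the inside creates its state on the
# internal interface's rule and then merely matches that state on $ext_if,
# so a pflow tag on the $ext_if rules alone would miss it. if-bound states
# give each interface its own state, so tagging only the $ext_if rules
# exports the traffic that actually crosses the external interface.
set state-policy if-bound

pass in  on $int_ifs keep state
pass out on $ext_if keep state (pflow)
pass in  on $ext_if proto tcp to ($ext_if) port { 22 443 } keep state (pflow)
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it. Since a single state covers both directions of a connection, the tag does not have to be repeated on a matching in and out rule for the same flow; it only has to be on whichever rule creates the state. If the goal is simply to export everything the box forwards, `set state-defaults pflow` applies the option to every state and the per-rule tags can be dropped.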
Re: developer laptop choices
Hey,

I just picked up an IBM ThinkPad T61p. After looking around for about a month and comparing the following:

- cost
- battery life
- compatibility with Linux / BSD

I had it narrowed down to the IBM Lenovo or a Mac. The IBM model was cheaper and had support for dual monitors via a docking station. I currently have dual LCDs. Plus, the T series seems to be a more durable machine; spec-wise, the Mac was going to cost another $1000 to match.

Michael

Ed Ahlsen-Girard wrote:
> I'm curious as to the 'modal' laptop that the developers use - that would probably be a good steer for what to buy.
>
> --
> Ed Ahlsen-Girard

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

Status quo is not an option
Re: IPSEC with Checkpoint Sonicwall ?
Yup ... apparently it is now just a Checkpoint ... Thanks for the catch ..

Michael

Steven Surdock wrote:
> Michael Gale wrote:
>> Hey,
>>
>> I have been asked if we can set up an IPSEC connection with a Checkpoint Sonicwall. Currently I have NO information on the remote end except that it is a Checkpoint Sonicwall :(
>
> You're already starting with bad communication from the remote end.
>
> http://www.checkpoint.com
> http://www.sonicwall.com
>
> Two completely different companies, unless I missed some recent merger.
>
> -Steve S.

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

Each person's work is a portrait of himself - Samuel Butler
IPSEC with Checkpoint Sonicwall ?
Hey,

I have been asked if we can set up an IPSEC connection with a Checkpoint Sonicwall. Currently I have NO information on the remote end except that it is a Checkpoint Sonicwall :(

My past experiences using IPSEC have been on Linux with things like FreeSwan and OpenSwan. Does anyone know if this will work, or maybe can provide some info on possible limitations? I have started going through some docs at http://www.ipsec-howto.org

I believe the remote end wants to use certs instead of keys.

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

Each person's work is a portrait of himself - Samuel Butler
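For the "certs instead of keys" part, this is an added example of what a certificate-authenticated IKE tunnel looks like in OpenBSD's ipsec.conf(5), driven by isakmpd(8); it is not configuration from the post or from either vendor. The gateway addresses, the protected networks and the two FQDN identities are assumptions, and it presumes the remote side has agreed to identify itself by FQDN and to exchange CA certificates in advance.

```conf
# /etc/ipsec.conf (added example; addresses and identities are assumptions).
# Without a "psk" keyword isakmpd(8) authenticates IKE phase 1 with RSA
# signatures: it presents the certificate from /etc/isakmpd/certs/ whose
# subjectAltName matches srcid, signs with /etc/isakmpd/private/local.key,
# and verifies the peer's certificate against the CAs in /etc/isakmpd/ca/.
local_gw   = "198.51.100.1"
remote_gw  = "203.0.113.1"
local_net  = "192.168.1.0/24"
remote_net = "10.10.0.0/16"

# Phase 1 (main) and phase 2 (quick) proposals are spelled out rather than
# left at the defaults so they can be matched to whatever the remote
# administrator configures on their end.
ike esp from $local_net to $remote_net \
    local $local_gw peer $remote_gw \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 \
    srcid vpn.example.net dstid vpn.partner.example
```

`ipsecctl -nf /etc/ipsec.conf` checks the syntax without loading anything; `ipsecctl -f /etc/ipsec.conf` loads the flows and hands the IKE part to a running isakmpd (started with `-K` so it does not expect a keynote policy file), and `ipsecctl -sa` shows the resulting SAs. The identity in dstid has to be exactly what the peer sends and what its certificate's subjectAltName carries; if the remote end identifies itself by certificate DN rather than FQDN, that is a detail to settle with the remote administrator before anything else, since it cannot be guessed from this side.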
Max throughput ?
Hey,

It was suggested that we create an OpenBSD server with 9 GB interfaces to start. 7 will be used right off the bat. This would function as a core router bringing 7 GB networks together on the inside of a main firewall.

I suggested that maybe we would have some bandwidth issues with trying to push that much traffic through a single server. Can anyone comment on this? Would it not be better to use something like a Cisco layer 3 GB switch?

--
Michael Gale

Nothing is impossible to a willing mind. - Monk Hae Chang
Re: IPsec problems with multiple clients behind same NAT
Hey,

Can you UDP encapsulate the IPSEC ESP packets? I believe most IPSEC servers and clients can support this feature, which also helps when going through NAT gateways.

http://www.faqs.org/rfcs/rfc3948.html
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm

Michael

Martin Hedenfalk wrote:
> Hello misc,
>
> I'm having problems with two IPsec tunnels from two different peers behind the same NAT, to the same responder. All hosts are running OpenBSD 4.1, including the NATing gateway.
>
> One peer can connect just fine, but when the other tries to establish a tunnel (with a different tunneled network), the first SA is just deleted. The two peers are now continuously competing. I get a lot of INVALID_COOKIE messages from isakmpd.
>
> It's the same problem as reported in this post:
> http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
> However, the Shared-SADB parameter mentioned doesn't have any effect for me.
>
> I've sort of tracked this down to a call to sa_delete() in ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This function calls sa_lookup_by_peer(), which apparently matches both of my SAs. I disabled the sa_delete() loop and now both of my SAs stay up fine, but I'm not really sure what I've done.
>
> Does anyone (developer?) have any thoughts about this?
>
> TIA
> /Martin

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.

What we need are more people who specialize in the impossible. - Theodore Roethke
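As an added illustration of the UDP encapsulation suggested above, this is what the responder's pf.conf has to admit for RFC 3948 traffic; it is an example written for this page, not configuration from either message, and the external interface name is an assumption. isakmpd(8) negotiates NAT-Traversal on its own when the peer supports it (the `-T` flag turns it off), so there is nothing to switch on in ipsec.conf; the filtering is the part that is easy to get wrong.

```conf
# /etc/pf.conf fragment for an OpenBSD gateway acting as IKE responder
# (added example; interface name is an assumption).
ext_if = "em0"

block all

# IKE starts on UDP 500. Once both sides detect a NAT in the path, IKE and
# the UDP-encapsulated ESP packets move to UDP 4500 (RFC 3948), so both
# ports are needed. Plain ESP stays for peers that are not behind a NAT.
pass in on $ext_if proto udp from any to ($ext_if) port { 500 4500 }
pass in on $ext_if proto esp from any to ($ext_if)
pass out on $ext_if keep state

# Decrypted traffic surfaces on enc0 and is filtered there, not on $ext_if.
# if-bound keeps these states from being matched on the wrong interface.
pass on enc0 keep state (if-bound)
```

The reason this helps across a NAT is visible in the rules: ESP has an SPI but no ports, so a NAT in front of several clients has nothing to multiplex on and can only carry one such peer at a time, whereas the UDP 4500 flows are translated like any other UDP traffic and each client keeps its own source port mapping. On an OpenBSD NAT gateway no special rule is needed for this beyond the ordinary NAT rule for the internal network.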
Support multiple pptp (GRE) Channels ?
Hey,

We are currently testing out OpenBSD 4.1 and have a requirement where we need to support multiple PPTP connections to a single server where the clients are behind a single NAT device. It does not look like OpenBSD can support this requirement; are my assumptions correct?

I came across this mailing list entry:

OpenBSD Security: Subject: Re: Will 3.5 pf support multiple pptp (GRE) Channels ?

--snip--
On the other hand, multiple PPTP connections to the same server are not allowed when there is NAT between clients and server. It is a problem with PPTP, not OpenBSD or NAT.
--snip--

It seems that iptables and the Linux kernel can support this; would this ever be added to OpenBSD?

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.