Re: OS X 10.11 'El Capitan' IKEv2

2015-10-03 Thread Or Elimelech
Thanks, verified and works great!
> On 3 Oct 2015, at 3:32 PM, Reyk Floeter <r...@openbsd.org> wrote:
> 
> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>> Hello misc,
>> 
>> Has anyone connected successfully between the new OS X IKEv2 implementation
>> and an OpenBSD box?
>> 
>> Thanks in advance.
>> 
> 
> I got the official update and I successfully connected from El Capitan
> to OSX.  I did it without using profiles, just with the GUI in network
> settings.
> 
> ON OPENBSD:
> 
> - Get -current from yesterday (small fix went in)
> 
> - Configure an IP on enc0 directly (eg. 10.2.0.2 in this case), a dns
> cache, forwarding, PF etc.
> 
> - Configure iked.conf, for example:
> 
> user "user1" "password123"
> ikev2 "ios9" passive esp \
>   from 0.0.0.0/0 to 0.0.0.0/0 \
>   local any peer any \
>   childsa enc 3des \
>   eap "mschap-v2" \
>   config address 10.2.0.1/24 \
>   config name-server 10.2.0.2 \
>   tag "$name-$id"
> 
> - Yes, 3DES. As you see in your log, El Capitan currently only accepts
> 3DES by default.  You can probably change it with the external
> security profiles program.  iOS9 uses AES-128 instead.
> 
> ON OSX:
> 
> - Use "ikectl ca" (or other CA tool) to create ca, keys and certs for
> the gateway and peers.  I recommend to use FQDNs for the certs.
> 
> - Install the ca.pfx and $CERT.pfx on OSX from keychain (import
> objects). Trust the CA for EAP and IPsec.
> 
> - I tested different options in OSX, user-based, "without" auth + shared
> secret, "without" auth + certificate.  Certificate-based auth doesn't
> work since it is two factor EAP-TLS.  User-based is EAP-MSCHAPv2.
> Select the installed certificate. 
> 
> In summary, the GUI part is very easy but certificate configuration is
> a bit difficult.  It's the same complexity as in Windows.  But much
> better compared to earlier IPsec configurations.
> 
> Reyk
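The OpenBSD side of the setup Reyk outlines, assembled in one place as an added example (it is not code from his message or from the OpenBSD project): his iked.conf policy, plus the enc0 address, forwarding sysctl, DNS cache and pf rules he mentions but does not show. The gateway name vpn.example.net, the netmasks, the unbound instance and the pf layout are assumptions; childsa enc 3des stays because the post says El Capitan then accepted nothing else by default.

```conf
# /etc/iked.conf  (policy from the post; comments added)
# Holds a cleartext EAP password: keep this file root-owned and mode 0600.
user "user1" "password123"

ikev2 "ios9" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local any peer any \
    childsa enc 3des \
    eap "mschap-v2" \
    srcid vpn.example.net \
    config address 10.2.0.1/24 \
    config name-server 10.2.0.2 \
    tag "$name-$id"
# childsa enc 3des is the weakest transform iked offers; it is here only
# because, per the post, El Capitan then accepted nothing else by default.
# The post says iOS 9 uses AES-128, so a policy meant for iOS 9 would use
# "childsa enc aes-128" (assumption, not verified here).
# srcid is an assumption: the FQDN in the gateway certificate made with ikectl.

# /etc/hostname.enc0  (the address the post says to put on enc0; netmask assumed)
inet 10.2.0.2 255.255.255.0

# /etc/sysctl.conf  (forward client traffic through the gateway)
net.inet.ip.forwarding=1

# /var/unbound/etc/unbound.conf  (the DNS cache handed out via name-server)
server:
    interface: 10.2.0.2
    access-control: 10.2.0.0/24 allow

# /etc/pf.conf  (minimal; "egress" is the interface group holding the default route)
set skip on lo
block return
pass out on egress
pass out on enc0
# IKEv2, NAT-T and ESP from the road warriors to the gateway
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp from any to (egress)
# decrypted client traffic shows up on enc0; NAT it out through egress
pass in on enc0 from 10.2.0.0/24 to any
match out on egress from 10.2.0.0/24 to any nat-to (egress)
```

The user line is a cleartext credential, so /etc/iked.conf should stay root-owned and mode 0600. With the files in place, enable forwarding, unbound and iked, then run iked -dv in the foreground while the first client connects: a proposal mismatch (the 3DES problem the post describes) shows up there before anything reaches enc0.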



Re: OS X 10.11 'El Capitan' IKEv2

2015-08-17 Thread Or Elimelech
Thanks Reyk, BTW thumbs up for your awesome work.

> On 17 Aug 2015, at 12:39 PM, Reyk Floeter <r...@openbsd.org> wrote:
> 
> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>> Hello misc,
>> 
>> Has anyone connected successfully between the new OS X IKEv2 implementation
>> and an OpenBSD box?
>> 
> 
> No, we don't have the beta.
> 
> Reyk



OS X 10.11 'El Capitan' IKEv2

2015-08-16 Thread Or Elimelech
Hello misc,

Has anyone connected successfully between the new OS X IKEv2 implementation
and an OpenBSD box?

Thanks in advance.



Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Hello Misc

I am trying to install OpenBSD 5.6 on the above machine.

1. While using Lifecycle Controller and "deploy OS" I get a weird disk layout with
an MS-DOS partition which cannot be removed.
2. While trying to init the RAID myself through the RAID controller and init
the RAID 1 I see none of the disks while trying to install.

Has anyone encountered this issue?

Thanks

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Will this solve the problem for sure?

Is it a known issue?

> On Mar 26, 2015, at 12:56 PM, Hrvoje Popovski <hrv...@srce.hr> wrote:
> 
> On 26.3.2015. 11:40, Or Elimelech wrote:
>> Hello Misc
>> 
>> I am trying to install OpenBSD 5.6 on the above machine.
>> 
>> 1. While using Lifecycle Controller and "deploy OS" I get a weird disk layout 
>> with an MS-DOS partition which cannot be removed.
>> 2. While trying to init the RAID myself through the RAID controller and init
>> the RAID 1 I see none of the disks while trying to install.
>> 
>> Has anyone encountered this issue?
>> 
>> Thanks
> 
> Hi,
> 
> wait for 5.7 or install current ...



Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Thanks mate, current works like a charm.


> On Mar 26, 2015, at 2:23 PM, Hrvoje Popovski <hrv...@srce.hr> wrote:
> 
> On 26.3.2015. 12:40, Or Elimelech wrote:
>> Will this solve the problem for sure?
>> 
>> Is it a known issue?
> 
> well, dell r630 is really new hardware and there were a few issues with
> h330 and h730 at the beginning of 2015
> 
> you could try current just to see whether you will be able to install openbsd on
> it...



ix(4) X710-DA4

2015-02-19 Thread Or Elimelech
Hi,

I’m purchasing 2 new firewalls and I wonder if the ix(4) driver supports 
X710-DA4.

Has anyone tried this in production?

Thanks



Re: ix(4) X710-DA4

2015-02-19 Thread Or Elimelech
Thanks but I need it ASAP

I will pass, I ordered X520 instead.


> On Feb 19, 2015, at 2:08 PM, Jonathan Gray <j...@jsg.id.au> wrote:
> 
> On Thu, Feb 19, 2015 at 10:11:36AM +0200, Or Elimelech wrote:
>> Hi,
>> 
>> I'm purchasing 2 new firewalls and I wonder if the ix(4) driver supports 
>> X710-DA4.
>> 
>> Has anyone tried this in production?
>> 
>> Thanks
> 
> Someone needs to port Intel's ixl/i40e driver from FreeBSD before those
> cards will work.



new support country

2015-01-28 Thread Or Elimelech
0
C Israel
T Tel Aviv
I Or Elimelech
M 0r3limel...@gmail.com
U http://or-e.net/about
N 5 years OpenBSD, firewalling PF, load balancing, configuration management
etc.




Re: NPPPD

2013-12-09 Thread Or Elimelech
npppd.conf
# Global

## Max sessions
set max-session 100

## Max user-sessions
set user-max-session 1


# Tunnel

tunnel L2TP protocol l2tp {
    listen on 192.168.38.15
}


# IPCP

ipcp IPCP {
    pool-address 10.0.0.2-10.0.0.254
    dns-servers 192.168.10.242
}


# Interface

interface tun0 address 10.0.0.1 ipcp IPCP


# Authentication

authentication RADIUS type radius {
    authentication-server {
        address 192.168.10.242 secret secret
    }
}

bind tunnel from L2TP authenticated by RADIUS to tun0


ipsec.conf

ike passive esp transport \
   proto udp from 1.2.3.4 to any port 1701 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes group modp1024 \
   psk secret

And again, everything is working on all clients; I can work over the VPN.

Windows clients are connecting but after the connection is made I cannot get 
anywhere.

My client config is L2TP/IPsec with a secret, optional encryption and MSCHAPv2,
and I set the connection to use the VPN gateway.



- Original Message -
From: Giancarlo Razzolini <grazzol...@gmail.com>
To: Or Elimelech <o...@xwise.com>, OpenBSD general usage list 
<misc@openbsd.org>
Sent: Monday, December 9, 2013 2:54:42 PM
Subject: Re: NPPPD

On 09-12-2013 05:38, Or Elimelech wrote:
> Hi, 
> 
> I've configured an npppd server and clients for Linux, Android, iOS, OSX and 
> Windows. 
> This works on all platforms when routing all traffic through VPN except for 
> Windows clients. 
> 
> I can connect to the vpn and I get a route for 0.0.0.0 mask 0.0.0.0 vpn 
> interface 
> 
> but ipconfig shows me 10.0.0.50 with 255.255.255.255 and 0.0.0.0 GW 
> 
> After that I cannot get any traffic out. 
> 
> Best regards 

Or,

For us to help you we need a little more detail. Things like "it
works but not all the time" or "it does not work on Windows" are not very
helpful. The problem can be a misconfiguration of npppd, the pf rules,
routing issues, or problems with the Windows clients themselves, things
like anti-virus, firewalls, etc. They could all be the problem. Try to
elaborate a little more on the next one.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
___
The sender of this email is not authorized to bind XWise Marketing or any of 
its affiliate companies (hereby: the Companies)
or to make any representations, contracts, or commitments on behalf of the 
Companies.

The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others 
authorized to receive it.   
It may contain confidential or legally privileged information. If you are not 
the intended recipient you are hereby notified that any disclosure, 
copying, distribution or taking any action in reliance on the contents of this 
information is strictly prohibited and may be unlawful. 
If you have received this communication in error, please notify us immediately 
by forwarding this email to le...@xwise.com and then delete 
it from your system.

The Companies are neither liable for the proper and complete transmission of 
the information contained in this communication nor for any delay in its 
receipt. 



Re: NPPPD

2013-12-09 Thread Or Elimelech
Giancarlo,

Thanks for the article, though it did not solve the problem,
so it's not an MTU issue. I'm not getting any answers from the DNS server 
and I also cannot ping anywhere, even by IP.
It's like there's a connection to the VPN but nowhere else.

- Original Message -
From: Giancarlo Razzolini <grazzol...@gmail.com>
To: Or Elimelech <o...@xwise.com>
Cc: OpenBSD general usage list <misc@openbsd.org>
Sent: Monday, December 9, 2013 3:54:58 PM
Subject: Re: NPPPD

On 09-12-2013 11:11, Or Elimelech wrote:
> npppd.conf
> # Global
> 
> ## Max sessions
> set max-session 100
> 
> ## Max user-sessions
> set user-max-session 1
> 
> 
> # Tunnel
> 
> tunnel L2TP protocol l2tp {
>     listen on 192.168.38.15
> }
> 
> 
> # IPCP
> 
> ipcp IPCP {
>     pool-address 10.0.0.2-10.0.0.254
>     dns-servers 192.168.10.242
> }
> 
> 
> # Interface
> 
> interface tun0 address 10.0.0.1 ipcp IPCP
> 
> 
> # Authentication
> 
> authentication RADIUS type radius {
>     authentication-server {
>         address 192.168.10.242 secret secret
>     }
> }
> 
> bind tunnel from L2TP authenticated by RADIUS to tun0
> 
> 
> ipsec.conf
> 
> ike passive esp transport \
>    proto udp from 1.2.3.4 to any port 1701 \
>    main auth hmac-sha1 enc aes group modp1024 \
>    quick auth hmac-sha1 enc aes group modp1024 \
>    psk secret
> 
> And again, everything is working on all clients; I can work over the VPN.
> 
> Windows clients are connecting but after the connection is made I cannot get 
> anywhere.
> 
> My client config is L2TP/IPsec with a secret, optional encryption and MSCHAPv2,
> and I set the connection to use the VPN gateway.
> 
> 
> 
> - Original Message -
> From: Giancarlo Razzolini <grazzol...@gmail.com>
> To: Or Elimelech <o...@xwise.com>, OpenBSD general usage list 
> <misc@openbsd.org>
> Sent: Monday, December 9, 2013 2:54:42 PM
> Subject: Re: NPPPD
> 
> On 09-12-2013 05:38, Or Elimelech wrote:
>> Hi, 
>> 
>> I've configured an npppd server and clients for Linux, Android, iOS, OSX and 
>> Windows. 
>> This works on all platforms when routing all traffic through VPN except for 
>> Windows clients. 
>> 
>> I can connect to the vpn and I get a route for 0.0.0.0 mask 0.0.0.0 vpn 
>> interface 
>> 
>> but ipconfig shows me 10.0.0.50 with 255.255.255.255 and 0.0.0.0 GW 
>> 
>> After that I cannot get any traffic out. 
>> 
>> Best regards 

Or,

From what I could get, it could be a problem with MTU. I've had these
problems with Windows and since it's on the client side, there is no
easy fix. If you can ping both sides, but when heavier traffic goes
through the pipe it hangs, it's very likely to be it. You can
verify it using ping packets with big payloads; I believe that this
article:
http://www.sevenforums.com/tutorials/94721-mtu-limit-test-change-your-connection-s-mtu-limit.html
can help.

If it is indeed an MTU problem, the article shows a solution that must
be used for all your clients. Or you could try using a different VPN
solution.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



NPPPD

2013-12-08 Thread Or Elimelech
Hi, 

I've configured an npppd server and clients for Linux, Android, iOS, OSX and 
Windows. 
This works on all platforms when routing all traffic through VPN except for 
Windows clients. 

I can connect to the vpn and I get a route for 0.0.0.0 mask 0.0.0.0 vpn 
interface 

but ipconfig shows me 10.0.0.50 with 255.255.255.255 and 0.0.0.0 GW 

After that I cannot get any traffic out. 

Best regards 

-- 


Or Elimelech 


System Administrator 


Mail: o...@xwise.com 


Tel. +97237553300 ext. 2212 
M. +972543266051 




Re: NPPPD and IPSec

2013-12-03 Thread Or Elimelech
Thanks, I fixed it using the same config I wrote.
The problem is my npppd server is behind NAT and my Windows client needed the
AssumeUDP registry modification.
Thank you again

Sent from my iPhone

> On Dec 3, 2013, at 12:28 AM, Frans Haarman <franshaar...@gmail.com> wrote:
> 
> I have used this with windows 7 and osx:
> 
> ike passive esp transport \
>     proto udp from $public_ip to any port 1701 \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc aes \
>     psk 
> 
> 
> 2013/12/2 Or Elimelech <o...@xwise.com>
>> Hi,
>> 
>> I'm having trouble configuring Windows clients with L2TP over IPsec.
>> This config works great on OSX/iOS/Android/Linux.
>> 
>> I do not know which type of auth/enc/group I should use for Windows
>> clients.
>> 
>> I currently use OpenBSD 5.4 with the following
>> 
>> ike passive esp transport \
>>     proto udp from 1.2.3.4 to any port 1701 \
>>     main auth hmac-sha1 enc aes group modp1024 \
>>     quick auth hmac-sha1 enc aes group modp1024 \
>>     psk secret
>> 
>> Thank you so much and keep up the good work I love the OpenBSD project



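The server side of the L2TP/IPsec setup from this thread and from the NPPPD thread above, as an added example that is not taken from either post: the posted npppd.conf and ipsec.conf with comments, and the sysctl and pf lines neither post shows. It assumes the box holds 192.168.38.15 on its egress interface behind a NAT gateway that forwards UDP 500 and 4500 to it, as the fix above describes; that address, the "changeme" placeholders and the pf layout are assumptions.

```conf
# /etc/npppd/npppd.conf  (from the post, re-indented; comments added)
set max-session 100
set user-max-session 1

tunnel L2TP protocol l2tp {
    # the address this box actually holds; behind NAT that is the private one
    listen on 192.168.38.15
}

ipcp IPCP {
    pool-address 10.0.0.2-10.0.0.254
    dns-servers 192.168.10.242
}

interface tun0 address 10.0.0.1 ipcp IPCP

authentication RADIUS type radius {
    authentication-server {
        # RADIUS shared secret: a long random value, not the word "secret"
        address 192.168.10.242 secret changeme
    }
}

bind tunnel from L2TP authenticated by RADIUS to tun0

# /etc/ipsec.conf  (IKEv1, transport mode, protecting only UDP/1701)
# The 1.2.3.4 of the post has to be an address isakmpd holds on this box, so
# behind NAT it is the private address; the NAT gateway forwards UDP 500/4500.
ike passive esp transport \
    proto udp from 192.168.38.15 to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk "changeme"
# modp1024 is 1024-bit DH; keep it only as long as the clients need it.

# /etc/sysctl.conf  (forwarding for the clients, pipex for npppd)
net.inet.ip.forwarding=1
net.pipex.enable=1

# /etc/pf.conf  (minimal; adapt to the local policy)
set skip on lo
block return
pass out
# IKE, NAT-T and ESP from the clients
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp from any to (egress)
# L2TP arrives on enc0 once decrypted; the PPP sessions appear on tun0
pass in on enc0 proto udp from any to (egress) port 1701
pass in on tun0 from 10.0.0.0/24 to any
match out on egress from 10.0.0.0/24 to any nat-to (egress)
```

For the Windows side, the registry change the post calls AssumeUDP is the DWORD AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent: 1 lets the client talk to a server behind NAT, 2 is needed when both ends are behind NAT, and the client must be rebooted afterwards. Because the IKEv1 PSK is one secret shared by every client, anyone who has it can pose as the gateway to the other clients; the per-user check is the MSCHAPv2 exchange against RADIUS inside the tunnel, which is why the RADIUS secret and the PSK both deserve real values.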



NPPPD and IPSec

2013-12-02 Thread Or Elimelech
Hi, 

I'm having trouble configuring Windows clients with L2TP over IPsec. 
This config works great on OSX/iOS/Android/Linux. 

I do not know which type of auth/enc/group I should use for Windows clients. 

I currently use OpenBSD 5.4 with the following 

ike passive esp transport \ 
proto udp from 1.2.3.4 to any port 1701 \ 
main auth hmac-sha1 enc aes group modp1024 \ 
quick auth hmac-sha1 enc aes group modp1024 \ 
psk secret 

Thank you so much and keep up the good work I love the OpenBSD project 
