Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
Have a look at the discussion between me and Mike Belopuhov that took
place not so long ago here... We have covered most of the troubles that
you might have met following the man pages.

22.05.2012 10:14, Wesley wrote:
 Hi,

 I'm trying to have this
 192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
 working.

 Gw : (OpenBSD 5.1) hostname vpn.X.net
 lan has 192.168.0.51/24
 egress has a static ip address : aa.bb.cc.dd
 lan, egress are groups to easily manage PF.

 win7rw : Host Windows7 Road Warrior with
 dynamic ip address
 hostname : win7test
 ikev2 ip address : 192.168.0.77/24

 What I have done :
 pkg_add zip
 net.inet.ip.forwarding=1
 2 groups for network cards : lan,egress

 PF.conf:
 set block-policy drop
 set skip on {lo,enc0}
 match out on egress from lan:network to any nat-to egress
 block log all
 pass in on egress proto esp
 pass in on egress proto udp from any to any port {500,4500}
 pass in on egress proto tcp from any to any port 22
 pass out on egress
 pass on lan

 Create certificates :
 ikectl ca vpn create
 ikectl ca vpn install

 Parts that I don't understand, if someone can help me with them :
 -For the server, do I need a server certificate for vpn.X.net ? or for aa.bb.cc.dd ?
 ikectl ca vpn certificate ? create #(for server)
 ikectl ca vpn certificate ? install #(for server)

 -For win7, do I need a host certificate for win7test ?  or for 192.168.0.77 ?
 ikectl ca vpn certificate ?? create #(for win7)
 ikectl ca vpn certificate ?? export #(for win7)

 -On the GW
 /etc/iked.conf:
 ikev2 esp \
 from any to any peer any \
 srcid vpn.X.net \
 config address 192.168.0.77

 Run /sbin/iked -dvv

 Finally :
 On the win7, open certmgr.msc to add the certificates
 add the 2 pfx certificates in the Trusted Root Certification
 Authorities store
 And create an IKEv2 connection without EAP.

 Thank you very much for your help.

 Cheers,

 Wesley M.A.


-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
Working iked.conf that runs without a problem:

ikev2 win7 quick passive esp inet proto udp \
from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
srcid local.endpoint.IP.address \
dstid remote endpoint's certificate distinguished name \
rsa \
config address 192.168.126.2 \
config name-server 192.168.0.126 \
tag ipsec_$name

A certificate must be issued for the win7 endpoint as described above and
imported properly on the Windows machine, as must the CA's certificate.
192.168.126.2 is the IP address that the Win7 machine will get on the IPsec
interface. 192.168.0.126 is the name server that will be assigned to
that interface. The rsa parameter is generally not needed, nor is tag.

local.endpoint.net - can be an FQDN that will be resolved to the IP
address of the local endpoint - the one that acts as a responder
(the OpenBSD machine running iked). OpenBSD's certificate must be issued to
the `host local.endpoint.net' IP address.

peer.endpoint.net - is the initiator side (the win7 machine). Win7's cert
must be issued to that IP.

That scheme works for me right now.

22.05.2012 14:52, Wesley wrote:
 Error 1931: the context has expired and can no longer be used




Re: ikev2 and a win7 road warrior host

2012-05-22 Thread Pavel Shvagirev
22.05.2012 17:23, Pavel Shvagirev wrote:
 peer.endpoint.net - is an initiator side (win7 machine). Win7's cert
 must be issued to that IP.
I mean remote.endpoint.net here

Two more notes:

1. The Win7 connection should be set up to the openbsd's IP address, not the
FQDN (the first tab in the connection Properties window).
2. from $local_net to $client_net:
$local_net is the macro for the network that is behind the responder
side (openbsd's server local subnet - the subnet that the initiator wants to
get tunneled access to)
$remote_net is the macro for the address pool where you are taking
clients' addresses from (in my case - 192.168.126.0/25).

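A small sanity check, added here and not part of any post in this thread, for the two points the working iked.conf above and the macro explanation in this message make: the `to` network is the client address pool, so `config address` must fall inside it, and a responder policy carries `passive` and a `srcid` that Windows will match against the server certificate. The configuration text, the macro names, the documentation-range srcid 203.0.113.10 and the check rules themselves are constructed assumptions.

```python
import ipaddress
import re

# Constructed iked.conf fragment modelled on the working policy in this thread;
# the srcid is a documentation-range address, not a real host.
SAMPLE_CONF = r"""
local_net="192.168.0.0/24"
client_net="192.168.126.0/25"
ikev2 win7 quick passive esp inet proto udp \
    from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
    srcid 203.0.113.10 \
    config address 192.168.126.2 \
    config name-server 192.168.0.126
"""

def expand_macros(text):
    """Join backslash-continued lines, substitute name="value" macros and
    return only the ikev2 policy lines."""
    text = text.replace("\\\n", " ")
    macros = dict(re.findall(r'^(\w+)\s*=\s*"?([^"\n]+?)"?\s*$', text, re.M))
    for name, value in macros.items():
        text = text.replace("$" + name, value)
    return [l.strip() for l in text.splitlines() if l.strip().startswith("ikev2")]

def parse_policy(line):
    """Pull out the fields the checks below care about."""
    def grab(pattern):
        m = re.search(pattern, line)
        return m.group(1) if m else None
    return {"name": line.split()[1], "passive": "passive" in line.split(),
            "from": grab(r"\bfrom\s+(\S+)"), "to": grab(r"\bto\s+(\S+)"),
            "srcid": grab(r"\bsrcid\s+(\S+)"),
            "address": grab(r"\bconfig\s+address\s+(\S+)")}

def check_policy(pol):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    if not pol["passive"]:
        problems.append("responder policy is not marked passive")
    if not pol["srcid"]:
        problems.append("no srcid; Windows matches it against the server certificate")
    if pol["address"] and pol["to"]:
        addr = ipaddress.ip_address(pol["address"])
        # 'any' is iked shorthand for the whole address space
        pool = ipaddress.ip_network("0.0.0.0/0" if pol["to"] == "any" else pol["to"], strict=False)
        if addr not in pool:
            problems.append(f"config address {addr} is outside the 'to' pool {pool}")
    return problems

def lint(conf=SAMPLE_CONF):
    """Map each policy name to its list of problems."""
    return {p["name"]: check_policy(p) for p in map(parse_policy, expand_macros(conf))}
```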



Re: IPs in the facebook.com domain accessing OpenSBD firewall

2012-05-17 Thread Pavel Shvagirev
Most likely someone posted a link to a resource in your domain, and
your DNS appears to be authoritative for that zone. Sounds quite
realistic. There on facebook there might be some kind of parser trying to
retrieve a preview for the link or something similar...

Anyway, have a look at the DNS server's logs - what exactly do they
want from you? =)

.. or Zuckerberg must be bored to death =)


17.05.2012 15:50, Siju George wrote:
 Why should facebook servers access my firewall?




Re: IPs in the facebook.com domain accessing OpenSBD firewall

2012-05-17 Thread Pavel Shvagirev
Didn't take into account that you do not publish the DNS. That fact
makes my assumption wrong.
Really, go and log the requests! =)

17.05.2012 15:50, Siju George wrote:
 This traffic is blocked on the external interface of the firewall.




Re: ikev2 between openbsd and windows

2012-05-16 Thread Pavel Shvagirev
Thank you very much for the detailed reply. It helped a lot, though I
have something to add.

 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
 by double-clicking on them.
You should not import the cert by double-clicking on it - it will import
into the current user's facility instead of the local computer's. That will
cause error message 13806 telling you that there is no appropriate computer
certificate etc. MMC and the local computer account switch should be
used instead.

 7) Configure iked to do RSA auth w/o EAP (for the start):

 ikev2 win7 passive esp \
 from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
 srcid 10.1.0.1 \
 config address 192.168.1.100 \
 config name-server 192.168.0.1

Here, 192.168.0.0/24 is the network the client is getting access to,
192.168.1.0/24 is a DHCP-like network from which the client is
getting an ip address (192.168.1.100 specifically).  Please
note that the code to turn this awkwardness into a real (DHCP-like)
address pool specification is not written yet.  Note that srcid
has to match the host that the certificate is issued to, otherwise
windows will refuse to connect.

Once you do that you can load iked and see that it hooks up the
server certificate (in the iked -dvv output that is).
This is the most intriguing part :)

   ikev2 win7 esp \
   from 172.16.2.0/24 to 0.0.0.0/0 \
   peer 10.0.0.0/8 local 192.168.56.0/24 \
   eap mschap-v2 \
   config address 172.16.2.1 \
   tag $name-$id

This example is from the man page. `config address' is in the range of
`from source', not from the destination subnet. Are you sure it should be
like you said?

How do I manage the `DHCP-like' addresses? Is this the address range from which
the client should be granted an IP, OR is that the client's local
private network? I found that dhcpd cannot run on the enc0 interface. How do
you manage that?

Now the negotiation seems to be complete but still the connection can
not be established due to various reasons:

1. The Windows side stops on error #31, Attached device is not working
properly (looks like a Windows problem though). Have you seen that?

2. EAP mode doesn't work - Windows stops on a Checking username and
password error. Then #13803, 1931...

 If someone thinks that this might be turned into some sort of a
 howto or FAQ entry or whatever, please feel free to reuse any
 piece of text.  Attribution is welcomed but not required.
Your instructions really did the trick - I got rid of those annoying
troubles that were caused by strictly following the manuals... I think
it should have been written in more detail, covering in detail _every_
network part (with its role) that participates in the negotiation, 'cause
sometimes it has contradicting points. Probably it is a matter of
individual perception; nevertheless I had what I had, as well as tons of
others struggling with that in mail lists across the web =)

Thanks.




ikev2 between openbsd and windows

2012-05-11 Thread Pavel Shvagirev
Hi everyone.

Trying to build an ikev2 vpn between openbsd 5.1 and windows 7 via
certificates. Windows stops at error message #13843 - Invalid payload
received. Iked -vd output has 'sa_state: VALID - ESTABLISHED',
meaning that the 2nd phase is ok, but just before that line I have:

ca_getreq: no valid local certificate found

What local cert does it mean? 'ikectl show ca certificates' output is ok
- it returns all the certs that I have installed/exported/imported on the
windows side.

I did install both obsd's and win7's certificates like

ikectl ca caname certificate openbsdmachine create | install | export
ikectl ca caname certificate win7machine create | install | export

- just like it's said in the man page.

Google has just one link for that query - openbsd sources =)




AR5212

2012-05-02 Thread Pavel Shvagirev
Hi everyone

Seems like there has been no progress in making AR5212-based Atheros
wireless cards 802.11g/n capable. Is there any hope for it in the future?



Re: AR5212

2012-05-02 Thread Pavel Shvagirev
Thanks for the reply.
Actually I thought there were some technical troubles like closed specs
etc..

02.05.2012 12:47, Peter Hessler wrote:
 Just like everything in OpenBSD, there needs to be people with the
 desire and time to make them work.  We welcome any and all
 contributions.




Re: Last Warning Notification

2011-12-11 Thread Pavel Shvagirev
:-D :-D
what a kind Webmaster of the Universe

(sorry for offtopic ;) )

11.12.2011 14:18, Webmaster writes:
 that we have upgraded your server to a
 more reliable and efficient server to serve you better.




Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-11 Thread Pavel Shvagirev
You are right. The better way would be buying bigger storage,
rather than waiting for that stripe to become dead =) Although
concatenation was what I intended to play with.

Anyway thank you all for participating. I have fully resolved all my
questions.

12.12.2011 04:53, Josh Grosse writes:
 Obviously, an optimal solution would be concatenation.  Since that does not
 exist, the closest matching solution without ccd(4) is RAID0.  And no, I
 haven't tried it; what I wrote was nothing more than a thought experiment.




ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-08 Thread Pavel Shvagirev
Hello everyone.

I have faced a problem with ccd(4) on OpenBSD 5.0 i386 GENERIC#43

When I try to serially concatenate two IDE disks with ccd(4), every
time the system stops responding at all.

I do the setup strictly following the man pages. Both disks are connected to
one IDE port on the motherboard via one IDE cable. Both disks are connected
via mobile racks. Both disks are 100% operable in the usual way, with a
separate filesystem on every disk and with separate mount points.

1.
I make both disks empty by doing
dd if=/dev/zero of=/dev/wd{1,2}c bs=8k count=1

2.
Then I make one partition with a 1 cylinder ahead by disklabel -E wd{1,2}
I specify 1c as the beginning of the partition (1 cylinder as
recommended in the man page) and CCD as the type of it.

Finally both disklabels look like this:
--
# disklabel -c wd1
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: ST380011A
duid: 090a858d9c19eb41
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 9729
total sectors: 156301488
boundstart: 0
boundend: 156301488
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:        156285423            16065     ccd
  c:        156301488                0  unused
# disklabel -c wd2
# /dev/rwd2c:
type: ESDI
disk: ESDI/IDE disk
label: Maxtor 6Y120L0
duid: 7dbbd494f9ef2808
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14946
total sectors: 240119615
boundstart: 0
boundend: 240119615
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:        240103550            16065     ccd
  c:        240119615                0  unused
--

3.
After that I do
ccdconfig -c -v ccd0 0 none /dev/wd1a /dev/wd2a

As soon as I press enter here, the whole system becomes dead.
All net links to that machine become dead in a couple of seconds after
that command is executed and the machine does not respond at all.

I have found no way to make it work...

Has anyone faced such behavior?

Thanks.



Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-08 Thread Pavel Shvagirev
What can be used instead?
softraid(4) will not do since it cannot concatenate disks... only a
kind of RAID0/1 or crypto...


08.12.2011 20:36, Amit Kulkarni writes:
 nobody has worked on ccd for long time...In fact ccd has been removed post 5.0




Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-08 Thread Pavel Shvagirev
Thank you for the reply. Unfortunately RAID0 is not exactly what I was
looking for 'cause it does not really concatenate disks - it stripes as
you've mentioned. And two disks, 80 and 120 Gb, that were to be
concatenated will never give ~200Gb with RAID0.

As far as I see there is no way to concatenate other than via ccd(4)
that is no longer supported and buggy on my machine as well =]

08.12.2011 22:20, Josh Grosse writes:
 The RAID 0 discipline provides full capacity with no redundancy. It is
 striping rather than concatenation, but it may meet your needs.




Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-08 Thread Pavel Shvagirev
Very good idea! Why didn't I think of that before?..
Thank you very much! Will try.

08.12.2011 23:11, Josh Grosse writes:
 Sure they will. Just factor the size.  In your example, use 5 x 40GB
 partitions:
