Re: ikev2 and a win7 road warrior host
Have a look at the discussion between me and Mike Belopuhov that took place not so long ago here... We have covered most of the troubles that you might have met following the man pages.

22.05.2012 10:14, Wesley wrote:
> Hi,
>
> I'm trying to have this
>
>   192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
>
> working.
>
> Gw: (OpenBSD 5.1)
>   hostname vpn.X.net
>   lan has 192.168.0.51/24
>   egress has a static ip address: aa.bb.cc.dd
>   lan, egress are groups to easily manage PF.
>
> win7rw: Host Windows 7 Road Warrior with dynamic ip address
>   hostname: win7test
>   ikev2 ip address: 192.168.0.77/24
>
> What I have done:
>
>   pkg_add zip
>   net.inet.ip.forwarding=1
>   2 groups for network cards: lan, egress
>
> PF.conf:
>
>   set block-policy drop
>   set skip on {lo,enc0}
>   match out on egress from lan:network to any nat-to egress
>   block log all
>   pass in on egress proto esp
>   pass in on egress proto udp from any to any port {500,4500}
>   pass in on egress proto tcp from any to any port 22
>   pass out on egress
>   pass on lan
>
> Create certificates:
>
>   ikectl ca vpn create
>   ikectl ca vpn install
>
> Parts that I don't understand, if someone can help me with them:
>
> - For the server, do I need a server certificate for vpn.X.net or for aa.bb.cc.dd?
>
>   ikectl ca vpn certificate ? create    # (for server)
>   ikectl ca vpn certificate ? install   # (for server)
>
> - For win7, do I need a host certificate for win7test or for 192.168.0.77?
>
>   ikectl ca vpn certificate ?? create   # (for win7)
>   ikectl ca vpn certificate ?? export   # (for win7)
>
> - On the GW, /etc/iked.conf:
>
>   ikev2 esp \
>       from any to any peer any \
>       srcid vpn.X.net \
>       config address 192.168.0.77
>
> Run /sbin/iked -dvv
>
> Finally: on the win7, open certmgr.msc to add the certificates, add the 2 pfx certificates to the Trusted Root Certification Authorities store, and create an IKEv2 connection without EAP.
>
> Thank you very much for your help.
>
> Cheers,
> Wesley M.A.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 and a win7 road warrior host
Working iked.conf that runs without a problem:

  ikev2 win7 quick passive esp inet proto udp \
      from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
      srcid local.endpoint.IP.address \
      dstid remote endpoint's certificate distinguished name \
      rsa \
      config address 192.168.126.2 \
      config name-server 192.168.0.126 \
      tag ipsec_$name

The certificate must be issued for the win7 endpoint as described above and imported properly on the Win machine, as well as the CA's certificate.

192.168.126.2 is the IP address that the Win7 machine will get on the IPsec interface. 192.168.0.126 is the nameserver that will be assigned for that interface. The RSA parameter is generally not needed, as well as TAG.

local.endpoint.net can be a FQDN that will be resolved into the IP address of the local endpoint, the point that acts as a responder (the OpenBSD machine running iked). OpenBSD's certificate must be issued to the `host local.endpoint.net' IP address.

peer.endpoint.net is the initiator side (win7 machine). Win7's cert must be issued to that IP.

That scheme works for me right now.

22.05.2012 14:52, Wesley wrote:
> Error 1931: the context has expired and can no longer be used

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 and a win7 road warrior host
22.05.2012 17:23, Pavel Shvagirev wrote:
> peer.endpoint.net is the initiator side (win7 machine). Win7's cert must be issued to that IP.

I mean remote.endpoint.net here.

Two more notes:

1. The Win7 connection should be set up to the OpenBSD's IP address, not the FQDN (the first tab in the connection Properties window).

2. from $local_net to $client_net: $local_net is the macro for the network that is behind the responder side (the OpenBSD server's local subnet, the subnet that the initiator wants to get tunneled access to). $remote_net is the macro for the address pool where you are taking the clients' addresses from (in my case 192.168.126.0/25).

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: IPs in the facebook.com domain accessing OpenBSD firewall
Most likely someone posted a link to a resource in your domain, and your DNS appears to be authoritative for that zone. Sounds quite realistic. There on Facebook might be some kind of parser trying to retrieve a preview for the link or something similar... Anyway, have a look at the DNS server's logs: what exactly do they want from you? =) ... or Zuckerberg must be bored to death =)

17.05.2012 15:50, Siju George wrote:
> Why should facebook servers access my firewall?

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: IPs in the facebook.com domain accessing OpenBSD firewall
Didn't take into account that you do not publish the DNS. That fact makes my assumption wrong. Really, go and log the requests! =)

17.05.2012 15:50, Siju George wrote:
> This traffic is blocked on the external interface of the firewall.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ikev2 between openbsd and windows
Thank you very much for the detailed reply. It helped a lot, though I have something to add.

> 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
> by double-clicking on them.

You should not import the cert by double-clicking on it: it will import into the current user's facility instead of the local computer's. That will cause error message 13806, telling that there is no appropriate computer certificate etc. MMC and the local computer account switch should be used instead.

> 7) Configure iked to do RSA auth w/o EAP (for the start):
>
>   ikev2 win7 passive esp \
>       from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
>       srcid 10.1.0.1 \
>       config address 192.168.1.100 \
>       config name-server 192.168.0.1
>
> Here, 192.168.0.0/24 is the network the client is getting access to,
> 192.168.1.0/24 is a DHCP-like network from which the client is getting
> an ip address (192.168.1.100 specifically). Please note that the code to
> turn this awkwardness into a real (DHCP-like) address pool specification
> is not written yet.
>
> Note that srcid has to match the host that the certificate is issued to,
> otherwise Windows will refuse to connect. Once you do that you can load
> iked and see that it hooks up the server certificate (in the iked -dvv
> output, that is).

This is the most intriguing part :)

  ikev2 win7 esp \
      from 172.16.2.0/24 to 0.0.0.0/0 \
      peer 10.0.0.0/8 local 192.168.56.0/24 \
      eap mschap-v2 \
      config address 172.16.2.1 \
      tag $name-$id

This example is from the man page. `config address' is in the range of `from source', not from the destination subnet. Are you sure it should be like you said? How do I manage the `DHCP-like' addresses? Is this the address range where the client should be granted an IP from, OR is that the client's local private network? I found that dhcpd cannot run on the enc0 interface. How do you manage that?

Now the negotiation seems to be complete, but still the connection cannot be established due to various reasons:

1. The Windows side stops on error #31, "Attached device is not working properly" (looks like a Windows problem though). Have you seen that?

2. EAP mode doesn't work: Windows stops on a "Checking username and password" error. Then #13803, 1931...

> If someone thinks that this might be turned into some sort of a howto or
> FAQ entry or whatever, please feel free to reuse any piece of text.
> Attribution is welcomed but not required.

Your instructions really did the trick: I got rid of those annoying troubles that were caused by strictly following the manuals... I think it should have been written in more detail, covering in detail _every_ network part (with its role) that participates in the negotiation, 'cause sometimes it has contradicting points. Probably it is a matter of individual perception; nevertheless I had what I had, as well as tons of others struggling with that in mail lists across the web =)

Thanks.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
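The 13806 point above (a double-click import puts the .pfx into the current user's store, while the Windows IKEv2 client authenticates as the machine and only looks in the Local Computer stores) can be checked from the client itself. The PowerShell script below is an added example, not part of the thread; it assumes the certificate subjects contain the names given to ikectl (win7test for the client, vpn for the CA), both placeholders to adjust.

```powershell
# Added example (not from the thread): report which Windows certificate
# stores hold the IKEv2 client certificate and the CA certificate.
# IKEv2 machine authentication uses the Local Computer stores; a
# double-click import of the .pfx lands in the Current User stores.
$ClientSubject = "win7test"   # placeholder: name the client cert was issued to
$CaSubject     = "vpn"        # placeholder: name of the ikectl CA

function Find-CertBySubject {
    param([string]$StorePath, [string]$SubjectPart)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$SubjectPart*" }
}

# Expected placement: client cert in Personal (My), CA cert in Trusted Root.
$checks = @(
    @{ Role = "client certificate"; Subject = $ClientSubject;
       Machine = "Cert:\LocalMachine\My";   User = "Cert:\CurrentUser\My" },
    @{ Role = "CA certificate";     Subject = $CaSubject;
       Machine = "Cert:\LocalMachine\Root"; User = "Cert:\CurrentUser\Root" }
)

foreach ($c in $checks) {
    $inMachine = Find-CertBySubject $c.Machine $c.Subject
    $inUser    = Find-CertBySubject $c.User    $c.Subject
    if ($inMachine) {
        Write-Host ("OK: {0} '{1}' found in {2}" -f $c.Role, $c.Subject, $c.Machine)
    } elseif ($inUser) {
        # This is the situation that produces error 13806 on the client.
        Write-Warning ("{0} '{1}' is only in {2}; re-import it with MMC " +
                       "(Certificates snap-in, Computer account) into {3}" -f
                       $c.Role, $c.Subject, $c.User, $c.Machine)
    } else {
        Write-Warning ("{0} '{1}' not found in any store; import the .pfx exported by ikectl" -f
                       $c.Role, $c.Subject)
    }
}

# The client certificate is useless for IKEv2 without its private key,
# which the .pfx carries but a bare .crt import would not.
$client = Find-CertBySubject "Cert:\LocalMachine\My" $ClientSubject
if ($client -and -not ($client | Where-Object { $_.HasPrivateKey })) {
    Write-Warning "Client certificate in LocalMachine\My has no private key; import the .pfx, not the .crt"
}
```

Run it from an elevated PowerShell prompt, since reading the Local Computer stores may otherwise be restricted.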
ikev2 between openbsd and windows
Hi everyone.

Trying to build an ikev2 vpn between OpenBSD 5.1 and Windows 7 via certificates. Windows stops at error message #13843: Invalid payload received. iked -vd output has a 'sa_state: VALID - ESTABLISHED', meaning that the 2nd phase is ok, but just before that line I have:

  ca_getreq: no valid local certificate found

What local cert does it mean? 'ikectl show ca certificates' output is ok; it returns all the certs that I have installed/exported/imported on the Windows side.

Did install both obsd's and win7's certificates like

  ikectl ca caname certificate openbsdmachine create | install | export
  ikectl ca caname certificate win7machine create | install | export

just like it's said in the man page. Google has just one link for that query: openbsd sources =)

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
AR5212
Hi everyone,

Seems like there has been no progress on making AR5212-based Atheros wireless cards 802.11g/n capable. Is there any hope for it in the future?
Re: AR5212
Thanks for the reply. Actually I thought there were some technical troubles like closed specs etc.

02.05.2012 12:47, Peter Hessler wrote:
> Just like everything in OpenBSD, there needs to be people with the desire and time to make them work. We welcome any and all contributions.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: Last Warning Notification
:-D :-D what a kind Webmaster of the Universe (sorry for the offtopic ;) )

11.12.2011 14:18, Webmaster writes:
> that we have upgraded your server to a more reliable and efficient server to serve you better.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
Re: ccd(4) hangs system on two IDE disks concatenation attempt
You are right. The better way would be buying bigger storage, rather than waiting for that stripe to become dead =) Although concatenation was what I intended to play with. Anyway, thank you all for participating. I have fully resolved all my questions.

12.12.2011 04:53, Josh Grosse writes:
> Obviously, an optimal solution would be concatenation. Since that does not exist, the closest matching solution without ccd(4) is RAID0. And no, I haven't tried it; what I wrote was nothing more than a thought experiment.

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
ccd(4) hangs system on two IDE disks concatenation attempt
Hello everyone.

I have faced a problem with ccd(4) on OpenBSD 5.0 i386 GENERIC#43. When I try to serially concatenate two IDE disks with ccd(4), every time I get the system not responding at all. I do the setup strictly following the man pages.

Both disks are connected to one IDE port on the motherboard via one IDE cord. Both disks are connected via mobile racks. Both disks are 100% operable in the usual way, with a separate filesystem on every disk and with separate mount points.

1. I make both disks empty by doing

     dd if=/dev/zero of=/dev/wd{1,2}c bs=8k count=1

2. Then I make one partition with 1 cylinder ahead by

     disklabel -E wd{1,2}

   I specify 1c as the beginning of the partition (1 cylinder, as recommended in the man page) and CCD as its type. Finally both disklabels look like this:

   --
   # disklabel -c wd1
   # /dev/rwd1c:
   type: ESDI
   disk: ESDI/IDE disk
   label: ST380011A
   duid: 090a858d9c19eb41
   flags:
   bytes/sector: 512
   sectors/track: 63
   tracks/cylinder: 255
   sectors/cylinder: 16065
   cylinders: 9729
   total sectors: 156301488
   boundstart: 0
   boundend: 156301488
   drivedata: 0

   16 partitions:
   #                size           offset  fstype [fsize bsize  cpg]
     a:        156285423            16065     ccd
     c:        156301488                0  unused

   # disklabel -c wd2
   # /dev/rwd2c:
   type: ESDI
   disk: ESDI/IDE disk
   label: Maxtor 6Y120L0
   duid: 7dbbd494f9ef2808
   flags:
   bytes/sector: 512
   sectors/track: 63
   tracks/cylinder: 255
   sectors/cylinder: 16065
   cylinders: 14946
   total sectors: 240119615
   boundstart: 0
   boundend: 240119615
   drivedata: 0

   16 partitions:
   #                size           offset  fstype [fsize bsize  cpg]
     a:        240103550            16065     ccd
     c:        240119615                0  unused
   --

3. After that I do

     ccdconfig -c -v ccd0 0 none /dev/wd1a /dev/wd2a

   As soon as I press enter here, the whole system becomes dead. All net links to that machine become dead in a couple of seconds after that command is executed, and the machine does not respond at all.

I have found no way to make it work... Has anyone faced such behavior?

Thanks.
Re: ccd(4) hangs system on two IDE disks concatenation attempt
What can be used instead? softraid(4) will not do, since it cannot concatenate disks, only a kind of RAID0/1 or crypto...

08.12.2011 20:36, Amit Kulkarni writes:
> nobody has worked on ccd for a long time... In fact ccd has been removed post 5.0

--
Best regards,
Pavel Shvagirev
cell: +7 903 195-2807
skype: pavel.shvagirev
Re: ccd(4) hangs system on two IDE disks concatenation attempt
Thank you for the reply. Unfortunately RAID0 is not exactly what I was looking for, 'cause it does not really concatenate disks: it stripes, as you've mentioned. And two disks, 80 and 120 GB, that were to be concatenated will never give ~200 GB with RAID0. As far as I see there is no way to concatenate other than via ccd(4), which is no longer supported and buggy on my machine as well =]

08.12.2011 22:20, Josh Grosse writes:
> The RAID 0 discipline provides full capacity with no redundancy. It is striping rather than concatenation, but it may meet your needs.

--
Best regards,
Pavel Shvagirev
cell: +7 903 195-2807
skype: pavel.shvagirev
Re: ccd(4) hangs system on two IDE disks concatenation attempt
Very good idea! Why didn't I think of that before?.. Thank you very much! Will try.

08.12.2011 23:11, Josh Grosse writes:
> Sure they will. Just factor the size. In your example, use 5 x 40GB partitions:

--
Best regards,
Pavel Shvagirev
cell: +7 903 195-2807
skype: pavel.shvagirev