Re: Openbsd 7.1 installation - disk boot record

2022-04-28 Thread Pawel Kraszewski 
Well, I installed 7.0 (*not* 7.1) on my desktop (old Haswell mobo) -
it rendered computer unstartable (not unbootable). Mobo hung so hard
it couldn't even enter the BIOS. I think I was lucky I didn't install
it on my PCIe-card NVMe... It would be shitty to need it hot-plugged
to a working computer to fix.

I was able to do that as Michael did (unplug, boot other OS, hot-plug,
wipe OpenBSD partition, fix UEFI order).

And I'm pretty used to fact, that a bootable pendrive with OpenBSD
installer (.fs image) renders old HP laptops (ProBooks, EliteBooks
from 2-ish gen Cores era) unbootable in the very same way (hard lock,
can't enter BIOS). I suppose this behavior might have some common root
cause.

-- 
 Paweł Kraszewski
 GPG key: E030 A049 9C33 C1E9 28EA 50C9 821F DA62 0A90 D330
 Tel: +48(604)777447

czw., 28 kwi 2022 o 03:37  napisał(a):
>
> > Hello,
> >
> > Today I tried to do a fresh install of openbsd 7.1. (from usb pendrive). I
> > tried to do a very basic install (accepting the default - without network
> > - with sets from disk) and when getting to the root disk question I used
> > (W)hole disk MBR. Everything went through smoothly, however when rebooting
> > the system the initial boot sequence goes into an endless loop
> > (manufacture logo appearing again and again) - also cannot enter bios
> > setup anymore. Had to remove the ssd, connect via usb and dd with zero the
> > first mb. Tried several things i.e. changing bios options, upgrading bios
> > to latest version, using uefi etc nothing worked. Always same endless boot
> > loop.
> >
> > After some time I found a work around by installing from the 7.0
> > installation image and then upgrading to 7.1. Everything works now.
> >
> > Does anyone know why this might be happening?  It would seem that changes
> > to fdisk did change the MBR (or how it is written) which at least on my
> > machine - old dell e7240 - is preventing it from booting.
> >
> > Any help is highly appreciated.
> >
> > Thanks, Michael
> >
> > P. S. Not sure if this is a bug and if it should be reported.
> >
>
> Hello
>
> I had a similar situation with an old Dell:
>
> The installation of 7.1  went correctly, but when i did a reboot; the
> machine said that there were not a disk!
>
> Then i tried to install 7.0 and the installer gave me a > point! in the
> section available disk.
>
> Is there a form to reestablish the MBR using the installer?
>
> PD:
> Testing i deleted the loop partition with Gparted, and added different new
> mbr. Nothing changed.
>
> Thanks OpenBSD team I feel happy using 7.1 on 3 vms.
>
> Curiosity question:
> 2 of my vms show UTC with # date, and 1 shows the local time; during the
> installation, i marked local time Canada/Pacifi; in all of them, which i
> can see with: #
> date -z Canada/Pacific.
>
> Thanks.
>
>
>

Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Pawel Kraszewski 
First: as others mentioned, tcpdump isn't suited for output rotation
via tools like newsyslog. Even if you manage to restart it with new
log, you'll probably skip some packets. You might implement some sort
of overlap (you start tcpdump to a new file, *then* you kill the old
one and write a tool to seamlessly merge flows)

Second: Non-OpenBSD tcpdump support -C/-G/-W options that do the
rotation automatically (size- and age-based). I don't know if it may
be backported.

Third: Are you sure you want long-running tcpdump? Perhaps netflow
could be enough... See pflow(4) + nfcapd(1). The latter does
autorotation and can call compressor afterwards.

-- 
 Paweł Kraszewski
 GPG key: E030 A049 9C33 C1E9 28EA 50C9 821F DA62 0A90 D330

Re: ipsec traffic is dropped between two machines

2022-03-22 Thread Pawel Kraszewski 
Problem with service working after cross-pinging the other sides seems like
some stateful firewall that needs a nudge from inside.


-- 
Paweł Kraszewski

Re: Re : iked + sasyncd + carp - doesn't take over

2022-03-08 Thread Pawel Kraszewski 
I have some more info (this time from physical machines):

After a switchover I can see incoming flow on enc0 on the new master,
and it IS decoded correctly. It is just not pushed out into the
protected network.

Additionally, the replay counters seem to be all in sync except for
one - return tunnel to client on a backup node has replay counter
inreased by 16384 (for example replay: rpl 167 on master and replay:
rpl 16551 on backup).

-- 
 Paweł Kraszewski

Re: Re : iked + sasyncd + carp - doesn't take over

2022-03-04 Thread Pawel Kraszewski 
Things look like that:

When cluster is up and client is connected:

1/ output of "ipsecctl -v -sa" is perfectly in sync between nodes.
2/ output of "pfctll -sstates" is sync between nodes within 1s delay
(as expected)
3/ output of "ikectl sh sa" is *not* in sync between nodes. Passive
node has null output (I don't know if expected)

I run both sasyncd and iked with -vv, so logging is beefy.

Connection seen from ACTIVE side:

Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_SA_INIT req 0 peer 192.168.1.46:39248 local 192.168.1.160:500, 716
by
tes, policy 'win7'
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_sa_responder_dh: want dh CURVE25519, KE has ECP_256
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_resp_recv: failed to negotiate IKE SA
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_add_error: INVALID_KE_PAYLOAD
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_SA_INIT res 0 peer 192.168.1.46:39248 local 192.168.1.160:500, 38
byt
es
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_SA_INIT req 0 peer 192.168.1.46:39248 local 192.168.1.160:500, 684
by
tes, policy 'win7'
Mar  4 12:33:57 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_SA_INIT res 0 peer 192.168.1.46:39248 local 192.168.1.160:500, 239
by
tes
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_AUTH req 1 peer 192.168.1.46:43052 local 192.168.1.160:4500, 413
byte
s, policy 'win7'
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_AUTH res 1 peer 192.168.1.46:43052 local 192.168.1.160:4500, 1301
byt
es, NAT-T
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_AUTH req 2 peer 192.168.1.46:43052 local 192.168.1.160:4500, 70
bytes
, policy 'win7'
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: eap_parse:
MSCHAP_V2 CHALLENGE id 1 length 26 valuesize 16 name '_iked' length
5
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_AUTH res 2 peer 192.168.1.46:43052 local 192.168.1.160:4500, 92
bytes
, NAT-T
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_AUTH req 3 peer 192.168.1.46:43052 local 192.168.1.160:4500, 124
byte
s, policy 'win7'
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: RESPONSE id 1 length 63 EAP-MSCHAP_V2
Mar  4 12:33:58 ipsec1 iked[6487]: eap_parse: MSCHAP_V2 RESPONSE id 1
length 58 valuesize 49 name 'test' name-length 4
Mar  4 12:33:58 ipsec1 iked[6487]: ikev2_resp_ike_eap_mschap: 'test'
authenticated
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: REQUEST id 2 length 61 EAP-MSCHAP_V2
Mar  4 12:33:58 ipsec1 iked[6487]: eap_parse: MSCHAP_V2 SUCCESS
request id 1 length 56 message
'S=A8F1DF4F002779CC93AB39252353681F96C
B M=Welcome' message-len 52
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_AUTH res 3 peer 192.168.1.46:43052 local 192.168.1.160:4500, 122
byte
s, NAT-T
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_AUTH req 4 peer 192.168.1.46:43052 local 192.168.1.160:4500, 67
bytes
, policy 'win7'
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: RESPONSE id 2 length 6 EAP-MSCHAP_V2
Mar  4 12:33:58 ipsec1 iked[6487]: eap_parse: MSCHAP_V2 SUCCESS response
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_pld_eap: SUCCESS id 2 length 4
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_AUTH res 4 peer 192.168.1.46:43052 local 192.168.1.160:4500, 65
bytes
, NAT-T
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: recv
IKE_AUTH req 5 peer 192.168.1.46:43052 local 192.168.1.160:4500, 97
bytes
, policy 'win7'
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: assigned
address 10.1.0.190 to FQDN/test
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: send
IKE_AUTH res 5 peer 192.168.1.46:43052 local 192.168.1.160:4500, 213
byte
s, NAT-T
Mar  4 12:33:58 ipsec1 sasyncd[3474]: net_send_messages: msg
0x62f175f8000 len 336 ref 1 to peer 10.0.1.162
Mar  4 12:33:58 ipsec1 sasyncd[3474]: net_send_messages: freeing msg
0x62f175f8000
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_childsa_enable: loaded SPIs: 0xe56d3eef, 0x2f538456 (enc
aes-128-gcm)
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699:
ikev2_childsa_enable: loaded flows: ESP-10.0.0.0/24=10.1.0.190/32(0)
Mar  4 12:33:58 ipsec1 iked[6487]: spi=0x47c4ccf08d9d8699: established
peer 192.168.1.46:43052[FQDN/test] local 192.168.1.160:4500[FQDN/v
pn.my.domain] assigned 10.1.0.190 policy 'win7' as responder (enc
aes-128-gcm group curve25519 prf hmac-sha2-256)
Mar

iked + sasyncd + carp - doesn't take over

2022-03-02 Thread Pawel Kraszewski 
Hello!

I'm trying to build a redundant IPSEC VPN concentrator.

What have I done by now:

* I have a working CARP. Verified from each side. 1-2 pings lost.
Works as expected.
* I have a working iked deployment. Test client can connect, sees
internal network as expected.
* I have a working pfsync. Pf states are replicated between nodes.
* I have a working sasyncd. Flows and SADs are replicated between nodes.

What doesn't work:

When the client is connected to a virtual CARP endpoint and I perform
a switchover, the new master doesn't pick up the communication.

NAT-t packages do come to a valid host, they are just not processed.
Iked compains with "ikev2_child_sa_acquire: flow wasn't found"

The full relevant configuration files follow:

Topology:

2 Identical Qemu's, OpenBSD 7.0, no conflicting MAC addresses

em0-s bridged together -> (WAN) -> strongswan on mobile phone
em1-s bridged together -> (LAN) -> IP to ping from mobile
em2-s bridged together -> (sync)

-
sysctl.conf

net.inet.carp.preempt=1
net.inet.ip.forwarding=1

-
hostname.carp0 (differences with | , hosts A|B)

inet 192.168.1.160 255.255.255.0 192.168.1.255 \
 carpdev em0 \
 group VPN \
 pass passwd \
 vhid 1 \
 advskew 0|100

-
hostname.carp1

inet 10.0.0.254 255.255.255.0 10.0.0.255 \
 carpdev em1 \
 group VPN \
 pass passwd \
 vhid 2 \
 advskew 0|100

-
hostname.em0

inet 192.168.1.161|162 255.255.255.0 NONE

-
hostname.em1

inet 10.0.0.161|162 255.255.255.0 NONE

-
hostname.em2

inet 10.0.1.161|162 255.255.255.0

-
hostname.enc0

inet 10.1.0.254 255.255.255.0

-
hostname.pfsync0

up \
  syncdev em2 \
  syncpeer 10.0.1.162|161

-
iked.conf

user "test" "password123"
set mobike
set enforcesingleikesa
set passive

ikev2 "VPN" esp \
from 10.0.0.0/24 to dynamic \
local 192.168.1.160 \
srcid vpn.my.domain \
eap "mschap-v2" \
config address 10.1.0.0/24 \
tag "$name-$id"


-
sasyncd.conf

peer 10.0.1.162|161

control iked
group VPN

interface carp0
listen on em2

sharedkey TAKEN_FROM_EXAMPLE

-
rc.conf.local

iked_flags=
ipsec=YES
sasyncd_flags=
ntpd_flags=NO

-
pf.conf

set skip on lo

pass quick on { em2 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)

block return # block stateless traffic
pass # establish keep-state

block return in on ! lo0 proto tcp to port 6000:6010

block return out log proto {tcp udp} user _pbuild

pass in on em0 proto udp from any to (em0) port {isakmp, ipsec-nat-t}
tag IKED keep state
pass in on em0 proto esp from any to (em0) tag IKED keep state
pass in on em0 from (em0:network) to any
pass in on em1 from (em1:network) to any
pass in on em2 from (em2:network) to any

-

What do I miss?

Best regards,

--
 Paweł Kraszewski

Re: HP notebook and wired temperatures

2013-06-07 Thread Pawel Kraszewski 
> The HP machines tend to have very complicated AML with heavy SMI and
> EC dependencies.  Another vendor which leans this way sometimes is
> Sony.
>
> Some machines do have AML bugs, and the Microsoft/Intel ACPI code
> bases certainly have workarounds for those problems.
>
> Some machines simply use corner areas of ACPI that we handle
> incorrectly.  It takes a lot of effort to find these corner cases and
> handle them correctly.

I'm digging through Google to find exact error on FreeBSD I
enountered, exact walkaround that (sort of) helped and suspected
cause. I remember faintly it was AML construction that failed.
-[tick tock]-
Cant't find it, sorry. I don't remember exact panic data that helped
me find solution. But AFAIR cure was to disable acpica driver.

OTOH, It is BSD that is right. BSDs keep in line with standards. It is
HP that screws things up (for years). I understand - mountain won't
come to BSD, it is BSD that shall go to the the mountain. This is
politics. I hate politics. I have a dream: someone at HP would say "We
are dumbasses. Let's fix BIOS and be such no more".

Paul
--
P.S. And as Theo & the crew is on thread: thanks for OpenBSD as a
whole. Thanks for keeping it small. Thanks for keeping it simple.
Thanks for keeping it powerful. Thanks for manual being so ingenious.

Re: HP notebook and wired temperatures

2013-06-07 Thread Pawel Kraszewski 
2013/6/7 Sven Gaerner :

> Thanks,  I guessed it's an ACPI problem and not an OpenBSD one. But I
> thought one can tell OpenBSD to ignore that useless values.

I stuggle with HP crap at work - pretty recent and expensive one.
FreeBSD just hangs hard during bootup. There is an "official" solution
- disable ACPI part dealing with SMP and run OS single-core :) And
still BSD shows rather hellish temps. That's why I strongly discourage
co-workers, friends and family to buy _any_ HP devices.

> Telling HP that they implemented ACPI the wrong way is IMHO useless. They
> just don't care. And the notebook is about 6.5 years old.

Their standard answer is "Yes, we know. All three users of BSD are indignant".

Paul

Re: HP notebook and wired temperatures

2013-06-07 Thread Pawel Kraszewski 
2013/6/7 Sven Gaerner :

> I installed OpenBSD 5.3 i386 on my HP nc6400 notebook. Now when booting
> the system, the kernel prints
>  acpitz3: critical temperate exceeded (3290 C): shutting down.
>
> This temperature (3290 C) is shown after starting a system that was
> powered off for several hours. After finishing the installation the
> reported temperature was about 4180 C.
>
> The other BSDs also report wired temperates but not that high. Some
> years ago Linux reported about 55 C for the CPU which seems to be
> a more realistic value.

This is just a next chapter of never-ending story of HP screwing up
ACPI tables. This is not OS's fault - it just shows what hardware
sends. Send an email to HP telling them to fix this crap (broken for
well over 10 years).

Greets,
 Paul.