lrint(INT_MAX) != INT_MAX

2019-07-30 Thread hans
This is what happens on my relatively current OpenBSD bbb.stare.cz 6.5 GENERIC#0 armv7(BeagleBone Black) OpenBSD ppc.stare.cz 6.5 GENERIC#0 macppc (an old MacMini) #include #include #include int main() { long l; double d = INT_MAX; l = lrint(d); p

Re: malloc.conf on BeagleBone Black

2016-05-12 Thread hans
On May 10 18:45:49, h...@stare.cz wrote: > > > > > malloc() warning: unknown char in MALLOC_OPTIONS > > > > if it's only some programs, then it's because those are older programs. > > Yes they are. I will get back after they recompile. Thanks. Indeed, after recompiling the ports (it was on

Re: malloc.conf on BeagleBone Black

2016-05-10 Thread hans
On May 10 12:29:16, t...@tedunangst.com wrote: > hans wrote: > > On May 10 18:02:12, o...@drijf.net wrote: > > > hans wrote on 10 May 2016 17:12:23 CEST: > > > >I started using the wonderful malloc.conf, > > > >setting it to CFGJPRSU. This works on

Re: malloc.conf on BeagleBone Black

2016-05-10 Thread hans
On May 10 18:02:12, o...@drijf.net wrote: > hans wrote on 10 May 2016 17:12:23 CEST: > >I started using the wonderful malloc.conf, > >setting it to CFGJPRSU. This works on amd64 and macppc and i386, > >but on a freshly upgraded current/armv7 (a BeagleBone Black), >

malloc.conf on BeagleBone Black

2016-05-10 Thread hans
I started using the wonderful malloc.conf, setting it to CFGJPRSU. This works on amd64 and macppc and i386, but on a freshly upgraded current/armv7 (a BeagleBone Black), some programs report malloc() warning: unknown char in MALLOC_OPTIONS Each of the flags is documented in the malloc.co

Re: tmux vs UTF8 [solved]

2016-05-02 Thread hans
On May 01 18:14:33, nicholas.marri...@gmail.com wrote: > Jan, please make sure you are running -current (build and install tmux > from CVS HEAD) and if the problem still exists run this I have the HEAD tmux now. > tmux -vvvLtest -f/dev/null new Strangely, with this line, I don't see the problem;

Re: tmux vs UTF8

2016-05-02 Thread hans
shouldn't make > the difference, or should it? I don't think it should. > schwarze@isnote $ setxkbmap -query > rules: base > model: pc105 > layout: us > options:compose:ralt,altwin:left_meta_win > schwarze@isnote $ locale

tmux vs UTF8

2016-04-30 Thread hans
In the last snapshot, it seems, tmux does not do UTF8 input correctly, while xterm is fine. This used to work with the ~/.xsession below. When typing non-ascii in xterm or in a vim-in-an-xterm or a mutt-in-an-xterm, they appear OK. When in a tmux window, they look like garbage. Interestingly, if

Belkin PCMCIA wifi

2016-04-13 Thread hans
I have this Belkin card (model F5D8010) which reports on current/amd64 as unknown vendor 0x17cb product 0x0001 (class network subclass ethernet, rev 0x01) at cardbus1 dev 0 function 0 not configured but does not show up as an interface. What can I do to help make it supported? Jan

Re: Trying to move my httpd chroot

2016-03-20 Thread hans
On Mar 16 20:58:59, alan01...@gmail.com wrote: > I don't have enough room in / to have my htdocs there so I want to > move it to /usr/htdocs. This is in 5.7. No problem I thought, I've > had to do it before. So my /etc/httpd.conf looks like this: > > chroot "/usr/htdocs" Why didn't you use he s

Re: Trying to move my httpd chroot

2016-03-19 Thread hans
On Mar 16 22:04:19, alan01...@gmail.com wrote: > Bingo. /usr does it. One clue I guess was that it was logging into > /usr/logs. With Apache at least the chroot dir wasn't the same as the > document root. With default httpd, it also isn't. > And you don't want the logs dir readable through the

zdump - nonexistent zone

2016-03-15 Thread hans
It seems zdump(8) just displays GMT for zones which do not exist. Is that intended? Jan $ zdump Canada/* Canada/Toronto Canada/Atlantic Tue Mar 15 05:22:21 2016 ADT Canada/Central Tue Mar 15 03:22:21 2016 CDT Canada/East-Saskatchewan Tue Mar 15 02:22:21 2016 C

spamd.conf(5) wording

2016-03-13 Thread hans
Two bits seem unclear in spamd.conf(5), at least to a non-native speaker. # Strings follow getcap(3) convention escapes, other than you # can have a bare colon (:) inside a quoted string and it # will deal with it. "Other that _that_ you can have a bare colon"? # Lists specified with the :

Re: /etc/hosts during install

2016-03-12 Thread hans
On Mar 12 17:25:45, rob...@peichaer.org wrote: > On Sat, Mar 12, 2016 at 05:49:32PM +0100, hans wrote: > > On Mar 12 16:36:37, rob...@peichaer.org wrote: > > > On Sat, Mar 12, 2016 at 04:57:04PM +0100, hans wrote: > > > > Has the attitude towards /etc/hosts change

Re: /etc/hosts during install

2016-03-12 Thread hans
On Mar 12 16:36:37, rob...@peichaer.org wrote: > On Sat, Mar 12, 2016 at 04:57:04PM +0100, hans wrote: > > Has the attitude towards /etc/hosts changed again? > > After a fresh install of current/i386, > > > > 127.0.0.1 localhost > > ::1

/etc/hosts during install

2016-03-12 Thread hans
Has the attitude towards /etc/hosts changed again? After a fresh install of current/i386, 127.0.0.1 localhost ::1 localhost 192.168.22.4 www.stare.cz www The first two I would expect. The last one was assigned to me via DHCP during install; I am changi

Firejail in OpenBSD?

2016-02-25 Thread hans peter
Hello, Firejail secures* the everyday apps that a user uses on an example Desktop machine: Firefox, transmission, etc.: https://firejail.wordpress.com/ Is there any alternatives on OpenBSD for Firejail? Or could it be ported? *The sandbox is lightweight, the overhead is low. There are no complicate

cron - approval failed

2012-12-28 Thread hans
This is what cron said to me on a current/macppc, when incidentally, the machine was just (re)booting: On Dec 28 12:00:01, root wrote: > approval failed for hans Dec 28 12:00:04 www syslogd: exiting on signal 15 Dec 28 12:00:53 www syslogd: start Dec 28 12:00:53 www /bsd: syncing disks... d

Re: Cisco IPSEC proposals

2009-03-05 Thread Hans-Joerg Hoexer
On Thu, Mar 05, 2009 at 02:32:36PM -0700, Cameron Schaus wrote: > I recently configured an IPSEC tunnel between OpenBSD 4.4 machine and a Cisco > gateway. I had trouble during the key exchange because I had configured DH > group 2. The Cisco sent a proposal for DH group 5 with a lifetime of 780

Re: Cisco IPSec Security Association Idle Timers and isakmpd

2009-01-19 Thread Hans-Joerg Hoexer
Hi, On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote: > > I noticed that the cisco end of a VPN I configured on my openBSD sends a > DELETE message after a certain amount of idle time. Which SAs get deleted? isakmp, ipsec or both? HJ.

Re: IPSec to Checkpoint

2008-11-12 Thread Hans-Joerg Hoexer
Support for specifying aes key sizes was added February 2008, thus 4.2 does not provide this. On Wed, Nov 12, 2008 at 03:17:17PM +, Joe Warren-Meeks wrote: > On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: > > Hey there, > > OK, so I've switched to ipsec.conf and it is a lot easier! >

Re: Using OpenBGPD as a route-server

2008-10-31 Thread Hans Vosbergen
er to send the routes received in the communities (yes they all contain the same routes) to every peer on the RS, except for those with AS 7547 and 8392. Was also wondering why you have that prepend rule in #5 while transparent-as is configured? Regards, Hans On Wed, Oct 29, 2008 at 12:08 PM, Cla

Using OpenBGPD as a route-server

2008-10-28 Thread Hans Vosbergen
Hi Misc, I am trying to make OpenBGPD work as a route-server for a little hobby project I am working on. As it's very hard to find configuration examples for this usage on the web I have to turn here. What I am trying to achieve: - A route-server acting as a transparent route distributor. - Cont

Re: ipsec.conf and AES 256

2007-11-19 Thread Hans-Joerg Hoexer
On Mon, Nov 19, 2007 at 12:26:16PM +0100, Mitja Mu?eni? wrote: > As far as I can tell, currently in ipsec.conf there is no way to use AES > with KEY_LENGHT=256. Is anybody working on adding this? Otherwise I might > try it when the time permits. > > I'm thinking that isakmpd should first learn ab

Re: Wasting our Freedom

2007-09-17 Thread Hans-Jürgen Koch
g the door adds to your freedom, don't you think so? Hans

Re: IPSec

2007-09-04 Thread Hans-Joerg Hoexer
Hi, could you try the attached diff, please? Index: message.c === RCS file: /cvs/src/sbin/isakmpd/message.c,v retrieving revision 1.126 diff -u -p -r1.126 message.c --- message.c 2 Jun 2007 01:29:11 - 1.126 +++ message.c

Re: IPSEC.CONF with Dynamic IP address (parse HOST name) doesnt seem to work

2007-09-04 Thread Hans-Joerg Hoexer
Just use a recent snapshot. Support for names instead of ip addresses has been added, mh, at least a year ago. HJ. On Tue, Sep 04, 2007 at 12:32:55PM +0200, * VLGroup Forums wrote: > Hello everyone, > > I have several VPN tunnels between OBSD 3.8 systems (LAN to LAN via > VPN). These all have f

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, On Mon, Sep 03, 2007 at 03:11:35PM +0100, Josi Costa wrote: > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: > KEY_EXCH payload without a group

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
On Mon, Sep 03, 2007 at 02:45:46PM +0100, Josi Costa wrote: > 3des, sha1, PFS disabled. ok, then enable pfs, use modp1024

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, which transforms are configured on the ISA server for phase 2? On Mon, Sep 03, 2007 at 02:21:24PM +0100, Josi Costa wrote: > How can I solve this? Any docs about it? Debugging? > > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote: > > Hi, > > > > O

Re: IPSec

2007-09-03 Thread Hans-Joerg Hoexer
Hi, On Mon, Sep 03, 2007 at 12:59:48PM +0100, Josi Costa wrote: > > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 > port 500 due to notification type NO_PROPOSAL_CHOSEN > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: > KEY_EXCH payload without a group

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
On Thu, Aug 16, 2007 at 06:43:34PM -0700, Steve B wrote: > I made a few changes and did some more testing this evening. > > 1. I changed the /etc/ipsec.conf to bring it in line with the Greenbow > default transforms that Hans-Joerg recommended. > > # cat /etc/ipsec.conf > i

Re: ipsec vpn?

2007-08-16 Thread Hans-Joerg Hoexer
, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote: > > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > > > ike dynamic from any to any \ > > > main auth hmac-sha1 enc aes group modp1024 \ > > > quick auth hmac-sha1 enc ae

Re: ipsec vpn?

2007-08-15 Thread Hans Hoexer
And I should mention, that in the "any to any" case you can not use -K and you have to specify an isakmpd.policy file. On Wed, Aug 15, 2007 at 10:37:59PM +0200, Hans-Joerg Hoexer wrote: > On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > > ike dyna

Re: ipsec vpn?

2007-08-15 Thread Hans-Joerg Hoexer
On Mon, Aug 13, 2007 at 01:30:11AM +0300, Sergey Prysiazhnyi wrote: > ike dynamic from any to any \ > main auth hmac-sha1 enc aes group modp1024 \ > quick auth hmac-sha1 enc aes psk secret > > ; ike passive, ike passive esp, ike esp, etc - no results. On the openbsd gateway you nee

Re: VPN Connection from 4.1 to WatchGuard

2007-08-15 Thread Hans-Joerg Hoexer
On Thu, Aug 09, 2007 at 02:22:31AM +0200, James Lepthien wrote: > Hi, > > I have set up a vpn from my OpenBSD Box (4.1-current) to our company > WatchGuard X700. My problem is that the re-keying > isn't always working and my tunnel does not come up if I send traffic to > the destination network.

Re: isakmpd active mode and phase 1 build-up

2007-08-02 Thread Hans-Joerg Hoexer
On Thu, Aug 02, 2007 at 10:23:59PM +0200, Sven Ulland wrote: > > I'm very (that's putting it mildly) interested in the issues with 4.0 > that you mention. Would you be able to shed some more light on which > issues they were, or point me to references? It would be most > interesting. I'm not sure,

Re: isakmpd active mode and phase 1 build-up

2007-08-02 Thread Hans-Joerg Hoexer
Hi, On Thu, Aug 02, 2007 at 09:23:59PM +0200, Sven Ulland wrote: > I am running OpenBSD 4.0 on amd64, and I'm seeing that isakmpd builds > up a large amount of redundant phase 1 tunnels for one of our peers. > It will only report these when prompted with 'echo r > \ > isakmpd.fifo', it's not shown

Re: IPSec Keylifetime using ipsecctl and ipsec.conf?

2007-07-26 Thread Hans-Joerg Hoexer
Hi, On Thu, Jul 26, 2007 at 10:04:31AM +0200, [EMAIL PROTECTED] wrote: > Hi, > > I am using ipsecctl and /etc/ipsec.conf to create an IPSec tunnel to a > WatchGuard Firebox X700 in my company. It works fine, but the > re-keying always makes some trouble, it does not always work. My > questi

Re: Use certificate subject/ASN1 in ipsec.conf ?

2007-07-20 Thread Hans-Joerg Hoexer
Hi, the Subject Alternative Name of your certificate will be used as phase 2 IDs, ie. that's what is sent. If you want to use the Subject Canonical Name, you have to additionally provide an isakmpd.policy file and you have to run isakmpd without the "-K" option. See isakmpd.policy(5). On Fri, Ju

Re: ipsec vpn with os x clients

2007-07-13 Thread Hans-Joerg Hoexer
Hi, On Thu, Jul 12, 2007 at 05:38:47PM -0800, eric wrote: > I have an OpenBSD 4.1 (OpenBSD 4.1 GENERIC#1435 i386) acting > as a PPPoE NAT router & firewall to my ISP. I'd like to replace my OS > X 10.4 Server IPSEC VPN with the OpenBSD system. My "road warrior" > clients are all OS X 10.4.1

Highpoint RocketRAID 1740.

2007-06-27 Thread Hans Almqvist
Hi all!! I have got hold of a "Highpoint RocketRAID 1740" SATA disk controller. Is there anyone out there that's got a driver for it? /Hasse

Re: isakmpd on OpenBSD 3.7 and OpenBSD 4.0

2007-06-26 Thread Hans-Joerg Hoexer
Hi, please check the errata page for 3.7 [1], patch 6 solves this issue [2]. [1] http://www.openbsd.org/errata37.html. [2] ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/006_nat-t.patch HJ. On Mon, Jun 25, 2007 at 11:35:19AM -0400, catalin visinescu wrote: > Hello, > > I see that Op

Re: Specifying > 1 encryption algorithm in ipsec.conf(5) versus isakmpd.conf(5)

2007-05-29 Thread Hans-Joerg Hoexer
On Mon, May 28, 2007 at 07:02:39PM +0930, Damon McMahon wrote: > Greetings, > > How would I specify that blowfish, AES and 3DES should be accepted - > in that order - in ipsec.conf(5) to configure isakmpd(8)? this is not supported by ipsec.conf(5). > > In the deprecated isakmpd.conf(5) for Ma

Re: couple of questions

2007-05-06 Thread Hans Hoexer
yes, that's possible. See brconfig(8) for instructions. On Sun, May 06, 2007 at 10:07:42PM +0200, Joachim Schipper wrote: > On Sun, May 06, 2007 at 02:56:14PM -0400, Paolo Supino wrote: ... > > 2. I have another project where I'm expanding a network to an adjacent > > building and I can't run ca

Re: isakmpd multiple tunnels

2007-04-16 Thread Hans-Joerg Hoexer
nother relevant IPSEC > configuration? yes. > > Anyone? > > Thanks, > Tim > > Hans-Joerg Hoexer wrote: > >On Thu, Apr 12, 2007 at 11:25:49AM -0600, Tim Pushor wrote: > > > >>Hi friends, > >> > >>I'm looking to add another IP

Re: host to host ipsec link

2007-04-15 Thread Hans-Joerg Hoexer
On Sun, Apr 15, 2007 at 05:26:11PM +0200, Markus Wernig wrote: > > /etc/rc.conf.local > ipsec=YES > isakmpd_flags="-K -f /var/run/isakmpd.fifo" why the -f ...? isakmpd takes care of the fifo itself. You only need "-K", nothing else.

Re: isakmpd multiple tunnels

2007-04-12 Thread Hans-Joerg Hoexer
On Thu, Apr 12, 2007 at 11:25:49AM -0600, Tim Pushor wrote: > Hi friends, > > I'm looking to add another IPSEC connection to my openbsd 3.9 firewall. > All examples I've seen are a single connection (phase 1). To support > multiple vpn's tunnels, is it as simple as adding additional lines under

Re: IPSec help..

2007-04-11 Thread Hans-Joerg Hoexer
On Wed, Apr 11, 2007 at 01:28:28PM -0600, Roy Kim wrote: > I'm trying to setup an ipsec tunnel between an openbsd and a windows > box using X.509 certificates. Phase 1 gets successfully negotiated but > then things crap out at step 1 of phase 2 and I don't have a clue > what's wrong. Any thoughts?

Re: isakmpd, conflict using multiple rules w/o peer address

2007-03-03 Thread Hans Hoexer
Hi, On Fri, Feb 23, 2007 at 12:09:27AM +, Stuart Henderson wrote: > > @0 C set [Phase 1]:Default=peer-default force > C set [peer-default]:Phase=1 force > C set [peer-default]:Authentication=2 force > C set [peer-default]:Configuration=mm-default force > C set [peer-default]:ID=me.mylan.n

Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
more correct diff: Index: ike.c === RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.54 diff -u -p -r1.54 ike.c --- ike.c 24 Nov 2006 08:07:18 - 1.54 +++ ike.c 24 Nov 2006 10:46:19 - @@ -38,17 +3

Re: ipsecctl setting up multiple SAs

2006-11-24 Thread Hans-Joerg Hoexer
Hi, On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote: > I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box > and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP > over IPSEC tunnels]. > > Each SA is between the same two IP endpoints bu

Re: Can't build VPN with ipsecctl

2006-11-23 Thread Hans-Joerg Hoexer
your tunnel is between 193.189.180.192/28 and 193.189.180.208/28 On Thu, Nov 23, 2006 at 01:10:13PM +0100, Mitja wrote: > ... > OpenBSD1 > # ipsecctl -s all > FLOWS: > flow esp in from 193.189.180.208/28 to 193.189.180.192/28 peer > 172.16.16.6 type require > flow esp out from 193.189.180.192/28 t

Re: Wild card greytrapping setup in spamdb

2006-11-08 Thread Hans Kremers
Daniel Ouellet wrote: So, I would like to trapit everything that is not from these 5 emails. Beware that people make mistakes. Someone could just make a typing error in one of these 5 addresses and you end up blocking a legitimate mail server.. H.

Re: VPN interoperability problem with Symantec Enterprise Firewall

2006-10-18 Thread Hans-Joerg Hoexer
Hi, could you please provide a pcap of such an exchange? Thanks, HJ. On Wed, Oct 18, 2006 at 11:57:53AM +0200, Mitja Mu?eni? wrote: > > Just a quick question if anybody has had the same problem, or contrary, if > anybody has a success story with SEF. I'm trying to establish an IPsec > tunnel bet

Re: ipsecctl parser behavior on OpenBSD 4.0 running generic kernel#1137

2006-10-12 Thread Hans-Joerg Hoexer
Hi, On Wed, Oct 11, 2006 at 02:17:42PM -0700, Prabhu Gurumurthy wrote: > > pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs] > 10.200.0.46: [579]$ cat ipsec.conf > remote_gw = "192.168.0.1" > remote_net = "{ 10.0.100.0/22, 10.0.2/24 }" > local_net = "{ 172.16.18.0/26 } > > ike esp from

Re: IPSec roadwarrior configuration?

2006-10-12 Thread Hans-Joerg Hoexer
On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote: >... > Now, there are two caveats to this I didn't yet figure out how to solve. > 1) VPN-B must be able to resolve vpn-b.my.domain to the address of > it's egress interface, otherwise the traffic won't get encapsulated. > Right now I was doing th

Re: Spamassassin install from ports fail.

2006-09-27 Thread Hans Almqvist
Woodchuck wrote: On Wed, 27 Sep 2006, Hans Almqvist wrote: Hi all! I am trying to install Spamassassin from the ports tree on an OpenBSD 3.9 system. I have removed /usr/ports and downloaded a fresh copy starting from scratch. I did one prior run with make which of course gave the same

Spamassassin install from ports fail.

2006-09-27 Thread Hans Almqvist
Hi all! I am trying to install Spamassassin from the ports tree on an OpenBSD 3.9 system. I have removed /usr/ports and downloaded a fresh copy starting from scratch. I did one prior run with make which of course gave the same result. I get the following: *Error in package*: ==

Re: Rotate many Apache logfiles

2006-09-15 Thread Hans van Leeuwen
ery logfile to /etc/newsyslog.conf is one way, but hard to > maintain. Is Apache's own rotatelogs program the way to go? I prefer to use cronolog. It's in ports. Hans

Re: mbuf leak with rl

2006-09-14 Thread Hans van Leeuwen
> dmesg: > rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: irq 11, address > 00:48:54:65:39:5a > rlphy0 at rl0 phy 0: RTL internal PHY rl0 at pci1 dev 10 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:10:a7:0b:16:ed rlphy0 at rl0 phy 0: RTL internal PHY Greetings, Hans

Re: IKE Phase-II fails -> GETSPI: Operation not supported

2006-09-06 Thread Hans-Joerg Hoexer
please provide all information. On Tue, Sep 05, 2006 at 02:50:12PM -0400, John Ruff wrote: > I'm trying implement a IPSec/VPN tunnel and phase-II of the IKE > negotiation is failing with the following errors seen from 'isakmpd - > dKL -D A=90': > > 110340.763012 Default pf_key_v2_get_spi: GETS

Re: IPsec Configuration Questions

2006-09-03 Thread Hans-Joerg Hoexer
what ipsec software is running on the clients? What does your ipsec.conf on the firewall look like? On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote: > Hoping someone can point me in the right direction to get isakmpd working. > > The scenario: > - the router drops all traffic directe

Re: How to mail attachments from the command line?

2006-08-30 Thread Hans Zimmerman
kspittles since 1998! > http://www.playr.co.uk/sudoku/ > http://weblog.vanhegan.net/ > > man uuencode it's in the examples. Kind regards, Hans

Re: sasyncd and ISAKMP SA

2006-08-30 Thread Hans-Joerg Hoexer
On Tue, Aug 08, 2006 at 08:23:39PM +0200, Floroiu, John Williams wrote: > > does sasyncd enable the IPsec failover gateways to also share the ISAKMP SA > (so that DPD exchanges can proceed despite failures)? the ISAKMP SA is not > explicitly mentioned in the help page (and is actually distinct fro

ccd harddisk error?

2006-08-24 Thread Hans van Leeuwen
fails : v=88 m=03 b=01 read_data I'm guessing that one of the disks is broken, but how can I find out which one? And is the data still stored correctly, or does this mean the database will be corrupt? Below you will (hopefully) find all relevant information. Thanks, Hans [EMAIL PROT

Re: ipsec.conf syntax error

2006-08-16 Thread Hans-Joerg Hoexer
Hi, On Wed, Aug 16, 2006 at 09:46:18AM -0400, Stefan wrote: > Hans-Joerg Hoexer wrote: > > this is on -current? > > Sorry, I should have mentioned it. It's 3.9 release. setting the group was added post 3.9.

Re: ipsec.conf syntax error

2006-08-16 Thread Hans-Joerg Hoexer
this is on -current? On Tue, Aug 15, 2006 at 10:46:37PM -0400, Stefan wrote: > Can someone explain why this is giving a syntax error? > > > ike esp from 10.0.0.0/24 to 10.1.0.0/24 peer (remote IP CIDR) \ > main auth hmac-md5 enc 3des group modp1024 \

Re: OPENBSD isakmpd VPN Problems

2006-08-10 Thread Hans-Joerg Hoexer
Hi, On Thu, Aug 10, 2006 at 12:04:08AM -0400, Steve Glaus wrote: > ... > One glaring difference that I can see is that when I connect to the > DLINK I use a passive connection and isakmpd sits and listens for > incoming connections. Could this be a lifetime issue? Tech support at > the other en

Re: IKE DoS - factual?

2006-07-28 Thread Hans-Joerg Hoexer
On Fri, Jul 28, 2006 at 09:32:09AM -0700, Spruell, Darren-Perot wrote: > Word is, there is a flaw in IKEv1 that allows for an attacker to create IKE > sessions faster than previous attempts expire. The security research firm > who found the flaw only lists Cisco VPN devices as being vulnerable whil

Re: VPN help needed: OpenBSD in the corporate environment instead of Linux

2006-07-28 Thread Hans-Joerg Hoexer
On Fri, Jul 28, 2006 at 03:57:02PM -0400, Steven Surdock wrote: > Stuart Henderson wrote: > > On 2006/07/28 06:30, jeraklo wrote: > >> sorry. got to go with the stable branch (3.9). > > > > disadvantages:- > > > > openvpn is more complicated to install on OpenBSD than ipsec > > lots of security f

Re: tcpdump on enc0

2006-07-05 Thread Hans-Joerg Hoexer
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: > Does tcpdump work on enc0? > > -Stephen- > yes: <[EMAIL PROTECTED]:1>$ sudo tcpdump -n -i enc0 Password: tcpdump: WARNING: enc0: no IPv4 address assigned tcpdump: listening on enc0, link-type ENC 19:32:49.036465 (authentic,confiden

Re: isakmpd is not writing to a specified capture file

2006-06-29 Thread Hans-Joerg Hoexer
isakmpd is only allowed to write to files in the /var/run directory. I've updated the manpage accordingly. On Wed, Jun 28, 2006 at 04:37:16PM -0600, Stephen Bosch wrote: > Hi: > > Running OpenBSD 3.8, I cannot get isakmpd to write to a capture file. > > Here is my mount output: > > /dev/wd0a on

Re: Throughput Problem OpenBSD3.9 soekris 4801 isakmpd

2006-06-28 Thread Hans-Joerg Hoexer
On Wed, Jun 28, 2006 at 06:38:42PM +0200, Thomas Bvrnert wrote: > with the vpn1411 crypto card i get only > > 700 - 720 KB/s > CPU 30% > > by the way the driver of the crypto card is buggy. i have > a lot of cards here removed in the last year. i got several > hangs. h

Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-22 Thread Hans-Joerg Hoexer
On Thu, Jun 22, 2006 at 10:22:08AM -0700, Joe wrote: > Dries Schellekens wrote: > >Bihlmaier Andreas wrote: > > > >>>As I say earlier, the hardware is working, but the performance > >>>bottleneck is elsewhere (presumably kernel crypto framework). > > I'm interested in purchasing one of these boar

Re: Help in Setting up "Open-ended" VPN connections

2006-06-14 Thread Hans-Joerg Hoexer
Hi, On Tue, Jun 13, 2006 at 04:10:08PM -0700, Spruell, Darren-Perot wrote: > > To follow that further, is it currently possible to do this kind of > road-warrior setup using ipsecctl/ipsec.conf? Doesn't it require aggressive > mode do to the unknown nature of the peer IP? since c2k6 it almost is

Promise SATA 300 TX4.

2006-05-20 Thread Hans Almqvist
Hi all! Is there anyone out there using this controller successfully with OpenBSD? In other words: Is it supported by this OS? /Hans Almqvist

Re: IPsec / vpn configuration issues

2006-05-04 Thread Hans-Joerg Hoexer
On Thu, May 04, 2006 at 12:31:28PM -0500, Nathan Johnson wrote: ... > The problem is when I try to ping any machine from network A to > 192.168.51.0/24 (gateway B's internal network) besides the gateway > itself (192.168.51.1), ping doesn't work. what does "doesn't" work mean? Do you see the icm

Re: Mounting remote filesystems from OpenBSD to OS X

2006-04-20 Thread Hans-Joerg Hoexer
On Thu, Apr 20, 2006 at 02:11:36PM +0100, Constantine A. Murenin wrote: > Hi, > > I have an OpenBSD (file-)server at a remote location on the internet > that is around 137ms away from an OS X 10.4 laptop. > > Is there a way to securely mount OpenBSD's filesystems from OS X in > such a setting? c

Re: OpenBSD to Cisco VPN - help needed

2006-04-05 Thread Hans-Joerg Hoexer
On Wed, Apr 05, 2006 at 05:13:36PM +1000, Karl Kopp wrote: > > Firstly, I thought I could just use /etc/ipsec.conf (right?) and a > line like this: > > ike esp from 10.1.1.0/24 to 202.1.1.0/24 peer 202.1.1.30 main auth > hmac-md5 enc 3des psk shhhSecret this looks correct. Additionally to the d

Re: IPSEC via isakmpd with identical source networks

2006-04-05 Thread Hans-Joerg Hoexer
On Wed, Apr 05, 2006 at 11:27:03AM +0200, Ingbert Zan wrote: > > Does anybody know how to distinguish between the two flows? you can't. > Of course it would be possible to NAT the two 10/8 networks > on Box 1 and 2. do that.

Re: security hole in sendmail

2006-03-31 Thread Hans van Leeuwen
root. Excuse my question - I don't want to attack our loved project but does that mean that we've got a second remote hole? Don't kick my ass. By default sendmail only listens on the local interface. Hans

Re: I need some help on frequently failing ipsec tunnel.

2006-03-31 Thread Hans-Joerg Hoexer
Hi, On Fri, Mar 31, 2006 at 11:01:03AM +0200, Stefan Sczekalla-Waldschmidt wrote: > > Some days ago one certain vpn-tunnel started failing for an > unpredictable time of some minutes up to an hour. > ( mostly just less than 5 minutes). All other site-link-tunnels stay up > and running. > > a lon

Re: CRK_MOD_EXP on /dev/crypto

2006-03-27 Thread Hans-Joerg Hoexer
On Mon, Mar 27, 2006 at 03:37:42AM -0500, Christopher Thorpe wrote: > dmesg says: > hifn0 at pci0 dev 14 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 > MD5 SHA1 RNG AES PK, 32KB dram, irq 11 > > The drivers support modular exponentiation, but I'm having trouble > finding documentation o

Re: certpatch on obsd 3.8

2006-03-23 Thread Hans-Joerg Hoexer
On Wed, Mar 22, 2006 at 11:30:40PM +0100, Lukas Drbohlav wrote: > > with this in x509v3.cnf > # default settings > CERTUFQDN = "what i have to give there ??!!" the UFQDN, eg. "[EMAIL PROTECTED]". Please take a look at isakmpd(8), where this is explained using FQDN. UFQDN is simila

Re: ipsec.conf manpage

2006-03-21 Thread Hans-Joerg Hoexer
Hi, On Tue, Mar 21, 2006 at 07:27:45PM +1100, Rod Whitworth wrote: > > Total mention in the manpage: > srcid >This optional parameter defines a FQDN that will be used by >isakmpd(8) as the identity of the local peer. > > dstid >Similar to srcid, th

Re: Spam (solutions) and some other practical issues

2006-03-16 Thread Hans van Leeuwen
he archives for more information. Good luck, Hans

Re: ipsecctl and invalid phase 2 IDs

2006-02-22 Thread Hans-Joerg Hoexer
Can you show me the output of "ipsecctl -nvf ..." on both machines. HJ. On Wed, Feb 22, 2006 at 01:08:39PM -0500, Adam wrote: > I am trying to setup a simple vpn between two networks using ipsecctl. > One side is running 3.8 release, the other 3.8 stable. On both sides I > have copied over /etc/

Re: fatal: evp_crypt: EVP_Cipher failed

2006-01-31 Thread Hans-Joerg Hoexer
yes, these cards have issues. The only advice I can give is to set kern.usercrypto=0. I tried to debug this several times, but I did not find a test case that produces this issue reliably. On Mon, Jan 30, 2006 at 04:46:49PM -0600, Sean Cody wrote: > I have been having issues lately with the HiFn

Re: Need advice about VPN

2006-01-18 Thread Hans-Joerg Hoexer
On Wed, Jan 18, 2006 at 11:20:55AM +0100, Joachim Schipper wrote: > > Each will work; OpenVPN is slightly easier to set up, but IPsec will > likely offer better performance. Forget about openvpn, there's no need to fiddle around with third party stuff. Just make sure to take a look at vpn(8). I

Re: ipsecctl writev failed

2005-12-23 Thread Hans-Joerg Hoexer
Hi, On Fri, Dec 23, 2005 at 11:58:14AM -0500, Will H. Backman wrote: > > Reducing the enckey to 160 bits worked. Interesting to note that if a > key is too short, you get a nice warning that the key is too short and > must be 160 bits long. If a key is too long, you don't get a warning, > ju

Re: ipsecctl writev failed

2005-12-21 Thread Hans-Joerg Hoexer
the defaults are hmac-sha2-256 and aesctr which uses a 160 bit key. On Wed, Dec 21, 2005 at 03:25:26PM -0500, Will H. Backman wrote: > OpenBSD 3.8 release. > I'm getting the same errors as this thread: > http://archives.neohapsis.com/archives/openbsd/2005-11/1980.html > I'm trying to use as many d

Re: VPN in OpenBSD 3.8, how to use new tools?

2005-12-18 Thread Hans-Joerg Hoexer
On Sun, Dec 18, 2005 at 06:58:22PM +0100, Lukasz Sztachanski wrote: > ipsecadm(8) isn't new ;) Probably ipsecctl isn't `mature' enough to > handle such setup. Imho, you'll have to use isakmpd- actually web is > full of tutorials and examples of isakmpd configuration; plus, it's very > flexible and c

Re: x509 keys & isakmpd in OBSD 3.8

2005-12-16 Thread Hans-Joerg Hoexer
Hi, On Fri, Dec 16, 2005 at 09:48:06AM +, Gordon Ross wrote: > I'm trying to setup an isakmpd VPN using x509 keys between two OpenBSD > 3.8 boxes. > > To start with, I followed the instructions at > http://www.openbsdsupport.org/vpn-ipsec.html to setup an initial VPN > using pre-shared secret

Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Hans van Leeuwen
Olivier Mehani wrote: On Fri, 09 Dec 2005 13:12:14 +0100 Hans van Leeuwen <[EMAIL PROTECTED]> wrote: CustomLog "|/usr/local/sbin/cronolog -l /var/www/logs/access-hanz.nl /var/www/logs/old/access-hanz.nl.%Y%m%d" combined But you are not using the default chrooted

Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Hans van Leeuwen
Olivier Mehani wrote: On Fri, 09 Dec 2005 11:11:23 +0100 Hans van Leeuwen <[EMAIL PROTECTED]> wrote: Could you please share your preferred methods to rotate the /var/www/logs/, ? I had the same problem, and solved it by using cronolog. From my httpd.conf: CustomLog "

Re: Apache Log Rotation - FAQ 10.16

2005-12-09 Thread Hans van Leeuwen
nz.nl /var/www/logs/old/access-hanz.nl.%Y%m%d" combined Hans

Re: ipsec question

2005-12-01 Thread Hans-Joerg Hoexer
yes, you can. You need to encrypt traffic from/to your laptop to 0.0.0.0/0. So instead of using your gw address, use 0.0.0.0/0. HJ. On Thu, Dec 01, 2005 at 08:00:38AM +0100, raff wrote: > Hi, > I have wireless connection between my machine and router/gateway. > I can set up ipsec connection bet

Re: isakmpd fills my log

2005-11-30 Thread Hans-Joerg Hoexer
On Wed, Nov 30, 2005 at 03:58:07PM +0100, martin wrote: ... > [Phase 1] > 10.10.10.9= ISAKMP-peer-ignition > > [Phase 2] > Connections=IPsec-ignition-soekris this should be a passive connection. Otherwise isakmpd will try to keep this connection up and when this fails it
