Hello,
I tried (and failed) to set up an IPSEC Tunnel to a LANCOM VPN Router in a
somewhat special constellation:
main mode is ok
quick mode negotiated successfully and established the following flow:
# ipsecctl -s flow
flow esp in from 172.17.0.0/16 to 172.17.7.50 peer a.b.c.d srcid
[EMAIL
Hi,
is AES 256 cipher supported in OBSD 4.1 ipsec implementation?
If it is, how can I specify this as input to ipsecctl (ipsec.conf)?
regards
Christoph
-Original Message-
From: Christoph Leser
Sent: Friday, 21 September 2007 12:58
To: 'n0g0013'
Subject: Re: isakmp phase 2 negotiation failed
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of n0g0013
Sent
-Original Message-
From: Christoph Leser
Sent: Friday, 21 September 2007 16:44
To: '[EMAIL PROTECTED]'
Subject: Re: isakmp phase 2 negotiation failed
w
#$OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5
Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net is NAT'ed to the external interface to provide
internet access to hosts on
If you add this extra section to your isakmpd.conf, do you need to add it to
the remote site too? Does this extra section change the negotiation between the
two endpoints?
Thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Nick Suckling
Subject: Re: NAT/pf before IPSEC
No the other side does not need to know about this additional
section if
you are using NAT as described.
Nick
On Wed, 2005-12-21 at 14:06 +0100, Christoph Leser wrote:
If you add this extra section to your isakmpd.conf, do you
need to add
I came across
http://www.kb.cert.org/vuls/id/226364
which describes some vulnerabilities in IKE Protocol V1 implementations.
That page states (that is at least what I read from it) that it is unknown
whether OpenBSD is affected or not.
Is anything known about this issue? Should I care about
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: NAT/pf before IPSEC
On Wed, 21 Dec 2005, Christoph Leser wrote:
Does this imply that I must not mention VPN-2 in the isakmpd.conf Connections
statement?
Thanks for your help.
I tried with and without and didn't get it working either way. I think
scp from linux to linux via an ipsec tunnel between openBSD gateway and lancom
1611+ router fails (hangs) if tcp window scaling is enabled.
This is my setup:
Redhat Linux ES3 --- dc0 openBSD IPSEC dc1 internet - lancom
1611+ --- Redhat Linux ES4
RHES3 does
scp a.a
I would like to block these messages as they fill up /var/log/messages
A MS windows server with a trunked interface sends packets with either of its
two hardware addresses, causing these messages
Regards
hello,
I would love to set up an openBSD/soekris-based dsl router for accessing the
internet from home (my provider is t-com from germany).
Can anyone here tell me whether there are internal dsl modem cards available
which are supported by openBSD?
It would be sad if I had to install an external
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Aaron W. Hsu
Sent: Monday, 22 September 2008 20:04
To: misc@openbsd.org
Subject: OpenBSD Road Warrior connecting to L2TP/IPSec VPN?
Hello All,
I am trying to connect to my University's
This is interesting. We suffer from spurious connection losses since we
started with OBSD ipsec.
Do you have any details what caused your problem, and why setting
DPD-check-interval helped?
In our environment (we manage openbsd tunnels to cisco 3030
which is out of our scope) we debugged a
I'd like to ask the community:
Will IKE V2 ever become available on a larger scale and will it
eventually replace V1 sometime?
Regards
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Otto Moerbeek
Sent: Friday, 24 October 2008 13:11
To: Sebastian Reitenbach
Cc: misc@openbsd.org
Subject: Re: slow network performance behind cisco
On Fri, Oct 24, 2008 at 12:58:27PM
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Rod Whitworth
Sent: Wednesday, 29 October 2008 07:47
To: OpenBSD general usage list
Subject: Re: How to debug IPSec and PF problem
On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of bofh
Sent: Tuesday, 28 October 2008 16:13
To: OpenBSD general usage list
Subject: Re: J.C. Roberts [EMAIL PROTECTED] saiz
OpenBSD. --We won't miss you.
On Tue, Oct 28, 2008 at 9:55
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Carlos Laviola
Sent: Thursday, 6 November 2008 13:34
To: misc@openbsd.org
Subject: isakmpd routing woes
Hello,
I have three /24 networks connected to each other through
multihomed
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of BARDOU Pierre
Sent: Thursday, 6 November 2008 15:30
To: misc@openbsd.org
Cc: LOUIS Marc
Subject: NAT + IPsec problem
Hello,
I am trying to setup an IPsec connection.
Here is the
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Charlie Clark
Sent: Thursday, 6 November 2008 18:34
To: misc
Subject: openbsd fail2ban
Hi,
I have noticed that people constantly try to brute force sshd on my
openbsd box, on my
I think the mailing lists would be better if it wasn't always full of
people asking stupid questions, and then being answered by people with
ridiculous or uneducated answers.
Not that I want to be here providing the correct answers. Why bother?
They won't be understood, and it isn't worth
Trying to establish an ipsec tunnel to a debian linux box with openswan,
using this entry in ipsec.conf:
ike active esp from 192.168.1.0/24 to 192.168.2.0/24 peer a.b.c.d srcid
[EMAIL PROTECTED] dstid [EMAIL PROTECTED] psk xxx
I get 'PAYLOAD MALFORMED' in the middle of the phase 1
= 61443 (unknown)
On 2008-11-25, Christoph Leser [EMAIL PROTECTED] wrote:
I see the above message in the tcpdump of
/var/run/isakmpd.pcap, when
a cisco router establishes quick mode to my openbsd. The
connect works
ok, just wondering what this message could mean. I have only seen
Hi,
I see the above message in the tcpdump of /var/run/isakmpd.pcap, when a
cisco router establishes quick mode to my openbsd. The connect works ok,
just wondering what this message could mean. I have only seen
'ENCAPSULATION MODE = TUNNEL' in this context.
As connect setup fails in the opposite
as far as I know you need to set the syslogd_flags variable in
/etc/rc.conf.local or /etc/rc.conf
regards
Christoph
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Sma11T0wnITGuy
Sent: Thursday, 11 December 2008 15:35
To:
Just my 1 cent on the perl script
#!/usr/bin/perl
`cd /path-to-dir`;
`rm *`;
will purge your working directory, not /path-to-dir, as each of the `command`
constructs is executed in a process of its own and thus has no influence on
the next command
you would be better off with
#!/usr/bin/perl
I used to configure VPNs using isakmpd.conf, for 2 dozen VPNs, each with
a hand crafted set of parameters (encryption, hmac, key length etc.).
Now I tried to move this setup to ipsec.conf by spelling out the
complete line for every VPN like this:
ike active esp tunnel from a.b.c.d to e.f.g.h
I'm still struggling to keep my ipsec vpns running smoothly.
Is there a reference to a more detailed description of the allowed
isakmp exchanges?
Watching tcpdump for some time gives me a rough impression of what is
going on, but it is hard to tell what's wrong (if anything at all)
when the
After migrating to OBSD 4.4 (from 4.1) I sometimes find that for a
particular VPN (tunnel mode):
1. The corresponding flows are established, as shown by
netstat -rnf encap
and
ipsecctl -sflow
2. The packets sent to the remote site show up in
tcpdump -leni enc0
with a
Hi,
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
This feature is described in
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle
.html#wp1045897
The effect is that the VPN no longer works.
-Original Message-
From: dug [mailto:d...@xgs-france.com]
Sent: Monday, 19 January 2009 17:44
To: Hans-Joerg Hoexer
Cc: Christoph Leser; misc@openbsd.org
Subject: Re: Cisco IPSec Security Association Idle Timers and isakmpd
On 19 Jan 09 at 17:37, Hans-Joerg Hoexer
As described in
http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/22/3364064
there is a problem with the driver for the AMD Geode LX series processor
security block for openBSD 4.4 (glxsb.c).
This has been fixed in version 1.15 of this file, but this fix has not
been committed to 4.4.
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:
In what order are the following operations performed on an IP packet
a. IPSEC (decides whether a packet matches an IPSEC flow)
b. normal kernel routing
c. NAT
d. packet filtering
Are you sure that obsd does not try to initiate the connection at least once?
I have noticed the following problem with cisco:
Some Cisco models delete the security association after an inactivity timeout;
they call it Cisco IPSec Security Association Idle Timers.
When this happens, openBSDs
1723 is PPTP. This uses GRE (generic routing encapsulation).
You must allow this protocol.
And, as far as I know, openBSD cannot NAT this protocol (it is possible to
NAT GRE for PPTP if you peek into the next higher level protocol (PPP in this
case?), but this is not implemented).
So I did
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Aaron Mason
Sent: Wednesday, 2 December 2009 23:14
To: OpenBSD
Subject: Re: IPSec Blues
On Wed, Dec 2, 2009 at 11:02 AM, Bryan Irvine
sparcta...@gmail.com wrote:
Does
Take a look at pdftk. It is a simple command line tool that can do a lot of
things with pdf files: merge, split, rotate, fill forms etc.
http://www.accesspdf.com/pdftk/
Regards
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of
Hi,
from what I see you use the new address translation feature of ipsec 4.7
This requires a nat statement in pf.conf, which is probably missing from your
configuration.
See the section on 'outgoing network address translation' in the man page of
ipsec.conf
Regards
Christoph
Sorry for the noise. I overlooked your nat statement in pf.conf.
But it is wrong; as per the man page you should nat on enc0, not on $ext_if
Hi,
from what I see you use the new address translation feature of ipsec 4.7
This requires a nat statement in pf.conf, which is probably missing from your
Hello,
I have IPSEC VPNs in tunnel mode, configured in ipsec.conf with a line
like:
ike active esp tunnel from my_internal_net to his_internal_net peer
his_gateway_address main_mode_parameters quick_mode_parameters
preshared_key
My isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
I have a problem with ipsec/isakmpd.
I have set up about 20 VPNs to various other sites, all using tunnel mode
(active).
All but one are working fine.
One connection exhibits the following behaviour:
After isakmpd starts, the vpn starts correctly, main and quick mode are
successfully
Hi,
I use the pppoe0 device to connect to my isp. And I use ntpd.
ntpd seems not to be aware of the changing ip address of the interface. It
keeps sending messages with the source address it saw on startup, as can be
seen for netstat -an or pflog.
Is there a signal I can send to ntpd to rebind
Hi,
here my 50 cent:
tcpdump looks good, obsd machine receives first message of phase 1 exchange
and sends a suitable response.
your netgear log says, that no response to first message is received.
this means the response from isakmpd gets lost, either in local pf or in netgear
(don't know if
I forgot to ask:
what are the NAT statements in your pf.conf that you mention? The ipsec
packets should not be NAT'ed in your configuration (although ipsec can go
through NAT in general).
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of jcr
are they sent? Is it a normal behaviour or is
the remote site trying to end the vpn. (remote is a lancom??).
Why is it that isakmpd sometimes tries to reestablish and sometimes it does
not?
Thanks for any hints
Kind regards
Christoph Leser
SP Computersysteme GmbH
Systemhaus für Logistik
Hi,
afaik all access to oracle databases requires oracle client software. the only
exception I know of is JDBC (java database connectivity), which has a thin
client requiring only tcp and the oracle jdbc client, which is pure java.
maybe that is an option.
if not you might connect your ms sql server
address' > /var/run/isakmpd.fifo
echo 'c vpn-name' > /var/run/isakmpd.fifo
Is there anything known about such behaviour?
Thanks
Christoph
Kind regards
Christoph Leser
SP Computersysteme GmbH
Systemhaus für Logistik
Tel: 0711 726410
Mail: [EMAIL PROTECTED]
Amtsgericht Stuttgart HRB
Hi,
I've a question regarding the priority of routing entries.
Please take a look at the following routing table for a machine with 3
ethernet interfaces (
link#1 192.168.0.1 (internal net 1 /24)
link#2 u.v.w.254 (internet /30)
link#4 10.10.60.1 (internal net 2 /24):
netstat
Yes, I can confirm that glxsb.c 1.15 works fine with 4.4. stable.
Now AES 256 works again.
Thanks
-Original Message-
From: Markus Friedl [mailto:markus.r.fri...@arcor.de]
Sent: Tuesday, 20 January 2009 13:53
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: net5501
23:10
To: misc@openbsd.org
Subject: Re: isakmpd does not initiate quick mode after main
mode is established
Christoph Leser le...@sup-logistik.de wrote:
I'm still struggling to keep my ipsec vpns running smoothly.
FWIW, I mostly use IPsec on my home WLAN and I observe a
similar lack
You can use -Djava.awt.headless=true on the Java commandline to start without
x.
Regards
Christoph
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Eugeni Akmuradov
Sent: Saturday, 14 March 2009 11:50
To: misc@openbsd.org
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Tobias Ulmer
Sent: Thursday, 23 April 2009 14:02
To: Thomas Pfaff
Cc: misc@openbsd.org
Subject: Re: Problem with slow disk I/O
On Thu, Apr 23, 2009 at 03:27:42PM +0200,
After I upgraded from openBSD 4.6 to 5.2 I have the following problem with
isakmpd+nat when the remote side is behind a NAT gateway:
openBSD Phase 1 recognizes NAT and switches to port 4500 to send the ID
information.
openBSD Phase 2 then tries to negotiate TUNNEL mode, but the remote side
?
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Christoph Leser
Sent: Saturday, 15 September 2012 15:51
To: misc@openbsd.org
Subject: isakmpd nat problem with openBSD 5.2
After I upgraded from openBSD 4.6 to 5.2 I have the following problem
not
make any difference.
Best Regards / Kind regards
Christoph Leser
SP Computersysteme GmbH
Systemhaus für Logistik
Zettachring 4
70567 Stuttgart
www.sup-logistik.de
Tel.: 0711 72641 0
Fax: 0711 72641 70
Amtsgericht Stuttgart HRB 11921
Managing Directors: Jürgen Probst, Horst Reichert
those values in isakmpd.conf. Never seen those
messages and all works fine.
On 09/17/2012 09:30 PM, Christoph Leser wrote:
After updating to 5.2 current, I noticed that incoming phase-1
requests get dropped due to (from /var/log/messages)
Sep 17 21:20:51 q-dsl isakmpd[951
) would be highly welcome
Kind regards
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD questions
Search the archives for the cisco nat-t problem, I sent a mail with more
details and I think there was a patch
It seems that the patch from Stuart Henderson, proposed on Aug. 4 2012 on tech@,
has not made it into -current yet.
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD
: Monday, 24 September 2012 16:41
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: Router project on OpenBSD questions
On 2012/09/24 13:24, Christoph Leser wrote:
It seems that the patch from Stuart Henderson, proposed on Aug. 4 2012
on tech@ has not made it into -current yet.
I
Thank you for this hint.
I indeed have ike.c r=1.76.
I will refresh my system tonight, give it a try and report my result.
Best Regards
Christoph
-Original Message-
From: Otto Moerbeek [mailto:o...@drijf.net]
Sent: Monday, 24 September 2012 22:03
To: Christoph Leser
Cc
. September 2012 13:45
To: misc@openbsd.org
Cc: Christoph Leser
Subject: Re: Router project on OpenBSD questions
On Tue, Sep 25, 2012 at 05:51:42PM +0100, Stuart Henderson wrote:
On 2012/09/25 18:24, Otto Moerbeek wrote:
On Tue, Sep 25, 2012 at 11:11:19AM +, Stuart Henderson wrote
with
your pf.conf. If you see both, I would believe your tunnel is ok and the
remote side is filtering your icmp or does not route your packet properly into
the (remote) internal net.
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
the debug output
in messages shows for this?
Best Regards / Kind regards
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart
Fasanenhof
EMail: le...@sup-logistik.de
From: Christoph Leser
Sent:
Tuesday, 2 October 2012 14:50
of locore.s is 'Up to date', Revision 1.145
I followed the same procedure some weeks ago (Sep. 25) and had no problems.
dmesg.boot is included at the end of this message.
Best Regards / Kind regards
Christoph Leser
Dmesg.boot:
OpenBSD 5.2 (GENERIC) #278: Wed Aug 1 10:04:16 MDT 2012
Message-
From: Philip Guenther [mailto:guent...@gmail.com]
Sent: Monday, 26 November 2012 21:44
To: Christoph Leser
Cc: 'misc@openbsd.org' (misc@openbsd.org)
Subject: Re: ../../../../arch/i386/i386/locore.s:1755: Error: no such
instruction:
`stac'
On Mon, Nov 26, 2012 at 10:42 AM
(or is RFC3947 dead? it
seems to be a standard proposal since 2005).
Kind regards
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
From: "owner-m...@openbsd.org [owner-m...@openbsd.org]" on behalf of
"Stuart Henderson [s...@spacehopper.org]"
Sent: Saturday, 7 September 2013 00:11
To: misc@openbsd.org
Subject: Re: ISAKMPD NAT/Traversal
On 2013-09-06, Christoph Leser le...@sup-logistik.de wrote:
Hello, list
this matter.
Thanks
Christoph Leser
command
Sep 9 16:09:39 q-dsl isakmpd[13061]: isakmpd: shutting down...
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
behalf of Christoph Leser
Sent: Monday, 9 September 2013 12:13
To: misc@openbsd.org
Subject: Help with ISAKMP Nat
There seems to be no interest in this issue on @misc.
Would it be ok to file a bug for this?
-Original Message-
From: Christoph Leser
Sent: Monday, 9 September 2013 16:45
To: Christoph Leser; misc@openbsd.org
Subject: Re: Help with ISAKMP Nat Traversal Problem needed
Hello,
with ipsecctl I can configure outgoing address translation in ipsec.conf like
this:
ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer
10.10.20.1
Is there an equivalent syntax for isakmpd.conf? (Due to problems with NAT-T I
need to use isakmpd.conf and
address translation question
Christoph Leser le...@sup-logistik.de wrote:
with ipsecctl I can configure outgoing address translation in
ipsec.conf like this:
ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24
peer 10.10.20.1
Is there an equivalent syntax
I read in a 2013 paper by Reyk Floeter about openIKED
(https://www.openbsd.org/papers/openiked-asiabsdcon2013.pdf)
"The design intends to allow operation of both protocol versions on the same
host"
but
"The unprivileged IKEv1 process is currently an empty stub"
Does this mean that I cannot
s?
Kind regards / Best regards / Best wishes
Christoph Leser
Systems Engineering
SP Computersysteme GmbH
Systemhaus für Logistik
Zettachring 4
70567 Stuttgart
www.sup-logistik.de
T: +49 711 726 41-0
F: +49 711 726 41-70
christoph.le...@sup-logistik.de
Amtsgericht