trondd | 3 Jul 18:20 2015

All traffic over iked VPN

I'll jump into the current iked/ipsec/VPN discussions going on.

I have used iked to create a road warrior VPN from my OpenBSD laptop to 
an OpenBSD server in a remote data center.  All connections between the 
two are correctly going through the VPN.

What I want to do is force all traffic from the laptop through VPN and 
exit to the internet from the server.  Does that require a pseudo device 
tunnel?  How do I create a tunnel through a firewall where one end point 
is NATed?  I can control the firewall on my network (also OpenBSD) but 
will it work from, say, a hotel?

I feel like this has to have been solved and can't be that hard.  And 
without using openVPN to do it...

Tim.

n.reusse | 3 Jul 10:33 2015
Picon

cvs files from attic show up in update

Dear misc,

i have a script running every night on my openbsd 5.7 -stable box to fetch
the latest sources from cvs. If some files changed, it will send a mail.
This morning i got the following output from last nights run:

    ? gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix

Here is the line of code:

    # update system sources
    cd /usr/src
    /usr/bin/cvs -d ${CVSROOT} -q up -rOPENBSD_5_7 -Pd \
    | /usr/bin/tee ${LOG}

As far as is understand, the testsuite was importet by mistake and moved
to the attic directly after the import approx. 4 years ago:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/gas/.
I also don't have the testsuite-folder on my disk.

Now, is this a problem with cvs or somehow "buggy, but expected"
behaviour? I have ever seen this message before, and i don't see any
activity on binutils in -stable. Or is it safe to filter out line starting
with '?' ?

Any insight is greatly appreciated. 

Thanks and best regards
Nils

(Continue reading)

Łukasz Czarniecki | 3 Jul 10:02 2015
Picon

Re: Is PFSync over IPSec still broken?

Hi,

Pfsync + ipsec setup IS broken.

Links:
http://marc.info/?l=openbsd-misc&m=143463803906528&w=2

Patch to manual page has been applied:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/man/man4/pfsync.4.diff?r1=1.32&r2=1.33

Please remove example of this setup:

"2. Use the ifconfig(8) syncpeer option (see below) so that updates are
unicast directly to the peer, then configure ipsec(4) between the hosts
to secure the pfsync(4) traffic."

from webpage:

http://www.openbsd.org/faq/pf/carp.html

Thanks

Lukasz

W dniu 26.06.2015 o 09:45, Jason McIntyre pisze:
> On Fri, Jun 26, 2015 at 09:05:08AM +0200, ??ukasz Czarniecki wrote:
>> W dniu 25.06.2015 o 12:19, Jason McIntyre pisze:
>>
>>>>> Please fix this bug or remove this example from documentation.
>>>>> For me this setup is broken since 2011.
(Continue reading)

Denis Lapshin | 3 Jul 08:50 2015

iked "ikev2_pld_certreq: invalid certificate request"

Hi,

Can someone help in explaining last two rows of iked -dvv output in time 
of initiating VPN connection?

ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 240
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 
0x00 length 19
ikev2_pld_id: id FQDN/myserver.domain length 15
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 
0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message

Denis

Dale Lindskog | 2 Jul 21:11 2015
Picon

PKG_CACHE directory permissions and pkg_add(1) -n option

It is discouraged but possible to run pkg_add(1), with the -n option, as a 
user other than root.  However, if pkg_add(1) does not have write 
permission to $PKG_CACHE, then error messages are produced.  For example:

$ ls -ld $PKG_CACHE
drwxr-xr-x  2 root  wheel  3072 Jul  2 12:13 /var/pkg_cache
$ pkg_add -vn gcal
pkg_add should be run as root
Update candidates: quirks-2.54 -> quirks-2.54
quirks-2.54 signed on 2015-03-08T12:33:05Z
Fatal error: Ustar 
[ftp://ftp.openbsd.org/pub/OpenBSD/5.7/packages/amd64/gcal-3.6.3p0.tgz][?]: 
Error while reading header
 at /usr/libdata/perl5/OpenBSD/Ustar.pm line 89.

These error messages are less than clear about the underlying permissions 
problem, especially when -v is omitted.  (-v is what produces the first 
line of output: 'pkg_add should be run as root'.)

It is desirable to me (a) to run pkg_add -n as a non-root user and (b) 
that non-root users are unable to write to the PKG_CACHE directory.  One 
solution is for pkg_add(1) to silently omit the attempt to copy the 
package to an unwritable $PKG_CACHE.  Below is a diff that does that, and 
modifies pkg_add(1)'s man page accordingly.

I realize this should go to tech <at> , but I'm worried that I'm being dumb in 
some kind of way, and my understanding is that dumb posts, if they must 
occur, are better sent to misc <at>  first for vetting.  :)

Index: pkg_add.1
(Continue reading)

patrick keshishian | 2 Jul 20:42 2015
Picon

regression with wsdisplay? 2015-06-30 amd64 snap

Just noticed this issue with:

OpenBSD 5.8-beta (GENERIC) #1050: Tue Jun 30 11:10:13 MDT 2015
    deraadt <at> amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

After a sleep/wake cycle I noticed that key-repeat stopped working.

Running top(1) I see that the display isn't being updated, requiring
pressing the space-bar to force an update.

Last snapshot on this laptop without any major issues was:

OpenBSD 5.7-current (GENERIC) #973: Tue Jun  2 09:37:26 MDT 2015
    deraadt <at> amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

One change was I installed a new 9-Cell battery on this laptop.

Ideas?

I'll try a new snap in a few days.

--patrick

dmesg diff:

--- dmesg.boot-snap-20150602	Wed Jun  3 20:38:38 2015
+++ dmesg.boot-snap-20150630	Thu Jul  2 11:29:46 2015
 <at>  <at>  -1,7 +1,7  <at>  <at> 
-OpenBSD 5.7-current (GENERIC) #973: Tue Jun  2 09:37:26 MDT 2015
+OpenBSD 5.8-beta (GENERIC) #1050: Tue Jun 30 11:10:13 MDT 2015
(Continue reading)

[OFFTOPIC] Re: Order Acknowledgement from OpenBSD Store - Order No. 40393

Hi all,

I know this is not related to OpenBSD directly but hope someone might  
help; I ordered a CD set and a rucksack more than one month ago and I  
have not received them yet so I'm wondering what happened. I tried to  
write to the orders email address of the OpenBSD Store but got no  
response.

I spent that money mainly as a contribution but would not mind  
receiving those goods, if someone have an idea how I could contact the  
Store besides calling I would appreciate it.

--

-- 
Best regards,
Jorge Lopez.

Quoting Jorge Gabriel Lopez Paramount <jorge.lopez.paramount <at> googlemail.com>:

> Hi all,
>
> Hope somebody could help, I placed this order one month ago and I  
> had not received the goods in my address, would you please let me  
> know the status of this order? If it has already been delivered, how  
> can I check where the package is?
>
> Thanks for your kind help.
>
> -- 
> Best regards,
> Jorge Lopez.
(Continue reading)

Richard Thornton | 2 Jul 14:08 2015
Picon

RStudio

Has anybody built RStudio for OpenBSD?

Richard

Denis Lapshin | 2 Jul 10:51 2015

iked x509 negotiation problem with BlackBerry OS 10.3.1

Hi,
Have working setup with OpenIKEd and Win7 machine in part of IPsec link 
negotiating by using IKEv2 and MSCHAP-v2. Using certificate and 2048 key 
in *.P12 form.

10.0.20.0/24 is local network
10.0.10.0/24 is IPsec network
DNS server is 10.0.20.1

/etc/iked.conf is:

ikev2 "winauth" passive esp \
         from 10.0.20.0/24 to 10.0.10.0/24 \
         local IP_of_server peer any \
         srcid myserver.domain \
         eap "mschap-v2" \
         config address 10.0.10.10 \
         config netmask 255.255.255.0 \
         config name-server 10.0.20.1 \
#       ikesa auth hmac-sha1 enc 3des group modp2048 \
#       childsa auth hmac-sha1 enc aes-256 group modp2048 \
         tag "$name-$id"

The server machine has working PF with some rules to allow traffic over 
ports {isakmp, ipsec-nat-t} and both protos {ah, esp}.
While IPsec between Win7 and server has established, can ping DNS server 
only. No other traffic can pass in this stage of setup encrypted connection.

But my question is below and about connection setup between BB OS 10.3.1 
and iked only.
(Continue reading)

Craig Skinner | 1 Jul 19:15 2015
Picon

OK?: VIM_TMP=/tmp/vi.recover/$USER//

Hiya,

Would it be a bad idea to set vim's tmp dir to be
a 700 mode user directory below /tmp/vi.recover?

There's this in /etc/rc: /usr/libexec/vi.recover

Here's what I've got at the moment:

$ printenv VIM_TMP
/tmp/$USER/vim//

$ fgrep -i tmp /etc/vim/vimrc
set directory=$VIM_TMP,/tmp//
set backupdir=$VIM_TMP,/tmp//
set undodir=$VIM_TMP,/tmp//

Which gets nuked on boot.

Some users' $HOME is either not writable or non-existant.

Plus I don't want to dump(1) junk on /home

Setting VIM_TMP to /tmp/vi.recover/$USER// seems appealing.

Here are some vim docs I found:
http://vimdoc.sourceforge.net/htmldoc/recover.html
http://vimdoc.sourceforge.net/htmldoc/usr_11.html

Thoughts?
(Continue reading)

lists | 1 Jul 16:47 2015

Re: Leap second

On Wed, Jul 01, 2015 at 10:28:42AM -0400, Peter Pauly wrote:
> Would you mind sharing your ntpd.conf file?

ntpd.conf:

servers pool.ntp.org
constraints from "https://www.google.com"

rc.conf.local:

ntpd_flags=

I'm wondering if there's a discrepancy between ntpd -d and logging?


Gmane