cdio burning images

19 messages

cdio burning images

John Tate-8
# cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
cdio: The media can't be written in TAO mode

What am I doing wrong?


--
www.johntate.org


Re: cdio burning images

Neal Hogan
On Fri, Nov 11, 2011 at 6:07 AM, John Tate <[hidden email]> wrote:
> # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
> cdio: The media can't be written in TAO mode
>
> What am I doing wrong?
>
>

I'm guessing the full device path is needed (i.e., /dev/cd0c).
However, consider the faq (
http://www.openbsd.org/faq/faq4.html#MkInsMedia ):

<faq>
4.3.1 - Making a CD-ROM

You can create a CD-ROM using the cd50.iso or install50.iso files. The
exact details here are left to the reader to determine with the tools
they have at their disposal.

In OpenBSD, you can create a CD from an ISO image using cdio(1):
  # cdio tao cd50.iso

Most CD recorders sold for Windows and Macintosh systems come with
software that can burn ISO images to blank media. If yours does not,
there are various no-cost applications that can do this for you.
</faq>

-Neal


Re: cdio burning images

Norman Golisz-3
In reply to this post by John Tate-8
On Fri Nov 11 2011 23:07, John Tate wrote:
> # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
> cdio: The media can't be written in TAO mode
>
> What am I doing wrong?

You don't read manuals.

cdio(1):

> -f device
> Specifies the name of the CD device, such as /dev/rcd0c.  Both
> absolute and relative paths to /dev filenames are possible; the
> raw partition name is added if needed.

Meaning that when you specify "-f cd0" it internally converts it to
"-f /dev/rcd0c".

Also, you probably want to explore disklabel(8) and the difference
between raw-level and block-level access of block devices. Read a UNIX
book of your choice, or stick with Google hunting for an explanation.

Norman.


Re: cdio burning images

John Tate-8
In reply to this post by Neal Hogan
Recap...

cdio...
# cdio tao /home/john/ubuntu-11.10-desktop-i386.iso
cdio: The media can't be written in TAO mode

I'm guessing I get that one because ISO distribution has deviated a
long way from formally defined standards towards spontaneously defined
ones.

cdrecord...
# cdrecord -vv -dao dev=/dev/cd0c /home/john/ubuntu-11.10-desktop-i386.iso
Cdrecord-Clone 2.01 (--) Copyright (C) 1995-2004 Jörg Schilling
TOC Type: 1 = CD-ROM
scsidev: '/dev/cd0c'
devname: '/dev/cd0c'
scsibus: -2 target: -2 lun: -2
Using libscg version 'schily-0.8'.
Using libscg transport code version 'schily-scsi-bsd.c-1.42'
SCSI buffer size: 61440
atapi: 0
Device type    : Removable CD-ROM
Version        : 0
Response Format: 2
Capabilities   :
Vendor_info    : 'ASUS    '
Identifikation : 'DRW-20B1LT      '
Revision       : '1.00'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Current: 0x0011
Profile: 0x002B
Profile: 0x001B
Profile: 0x001A
Profile: 0x0016
Profile: 0x0015
Profile: 0x0014
Profile: 0x0013
Profile: 0x0012
Profile: 0x0011 (current)
Profile: 0x0010
Profile: 0x000A
Profile: 0x0009
Profile: 0x0008
Profile: 0x0002
cdrecord: Found DVD media but DVD-R/DVD-RW support code is missing.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
Drive current speed: 125
Drive default speed: 125
Drive max speed    : 125
Selected speed     : 125
Using generic SCSI-3/mmc   CD/DVD driver (checks media) (mmc_cd_dvd).
Driver flags   : MMC-3 SWABAUDIO BURNFREE FORCESPEED
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1310720 = 1280 KB
FIFO size      : 4194304 = 4096 KB
Track 01: data   695 MB
track: 1 start: 0 pregap: 150
Total size:      798 MB (79:06.53) = 355990 sectors
Lout start:      798 MB (79:08/40) = 355990 sectors
Track 1 start 0
Track 2 start 355990
 41 00 A0 00 00 00 00 01 00 00 00 00
 41 00 A1 00 00 00 00 01 00 00 00 00
 41 00 A2 00 00 00 00 79 08 40 00 00
 41 00 01 00 00 00 00 00 02 00 00 00
Current Secsize: 2048
cdrecord: Unspecified command not implemented for this drive.
cdrecord: WARNING: Data may not fit on standard 74min disk.
Forcespeed is OFF.
Starting to write CD/DVD at speed 125 in real SAO mode for single session.
Last chance to quit, starting real write    0 seconds. Operation starts.
Waiting for reader process to fill input buffer ... input buffer ready.
Writing pregap for track 1 at -150
cdrecord: Input/output error. write_g1: scsi sendcmd: retryable error
CDB:  2A 00 FF FF FF 6A 00 00 1E 00
status: 0x0 (GOOD STATUS)
resid: 61440
cmd finished after 0.018s timeout 200s
write track pad data: error after 0 bytes
BFree: 0 K BSize: 1280 K
Starting new track at sector: 0
Track 01:    0 of  695 MB written.cdrecord: Input/output error.
write_g1: scsi sendcmd: retryable error
CDB:  2A 00 00 00 00 00 00 00 1E 00
status: 0x0 (GOOD STATUS)
resid: 61440
cmd finished after 0.020s timeout 200s

write track data: error after 0 bytes
cdrecord: A write error occured.
cdrecord: Please properly read the error message above.
Writing  time:    5.061s
Average write speed 938.1x.
Fixating...
Fixating time:    0.000s
cdrecord: fifo had 68 puts and 1 gets.
cdrecord: fifo was 0 times empty and 0 times full, min fill was 100%.

John Tate


On Sat, Nov 12, 2011 at 1:14 AM, Neal Hogan <[hidden email]> wrote:

> On Fri, Nov 11, 2011 at 6:07 AM, John Tate <[hidden email]> wrote:
>> # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
>> cdio: The media can't be written in TAO mode
>>
>> What am I doing wrong?
>>
>>
>
> I'm guessing the full device path is needed (i.e., /dev/cd0c).
> However, consider the faq (
> http://www.openbsd.org/faq/faq4.html#MkInsMedia ):
>
> <faq>
> 4.3.1 - Making a CD-ROM
>
> You can create a CD-ROM using the cd50.iso or install50.iso files. The
> exact details here are left to the reader to determine with the tools
> they have at their disposal.
>
> In OpenBSD, you can create a CD from an ISO image using cdio(1):
>  # cdio tao cd50.iso
>
> Most CD recorders sold for Windows and Macintosh systems come with
> software that can burn ISO images to blank media. If yours does not,
> there are various no-cost applications that can do this for you.
> </faq>
>
> -Neal
>



--
www.johntate.org


Re: cdio burning images

Rod Whitworth-3
On Sat, 12 Nov 2011 16:19:31 +1100, John Tate wrote:

>Recap...
>
>cdio...
># cdio tao /home/john/ubuntu-11.10-desktop-i386.iso
>cdio: The media can't be written in TAO mode
>

Well, I don't know if you have media that will take 788MB images.
Who is silly enough to make those ISOs that big?

Or are you supposed to be putting them on DVD?

If that turns out to be the problem, I'd be running ISO Master to
delete some of the cruft.
It's what I use to add a swag of packages to a snapshot installxx.iso
so I keep the OS and pkgs in sync but I never hit 700MB.

As far as cdio is concerned, I run the following command line several
times a week when I'm messing with current:

#cdio -f cd0c tao /usr/src/distrib/i386/iso/obj/install50.iso

and never have a problem.
NB: if you only have one CD drive, that will work if it is known to the
OS as an internal drive; and whatever your drive is, you should avoid
using the full /dev/cd0c name and never use cd0a.

>I'm guessing I get that one because ISO distribution has deviated a
>long way from formally defined standards towards spontaneously defined
>ones.
>

Well my ISOs are made by mkhybrid and (AFAICT) cleave solidly to the
ISO spec.


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Re: cdio burning images

Norman Golisz-3
In reply to this post by Norman Golisz-3
Hi John,

On Fri Nov 11 2011 16:44, Norman Golisz wrote:

> On Fri Nov 11 2011 23:07, John Tate wrote:
> > # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
> > cdio: The media can't be written in TAO mode
> >
> > What am I doing wrong?
>
> You don't read manuals.
>
> cdio(1):
>
> > -f device
> > Specifies the name of the CD device, such as /dev/rcd0c.  Both
> > absolute and relative paths to /dev filenames are possible; the
> > raw partition name is added if needed.
>
> Meaning that when you specify "-f cd0" it internally converts it to
> "-f /dev/rcd0c".
>
> Also, you probably want to explore disklabel(8) and the difference
> between raw-level and block-level access of block devices. Read a UNIX
> book of your choice, or stick with Google hunting for an explanation.

even though this information is not wrong in principle, it was unrelated,
incomplete and written in an inappropriately rude way. Sorry for that.

However, did you compare the ISO's checksum after downloading it?

Norman.
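
Norman's last question is the one check in this thread worth automating: a burner that rejects the media tells you nothing about whether the image on disk is the one the distributor published, and a truncated or corrupted download burns just as happily as a good one. The script below is an added example for this thread, not code from the posts, from Ubuntu or from OpenBSD. It parses both checksum layouts a practitioner meets, the BSD form `SHA256 (file) = hex` used by OpenBSD's SHA256 file and the GNU form `hex  file` used by Ubuntu's SHA256SUMS, streams the image so a 700 MB ISO is never read into memory at once, and compares digests in constant time. The three-byte "ISO" in `demo()` is constructed test data whose SHA256 is the well-known digest of `abc`.

```python
"""Check a downloaded ISO against its published SHA256 line before burning it.

Added example for this thread, not code from the posts or from OpenBSD.
Handles the two checksum file layouts a practitioner meets: the BSD form
"SHA256 (file) = hex" (OpenBSD's SHA256 file) and the GNU form "hex  file"
(Ubuntu's SHA256SUMS). The sample "ISO" below is constructed test data.
"""
import hashlib
import hmac
import os
import re
import tempfile

_BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_checksum_lines(text):
    """Map file name -> lowercase hex digest; malformed or unrelated lines are ignored."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD_LINE.match(line) or _GNU_LINE.match(line)
        if m:
            sums[m.group("name")] = m.group("hex").lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so a 700 MB image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_iso(path, checksum_text):
    """True only when the published digest for this file's basename matches."""
    expected = parse_checksum_lines(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False            # no line for this file: a failure, not a pass
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed check: a three-byte stand-in image whose SHA256 is well known."""
    workdir = tempfile.mkdtemp()
    iso = os.path.join(workdir, "test.iso")
    with open(iso, "wb") as f:
        f.write(b"abc")
    good = "SHA256 (test.iso) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
    bad = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ae  test.iso\n"
    return verify_iso(iso, good), verify_iso(iso, bad)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A matching checksum only proves the file is the one the checksum line describes. If the checksum file came over the same unauthenticated channel as the image, an attacker who can swap one can swap both; that is what a signature over the checksum file (Ubuntu's SHA256SUMS.gpg) is for, and it should be verified before the digest is trusted.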


OpenBSD ipsec gateway behind a router

Mik J
In reply to this post by Rod Whitworth-3
Hello,

I would like to know if such configuration is possible.

LAN1
(192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)

As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
interface. When it wants to access the internet, its address 192.168.10.99 is
NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.

It's not really important for now whether other machines on LAN1 can ping
machines on LAN2. For now I would like the OpenBSD to be able to ping machines
on LAN2.

I have searched for examples on the internet for this particular case, because
the OpenBSD is behind a NAT router, and I haven't found the proper way to do
this. I don't even know if it's possible. I know some kind of NAT-T should be
used though.

Does anyone have this configuration in place?

Thanks


Re: OpenBSD ipsec gateway behind a router

Stuart Henderson
This basically works but there are incompatibilities between nat-t in OpenBSD
and that from certain vendors, notably cisco.


On 2011-11-13, Mik J <[hidden email]> wrote:

> Hello,
>
> I would like to know if such configuration is possible.
>
> LAN1
> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>
> As you can see the OpenBSD 4.9
> server sits on the LAN1 and has one physical interface.
> When it wants to
> access to the internet, its address 192.168.10.99 is natted in IPx and that's
> how the IPSec_GW(Vendor) sees the source packets.
>
> It's not really important
> now if other machines on LAN1 should ping machines on LAN2. I would like for
> now that the OpenBSD could ping machines on LAN2.
>
> I have search for examples
> on the internet for this particular case because the OpenBSD is behind a nat
> router. And I haven't found the proper way to do this. I don't even know if
> it's possible. I know some kind of nat-t should be used though.
>
> Does anyone
> have this configuration in place ?
>
> Thanks


Re: OpenBSD ipsec gateway behind a router

Mentesan
In reply to this post by Mik J
Hi :)

I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
office) and 4.9 (branch office).
With the following setup I can bring the tunnel up, but the networks can't
talk to each other:

Central ipsec.conf
-------------------------
ike passive esp tunnel from 10.20.0.0/16 to any \
                srcid matriz.domain.com.br \
                psk testefilial
------------

Branch ipsec.conf
-------------------------
matriz_net = "10.20.0.0/16"
matriz_gw = "178.9.35.10"
filial_net =  "10.10.11.0/24"

ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
                srcid filial.domain.com.br \
                dstid matriz.domain.com.br \
                psk testefilial
-----------

# ipsecctl -sa
FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256
enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256
enc aes

-----------

# route -n show -encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
10.10.11/24        0     10.20/16           0     0
185.53.27.23/esp/use/in
10.20/16           0     10.10.11/24        0     0
185.53.27.23/esp/require/out


Fabio Almeida

On 13/11/2011, at 12:06, Mik J wrote:

> Hello,
>
> I would like to know if such configuration is possible.
>
> LAN1
> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>
> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
> interface. When it wants to access the internet, its address 192.168.10.99 is
> NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>
> It's not really important for now whether other machines on LAN1 can ping
> machines on LAN2. For now I would like the OpenBSD to be able to ping machines
> on LAN2.
>
> I have searched for examples on the internet for this particular case, because
> the OpenBSD is behind a NAT router, and I haven't found the proper way to do
> this. I don't even know if it's possible. I know some kind of NAT-T should be
> used though.
>
> Does anyone have this configuration in place?
>
> Thanks

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]


Re : OpenBSD ipsec gateway behind a router

Mik J
Hello,

Thanks to both of you for your answer.
However I'm really confused regarding where I should configure the OpenBSD
ipsec gateway to use nat-t or not.

The only thing I'm aware of is
$ sysctl -a | grep udpencap
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500
But that just tells the kernel to support udp encapsulation for nat-t.

Fabio, in your configuration below I don't see anywhere you specified you
wanted to use nat-t.

I'm going to try to test your configuration.


----- Original message -----
> From: Mentesan <[hidden email]>
> To: [hidden email]
> Cc:
> Sent: Monday 14 November 2011 13:00
> Subject: Re: OpenBSD ipsec gateway behind a router
>
> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
> office) and 4.9 (branch office).
> With the following setup I can bring the tunnel up, but the networks can't
> talk to each other:
>
> Central ipsec.conf
> -------------------------
> ike passive esp tunnel from 10.20.0.0/16 to any \
>                 srcid matriz.domain.com.br \
>                 psk testefilial
> ------------
>
> Branch ipsec.conf
> -------------------------
> matriz_net = "10.20.0.0/16"
> matriz_gw = "178.9.35.10"
> filial_net =  "10.10.11.0/24"
>
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>                 srcid filial.domain.com.br \
>                 dstid matriz.domain.com.br \
>                 psk testefilial
> -----------
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
> matriz.gruponp.com.br dstid filial.gruponp.com.br type use
> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
> matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256
> enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256
> enc aes
>
> -----------
>
> # route -n show -encap
> Routing tables
>
> Encap:
> Source             Port  Destination        Port  Proto
> SA(Address/Proto/Type/Direction)
> 10.10.11/24        0     10.20/16           0     0
> 185.53.27.23/esp/use/in
> 10.20/16           0     10.10.11/24        0     0
> 185.53.27.23/esp/require/out
>
>
> Fabio Almeida
>
> On 13/11/2011, at 12:06, Mik J wrote:
>
>> Hello,
>>
>> I would like to know if such configuration is possible.
>>
>> LAN1
>> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
>> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>
>> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
>> interface. When it wants to access the internet, its address 192.168.10.99 is
>> NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>>
>> It's not really important for now whether other machines on LAN1 can ping
>> machines on LAN2. For now I would like the OpenBSD to be able to ping machines
>> on LAN2.
>>
>> I have searched for examples on the internet for this particular case, because
>> the OpenBSD is behind a NAT router, and I haven't found the proper way to do
>> this. I don't even know if it's possible. I know some kind of NAT-T should be
>> used though.
>>
>> Does anyone have this configuration in place?
>>
>> Thanks
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
> had a name of signature.asc]


Re: OpenBSD ipsec gateway behind a router

Joosep-2
In reply to this post by Mentesan
On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <[hidden email]> wrote:

> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
> (central
> office) and 4.9 (branch office).
> With the following setup I can bring the tunnel up, but the networks can't
> talk to each other:
>
> Central ipsec.conf
> -------------------------
> ike passive esp tunnel from 10.20.0.0/16 to any \
>                srcid matriz.domain.com.br \
>                psk testefilial
> ------------
>
> Branch ipsec.conf
> -------------------------
> matriz_net = "10.20.0.0/16"
> matriz_gw = "178.9.35.10"
> filial_net =  "10.10.11.0/24"
>
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>                srcid filial.domain.com.br \
>                dstid matriz.domain.com.br \
>                psk testefilial
> -----------
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
> matriz.gruponp.com.br dstid filial.gruponp.com.br type use
> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
> matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
> hmac-sha2-256
> enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
> hmac-sha2-256
> enc aes
>
> -----------
>
> # route -n show -encap
> Routing tables
>
> Encap:
> Source             Port  Destination        Port  Proto
> SA(Address/Proto/Type/Direction)
> 10.10.11/24        0     10.20/16           0     0
> 185.53.27.23/esp/use/in
> 10.20/16           0     10.10.11/24        0     0
> 185.53.27.23/esp/require/out
>
>
> Fabio Almeida
>
> On 13/11/2011, at 12:06, Mik J wrote:
>
> > Hello,
> >
> > I would like to know if such configuration is possible.
> >
> > LAN1
> > (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> > IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
> >
> > As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
> > interface. When it wants to access the internet, its address 192.168.10.99
> > is NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source
> > packets.
> >
> > It's not really important for now whether other machines on LAN1 can ping
> > machines on LAN2. For now I would like the OpenBSD to be able to ping
> > machines on LAN2.
> >
> > I have searched for examples on the internet for this particular case,
> > because the OpenBSD is behind a NAT router, and I haven't found the proper
> > way to do this. I don't even know if it's possible. I know some kind of
> > NAT-T should be used though.
> >
> > Does anyone have this configuration in place?
> >
> > Thanks
>
> [demime 1.01d removed an attachment of type application/pgp-signature
> which had a name of signature.asc]
>
>
Hi!

I think the problem in your case is HMAC-SHA2 incompatibility between
releases before 4.7 and 4.7(and upwards) releases. Please check this link
http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

regards,
Joosep
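
The FAQ entry Joosep links describes the mismatch: releases before 4.7 truncated the HMAC-SHA2 integrity check value (ICV) to 96 bits, while 4.7 and later use the RFC 4868 lengths (128 bits for hmac-sha2-256). IKE negotiates only the algorithm, not the truncation length, so phase 1 and phase 2 complete, `ipsecctl -sa` shows both SAs as in Fabio's output, and yet every ESP packet fails its integrity check on the far side. That is exactly the "tunnel up but no traffic" symptom. The model below is an added example for this thread, not OpenBSD kernel code: it performs only the ICV step of ESP, with a constructed key and payload, and reuses the SPI 0x59f8b098 from the posted SAD as the header value. It shows that a sender and receiver that disagree on truncation reject each other's packets in both directions, even though the key is identical.

```python
"""ESP integrity check with RFC 4868 versus 96-bit-truncated HMAC-SHA-256.

Added example for this thread; not OpenBSD's ESP implementation. It models
only the ICV (integrity check value) step of ESP. The key and payload are
constructed; the SPI is the one shown in the posted SAD.
"""
import hashlib
import hmac

RFC4868_ICV_BYTES = 16      # HMAC-SHA-256 truncated to 128 bits (OpenBSD 4.7 and later)
LEGACY_ICV_BYTES = 12       # truncated to 96 bits (OpenBSD before 4.7)
CONSTRUCTED_KEY = b"\x11" * 32
SPI_FROM_THREAD = 0x59F8B098


def esp_icv(key, header_and_payload, icv_len):
    """HMAC-SHA-256 over the ESP header and payload, truncated to icv_len bytes."""
    return hmac.new(key, header_and_payload, hashlib.sha256).digest()[:icv_len]


def esp_protect(key, spi, seq, payload, icv_len):
    """Sender: header(SPI, sequence) || payload || ICV (encryption omitted here)."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return body + esp_icv(key, body, icv_len)


def esp_verify(key, packet, icv_len):
    """Receiver: split off the ICV length *it* expects, recompute, compare."""
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(esp_icv(key, body, icv_len), icv)


def interop_matrix(key=CONSTRUCTED_KEY, spi=SPI_FROM_THREAD, seq=1, payload=b"ping"):
    """{(sender_icv_len, receiver_icv_len): verified?} for the two truncations."""
    result = {}
    for sender_len in (RFC4868_ICV_BYTES, LEGACY_ICV_BYTES):
        packet = esp_protect(key, spi, seq, payload, sender_len)
        for receiver_len in (RFC4868_ICV_BYTES, LEGACY_ICV_BYTES):
            # A receiver expecting a different ICV length slices the packet in
            # the wrong place: part of the ICV lands in the authenticated body
            # (or part of the body is taken as ICV), so the MAC never matches.
            result[(sender_len, receiver_len)] = esp_verify(key, packet, receiver_len)
    return result


if __name__ == "__main__":
    for (s, r), ok in interop_matrix().items():
        print(f"sender {s*8:3d}-bit ICV -> receiver expects {r*8:3d}-bit: {'ok' if ok else 'auth failure'}")
```

Only the two diagonal cases pass. The practical consequence is the one the FAQ gives: between a pre-4.7 box and a 4.7-or-later box, pick an auth algorithm both truncate the same way (hmac-sha1) in the `ike` lines, or upgrade the old side; no amount of NAT-T or routing work will fix an ICV-length mismatch.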


Re: OpenBSD ipsec gateway behind a router

Boris Goldberg
In reply to this post by Mik J
Hello Mik,

Sunday, November 13, 2011, 8:06:32 AM, you wrote:

MJ> I would like to know if such configuration is possible.

MJ> LAN1
MJ> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
MJ> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)

MJ> As you can see the OpenBSD 4.9
MJ> server sits on the LAN1 and has one physical interface.
MJ> When it wants to
MJ> access to the internet, its address 192.168.10.99 is natted in IPx and that's
MJ> how the IPSec_GW(Vendor) sees the source packets.

MJ> It's not really important
MJ> now if other machines on LAN1 should ping machines on LAN2. I would like for
MJ> now that the OpenBSD could ping machines on LAN2.

MJ> I have search for examples
MJ> on the internet for this particular case because the OpenBSD is behind a nat
MJ> router. And I haven't found the proper way to do this. I don't even know if
MJ> it's possible. I know some kind of nat-t should be used though.

MJ> Does anyone
MJ> have this configuration in place ?

  There are two problems in that configuration: IPSEC behind a NAT and one
physical interface.

  IPSEC behind a NAT more often works than not. I have similar working
configuration myself (but with two interfaces). Would recommend to use UDP
encapsulation if the other side supports it.

  I would recommend to get a computer with 2 network interfaces. Otherwise
it's going to be very complicated at best. /24 (on the left) is for sure
not going to work.


Re: OpenBSD ipsec gateway behind a router

Mentesan
Hello,

Can anyone validate, or give some advice in this setup:

LAN (10.20/16) <----> OpenBSD (public fixed IP) <------> (public dynamic IP)
LAN ROUTER <-----> OpenBSD <-----> LAN (10.10.11/24)

There's a *need* to have that "LAN ROUTER" on the client side.
Let's call the first OpenBSD box "Server" and the other "Client".

The config I'm using is:
Server
---------
ike passive esp tunnel from 10.20.0.0/16 to any \
                srcid matriz.gruponp.com.br \
                psk testevpn

Client
--------
ike dynamic esp tunnel from 10.10.11.0/24 to 10.20.0.0/16 peer 187.8.53.34 \
                srcid filial.gruponp.com.br \
                dstid matriz.gruponp.com.br \
                psk testevpn
--------

This config can bring the tunnel up, even the routes, but the networks can't
talk to each other.

Do I need to redirect ports on the client side (LAN ROUTER redirect ports 500,
4500 to OpenBSD)?
Is everything messed up and the tunnel is established by pure luck?

Thanks in advance,
Fabio Almeida

On 14/11/2011, at 14:25, Boris Goldberg wrote:

> Hello Mik,
>
> Sunday, November 13, 2011, 8:06:32 AM, you wrote:
>
> MJ> I would like to know if such configuration is possible.
>
> MJ> LAN1
> MJ> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> MJ> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>
> MJ> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
> MJ> interface. When it wants to access the internet, its address 192.168.10.99
> MJ> is NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source
> MJ> packets.
>
> MJ> It's not really important for now whether other machines on LAN1 can ping
> MJ> machines on LAN2. For now I would like the OpenBSD to be able to ping
> MJ> machines on LAN2.
>
> MJ> I have searched for examples on the internet for this particular case,
> MJ> because the OpenBSD is behind a NAT router, and I haven't found the proper
> MJ> way to do this. I don't even know if it's possible. I know some kind of
> MJ> NAT-T should be used though.
>
> MJ> Does anyone have this configuration in place?
>
>  There are two problems in that configuration: IPSEC behind a NAT and one
> physical interface.
>
>  IPSEC behind a NAT more often works than not. I have similar working
> configuration myself (but with two interfaces). Would recommend to use UDP
> encapsulation if the other side supports it.
>
>  I would recommend to get a computer with 2 network interfaces. Otherwise
> it's going to be very complicated at best. /24 (on the left) is for sure
> not going to work.

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]


Re : OpenBSD ipsec gateway behind a router

Mik J
In reply to this post by Joosep-2
Hello,

Joosep, thank you for pointing out this incompatibility. I have made tests
with Fabio and that was the problem.

Regarding the ipsec configuration behind nat routers, it has been tested
successfully between a 4.9 and a 4.4 openbsd with udp encapsulation and
between a 4.9 openbsd and a fortigate (not behind nat). However I don't know
about long term stability in those two cases.
Regarding the configuration to adopt when the ipsec gateway is natted, I'm
wondering if it's necessary to port forward udp 500 and 4500 pointing to the
ipsec gateway on the LAN. I think yes if the two ipsec gateways are natted,
and maybe if only one of them is natted.

As for the configuration that I described below, I have not tried to do a
ping from LAN1 to LAN2 with the OpenBSD having only one interface. I will try
to test it when I'll be able to.

Something I'm still wondering is how OpenBSD knows whether it's natted or not
so that it should use udp 4500. I haven't seen anything in the configuration
stating that I would use nat-t or not. Also, if two ipsec gateways are not
natted but I want to force nat-t, would that be possible?
Thanks



----- Original message -----
> From: Joosep <[hidden email]>
> To: [hidden email]
> Cc:
> Sent: Monday 14 November 2011 14:08
> Subject: Re: OpenBSD ipsec gateway behind a router
>
> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <[hidden email]> wrote:
>
>> Hi :)
>>
>> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
>> office) and 4.9 (branch office).
>> With the following setup I can bring the tunnel up, but the networks can't
>> talk to each other:
>>
>> Central ipsec.conf
>> -------------------------
>> ike passive esp tunnel from 10.20.0.0/16 to any \
>>                 srcid matriz.domain.com.br \
>>                 psk testefilial
>> ------------
>>
>> Branch ipsec.conf
>> -------------------------
>> matriz_net = "10.20.0.0/16"
>> matriz_gw = "178.9.35.10"
>> filial_net =  "10.10.11.0/24"
>>
>> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>                 srcid filial.domain.com.br \
>>                 dstid matriz.domain.com.br \
>>                 psk testefilial
>> -----------
>>
>> # ipsecctl -sa
>> FLOWS:
>> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
>> matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
>> matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>
>> SAD:
>> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256
>> enc aes
>> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256
>> enc aes
>>
>> -----------
>>
>> # route -n show -encap
>> Routing tables
>>
>> Encap:
>> Source             Port  Destination        Port  Proto
>> SA(Address/Proto/Type/Direction)
>> 10.10.11/24        0     10.20/16           0     0
>> 185.53.27.23/esp/use/in
>> 10.20/16           0     10.10.11/24        0     0
>> 185.53.27.23/esp/require/out
>>
>>
>> Fabio Almeida
>>
>> On 13/11/2011, at 12:06, Mik J wrote:
>>
>>> Hello,
>>>
>>> I would like to know if such configuration is possible.
>>>
>>> LAN1
>>> (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
>>> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>>
>>> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
>>> interface. When it wants to access the internet, its address 192.168.10.99
>>> is NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source
>>> packets.
>>>
>>> It's not really important for now whether other machines on LAN1 can ping
>>> machines on LAN2. For now I would like the OpenBSD to be able to ping
>>> machines on LAN2.
>>>
>>> I have searched for examples on the internet for this particular case,
>>> because the OpenBSD is behind a NAT router, and I haven't found the proper
>>> way to do this. I don't even know if it's possible. I know some kind of
>>> NAT-T should be used though.
>>>
>>> Does anyone have this configuration in place?
>>>
>>> Thanks
>>
>> [demime 1.01d removed an attachment of type application/pgp-signature which
>> had a name of signature.asc]
>
> Hi!
>
> I think the problem in your case is HMAC-SHA2 incompatibility between
> releases before 4.7 and 4.7 (and upwards) releases. Please check this link
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
> regards,
> Joosep
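
Mik J's open question, how a peer knows it is behind NAT when nothing in ipsec.conf says so, is answered by the IKE exchange itself, not by configuration: with `net.inet.esp.udpencap=1` the daemon includes RFC 3947 NAT-D payloads in phase 1, each a hash of the cookies plus an address and port. Every peer sends one NAT-D for the address it thinks the other side has and one for its own; the receiver recomputes both from what it actually sees on the wire, and any mismatch means a NAT rewrote something in between. Once either side is found to be natted, IKE floats to `net.inet.esp.udpencap_port` (4500) and ESP is carried inside UDP on that port. The script below is an added example for this thread, a model rather than isakmpd's code. The cookies, the public addresses (RFC 5737 documentation ranges) and the NAT mapping 192.168.10.99:500 to 203.0.113.10:17500 are constructed; SHA-1 stands in for whatever phase 1 hash was negotiated. It runs the detection both ways, through a NAT that rewrites the initiator, and in a second call without any NAT to show what "no NAT-T" looks like.

```python
"""How an IKEv1 peer learns it is behind NAT: RFC 3947 NAT-D payloads.

Added example for this thread; it is a model, not isakmpd's code. The
cookies, the public addresses (RFC 5737 documentation ranges) and the NAT
mapping 192.168.10.99:500 -> 203.0.113.10:17500 are constructed. SHA-1 is
used as the phase 1 hash; the mechanism is the same for any negotiated hash.
"""
import hashlib
import ipaddress

UDPENCAP_PORT = 4500   # what net.inet.esp.udpencap_port=4500 in the thread selects


def nat_d(cky_i, cky_r, ip, port):
    """RFC 3947 section 4: NAT-D = HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender's view: first the peer's address as the sender sees it, then its own."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port),
            nat_d(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, payloads, my_ip, my_port, observed_src_ip, observed_src_port):
    """Receiver's view. Returns (i_am_behind_nat, peer_is_behind_nat).

    The first NAT-D is what the peer thinks *my* address is; if it differs from
    what I bound to, something rewrote my address on the way to the peer.
    The remaining NAT-Ds are the peer's own addresses; if none matches the
    source address the packet actually arrived from, the peer is behind NAT.
    """
    remote_hash, local_hashes = payloads[0], payloads[1:]
    i_am_natted = remote_hash != nat_d(cky_i, cky_r, my_ip, my_port)
    peer_natted = nat_d(cky_i, cky_r, observed_src_ip, observed_src_port) not in local_hashes
    return i_am_natted, peer_natted


def float_port(detection, udpencap_port=UDPENCAP_PORT):
    """Once NAT is seen on either side, IKE and UDP-encapsulated ESP move to 4500."""
    return udpencap_port if any(detection) else 500


def simulate(initiator_ip="192.168.10.99", nat_ip="203.0.113.10", nat_port=17500,
             responder_ip="198.51.100.7"):
    """Run the NAT-D exchange both ways through a NAT that rewrites the initiator."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8       # constructed cookies
    port = 500
    # Initiator (ike dynamic, on the LAN) sends its NAT-D payloads; the router
    # rewrites the UDP source to nat_ip:nat_port before the responder sees it.
    to_responder = build_nat_d_payloads(cky_i, cky_r, initiator_ip, port, responder_ip, port)
    seen_src = (nat_ip, nat_port)
    responder_view = detect_nat(cky_i, cky_r, to_responder, responder_ip, port, *seen_src)
    # Responder (ike passive, public address) answers to the address it saw;
    # the NAT maps that back, so the initiator receives it on its private address.
    to_initiator = build_nat_d_payloads(cky_i, cky_r, responder_ip, port, *seen_src)
    initiator_view = detect_nat(cky_i, cky_r, to_initiator, initiator_ip, port, responder_ip, port)
    return responder_view, initiator_view


if __name__ == "__main__":
    r, i = simulate()
    print("responder sees:", r, "initiator sees:", i, "port:", float_port(r))
```

Two consequences for the port-forwarding question in the thread follow from this. The `ike dynamic` side behind NAT creates the NAT mapping with its own first UDP/500 packet, so nothing has to be forwarded to it; only a gateway that must accept connections (`ike passive`) behind a NAT router needs UDP 500 and UDP 4500 forwarded to it. And because ESP travels inside UDP 4500 after the float, the router never has to forward raw ESP (IP protocol 50), which most NAT boxes can only map to one inside host anyway.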


Re : OpenBSD ipsec gateway behind a router

Mik J
> Hello,
>
> Joosep, thank you for pointing out this incompatibility. I have made tests with
> Fabio and that was the problem.
>
> Regarding the ipsec configuration behind nat routers it has been tested
> successfully between a 4.9 and a 4.4 openbsd with udp encapsulation and between
> a 4.9 openbsd and a fortigate (not behind nat). However I don't know about
> long term stability in those two cases.
> Regarding the configuration to adopt when the ipsec gateway is natted, I'm
> wondering if it's necessary to port forward udp 500 and 4500 pointing to the
> ipsec gateway on the LAN. I think yes if the two ipsec gateways are natted, and
> maybe if only one of them is natted.
>
> As for the configuration that I described below I have not tried to do a ping
> from LAN1 to LAN2 with the OpenBSD having only one interface. I will try to test
> it when I'll be able to.
>
> Something I'm still wondering is, how Openbsd knows that he's natted or
> not so that he should use udp 4500. I haven't seen anywhere in the
> configuration stating that I would use nat-t or not. Also, if two ipsec gateways
> are not natted but I want to force nat-t would that be possible ?
>
>
> Thanks
>
>
>
> ----- Original Mail -----
>> From : Joosep <[hidden email]>
>> To : [hidden email]
>> Cc :
>> Sent on : Monday 14 November 2011 14:08
>> Subject : Re: OpenBSD ipsec gateway behind a router
>>
>> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <[hidden email]> wrote:
>>
>>>   Hi :)
>>>
>>>   I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
>>>   (central office) and 4.9 (branch office).
>>>   With the following setup I can bring the tunnel up, but the networks
>>>   can't talk to each other:
>>>
>>>   Central ipsec.conf
>>>   -------------------------
>>>   ike passive esp tunnel from 10.20.0.0/16 to any \
>>>                 srcid matriz.domain.com.br \
>>>                 psk testefilial
>>>   ------------
>>>
>>>   Branch ipsec.conf
>>>   -------------------------
>>>   matriz_net = "10.20.0.0/16"
>>>   matriz_gw = "178.9.35.10"
>>>   filial_net = "10.10.11.0/24"
>>>
>>>   ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>>                 srcid filial.domain.com.br \
>>>                 dstid matriz.domain.com.br \
>>>                 psk testefilial
>>>   -----------
>>>
>>>   # ipsecctl -sa
>>>   FLOWS:
>>>   flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
>>>   matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>>>   flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
>>>   matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>>
>>>   SAD:
>>>   esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
>>>   hmac-sha2-256
>>>   enc aes
>>>   esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
>>>   hmac-sha2-256
>>>   enc aes
>>>
>>>   -----------
>>>
>>>   # route -n show -encap
>>>   Routing tables
>>>
>>>   Encap:
>>>   Source             Port  Destination        Port  Proto
>>>   SA(Address/Proto/Type/Direction)
>>>   10.10.11/24        0     10.20/16           0     0
>>>   185.53.27.23/esp/use/in
>>>   10.20/16           0     10.10.11/24        0     0
>>>   185.53.27.23/esp/require/out
>>>
>>>
>>>   Fabio Almeida
>>>
>>>   On 13/11/2011, at 12:06, Mik J wrote:
>>>
>>>   > Hello,
>>>   >
>>>   > I would like to know if such configuration is possible.
>>>   >
>>>   > LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>>   >
>>>   > As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
>>>   > When it wants to access to the internet, its address 192.168.10.99 is natted in IPx and that's
>>>   > how the IPSec_GW(Vendor) sees the source packets.
>>>   >
>>>   > It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for
>>>   > now that the OpenBSD could ping machines on LAN2.
>>>   >
>>>   > I have searched for examples on the internet for this particular case because the OpenBSD is behind a nat
>>>   > router. And I haven't found the proper way to do this. I don't even know if
>>>   > it's possible. I know some kind of nat-t should be used though.
>>>   >
>>>   > Does anyone have this configuration in place ?
>>>   >
>>>   > Thanks
>>>
>>>
>> Hi!
>>
>> I think the problem in your case is HMAC-SHA2 incompatibility between
>> releases before 4.7 and 4.7 (and upwards) releases. Please check this link
>> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>>
>> regards,
>> Joosep


Re: OpenBSD ipsec gateway behind a router

Mentesan
In reply to this post by Mik J
Hi,

In fact, there's no need to redirect ports, it's working even behind two
nats:

Openbsd ---NAT OpenBSD ---NAT Router--<<<<>>>>--- OpenBSD

Thanks
Fabio Almeida

On 15/11/2011, at 17:38, Mik J wrote:

> Hello,
>
> Joosep, thank you for pointing out this incompatibility. I have made
> tests with Fabio and that was the problem.
>
> Regarding the ipsec configuration
> behind nat routers it has been tested successfully between a 4.9 and a 4.4
> openbsd with udp encapsulation and between a 4.9 openbsd and a fortigate (not
> behind nat). However I don't know about long term stability in those two
> cases.
> Regarding the configuration to adopt when the ipsec gateway is natted,
> I'm wondering if it's necessary to port forward udp 500 and 4500 pointing to
> the ipsec gateway on the LAN. I think yes if the two ipsec gateways are
> natted, and maybe if only one of them is natted.
>
> As for the configuration
> that I described below I have not tried to do a ping from LAN1 to LAN2 with
> the OpenBSD having only one interface. I will try to test it when I'll be able
> to.
>
> Something I'm still wondering is, how Openbsd knows that he's natted or
> not so that he should use udp 4500. I haven't seen anywhere in the
> configuration stating that I would use nat-t or not. Also, if two ipsec
> gateways are not natted but I want to force nat-t would that be possible ?
> Thanks
>
>
>
> ----- Original Mail -----
>> From : Joosep <[hidden email]>
>> To : [hidden email]
>> Cc :
>> Sent on : Monday 14 November 2011 14:08
>> Subject : Re: OpenBSD ipsec gateway behind a router
>>
>> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <[hidden email]> wrote:
>>
>>> Hi :)
>>>
>>> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
>>> (central office) and 4.9 (branch office).
>>> With the following setup I can bring the tunnel up, but the networks
>>> can't talk to each other:
>>>
>>> Central ipsec.conf
>>> -------------------------
>>> ike passive esp tunnel from 10.20.0.0/16 to any \
>>>                srcid matriz.domain.com.br \
>>>                psk testefilial
>>> ------------
>>>
>>> Branch ipsec.conf
>>> -------------------------
>>> matriz_net = "10.20.0.0/16"
>>> matriz_gw = "178.9.35.10"
>>> filial_net = "10.10.11.0/24"
>>>
>>> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>>                srcid filial.domain.com.br \
>>>                dstid matriz.domain.com.br \
>>>                psk testefilial
>>> -----------
>>>
>>> # ipsecctl -sa
>>> FLOWS:
>>> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
>>> matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>>> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
>>> matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>>
>>> SAD:
>>> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
>>> hmac-sha2-256
>>> enc aes
>>> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
>>> hmac-sha2-256
>>> enc aes
>>>
>>> -----------
>>>
>>> # route -n show -encap
>>> Routing tables
>>>
>>> Encap:
>>> Source             Port  Destination        Port  Proto
>>> SA(Address/Proto/Type/Direction)
>>> 10.10.11/24        0     10.20/16           0     0
>>> 185.53.27.23/esp/use/in
>>> 10.20/16           0     10.10.11/24        0     0
>>> 185.53.27.23/esp/require/out
>>>
>>>
>>> Fabio Almeida
>>>
>>> On 13/11/2011, at 12:06, Mik J wrote:
>>>
>>>> Hello,
>>>>
>>>> I would like to know if such configuration is possible.
>>>>
>>>> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>>>
>>>> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
>>>> When it wants to access to the internet, its address 192.168.10.99 is natted in IPx and that's
>>>> how the IPSec_GW(Vendor) sees the source packets.
>>>>
>>>> It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for
>>>> now that the OpenBSD could ping machines on LAN2.
>>>>
>>>> I have searched for examples on the internet for this particular case because the OpenBSD is behind a nat
>>>> router. And I haven't found the proper way to do this. I don't even know if
>>>> it's possible. I know some kind of nat-t should be used though.
>>>>
>>>> Does anyone have this configuration in place ?
>>>>
>>>> Thanks
>>>
>>>
>> Hi!
>>
>> I think the problem in your case is HMAC-SHA2 incompatibility between
>> releases before 4.7 and 4.7 (and upwards) releases. Please check this link
>> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>>
>> regards,
>> Joosep

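The symptom in Fabio's setup (tunnel negotiated, no traffic between the networks) is what an ESP integrity-check mismatch looks like: the linked 4.7 upgrade note changed the HMAC-SHA2 ICV truncation from 96 bits to the RFC 4868 lengths (128 bits for hmac-sha2-256), so a 4.4 and a 4.9 peer append ICVs of different lengths. The following Python snippet is an added example, not code from the thread: it parses the SAD entries of the ipsecctl -sa output quoted above and flags the SAs affected between a pre-4.7 and a 4.7+ peer; the sample text, key and packet bytes are constructed.

```python
import hmac
import re

# Constructed sample, modelled on the SAD section of the `ipsecctl -sa`
# output quoted in the thread, including the line wrapping the archive added.
SAMPLE_SAD = """\
SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
hmac-sha2-256
enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
hmac-sha2-256
enc aes
"""

SA_RE = re.compile(r"esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+)"
                   r"\s+auth\s+(?P<auth>\S+)\s+enc\s+(?P<enc>\S+)")

# ICV truncation in bits: RFC 4868 lengths, used by OpenBSD 4.7 and later,
# versus the single 96-bit length releases before 4.7 applied to all of them.
RFC4868_BITS = {"hmac-sha2-256": 128, "hmac-sha2-384": 192, "hmac-sha2-512": 256}
LEGACY_BITS = 96
DIGEST = {"hmac-sha2-256": "sha256", "hmac-sha2-384": "sha384", "hmac-sha2-512": "sha512"}

def parse_sad(text):
    """One dict per 'esp tunnel ...' entry in ipsecctl -sa SAD output."""
    return [m.groupdict() for m in SA_RE.finditer(text)]

def icv_bits(auth, release):
    """ICV length in bits the given OpenBSD release uses for this algorithm,
    or None for algorithms whose truncation did not change (hmac-sha1, hmac-md5)."""
    if auth not in RFC4868_BITS:
        return None
    return RFC4868_BITS[auth] if release >= (4, 7) else LEGACY_BITS

def esp_icv(key, packet, auth, release):
    """Truncated ICV each side would append to an ESP packet (constructed inputs).
    The pre-4.7 value is a prefix of the 4.7+ value, but the lengths differ."""
    full = hmac.new(key, packet, DIGEST[auth]).digest()
    return full[: icv_bits(auth, release) // 8]

def find_mismatches(sad_text, local_release, peer_release):
    """SAs whose ICV lengths differ between the peers: IKE still negotiates them,
    but every ESP packet then fails the receiver's integrity check."""
    bad = []
    for sa in parse_sad(sad_text):
        mine = icv_bits(sa["auth"], local_release)
        theirs = icv_bits(sa["auth"], peer_release)
        if mine is not None and mine != theirs:
            bad.append((sa["spi"], sa["auth"], mine, theirs))
    return bad
```

Running find_mismatches(SAMPLE_SAD, (4, 9), (4, 4)) flags both SAs, which is the branch-on-4.9, central-on-4.4 pairing from the thread; with both peers on 4.9 it returns an empty list.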


Re: cdio burning images

Sviatoslav Chagaev-2
In reply to this post by John Tate-8
If you are using a CD-RW -- make sure you have blanked it first by

  cdio blank


Also, if you're using the first drive, i.e. cd0, you don't have
to specify the device, you can just type

  cdio tao image.iso


On Fri, 11 Nov 2011 23:07:41 +1100 John Tate <[hidden email]> wrote:
> # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
> cdio: The media can't be written in TAO mode
>
> What am I doing wrong?
>
>
> --
> www.johntate.org


Re: cdio burning images

John Tate-8
In reply to this post by Norman Golisz-3
I did, I have actually solved the problem now.

On Sat, Nov 12, 2011 at 11:11 PM, Norman Golisz <[hidden email]> wrote:

> Hi John,
>
> On Fri Nov 11 2011 16:44, Norman Golisz wrote:
>> On Fri Nov 11 2011 23:07, John Tate wrote:
>> > # cdio -f cd0c tao /home/john/ubuntu-11.10-desktop-i386.iso
>> > cdio: The media can't be written in TAO mode
>> >
>> > What am I doing wrong?
>>
>> You don't read manuals.
>>
>> cdio(1):
>>
>> > -f device
>> >     Specifies the name of the CD device, such as /dev/rcd0c.  Both
>> >     absolute and relative paths to /dev filenames are possible; the
>> >     raw partition name is added if needed.
>>
>> Meaning that when you specify "-f cd0" it internally converts it to
>> "-f /dev/rcd0c".
>>
>> Also, you probably want to explore disklabel(8) and the difference
>> between raw-level and block-level access of block devices. Read a UNIX
>> book of your choice, or stick with Google hunting for an explanation.
>
> even though this information is not principally wrong, it was unrelated,
> incomplete and written inadequately rude. Sorry for that.
>
> However, did you compare the ISO's checksum after downloading it?
>
> Norman.
>
>



--
www.johntate.org


Re : OpenBSD ipsec gateway behind a router

Mik J
In reply to this post by Boris Goldberg
> MJ> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
> MJ> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
> MJ> When it wants to access to the internet, its address 192.168.10.99 is natted in IPx and that's how the IPSec_GW(Vendor) sees the source packets.

>   I would recommend to get a computer with 2 network interfaces. Otherwise
> it's going to be very complicated at best. /24 (on the left) is for sure
> not going to work.

Hello Boris,

I just wanted to give you a feedback about this configuration. It works.
I'm able to ping a machine on LAN2 from LAN1. The OpenBSD ipsec gateway has only one physical interface.
I haven't done anything special to make it work except adding a specific route
on my LAN1 computer to LAN2 with NH OpenBSD .99 and enable
net.inet.ip.forwarding