16 Feb 2024 |
wubot | <michel> make it understandable | 14:50:20 |
tobhe | welcome | 14:50:20 |
tobhe | I'll try to see how we can improve it | 14:50:32 |
19 Feb 2024 |
wubot | <michel> Hey wubot_ I hope you don't mind me writing to you straight... Is there a way to deny a network flow like !10.0.0.0/24 ? Something like from dynamic to any, from dynamic to !10.0.0.0/24 ? | 07:27:59 |
wubot | <michel> I remember that this was possible with ikev1 | 07:28:17 |
tobhe | michel: no, iked won't let you deny flows. you might be able to use ipsecctl to do it but I don't think I ever tried | 08:37:30 |
wubot | <Voyager_MP> Ok, that might me to improved :D | 08:50:34 |
wubot | <Voyager_MP> I'm sorry, very bad English, I meant: that seems something that can be improved :D | 11:27:54 |
tobhe | probably yes. It's just that no one voiced that complaint so far 🙂 | 11:33:09 |
tobhe | the ikev2 protocol is a bit weird in that it doesn't actually work with flows internally at all but uses Traffic Selectors which are IP-ranges (not networks) | 11:34:16 |
tobhe | so you could even do sth like 10.0.3.123 - 10.188.4.5 | 11:34:48 |
tobhe | but of course that is not how kernels and routing tables and networking in general in the real world work | 11:35:21 |
1 Mar 2024 |
wubot | <Voyager_MP> Hi, currently I work with a product that uses multicast IPsec mesh VPN, basically one VPN server and the VMs connect to the server via multicast or anycast (not so sure). They use a group key. I would like to understand that product better. Therefore I was wondering if I could build such a VPN using OpenBSD OpenIKED. | 09:16:07 |
wubot | <Voyager_MP> basically it's just a point to point VPN, but using a multicast group. But there is my problem, I don't really understand that, is it possible after all ? | 09:20:00 |
tobhe | that sounds like gdoi/gikev2. is it cisco hardware? | 09:53:56 |
tobhe | we don't support group key management/multicast | 09:54:13 |
wubot | <Voyager_MP> @wubot_ no it ain't, we are in a secret environment, it's built up on DPUs in Linux | 10:43:51 |
wubot | <crest> Voyager_MP: afaik openiked can handle the IKEv2 key exchanges you need, but you also need something to turn it from a point to point vpn | 19:30:57 |
wubot | <crest> into either point to multipoint or broadcast/multicast emulated on top of unicast (either at the edge or through dedicated repeaters) | 19:31:32 |
2 Mar 2024 |
w4chhund | ca9bf0ecb24 Bump to OpenIKED 7.4 | 17:23:05 |
w4chhund | 2117af4583b Trigger retransmission only for fragment 1/x, otherwise each received fragment can trigger retransmission of the full fragment queue. | 17:23:05 |
4 Mar 2024 |
wubot | <Voyager_MP> @wubot_ would you be so kind as to help me set something like this up ? IKEv2 mesh VPN with OSPF and multilink Active/Active as POC | 08:59:36 |
22 Mar 2024 |
w4chhund | 3e9ba4a2d88 Avoid redundant allocation in ikev2_prfplus() | 00:25:28 |
24 Mar 2024 |
w4chhund | 142156d01f6 Allow zero-length identity response | 01:22:49 |
w4chhund | 6805d3cd025 Remove radius.c which was added mistakenly and is under review. | 01:22:49 |
2 Apr 2024 |
w4chhund | 49012907d58 Add check to make sure EAP header length matches expected payload length. | 21:23:06 |
8 Apr 2024 |
w4chhund | 2a1b6222200 Move daemon() after proc_setup() to sync with other proc.c daemons. | 14:22:25 |
9 Apr 2024 |
w4chhund | 2269e2921ab Sync removal of setsid(), setpgid() and a few dup2() from relayd. They are redundant since we call daemon() earlier. | 17:25:50 |
13 Apr 2024 |
w4chhund | 3a5505f2748 document "psk file path" notation; from josh rickmar ok tobhe | 13:22:52 |
w4chhund | 38100d85fbf check group and world permissions of iked psk files | 22:26:02 |