OpenBSD Installation and Upgrading: Installing and upgrading OpenBSD.
soekris net5501-60 box with vpn1411 problem
I have 2 x soekris net5501-60 boxes with vpn1411 and OpenBSD 5.5, so I try simple IPsec between the two devices, and it is not working.
hifn is recognized OK in dmesg. IPsec between two hosts (transport mode) has the same transfer rate as without the 1411; IPsec between two workstations (tunnel mode) is stalling and/or interrupting. Any suggestion?
igy
Provide much more information.
There are many ways to configure IPSec on OpenBSD. Two IKE protocol versions for automatic keying, public key authentication, X.509 certificate authentication, pre-shared keys, keynote authentication... and as you've noted, both transport and tunnel protocols. And then an endless variety of ways to specify IPSec flows and security associations, cipher selections, NAT traversal mechanisms... it really is a broad set of solutions for IPSec. I just had an informal discussion on the misc@ mailing list about some problems I encountered with IKEv2 in a test network. While you might not be using (or even interested in) IKEv2, the opening post in my thread is an example of the extent of information needed in order for someone to be able to offer you assistance with IPSec on OpenBSD.
More detailed info:
Lab configuration is simple, only four devices:

Device 1 (workstation, ftp client)
    OpenBSD 5.4, IP=172.30.10.10/24, mygate=172.30.10.1
     |
     |
Device 2 (Soekris 5501-60, IPsec01)
    OpenBSD 5.5, vr3 IP=172.30.10.1, vr0 IP=10.10.10.1
     |
     |
Device 3 (Soekris 5501-60, IPsec02)
    OpenBSD 5.5, vr0 IP=10.10.10.2, vr3 IP=172.30.20.1
     |
     |
Device 4 (workstation, ftp server)
    Win XP SP3, IP=172.30.20.10/24, mygate=172.30.20.1

ipsec.conf on Device 2:
    ike esp from 172.30.10.0/24 to 172.30.20.0/24 \
        psk abcd1234

static routes on Device 2 & 3
sysctl: net.inet.ip.forwarding=1
rc.conf.local: isakmpd="-4 -K -T"
pf is off, all the time

Test procedure on Device 2: try ping 172.30.20.10, then ftp -a 172.30.20.10, mget somebigfiles.

If there are NO vpn1411 cards, everything seems to be fine. After reboot: ipsecctl -sa & netstat -rnf encap are OK, ping is OK, there are esp packets on Devices 2 & 3 (tcpdump -ni vr0). Also on Device 2: ftp -a 172.30.20.10, get some_big_files.

If I insert the 1411 & reboot, then the problem starts. ipsecctl -sa is the same as before, ping is going on; the problem is: ftp -a 172.30.20.10, get some_big_files, and after a few megabytes ftp stalls and the soekris is "frozen". I can't ssh to it, even serial on 19200 is not working, so I must turn off & reboot Device 5501. After stalling, there is nothing special in /var/log.

I try to change one Soekris 5501 (I have a few of them :-), and the results are the same. Also, I try to change CF cards, and the results are the same. Instead of ftp, I have tried different "big traffic", same results... Removing the vpn1411 from the soekris and everything is fine again.

I have experience with OpenBSD & IPsec on other devices, and I think IPsec & isakmpd are working fine; I suppose the problem is the 1411.
dmesg:

OpenBSD 5.5 (GENERIC) #276: Wed Mar 5 09:57:06 MST 2014
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 267939840 (255MB)
avail mem = 251256832 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported ??????
pcibios0: PCI IRQ Routing information unavailable. ??????
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100 ??????
0:20:0: io address conflict 0x6200/0x200 ??????
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:d0:51:90
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:d0:51:91
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:d0:51:92
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:d0:51:93
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
hifn0 at pci0 dev 17 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 15
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SQF-P10S2-8G-CT2>
wd0: 1-sector PIO, LBA, 7695MB, 15761088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 7, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 7
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (b8546239e2c1aaab.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
Thank you, that is much more detailed.
I found this circumvention, which is to limit throughput with the vpn1411 with traffic shaping ... so it may not meet your requirements. I could not find a recent discussion of problems with the vpn1411 (HIFN 7955) on the OpenBSD misc@ or tech@ mailing lists. (You probably have already seen the 2009 discussion in misc@, but that was a discussion of performance, not of stability.)

Last edited by jggimi; 5th November 2014 at 02:23 AM.
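One concrete form of the traffic-shaping circumvention mentioned above, as an added example that is not from this thread: an OpenBSD 5.5 pf.conf fragment for Device 2 that caps outbound ESP on vr0 (the interface carrying the tunnel to Device 3), so the vpn1411 is only ever fed at a rate the card has been shown to sustain. The 100M/2M/98M figures are assumptions to be tuned, the fragment contains no filter rules, and it requires pf to be enabled, which the poster's setup currently has off.

```pf
# Added example (not from the thread): rate-limit the encrypted tunnel
# traffic leaving Device 2 on vr0 so the vpn1411 is never driven at
# line rate.  All bandwidth figures below are assumptions: start low
# enough that the freeze no longer reproduces, then raise the espq
# limit step by step to find the highest rate the card tolerates.
queue rootq on vr0 bandwidth 100M
queue espq  parent rootq bandwidth 2M max 2M    # shaped IPsec traffic
queue other parent rootq bandwidth 98M default  # everything else

# Only ESP (the tunnel packets produced after encryption) takes the
# slow queue; IKE (isakmpd, UDP) and plain traffic stay in "other".
match out on vr0 proto esp set queue espq
```

Load it with pfctl -e -f /etc/pf.conf and watch the queue counters with systat queues while repeating the large ftp transfer.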