DaemonForums  

soekris net5501-60 box with vpn1411 problem

#1 igy01 (30th October 2014)

I have 2 x Soekris net5501-60 boxes with vpn1411 and OpenBSD 5.5. I tried simple IPsec between the two devices, and it is not working.

hifn is recognized OK in dmesg.

IPsec between the two hosts (transport mode) has the same transfer rate as without the 1411; IPsec between two workstations (tunnel mode) stalls and/or is interrupted.

Any suggestion?

igy

#2 jggimi (31st October 2014)

Quote, originally posted by igy01:
Any suggestion?

Provide much more information.

There are many ways to configure IPSec on OpenBSD. Two IKE protocol versions for automatic keying, public key authentication, X.509 certificate authentication, pre-shared keys, keynote authentication... and as you've noted, both transport and tunnel protocols. And then an endless variety of ways to specify IPSec flows and security associations, cipher selections, NAT traversal mechanisms... it really is a broad set of solutions for IPSec.

I just had an informal discussion on the misc@ mailing list about some problems I encountered with IKEv2 in a test network. While you might not be using (or even interested in) IKEv2, the opening post in my thread is an example of the extent of information needed in order for someone to be able to offer you assistance with IPSec on OpenBSD.

#3 igy01 (4th November 2014)

More detailed info:

Lab configuration is simple, only four devices:

Device 1 (workstation ftp client)
OpenBSD 5.4
IP=172.30.10.10/24
mygate=172.30.10.1
|
|
Device 2 Soekris 5501-60 IPsec01
OpenBSD 5.5
vr3 IP=172.30.10.1
vr0 IP=10.10.10.1
|
|
Device 3 Soekris 5501-60 IPsec02
OpenBSD 5.5
vr0 IP=10.10.10.2
vr3 IP=172.30.20.1
|
|
Device 4 (workstation ftp server)
Win XP SP3
IP=172.30.20.10/24
mygate=172.30.20.1

ipsec.conf on Device 2:
ike esp from 172.30.10.0/24 to 172.30.20.0/24 \
psk abcd1234

static routes on Device 2 & 3
sysctl: net.inet.ip.forwarding=1

rc.conf.local: isakmpd="-4 -K -T"

pf is off, all the time

test procedure on Device 2
try ping 172.30.20.10,
then ftp -a 172.30.20.10
mget somebigfiles

If there are NO vpn1411 cards, everything seems to be fine
After reboot: ipsecctl -sa & netstat -rnf encap are OK
ping is OK, there are esp packet on Devices 2 & 3 (tcpdump -ni vr0)
Also on Device 2: ftp -a 172.30.20.10, get some_big_files

If I insert the 1411 & reboot, then the problem starts.
ipsecctl -sa is the same as before, ping keeps going,
the problem is: ftp -a 172.30.20.10, get some_big_files
after a few megabytes, ftp stalls, and the soekris is "frozen"
I can't ssh to it, even serial on 19200 is not working,
so I must turn off & reboot the 5501

After stalling, there is nothing special in /var/log

I tried changing one Soekris 5501 (I have a few of them :-),
and the results are the same

Also, I tried changing CF cards, and the results are the same

Instead of ftp, I have tried different "big traffic", same results...

After removing the vpn1411 from the soekris, everything is fine again.
I have experience with OpenBSD & IPsec on other devices,
and I think IPsec & isakmpd are working fine,
I suppose the problem is the 1411.

dmesg:

OpenBSD 5.5 (GENERIC) #276: Wed Mar 5 09:57:06 MST 2014
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMX X,3DNOW2,3DNOW
real mem = 267939840 (255MB)
avail mem = 251256832 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported ??????
pcibios0: PCI IRQ Routing information unavailable. ??????
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100 ??????
0:20:0: io address conflict 0x6200/0x200 ??????
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:d0:51:90
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:d0:51:91
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:d0:51:92
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:d0:51:93
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
hifn0 at pci0 dev 17 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 15
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SQF-P10S2-8G-CT2>
wd0: 1-sector PIO, LBA, 7695MB, 15761088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 7, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 7
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (b8546239e2c1aaab.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted

#4 jggimi (5th November 2014)

Thank you, that is much more detailed.

I found this circumvention, which is to limit throughput with the vpn1411 with traffic shaping ... so it may not meet your requirements. I could not find a recent discussion of problems with the vpn1411 (HIFN 7955) on the OpenBSD misc@ or tech@ mailing lists.

(You probably have already seen the 2009 discussion in misc@, but that was a discussion of performance, not of stability.)

Last edited by jggimi; 5th November 2014 at 02:23 AM.