2012/7/11 Paulm <[email protected]>:
> One of the two hosts needs to use 'passive' in ipsec.conf so that
> it acts as server and listens/responds to incoming requests from peers.
>
>
>
> On Wed, Jul 11, 2012 at 02:23:13PM -0300, Rodrigo Mosconi wrote:
>> Hi,
>>
>> I'm having a problem establishing an IPSEC transport between two
>> OpenBSD hosts (one with 5.1 and the other with 4.9). They are
>> configured to use the transport mode (confs below).
>> When I run "isakmpd -K ; ipsecctl -f /etc/ipsec.conf" on both hosts,
>> no SAs are created. What did I miss?
>>
>> Thanks,
>>
>> Mosconi
>>
>> OBSD51 (hubble):
>> PF:
>> # pfctl -sr
>> pass all flags S/SA
>> block drop in on ! lo0 proto tcp from any to any port 6000:6010
>>
>> # ping -c 5 spitzer
>> PING spitzer.domain (IP_SPITZER): 56 data bytes
>> 64 bytes from IP_SPITZER: icmp_seq=0 ttl=244 time=69.193 ms
>> 64 bytes from IP_SPITZER: icmp_seq=1 ttl=244 time=70.835 ms
>> 64 bytes from IP_SPITZER: icmp_seq=2 ttl=244 time=70.223 ms
>> 64 bytes from IP_SPITZER: icmp_seq=3 ttl=244 time=70.740 ms
>> 64 bytes from IP_SPITZER: icmp_seq=4 ttl=244 time=69.469 ms
>> --- spitzer.domain ping statistics ---
>> 5 packets transmitted, 5 packets received, 0.0% packet loss
>> round-trip min/avg/max/std-dev = 69.193/70.092/70.835/0.661 ms
>>
>> # cat /etc/ipsec.conf
>> # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
>> #
>> # See ipsec.conf(5) for syntax and examples.
>>
>> # Set up two tunnels using automatic keying with isakmpd(8):
>> #
>> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
>> # second between the machines 192.168.3.1 and 192.168.3.2.
>> # Use FQDNs as IDs.
>>
>> ike esp transport from hubble to spitzer \
>> main \
>> auth hmac-sha2-512 \
>> enc aes-256 \
>> group modp4096 \
>> srcid hubble.domain \
>> dstid spitzer.domain \
>> psk
>> '/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy'
>>
>> # ipsecctl -vvf /etc/ipsec.conf
>> @0 C set [Phase 1]:IP_SPITZER=peer-IP_SPITZER force
>> C set [peer-IP_SPITZER]:Phase=1 force
>> C set [peer-IP_SPITZER]:Address=IP_SPITZER force
>> C set
>> [peer-IP_SPITZER]:Authentication=/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy
>> force
>> C set [peer-IP_SPITZER]:Configuration=phase1-peer-IP_SPITZER force
>> C set [phase1-peer-IP_SPITZER]:EXCHANGE_TYPE=ID_PROT force
>> C add [phase1-peer-IP_SPITZER]:Transforms=AES-256-SHA2-512-GRP16 force
>> C set [peer-IP_SPITZER]:ID=id-hubble.domain force
>> C set [id-hubble.domain]:ID-type=FQDN force
>> C set [id-hubble.domain]:Name=hubble.domain force
>> C set [peer-IP_SPITZER]:Remote-ID=id-spitzer.domain force
>> C set [id-spitzer.domain]:ID-type=FQDN force
>> C set [id-spitzer.domain]:Name=spitzer.domain force
>> C set [from-IP_HUBBLE-to-IP_SPITZER]:Phase=2 force
>> C set [from-IP_HUBBLE-to-IP_SPITZER]:ISAKMP-peer=peer-IP_SPITZER force
>> C set
>> [from-IP_HUBBLE-to-IP_SPITZER]:Configuration=phase2-from-IP_HUBBLE-to-IP_SPITZER
>> force
>> C set [from-IP_HUBBLE-to-IP_SPITZER]:Local-ID=from-IP_HUBBLE force
>> C set [from-IP_HUBBLE-to-IP_SPITZER]:Remote-ID=to-IP_SPITZER force
>> C set [phase2-from-IP_HUBBLE-to-IP_SPITZER]:EXCHANGE_TYPE=QUICK_MODE force
>> C set
>> [phase2-from-IP_HUBBLE-to-IP_SPITZER]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE
>> force
>> C set [from-IP_HUBBLE]:ID-type=IPV4_ADDR force
>> C set [from-IP_HUBBLE]:Address=IP_HUBBLE force
>> C set [to-IP_SPITZER]:ID-type=IPV4_ADDR force
>> C set [to-IP_SPITZER]:Address=IP_SPITZER force
>> C add [Phase 2]:Connections=from-IP_HUBBLE-to-IP_SPITZER
>> @1 C set [Phase 1]:IP6_SPITZER=peer-IP6_SPITZER force
>> C set [peer-IP6_SPITZER]:Phase=1 force
>> C set [peer-IP6_SPITZER]:Address=IP6_SPITZER force
>> C set
>> [peer-IP6_SPITZER]:Authentication=/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy
>> force
>> C set [peer-IP6_SPITZER]:Configuration=phase1-peer-IP6_SPITZER force
>> C set [phase1-peer-IP6_SPITZER]:EXCHANGE_TYPE=ID_PROT force
>> C add [phase1-peer-IP6_SPITZER]:Transforms=AES-256-SHA2-512-GRP16 force
>> C set [peer-IP6_SPITZER]:ID=id-hubble.domain force
>> C set [id-hubble.domain]:ID-type=FQDN force
>> C set [id-hubble.domain]:Name=hubble.domain force
>> C set [peer-IP6_SPITZER]:Remote-ID=id-spitzer.domain force
>> C set [id-spitzer.domain]:ID-type=FQDN force
>> C set [id-spitzer.domain]:Name=spitzer.domain force
>> C set [from-IP6_HUBBLE-to-IP6_SPITZER]:Phase=2 force
>> C set [from-IP6_HUBBLE-to-IP6_SPITZER]:ISAKMP-peer=peer-IP6_SPITZER force
>> C set
>> [from-IP6_HUBBLE-to-IP6_SPITZER]:Configuration=phase2-from-IP6_HUBBLE-to-IP6_SPITZER
>> force
>> C set [from-IP6_HUBBLE-to-IP6_SPITZER]:Local-ID=from-IP6_HUBBLE force
>> C set [from-IP6_HUBBLE-to-IP6_SPITZER]:Remote-ID=to-IP6_SPITZER force
>> C set [phase2-from-IP6_HUBBLE-to-IP6_SPITZER]:EXCHANGE_TYPE=QUICK_MODE force
>> C set
>> [phase2-from-IP6_HUBBLE-to-IP6_SPITZER]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE
>> force
>> C set [from-IP6_HUBBLE]:ID-type=IPV6_ADDR force
>> C set [from-IP6_HUBBLE]:Address=IP6_HUBBLE force
>> C set [to-IP6_SPITZER]:ID-type=IPV6_ADDR force
>> C set [to-IP6_SPITZER]:Address=IP6_SPITZER force
>> C add [Phase 2]:Connections=from-IP6_HUBBLE-to-IP6_SPITZER
>>
>> # cat /var/run/dmesg.boot
>> OpenBSD 5.1 (GENERIC) #160: Sun Feb 12 09:46:33 MST 2012
>> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: QEMU Virtual CPU version 1.0 ("GenuineIntel" 686-class) 2.54 GHz
>> cpu0:
>> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,LONG,SSE3,CX16,POPCNT,LAHF
>> real mem = 267960320 (255MB)
>> avail mem = 253480960 (241MB)
>> mainbus0 at root
>> bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @
>> 0xff046, SMBIOS rev. 2.4 @ 0xfd930 (10 entries)
>> bios0: vendor Bochs version "Bochs" date 01/01/2007
>> bios0: Bochs Bochs
>> acpi0 at bios0: rev 0
>> acpi0: sleep states S3 S4 S5
>> acpi0: tables DSDT FACP SSDT APIC HPET
>> acpi0: wakeup devices
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
>> acpihpet0 at acpi0: 100000000 Hz
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpicpu0 at acpi0
>> mpbios0 at bios0: Intel MP Specification 1.4
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: unknown i686 model 0x2, can't get bus clock (0x0)
>> cpu0: apic clock running at 1000MHz
>> mpbios0: bus 0 is type PCI
>> mpbios0: bus 1 is type ISA
>> ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
>> ioapic0: misconfigured as apic 0, remapped to apid 1
>> bios0: ROM list: 0xc0000/0x8e00 0xc9000/0xa00 0xca000/0xa00
>> 0xcb000/0x600 0xcb800/0x2400
>> vmt0 at mainbus0
>> vmware: open failed, eax=564d5868, ecx=0000001e, edx=00005658
>> vmt0: failed to open backdoor RPC channel (TCLO protocol)
>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
>> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
>> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
>> channel 0 wired to compatibility, channel 1 wired to compatibility
>> pciide0: channel 0 disabled (no drives)
>> pciide0: channel 1 disabled (no drives)
>> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1 int 11
>> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 1 int 9
>> iic0 at piixpm0
>> iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words
>> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words
>> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
>> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>> re0 at pci0 dev 3 function 0 "Realtek 8139" rev 0x20: RTL8139C+
>> (0x7480), apic 1 int 11, address 52:54:00:ae:81:38
>> rlphy0 at re0 phy 0: RTL internal PHY
>> re1 at pci0 dev 4 function 0 "Realtek 8139" rev 0x20: RTL8139C+
>> (0x7480), apic 1 int 11, address 52:54:00:40:71:14
>> rlphy1 at re1 phy 0: RTL internal PHY
>> siop0 at pci0 dev 5 function 0 "Symbios Logic 53c895A" rev 0x00: apic
>> 1 int 10, using 8K of on-board RAM
>> scsibus0 at siop0: 16 targets, initiator 7
>> siop0: bad offset in siop_sdp (17)
>> sd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU HARDDISK, 1.0> SCSI3 0/direct fixed
>> sd0: 5120MB, 512 bytes/sector, 10485760 sectors
>> siop0: bad offset in siop_sdp (17)
>> cd0 at scsibus0 targ 1 lun 0: <QEMU, QEMU CD-ROM, 1.0> SCSI3 5/cdrom
>> removable
>> "Qumranet Virtio Memory" rev 0x00 at pci0 dev 6 function 0 not configured
>> isa0 at pcib0
>> isadma0 at isa0
>> pckbc0 at isa0 port 0x60/5
>> pckbd0 at pckbc0 (kbd slot)
>> pckbc0: using irq 1 for kbd slot
>> wskbd0 at pckbd0: console keyboard, using wsdisplay0
>> pms0 at pckbc0 (aux slot)
>> pckbc0: using irq 12 for aux slot
>> wsmouse0 at pms0 mux 0
>> pcppi0 at isa0 port 0x61
>> spkr0 at pcppi0
>> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
>> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
>> fd0 at fdc0 drive 0: density unknown
>> fd1 at fdc0 drive 1: density unknown
>> usb0 at uhci0: USB revision 1.0
>> uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> mtrr: Pentium Pro MTRR support
>> nvram: invalid checksum
>> vscsi0 at root
>> scsibus1 at vscsi0: 256 targets
>> softraid0 at root
>> scsibus2 at softraid0: 256 targets
>> root on sd0a (6c9545cabdb4b09c.a) swap on sd0b dump on sd0b
>> clock: unknown CMOS layout
>>
>>
>> OBSD49 (spitzer):
>> $ pfctl -sr
>> pass all flags S/SA keep state
>> block drop in on ! lo0 proto tcp from any to any port 6000:6010
>>
>> spitzer[~]$ ping -c 5 hubble
>> PING hubble.domain (IP_HUBBLE): 56 data bytes
>> 64 bytes from IP_HUBBLE: icmp_seq=0 ttl=244 time=69.185 ms
>> 64 bytes from IP_HUBBLE: icmp_seq=1 ttl=244 time=69.367 ms
>> 64 bytes from IP_HUBBLE: icmp_seq=2 ttl=244 time=70.129 ms
>> 64 bytes from IP_HUBBLE: icmp_seq=3 ttl=244 time=72.605 ms
>> 64 bytes from IP_HUBBLE: icmp_seq=4 ttl=244 time=69.694 ms
>> --- hubble.domain ping statistics ---
>> 5 packets transmitted, 5 packets received, 0.0% packet loss
>> round-trip min/avg/max/std-dev = 69.185/70.196/72.605/1.246 ms
>> spitzer[~]$
>>
>> spitzer[~]$ cat /etc/ipsec.conf
>> # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
>> #
>> # See ipsec.conf(5) for syntax and examples.
>>
>> # Set up two tunnels using automatic keying with isakmpd(8):
>> #
>> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
>> # second between the machines 192.168.3.1 and 192.168.3.2.
>> # Use FQDNs as IDs.
>>
>> ike esp transport from spitzer to hubble \
>> main \
>> auth hmac-sha2-512 \
>> enc aes-256 \
>> group modp4096 \
>> srcid spitzer.domain \
>> dstid hubble.domain \
>> psk
>> '/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy'
>>
>> $ ipsecctl -vvf /etc/ipsec.conf
>> @0 C set [Phase 1]:IP_HUBBLE=peer-IP_HUBBLE force
>> C set [peer-IP_HUBBLE]:Phase=1 force
>> C set [peer-IP_HUBBLE]:Address=IP_HUBBLE force
>> C set
>> [peer-IP_HUBBLE]:Authentication=/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy
>> force
>> C set [peer-IP_HUBBLE]:Configuration=phase1-peer-IP_HUBBLE force
>> C set [phase1-peer-IP_HUBBLE]:EXCHANGE_TYPE=ID_PROT force
>> C add [phase1-peer-IP_HUBBLE]:Transforms=AES-256-SHA2-512-GRP16 force
>> C set [peer-IP_HUBBLE]:ID=id-spitzer.domain force
>> C set [id-spitzer.domain]:ID-type=FQDN force
>> C set [id-spitzer.domain]:Name=spitzer.domain force
>> C set [peer-IP_HUBBLE]:Remote-ID=id-hubble.domain force
>> C set [id-hubble.domain]:ID-type=FQDN force
>> C set [id-hubble.domain]:Name=hubble.domain force
>> C set [from-IP_SPITZER-to-IP_HUBBLE]:Phase=2 force
>> C set [from-IP_SPITZER-to-IP_HUBBLE]:ISAKMP-peer=peer-IP_HUBBLE force
>> C set
>> [from-IP_SPITZER-to-IP_HUBBLE]:Configuration=phase2-from-IP_SPITZER-to-IP_HUBBLE
>> force
>> C set [from-IP_SPITZER-to-IP_HUBBLE]:Local-ID=from-IP_SPITZER force
>> C set [from-IP_SPITZER-to-IP_HUBBLE]:Remote-ID=to-IP_HUBBLE force
>> C set [phase2-from-IP_SPITZER-to-IP_HUBBLE]:EXCHANGE_TYPE=QUICK_MODE force
>> C set
>> [phase2-from-IP_SPITZER-to-IP_HUBBLE]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE
>> force
>> C set [from-IP_SPITZER]:ID-type=IPV4_ADDR force
>> C set [from-IP_SPITZER]:Address=IP_SPITZER force
>> C set [to-IP_HUBBLE]:ID-type=IPV4_ADDR force
>> C set [to-IP_HUBBLE]:Address=IP_HUBBLE force
>> C add [Phase 2]:Connections=from-IP_SPITZER-to-IP_HUBBLE
>> @1 C set [Phase 1]:IP6_HUBBLE=peer-IP6_HUBBLE force
>> C set [peer-IP6_HUBBLE]:Phase=1 force
>> C set [peer-IP6_HUBBLE]:Address=IP6_HUBBLE force
>> C set
>> [peer-IP6_HUBBLE]:Authentication=/+V1gt9G6FTQ"_}/Rn#nny!ZCgmd5+jIe^dKXf+)40R6%ZS(zD8Q2DUt[T(NwJOy
>> force
>> C set [peer-IP6_HUBBLE]:Configuration=phase1-peer-IP6_HUBBLE force
>> C set [phase1-peer-IP6_HUBBLE]:EXCHANGE_TYPE=ID_PROT force
>> C add [phase1-peer-IP6_HUBBLE]:Transforms=AES-256-SHA2-512-GRP16 force
>> C set [peer-IP6_HUBBLE]:ID=id-spitzer.domain force
>> C set [id-spitzer.domain]:ID-type=FQDN force
>> C set [id-spitzer.domain]:Name=spitzer.domain force
>> C set [peer-IP6_HUBBLE]:Remote-ID=id-hubble.domain force
>> C set [id-hubble.domain]:ID-type=FQDN force
>> C set [id-hubble.domain]:Name=hubble.domain force
>> C set [from-IP6_SPITZER-to-IP6_HUBBLE]:Phase=2 force
>> C set [from-IP6_SPITZER-to-IP6_HUBBLE]:ISAKMP-peer=peer-IP6_HUBBLE force
>> C set
>> [from-IP6_SPITZER-to-IP6_HUBBLE]:Configuration=phase2-from-IP6_SPITZER-to-IP6_HUBBLE
>> force
>> C set [from-IP6_SPITZER-to-IP6_HUBBLE]:Local-ID=from-IP6_SPITZER force
>> C set [from-IP6_SPITZER-to-IP6_HUBBLE]:Remote-ID=to-IP6_HUBBLE force
>> C set [phase2-from-IP6_SPITZER-to-IP6_HUBBLE]:EXCHANGE_TYPE=QUICK_MODE force
>> C set
>> [phase2-from-IP6_SPITZER-to-IP6_HUBBLE]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE
>> force
>> C set [from-IP6_SPITZER]:ID-type=IPV6_ADDR force
>> C set [from-IP6_SPITZER]:Address=IP6_SPITZER force
>> C set [to-IP6_HUBBLE]:ID-type=IPV6_ADDR force
>> C set [to-IP6_HUBBLE]:Address=IP6_HUBBLE force
>> C add [Phase 2]:Connections=from-IP6_SPITZER-to-IP6_HUBBLE
>>
>>
>> $ dmesg
>> OpenBSD 4.9 (GENERIC) #671: Wed Mar 2 07:09:00 MST 2011
>> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: QEMU Virtual CPU version 0.14.1 ("GenuineIntel" 686-class) 2.54 GHz
>> cpu0:
>> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,POPCNT
>> real mem = 267993088 (255MB)
>> avail mem = 253476864 (241MB)
>> mainbus0 at root
>> bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @
>> 0xff046, SMBIOS rev. 2.4 @ 0xffffef0 (10 entries)
>> bios0: vendor Bochs version "Bochs" date 01/01/2007
>> bios0: Bochs Bochs
>> acpi0 at bios0: rev 0
>> acpi0: sleep states S3 S4 S5
>> acpi0: tables DSDT FACP SSDT APIC HPET
>> acpi0: wakeup devices
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
>> acpihpet0 at acpi0: 100000000 Hz
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpicpu0 at acpi0
>> mpbios0 at bios0: Intel MP Specification 1.4
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: unknown i686 model 0x2, can't get bus clock (0x0)
>> cpu0: apic clock running at 999MHz
>> mpbios0: bus 0 is type PCI
>> mpbios0: bus 1 is type ISA
>> ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
>> ioapic0: misconfigured as apic 0, remapped to apid 1
>> bios0: ROM list: 0xc0000/0x8c00 0xc9000/0x10000 0xd9000/0x600
>> 0xd9800/0x2200
>> vmt0 at mainbus0
>> vmware: open failed, eax=564d5868, ecx=0000001e, edx=00005658
>> vmt0: failed to open backdoor RPC channel (TCLO protocol)
>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
>> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
>> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
>> channel 0 wired to compatibility, channel 1 wired to compatibility
>> pciide0: channel 0 disabled (no drives)
>> pciide0: channel 1 disabled (no drives)
>> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1
>> int 11 (irq 11)
>> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic
>> 1 int 9 (irq 10)
>> iic0 at piixpm0
>> iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words
>> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words
>> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00=0000
>> 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0
>> words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
>> vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
>> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>> re0 at pci0 dev 3 function 0 "Realtek 8139" rev 0x20: RTL8139C+
>> (0x7480), apic 1 int 11 (irq 11), address 52:54:00:92:c4:b6
>> rlphy0 at re0 phy 0: RTL internal PHY
>> re1 at pci0 dev 4 function 0 "Realtek 8139" rev 0x20: RTL8139C+
>> (0x7480), apic 1 int 11 (irq 11), address 52:54:00:fc:42:df
>> rlphy1 at re1 phy 0: RTL internal PHY
>> siop0 at pci0 dev 5 function 0 "Symbios Logic 53c895A" rev 0x00: apic
>> 1 int 10 (irq 10), using 8K of on-board RAM
>> scsibus0 at siop0: 16 targets, initiator 7
>> siop0: bad offset in siop_sdp (17)
>> sd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU HARDDISK, 0.14> SCSI3 0/direct
>> fixed
>> sd0: 5120MB, 512 bytes/sec, 10485760 sec total
>> siop0: bad offset in siop_sdp (17)
>> cd0 at scsibus0 targ 1 lun 0: <QEMU, QEMU CD-ROM, 0.14> SCSI3 5/cdrom
>> removable
>> "Qumranet Virtio Memory" rev 0x00 at pci0 dev 6 function 0 not configured
>> isa0 at pcib0
>> isadma0 at isa0
>> pckbc0 at isa0 port 0x60/5
>> pckbd0 at pckbc0 (kbd slot)
>> pckbc0: using irq 1 for kbd slot
>> wskbd0 at pckbd0: console keyboard, using wsdisplay0
>> pms0 at pckbc0 (aux slot)
>> pckbc0: using irq 12 for aux slot
>> wsmouse0 at pms0 mux 0
>> pcppi0 at isa0 port 0x61
>> spkr0 at pcppi0
>> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
>> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
>> fd0 at fdc0 drive 0: density unknown
>> fd1 at fdc0 drive 1: density unknown
>> usb0 at uhci0: USB revision 1.0
>> uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> mtrr: Pentium Pro MTRR support
>> nvram: invalid checksum
>> vscsi0 at root
>> scsibus1 at vscsi0: 256 targets
>> softraid0 at root
>> root on sd0a swap on sd0b dump on sd0b
>> clock: unknown CMOS layout
>> scsibus2 at softraid0: 1 targets
>> sd1 at scsibus2 targ 0 lun 0: <OPENBSD, SR CRYPTO, 004> SCSI2 0/direct fixed
>> sd1: 4470MB, 512 bytes/sec, 9156522 sec total
>
If I remove the auth+enc+group, it starts normally, i.e., SAs are created. If I add an auth or enc parameter, no SA is created.
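
A check of the two `ipsecctl -vv` dumps quoted in this thread, as an added example that is not part of the original messages: it parses the `C set`/`C add` lines from both peers and lists every identity, phase 1 or phase 2 parameter that is not mirrored on the other side. The function names and the trimmed sample are constructed here; note that in the quoted output the `auth`/`enc`/`group` values show up in the phase 1 transform (`AES-256-SHA2-512-GRP16`), while the phase 2 suite is `QM-ESP-TRP-AES-SHA2-256-PFS-SUITE`.

```python
import re

# One ipsecctl -vv line: "[@N ]C set|add [section]:tag=value[ force]"
CMD = re.compile(r"^(?:@\d+\s+)?C (set|add) \[([^\]]+)\]:([^=]+)=(.*?)(?: force)?$")

# Constructed sample: IPv4 lines of the quoted output, trimmed to the tags read below.
TEMPLATE = """\
@0 C set [peer-IP_{P}]:Configuration=phase1-peer-IP_{P} force
C set [phase1-peer-IP_{P}]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-IP_{P}]:Transforms=AES-256-SHA2-512-GRP16 force
C set [peer-IP_{P}]:ID=id-{m}.domain force
C set [peer-IP_{P}]:Remote-ID=id-{p}.domain force
C set [from-IP_{M}-to-IP_{P}]:ISAKMP-peer=peer-IP_{P} force
C set [from-IP_{M}-to-IP_{P}]:Configuration=phase2-from-IP_{M}-to-IP_{P} force
C set [from-IP_{M}-to-IP_{P}]:Local-ID=from-IP_{M} force
C set [from-IP_{M}-to-IP_{P}]:Remote-ID=to-IP_{P} force
C set [phase2-from-IP_{M}-to-IP_{P}]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-IP_{M}]:Address=IP_{M} force
C set [to-IP_{P}]:Address=IP_{P} force
C add [Phase 2]:Connections=from-IP_{M}-to-IP_{P}
"""

def sample(me, peer):
    return TEMPLATE.format(m=me, p=peer, M=me.upper(), P=peer.upper())

def parse(text):
    """Return {section: {tag: value}}; 'add' appends to a comma-separated list."""
    conf = {}
    for line in text.splitlines():
        m = CMD.match(line.strip())
        if m:
            op, section, tag, value = m.groups()
            tags = conf.setdefault(section, {})
            tags[tag] = f"{tags[tag]},{value}" if op == "add" and tag in tags else value
    return conf

def proposals(conf):
    """Map (local address, remote address) -> parameters this host will use."""
    out = {}
    for name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[name]
        peer = conf[conn["ISAKMP-peer"]]
        p1 = conf[peer["Configuration"]]
        key = (conf[conn["Local-ID"]]["Address"], conf[conn["Remote-ID"]]["Address"])
        out[key] = {
            "ids": (peer["ID"], peer["Remote-ID"]),  # section names carry srcid/dstid
            "phase1": (p1["EXCHANGE_TYPE"], p1["Transforms"]),
            "phase2": conf[conn["Configuration"]]["Suites"],
        }
    return out

def mismatches(a_text, b_text):
    """List every parameter on which the two peers' generated configs disagree."""
    a, b = proposals(parse(a_text)), proposals(parse(b_text))
    found = []
    for (local, remote), mine in a.items():
        theirs = b.get((remote, local))
        if theirs is None:
            found.append(f"{local}->{remote}: peer has no matching connection")
            continue
        expect = dict(mine, ids=mine["ids"][::-1])  # the peer's IDs must be swapped
        found += [f"{local}->{remote}: {k}: {expect[k]} != {theirs[k]}"
                  for k in expect if expect[k] != theirs[k]]
    return found
```
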

