Using the sample config straight from the vpn man page, my tunnel fails to come up between GENERIC 3.8 or 3.7 on a Sun Fire V100 (dmesg below) and GENERIC on an x86 machine. If I run the same config on another x86 machine it works.

When running `isakmpd -L` I see checksum errors on the Sun Fire (see dump below).


Is this a problem with the dc driver? I have tried both of the interfaces, but to no avail; there are no PCI slots for add-on cards.

Debug output and config files below.

============= tcpdump -nvr  /var/run/isakmpd.pcap==================
16:37:33.685897 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum 1c8e!] isakmp v1.0 exchange ID_PROT
        cookie: 30e6fc2ae5d3ef74->0000000000000000 msgid: 00000000 len: 196
        payload: SA len: 88 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 76 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute NONE =
                        attribute NONE =
                        attribute NONE =
                payload: TRANSFORM len: 0 [|isakmp]
        payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 224)
16:37:40.693965 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum 8c9d!] isakmp v1.0 exchange ID_PROT
        cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 160
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute NONE =
                        attribute NONE =
                        attribute NONE =
        payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 188)
16:37:40.772058 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum c4e6!] isakmp v1.0 exchange ID_PROT
        cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
16:37:40.784674 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum bb54!] isakmp v1.0 exchange ID_PROT
        cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
16:37:40.786483 192.168.1.13.500 > 192.168.1.15.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: d5feed659a4246cc->0000000000000000 msgid: 00000000 len: 40
        payload: NOTIFICATION len: 12
            notification: INVALID PAYLOAD TYPE [ttl 0] (id 1, len 68)


============= tcpdump -nvr  /var/run/isakmpd.pcap==================

============isakmpd -DA=50 ================
163740.784428 Timr 10 timer_remove_event: removing event message_send_expire(0x88cc00)
163740.784712 Default message_parse_payloads: invalid next payload type RESERVED_MIN in payload of type 10
163740.785137 Default dropped message from 192.168.1.15 port 500 due to notification type INVALID_PAYLOAD_TYPE
163740.785434 Timr 10 timer_add_event: event exchange_free_aux(0x892e00) added last, expiration in 120s
163740.785729 Exch 10 exchange_establish_p1: 0x892e00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
163740.785990 Exch 10 exchange_establish_p1: icookie d5feed659a4246cc rcookie 0000000000000000
163740.786237 Exch 10 exchange_establish_p1: msgid 00000000
163740.786599 Exch 40 exchange_run: exchange 0x892e00 finished step 0, advancing...
163740.786834 Mesg 20 message_free: freeing 0x88d000
163740.787149 Exch 10 exchange_finalize: 0x892e00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
163740.787413 Exch 10 exchange_finalize: icookie d5feed659a4246cc rcookie 0000000000000000
163740.787647 Exch 10 exchange_finalize: msgid 00000000
163740.787879 Timr 10 timer_remove_event: removing event exchange_free_aux(0x892e00)
============isakmpd -DA=50 ================


====================dmesg===========
console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.7 (GENERIC) #431: Sun Mar 20 14:10:02 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 536870912
avail memory = 479256576
using 3276 buffers containing 26836992 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): Sun Fire V100 (UltraSPARC-IIe 548MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 548 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 512K external (64 b/l)
psycho0 at mainbus0
SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 0; PCI bus 0
DVMA map: 60000000 to 80000000
IOTDB: 826a6000 to 82726000
pci0 at psycho0
ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
dma at ebus0 addr 0-ffff ipl 42 not configured
rtc0 at ebus0 addr 70-71: m5819
power at ebus0 addr 2000-2007 ipl 35 not configured
SUNW,lomh at ebus0 addr 8010-8011 ipl 42 not configured
com0 at ebus0 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
flashprom at ebus0 addr 0-7ffff not configured
"Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 3 function 0 not configured
"Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 3 function 0 not configured
dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 3006, address 00:03:ba:ce:d8:6b
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 301c, address 00:03:ba:ce:d8:6c
amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
ohci0 at pci0 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 24, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 180c for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <HDS728080PLAT20>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: <HDS728080PLAT20>
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, P.9A> SCSI0 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
pcons at mainbus0 not configured
No counter-timer -- using %tick at 548MHz as system clock.
root on wd0a
rootdev=0xc00 rrootdev=0x1a00 rawdev=0x1a02
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
====================dmesg===================================
============== sunfire config =============
# cat isakmpd.conf
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.

[General]
Listen-On=              192.168.1.13

# Incoming phase 1 negotiations are multiplexed on the
# source IP address.  Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).

[Phase 1]
192.168.1.15=           peer-machineB

# 'Phase 2' defines which connections the daemon
# should establish.  These connections contain the actual
# "IPsec VPN" information.

[Phase 2]
Connections=            VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])

[peer-machineB]
Phase=                  1
Transport=              udp
Address=                192.168.1.15
Configuration=          Default-main-mode
Authentication=         yoursharedsecret

# IPSEC phase 2 connections (from [Phase 2])

[VPN-A-B]
Phase=                  2
ISAKMP-peer=            peer-machineB
Configuration=          Default-quick-mode
Local-ID=               machineA-internal-network
Remote-ID=              machineB-internal-network

# ID sections (as used in [VPN-A-B])

[machineA-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.50.0
Netmask=                255.255.255.0

[machineB-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.99.0
Netmask=                255.255.255.0

# Main and Quick Mode descriptions
# (as used by peers and connections).

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA,BLF-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE


============= sunfire ===================


============== x86 config ================


# cat isakmpd.conf
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.

[General]
Listen-On=              192.168.1.15

# Incoming phase 1 negotiations are multiplexed on the
# source IP address.  Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).

[Phase 1]
192.168.1.13=           peer-machineA

# 'Phase 2' defines which connections the daemon
# should establish.  These connections contain the actual
# "IPsec VPN" information.

[Phase 2]
Connections=            VPN-B-A

# ISAKMP phase 1 peers (from [Phase 1])

[peer-machineA]
Phase=                  1
Transport=              udp
Address=                192.168.1.13
Configuration=          Default-main-mode
Authentication=         yoursharedsecret

# IPSEC phase 2 connections (from [Phase 2])

[VPN-B-A]
Phase=                  2
ISAKMP-peer=            peer-machineA
Configuration=          Default-quick-mode
Local-ID=               machineB-internal-network
Remote-ID=              machineA-internal-network

# ID sections (as used in [VPN-B-A])

[machineA-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.50.0
Netmask=                255.255.255.0

[machineB-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.99.0
Netmask=                255.255.255.0

# Main and Quick Mode descriptions
# (as used by peers and connections).

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA,BLF-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE


============= x86 config ===============



=========== policy file ================
# cat isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";
==========================================
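As an added example that is not part of the original post: the isakmpd line "invalid next payload type RESERVED_MIN in payload of type 10" is produced while walking the ISAKMP payload chain, where type 10 is NONCE and 14 is the first reserved payload-type value in RFC 2408. The Python below (all function names and the sample bytes are constructed for this example) walks the same chain and reproduces that diagnostic on a KE+NONCE message, like the third packet in the dump, whose nonce header carries next-payload 14, which is how a corrupted or mis-assembled packet looks to the daemon.

```python
import struct

# ISAKMP v1 payload types from RFC 2408 section 3.1; 14..127 are reserved, 128..255 private.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH",
                 5: "ID", 6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR"}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length (header included)

def payload_name(t):
    return PAYLOAD_NAMES.get(t, "RESERVED" if t < 128 else "PRIVATE")

def parse_payload_chain(msg):
    """Walk the top-level payload chain of one ISAKMP message (nested SA contents are skipped).
    Returns (names of payloads seen so far, None) on success or (names, error string)."""
    if len(msg) < ISAKMP_HDR.size:
        return [], "short header"
    _ic, _rc, first, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        return [], "header length %d != message length %d" % (length, len(msg))
    found, off, cur = [], ISAKMP_HDR.size, first
    while cur != 0:
        if cur not in PAYLOAD_NAMES:
            return found, "invalid payload type %d" % cur
        if off + GENERIC_HDR.size > length:
            return found, "truncated payload of type %d" % cur
        nxt, _res, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > length:
            return found, "bad length %d in payload of type %d" % (plen, cur)
        found.append(payload_name(cur))
        if nxt not in PAYLOAD_NAMES:  # the check that produced the log line in the post
            return found, "invalid next payload type %s in payload of type %d" % (payload_name(nxt), cur)
        off, cur = off + plen, nxt
    return found, None

def build_message(payloads):
    """Constructed test helper: (type, forced_next_or_None, body) tuples -> one ID_PROT message."""
    body = b""
    for i, (ptype, forced_next, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0  # a payload's type lives in the previous header
        body += GENERIC_HDR.pack(forced_next if forced_next is not None else nxt, 0,
                                 GENERIC_HDR.size + len(data)) + data
    hdr = ISAKMP_HDR.pack(b"\xaa" * 8, bytes(8), payloads[0][0], 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))  # constructed cookies; version 1.0, exchange 2 = ID_PROT
    return hdr + body

# Constructed samples: KE + NONCE as in the third packet of the dump (KEY_EXCH len 132), once
# well-formed and once with the nonce's next-payload byte set to 14, the first reserved value.
GOOD = build_message([(4, None, bytes(128)), (10, None, bytes(16))])
BAD = build_message([(4, None, bytes(128)), (10, 14, bytes(16))])
```

Running `parse_payload_chain` over the BAD sample returns the KE and NONCE names followed by the same "invalid next payload type ... in payload of type 10" text, which is the point at which isakmpd answers with INVALID_PAYLOAD_TYPE.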
