Using the sample config straight from the vpn man page, my tunnel fails
to come up between GENERIC 3.8 or 3.7 on a sunfire v100 (dmesg below)
and GENERIC on an x86 machine. If I run the same config on another x86
machine it works.
When running `isakmpd -L` I see checksum errors on the sunfire (see
dump below).
Is this a problem with the dc driver? I have tried both of the
interfaces but to no avail; there are no PCI slots for add-on cards.
Debug output and config files are below.
============= tcpdump -nvr /var/run/isakmpd.pcap==================
16:37:33.685897 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum
1c8e!] isakmp v1.0 exchange ID_PROT
cookie: 30e6fc2ae5d3ef74->0000000000000000 msgid: 00000000 len: 196
payload: SA len: 88 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 76 proposal: 1 proto: ISAKMP spisz:
0 xforms: 2
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute NONE =
attribute NONE =
attribute NONE =
payload: TRANSFORM len: 0 [|isakmp]
payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 224)
16:37:40.693965 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum
8c9d!] isakmp v1.0 exchange ID_PROT
cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute NONE =
attribute NONE =
attribute NONE =
payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 188)
16:37:40.772058 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum
c4e6!] isakmp v1.0 exchange ID_PROT
cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
16:37:40.784674 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum
bb54!] isakmp v1.0 exchange ID_PROT
cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
16:37:40.786483 192.168.1.13.500 > 192.168.1.15.500: [udp sum ok]
isakmp v1.0 exchange INFO
cookie: d5feed659a4246cc->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: INVALID PAYLOAD TYPE [ttl 0] (id 1, len 68)
============= tcpdump -nvr /var/run/isakmpd.pcap==================
============isakmpd -DA=50 ================
163740.784428 Timr 10 timer_remove_event: removing event
message_send_expire(0x88cc00)
163740.784712 Default message_parse_payloads: invalid next payload type
RESERVED_MIN in payload of type 10
163740.785137 Default dropped message from 192.168.1.15 port 500 due to
notification type INVALID_PAYLOAD_TYPE
163740.785434 Timr 10 timer_add_event: event exchange_free_aux(0x892e00)
added last, expiration in 120s
163740.785729 Exch 10 exchange_establish_p1: 0x892e00 <unnamed> <no
policy> policy initiator phase 1 doi 1 exchange 5 step 0
163740.785990 Exch 10 exchange_establish_p1: icookie d5feed659a4246cc
rcookie 0000000000000000
163740.786237 Exch 10 exchange_establish_p1: msgid 00000000
163740.786599 Exch 40 exchange_run: exchange 0x892e00 finished step 0,
advancing...
163740.786834 Mesg 20 message_free: freeing 0x88d000
163740.787149 Exch 10 exchange_finalize: 0x892e00 <unnamed> <no policy>
policy initiator phase 1 doi 1 exchange 5 step 1
163740.787413 Exch 10 exchange_finalize: icookie d5feed659a4246cc
rcookie 0000000000000000
163740.787647 Exch 10 exchange_finalize: msgid 00000000
163740.787879 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x892e00)
============isakmpd -DA=50 ================
====================dmesg===========
console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.
http://www.OpenBSD.org
OpenBSD 3.7 (GENERIC) #431: Sun Mar 20 14:10:02 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 536870912
avail memory = 479256576
using 3276 buffers containing 26836992 bytes of memory
bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): Sun Fire V100 (UltraSPARC-IIe 548MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 548 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 512K
external (64 b/l)
psycho0 at mainbus0
SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 0; PCI bus 0
DVMA map: 60000000 to 80000000
IOTDB: 826a6000 to 82726000
pci0 at psycho0
ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
dma at ebus0 addr 0-ffff ipl 42 not configured
rtc0 at ebus0 addr 70-71: m5819
power at ebus0 addr 2000-2007 ipl 35 not configured
SUNW,lomh at ebus0 addr 8010-8011 ipl 42 not configured
com0 at ebus0 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
flashprom at ebus0 addr 0-7ffff not configured
"Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 3 function 0 not
configured
"Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 3 function 0 not
configured
dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 3006,
address 00:03:ba:ce:d8:6b
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 301c,
address 00:03:ba:ce:d8:6c
amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
ohci0 at pci0 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 24,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3:
DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 180c for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <HDS728080PLAT20>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: <HDS728080PLAT20>
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, P.9A> SCSI0 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
pcons at mainbus0 not configured
No counter-timer -- using %tick at 548MHz as system clock.
root on wd0a
rootdev=0xc00 rrootdev=0x1a00 rawdev=0x1a02
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
dc1: failed to force tx and rx to idle state
====================dmesg===================================
============== sunfire config =============
# cat isakmpd.conf
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On= 192.168.1.13
# Incoming phase 1 negotiations are multiplexed on the
# source IP address. Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).
[Phase 1]
192.168.1.15= peer-machineB
# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections= VPN-A-B
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase= 1
Transport= udp
Address= 192.168.1.15
Configuration= Default-main-mode
Authentication= yoursharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase= 2
ISAKMP-peer= peer-machineB
Configuration= Default-quick-mode
Local-ID= machineA-internal-network
Remote-ID= machineB-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.50.0
Netmask= 255.255.255.0
[machineB-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.99.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
============= sunfire ===================
============== x86 config ================
# cat isakmpd.conf
# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On= 192.168.1.15
# Incoming phase 1 negotiations are multiplexed on the
# source IP address. Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).
[Phase 1]
192.168.1.13= peer-machineA
# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections= VPN-B-A
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineA]
Phase= 1
Transport= udp
Address= 192.168.1.13
Configuration= Default-main-mode
Authentication= yoursharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-B-A]
Phase= 2
ISAKMP-peer= peer-machineA
Configuration= Default-quick-mode
Local-ID= machineB-internal-network
Remote-ID= machineA-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.50.0
Netmask= 255.255.255.0
[machineB-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.99.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
============= x86 config ===============
=========== policy file ================
# cat isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
==========================================
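An added example (not from the original post and not isakmpd's own code) showing what the isakmpd log line "invalid next payload type RESERVED_MIN in payload of type 10" is checking: a small Python walker over the ISAKMP v1.0 fixed header and generic payload chain, run against a constructed KEY_EXCH + NONCE message like packets 3 and 4 in the dump, and against a copy whose NONCE next-payload byte is corrupted to 14. Payload type numbers follow RFC 2408; the cookies and payload bodies are constructed placeholders.

```python
import struct

# ISAKMP (RFC 2408) payload type numbers; 14..127 are reserved, 128..255 private.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM",
                 4: "KEY_EXCH", 5: "ID", 6: "CERT", 7: "CERT_REQ", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "NOTIFICATION", 12: "DELETE",
                 13: "VENDOR"}
RESERVED_MIN, PRIVATE_MIN = 14, 128
HDR_LEN, GEN_HDR_LEN = 28, 4   # fixed header, generic payload header

def parse_isakmp(msg):
    """Walk the ISAKMP header and payload chain, trusting no length field.

    Returns (payloads, error): payloads is [(type_name, length), ...] in
    chain order; error is None or a string naming the first defect found.
    """
    if len(msg) < HDR_LEN:
        return [], "truncated fixed header"
    _ic, _rc, np, _ver, _xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", msg[:HDR_LEN])
    if length != len(msg):
        return [], "header length %d != %d bytes received" % (length, len(msg))
    if RESERVED_MIN <= np < PRIVATE_MIN:
        return [], "invalid next payload type RESERVED_MIN in header"
    payloads, off = [], HDR_LEN
    while np != 0:
        if off + GEN_HDR_LEN > len(msg):
            return payloads, "truncated payload header"
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + GEN_HDR_LEN])
        if plen < GEN_HDR_LEN or off + plen > len(msg):
            return payloads, "bad length %d in payload of type %d" % (plen, np)
        payloads.append((PAYLOAD_NAMES.get(np, str(np)), plen))
        # This is the check behind isakmpd's message_parse_payloads complaint.
        if RESERVED_MIN <= nxt < PRIVATE_MIN:
            return payloads, ("invalid next payload type RESERVED_MIN "
                              "in payload of type %d" % np)
        off, np = off + plen, nxt
    if off != len(msg):
        return payloads, "trailing bytes after last payload"
    return payloads, None

def build_isakmp(payloads, exchange_type=2):   # 2 = ID_PROT (main mode)
    """Assemble a v1.0 message from [(type, body), ...]; cookies are constructed."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GEN_HDR_LEN + len(data)) + data
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8,
                      payloads[0][0] if payloads else 0, 0x10, exchange_type,
                      0, 0, HDR_LEN + len(body))
    return hdr + body

def demo():
    # Constructed KEY_EXCH (len 132) + NONCE message, then a corrupted copy.
    good = build_isakmp([(4, b"\x00" * 128), (10, b"\x11" * 16)])
    bad = bytearray(good)
    bad[HDR_LEN + 132] = RESERVED_MIN   # overwrite NONCE's next-payload field
    return parse_isakmp(good), parse_isakmp(bytes(bad))
```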