Please apply all patches for 3.7. I've lately added a patch for this issue to the 3.7 errata page.

HJ.

On Mon, Nov 21, 2005 at 05:01:28PM -0800, Dag Richards wrote:
> Using the sample config straight from the vpn man page, my tunnel fails
> to come up between GENERIC 3.8 or 3.7 on a sunfire v100 (dmesg below)
> and GENERIC on an x86 machine. If I run the same config on another x86
> machine it works.
>
> When running `isakmpd -L` I see checksum errors on the sunfire (see
> dump below).
>
> Is this a problem with the dc driver? I have tried both of the
> interfaces but to no avail, there are no pci slots for add on cards.
>
> Debug output and config files below.
>
> ============= tcpdump -nvr /var/run/isakmpd.pcap==================
> 16:37:33.685897 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum 1c8e!] isakmp v1.0 exchange ID_PROT
> cookie: 30e6fc2ae5d3ef74->0000000000000000 msgid: 00000000 len: 196
> payload: SA len: 88 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 76 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
> payload: TRANSFORM len: 32
> transform: 0 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute NONE =
> attribute NONE =
> attribute NONE =
> payload: TRANSFORM len: 0 [|isakmp]
> payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 224)
> 16:37:40.693965 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum 8c9d!] isakmp v1.0 exchange ID_PROT
> cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 160
> payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
> payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
> payload: TRANSFORM len: 32
> transform: 0 ID: ISAKMP
> attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> attribute HASH_ALGORITHM = SHA
> attribute AUTHENTICATION_METHOD = PRE_SHARED
> attribute NONE =
> attribute NONE =
> attribute NONE =
> payload: VENDOR len: 0 [|isakmp] [ttl 0] (id 1, len 188)
> 16:37:40.772058 192.168.1.13.500 > 192.168.1.15.500: [bad udp cksum c4e6!] isakmp v1.0 exchange ID_PROT
> cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
> payload: KEY_EXCH len: 132
> payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
> 16:37:40.784674 192.168.1.15.500 > 192.168.1.13.500: [bad udp cksum bb54!] isakmp v1.0 exchange ID_PROT
> cookie: 30e6fc2ae5d3ef74->8cb97ec972120f6e msgid: 00000000 len: 228
> payload: KEY_EXCH len: 132
> payload: NONCE len: 0 [|isakmp] [ttl 0] (id 1, len 256)
> 16:37:40.786483 192.168.1.13.500 > 192.168.1.15.500: [udp sum ok] isakmp v1.0 exchange INFO
> cookie: d5feed659a4246cc->0000000000000000 msgid: 00000000 len: 40
> payload: NOTIFICATION len: 12
> notification: INVALID PAYLOAD TYPE [ttl 0] (id 1, len 68)
>
> ============= tcpdump -nvr /var/run/isakmpd.pcap==================
>
>
> ============isakmpd -DA=50 ================
> 163740.784428 Timr 10 timer_remove_event: removing event message_send_expire(0x88cc00)
> 163740.784712 Default message_parse_payloads: invalid next payload type RESERVED_MIN in payload of type 10
> 163740.785137 Default dropped message from 192.168.1.15 port 500 due to notification type INVALID_PAYLOAD_TYPE
> 163740.785434 Timr 10 timer_add_event: event exchange_free_aux(0x892e00) added last, expiration in 120s
> 163740.785729 Exch 10 exchange_establish_p1: 0x892e00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
> 163740.785990 Exch 10 exchange_establish_p1: icookie d5feed659a4246cc rcookie 0000000000000000
> 163740.786237 Exch 10 exchange_establish_p1: msgid 00000000
> 163740.786599 Exch 40 exchange_run: exchange 0x892e00 finished step 0, advancing...
> 163740.786834 Mesg 20 message_free: freeing 0x88d000
> 163740.787149 Exch 10 exchange_finalize: 0x892e00 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
> 163740.787413 Exch 10 exchange_finalize: icookie d5feed659a4246cc rcookie 0000000000000000
> 163740.787647 Exch 10 exchange_finalize: msgid 00000000
> 163740.787879 Timr 10 timer_remove_event: removing event exchange_free_aux(0x892e00)
> ============isakmpd -DA=50 ================
>
>
> ====================dmesg===========
> console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2005 OpenBSD. All rights reserved.
> http://www.OpenBSD.org
>
> OpenBSD 3.7 (GENERIC) #431: Sun Mar 20 14:10:02 MST 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
> total memory = 536870912
> avail memory = 479256576
> using 3276 buffers containing 26836992 bytes of memory
> bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
> mainbus0 (root): Sun Fire V100 (UltraSPARC-IIe 548MHz)
> cpu0 at mainbus0: SUNW,UltraSPARC-IIe @ 548 MHz, version 0 FPU
> cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 512K external (64 b/l)
> psycho0 at mainbus0
> SUNW,sabre: impl 0, version 0: ign 7c0 bus range 0 to 0; PCI bus 0
> DVMA map: 60000000 to 80000000
> IOTDB: 826a6000 to 82726000
> pci0 at psycho0
> ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
> dma at ebus0 addr 0-ffff ipl 42 not configured
> rtc0 at ebus0 addr 70-71: m5819
> power at ebus0 addr 2000-2007 ipl 35 not configured
> SUNW,lomh at ebus0 addr 8010-8011 ipl 42 not configured
> com0 at ebus0 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
> com0: console
> com1 at ebus0 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
> flashprom at ebus0 addr 0-7ffff not configured
> "Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 3 function 0 not configured
> dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 3006, address 00:03:ba:ce:d8:6b
> amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
> dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 301c, address 00:03:ba:ce:d8:6c
> amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
> ohci0 at pci0 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 24, version 1.0, legacy support
> usb0 at ohci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using ivec 180c for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0: <HDS728080PLAT20>
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> wd1 at pciide0 channel 1 drive 0: <HDS728080PLAT20>
> wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> atapiscsi0 at pciide0 channel 1 drive 1
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, P.9A> SCSI0 5/cdrom removable
> wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
> pcons at mainbus0 not configured
> No counter-timer -- using %tick at 548MHz as system clock.
> root on wd0a
> rootdev=0xc00 rrootdev=0x1a00 rawdev=0x1a02
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> dc1: failed to force tx and rx to idle state
> ====================dmesg===================================
>
>
> ============== sunfire config =============
> # cat isakmpd.conf
> # Filter incoming phase 1 negotiations so they are only
> # valid if negotiating with this local address.
>
> [General]
> Listen-On= 192.168.1.13
>
> # Incoming phase 1 negotiations are multiplexed on the
> # source IP address. Phase 1 is used to set up a protected
> # channel just between the two gateway machines.
> # This channel is then used for the phase 2 negotiation
> # traffic (i.e. encrypted & authenticated).
>
> [Phase 1]
> 192.168.1.15= peer-machineB
>
> # 'Phase 2' defines which connections the daemon
> # should establish. These connections contain the actual
> # "IPsec VPN" information.
>
> [Phase 2]
> Connections= VPN-A-B
>
> # ISAKMP phase 1 peers (from [Phase 1])
>
> [peer-machineB]
> Phase= 1
> Transport= udp
> Address= 192.168.1.15
> Configuration= Default-main-mode
> Authentication= yoursharedsecret
>
> # IPSEC phase 2 connections (from [Phase 2])
>
> [VPN-A-B]
> Phase= 2
> ISAKMP-peer= peer-machineB
> Configuration= Default-quick-mode
> Local-ID= machineA-internal-network
> Remote-ID= machineB-internal-network
>
> # ID sections (as used in [VPN-A-B])
>
> [machineA-internal-network]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.0.50.0
> Netmask= 255.255.255.0
>
> [machineB-internal-network]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.0.99.0
> Netmask= 255.255.255.0
>
> # Main and Quick Mode descriptions
> # (as used by peers and connections).
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA,BLF-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
> ============= sunfire ===================
>
>
> ============== x86 config ================
> # cat isakmpd.conf
> # Filter incoming phase 1 negotiations so they are only
> # valid if negotiating with this local address.
>
> [General]
> Listen-On= 192.168.1.15
>
> # Incoming phase 1 negotiations are multiplexed on the
> # source IP address. Phase 1 is used to set up a protected
> # channel just between the two gateway machines.
> # This channel is then used for the phase 2 negotiation
> # traffic (i.e. encrypted & authenticated).
>
> [Phase 1]
> 192.168.1.13= peer-machineA
>
> # 'Phase 2' defines which connections the daemon
> # should establish. These connections contain the actual
> # "IPsec VPN" information.
>
> [Phase 2]
> Connections= VPN-B-A
>
> # ISAKMP phase 1 peers (from [Phase 1])
>
> [peer-machineA]
> Phase= 1
> Transport= udp
> Address= 192.168.1.13
> Configuration= Default-main-mode
> Authentication= yoursharedsecret
>
> # IPSEC phase 2 connections (from [Phase 2])
>
> [VPN-B-A]
> Phase= 2
> ISAKMP-peer= peer-machineA
> Configuration= Default-quick-mode
> Local-ID= machineB-internal-network
> Remote-ID= machineA-internal-network
>
> # ID sections (as used in [VPN-A-B])
>
> [machineA-internal-network]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.0.50.0
> Netmask= 255.255.255.0
>
> [machineB-internal-network]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.0.99.0
> Netmask= 255.255.255.0
>
> # Main and Quick Mode descriptions
> # (as used by peers and connections).
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA,BLF-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
> ============= x86 config ===============
>
>
> =========== policy file ================
> # cat isakmpd.policy
>
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true";
> ==========================================
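The interesting line in the debug output is `message_parse_payloads: invalid next payload type RESERVED_MIN in payload of type 10`, answered by the 40-byte INFO message carrying an INVALID PAYLOAD TYPE notification. Payload type 10 is NONCE and 14 is the first value of the reserved range 14-127 in RFC 2408, so the responder saw a next-payload byte of 14 in the nonce payload of main mode message 3 and refused the whole message. As an added example (not isakmpd's code and not part of the thread above), here is a small Python walker over an IKEv1 message's next-payload chain that performs that check, together with the notification a responder sends back; it runs on a constructed message 3 (KE + NONCE, 228 bytes like the captured one) built with the cookies from the capture. The function names, the sample KE and nonce bytes, and the DOI placed in the notification are assumptions of this example.

```python
"""Walk an ISAKMP (IKEv1) message's next-payload chain the way a responder must
before trusting any of it, and build the INVALID-PAYLOAD-TYPE notification it
answers with when the chain is broken. Added example, not isakmpd code."""
import struct

ISAKMP_HDR_FMT = "!8s8sBBBBII"  # icookie, rcookie, next payload, version, exchange, flags, msgid, length
ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4             # next payload, reserved, payload length (length includes this header)

# Payload types from RFC 2408 section 3.1; 14-127 are reserved, 128-255 private use.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH",
                 5: "ID", 6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR"}
P_KEY_EXCH, P_NONCE, P_NOTIFICATION = 4, 10, 11
RESERVED_MIN, RESERVED_MAX = 14, 127
EXCH_ID_PROT, EXCH_INFO = 2, 5
NOTIFY_INVALID_PAYLOAD_TYPE = 1  # RFC 2408 section 3.14.1
DOI_IPSEC, PROTO_ISAKMP = 1, 1


class InvalidPayloadType(Exception):
    """The next-payload chain names a type the responder does not accept."""


def build_message(icookie, rcookie, exchange, msgid, payloads, last_next=0):
    """Serialise [(type, body), ...] behind an ISAKMP header. The final payload's
    next-payload field is `last_next`: 0 (NONE) on a well-formed message."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else last_next
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, first, 0x10, exchange, 0,
                      msgid, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def parse_payloads(msg):
    """Return [(type, body), ...]. Every next-payload value and every length is
    checked against the message before the byte range it describes is touched."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than the 28-byte ISAKMP header")
    (_ic, _rc, nxt, version, _exch, _flags, _msgid,
     length) = struct.unpack(ISAKMP_HDR_FMT, msg[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise ValueError("unsupported ISAKMP major version %d" % (version >> 4))
    if length != len(msg):
        raise ValueError("header says %d bytes, %d received" % (length, len(msg)))
    payloads, off, holder = [], ISAKMP_HDR_LEN, "header"
    while nxt != 0:
        if nxt not in PAYLOAD_NAMES:
            kind = ("RESERVED_MIN" if nxt == RESERVED_MIN else
                    "reserved" if nxt <= RESERVED_MAX else "private-use")
            raise InvalidPayloadType("invalid next payload type %s (%d) in payload of type %s"
                                     % (kind, nxt, holder))
        if off + GENERIC_HDR_LEN > length:
            raise ValueError("%s payload header runs past end of message" % PAYLOAD_NAMES[nxt])
        nnxt, _res, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > length:
            raise ValueError("%s payload length %d out of bounds" % (PAYLOAD_NAMES[nxt], plen))
        payloads.append((nxt, msg[off + GENERIC_HDR_LEN:off + plen]))
        holder, off, nxt = PAYLOAD_NAMES[nxt], off + plen, nnxt
    if off != length:
        raise ValueError("%d trailing bytes after the last payload" % (length - off))
    return payloads


def invalid_payload_type_notify(icookie):
    """INFO exchange with one NOTIFICATION: DOI(4) proto(1) spisz(1) type(2), no SPI.
    That is a 12-byte payload in a 40-byte message, the sizes in the capture above.
    The DOI value is an assumption; the capture does not show it."""
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 0, NOTIFY_INVALID_PAYLOAD_TYPE)
    return build_message(icookie, bytes(8), EXCH_INFO, 0, [(P_NOTIFICATION, body)])


def handle_incoming(msg, notify_icookie):
    """Responder decision: ("ok", payloads, None) when the chain parses,
    ("drop", reason, notify_bytes) for a bad payload type, and ("drop", reason, None)
    for other malformed input (this example simply drops those without a reply)."""
    try:
        return ("ok", parse_payloads(msg), None)
    except InvalidPayloadType as e:
        return ("drop", str(e), invalid_payload_type_notify(notify_icookie))
    except ValueError as e:
        return ("drop", str(e), None)


# Constructed stand-ins for main mode message 3 (KE + NONCE), cookies taken from the capture.
ICOOKIE = bytes.fromhex("30e6fc2ae5d3ef74")
RCOOKIE = bytes.fromhex("8cb97ec972120f6e")
KE_VALUE = bytes(range(128))            # 128 bytes, the size of a 1024-bit DH public value
NONCE = bytes([0x5a]) * 64              # constructed 64-byte nonce


def message3(last_next=0):
    """KE + NONCE: 28 + 132 + 68 = 228 bytes, the len: 228 shown in the capture."""
    return build_message(ICOOKIE, RCOOKIE, EXCH_ID_PROT, 0,
                         [(P_KEY_EXCH, KE_VALUE), (P_NONCE, NONCE)], last_next)


if __name__ == "__main__":
    print(handle_incoming(message3(), bytes(8))[0])
    status, reason, notify = handle_incoming(message3(RESERVED_MIN),
                                             bytes.fromhex("d5feed659a4246cc"))
    print(status, reason, len(notify))
```

Two points the walker makes explicit: the type check happens on the value read from the previous payload, before the parser moves to the offset that value implies, and the length check bounds every payload against the header length and the bytes actually received. Both are needed; a valid type with a length that runs past the buffer is the other way a hand-built chain walker ends up reading memory it should not. Note also that the notification goes out in a fresh INFO exchange with a new initiator cookie and a zero responder cookie, exactly as the capture and the `exchange_establish_p1 ... exchange 5` lines show.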

