hello,

we have huge problems with the new soekris and pcengines boards with the "VIA
VT6105M RhineIII" network chipset and OpenBSD.

no machine is able to establish a tunnel to another IPsec peer. we worked for
years with the pcengines WRAP boards - they had no problems.

below is a trace of the tunnel establishment with normal PC hardware with
fxp interfaces - everything works fine. the other picture shows a trace of a
board with the VIA chipset and vr interfaces and the exactly same configuration
(isakmpd.conf and IP addresses) - you can see that there must be a problem with
the tunnel establishment - it is definitely NOT caused by packet loss.

unfortunately the phase I and phase II communication is completely encrypted,
so there is only a low chance to discover a bug, but at least the headers and all
checksums are correct ...

has anyone discovered similar problems with OpenBSD and the VIA chipset, or
had positive experiences with it?

thanks in advance for any feedback
regards
 arno hechenberger
 citydata




trace: machine with vr interfaces

No.     Time        Source                Destination           Protocol Info
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.058193    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.150492    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.208460    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.304038    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.358672    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.437001    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.469804    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      9 0.483476    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
     10 0.494387    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode


trace: machine with fxp interfaces

No.     Time        Source                Destination           Protocol Info
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.055112    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.089738    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.135278    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.147892    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.199866    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.211054    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.285228    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
      9 0.286238    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
     10 26.826381   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     11 26.906322   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     12 27.836780   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     13 27.876157   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     14 28.840978   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     15 28.886188   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     16 29.857408   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     17 29.901540   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)


dmesg:

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80<clock_battery>
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 133791744 (127MB)
avail mem = 121331712 (115MB)
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:14:09:a0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:14:09:a1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:14:09:a2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF CARD 1GB>
wd0: 1-sector PIO, LBA, 961MB, 1969632 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e3ef netmask ffef ttymask ffef
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
clock: unknown CMOS layout
WARNING: clock time much less than file system time
WARNING: using file system time
WARNING: CHECK AND RESET THE DATE!


/etc/isakmpd/isakmpd.conf


##########################################################
##########################################################

[Phase 1]
# Remote client (road_warrior) has dynamic IP addressing

Default=                road_warrior


[Phase 2]
# Passive connection between client and server
Connections= nw_VPN_Server-nw_1

Passive-Connections=    VPN_Server-road_warrior


# IPSec Peers
#############

[road_warrior]
Phase=                  1
Transport=              udp
# Local-address=          194.208.34.110
Configuration=          Default-main-mode
Authentication=         xxxxxx
Default=                VPN_Server-road_warrior


[fw-1]
Phase=                  1
Transport=              udp
# LocalAddress=           194.208.34.110
Address=                194.208.33.217
Configuration=          main-mode-AES256
Authentication=         xxxxxx


# Connections (Phase 2)
#############
[VPN_Server-road_warrior]
Phase=                  2
ISAKMP-peer=            road_warrior
Configuration=          Default-quick-mode
Local-ID=               Net-VPN_Server


[nw_VPN_Server-nw_1]
Phase=                  2
ISAKMP-peer=            fw-1
Configuration=          quick-mode-aes256
Local-ID=               Net-VPN_Server
Remote-ID=              Net-1



# Network definitions
#####################
[Net-VPN_Server]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.98.0
Netmask=                255.255.255.0

[Net-1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0


##########################################################

# Descriptions (Main Mode - Phase 1)
##############
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[main-mode-AES256]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA-GRP2


# Descriptions (Quick Mode - Phase 2)
##############
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE

[quick-mode-AES256]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-AES256-SHA-GRP2-PFS-SUITE


# Main mode transforms (Phase 1)
######################
# 3DES SHA Group2
[3DES-SHA]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

# AES256 SHA Group2
[AES256-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH=             256
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS


# Quick mode protection suites (Phase 2 - 1/3)
##############################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=              QM-ESP-3DES-SHA-PFS

# 3DES SHA
[QM-ESP-3DES-SHA-SUITE]
Protocols=              QM-ESP-3DES-SHA

# AES128 SHA PFS
[QM-AES128-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS

# AES256 SHA PFS
[QM-AES256-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS


# Quick mode protocols (Phase 2 - 2/3)
######################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-PFS-XF

# 3DES SHA
[QM-ESP-3DES-SHA]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-XF

# AES SHA PFS
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-SHA-PFS-XF



# Quick mode transforms (Phase 2 - 3/3)
#######################
# 3DES SHA PFS
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

# 3DES SHA
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

# AES SHA PFS
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=                   AES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
KEY_LENGTH=                     256
Life=                           LIFE_3600_SECS


# Lifetimes
###########
# 6 hours
[LIFE_6_HOURS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          21600,18000:25200

# 8 hours
[LIFE_8_HOURS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800,25200:32400

# 24 hours / 1 day
[LIFE_1_DAY]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400,79200:93600

# 3 min / 180 sec
[LIFE_180_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          180,120:240

# 1 hour
[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200
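
The two captures earlier in the post differ in a way that is easy to miss when reading them by eye: in the vr capture a seventh Main Mode message (frame 8) arrives after Quick Mode has already begun, and no ESP ever follows, whereas the fxp capture runs six Main Mode messages, three Quick Mode messages and then ESP in both directions. The following script is an added example and not part of the original post: it encodes that expected Main Mode, Quick Mode, ESP order and reports every deviation when run over Wireshark packet-list lines of the kind shown above. The embedded sample input is the posted traces with the wrapped lines rejoined, the ESP frames of the working trace abridged to the first four.

```python
"""Check an IKEv1 negotiation captured as Wireshark packet-list lines.

Expected order, as in the working trace: six Identity Protection (Main Mode)
messages, three Quick Mode messages, then ESP in both directions. Every
departure from that order is reported as a finding.
"""
import re
from collections import defaultdict

# Wireshark packet-list columns: No. Time Source Destination Protocol Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s*(?P<info>.*)$"
)
MAIN_MODE_MSGS = 6   # messages in an ISAKMP Identity Protection exchange
QUICK_MODE_MSGS = 3  # messages in an ISAKMP Quick Mode exchange

# Constructed input: the two traces from the post with wrapped lines rejoined;
# the ESP frames of the working (fxp) trace are abridged to the first four.
VR_TRACE = """\
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.058193    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.150492    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.208460    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.304038    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.358672    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.437001    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.469804    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      9 0.483476    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
     10 0.494387    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
"""
FXP_TRACE = """\
      1 0.000000    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      2 0.055112    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      3 0.089738    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      4 0.135278    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      5 0.147892    194.208.37.21         194.208.33.217        ISAKMP   Identity Protection (Main Mode)
      6 0.199866    194.208.33.217        194.208.37.21         ISAKMP   Identity Protection (Main Mode)
      7 0.211054    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
      8 0.285228    194.208.33.217        194.208.37.21         ISAKMP   Quick Mode
      9 0.286238    194.208.37.21         194.208.33.217        ISAKMP   Quick Mode
     10 26.826381   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     11 26.906322   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
     12 27.836780   194.208.37.21         194.208.33.217        ESP      ESP (SPI=0xfb95abfa)
     13 27.876157   194.208.33.217        194.208.37.21         ESP      ESP (SPI=0x0f34b701)
"""

def parse(text):
    """Yield one dict per packet line; the header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(text):
    """Return (findings, esp_spis): deviations from the MM -> QM -> ESP order,
    and {(src, dst): set of SPIs} which stays empty when no SA was installed."""
    findings, esp_spis = [], defaultdict(set)
    main_mode = quick_mode = 0
    quick_started = False
    for pkt in parse(text):
        no, proto, info = pkt["no"], pkt["proto"], pkt["info"]
        if proto == "ISAKMP" and "Main Mode" in info:
            main_mode += 1
            if quick_started:  # phase 1 should be finished by now
                findings.append(f"frame {no}: Main Mode message after Quick Mode already started")
        elif proto == "ISAKMP" and "Quick Mode" in info:
            quick_started = True
            quick_mode += 1
            if main_mode < MAIN_MODE_MSGS:
                findings.append(f"frame {no}: Quick Mode after only {main_mode} Main Mode messages")
        elif proto == "ISAKMP":
            findings.append(f"frame {no}: other ISAKMP exchange: {info}")
        elif proto == "ESP":
            if quick_mode < QUICK_MODE_MSGS:
                findings.append(f"frame {no}: ESP before Quick Mode completed")
            m = re.search(r"SPI=(0x[0-9a-fA-F]+)", info)
            if m:
                esp_spis[(pkt["src"], pkt["dst"])].add(m.group(1))
    if main_mode != MAIN_MODE_MSGS:
        findings.append(f"{main_mode} Main Mode messages (expected {MAIN_MODE_MSGS})")
    if quick_mode != QUICK_MODE_MSGS:
        findings.append(f"{quick_mode} Quick Mode messages (expected {QUICK_MODE_MSGS})")
    if not esp_spis:
        findings.append("no ESP traffic: no phase 2 SA came up")
    return findings, dict(esp_spis)

if __name__ == "__main__":
    for name, trace in (("vr", VR_TRACE), ("fxp", FXP_TRACE)):
        findings, spis = analyze(trace)
        print(f"{name}: {len(findings)} finding(s)", *findings, sep="\n  ")
        for (src, dst), spi_set in spis.items():
            print(f"  ESP {src} -> {dst}: {', '.join(sorted(spi_set))}")
```

Run against the vr trace it reports the extra Main Mode message at frame 8, a Main Mode count of seven and the absence of ESP; against the fxp trace it reports nothing and lists one SPI per direction. Because the payloads are encrypted, the packet-list columns are all a capture like this can offer, so checking the message sequence mechanically is the most that can be automated from it.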
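
The isakmpd.conf above is a chain of sections that name one another (connection to peer, peer to configuration, configuration to transforms and suites, down to lifetimes), and a typo in any one link drops a proposal without an obvious error. The following checker is an added example, not part of the original post: it walks those references from the [Phase 1] and [Phase 2] roots and reports names that resolve to no section, names that match a section only when case is ignored, and sections nothing points at. The set of reference-bearing tags is an assumption taken from the tags this configuration uses rather than the full isakmpd.conf(5) grammar (the per-address tags a [Phase 1] section may carry are not followed). The embedded sample is abridged from the posted fw-1 chain, which contains one case-only mismatch: `Configuration= quick-mode-aes256` against the section `[quick-mode-AES256]`.

```python
"""Sanity-check the section cross-references in an isakmpd.conf.

isakmpd.conf is an INI-style file whose tags name other sections. This walks
every reference from the [Phase 1] / [Phase 2] roots and reports dangling
names, case-only mismatches and sections nothing points at.
"""

# Tags whose value names another section. The set is an assumption drawn from
# the tags in the posted configuration, not the full isakmpd.conf(5) grammar;
# in particular the per-address tags of [Phase 1] are not followed.
LIST_REFS = {"Connections", "Passive-Connections", "Transforms", "Suites", "Protocols"}
SINGLE_REFS = {"Default", "Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID", "Life"}
ROOTS = ("Phase 1", "Phase 2")

# Constructed input: the fw-1 chain of the posted configuration, abridged to
# the tags that carry references, plus one lifetime that nothing uses.
SAMPLE_CONF = """\
[Phase 2]
Connections=            nw_VPN_Server-nw_1
[fw-1]
Address=                194.208.33.217
Configuration=          main-mode-AES256
[nw_VPN_Server-nw_1]
ISAKMP-peer=            fw-1
Configuration=          quick-mode-aes256
Local-ID=               Net-VPN_Server
Remote-ID=              Net-1
[Net-VPN_Server]
Network=                192.168.98.0
[Net-1]
Network=                192.168.1.0
[main-mode-AES256]
Transforms=             AES256-SHA-GRP2
[quick-mode-AES256]
Suites=                 QM-AES256-SHA-GRP2-PFS-SUITE
[AES256-SHA-GRP2]
Life=                   LIFE_3600_SECS
[QM-AES256-SHA-GRP2-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS
[QM-ESP-AES-SHA-PFS]
Transforms=             QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-SHA-PFS-XF]
Life=                   LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_DURATION=          3600,1800:7200
[LIFE_180_SECS]
LIFE_DURATION=          180,120:240
"""

def parse_conf(text):
    """Return {section: [(tag, value), ...]}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            sections[current].append((tag.strip(), value.strip()))
    return sections

def references(body):
    """Yield (tag, target section) for every reference-bearing tag in a section."""
    for tag, value in body:
        if tag in LIST_REFS:
            yield from ((tag, n.strip()) for n in value.split(",") if n.strip())
        elif tag in SINGLE_REFS:
            yield tag, value

def check(text):
    """Return {'errors': [...], 'warnings': [...], 'unused': [...]}."""
    sections = parse_conf(text)
    by_lower = {name.lower(): name for name in sections}
    errors, warnings = [], []
    seen = {r for r in ROOTS if r in sections}
    todo = list(seen)
    while todo:  # walk the reference graph outward from the roots
        sec = todo.pop()
        for tag, target in references(sections[sec]):
            if target in sections:
                resolved = target
            elif target.lower() in by_lower:  # same name, different case
                resolved = by_lower[target.lower()]
                warnings.append(f"[{sec}] {tag}={target}: case differs from [{resolved}]")
            else:
                errors.append(f"[{sec}] {tag}={target}: no such section")
                continue
            if resolved not in seen:
                seen.add(resolved)
                todo.append(resolved)
    return {"errors": errors, "warnings": warnings, "unused": sorted(set(sections) - seen)}

if __name__ == "__main__":
    for kind, items in check(SAMPLE_CONF).items():
        for item in items:
            print(f"{kind}: {item}")
```

Case-only mismatches are reported separately from dangling names so the reader can decide how strictly to treat them for the isakmpd version in use; unreferenced sections are informational, since a configuration commonly keeps spare lifetimes and suites around, as the posted one does.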
