you're probably overloading the CPU. try -current, sis(4) has MCLGETI now which should mitigate things a bit. still, that's a lot of load you're putting on a little 486 which will almost certainly be restricting your throughput.
On 2009-06-02, Mikolaj Kucharski <miko...@kucharski.name> wrote:
> Hi,
>
> Soekris is a VPN gateway for 11 clients. All those 12 machines are running
> OpenBSD. 10 of the client machines are connected to the VPN via wireless and
> all of those 10 machines are behind NAT (they share the same external
> IP). 1 host is at a remote location connected via wire.
>
> After all machines have set up their IPsec VPN tunnels I can ssh to them with
> their internal IPs and everything works okay. There are no delays on
> ssh, all ssh sessions are pretty stable.
>
> Unfortunately the VPN starts to flap when I increase the bandwidth load on
> one of the servers. If I start env PKG_PATH=scp://.../ pkg_add -ui the
> IPsec connection will drop after a while. If I connect to samba and try
> to download any file larger than 300MB the VPN will drop.
>
> Another scenario. When all VPNs are up and stable (traffic is low) and
> one of the clients is rebooted, at boot time when ipsecctl -f
> /etc/ipsec.conf is executed its tunnel is set up and _all_ other
> tunnels are immediately dropped.
>
> I would really appreciate some help to explain the root of the problem.
> Below are some config files, the isakmpd log and the soekris dmesg attached.
> Not all clients have the same ipsec.conf(5) though.
>
> Soekris:
> OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
> Example client:
> OpenBSD 4.5-current (GENERIC) #16: Sun May 31 10:28:18 MDT 2009
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
> # Soekris ipsec.conf(5):
> ike passive esp tunnel \
>     from { \
>         172.16.0.0/16 192.168.1.0/24 \
>         192.168.2.0/24 192.168.3.0/24 \
>         10.0.0.0/8 any \
>     } to any \
>     main auth hmac-sha1 enc aes-128 group modp1024 \
>     quick auth hmac-sha1 enc aes-128 group modp1024 \
>     srcid net4511.ath.cx
>
> # Example client ipsec.conf(5):
> ike dynamic esp tunnel \
>     from egress to any peer net4511.ath.cx \
>     main auth hmac-sha1 enc aes-128 group modp1024 \
>     quick auth hmac-sha1 enc aes-128 group modp1024 \
>     dstid net4511.ath.cx
>
> # Logs from Soekris:
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65
> Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52
> Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type <Unknown 29> in payload of type 8
> Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
> Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
> Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
> Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e
> Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED
> Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
> Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226
> Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7
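An added example, not part of the thread: a small Python tally over isakmpd(8) log lines in the format quoted above (the sample below is constructed from the quoted entries, with the wrapped lines rejoined). It counts quick-mode completions against later dropped messages per peer and negotiation events per second, which is the check one would run on the gateway's log to see whether the INVALID_PAYLOAD_TYPE/PAYLOAD_MALFORMED drops coincide with the burst of tunnels coming up in the same second.

```python
import re
from collections import Counter

# Constructed sample in the isakmpd(8) log format quoted in the thread
# (wrapped lines rejoined; addresses taken from the post).
SAMPLE_LOG = """\
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type <Unknown 29> in payload of type 8
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
"""

# One regex per event class; the syslog prefix (timestamp, host, pid) is shared.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
QM_DONE = re.compile(PREFIX + r"isakmpd: quick mode done: src: \S+ dst: (?P<peer>\S+)$")
DROPPED = re.compile(PREFIX + r"dropped message from (?P<peer>\S+) port \d+ "
                     r"due to notification type (?P<reason>\w+)$")
PARSE_ERR = re.compile(PREFIX + r"message_parse_payloads: ")

def summarize(text):
    """Count quick-mode completions and drops per peer, plus SA events per second."""
    qm_done, dropped, parse_errors, per_second = Counter(), Counter(), 0, Counter()
    for line in text.splitlines():
        if m := QM_DONE.match(line):
            qm_done[m["peer"]] += 1
            per_second[m["ts"]] += 1
        elif m := DROPPED.match(line):
            dropped[(m["peer"], m["reason"])] += 1
            per_second[m["ts"]] += 1
        elif PARSE_ERR.match(line):
            parse_errors += 1          # payload parse failures precede the drops
    return {"qm_done": qm_done, "dropped": dropped,
            "parse_errors": parse_errors, "per_second": per_second}

def peers_dropped_after_setup(summary):
    """Peers whose quick mode completed and whose later messages were then
    rejected: the 'tunnel comes up, then flaps' pattern described in the thread."""
    drops_by_peer = Counter(peer for peer, _ in summary["dropped"].elements())
    return sorted(p for p in summary["qm_done"] if drops_by_peer[p])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("peers dropped after setup:", peers_dropped_after_setup(s))
    print("busiest second:", s["per_second"].most_common(1))
```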