you're probably overloading the CPU. try -current, sis(4) has
MCLGETI now which should mitigate things a bit. still, that's a
lot of load you're putting on a little 486 which will almost
certainly be restricting your throughput.


On 2009-06-02, Mikolaj Kucharski <miko...@kucharski.name> wrote:
> Hi,
>
> Soekris is a VPN gateway for 11 clients. All those 12 machines are running
> OpenBSD. 10 of client machines are connected to the VPN via wireless and
> all of those 10 machines are behind NAT (they share the same external
> ip). 1 host is at remote location connected via wire.
>
> After all machines have set up IPsec VPN tunnels I can ssh to them with
> their internal IPs and everything works okay. There are no delays on
> ssh, all ssh sessions are pretty stable.
>
> Unfortunately the VPN starts to flap when I increase the bandwidth load on
> one of the servers. If I start env PKG_PATH=scp://.../ pkg_add -ui the
> IPsec connection will drop after a while. If I connect to samba and try
> to download any file larger than 300MB the VPN will drop.
>
> Another scenario. When all VPNs are up and stable (traffic is low) and
> one of the clients is rebooted, at boot time when ipsecctl -f
> /etc/ipsec.conf is executed its tunnel is set up and _all_ other
> tunnels are immediately dropped.
>
>
>
> I would really appreciate some help to explain the root of the problem.
> Below are some config files, the isakmpd log, and the Soekris dmesg (attached). Not
> all clients have the same ipsec.conf(5) though.
>
>
>
> Soekris:
> OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
> Example client:
> OpenBSD 4.5-current (GENERIC) #16: Sun May 31 10:28:18 MDT 2009
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
>
> # Soekris ipsec.conf(5):
> ike passive esp tunnel \
>       from { \
>               172.16.0.0/16 192.168.1.0/24 \
>               192.168.2.0/24 192.168.3.0/24 \
>               10.0.0.0/8 any \
>       } to any \
>       main auth hmac-sha1 enc aes-128 group modp1024 \
>       quick auth hmac-sha1 enc aes-128 group modp1024 \
>       srcid net4511.ath.cx
>
>
> # Example client ipsec.conf(5):
> ike dynamic esp tunnel \
>       from egress to any peer net4511.ath.cx \
>       main auth hmac-sha1 enc aes-128 group modp1024 \
>       quick auth hmac-sha1 enc aes-128 group modp1024 \
>       dstid net4511.ath.cx
>
>
> # Logs from Soekris:
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65
> Jun  2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52
> Jun  2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type <Unknown 29> in payload of type 8
> Jun  2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
> Jun  2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
> Jun  2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
> Jun  2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e
> Jun  2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED
> Jun  2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
> Jun  2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226
> Jun  2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7
