Hi, I've a net5501-70 with a vpn1411. I'm running OpenBSD 4.4 stable with openvpn-2.1rc7.
I've several questions surrounding this configuration.

First: I notice that OpenVPN does not work unless you specify a tls-cipher, e.g.

  tls-cipher EDH-RSA-DES-CBC3-SHA

It does not seem to matter if I use 'engine' or specify one of the available engines. The error message (on the openvpn "server side") is:

  TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

This can be reproduced with:

  cd /usr/local/share/examples/openvpn
  openvpn --config sample-config-files/loopback-client    (In one window)
  openvpn --config sample-config-files/loopback-server    (Simultaneously in another window)

What's going on here? Do I have to pick a cipher that's supported in-hardware? I tried

  sysctl -w kern.cryptodevallowsoft=1

and it did not seem to make any difference. FYI,

  # openvpn --show-engines
  OpenSSL Crypto Engines

  BSD cryptodev engine [cryptodev]
  Dynamic engine loading support [dynamic]

Second: I notice that I can't specify 'cipher AES-256-CBC'. The server side of the loopback test fails with:

  Wed Mar 4 23:22:58 2009 EVP cipher init #2 (OpenSSL)
  Wed Mar 4 23:22:58 2009 Exiting

I thought that the vpn14x1 supported 256 bit AES. Again, what's going on? Is OpenBSD confused by the crypto support in the Geode or what?

Third: In researching this I found messages from 5 years ago that said that OpenVPN did not make effective use of hardware crypto both because it worked 'piecemeal' (I forget the exact phrase) and because it worked in userland. I do see a large number of context switches but cpu usage is not entirely out of control. Is hardware crypto with OpenVPN worthwhile? I do seem to use somewhat less cpu if I omit 'engine', but seemingly more context switches. What's the recommended approach when using OpenVPN? (I can't use IPSec in this case.)

Finally: Any recommended best practices or other comment?

Thanks.

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein

_______________________________________________
Soekris-tech mailing list
[email protected]
http://lists.soekris.com/mailman/listinfo/soekris-tech
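A small harness for the loopback reproduction described in the post, added here as an example and not part of the original message or of OpenVPN itself: it starts both sample configs with the same extra options (tls-cipher, cipher, engine) and classifies the resulting logs, so runs with and without 'engine' can be compared side by side. The examples path is the one from the post; the 20-second wait, the temp-file names and the log lines used for checking are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): drive the
# OpenVPN loopback test with explicit cipher settings and classify the logs.

# Classify an OpenVPN log file.  Prints one of:
#   tls-mac-error      TLS record could not be decrypted (first symptom in the post)
#   cipher-init-error  EVP cipher could not be initialised (second symptom in the post)
#   ok                 the instance finished initialising
#   unknown            none of the above was seen
classify_openvpn_log() {
    if grep -q 'decryption failed or bad record mac' "$1"; then
        echo tls-mac-error
    elif grep -q 'EVP cipher init' "$1"; then
        echo cipher-init-error
    elif grep -q 'Initialization Sequence Completed' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Run both loopback sides for a fixed time and print a verdict per side.
# Any arguments are passed to BOTH openvpn instances, e.g.
#   run_loopback --tls-cipher EDH-RSA-DES-CBC3-SHA
#   run_loopback --engine cryptodev --cipher AES-256-CBC
run_loopback() {
    examples=/usr/local/share/examples/openvpn        # install path from the post
    srvlog=$(mktemp /tmp/ovpn-srv.XXXXXX)
    clilog=$(mktemp /tmp/ovpn-cli.XXXXXX)
    # --cd keeps the sample configs' relative key paths working.
    openvpn --cd "$examples" --config sample-config-files/loopback-server \
        --log "$srvlog" "$@" &
    srv=$!
    openvpn --cd "$examples" --config sample-config-files/loopback-client \
        --log "$clilog" "$@" &
    cli=$!
    sleep 20                              # assumed: enough time for the TLS handshake
    kill "$srv" "$cli" 2>/dev/null
    wait "$srv" "$cli" 2>/dev/null
    printf 'server: %s\n' "$(classify_openvpn_log "$srvlog")"
    printf 'client: %s\n' "$(classify_openvpn_log "$clilog")"
    rm -f "$srvlog" "$clilog"
}

# Only start openvpn when explicitly asked, so the file can also be sourced.
if [ "${OVPN_LOOPBACK_RUN:-}" = 1 ]; then
    run_loopback "$@"
fi
```

Run as `OVPN_LOOPBACK_RUN=1 sh loopback-check.sh --tls-cipher EDH-RSA-DES-CBC3-SHA` on the box, then repeat with `--engine cryptodev` added to see whether the verdict changes.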
