Hi,

Soekris is a VPN gateway for 11 clients. All those 12 machines are running OpenBSD. 10 of the client machines are connected to the VPN via wireless and all of those 10 machines are behind NAT (they share the same external IP). 1 host is at a remote location connected via wire.

After all machines are set up with IPsec VPN tunnels I can ssh to them with their internal IPs and everything works okay. There are no delays on ssh, all ssh sessions are pretty stable. Unfortunately the VPN starts to flap when I increase bandwidth load on one of the servers. If I start env PKG_PATH=scp://.../ pkg_add -ui, the IPsec connection will drop after a while. If I connect to samba and try to download any file larger than 300MB the VPN will drop.

Another scenario. When all VPNs are up and stable (traffic is low) and one of the clients is rebooted, at boot time when ipsecctl -f /etc/ipsec.conf is executed its tunnel is set up and _all_ other tunnels are immediately dropped.

I would really appreciate some help to explain the root of the problem. Below are some config files and the isakmpd log, and the Soekris dmesg is attached. Not all clients have the same ipsec.conf(5) though.

Soekris:
OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

Example client:
OpenBSD 4.5-current (GENERIC) #16: Sun May 31 10:28:18 MDT 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

# Soekris ipsec.conf(5):

ike passive esp tunnel \
    from { \
        172.16.0.0/16 192.168.1.0/24 \
        192.168.2.0/24 192.168.3.0/24 \
        10.0.0.0/8 any \
    } to any \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    srcid net4511.ath.cx

# Example client ipsec.conf(5):

ike dynamic esp tunnel \
    from egress to any peer net4511.ath.cx \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    dstid net4511.ath.cx

# Logs from Soekris:

Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type <Unknown 29> in payload of type 8
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226
Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7

--
best regards
q#

OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class)
cpu0: FPU
real mem  = 66678784 (63MB)
avail mem = 55160832 (52MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/50/27, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 stepping 1.1, CPU clock 100MHz, reset 0
gpio0 at elansc0: 32 pins
cbb0 at pci0 dev 9 function 0 "TI PCI1410 CardBus" rev 0x02: irq 10
hifn0 at pci0 dev 16 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11
sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 5, address 00:00:24:c5:23:58
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 9, address 00:00:24:c5:23:59
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f
pcmcia0 at cardslot0
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: <SAMSUNG CF/ATA>
wd0: 1-sector PIO, LBA, 497MB, 1018080 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask f5c5 netmask ffe5 ttymask ffff
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
ath0 at cardbus0 dev 0 function 0 "Atheros AR5212" rev 0x01: irq 10
ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address 00:15:6d:54:45:e6
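As an added example (not part of the post above, and not OpenBSD or isakmpd code), here is a small Python triage script for isakmpd(8) log excerpts like the one posted: it parses the "quick mode done", "message_parse_payloads" and "dropped message ... due to notification type" lines, tallies them per peer, pairs each drop with the parse error isakmpd logged just before it, and flags peers whose message was dropped as malformed within a few seconds of a quick mode completing for that same peer. The sample input is the log excerpt from the post; the 5-second correlation window and the peer-address keying are assumptions of this script, not anything the post states.

```python
"""Triage isakmpd(8) log excerpts: per peer, count completed quick-mode
exchanges and messages dropped as malformed, and flag peers whose drop
follows a completed quick mode within a short window (example code)."""
import re
from collections import defaultdict
from datetime import datetime

# Log excerpt copied from the post above (Soekris isakmpd output).
LOG = """\
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type <Unknown 29> in payload of type 8
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226
Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7
"""

# Common syslog prefix: timestamp, host, "isakmpd[pid]: ".
PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: "
QUICK_DONE = re.compile(PREFIX + r"isakmpd: quick mode done: src: (?P<src>\S+) dst: (?P<dst>\S+)$")
PARSE_ERR = re.compile(PREFIX + r"message_parse_payloads: (?P<reason>.+)$")
DROPPED = re.compile(PREFIX + r"dropped message from (?P<peer>\S+) port \d+ "
                     r"due to notification type (?P<ntype>\S+)$")


def parse_ts(text):
    # syslog timestamps carry no year; only deltas within one excerpt matter here
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze(log_text, window_seconds=5):
    """Return {peer: {"quick_done": int, "drops": [(ntype, reason), ...],
    "drop_after_quick": bool}} for every peer address seen in the excerpt.
    The window_seconds value is an assumption of this example."""
    peers = defaultdict(lambda: {"quick_done": 0, "drops": [], "drop_after_quick": False})
    last_quick = {}        # peer -> time of its most recent completed quick mode
    pending_reason = None  # isakmpd logs the parse error just before the drop line
    for line in log_text.splitlines():
        m = QUICK_DONE.match(line)
        if m:
            peers[m["dst"]]["quick_done"] += 1
            last_quick[m["dst"]] = parse_ts(m["ts"])
            continue
        m = PARSE_ERR.match(line)
        if m:
            pending_reason = m["reason"]
            continue
        m = DROPPED.match(line)
        if m:
            peer = m["peer"]
            peers[peer]["drops"].append((m["ntype"], pending_reason))
            pending_reason = None
            if peer in last_quick:
                delta = (parse_ts(m["ts"]) - last_quick[peer]).total_seconds()
                if 0 <= delta <= window_seconds:
                    peers[peer]["drop_after_quick"] = True
    return dict(peers)


def suspicious_peers(log_text, window_seconds=5):
    """Peers that had a message dropped as malformed right after their quick mode completed."""
    return sorted(p for p, s in analyze(log_text, window_seconds).items() if s["drop_after_quick"])


if __name__ == "__main__":
    for peer, stats in sorted(analyze(LOG).items()):
        flag = "DROP-AFTER-QUICK" if stats["drop_after_quick"] else "-"
        print(f"{peer:14} quick_done={stats['quick_done']} drops={stats['drops']} {flag}")
```

Run against the posted excerpt, every one of the three drops (172.16.0.50, 172.16.0.53, 172.16.0.66) lands on a peer whose quick mode had completed in the same second, which is the kind of per-peer summary worth attaching when asking the list about this; the final "reserved field non-zero: c7" line has no matching drop line in the excerpt, so it stays unattributed rather than being guessed onto a peer.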