
[Openvpn-users] Re: [Openvpn-devel] "ping" config kills connections on 2.0rc16


  • Subject: [Openvpn-users] Re: [Openvpn-devel] "ping" config kills connections on 2.0rc16
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sat, 2 Apr 2005 13:46:49 -0700 (MST)

On Sat, 2 Apr 2005, Rolf Fokkens wrote:

> James Yonan wrote:
> 
> >On Fri, 1 Apr 2005, Rolf Fokkens wrote:
> >  
> >
> >>> This is not an inactivity-related restart. It looks more like an 
> >>> issue with crypto options.
> >>
> >>There's no inactivity issue here, without the ping all traffic comes
> >>through, for hours and hours. Attached both client and server config,
> >>without the keepalive setting.
> >>
> >>
> >>    
> >>
> >
> >Try running without "engine padlock" and see if that changes anything.
> >
> >  
> >
> Well, the combination of the options "engine padlock" and 
> "ping/keepalive" results in problematic connections. Without the other 
> option each option seems to run flawlessly.
> 
> Hm. Strange. What distinguishes "ping" traffic from other encrypted 
> traffic? Smaller packets perhaps?

Yes -- smaller packets, definitely.  I'm thinking that this is more likely 
a problem with the padlock and/or padlock OpenSSL interface than with 
ping.

I've seen issues like this with the padlock accelerator before, where 
cipher final fails on packets which encrypt/decrypt fine without padlock.

I'm wondering if perhaps the padlock has a stricter API than the standard 
software-implemented EVP layer in OpenSSL, with regard to length, buffer 
alignment, etc.

You might try a crypto loopback test:

openvpn --genkey --secret key
openvpn --test-crypto --secret key --cipher AES-128-CBC --engine padlock --verb 0

James
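
A length-by-length variant of the loopback test suggested above, as an added example that is not part of the original message: it round-trips AES-128-CBC over every plaintext length from 1 byte up, with or without an engine, so a failure that only hits small packets shows up as a specific length. It uses the openssl command-line tool rather than openvpn; the function name `loopback_sizes` and the key and IV are constructed for illustration, and the engine case assumes an OpenSSL build that accepts `-engine`.

```shell
#!/bin/sh
# Added example, not from the thread. KEY and IV are constructed test values.
KEY=000102030405060708090a0b0c0d0e0f
IV=0f0e0d0c0b0a09080706050403020100

# loopback_sizes MAXLEN [ENGINE_ID]   (hypothetical helper name)
# Encrypts and decrypts random plaintexts of 1..MAXLEN bytes with AES-128-CBC.
# Prints one line per failing length; returns 0 if every length round-trips.
loopback_sizes() {
    maxlen=$1
    engine=${2:-}
    # Pass -engine only when an engine id was given (e.g. padlock).
    if [ -n "$engine" ]; then set -- -engine "$engine"; else set --; fi
    tmp=$(mktemp -d) || return 2
    failed=0
    n=1
    while [ "$n" -le "$maxlen" ]; do
        dd if=/dev/urandom of="$tmp/plain" bs=1 count="$n" 2>/dev/null
        # CBC padding always adds 1..16 bytes, so the ciphertext length is the
        # next multiple of the 16-byte block size strictly above n.
        want=$(( (n / 16 + 1) * 16 ))
        if ! openssl enc -aes-128-cbc "$@" -K "$KEY" -iv "$IV" \
                -in "$tmp/plain" -out "$tmp/enc" 2>/dev/null; then
            echo "len=$n encrypt failed"; failed=1
        elif [ "$(( $(wc -c < "$tmp/enc") ))" -ne "$want" ]; then
            echo "len=$n ciphertext is not $want bytes"; failed=1
        elif ! openssl enc -d -aes-128-cbc "$@" -K "$KEY" -iv "$IV" \
                -in "$tmp/enc" -out "$tmp/dec" 2>/dev/null; then
            echo "len=$n decrypt (cipher final) failed"; failed=1
        elif ! cmp -s "$tmp/plain" "$tmp/dec"; then
            echo "len=$n round-trip mismatch"; failed=1
        fi
        n=$((n + 1))
    done
    rm -rf "$tmp"
    return "$failed"
}

# Software-only baseline by default: sh script.sh [MAXLEN] [ENGINE_ID]
loopback_sizes "${1:-48}" "${2:-}"
```

Run it once without an engine id and once with `padlock` as the second argument; lengths reported only in the second run point at the engine rather than at the cipher or the data.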
