Re: [Openvpn-devel] "ping" config kills connections on 2.0rc16

[Rolf Fokkens <r.fokkens@xxxxxxxxx>]

James Yonan wrote:

Well, the combination of the options "engine padlock" and 
"ping/keepalive" results in problematic connections. Without the other 
option each option seems to run flawless.

Hm. Strange. What distinguishes "ping" traffic from other encrypted 
traffic? Smaller packets perhaps?
    

Yes -- smaller packets, definitely.  I'm thinking that this is more likely 
a problem with the padlock and/or padlock OpenSSL interface than with 
ping.

I've seen issues like this with the padlock accelerator before, where 
cipher final fails on packets which encrypt/decrypt fine without padlock.

I'm wondering if perhaps the padlock has a stricter API than the standard 
software-implemented EVP layer in OpenSSL, with regard to length, buffer 
alignment, etc.

You might try a crypto loopback test:

openvpn --genkey --secret key
openvpn --test-crypto --secret key --cipher AES-128-CBC --engine padlock --verb 0

James

  

It must be the packet size indeed:

[root@home17 test] openvpn --test-crypto --secret key --cipher AES-128-CBC --verb 0 --engine padlock
Sun Apr  3 10:50:19 2005 SELF TEST FAILED, src.len=2 buf.len=0
[root@home17 test] openvpn --test-crypto --secret key --cipher AES-128-CBC  --verb 0
[root@home17 test]

Unfortunately the test bails out on the first failure (as can bee seen without the --verb 0 option), It would be good te see of larger packet sizes would pass the test.

Rolf