Re: "ping" config kills connections on 2.0rc16

[r.fokkens@xxxxxxxxx]

 James Yonan wrote:

>>Well, the combination of the options "engine padlock" and 
>>"ping/keepalive" results in problematic connections. Without the other 
>>option each option seems to run flawless.
>>
>>Hm. Strange. What distinguishes "ping" traffic from other encrypted 
>>traffic? Smaller packets perhaps?
>>    
>>
>
>Yes -- smaller packets, definitely.  I'm thinking that this is more likely 
>a problem with the padlock and/or padlock OpenSSL interface than with 
>ping.
>
>I've seen issues like this with the padlock accelerator before, where 
>cipher final fails on packets which encrypt/decrypt fine without padlock.
>
>I'm wondering if perhaps the padlock has a stricter API than the standard 
>software-implemented EVP layer in OpenSSL, with regard to length, buffer 
>alignment, etc.
>
>You might try a crypto loopback test:
>
>openvpn --genkey --secret key
>openvpn --test-crypto --secret key --cipher AES-128-CBC --engine padlock --verb 0
>
>James
>
>  
>
It must be the packet size indeed:

    [root@home17 test] openvpn --test-crypto --secret key --cipher AES-128-CBC
--verb 0 --engine padlock
    Sun Apr  3 10:50:19 2005 SELF TEST FAILED, src.len=2 buf.len=0
    [root@home17 test] openvpn --test-crypto --secret key --cipher AES-128-CBC
 --verb 0
    [root@home17 test]

Unfortunately the test bails out on the first failure (as can bee seen without
the --verb 0 option), It would be good te see of larger packet sizes would
pass the test.

Rolf



-- 
_____________________________________________________________________
Versatel ADSL Gratis. De voordelen van gratis internet met de
snelheid van ADSL. Zonder abonnementskosten en zonder vast contract.
Je betaalt alleen voor de tijd online. Nu zonder aansluitkosten en 
met gratis modem. Bestel snel op www.versatel.nl.