in the hopes that i'm not just spitting random
nonsense and wasting everyone's time, i upgraded
to -current snapshot:
====
OpenBSD 3.7-current (GENERIC) #164: Sun May 29 17:28:51 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
====
brought /usr/src up to speed with "-PAdD '5/29/2005 19:57'",
recompiled a GENERIC.MP kernel which uses a GENERIC base with
the following difference:
----
[/usr/src/sys/arch/i386/conf] $ cvs diff -u GENERIC
Index: GENERIC
===================================================================
RCS file: /cvs/src/sys/arch/i386/conf/GENERIC,v
retrieving revision 1.416
diff -u -r1.416 GENERIC
--- GENERIC 27 May 2005 02:08:14 -0000 1.416
+++ GENERIC 1 Jun 2005 01:03:31 -0000
@@ -38,6 +38,7 @@
option COMPAT_AOUT # a.out binaries are emulated
#option NTFS # Experimental NTFS support
+option ENCDEBUG
# or use root on nfs swap on nfs
config bsd swap generic
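Review bot: the added "option ENCDEBUG" line has no trailing comment, unlike the COMPAT_AOUT and NTFS lines just above it; add one saying it compiles in the IPsec debug messages that the net.inet.ip.encdebug sysctl switches on. Since GENERIC.MP is built on top of GENERIC, a local debugging option like this is also easier to carry across later cvs updates if it sits in a separate config file that includes GENERIC rather than in GENERIC itself.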
----
rebooted, mergemastered, put 'net.inet.ip.encdebug=1' in sysctl.conf,
rebooted:
====
OpenBSD 3.7-current (GENERIC.MP) #0: Tue May 31 20:36:40 EDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
====
then set up the ipcomp CPIs/flows again. this machine is the
192.168.7.18 from before, the 192.168.7.17 still has the flows
set up like i mentioned, so i was getting messages like the following
as ipcomp packets from .17 were hitting me:
====
May 31 20:56:56 telperion /bsd: ipsec_common_input(): could not find SA for packet to 192.168.7.18, spi 00001111
====
so at the point of doing:
----
#!/bin/sh
# IPCOMP SAs, one CPI per direction
sudo ipsecadm ipcomp -src 192.168.7.17 -dst 192.168.7.18 -comp deflate \
    -cpi 0x1111
sudo ipsecadm ipcomp -dst 192.168.7.17 -src 192.168.7.18 -comp deflate \
    -cpi 0x2222
# flows requiring ipcomp between the two hosts, outbound then inbound
sudo ipsecadm flow -proto ipcomp -src 192.168.7.18 -dst 192.168.7.17 -out \
    -require -addr 192.168.7.18/32 192.168.7.17/32
sudo ipsecadm flow -proto ipcomp -src 192.168.7.18 -dst 192.168.7.17 -in \
    -require -addr 192.168.7.17/32 192.168.7.18/32
----
i got a kernel/console message of:
====
May 31 20:57:40 telperion /bsd: ipcomp_init(): initialized TDB with ipcomp algorithm Deflate
May 31 20:57:40 telperion /bsd: ipcomp_init(): initialized TDB with ipcomp algorithm Deflate
====
and then i can ping from .17 to .18 with large but not fantastically
compressing packets (e.g. omitting '-p <Anything>').
then i ping with the -p00 and got the message of:
====
May 31 20:58:28 telperion /bsd: ipcomp_input_cb(): crypto error 22
May 31 20:58:36 telperion last message repeated 8 times
====
and it keeps repeating.
so the 'ipcomp_input_cb()' "crypto error 22" seems to be the
thing that is incrementing the XFORM line in netstat -sp ipcomp,
which seems to be pretty much in agreement with line 282 of
ip_ipcomp.c which says:
ipcompstat.ipcomps_noxform++;
... but i don't know where to go from here? i don't know if
it is useful that i did the encdebug stuff, since i guess
it didn't tell me anything new, other than what we had
been told by alternate means.
i know ipcomp is not as popular as porn, but i'm hoping that
i can either discover something useful before marc.theaimsgroup
runs out of harddrive dealing with my crappy posting.
jared
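
Added example, not part of the original post: a small Python tally of ENCDEBUG kernel messages that expands syslogd's "last message repeated N times" lines, so the total can be set against the counters in netstat -sp ipcomp. The sample log is constructed in the shape of the lines quoted above, and treating the "crypto error" number as an errno value (22 = EINVAL) is an assumption.

```python
import errno
import re
from collections import Counter

# Constructed sample in the same shape as the syslog lines quoted in the post.
SAMPLE_LOG = """\
May 31 20:57:40 telperion /bsd: ipcomp_init(): initialized TDB with ipcomp algorithm Deflate
May 31 20:58:28 telperion /bsd: ipcomp_input_cb(): crypto error 22
May 31 20:58:36 telperion last message repeated 8 times
May 31 20:58:40 telperion /bsd: ipsec_common_input(): could not find SA for packet to 192.168.7.18, spi 00001111
"""

PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ "
KERNEL_MSG = re.compile(PREFIX + r"/bsd: (\w+)\(\): (.*)$")
REPEATED = re.compile(PREFIX + r"last message repeated (\d+) times?$")
CRYPTO_ERR = re.compile(r"crypto error (\d+)$")


def tally(log_text):
    """Count kernel messages per (function, event), expanding syslogd repeats."""
    counts = Counter()
    last_key = None
    for line in log_text.splitlines():
        m = KERNEL_MSG.match(line)
        if m:
            func, text = m.groups()
            err = CRYPTO_ERR.search(text)
            if err:
                # Assumption: the number is an errno value, so name it.
                code = int(err.group(1))
                text = "crypto error " + errno.errorcode.get(code, str(code))
            last_key = (func, text)
            counts[last_key] += 1
            continue
        m = REPEATED.match(line)
        if m and last_key is not None:
            # "repeated 8 times" means 8 more copies of the previous line.
            counts[last_key] += int(m.group(1))
        else:
            last_key = None  # an unrelated line breaks the repeat chain
    return counts


if __name__ == "__main__":
    for (func, event), n in tally(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {func}: {event}")
```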