Piotr Jasiukajtis
2008-Nov-17 12:29 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
I have a problem, it seems that I cannot use tun driver and ip.tun at the same time.

Blastwave's 'tun' driver is loaded at the boot time but when I type 'ifconfig ip.tun0 plumb' the machine is almost halted. Reset is the only way to go...

It's SXCE101 + latest Crossbow BFU on 64bit x86 machine.

Dan McDonald wrote:
> On Fri, Nov 14, 2008 at 10:23:59AM +0100, Piotr Jasiukajtis wrote:
>> Can I use OpenVPN (tun driver from the Blastwave) and VPN IPSec (ip.tun) in
>> the same time on the same machine?
>
> It depends.
>
> The built-in IPsec can be configured to be narrow enough such that your
> OpenVPN stuff should not get tripped up by IPsec policy. Combine that with
> proper routing, and you should be okay. If anything will get you, it'll be
> the routing.
>
> If you connect to two private nets where both share common RFC 1918 prefixes,
> your client will get VERY confused.
>
> Dan

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
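The routing caveat in the quoted reply above, as an added example that is not part of the original thread: a check for prefixes that are both routed over the OpenVPN interface and covered by the ip.tun0 IPsec tunnel, plus a longest-prefix lookup showing which tunnel a destination in the shared range would actually use. The prefixes and the interface name tun0 are constructed sample values.

```python
import ipaddress

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True when the whole prefix lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def find_conflicts(openvpn_routes, ipsec_prefixes):
    """List (openvpn, ipsec, shared, is_private) for every overlapping pair.

    Two CIDR prefixes overlap only when one contains the other, so the
    shared range is simply the more specific of the two.
    """
    conflicts = []
    for a in map(ipaddress.ip_network, openvpn_routes):
        for b in map(ipaddress.ip_network, ipsec_prefixes):
            if a.overlaps(b):
                shared = a if a.prefixlen >= b.prefixlen else b
                conflicts.append((str(a), str(b), str(shared), is_rfc1918(shared)))
    return conflicts


def route_for(dest, table):
    """Longest-prefix match over {prefix: interface}; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), ifname) for p, ifname in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


# Constructed sample values: prefixes assumed to be routed over the OpenVPN
# interface (named tun0 here) and covered by the ip.tun0 IPsec tunnel.
OPENVPN_ROUTES = ["10.8.0.0/24", "192.168.1.0/24"]
IPSEC_PREFIXES = ["192.168.0.0/16", "172.16.5.0/24"]
TABLE = {**{p: "tun0" for p in OPENVPN_ROUTES},
         **{p: "ip.tun0" for p in IPSEC_PREFIXES}}

if __name__ == "__main__":
    for ovpn, ipsec, shared, private in find_conflicts(OPENVPN_ROUTES, IPSEC_PREFIXES):
        print(f"{ovpn} (OpenVPN) overlaps {ipsec} (IPsec): {shared}, RFC 1918: {private}")
    for dest in ("192.168.1.20", "192.168.2.20", "203.0.113.5"):
        print(dest, "->", route_for(dest, TABLE))
```
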
Dan McDonald
2008-Nov-17 13:45 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
On Mon, Nov 17, 2008 at 01:29:31PM +0100, Piotr Jasiukajtis wrote:
> Blastwave's 'tun' driver is loaded at the boot time but when I type
> 'ifconfig ip.tun0 plumb' the machine is almost halted. Reset is the only way
> to go...

"almost halted"... does that mean if you boot on kmdb you cannot even break into kmdb?

A system dump would be most useful here.

> It's SXCE101 + latest Crossbow BFU on 64bit x86 machine.

Ahh, even stranger. Did you compile OpenVPN (which obviously introduces kernel modules) with Crossbow and its headers (which may have changed kernel data structures)?

Dan
James Carlson
2008-Nov-17 15:03 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Piotr Jasiukajtis writes:
> I have a problem, it seems that I cannot use tun driver and ip.tun at the same time.
>
> Blastwave's 'tun' driver is loaded at the boot time but when I type 'ifconfig
> ip.tun0 plumb' the machine is almost halted. Reset is the only way to go...

I'd expect that having two different kernel modules with the same name is likely to be problematic.

Is there any way that Blastwave 'tun' driver can be renamed?

--
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
Sebastien Roy
2008-Nov-17 15:36 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
On Mon, 2008-11-17 at 10:03 -0500, James Carlson wrote:
> Piotr Jasiukajtis writes:
> > I have a problem, it seems that I cannot use tun driver and ip.tun at the same time.
> >
> > Blastwave's 'tun' driver is loaded at the boot time but when I type 'ifconfig
> > ip.tun0 plumb' the machine is almost halted. Reset is the only way to go...
>
> I'd expect that having two different kernel modules with the same name
> is likely to be problematic.

Indeed. FWIW, the Clearview IP Tunneling component is removing the "tun" STREAMS module that is clashing with the OpenVPN one, and creating a new "iptun" GLDv3 driver. There is a light at the end of this tunnel. ;-)

-Seb
Piotr Jasiukajtis
2008-Nov-17 19:42 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Sebastien Roy wrote:
> On Mon, 2008-11-17 at 10:03 -0500, James Carlson wrote:
>> Piotr Jasiukajtis writes:
>>> I have a problem, it seems that I cannot use tun driver and ip.tun at the same time.
>>>
>>> Blastwave's 'tun' driver is loaded at the boot time but when I type 'ifconfig
>>> ip.tun0 plumb' the machine is almost halted. Reset is the only way to go...
>> I'd expect that having two different kernel modules with the same name
>> is likely to be problematic.
>
> Indeed. FWIW, the Clearview IP Tunneling component is removing the
> "tun" STREAMS module that is clashing with the OpenVPN one, and creating
> a new "iptun" GLDv3 driver. There is a light at the end of this
> tunnel. ;-)

Sebastien,
I completely forgot about Clearview's iptun driver! :)
So, what is the best way to get it instead of building the whole clearview-gate?

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
Sebastien Roy
2008-Nov-17 19:49 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Hi Piotr,

On Mon, 2008-11-17 at 20:42 +0100, Piotr Jasiukajtis wrote:
> Sebastien Roy wrote:
> > Indeed. FWIW, the Clearview IP Tunneling component is removing the
> > "tun" STREAMS module that is clashing with the OpenVPN one, and creating
> > a new "iptun" GLDv3 driver. There is a light at the end of this
> > tunnel. ;-)
>
> Sebastien,
> I completely forgot about Clearview's iptun driver! :)
> So, what is the best way to get it instead of building the whole
> clearview-gate?

Because the iptun driver requires modifications to GLDv3 itself, along with changes to the dladm command, libdladm library, ifconfig, ip kernel module, etc., using the iptun module is not as easy as replacing one or two modules. Installation of the clearview gate bits is what I would recommend to anyone wanting to use this feature under development.

-Seb
Piotr Jasiukajtis
2008-Nov-17 20:15 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Sebastien Roy wrote:
> Hi Piotr,
>
> On Mon, 2008-11-17 at 20:42 +0100, Piotr Jasiukajtis wrote:
>> Sebastien Roy wrote:
>>> Indeed. FWIW, the Clearview IP Tunneling component is removing the
>>> "tun" STREAMS module that is clashing with the OpenVPN one, and creating
>>> a new "iptun" GLDv3 driver. There is a light at the end of this
>>> tunnel. ;-)
>> Sebastien,
>> I completely forgot about Clearview's iptun driver! :)
>> So, what is the best way to get it instead of building the whole
>> clearview-gate?
>
> Because the iptun driver requires modifications to GLDv3 itself, along
> with changes to the dladm command, libdladm library, ifconfig, ip kernel
> module, etc., using the iptun module is not as easy as replacing one or
> two modules. Installation of the clearview gate bits is what I would
> recommend to anyone wanting to use this feature under development.

Hmm, a lot of changes... so what is the integration date?

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
Sebastien Roy
2008-Nov-17 20:23 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
On Mon, 2008-11-17 at 21:15 +0100, Piotr Jasiukajtis wrote:
> Sebastien Roy wrote:
> > Because the iptun driver requires modifications to GLDv3 itself, along
> > with changes to the dladm command, libdladm library, ifconfig, ip kernel
> > module, etc., using the iptun module is not as easy as replacing one or
> > two modules. Installation of the clearview gate bits is what I would
> > recommend to anyone wanting to use this feature under development.
> Hmm, a lot of changes... so what is the integration date?

That's always the next question, isn't it? ;-) The Clearview project is currently focused on delivering the IPMP Rearchitecture component next, followed by the IP Tunneling component. It won't appear in OpenSolaris until at least build 110, and that's not a hard-target (but rather a minimum) as we're currently re-planning to account for a change in the way the builds are laid-out for the Spring release of OpenSolaris.

-Seb
Piotr Jasiukajtis
2008-Nov-17 20:27 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Dan McDonald wrote:
> On Mon, Nov 17, 2008 at 01:29:31PM +0100, Piotr Jasiukajtis wrote:
>> Blastwave's 'tun' driver is loaded at the boot time but when I type
>> 'ifconfig ip.tun0 plumb' the machine is almost halted. Reset is the only way
>> to go...
>
> "almost halted"... does that mean if you boot on kmdb you cannot even break
> into kmdb?

I didn't try kmdb. System works since ip.tun0 is not plumbed after reboot by default.

> A system dump would be most useful here.
>
>> It's SXCE101 + latest Crossbow BFU on 64bit x86 machine.
>
> Ahh, even stranger. Did you compile OpenVPN (which obviously introduces
> kernel modules) with Crossbow and its headers (which may have changed kernel
> data structures)?

No.

I will do some tests tomorrow.

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
Piotr Jasiukajtis
2008-Nov-17 21:15 UTC
[crossbow-discuss] [networking-discuss] OpenVPN and IPSec
Piotr Jasiukajtis wrote:
> Dan McDonald wrote:
>> On Mon, Nov 17, 2008 at 01:29:31PM +0100, Piotr Jasiukajtis wrote:
>>> Blastwave's 'tun' driver is loaded at the boot time but when I type
>>> 'ifconfig ip.tun0 plumb' the machine is almost halted. Reset is the only way
>>> to go...
>> "almost halted"... does that mean if you boot on kmdb you cannot even break
>> into kmdb?
> I didn't try kmdb. System works since ip.tun0 is not plumbed after
> reboot by default.
>
>> A system dump would be most useful here.
>>
>>> It's SXCE101 + latest Crossbow BFU on 64bit x86 machine.
>> Ahh, even stranger. Did you compile OpenVPN (which obviously introduces
>> kernel modules) with Crossbow and its headers (which may have changed kernel
>> data structures)?
> No.
>
> I will do some tests tomorrow.

I compiled the tun driver and it didn't change anything.

# mpstat 1
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0  117   0   242   445  193   655   10   63   82   0   867   1   2  0  97
  1  108   0    48   271   12   840   15   96   78   0   907   1   2  0  98
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0    7   0  3892  4216 1351 19847    0 2750 1381   0     1   0  62  0  38
  1  133  64  2651  4017   10 28406   16 6933 1239   0   265   0  33  0  67
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0   55  32 17043  2191 1059 20228    7 2848 4803   0     6   0  60  0  40
  1   90  45   921 17286   10 33909    6 5649 4235   0   233   0  74  0  26
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0   52  21 15219  3615  964 20740    2 1866 5216   2   239   0  73  0  27
  1  132  43  2432 15301    9 34996   18 7373 4708   9    18   0  51  0  49
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0  225  62  2788 18667 1134 18797   22   66 3383   5   459   2  70  0  28
  1    9   0 17338  2838   16  1897    0   45 4269   0     0   0  42  0  58
CPU minf mjf  xcal  intr ithr   csw icsw migr smtx srw syscl usr sys wt idl
  0  139  56 12932  6440  926 22302   14 1754 5007   1   181   0  72  0  28
  1   79  48  5354 13075    9 27741    8 6075 4775   3     8   0  59  0  41

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com