[Openswan Users] openswan-2.6.x KLIPS crashes CentOS 5.3 kernel

Giovani Moda giovani at mrinformatica.com.br
Wed Oct 28 10:23:49 EDT 2009 

Following David's instruction:

> This is probably due to "using and old NAT-T" patch.  If you can,
check that the NAT-T patch you are using for your kernels looks like: 

> 	openswan-2.6.24rc1/nat-t/net/ipv4/udp.c.os2_6.patch

> The thing to check is the udp4_unregister_esp_rcvencap function.

I've recompiled CentOS kernel-2.6.18-164.el5 with a newer NAT-T patch
version, created by running "make nattpatch
KERNELSRC=/lib/modules/kernel-2.6.18-164.el5/build". It did add missing
arguments to udp4_unregister_esp_rcvencap, making it possible to compile
openswan-2.6.24rc1 KLIPS module without modifying ipsec_init.c, but I'm
still having problems when loading/unloading ipsec module. I'm attaching
the resulting patch.

Here's a output from a fresh reboot right after recompiling
openswan-2.4.24rc1 whit David's patches and setting protostack=klips and
interfaces="ipsec0=eth0" to ipsec.conf:

Oct 28 09:24:17 localhost ipsec_setup: Starting Openswan IPsec
2.6.24rc1...
Oct 28 09:24:17 localhost ipsec_setup: Using KLIPS/legacy stack
Oct 28 09:24:17 localhost kernel: padlock: VIA PadLock not detected.
Oct 28 09:24:18 localhost kernel: padlock: VIA PadLock not detected.
Oct 28 09:24:18 localhost kernel: klips_info:ipsec_init: KLIPS startup,
Openswan KLIPS IPsec stack version: 2.6.24rc1
Oct 28 09:24:18 localhost kernel: NET: Registered protocol family 15
Oct 28 09:24:18 localhost kernel: klips_info:ipsec_alg_init: KLIPS alg
v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Oct 28 09:24:18 localhost kernel: klips_info:ipsec_alg_init: calling
ipsec_alg_static_init()
Oct 28 09:24:18 localhost kernel: ipsec_aes_init(alg_type=15 alg_id=12
name=aes): ret=0
Oct 28 09:24:18 localhost kernel: ipsec_3des_init(alg_type=15 alg_id=3
name=3des): ret=0
Oct 28 09:24:18 localhost ipsec_setup: KLIPS debug `none'
Oct 28 09:24:18 localhost kernel:
Oct 28 09:24:18 localhost ipsec_setup: KLIPS ipsec0 on eth0
192.168.1.31/255.255.255.0 broadcast 192.168.1.255
Oct 28 09:24:19 localhost ipsec_setup: /usr/local/libexec/ipsec/tncfg:
Socket ioctl failed on attach -- No such device.  Is the virtual device
valid?  Is the ipsec module linked into the kernel or loaded as a
module?
Oct 28 09:24:19 localhost ipsec_setup: SIOCSIFADDR: No such device
Oct 28 09:24:19 localhost ipsec_setup: ipsec0: unknown interface: No
such device
Oct 28 09:24:19 localhost ipsec_setup: SIOCSIFBRDADDR: No such device
Oct 28 09:24:19 localhost ipsec_setup: ipsec0: unknown interface: No
such device
Oct 28 09:24:19 localhost ipsec_setup: SIOCSIFNETMASK: No such device
Oct 28 09:24:19 localhost ipsec_setup: ...Openswan IPsec started


And it breaks ifconfig:

[root at localhost ~]# ifconfig
: error fetching interface information: Device not found


Ipsec is running:

[root at localhost ~]# service ipsec status
SIOCGIFXQLEN: No such device
IPsec running  - pluto pid: 3011
pluto pid 3011
No tunnels up


But it fails because it cannot load ipsec0:

[root at localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.6.24rc1 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [OLD
STYLE]
Checking for RSA private key (/etc/ipsec.secrets)
[DISABLED]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [FAILED]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support
[DISABLED]


And as soon as the module is removed, it crashes kernel. For test
purposes, I'm removing it manually, but if I shutdown the machine, the
crash occurs while removing the module on the shutdown process:

[root at localhost ~]# rmmod ipsec
BUG: unable to handle kernel NULL pointer dereference at virtual address
0000000
0
 printing eip:
c05bbc8a
*pde = 00000000
Oops: 0002 [#1]
SMP
last sysfs file: /module/ipsec/parameters/natt_available
Modules linked in: netconsole(U) ipv6(U) xfrm_nalgo(U) ipsec(U) ccm(U)
serpent(U
) blowfish(U) twofish(U) ecb(U) xcbc(U) crypto_hash(U) cbc(U) md5(U)
sha256(U) s
ha512(U) des(U) aes_generic(U) testmgr_cipher(U) testmgr(U) aead(U)
crypto_blkci
pher(U) crypto_algapi(U) crypto_api(U) aes_i586(U) autofs4(U) hidp(U)
rfcomm(U)
l2cap(U) bluetooth(U) lockd(U) sunrpc(U) dm_multipath(U) scsi_dh(U)
video(U) hwm
on(U) backlight(U) sbs(U) i2c_ec(U) button(U) battery(U) asus_acpi(U)
ac(U) lp(U
) floppy(U) ide_cd(U) snd_intel8x0(U) snd_ac97_codec(U) ac97_bus(U)
snd_seq_dumm
y(U) snd_seq_oss(U) snd_seq_midi_event(U) snd_seq(U) snd_seq_device(U)
snd_pcm_o
ss(U) snd_mixer_oss(U) snd_pcm(U) pcspkr(U) cdrom(U) snd_timer(U) snd(U)
soundco
re(U) snd_page_alloc(U) parport_pc(U) parport(U) e1000(U) i2c_piix4(U)
i2c_core(
U) serio_raw(U) dm_raid45(U) dm_message(U) dm_region_hash(U)
dm_mem_cache(U) dm_
snapshot(U) dm_zero(U) dm_mirror(U) dm_log(U) dm_mod(U) ata_piix(U)
libata(U) sd
_mod(U) scsi_mod(U) ext3(U) jbd(U) uhci_hcd(U) ohci_hcd(U) ehci_hcd(U)
CPU:    0
EIP:    0060:[<c05bbc8a>]    Tainted: G      VLI
EFLAGS: 00010246   (2.6.18-164.el5.mr #1)
EIP is at unregister_netdevice+0x9a/0x1b8
eax: 00000000   ebx: cf42f400   ecx: cf42f410   edx: 00000000
esi: c15ae030   edi: 00000000   ebp: d0626000   esp: d0626f24
ds: 007b   es: 007b   ss: 0068
Process rmmod (pid: 3702, ti=d0626000 task=cd0bf000 task.ti=d0626000)
Stack: cf42f400 00000000 c05bbdb7 cf42f400 e10d8167 e1122280 00000020
e10d304c
       00000000 d82e6aa0 e1122280 00000020 00000000 d0626000 c043d79c
65737069
       00000063 00000000 c044a5ce 008698e0 bfa42aa0 00000081 40000003
cd0bf000
Call Trace:
 [<c05bbdb7>] unregister_netdev+0xf/0x15
 [<e10d8167>] ipsec_tunnel_cleanup_devices+0x46/0x7c [ipsec]
 [<e10d304c>] cleanup_module+0x4c/0x144 [ipsec]
 [<c043d79c>] sys_delete_module+0x192/0x1ba
 [<c044a5ce>] audit_syscall_entry+0x15a/0x18c
 [<c0404f17>] syscall_call+0x7/0xb
 =======================
Code: 60 01 74 07 89 d8 e8 25 ff ff ff be 00 95 7e c0 eb 6d 39 d8 75 66
b8 60 f9
6a c0 e8 0f c6 05 00 8b 43 10 8d 4b 10 8b 51 04 85 c0 <89> 02 74 03 89
50 04 c7
41 04 00 02 20 00 8b 83 8c 02 00 00 8d
EIP: [<c05bbc8a>] unregister_netdevice+0x9a/0x1b8 SS:ESP 0068:d0626f24
 <0>Kernel panic - not syncing: Fatal exception in interrupt

Let me know if you need more info about it.

Giovani

More information about the Users mailing list