[Openswan Users]
panos
panos at kamaradata.com
Tue Mar 1 08:45:33 CET 2005
Thanks for the info. I will be moving away from sonicwalls soon for a
pure linux solution. I was able to load KLIPS. However, after some
configuring and operations I got a kernel panic. If I try to load and
unload klips I also get a segmentation fault which does not lock up the
kernel.
Here is more information. Hope it helps.
===========================
Unable to unload mod
===========================
[root at kirk ~]# insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipsec/ipsec.ko
[root at kirk ~]# rmmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipsec/ipsec.ko
Segmentation fault
..from syslog...
Mar 1 11:45:26 kirk kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.3.0
Mar 1 11:45:26 kirk kernel: NET: Registered protocol family 15
Mar 1 11:45:26 kirk kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Mar 1 11:45:26 kirk kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Mar 1 11:45:26 kirk kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Mar 1 11:45:32 kirk kernel:
Mar 1 11:45:32 kirk kernel: klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
Mar 1 11:45:32 kirk kernel: NET: Unregistered protocol family 15
Mar 1 11:45:32 kirk kernel: ------------[ cut here ]------------
Mar 1 11:45:32 kirk kernel: kernel BUG at fs/proc/generic.c:688!
Mar 1 11:45:32 kirk kernel: invalid operand: 0000 [#1]
Mar 1 11:45:32 kirk kernel: Modules linked in: ipsec(U) appletalk md5 ipv6 parport_pc lp parport autofs4 sunrpc button battery ac ohci1394 ieee1394 uhci_hcd ehci_hcd snd_intel8x0 snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc gameport snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore tg3 8139too mii floppy dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod
Mar 1 11:45:32 kirk kernel: CPU: 0
Mar 1 11:45:32 kirk kernel: EIP: 0060:[<c019d963>] Not tainted VLI
Mar 1 11:45:32 kirk kernel: EFLAGS: 00010282 (2.6.9-1.724_FC3)
Mar 1 11:45:32 kirk kernel: EIP is at remove_proc_entry+0x8d/0xde
Mar 1 11:45:32 kirk kernel: eax: 00000001 ebx: e0777e30 ecx: 00000000 edx: 00000001
Mar 1 11:45:32 kirk kernel: esi: df7e01b4 edi: dc8e9480 ebp: 00000005 esp: db143f48
Mar 1 11:45:32 kirk kernel: ds: 007b es: 007b ss: 0068
Mar 1 11:45:32 kirk kernel: Process rmmod (pid: 3348, threadinfo=db143000 task=db169970)
Mar 1 11:45:32 kirk kernel: Stack: df7e0180 e0777e30 00000000 c0349620 00000000 db143000 e07471ab e0793200
Mar 1 11:45:32 kirk kernel: e07471d8 c0137b45 00000000 65737069 00000063 00000202 00000000 de23c080
Mar 1 11:45:32 kirk kernel: b7fff000 b8000000 c0152d08 de23c080 db904954 c01530b7 db9048ac de23c080
Mar 1 11:45:32 kirk kernel: Call Trace:
Mar 1 11:45:32 kirk kernel: [<e07471ab>] ipsec_cleanup+0xdc/0xea [ipsec]
Mar 1 11:45:32 kirk kernel: [<e07471d8>] cleanup_module+0x19/0x25 [ipsec]
Mar 1 11:45:32 kirk kernel: [<c0137b45>] sys_delete_module+0x132/0x179
Mar 1 11:45:32 kirk kernel: [<c0152d08>] unmap_vma_list+0xe/0x17
Mar 1 11:45:32 kirk kernel: [<c01530b7>] do_munmap+0x1c8/0x1d2
Mar 1 11:45:32 kirk kernel: [<c0118f6e>] do_page_fault+0x0/0x4dc
Mar 1 11:45:32 kirk kernel: [<c01062c7>] syscall_call+0x7/0xb
Mar 1 11:45:32 kirk kernel: Code: 00 0f b7 47 0c 25 00 f0 00 00 3d 00 40 00 00 75 07 8b 04 24 66 ff 48 0e 89 f8 e8 c7 fb ff ff 83 7f 34 00 66 c7 47 0e 00 00 74 08 <0f> 0b b0 02 1f be 30 c0 8b 47 44 85 c0 75 09 89 f8 e8 26 ff ff
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, March 01, 2005 1:32 AM
To: panos
Cc: users at openswan.org
Subject: RE: [Openswan Users]
On Mon, 28 Feb 2005, panos wrote:
> When I start openswan I get ... Linux Openswan U2.3.0/K2.6.9-1.724_FC3
> (netkey)
> How do I prevent "netkey" module from being loaded at boot time.
Ensure the ipsec module is loaded before starting openswan. This should
prevent netkey from getting loaded.
> I know I should be using automatic keying but our vpn server on the other
> side is not a linux box, but a sonic wall and it only interops with
> manual keying.
If a "VPN box" only supports manual keying, it should be used as a doorstop
at most. With manual keying you will never rekey your connection, so your
entire duration of the VPN is using 1 key, potentially for years. The
encrypted traffic can be logged, and if a year later either openswan or
the "vpn box" is compromised and the key obtained, all communications can be
decrypted. This is not possible when using automatic keying.
I find it hard to believe Sonic wall would sell manual keying only devices.
A simple ADSL router these days supports automatic keying and costs less than
$100. How valuable is your privacy?
> /lib/modules/2.6.9-1.724_FC3/kernel/net/key/af_key.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ah4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/esp4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ipcomp.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/xfrm4_tunnel.ko
Make sure to unload these with rmmod before loading the ipsec (klips)
module.
Paul
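A small triage helper, added here and not part of the thread or of Openswan, that pulls the useful fields (BUG location, faulting symbol, process, module list, call trace) out of a 2.6-era oops like the one posted above, so the innermost frame inside a loadable module can be spotted quickly. The sample is a trimmed copy of the syslog lines in the post; the regexes assume the `Mon D HH:MM:SS host kernel:` syslog prefix seen there.

```python
import re

# Constructed sample: a trimmed copy of the oops from the post above.
SAMPLE_OOPS = """\
Mar 1 11:45:32 kirk kernel: ------------[ cut here ]------------
Mar 1 11:45:32 kirk kernel: kernel BUG at fs/proc/generic.c:688!
Mar 1 11:45:32 kirk kernel: invalid operand: 0000 [#1]
Mar 1 11:45:32 kirk kernel: Modules linked in: ipsec(U) appletalk md5 ipv6 ext3 jbd dm_mod
Mar 1 11:45:32 kirk kernel: EIP is at remove_proc_entry+0x8d/0xde
Mar 1 11:45:32 kirk kernel: Process rmmod (pid: 3348, threadinfo=db143000 task=db169970)
Mar 1 11:45:32 kirk kernel: Call Trace:
Mar 1 11:45:32 kirk kernel: [<e07471ab>] ipsec_cleanup+0xdc/0xea [ipsec]
Mar 1 11:45:32 kirk kernel: [<e07471d8>] cleanup_module+0x19/0x25 [ipsec]
Mar 1 11:45:32 kirk kernel: [<c0137b45>] sys_delete_module+0x132/0x179
Mar 1 11:45:32 kirk kernel: [<c01062c7>] syscall_call+0x7/0xb
Mar 1 11:45:32 kirk kernel: Code: 00 0f b7 47 0c 25 00 f0 00 00 3d 00
"""

# syslog prefix as it appears in the post (assumed format)
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ kernel: ?")
# one call-trace frame: [<addr>] symbol+0xoff/0xsize [module]
FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Return a dict with bug_at, eip, process, pid, modules and the call trace."""
    info = {"modules": [], "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("kernel BUG at "):
            info["bug_at"] = line[len("kernel BUG at "):].rstrip("!")
        elif line.startswith("Modules linked in:"):
            info["modules"] = line.split(":", 1)[1].split()   # "ipsec(U)" keeps its flag
        elif line.startswith("EIP is at "):
            info["eip"] = line[len("EIP is at "):]
        elif line.startswith("Process "):
            m = re.match(r"Process (\S+) \(pid: (\d+)", line)
            if m:
                info["process"], info["pid"] = m.group(1), int(m.group(2))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME.search(line)
            if not m:              # "Code:" line ends the trace
                in_trace = False
                continue
            info["trace"].append({"addr": m.group(1), "sym": m.group(2),
                                  "off": int(m.group(3), 16), "module": m.group(5)})
    return info

def first_module_frame(info):
    """Innermost frame that lives in a loadable module: where to start reading source."""
    return next((f for f in info["trace"] if f["module"]), None)
```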