[Openswan Users] Problem : unregister_netdevice: waiting for ipsec0 to become free

Jean-Michel Bonnefond pompon2 at gmail.com
Fri Sep 19 09:42:16 EDT 2008


Hello,

I've performed some tests with the klips stack 2.6.16 with my server based
on userland 2.4.13 and here are the results:

At the startup, I got these error messages :

ipsec_setup: Starting Openswan IPsec 2.4.13...
ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
ipsec_setup: calcgoo: warning: 2.6 kernel with kallsyms not supported yet
ipsec_setup: insmod /lib/modules/2.6.18-k26/kernel/net/ipsec/ipsec.ko
ipsec_setup: /usr/local/libexec/ipsec/eroute: pfkey write failed, returning
-1 with error=96
ipsec_setup: Unknown socket write error 96. Please report as much detail as
possible to development team.


However the tunnels are negotiated (IPsec SA established), but the outgoing
packets sent aren't received by the opposite gateway.
Here is an example of a ping inside the tunnel sent from a remote openswan
2.4.9 gateway to the 2.4.13/2.6.16 server subnet :

Dump on ipsec0 on REMOTE-GATEWAY-2.4.9
12:47:53.361741 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) REMOTE-GATEWAY-2.4.9-SUBNET-IP >
GATEWAY-2.6.16-SUBNET-IP: ICMP echo request, id 43024, seq 1, length 64

--> no answer received

Dump on ipsec0 on GATEWAY-2.6.16
12:47:53.539822 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) REMOTE-GATEWAY-2.4.9-SUBNET-IP >
GATEWAY-2.6.16-SUBNET-IP: ICMP echo request, id 43024, seq 1, length 64
12:47:53.539960 IP (tos 0x0, ttl  64, id 29898, offset 0, flags [none],
proto: ICMP (1), length: 84) GATEWAY-2.6.16-SUBNET-IP >
REMOTE-GATEWAY-2.4.9-SUBNET-IP: ICMP echo reply, id 43024, seq 1, length 64

--> clear answer is sent

Dump on eth0 on GATEWAY-2.6.16
12:47:53.539822 IP (tos 0x0, ttl  44, id 2688, offset 0, flags [none],
proto: ESP (50), length: 136) REMOTE-GATEWAY-2.4.9 > GATEWAY-2.6.16:
ESP(spi=0x5640248e,seq=0x4), length 116

--> There is no encrypted packet for the echo reply that goes outside the
server.


Same logs with the 2.4.13/2.4.13 version :

Dump on ipsec0 on REMOTE-GATEWAY-2.4.9
13:06:10.281018 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) REMOTE-GATEWAY-2.4.9-SUBNET-IP >
GATEWAY-2.4.13-SUBNET-IP: ICMP echo request, id 36356, seq 1, length 64
13:06:10.412048 IP (tos 0x0, ttl  64, id 4779, offset 0, flags [none],
proto: ICMP (1), length: 84) GATEWAY-2.4.13-SUBNET-IP >
REMOTE-GATEWAY-2.4.9-SUBNET-IP: ICMP echo reply, id 36356, seq 1, length 64

Dump on ipsec0 on GATEWAY-2.4.13
13:06:10.355104 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) REMOTE-GATEWAY-2.4.9-SUBNET-IP >
GATEWAY-2.4.13-SUBNET-IP: ICMP echo request, id 36356, seq 1, length 64
13:06:10.355184 IP (tos 0x0, ttl  64, id 4779, offset 0, flags [none],
proto: ICMP (1), length: 84) GATEWAY-2.4.13-SUBNET-IP >
REMOTE-GATEWAY-2.4.9-SUBNET-IP: ICMP echo reply, id 36356, seq 1, length 64

Dump on eth0 on GATEWAY-2.4.13
13:06:10.355104 IP (tos 0x0, ttl  44, id 9276, offset 0, flags [none],
proto: ESP (50), length: 136) REMOTE-GATEWAY-2.4.9 > GATEWAY-2.4.13:
ESP(spi=0x11fb7634,seq=0x2), length 116
13:06:10.355215 IP (tos 0x0, ttl  64, id 4780, offset 0, flags [none],
proto: ESP (50), length: 136) GATEWAY-2.4.13 > REMOTE-GATEWAY-2.4.9:
ESP(spi=0xcdaa611b,seq=0x2), length 116


Now when I try to stop ipsec on the 2.4.13/2.4.16 version :

localhost:~# ipsec --version
Linux Openswan U2.4.13/K2.6.16 (klips)
See `ipsec --copyright' for copyright information.
localhost:~# /etc/init.d/ipsec stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: /usr/local/libexec/ipsec/eroute: pfkey write failed, returning
-1 with errno=96.
ipsec_setup: Unknown socket write error 96.  Please report as much detail as
possible to development team.
ipsec_setup: ERROR: Removing 'ipsec': Device or resource busy
localhost:~# ipsec --version
Linux Openswan U2.4.13/K2.6.16 (klips)
See `ipsec --copyright' for copyright information.

Pluto stops (and doesn't freeze with unregister_netdevice message) but the
kernel stack isn't unloaded.

Hope it helps,
Jean-Michel.


2008/9/18 Paul Wouters <paul at xelerance.com>

> On Thu, 18 Sep 2008, Jean-Michel Bonnefond wrote:
>
> > You're right, it comes from the 2.4.13 klips stack. I've compiled 2 versions,
> > using the same server, same kernel, same openswan version and here is the
> > result :
>
> Try compiling the KLIPS stack from 2.6.16 and use that with the 2.4.13
> userland.
>
> Paul
>
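
The capture comparison in the message above (a cleartext reply visible on ipsec0 with no ESP packet leaving on eth0) can be checked mechanically. This is an added example, not part of the original post or of Openswan; the function names, the 0.5 s matching window and the sample addresses are assumptions, and it expects numeric `tcpdump -n -v` output without port numbers, captured within one day.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# One "tcpdump -n -v" IPv4 record, after mail-client line wrapping is undone.
RECORD = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP \(.*?proto:? (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+): (?P<payload>.*?)(?= \d\d:\d\d:\d\d\.\d{6} IP |$)")

def parse(dump):
    """Return one dict per packet; wrapped lines are rejoined first."""
    recs = [m.groupdict() for m in RECORD.finditer(" ".join(dump.split()))]
    for r in recs:
        r["ts"] = datetime.strptime(r["ts"], "%H:%M:%S.%f")
    return recs

def egress_without_esp(ipsec0_dump, eth0_dump, local_net, local_gw, window=0.5):
    """Outbound ipsec0 packets with no ESP from local_gw within `window` seconds."""
    esp_out = [r["ts"] for r in parse(eth0_dump)
               if r["proto"] == "ESP" and r["src"] == local_gw]
    missing = []
    for pkt in parse(ipsec0_dump):
        if ip_address(pkt["src"]) not in ip_network(local_net):
            continue  # inbound packet, already decrypted
        hit = next((t for t in esp_out
                    if 0 <= (t - pkt["ts"]).total_seconds() <= window), None)
        if hit is None:
            missing.append(pkt)
        else:
            esp_out.remove(hit)  # each ESP packet accounts for one cleartext packet
    return missing

# Constructed sample captures (example addresses, not taken from the post).
IPSEC0 = """\
12:00:00.100000 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) 10.0.1.5 > 10.0.2.7: ICMP echo request, id 1, seq 1, length 64
12:00:00.100200 IP (tos 0x0, ttl  64, id 7, offset 0, flags [none], proto:
ICMP (1), length: 84) 10.0.2.7 > 10.0.1.5: ICMP echo reply, id 1, seq 1, length 64
"""
ETH0_IN = """\
12:00:00.100000 IP (tos 0x0, ttl  44, id 9, offset 0, flags [none], proto: ESP (50),
length: 136) 198.51.100.1 > 192.0.2.1: ESP(spi=0x00000001,seq=0x1), length 116
"""
ETH0_OUT = """\
12:00:00.100300 IP (tos 0x0, ttl  64, id 8, offset 0, flags [none], proto: ESP (50),
length: 136) 192.0.2.1 > 198.51.100.1: ESP(spi=0x00000002,seq=0x1), length 116
"""
if __name__ == "__main__":
    print(egress_without_esp(IPSEC0, ETH0_IN, "10.0.2.0/24", "192.0.2.1"))
```

With only the inbound ESP packet on eth0 the echo reply is reported; adding the outbound ESP packet to the eth0 capture clears it.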