[Openswan Users] 2.6.24rc3 KLIPS Module compilation problem

Sven Schiwek ml-openswan at svenux.de
Thu Nov 19 00:13:30 EST 2009 

Paul Wouters wrote:
> On Wed, 18 Nov 2009, Sven Schiwek wrote:
> 
>>> I assume something changes with bounds.h, and we are not doing the right
>>> thing
>>> for that kernel version.
>>>
>>
>> Hi,
>>
>> after a Kernel recompile the error has disappeared - well ok, but I have
> 
> Good to know.
> 
>> an interesting ipsec restart affect. The UDP Ports 500 and 4500 are not
>> released so on every restart a "new" socket pair is created.
> 
> if you stop the pluto daemon, nothing should be on those udp ports anymore.
> 
>> How can I tell Openswan to release all sockets on a restart? (Normally I
>> do a '/etc/init.d/ipsec restart')
> 
> That should work.
> 
>> $ netstat -a -u -p -n | grep 500
>> udp        0      0 111.111.111.111:4500    0.0.0.0:*        12264/pluto
>>
>> udp        0      0 222.222.222.222:4500    0.0.0.0:*        12264/pluto
>> udp        0      0 111.111.111.111:4500    0.0.0.0:*        -
>> udp        0      0 222.222.222.222:4500    0.0.0.0:*        -
>> udp        0      0 111.111.111.111:4500    0.0.0.0:*        -
>> udp        0      0 222.222.222.222:4500    0.0.0.0:*        -
>> udp        0      0 111.111.111.111:500     0.0.0.0:*        12264/pluto
>> udp        0      0 222.222.222.222:500     0.0.0.0:*        12264/pluto
>> udp     1272      0 111.111.111.111:500     0.0.0.0:*        -
>> udp     1272      0 222.222.222.222:500     0.0.0.0:*        -
>> udp     2120      0 111.111.111.111:500     0.0.0.0:*        -
>> udp     6536      0 222.222.222.222:500     0.0.0.0:*        -
> 
> I am not entirely sure what this output means, and what the "-" means. If
> the port was still bound, then the new pluto would not be able to bind it.
> 
> Perhaps this is an artifact of the new ENCAP marking of a udp port? And
> that
> the old netstat comand does not properly understand this?
> 
> Are you sure you in fact have a problem?
> 


Hi Paul,

sorry, I don't know what the "new ENCAP" and the "old" netstat is - I'm
using Debian stable with a kernel from kernel.org.
As long as I don't unload the ipsec module I have no problems.

I have manually unloaded the ipsec module and get a Kernel panic (see
attachment). Here are some more shell output I hope this is helpful.

Please let my know if you need more informations.
Sven


[22:48] root enterprise[1]:~# /etc/init.d/ipsec stop
ipsec_setup: Stopping Openswan IPsec...
[24494.114906] IPSEC EVENT: KLIPS device ipsec0 shut down.
[24494.202210] IPSEC EVENT: KLIPS device ipsec1 shut down.
[24494.320069]
[22:48] root enterprise[2]:~# netstat -a -u -p -n | grep 500
udp        0      0 209.239.114.109:4500    0.0.0.0:*    -
udp        0      0 209.239.116.203:4500    0.0.0.0:*    -
udp        0      0 209.239.114.109:4500    0.0.0.0:*    -
udp        0      0 209.239.116.203:4500    0.0.0.0:*    -
udp        0      0 209.239.114.109:4500    0.0.0.0:*    -
udp        0      0 209.239.116.203:4500    0.0.0.0:*    -
udp     1696      0 209.239.114.109:500     0.0.0.0:*    -
udp     4216      0 209.239.116.203:500     0.0.0.0:*    -
udp     1272      0 209.239.114.109:500     0.0.0.0:*    -
udp     1272      0 209.239.116.203:500     0.0.0.0:*    -
udp     2120      0 209.239.114.109:500     0.0.0.0:*    -
udp     6536      0 209.239.116.203:500     0.0.0.0:*    -
[22:48] root enterprise[3]:~# lsmod | grep ipsec
ipsec                 343524  0
[22:49] root enterprise[4]:~# rmmod ipsec
[24537.944587] ------------[ cut here ]------------
[24537.948517] kernel BUG at net/core/dev.c:4823!
<snip>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: panic.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091118/efc66d97/attachment-0001.txt

More information about the Users mailing list