[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Fri Apr 2 06:25:42 EDT 2010


Hi David,

It seems that your suggestion did the trick. I needed a few days to
build a new kernel.
For some reason I had a lot of problems with it but it had nothing to do
with openswan.
Now I need to get my roadwarrior setup working, together with l2tp but I
am sure it will work eventually.
Thanks for all the help.


Dennis

-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com] 
Sent: Tuesday 30 March 2010 6:27
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash


Jivin Dennis van der Meer lays it down ...
> Hi,
>
> Last week I have been trying to see if I can get a stable version of
> KLIPS working but I seem to crash my entire server whenever I try this.
> I've been able to crash my VMWare test system but also a production
> server that is not using VMWare.
>
> As soon as I try to make a connection using ipsec from another
> location the whole system crashes. I was able to change the number of
> screen lines to 60 so I could see a little bit more (see partial info
> below). Maybe someone can help me track down the problem. So far I have
> tried a recent GIT build, 2 different kernel versions and the latest
> official openswan version; all have the same problems with the crash.


We have been seeing problems with the builtin crypto for openswan.  I
haven't had a chance to look at it yet but the workaround is fairly
simple.
We just switch to using the kernel crypto API and not the openswan
included versions of des etc.

Setup for kernel .config as follows (or similar depending on kernel
version):

	CONFIG_KLIPS=y
	#
	# KLIPS options
	#
	CONFIG_KLIPS_ESP=y
	# CONFIG_KLIPS_AH is not set
	CONFIG_KLIPS_AUTH_HMAC_MD5=y
	CONFIG_KLIPS_AUTH_HMAC_SHA1=y
	CONFIG_KLIPS_ALG=y
	CONFIG_KLIPS_ENC_CRYPTOAPI=y
	# CONFIG_KLIPS_ENC_1DES is not set
	# CONFIG_KLIPS_ENC_3DES is not set
	# CONFIG_KLIPS_ENC_AES is not set
	CONFIG_KLIPS_IPCOMP=y
	# CONFIG_KLIPS_OCF is not set
	CONFIG_KLIPS_DEBUG=y
	CONFIG_KLIPS_IF_MAX=4

	CONFIG_CRYPTO=y
	#
	# Crypto core or helper
	#
	CONFIG_CRYPTO_ALGAPI=y
	CONFIG_CRYPTO_ALGAPI2=y
	CONFIG_CRYPTO_AEAD2=y
	CONFIG_CRYPTO_BLKCIPHER=y
	CONFIG_CRYPTO_BLKCIPHER2=y
	CONFIG_CRYPTO_HASH=y
	CONFIG_CRYPTO_HASH2=y
	CONFIG_CRYPTO_RNG2=y
	CONFIG_CRYPTO_PCOMP=y
	CONFIG_CRYPTO_MANAGER=y
	CONFIG_CRYPTO_MANAGER2=y
	CONFIG_CRYPTO_WORKQUEUE=y
	CONFIG_CRYPTO_CBC=y
	CONFIG_CRYPTO_ECB=y
	CONFIG_CRYPTO_HMAC=y
	CONFIG_CRYPTO_MD5=y
	CONFIG_CRYPTO_SHA1=y
	CONFIG_CRYPTO_SHA256=y
	CONFIG_CRYPTO_SHA512=y
	CONFIG_CRYPTO_AES=y
	CONFIG_CRYPTO_ARC4=y
	CONFIG_CRYPTO_DES=y

That should see you working I think,

Cheers,
Davidm
	

> Partial crash info:
>
> Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f a3 e0 0d 1f
>  a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b 04 57 56 57
>  56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP 0068:de775af0
> CR2: 000000006a5a85a4
> ---[ end trace 33b374d09a6bcf21 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> Pid: 2043, comm.: sh Tainted: G     D    2.6.33 #4
> Call Trace:
>  [<c148fd84>] ? printk+0x18/0x1a
>  [<c148fcb2>] panic+0x43/0xfd
>  [<c100d3c3>] oops_end+0x83/0x90
>  [<c101f4be>] no_context+0xbe/0x160
>  [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
>  [<c104efd2>] ? sched_clock_local+0xd2/0x170
>  [<c1031423>] ? task_tick_fair+0x33/0x110
>  [<c103108b>] ? scheduler_tick+0xeb/0x150
>  [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
>  [<c101fadc>] do_page_fault+0x25c/0x300
>  [<c10559e5>] ? tick_periodic+0x25/0x70
>  [<c1055a49>] ? tick_handle_periodic+0x19/0x90
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<c1492ace>] error_code+0x66/0x6c
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
>  [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
>  [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
>  [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
>  [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
>  [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
>  [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
>  [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
>  [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
>  [<c140671f>] ? ip_local_deliver+0x8f/0xa0
>  [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
>  [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c14063b5>] ? ip_rcv+0x235/0x290
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
>  [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
>  [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
>  [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
>  [<c10053ca>] ? handle_irq+0x1a/0x30
>  [<c13afd2d>] ? net_rx_action+0x7d/0x100
>  [<c103af45>] ? __do_softirq+0x85/0x110
>  [<c1040054>] ? update_process_times+0x54/0x70
>  [<c103affd>] ? do_softirq+0x2d/0x40
>  [<c103b15d>] ? irq_exit+0x2d/0x40
>  [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
>  [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
>  [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
>  [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
>  [<c10917dd>] ? vma_adjust+0xfd/0x470
>  [<c1091c3a>] ? __split_vma+0xea/0x140
>  [<c1091fbf>] ? split_vma+0x2f/0x40
>  [<c1093596>] ? mprotect_fixup+0x306/0x360
>  [<c109376e>] ? sys_mprotect+0x17e/0x220
>  [<c14924b5>] ? syscall_call+0x7/0xb
>
> Thanks,
>
> Dennis
>



-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com
http://www.uCdot.org
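
An added example, not part of the original messages or the Openswan project: a shell check that a kernel .config follows the workaround described above, i.e. CONFIG_KLIPS_ENC_CRYPTOAPI enabled and the bundled 1DES/3DES/AES options off. The function names and the subset of CONFIG_CRYPTO_* symbols it requires (taken from the list in the message) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the KLIPS crypto workaround.

# kconfig_state FILE SYMBOL: print y or m if set, n if "is not set" or absent.
kconfig_state() {
    val=$(sed -n "s/^[[:space:]]*$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# check_klips_crypto FILE: return 0 only if KLIPS is routed through the
# kernel crypto API and none of Openswan's bundled ciphers are compiled in.
check_klips_crypto() {
    cfg=$1
    rc=0
    # Must be enabled: the CryptoAPI glue and the kernel algorithms behind it.
    for sym in CONFIG_KLIPS_ALG CONFIG_KLIPS_ENC_CRYPTOAPI CONFIG_CRYPTO \
               CONFIG_CRYPTO_CBC CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES \
               CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_SHA1; do
        if [ "$(kconfig_state "$cfg" "$sym")" = n ]; then
            echo "MISSING  $sym (needed for the kernel crypto API path)"
            rc=1
        fi
    done
    # Must be disabled: the cipher code shipped inside the ipsec module.
    for sym in CONFIG_KLIPS_ENC_1DES CONFIG_KLIPS_ENC_3DES CONFIG_KLIPS_ENC_AES; do
        if [ "$(kconfig_state "$cfg" "$sym")" != n ]; then
            echo "BUILTIN  $sym is enabled (bundled cipher still compiled in)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: bundled 3DES on, CryptoAPI glue off.
demo=$(mktemp)
printf '%s\n' 'CONFIG_KLIPS=y' 'CONFIG_KLIPS_ALG=y' 'CONFIG_KLIPS_ENC_3DES=y' \
    '# CONFIG_KLIPS_ENC_CRYPTOAPI is not set' 'CONFIG_CRYPTO=y' > "$demo"
check_klips_crypto "$demo" || echo "=> config does not match the workaround"
rm -f "$demo"
```

Point `check_klips_crypto` at the `.config` in the kernel build tree before rebuilding; a non-zero return means at least one symbol differs from the workaround.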

