[Openswan Users] openswan 2.6.27 - klips - kernel panic
陈琳涛
chenlt at icevpn.org
Sat Jun 26 07:15:57 EDT 2010
Linux Kernel : 2.6.27.47 SMP
Linux Openswan 2.6.27 (klips)
## Center
/etc/ipsec.conf
version 2
config setup
protostack=klips
pluto=yes
plutowait=no
plutodebug=none
klipsdebug=none
uniqueids=yes
nat_traversal=yes
nhelpers=0
conn %default
type=tunnel
keyingtries=0
keyexchange=ike
auto=start
authby=secret
auth=esp
ikelifetime=1h
rekeymargin=10m
rekeyfuzz=20%
keylife=8h
conn PROFILE_1
pfs=no
keylife=3600s
ike=des-md5-modp768,des-sha1-modp768,3des-md5,3des-sha1,aes128-md5
esp=aes128-md5
compress=yes
left=172.16.1.5
leftnexthop=172.16.0.1
leftsubnet=192.168.5.0/24
auto=add
right=%any
rekey=no
forceencaps=yes
rightsubnet=vhost:%all
### Branches : SLES11 kernel 2.6.27.45-0.1-pae , Linux Openswan U2.6.16/K2.6.27.45-0.1-pae (netkey)
/etc/ipsec.conf
version 2.0
config setup
klipsdebug=none
plutodebug=none
protostack=netkey
conn %default
type=tunnel
keyingtries=0
keyexchange=ike
authby=secret
auth=esp
#auth=ah
ikelifetime=24h
rekeymargin=10m
rekeyfuzz=20%
keylife=24h
compress=no
conn PROFILE_1
pfs=no
rekey=no
keylife=86400s
auto=add
left=172.16.200.8
leftsubnet=18.18.18.0/24
right=172.16.1.5
rightsubnet=192.168.5.0/24
#### Steps
1. I raised two branches for test.
For SA Recycle test : Such script blow is running on each branch
#!/bin/sh
IPSEC="/usr/sbin/ipsec"
while [ 1 ]; do
$IPSEC auto --replace PROFILE_1
$IPSEC auto --rereadsecrets
$IPSEC auto --up PROFILE_1
done
2. For several minutes , Center crashed as below
kernel BUG at mm/vmalloc.c:217!
invalid opcode: 0000 [#1] SMP
Modules linked in: ipsec xt_connlimit xt_state xt_conntrack ipt_REDIRECT ipt_MASQUERADE nf_nat_tftp nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_ftp nf_nat_amanda iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack_tftp nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_irc nf_conntrack_ftp nf_conntrack_amanda nf_conntrack
Pid: 5502, comm: pluto Not tainted (2.6.27.47-CORE2-SMP #2)
EIP: 0060:[<c024e161>] EFLAGS: 00010206 CPU: 1
EIP is at __get_vm_area_node+0x22/0x18a
EAX: f7158000 EBX: f8800000 ECX: f8800000 EDX: 000000d2
ESI: 00002000 EDI: ffffffff EBP: 000000d2 ESP: f7159c08
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process pluto (pid: 5502, ti=f7158000 task=f7177800 task.ti=f7158000)
Stack: 00000002 f7159c5c f7159c4c 00002000 f8b402e4 ffffffff 000000d2 c024e55c
ff7fe000 ffffffff 000000d2 f8b402e4 00000163 00000800 00000001 0000000f
00000000 c024e5ac ffffffff f8b402e4 f8b402e4 00000800 00000001 f8b403f1
Call Trace:
[<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
[<c024e55c>] __vmalloc_node+0x64/0x8a
[<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
[<c024e5ac>] vmalloc+0x14/0x17
[<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
[<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
[<f8b403f1>] ipsec_SAref_recycle+0xa9/0x198 [ipsec]
[<f8b405f3>] ipsec_SAref_alloc+0x53/0x10f [ipsec]
[<f8b40fff>] ipsec_sa_intern+0x14/0xe3 [ipsec]
[<f8b4df19>] pfkey_add_parse+0x21d/0x675 [ipsec]
[<f8b538f5>] ultoa+0xb5/0xc0 [ipsec]
[<c03f4f87>] __alloc_skb+0x46/0xee
[<f8b55309>] pfkey_msg_parse+0x41a/0x63a [ipsec]
[<c03f51c4>] skb_queue_tail+0x11/0x2d
[<f8b4ff6e>] pfkey_msg_interp+0x24a/0x2c7 [ipsec]
[<f8b4d71b>] pfkey_sendmsg+0x271/0x37c [ipsec]
[<c03f135d>] sock_aio_write+0xc3/0xd0
[<c025af36>] do_sync_write+0xbf/0x100
[<c02116c7>] ptep_set_access_flags+0x20/0x29
[<c022ad00>] autoremove_wake_function+0x0/0x2d
[<c025b649>] vfs_write+0x7c/0x8d
[<c025b755>] sys_write+0x3c/0x63
[<c02029d9>] sysenter_do_call+0x12/0x25
[<c0460000>] igb_probe+0x15e/0x9d5
=======================
Code: 00 00 89 c8 e9 35 ff ff ff 55 57 56 89 c6 53 89 cb 83 ec 0c 89 e0 89 14 24 25 00 e0 ff ff 8b 54 24 28 f7 40 14 00 ff ff 0f 74 04 <0f> 0b eb fe f6 04 24 01 c7 44 24 08 01 00 00 00 74 30 0f bd c6
EIP: [<c024e161>] __get_vm_area_node+0x22/0x18a SS:ESP 0068:f7159c08
Kernel panic - not syncing: Fatal exception in interrupt
3. I have tried openswan-2.6.26 , just the same .
4. openswan-2.6.23 test OK. But has another problem when running test branches for several hours
2010/06/26 12:46:24 ICEFLOW pluto[25604]: ERROR: "PROFILE_1"[106] 172.16.12.1 #138505: pfkey write() of K_SADB_ADD message 872859 for Add SA tun.26f15 at 172.16.12.1 failed. Errno 28: No space left on device
I must reload ipsec.ko to release SAref space.
5. Openswan 2.6.24 test ok. It doesn't crash and IPSec SA reconnected 78697 times after 3 hours . ( One SAref cycle 2^16 = 32768 ? )
More information about the Users
mailing list