[Openswan Users] openswan 2.6.27 - klips - kernel panic

Paul Wouters paul at xelerance.com
Sat Jun 26 12:05:00 EDT 2010 

On Sat, 26 Jun 2010, 陈琳涛 wrote:

> Subject: [Openswan Users] openswan 2.6.27 - klips - kernel panic

Can you test openswan-2.6.28dr1? It might fix your crasher.
Also, if you want to use saref, you should use protostack=mast

Paul

> Linux Kernel : 2.6.27.47 SMP
> Linux Openswan 2.6.27 (klips)
>
> ## Center
> /etc/ipsec.conf
> version 2
> config setup
>        protostack=klips
>        pluto=yes
>        plutowait=no
>        plutodebug=none
>        klipsdebug=none
>        uniqueids=yes
>        nat_traversal=yes
>        nhelpers=0
>
> conn    %default
>        type=tunnel
>        keyingtries=0
>        keyexchange=ike
>        auto=start
>        authby=secret
>        auth=esp
>        ikelifetime=1h
>        rekeymargin=10m
>        rekeyfuzz=20%
>        keylife=8h
>
> conn PROFILE_1
>        pfs=no
>        keylife=3600s
>        ike=des-md5-modp768,des-sha1-modp768,3des-md5,3des-sha1,aes128-md5
>        esp=aes128-md5
>        compress=yes
>        left=172.16.1.5
>        leftnexthop=172.16.0.1
>        leftsubnet=192.168.5.0/24
>        auto=add
>        right=%any
>        rekey=no
>        forceencaps=yes
>        rightsubnet=vhost:%all
>
> ### Branches : SLES11 kernel  2.6.27.45-0.1-pae , Linux Openswan U2.6.16/K2.6.27.45-0.1-pae (netkey)
> /etc/ipsec.conf
> version 2.0
>
> config setup
>    klipsdebug=none
>    plutodebug=none
>    protostack=netkey
>
> conn    %default
>        type=tunnel
>        keyingtries=0
>        keyexchange=ike
>        authby=secret
>        auth=esp
>        #auth=ah
>        ikelifetime=24h
>        rekeymargin=10m
>        rekeyfuzz=20%
>        keylife=24h
>        compress=no
>
> conn PROFILE_1
>        pfs=no
>        rekey=no
>        keylife=86400s
>        auto=add
>        left=172.16.200.8
>        leftsubnet=18.18.18.0/24
>        right=172.16.1.5
>        rightsubnet=192.168.5.0/24
>
>
> #### Steps
> 1. I raised two branches for test.
> For SA Recycle test : Such script blow is running on each branch
> #!/bin/sh
>
> IPSEC="/usr/sbin/ipsec"
>
> while [ 1 ]; do
>
> $IPSEC auto --replace PROFILE_1
> $IPSEC auto --rereadsecrets
> $IPSEC auto --up PROFILE_1
>
> done
>
> 2. For several minutes , Center crashed as below
>
> kernel BUG at mm/vmalloc.c:217!
> invalid opcode: 0000 [#1] SMP
> Modules linked in: ipsec xt_connlimit xt_state xt_conntrack ipt_REDIRECT ipt_MASQUERADE nf_nat_tftp nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_ftp nf_nat_amanda iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack_tftp nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_irc nf_conntrack_ftp nf_conntrack_amanda nf_conntrack
>
> Pid: 5502, comm: pluto Not tainted (2.6.27.47-CORE2-SMP #2)
> EIP: 0060:[<c024e161>] EFLAGS: 00010206 CPU: 1
> EIP is at __get_vm_area_node+0x22/0x18a
> EAX: f7158000 EBX: f8800000 ECX: f8800000 EDX: 000000d2
> ESI: 00002000 EDI: ffffffff EBP: 000000d2 ESP: f7159c08
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process pluto (pid: 5502, ti=f7158000 task=f7177800 task.ti=f7158000)
> Stack: 00000002 f7159c5c f7159c4c 00002000 f8b402e4 ffffffff 000000d2 c024e55c
>       ff7fe000 ffffffff 000000d2 f8b402e4 00000163 00000800 00000001 0000000f
>       00000000 c024e5ac ffffffff f8b402e4 f8b402e4 00000800 00000001 f8b403f1
> Call Trace:
> [<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
> [<c024e55c>] __vmalloc_node+0x64/0x8a
> [<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
> [<c024e5ac>] vmalloc+0x14/0x17
> [<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
> [<f8b402e4>] ipsec_SArefSubTable_alloc+0x2c/0x90 [ipsec]
> [<f8b403f1>] ipsec_SAref_recycle+0xa9/0x198 [ipsec]
> [<f8b405f3>] ipsec_SAref_alloc+0x53/0x10f [ipsec]
> [<f8b40fff>] ipsec_sa_intern+0x14/0xe3 [ipsec]
> [<f8b4df19>] pfkey_add_parse+0x21d/0x675 [ipsec]
> [<f8b538f5>] ultoa+0xb5/0xc0 [ipsec]
> [<c03f4f87>] __alloc_skb+0x46/0xee
> [<f8b55309>] pfkey_msg_parse+0x41a/0x63a [ipsec]
> [<c03f51c4>] skb_queue_tail+0x11/0x2d
> [<f8b4ff6e>] pfkey_msg_interp+0x24a/0x2c7 [ipsec]
> [<f8b4d71b>] pfkey_sendmsg+0x271/0x37c [ipsec]
> [<c03f135d>] sock_aio_write+0xc3/0xd0
> [<c025af36>] do_sync_write+0xbf/0x100
> [<c02116c7>] ptep_set_access_flags+0x20/0x29
> [<c022ad00>] autoremove_wake_function+0x0/0x2d
> [<c025b649>] vfs_write+0x7c/0x8d
> [<c025b755>] sys_write+0x3c/0x63
> [<c02029d9>] sysenter_do_call+0x12/0x25
> [<c0460000>] igb_probe+0x15e/0x9d5
> =======================
> Code: 00 00 89 c8 e9 35 ff ff ff 55 57 56 89 c6 53 89 cb 83 ec 0c 89 e0 89 14 24 25 00 e0 ff ff 8b 54 24 28 f7 40 14 00 ff ff 0f 74 04 <0f> 0b eb fe f6 04 24 01 c7 44 24 08 01 00 00 00 74 30 0f bd c6
> EIP: [<c024e161>] __get_vm_area_node+0x22/0x18a SS:ESP 0068:f7159c08
> Kernel panic - not syncing: Fatal exception in interrupt
>
> 3. I have tried openswan-2.6.26 , just the same .
> 4. openswan-2.6.23 test OK. But has another problem when running test branches for several hours
> 2010/06/26 12:46:24 ICEFLOW pluto[25604]: ERROR: "PROFILE_1"[106] 172.16.12.1 #138505: pfkey write() of K_SADB_ADD message 872859 for Add SA tun.26f15 at 172.16.12.1 failed. Errno 28: No space left on device
>
> I must reload ipsec.ko to release SAref space.
>
> 5. Openswan 2.6.24 test ok. It doesn't crash  and  IPSec SA  reconnected  78697 times after 3 hours . ( One SAref cycle 2^16 = 32768 ? )
>
>
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

More information about the Users mailing list