[Openswan Users] Still server crash

David McCullough david_mccullough at mcafee.com
Tue Mar 30 00:27:27 EDT 2010


Jivin Dennis van der Meer lays it down ...
> Hi,
> 
> Last week I have been trying to see if I can get a stable version of KLIPS working but I seem to crash my entire server
> whenever I try this. I've been able to crash my VMWare test system but also a production server that is not using VMWare.
> As soon as I try to make a connection using ipsec from another location the whole system crashes. I was able to change
> the number of screen lines to 60 so I could see a little bit more (see partial info below). Maybe someone can help me track
> down the problem. So far I have tried a recent GIT build, 2 different kernel versions and the latest official openswan version;
> all have the same problems with the crash.


We have been seeing problems with the builtin crypto for openswan.  I
haven't had a chance to look at it yet but the workaround is fairly simple.
We just switch to using the kernel crypto API and not the openswan included
versions of des etc.

Setup for kernel .config as follows (or similar depending on kernel version):

	CONFIG_KLIPS=y
	#
	# KLIPS options
	#
	CONFIG_KLIPS_ESP=y
	# CONFIG_KLIPS_AH is not set
	CONFIG_KLIPS_AUTH_HMAC_MD5=y
	CONFIG_KLIPS_AUTH_HMAC_SHA1=y
	CONFIG_KLIPS_ALG=y
	CONFIG_KLIPS_ENC_CRYPTOAPI=y
	# CONFIG_KLIPS_ENC_1DES is not set
	# CONFIG_KLIPS_ENC_3DES is not set
	# CONFIG_KLIPS_ENC_AES is not set
	CONFIG_KLIPS_IPCOMP=y
	# CONFIG_KLIPS_OCF is not set
	CONFIG_KLIPS_DEBUG=y
	CONFIG_KLIPS_IF_MAX=4

	CONFIG_CRYPTO=y
	#
	# Crypto core or helper
	#
	CONFIG_CRYPTO_ALGAPI=y
	CONFIG_CRYPTO_ALGAPI2=y
	CONFIG_CRYPTO_AEAD2=y
	CONFIG_CRYPTO_BLKCIPHER=y
	CONFIG_CRYPTO_BLKCIPHER2=y
	CONFIG_CRYPTO_HASH=y
	CONFIG_CRYPTO_HASH2=y
	CONFIG_CRYPTO_RNG2=y
	CONFIG_CRYPTO_PCOMP=y
	CONFIG_CRYPTO_MANAGER=y
	CONFIG_CRYPTO_MANAGER2=y
	CONFIG_CRYPTO_WORKQUEUE=y
	CONFIG_CRYPTO_CBC=y
	CONFIG_CRYPTO_ECB=y
	CONFIG_CRYPTO_HMAC=y
	CONFIG_CRYPTO_MD5=y
	CONFIG_CRYPTO_SHA1=y
	CONFIG_CRYPTO_SHA256=y
	CONFIG_CRYPTO_SHA512=y
	CONFIG_CRYPTO_AES=y
	CONFIG_CRYPTO_ARC4=y
	CONFIG_CRYPTO_DES=y

That should see you working I think,

Cheers,
Davidm
	

> Partial crash info:
> 
> Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f a3 e0 0d 1f
>  a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b 04 57 56 57
>  56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP 0068:de775af0
> CR2: 000000006a5a85a4
> ---[ end trace 33b374d09a6bcf21 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> Pid: 2043, comm.: sh Tainted: G     D    2.6.33 #4
> Call Trace:
>  [<c148fd84>] ? printk+0x18/0x1a
>  [<c148fcb2>] panic+0x43/0xfd
>  [<c100d3c3>] oops_end+0x83/0x90
>  [<c101f4be>] no_context+0xbe/0x160
>  [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
>  [<c104efd2>] ? sched_clock_local+0xd2/0x170
>  [<c1031423>] ? task_tick_fair+0x33/0x110
>  [<c103108b>] ? scheduler_tick+0xeb/0x150
>  [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
>  [<c101fadc>] do_page_fault+0x25c/0x300
>  [<c10559e5>] ? tick_periodic+0x25/0x70
>  [<c1055a49>] ? tick_handle_periodic+0x19/0x90
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<c1492ace>] error_code+0x66/0x6c
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
>  [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
>  [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
>  [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
>  [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
>  [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
>  [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
>  [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
>  [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
>  [<c140671f>] ? ip_local_deliver+0x8f/0xa0
>  [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
>  [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c14063b5>] ? ip_rcv+0x235/0x290
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
>  [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
>  [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
>  [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
>  [<c10053ca>] ? handle_irq+0x1a/0x30
>  [<c13afd2d>] ? net_rx_action+0x7d/0x100
>  [<c103af45>] ? __do_softirq+0x85/0x110
>  [<c1040054>] ? update_process_times+0x54/0x70
>  [<c103affd>] ? do_softirq+0x2d/0x40
>  [<c103b15d>] ? irq_exit+0x2d/0x40
>  [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
>  [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
>  [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
>  [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
>  [<c10917dd>] ? vma_adjust+0xfd/0x470
>  [<c1091c3a>] ? __split_vma+0xea/0x140
>  [<c1091fbf>] ? split_vma+0x2f/0x40
>  [<c1093596>] ? mprotect_fixup+0x306/0x360
>  [<c109376e>] ? sys_mprotect+0x17e/0x220
>  [<c14924b5>] ? syscall_call+0x7/0xb
> 
> Thanks,
> 
> Dennis


-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
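
A quick way to confirm that a kernel .config matches the workaround in the reply above, as an added example that is not part of the original post or of Openswan itself. The function names, the subset of options checked, the rule that only `=y` counts, and the sample config are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the original post): audit a kernel .config for the
# workaround above. Requiring =y mirrors the posted fragment (an assumption).

# Options the posted fragment sets to =y so KLIPS uses the kernel crypto API.
REQUIRED="CONFIG_KLIPS_ENC_CRYPTOAPI CONFIG_CRYPTO CONFIG_CRYPTO_CBC
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_AES
CONFIG_CRYPTO_DES"
# Openswan's bundled ciphers, left "is not set" in the posted fragment.
BUNDLED="CONFIG_KLIPS_ENC_1DES CONFIG_KLIPS_ENC_3DES CONFIG_KLIPS_ENC_AES"

# opt_state FILE OPTION: print the option's value, or "unset" if absent
# or commented out ("# CONFIG_X is not set").
opt_state() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# check_klips_config FILE: print one finding per line; return 0 if the file
# matches the workaround, 1 if not, 2 if the file cannot be read.
check_klips_config() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "ERROR cannot read $cfg"; return 2; }
    for opt in $REQUIRED; do
        st=$(opt_state "$cfg" "$opt")
        [ "$st" = "y" ] || { echo "MISSING $opt (state: $st)"; rc=1; }
    done
    for opt in $BUNDLED; do
        st=$(opt_state "$cfg" "$opt")
        [ "$st" = "unset" ] || { echo "BUNDLED $opt=$st still enabled"; rc=1; }
    done
    return $rc
}

# Constructed sample: bundled 3DES compiled in, crypto API glue switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_KLIPS=y
# CONFIG_KLIPS_ENC_CRYPTOAPI is not set
CONFIG_KLIPS_ENC_3DES=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_DES=y
EOF
check_klips_config "$sample" || echo "=> rebuild with the settings above"
rm -f "$sample"
```

Point `check_klips_config` at the `.config` the running kernel was built from; a `BUNDLED` finding means the code path seen in the quoted trace (`_3des_cbc_encrypt` inside the `ipsec` module) is still compiled in.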

