[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Tue Mar 30 05:19:54 EDT 2010

Hi David,

Thanks for your quick reply. Unfortunately applying the kernel patch
seems a little bit more trouble than
I thought. There are two errors when applying the patch and there is a
critical error when compiling the kernel (2.6.33).
All errors are included below. I have solved the kernel compile error by
changing the net/Makefile manually. It seems
the offset probably changed between kernel version. The last patch error
is because of the first one?
I will test the rest as soon as possible. I will first need to tweak my
kernel again.

make kernelpatch2.6 | tee /usr/src/linux/openswan.patch | (cd
/usr/src/linux && patch -p1 -b -z .preipsec --forward
--ignore-whitespace )
patching file README.openswan-2
patching file include/des/des_locl.h
patching file include/des/des_ver.h
patching file include/des/podd.h
patching file include/des/sk.h
patching file include/des/spr.h
patching file include/klips-crypto/aes.h
patching file include/klips-crypto/aes_cbc.h
patching file include/klips-crypto/aes_xcbc_mac.h
patching file include/klips-crypto/cbc_generic.h
patching file include/klips-crypto/des.h
patching file include/openswan.h
patching file include/openswan/ipcomp.h
patching file include/openswan/ipsec_ah.h
patching file include/openswan/ipsec_alg.h
patching file include/openswan/ipsec_alg_3des.h
patching file include/openswan/ipsec_auth.h
patching file include/openswan/ipsec_encap.h
patching file include/openswan/ipsec_eroute.h
patching file include/openswan/ipsec_errs.h
patching file include/openswan/ipsec_esp.h
patching file include/openswan/ipsec_ipcomp.h
patching file include/openswan/ipsec_ipe4.h
patching file include/openswan/ipsec_ipip.h
patching file include/openswan/ipsec_kern24.h
patching file include/openswan/ipsec_kversion.h
patching file include/openswan/ipsec_life.h
patching file include/openswan/ipsec_mast.h
patching file include/openswan/ipsec_md5h.h
patching file include/openswan/ipsec_param.h
patching file include/openswan/ipsec_param2.h
patching file include/openswan/ipsec_policy.h
patching file include/openswan/ipsec_proto.h
patching file include/openswan/ipsec_radij.h
patching file include/openswan/ipsec_rcv.h
patching file include/openswan/ipsec_sa.h
patching file include/openswan/ipsec_sha1.h
patching file include/openswan/ipsec_stats.h
patching file include/openswan/ipsec_sysctl.h
patching file include/openswan/ipsec_tunnel.h
patching file include/openswan/ipsec_xform.h
patching file include/openswan/ipsec_xmit.h
patching file include/openswan/mast.h
patching file include/openswan/passert.h
patching file include/openswan/pfkey.h
patching file include/openswan/pfkey_debug.h
patching file include/openswan/pfkeyv2.h
patching file include/openswan/radij.h
patching file include/zlib/zconf.h
patching file include/zlib/zlib.h
patching file include/zlib/zutil.h
patching file net/Kconfig
Hunk #1 succeeded at 278 (offset 63 lines).
patching file net/Makefile
Hunk #1 FAILED at 42.
1 out of 1 hunk FAILED -- saving rejects to file net/Makefile.rej
patching file net/ipsec/Kconfig
patching file net/ipsec/Makefile
patching file net/ipsec/README-zlib
patching file net/ipsec/README-zlib.freeswan
patching file net/ipsec/addrtoa.c
patching file net/ipsec/addrtot.c
patching file net/ipsec/addrtypeof.c
patching file net/ipsec/adler32.c
patching file net/ipsec/aes/Makefile
patching file net/ipsec/aes/aes-i586.S
patching file net/ipsec/aes/aes.c
patching file net/ipsec/aes/aes_cbc.c
patching file net/ipsec/aes/aes_xcbc_mac.c
patching file net/ipsec/aes/ipsec_alg_aes.c
patching file net/ipsec/alg/Config.alg_aes.in
patching file net/ipsec/alg/Config.alg_cryptoapi.in
patching file net/ipsec/alg/Config.in
patching file net/ipsec/alg/Makefile.alg_aes
patching file net/ipsec/alg/Makefile.alg_cryptoapi
patching file net/ipsec/alg/ipsec_alg_cryptoapi.c
patching file net/ipsec/alg/scripts/mk-static_init.c.sh
patching file net/ipsec/anyaddr.c
patching file net/ipsec/datatot.c
patching file net/ipsec/defconfig
patching file net/ipsec/deflate.c
patching file net/ipsec/deflate.h
patching file net/ipsec/des/COPYRIGHT
patching file net/ipsec/des/INSTALL
patching file net/ipsec/des/Makefile
patching file net/ipsec/des/README
patching file net/ipsec/des/README.freeswan
patching file net/ipsec/des/VERSION
patching file net/ipsec/des/asm/des-586.pl
patching file net/ipsec/des/asm/des686.pl
patching file net/ipsec/des/asm/desboth.pl
patching file net/ipsec/des/asm/readme
patching file net/ipsec/des/cbc_enc.c
patching file net/ipsec/des/des.doc
patching file net/ipsec/des/des_enc.c
patching file net/ipsec/des/des_opts.c
patching file net/ipsec/des/dx86unix.S
patching file net/ipsec/des/ecb_enc.c
patching file net/ipsec/des/ipsec_alg_3des.c
patching file net/ipsec/des/set_key.c
patching file net/ipsec/goodmask.c
patching file net/ipsec/infblock.c
patching file net/ipsec/infblock.h
patching file net/ipsec/infcodes.c
patching file net/ipsec/infcodes.h
patching file net/ipsec/inffast.c
patching file net/ipsec/inffast.h
patching file net/ipsec/inffixed.h
patching file net/ipsec/inflate.c
patching file net/ipsec/inftrees.c
patching file net/ipsec/inftrees.h
patching file net/ipsec/infutil.c
patching file net/ipsec/infutil.h
patching file net/ipsec/initaddr.c
patching file net/ipsec/ipcomp.c
patching file net/ipsec/ipsec_ah.c
patching file net/ipsec/ipsec_alg.c
patching file net/ipsec/ipsec_alg_cryptoapi.c
patching file net/ipsec/ipsec_esp.c
patching file net/ipsec/ipsec_init.c
patching file net/ipsec/ipsec_ipcomp.c
patching file net/ipsec/ipsec_ipip.c
patching file net/ipsec/ipsec_kern24.c
patching file net/ipsec/ipsec_life.c
patching file net/ipsec/ipsec_mast.c
patching file net/ipsec/ipsec_md5c.c
patching file net/ipsec/ipsec_ocf.c
patching file net/ipsec/ipsec_ocf.h
patching file net/ipsec/ipsec_proc.c
patching file net/ipsec/ipsec_radij.c
patching file net/ipsec/ipsec_rcv.c
patching file net/ipsec/ipsec_sa.c
patching file net/ipsec/ipsec_sha1.c
patching file net/ipsec/ipsec_snprintf.c
patching file net/ipsec/ipsec_tunnel.c
patching file net/ipsec/ipsec_xform.c
patching file net/ipsec/ipsec_xmit.c
patching file net/ipsec/match586.S
patching file net/ipsec/match686.S
patching file net/ipsec/pfkey_v2.c
patching file net/ipsec/pfkey_v2_build.c
patching file net/ipsec/pfkey_v2_debug.c
patching file net/ipsec/pfkey_v2_ext_bits.c
patching file net/ipsec/pfkey_v2_ext_process.c
patching file net/ipsec/pfkey_v2_parse.c
patching file net/ipsec/pfkey_v2_parser.c
patching file net/ipsec/prng.c
patching file net/ipsec/radij.c
patching file net/ipsec/rangetoa.c
patching file net/ipsec/satot.c
patching file net/ipsec/subnetof.c
patching file net/ipsec/subnettoa.c
patching file net/ipsec/sysctl_net_ipsec.c
patching file net/ipsec/trees.c
patching file net/ipsec/trees.h
patching file net/ipsec/ultoa.c
patching file net/ipsec/ultot.c
patching file net/ipsec/version.c
patching file net/ipsec/zutil.c
patching file net/ipv4/af_inet.c
Hunk #1 succeeded at 1627 with fuzz 2 (offset 458 lines).
patching file net/ipsec/Makefile.ver
make: *** [applypatch] Error 1

And for the kernel compilation error:

scripts/kconfig/conf -s arch/x86/Kconfig
  CHK     include/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  CHK     include/generated/compile.h
  CC      crypto/sha256_generic.o
  CC      crypto/sha512_generic.o
  LD      crypto/built-in.o
  CC      net/ipv4/af_inet.o
  LD      net/ipv4/built-in.o
  LD      net/built-in.o
  LD      vmlinux.o
  MODPOST vmlinux.o
  GEN     .version
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  LD      init/built-in.o
  LD      .tmp_vmlinux1
Net/built-in.o: In function 'inet_init';
af_inet.c:(.init.text+0x1f81): undefined reference to 'ipsec_klips_init'
make: *** [.tmp_vmlinux1] Error 1

-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com] 
Sent: dinsdag 30 maart 2010 6:27
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash

Jivin Dennis van der Meer lays it down ...
> Hi,
> Last week I have been trying to see if I can get a stable version of
KLIPS working but I seem to crash my entire server
> whenever I try this. I??ve been able to crash my VMWare test system
but also a production server that is not using VMWare.
> As soon as I try to make a connection using ipsec from another
location the whole system crashes. I was able to change
> the number of screen lines to 60 so I could see a little bit more (see
partial info below). Maybe someone can help me track 
> down the problem. So far I have tried a recent GIT build, 2 different
kernel versions and the latest official openswan version;
> all have the same problems with the crash.

We have been seeing problems with the builtin crypto for openswan.  I
haven't had a chance to look at it yet but the workaround is fairly
We just switch to using the kernel crypto API and not the openswan
versions of des etc.

Setup for kernel .config as follows (or similar depending on kernel

	# KLIPS options
	# CONFIG_KLIPS_AH is not set
	# CONFIG_KLIPS_ENC_1DES is not set
	# CONFIG_KLIPS_ENC_3DES is not set
	# CONFIG_KLIPS_ENC_AES is not set
	# CONFIG_KLIPS_OCF is not set

	# Crypto core or helper

That should see you working I think,


> Partial crash info:
> Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f
a3 e0 0d 1f
>  a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b
04 57 56 57
>  56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP
> CR2: 000000006a5a85a4
> ---[ end trace 33b374d09a6bcf21 ]---
> Kernel panic ?? not syncing: Fatal exception in interrupt
> Pid: 2043, comm.: sh Tainted: G     D    2.6.33 #4
> Call Trace:
>  [<c148fd84>] ? printk+0x18/0x1a
>  [<c148fcb2>] panic+0x43/0xfd
>  [<c100d3c3>] oops_end+0x83/0x90
>  [<c101f4be>] no_context+0xbe/0x160
>  [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
>  [<c104efd2>] ? sched_clock_local+0xd2/0x170
>  [<c1031423>] ? task_tick_fair+0x33/0x110
>  [<c103108b>] ? scheduler_tick+0xeb/0x150
>  [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
>  [<c101fadc>] do_page_fault+0x25c/0x300
>  [<c10559e5>] ? tick_periodic+0x25/0x70
>  [<c1055a49>] ? tick_handle_periodic+0x19/0x90
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<c1492ace>] error_code+0x66/0x6c
>  [<c101f880>] ? do_page_fault+0x0/0x300
>  [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
>  [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
>  [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
>  [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
>  [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
>  [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
>  [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
>  [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
>  [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
>  [<c140671f>] ? ip_local_deliver+0x8f/0xa0
>  [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
>  [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c14063b5>] ? ip_rcv+0x235/0x290
>  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
>  [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
>  [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
>  [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
>  [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
>  [<c10053ca>] ? handle_irq+0x1a/0x30
>  [<c13afd2d>] ? net_rx_action+0x7d/0x100
>  [<c103af45>] ? __do_softirq+0x85/0x110
>  [<c1040054>] ? update_process_times+0x54/0x70
>  [<c103affd>] ? do_softirq+0x2d/0x40
>  [<c103b15d>] ? irq_exit+0x2d/0x40
>  [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
>  [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
>  [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
>  [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
>  [<c10917dd>] ? vma_adjust+0xfd/0x470
>  [<c1091c3a>] ? __split_vma+0xea/0x140
>  [<c1091fbf>] ? split_vma+0x2f/0x40
>  [<c1093596>] ? mprotect_fixup+0x306/0x360
>  [<c109376e>] ? sys_mprotect+0x17e/0x220
>  [<c14924b5>] ? syscall_call+0x7/0xb
> Thanks,
> Dennis

> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 

David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com

More information about the Users mailing list