[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Tue Mar 30 09:49:56 EDT 2010


Hi David,

No problem. As I have said in my previous email I got the compile working.
There is just a little error in the kernel patch which prevented the compile.
I was able to fix it manually since the patch was only adding one extra line
in a Makefile. The KLIPS options are not available unless the kernel is
patched and I got a little stuck after the patching but it is resolved now
fortunately.
Unfortunately I noticed I had a lot of outdated packages on my system so I am
building a whole new system now which will take the rest of the day. But
tomorrow I should be ready to test the ipsec module and see if the changes you
gave me will keep the system going.
I will keep you updated on my progress.


Dennis

-----Original Message-----
From: David McCullough [mailto:david_mccullough at mcafee.com] 
Sent: Tuesday, 30 March 2010 15:35
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash


Jivin Dennis van der Meer lays it down ...
> Hi David,
> 
> Thanks for your quick reply. Unfortunately applying the kernel patch
> seems a little bit more trouble than I thought. There are two errors when
> applying the patch and there is a critical error when compiling the
> kernel (2.6.33).
> All errors are included below. I have solved the kernel compile error by
> changing the net/Makefile manually. It seems the offset probably changed
> between kernel versions. The last patch error is because of the first one?
> I will test the rest as soon as possible. I will first need to tweak my
> kernel again.

I am (unfortunately) not an expert on how you should build openswan
on a distro.  I didn't think it was done with patching.  Perhaps someone
else can comment (paul).

Hopefully someone else knows either the right way to build OSW2.6.25
or a fix for what you are seeing below.  If not I'll try and have a look
at it soon,

Cheers,
Davidm

> 
> make kernelpatch2.6 | tee /usr/src/linux/openswan.patch | (cd /usr/src/linux && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
> patching file README.openswan-2
> patching file include/des/des_locl.h
> patching file include/des/des_ver.h
> patching file include/des/podd.h
> patching file include/des/sk.h
> patching file include/des/spr.h
> patching file include/klips-crypto/aes.h
> patching file include/klips-crypto/aes_cbc.h
> patching file include/klips-crypto/aes_xcbc_mac.h
> patching file include/klips-crypto/cbc_generic.h
> patching file include/klips-crypto/des.h
> patching file include/openswan.h
> patching file include/openswan/ipcomp.h
> patching file include/openswan/ipsec_ah.h
> patching file include/openswan/ipsec_alg.h
> patching file include/openswan/ipsec_alg_3des.h
> patching file include/openswan/ipsec_auth.h
> patching file include/openswan/ipsec_encap.h
> patching file include/openswan/ipsec_eroute.h
> patching file include/openswan/ipsec_errs.h
> patching file include/openswan/ipsec_esp.h
> patching file include/openswan/ipsec_ipcomp.h
> patching file include/openswan/ipsec_ipe4.h
> patching file include/openswan/ipsec_ipip.h
> patching file include/openswan/ipsec_kern24.h
> patching file include/openswan/ipsec_kversion.h
> patching file include/openswan/ipsec_life.h
> patching file include/openswan/ipsec_mast.h
> patching file include/openswan/ipsec_md5h.h
> patching file include/openswan/ipsec_param.h
> patching file include/openswan/ipsec_param2.h
> patching file include/openswan/ipsec_policy.h
> patching file include/openswan/ipsec_proto.h
> patching file include/openswan/ipsec_radij.h
> patching file include/openswan/ipsec_rcv.h
> patching file include/openswan/ipsec_sa.h
> patching file include/openswan/ipsec_sha1.h
> patching file include/openswan/ipsec_stats.h
> patching file include/openswan/ipsec_sysctl.h
> patching file include/openswan/ipsec_tunnel.h
> patching file include/openswan/ipsec_xform.h
> patching file include/openswan/ipsec_xmit.h
> patching file include/openswan/mast.h
> patching file include/openswan/passert.h
> patching file include/openswan/pfkey.h
> patching file include/openswan/pfkey_debug.h
> patching file include/openswan/pfkeyv2.h
> patching file include/openswan/radij.h
> patching file include/zlib/zconf.h
> patching file include/zlib/zlib.h
> patching file include/zlib/zutil.h
> patching file net/Kconfig
> Hunk #1 succeeded at 278 (offset 63 lines).
> patching file net/Makefile
> Hunk #1 FAILED at 42.
> 1 out of 1 hunk FAILED -- saving rejects to file net/Makefile.rej
> patching file net/ipsec/Kconfig
> patching file net/ipsec/Makefile
> patching file net/ipsec/README-zlib
> patching file net/ipsec/README-zlib.freeswan
> patching file net/ipsec/addrtoa.c
> patching file net/ipsec/addrtot.c
> patching file net/ipsec/addrtypeof.c
> patching file net/ipsec/adler32.c
> patching file net/ipsec/aes/Makefile
> patching file net/ipsec/aes/aes-i586.S
> patching file net/ipsec/aes/aes.c
> patching file net/ipsec/aes/aes_cbc.c
> patching file net/ipsec/aes/aes_xcbc_mac.c
> patching file net/ipsec/aes/ipsec_alg_aes.c
> patching file net/ipsec/alg/Config.alg_aes.in
> patching file net/ipsec/alg/Config.alg_cryptoapi.in
> patching file net/ipsec/alg/Config.in
> patching file net/ipsec/alg/Makefile.alg_aes
> patching file net/ipsec/alg/Makefile.alg_cryptoapi
> patching file net/ipsec/alg/ipsec_alg_cryptoapi.c
> patching file net/ipsec/alg/scripts/mk-static_init.c.sh
> patching file net/ipsec/anyaddr.c
> patching file net/ipsec/datatot.c
> patching file net/ipsec/defconfig
> patching file net/ipsec/deflate.c
> patching file net/ipsec/deflate.h
> patching file net/ipsec/des/COPYRIGHT
> patching file net/ipsec/des/INSTALL
> patching file net/ipsec/des/Makefile
> patching file net/ipsec/des/README
> patching file net/ipsec/des/README.freeswan
> patching file net/ipsec/des/VERSION
> patching file net/ipsec/des/asm/des-586.pl
> patching file net/ipsec/des/asm/des686.pl
> patching file net/ipsec/des/asm/desboth.pl
> patching file net/ipsec/des/asm/readme
> patching file net/ipsec/des/cbc_enc.c
> patching file net/ipsec/des/des.doc
> patching file net/ipsec/des/des_enc.c
> patching file net/ipsec/des/des_opts.c
> patching file net/ipsec/des/dx86unix.S
> patching file net/ipsec/des/ecb_enc.c
> patching file net/ipsec/des/ipsec_alg_3des.c
> patching file net/ipsec/des/set_key.c
> patching file net/ipsec/goodmask.c
> patching file net/ipsec/infblock.c
> patching file net/ipsec/infblock.h
> patching file net/ipsec/infcodes.c
> patching file net/ipsec/infcodes.h
> patching file net/ipsec/inffast.c
> patching file net/ipsec/inffast.h
> patching file net/ipsec/inffixed.h
> patching file net/ipsec/inflate.c
> patching file net/ipsec/inftrees.c
> patching file net/ipsec/inftrees.h
> patching file net/ipsec/infutil.c
> patching file net/ipsec/infutil.h
> patching file net/ipsec/initaddr.c
> patching file net/ipsec/ipcomp.c
> patching file net/ipsec/ipsec_ah.c
> patching file net/ipsec/ipsec_alg.c
> patching file net/ipsec/ipsec_alg_cryptoapi.c
> patching file net/ipsec/ipsec_esp.c
> patching file net/ipsec/ipsec_init.c
> patching file net/ipsec/ipsec_ipcomp.c
> patching file net/ipsec/ipsec_ipip.c
> patching file net/ipsec/ipsec_kern24.c
> patching file net/ipsec/ipsec_life.c
> patching file net/ipsec/ipsec_mast.c
> patching file net/ipsec/ipsec_md5c.c
> patching file net/ipsec/ipsec_ocf.c
> patching file net/ipsec/ipsec_ocf.h
> patching file net/ipsec/ipsec_proc.c
> patching file net/ipsec/ipsec_radij.c
> patching file net/ipsec/ipsec_rcv.c
> patching file net/ipsec/ipsec_sa.c
> patching file net/ipsec/ipsec_sha1.c
> patching file net/ipsec/ipsec_snprintf.c
> patching file net/ipsec/ipsec_tunnel.c
> patching file net/ipsec/ipsec_xform.c
> patching file net/ipsec/ipsec_xmit.c
> patching file net/ipsec/match586.S
> patching file net/ipsec/match686.S
> patching file net/ipsec/pfkey_v2.c
> patching file net/ipsec/pfkey_v2_build.c
> patching file net/ipsec/pfkey_v2_debug.c
> patching file net/ipsec/pfkey_v2_ext_bits.c
> patching file net/ipsec/pfkey_v2_ext_process.c
> patching file net/ipsec/pfkey_v2_parse.c
> patching file net/ipsec/pfkey_v2_parser.c
> patching file net/ipsec/prng.c
> patching file net/ipsec/radij.c
> patching file net/ipsec/rangetoa.c
> patching file net/ipsec/satot.c
> patching file net/ipsec/subnetof.c
> patching file net/ipsec/subnettoa.c
> patching file net/ipsec/sysctl_net_ipsec.c
> patching file net/ipsec/trees.c
> patching file net/ipsec/trees.h
> patching file net/ipsec/ultoa.c
> patching file net/ipsec/ultot.c
> patching file net/ipsec/version.c
> patching file net/ipsec/zutil.c
> patching file net/ipv4/af_inet.c
> Hunk #1 succeeded at 1627 with fuzz 2 (offset 458 lines).
> patching file net/ipsec/Makefile.ver
> make: *** [applypatch] Error 1
> 
> And for the kernel compilation error:
> 
> scripts/kconfig/conf -s arch/x86/Kconfig
>   CHK     include/linux/version.h
>   CHK     include/generated/utsrelease.h
>   CALL    scripts/checksyscalls.sh
>   CHK     include/generated/compile.h
>   CC      crypto/sha256_generic.o
>   CC      crypto/sha512_generic.o
>   LD      crypto/built-in.o
>   CC      net/ipv4/af_inet.o
>   LD      net/ipv4/built-in.o
>   LD      net/built-in.o
>   LD      vmlinux.o
>   MODPOST vmlinux.o
>   GEN     .version
>   CHK     include/generated/compile.h
>   UPD     include/generated/compile.h
>   CC      init/version.o
>   LD      init/built-in.o
>   LD      .tmp_vmlinux1
> Net/built-in.o: In function 'inet_init';
> af_inet.c:(.init.text+0x1f81): undefined reference to 'ipsec_klips_init'
> make: *** [.tmp_vmlinux1] Error 1
> 
> -----Original Message-----
> From: David McCullough [mailto:david_mccullough at mcafee.com] 
> Sent: Tuesday, 30 March 2010 6:27
> To: Dennis van der Meer
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
> 
> 
> Jivin Dennis van der Meer lays it down ...
> > Hi,
> > 
> > Last week I have been trying to see if I can get a stable version of
> > KLIPS working but I seem to crash my entire server whenever I try this.
> > I've been able to crash my VMWare test system but also a production
> > server that is not using VMWare.
> > 
> > As soon as I try to make a connection using ipsec from another location
> > the whole system crashes. I was able to change the number of screen lines
> > to 60 so I could see a little bit more (see partial info below). Maybe
> > someone can help me track down the problem. So far I have tried a recent
> > GIT build, 2 different kernel versions and the latest official openswan
> > version; all have the same problems with the crash.
> 
> 
> We have been seeing problems with the builtin crypto for openswan.  I
> haven't had a chance to look at it yet but the workaround is fairly simple.
> We just switch to using the kernel crypto API and not the openswan included
> versions of des etc.
> 
> Setup for kernel .config as follows (or similar depending on kernel version):
> 
> 	CONFIG_KLIPS=y
> 	#
> 	# KLIPS options
> 	#
> 	CONFIG_KLIPS_ESP=y
> 	# CONFIG_KLIPS_AH is not set
> 	CONFIG_KLIPS_AUTH_HMAC_MD5=y
> 	CONFIG_KLIPS_AUTH_HMAC_SHA1=y
> 	CONFIG_KLIPS_ALG=y
> 	CONFIG_KLIPS_ENC_CRYPTOAPI=y
> 	# CONFIG_KLIPS_ENC_1DES is not set
> 	# CONFIG_KLIPS_ENC_3DES is not set
> 	# CONFIG_KLIPS_ENC_AES is not set
> 	CONFIG_KLIPS_IPCOMP=y
> 	# CONFIG_KLIPS_OCF is not set
> 	CONFIG_KLIPS_DEBUG=y
> 	CONFIG_KLIPS_IF_MAX=4
> 
> 	CONFIG_CRYPTO=y
> 	#
> 	# Crypto core or helper
> 	#
> 	CONFIG_CRYPTO_ALGAPI=y
> 	CONFIG_CRYPTO_ALGAPI2=y
> 	CONFIG_CRYPTO_AEAD2=y
> 	CONFIG_CRYPTO_BLKCIPHER=y
> 	CONFIG_CRYPTO_BLKCIPHER2=y
> 	CONFIG_CRYPTO_HASH=y
> 	CONFIG_CRYPTO_HASH2=y
> 	CONFIG_CRYPTO_RNG2=y
> 	CONFIG_CRYPTO_PCOMP=y
> 	CONFIG_CRYPTO_MANAGER=y
> 	CONFIG_CRYPTO_MANAGER2=y
> 	CONFIG_CRYPTO_WORKQUEUE=y
> 	CONFIG_CRYPTO_CBC=y
> 	CONFIG_CRYPTO_ECB=y
> 	CONFIG_CRYPTO_HMAC=y
> 	CONFIG_CRYPTO_MD5=y
> 	CONFIG_CRYPTO_SHA1=y
> 	CONFIG_CRYPTO_SHA256=y
> 	CONFIG_CRYPTO_SHA512=y
> 	CONFIG_CRYPTO_AES=y
> 	CONFIG_CRYPTO_ARC4=y
> 	CONFIG_CRYPTO_DES=y
> 
> That should see you working I think,
> 
> Cheers,
> Davidm
> 	
> 
> > Partial crash info:
> > 
> > Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f a3 e0 0d 1f
> >  a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b 04 57 56 57
> >  56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> > EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP 0068:de775af0
> > CR2: 000000006a5a85a4
> > ---[ end trace 33b374d09a6bcf21 ]---
> > Kernel panic - not syncing: Fatal exception in interrupt
> > Pid: 2043, comm.: sh Tainted: G     D    2.6.33 #4
> > Call Trace:
> >  [<c148fd84>] ? printk+0x18/0x1a
> >  [<c148fcb2>] panic+0x43/0xfd
> >  [<c100d3c3>] oops_end+0x83/0x90
> >  [<c101f4be>] no_context+0xbe/0x160
> >  [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
> >  [<c104efd2>] ? sched_clock_local+0xd2/0x170
> >  [<c1031423>] ? task_tick_fair+0x33/0x110
> >  [<c103108b>] ? scheduler_tick+0xeb/0x150
> >  [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
> >  [<c101fadc>] do_page_fault+0x25c/0x300
> >  [<c10559e5>] ? tick_periodic+0x25/0x70
> >  [<c1055a49>] ? tick_handle_periodic+0x19/0x90
> >  [<c101f880>] ? do_page_fault+0x0/0x300
> >  [<c1492ace>] error_code+0x66/0x6c
> >  [<c101f880>] ? do_page_fault+0x0/0x300
> >  [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
> >  [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
> >  [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
> >  [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
> >  [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
> >  [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
> >  [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
> >  [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
> >  [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
> >  [<c140671f>] ? ip_local_deliver+0x8f/0xa0
> >  [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
> >  [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
> >  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >  [<c14063b5>] ? ip_rcv+0x235/0x290
> >  [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >  [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
> >  [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
> >  [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
> >  [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
> >  [<c10053ca>] ? handle_irq+0x1a/0x30
> >  [<c13afd2d>] ? net_rx_action+0x7d/0x100
> >  [<c103af45>] ? __do_softirq+0x85/0x110
> >  [<c1040054>] ? update_process_times+0x54/0x70
> >  [<c103affd>] ? do_softirq+0x2d/0x40
> >  [<c103b15d>] ? irq_exit+0x2d/0x40
> >  [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
> >  [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
> >  [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
> >  [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
> >  [<c10917dd>] ? vma_adjust+0xfd/0x470
> >  [<c1091c3a>] ? __split_vma+0xea/0x140
> >  [<c1091fbf>] ? split_vma+0x2f/0x40
> >  [<c1093596>] ? mprotect_fixup+0x306/0x360
> >  [<c109376e>] ? sys_mprotect+0x17e/0x220
> >  [<c14924b5>] ? syscall_call+0x7/0xb
> > 
> > Thanks,
> > 
> > Dennis
> > 
> 
> 
> 
> -- 
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com
> http://www.uCdot.org
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com
http://www.uCdot.org
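
The .config workaround quoted above (kernel CryptoAPI on, KLIPS built-in ciphers off) can be checked mechanically before booting a rebuilt kernel. The script below is an added example, not code from the thread or from Openswan; the option names come from the quoted list, while treating this subset as mandatory and accepting =m as well as =y are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for the
# "kernel crypto API instead of KLIPS built-in ciphers" workaround.

# Option names are taken from the list quoted in the thread. Treating this
# subset as mandatory, and accepting =m as well as =y, are assumptions.
REQUIRED="CONFIG_KLIPS CONFIG_KLIPS_ESP CONFIG_KLIPS_ALG CONFIG_KLIPS_ENC_CRYPTOAPI
CONFIG_CRYPTO CONFIG_CRYPTO_CBC CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MD5
CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES"
BUILTIN="CONFIG_KLIPS_ENC_1DES CONFIG_KLIPS_ENC_3DES CONFIG_KLIPS_ENC_AES"

# True if option $1 is =y or =m in the config text held in $kcfg.
# "# CONFIG_X is not set" lines and absent options both count as off.
cfg_enabled() {
    printf '%s\n' "$kcfg" | grep -Eq "^$1=(y|m)\$"
}

# Read a .config on stdin, print one finding per line, return 0 only if clean.
klips_cryptoapi_check() {
    kcfg=$(cat)
    findings=0
    for opt in $REQUIRED; do
        cfg_enabled "$opt" || { echo "MISSING $opt"; findings=$((findings + 1)); }
    done
    for opt in $BUILTIN; do
        if cfg_enabled "$opt"; then
            echo "BUILTIN $opt"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: an abridged .config with the workaround applied.
sample_workaround_config() {
    cat <<'EOF'
CONFIG_KLIPS=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_CRYPTOAPI=y
# CONFIG_KLIPS_ENC_1DES is not set
# CONFIG_KLIPS_ENC_3DES is not set
# CONFIG_KLIPS_ENC_AES is not set
CONFIG_CRYPTO=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_AES=y
EOF
}

# Demo on the constructed sample.
if sample_workaround_config | klips_cryptoapi_check; then
    echo "sample: built-in KLIPS ciphers off, CryptoAPI path on"
fi
```

On a real tree the check reads the config from standard input, for example `klips_cryptoapi_check < /usr/src/linux/.config`; a BUILTIN finding means the cipher code seen in the crash trace would still be compiled in.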

