0002926: Update from 2.3 to 2.4 breaks IPSec (Part 2) - MantisBT Endian Bugtracker
Endian Issue Tracker

ID: 0002926
Project: Endian Firewall
Category: VPN - IPSec
View Status: public
Date Submitted: 2010-05-27 18:23
Last Update: 2011-02-15 10:23
Reporter: aender
Assigned To: lorenzo-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.4
Target Version:
Fixed in Version: 2.4.1
Summary: 0002926: Update from 2.3 to 2.4 breaks IPSec (Part 2)
Description: IPsec's pluto seems to crash under certain circumstances.
Tags: No tags attached.
Attached Files:

- Relationships

-  Notes
(0004278)
aender (reporter)
2010-05-27 18:51

Looks like a kernel OOPS

May 27 20:49:46 efw pluto[17434]: loading secrets from "/etc/ipsec/ipsec.secrets"
May 27 20:49:46 efw ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
May 27 20:49:46 efw kernel: [ 2255.700260] BUG: unable to handle kernel paging request at 65776f70
May 27 20:49:46 efw kernel: [ 2255.700533] IP: [<c04c85fe>] selinux_socket_sock_rcv_skb+0x18/0x32f
May 27 20:49:46 efw kernel: [ 2255.700757] *pde = 00000000
May 27 20:49:46 efw kernel: [ 2255.700967] Oops: 0000 [0000135] SMP
May 27 20:49:46 efw kernel: [ 2255.701225] Modules linked in: sg raid1 dock libata scsi_mod ata_piix sr_mod capi button jbd cdrom ata_generic pcspkr uhci_hcd libphy ext3 mii pata_acpi ehci_hcd i2c_core fan i2c_i801 r8169 capifs iptable_filter tg3 sd_mod usb_storage dm_mod nf_conntrack_ftp nf_conntrack_amanda nf_conntrack_ipv4 kernelcapi x_tables nf_nat ip_tables iptable_nat nf_conntrack ts_kmp nf_nat_amanda nf_nat_h323 nf_nat_ftp xt_tcpudp nf_conntrack_irc nf_nat_irc nf_nat_tftp nf_conntrack_h323 nf_conntrack_tftp nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp nf_nat_sip nf_conntrack_netbios_ns nf_conntrack_sip nf_nat_snmp_basic llc stp garp iptable_mangle ebtables 8021q ebtable_filter ebtable_nat ipt_REJECT bridge xt_state xt_TCPMSS xt_MARK xt_physdev ebt_mark_m xt_limit xt_mark xt_iprange tun xt_connmark xt_CONNMARK crypto_blkcipher aes_generic des_generic aes_i586 xt_hashlimit twofish cbc sha512_generic xcbc sha256_generic ecb blowfish twofish_common aead ccm ipv6 serpent ocf(P) ipsec
May 27 20:49:46 efw kernel: [ 2255.701253]
May 27 20:49:46 efw kernel: [ 2255.701253] Pid: 17434, comm: pluto Tainted: P D (2.6.27.19-72.e22 0000001)
May 27 20:49:46 efw kernel: [ 2255.701253] EIP: 0060:[<c04c85fe>] EFLAGS: 00010286 CPU: 1
May 27 20:49:46 efw kernel: [ 2255.701253] EIP is at selinux_socket_sock_rcv_skb+0x18/0x32f
May 27 20:49:46 efw kernel: [ 2255.701253] EAX: 65776f70 EBX: f654a038 ECX: c06b8180 EDX: f658a840
May 27 20:49:46 efw kernel: [ 2255.701253] ESI: f658a840 EDI: f654a018 EBP: f658a840 ESP: f4f23b0c
May 27 20:49:46 efw kernel: [ 2255.701253] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
May 27 20:49:46 efw kernel: [ 2255.701253] Process pluto (pid: 17434, ti=f4f23000 task=f71deb50 task.ti=f4f23000)
May 27 20:49:46 efw kernel: [ 2255.701253] Stack: f654a018 00000001 f8c3aa5e f4f23d10 f4f23d10 f4f23d2c 00000018 00000282
May 27 20:49:46 efw kernel: [ 2255.701253] f8c3d17a 00000018 00000003 f4f23d2c 00000010 f8c3d17a f5441b08 00180000
May 27 20:49:46 efw kernel: [ 2255.701253] f4f23c48 f4f23ba4 00000000 f8c3cccb 00010000 35353200 3535322e 3535322e
May 27 20:49:46 efw kernel: [ 2255.701253] Call Trace:
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3aa5e>] addrtoa+0x92/0xa8 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3d17a>] pfkey_address_build+0x24e/0x2e7 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3d17a>] pfkey_address_build+0x24e/0x2e7 [ipsec]
May 27 20:49:46 efw ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 245: 17434 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.124.0/24,%v4:!192.168.99.0/24,%v4:!10.254.1.0/24
May 27 20:49:46 efw pluto[17439]: pluto_crypto_helper: helper (0) is normal exiting
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3cccb>] pfkey_sa_build+0x8f/0x97 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c3379>] security_sock_rcv_skb+0xc/0xd
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0599a78>] sk_filter+0xc/0x6c
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0588eeb>] sock_queue_rcv_skb+0x26/0xb1
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c340be>] pfkey_upmsgsk+0x12d/0x161 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c39145>] pfkey_x_addflow_parse+0x65b/0x71a [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0480068>] __pollwait+0x0/0xac
May 27 20:49:46 efw kernel: [ 2255.701253] [<c041fded>] default_wake_function+0x0/0x8
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3a9c0>] ultoa+0xa8/0xb4 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c041fded>] default_wake_function+0x0/0x8
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c38267>] pfkey_alloc_eroute+0x3f/0xea [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c39acd>] pfkey_address_process+0x24b/0x48b [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c34f91>] pfkey_msg_interp+0x240/0x2bd [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c34b2d>] pfkey_sendmsg+0x287/0x396 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0585f8e>] sock_aio_write+0xdd/0xea
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0474dd4>] do_sync_write+0xbf/0x100
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0434a60>] autoremove_wake_function+0x0/0x2d
May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c97db>] selinux_file_permission+0xe6/0xfc
May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c2ed4>] security_file_permission+0xc/0xd
May 27 20:49:46 efw kernel: [ 2255.701253] [<c047555e>] vfs_write+0x94/0x120
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0475acd>] sys_write+0x40/0x8e
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0403a5e>] system_call_done+0x0/0x4
May 27 20:49:46 efw kernel: [ 2255.701253] [<c05f0000>] quirk_e100_interrupt+0x76/0x159
May 27 20:49:46 efw kernel: [ 2255.701253] =======================
May 27 20:49:46 efw kernel: [ 2255.701253] Code: 00 00 00 00 e8 45 8d fa ff 83 c4 14 89 d8 5b 5e 5f 5d c3 55 89 d5 57 56 53 83 ec 6c 89 04 24 8b 18 8b 80 40 01 00 00 66 83 fb 02 <8b> 00 89 44 24 04 74 19 31 ff 66 83 fb 0a 0f 85 f9 02 00 00 66
May 27 20:49:46 efw kernel: [ 2255.701253] EIP: [<c04c85fe>] selinux_socket_sock_rcv_skb+0x18/0x32f SS:ESP 0068:f4f23b0c
May 27 20:49:46 efw kernel: [ 2255.723670] ---[ end trace cdf975f694efb29a ]---
May 27 20:49:46 efw ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
May 27 20:49:46 efw ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
May 27 20:49:46 efw ipsec__plutorun: restarting IPsec after pause...
May 27 20:49:50 efw sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ipsec auto --status
May 27 20:49:55 efw kernel: [ 2264.498018] ipsec0: no IPv6 routers present
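
A triage sketch for an oops like the one in the note above, added here as an example and not part of the original note or of Endian's tooling: it extracts the faulting address and function, decodes the taint flags, groups call-trace frames by owning module, and checks whether the faulting address is printable ASCII when read as little-endian bytes. The function names, the `SAMPLE` excerpt (eight lines copied from the log above) and the two-entry taint table are assumptions of this example.

```python
import re

# Constructed sample: eight lines copied from the oops log in the note above.
SAMPLE = """\
May 27 20:49:46 efw kernel: [ 2255.700260] BUG: unable to handle kernel paging request at 65776f70
May 27 20:49:46 efw kernel: [ 2255.700533] IP: [<c04c85fe>] selinux_socket_sock_rcv_skb+0x18/0x32f
May 27 20:49:46 efw kernel: [ 2255.701253] Pid: 17434, comm: pluto Tainted: P D (2.6.27.19-72.e22 0000001)
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3aa5e>] addrtoa+0x92/0xa8 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3d17a>] pfkey_address_build+0x24e/0x2e7 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c3379>] security_sock_rcv_skb+0xc/0xd
May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c34b2d>] pfkey_sendmsg+0x287/0x396 [ipsec]
May 27 20:49:46 efw kernel: [ 2255.701253] [<c0475acd>] sys_write+0x40/0x8e
"""

FAULT = re.compile(r"unable to handle kernel .*? at ([0-9a-f]+)")
IP = re.compile(r"\bIP: \[<[0-9a-f]+>\] (\w+)\+0x")
TASK = re.compile(r"comm: (\S+) Tainted: ([A-Z ]+?) +\(")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
# Only the two taint flags that occur in this log; unknown flags pass through as-is.
TAINT = {"P": "proprietary module loaded", "D": "kernel died recently (oops or BUG)"}

def ascii_le(addr_hex):
    """Text a 32-bit address spells as little-endian bytes, or None if not all printable."""
    raw = bytes.fromhex(addr_hex.zfill(8))[::-1]
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage(log):
    # Heuristic: a fault address that reads as text suggests string data where a pointer belongs.
    r = {"fault_addr": None, "addr_ascii": None, "fault_fn": None,
         "comm": None, "taint": [], "frames": {}}
    for line in log.splitlines():
        if m := FAULT.search(line):
            r["fault_addr"] = m.group(1)
            r["addr_ascii"] = ascii_le(m.group(1))
        elif m := IP.search(line):
            r["fault_fn"] = m.group(1)
        elif m := TASK.search(line):
            r["comm"] = m.group(1)
            r["taint"] = [TAINT.get(flag, flag) for flag in m.group(2).split()]
        elif m := FRAME.search(line):
            owner = m.group(2) or "core kernel"  # frames without [module] are built-in
            r["frames"].setdefault(owner, []).append(m.group(1))
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
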
(0004279)
aender (reporter)
2010-05-27 19:05

RESOLVED !?

Delete the IPSec Tunnel
Create new Tunnel with the same settings
Reboot Firewall

WORKS AT THE MOMENT !?
(0004280)
christian-endian (administrator)
2010-05-27 19:32

I will split this bug in order to be able to process both issues accordingly. Notes referring to the first part of the bug will be removed here... They can be found in bug 0002927.
(0004281)
christian-endian (administrator)
2010-05-27 19:36
edited on: 2010-05-27 19:36

Are you using certificates in your setup?

We had similar issues with openswan 2.6.25, which is why we had to go back and choose version 2.6.24, which solved all the issues (be it roadwarrior, net-to-net, certificate-based or PSK connections) in our test environment...

Please keep us updated here - thank you!

(0004282)
aender (reporter)
2010-05-27 19:40

No certificates and net-to-net

cat /var/efw/vpn/config
2,on,vpntunnel,,net,psk,passphrase,,,x.x.x.0/24,,y.y.y.y,z.z.z.0/24,on,off,off,off,1,1,3des,md5,1024,3des,md5,,off,,UPLINK:main,restart,on
root@efw:~ #

old tunnel with problems was

2,on,vpntunnel,,net,psk,passphrase,,,x.x.x..0/24,,y.y.y.y,z.z.z.0/24,on,off,off,off,1,1,3des,md5,1024,3des,md5,modp1024,off,,UPLINK:main,restart,on
root@efw:~ #
(0004285)
aender (reporter)
2010-05-27 19:53

also RED instead of UPLINK:main
(0005656)
lorenzo-endian (manager)
2011-02-10 09:34

Hi aender!

Does the problem still exist?

Thanks in advance!

Lo
(0005660)
aender (reporter)
2011-02-10 10:29

Don't know because we use ipsec no longer
(0005697)
lorenzo-endian (manager)
2011-02-15 10:23

Hi aender,

I have done some upgrading tests with IPsec up and running and none of these upgrades led to this error, so for us the problem has been fixed.

Thanks a lot for reporting this problem!

Lo

- Issue History
Date Modified Username Field Change
2010-05-27 18:23 aender New Issue
2010-05-27 18:37 aender Note Added: 0004277
2010-05-27 18:51 aender Note Added: 0004278
2010-05-27 19:05 aender Note Added: 0004279
2010-05-27 19:28 christian-endian Issue cloned: 0002927
2010-05-27 19:30 christian-endian Note Deleted: 0004277
2010-05-27 19:32 christian-endian Note Added: 0004280
2010-05-27 19:32 christian-endian Status new => acknowledged
2010-05-27 19:33 christian-endian Summary Update from 2.3 to 2.4 breaks IPSec => Update from 2.3 to 2.4 breaks IPSec (Part 2)
2010-05-27 19:33 christian-endian Description Updated
2010-05-27 19:36 christian-endian Note Added: 0004281
2010-05-27 19:36 christian-endian Note Edited: 0004281
2010-05-27 19:40 aender Note Added: 0004282
2010-05-27 19:53 aender Note Added: 0004285
2010-05-27 20:11 christian-endian Status acknowledged => feedback
2011-02-10 09:33 lorenzo-endian Customer Occurencies => 0
2011-02-10 09:33 lorenzo-endian Assigned To => lorenzo-endian
2011-02-10 09:34 lorenzo-endian Note Added: 0005656
2011-02-10 10:29 aender Note Added: 0005660
2011-02-15 10:23 lorenzo-endian Note Added: 0005697
2011-02-15 10:23 lorenzo-endian Status feedback => closed
2011-02-15 10:23 lorenzo-endian Resolution open => fixed
2011-02-15 10:23 lorenzo-endian Fixed in Version => 2.4.1
