0002926: Update from 2.3 to 2.4 breaks IPSec (Part 2)

Notes
(0004278) aender (reporter) 2010-05-27 18:51	Looks like a kernel OOPS May 27 20:49:46 efw pluto[17434]: loading secrets from "/etc/ipsec/ipsec.secrets" May 27 20:49:46 efw ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T May 27 20:49:46 efw kernel: [ 2255.700260] BUG: unable to handle kernel paging request at 65776f70 May 27 20:49:46 efw kernel: [ 2255.700533] IP: [<c04c85fe>] selinux_socket_sock_rcv_skb+0x18/0x32f May 27 20:49:46 efw kernel: [ 2255.700757] *pde = 00000000 May 27 20:49:46 efw kernel: [ 2255.700967] Oops: 0000 [0000135] SMP May 27 20:49:46 efw kernel: [ 2255.701225] Modules linked in: sg raid1 dock libata scsi_mod ata_piix sr_mod capi button jbd cdrom ata_generic pcspkr uhci_hcd libphy ext3 mii pata_acpi ehci_hcd i2c_core fan i2c_i801 r8169 capifs iptable_filter tg3 sd_mod usb_storage dm_mod nf_conntrack_ftp nf_conntrack_amanda nf_conntrack_ipv4 kernelcapi x_tables nf_nat ip_tables iptable_nat nf_conntrack ts_kmp nf_nat_amanda nf_nat_h323 nf_nat_ftp xt_tcpudp nf_conntrack_irc nf_nat_irc nf_nat_tftp nf_conntrack_h323 nf_conntrack_tftp nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp nf_nat_sip nf_conntrack_netbios_ns nf_conntrack_sip nf_nat_snmp_basic llc stp garp iptable_mangle ebtables 8021q ebtable_filter ebtable_nat ipt_REJECT bridge xt_state xt_TCPMSS xt_MARK xt_physdev ebt_mark_m xt_limit xt_mark xt_iprange tun xt_connmark xt_CONNMARK crypto_blkcipher aes_generic des_generic aes_i586 xt_hashlimit twofish cbc sha512_generic xcbc sha256_generic ecb blowfish twofish_common aead ccm ipv6 serpent ocf(P) ipsec May 27 20:49:46 efw kernel: [ 2255.701253] May 27 20:49:46 efw kernel: [ 2255.701253] Pid: 17434, comm: pluto Tainted: P D (2.6.27.19-72.e22 0000001) May 27 20:49:46 efw kernel: [ 2255.701253] EIP: 0060:[<c04c85fe>] EFLAGS: 00010286 CPU: 1 May 27 20:49:46 efw kernel: [ 2255.701253] EIP is at selinux_socket_sock_rcv_skb+0x18/0x32f May 27 20:49:46 efw kernel: [ 2255.701253] EAX: 65776f70 EBX: f654a038 ECX: c06b8180 EDX: f658a840 May 27 20:49:46 efw kernel: [ 2255.701253] ESI: f658a840 EDI: f654a018 EBP: f658a840 ESP: f4f23b0c May 27 20:49:46 efw kernel: [ 2255.701253] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 May 27 20:49:46 efw kernel: [ 2255.701253] Process pluto (pid: 17434, ti=f4f23000 task=f71deb50 task.ti=f4f23000) May 27 20:49:46 efw kernel: [ 2255.701253] Stack: f654a018 00000001 f8c3aa5e f4f23d10 f4f23d10 f4f23d2c 00000018 00000282 May 27 20:49:46 efw kernel: [ 2255.701253] f8c3d17a 00000018 00000003 f4f23d2c 00000010 f8c3d17a f5441b08 00180000 May 27 20:49:46 efw kernel: [ 2255.701253] f4f23c48 f4f23ba4 00000000 f8c3cccb 00010000 35353200 3535322e 3535322e May 27 20:49:46 efw kernel: [ 2255.701253] Call Trace: May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3aa5e>] addrtoa+0x92/0xa8 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3d17a>] pfkey_address_build+0x24e/0x2e7 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3d17a>] pfkey_address_build+0x24e/0x2e7 [ipsec] May 27 20:49:46 efw ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 245: 17434 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.124.0/24,%v4:!192.168.99.0/24,%v4:!10.254.1.0/24 May 27 20:49:46 efw pluto[17439]: pluto_crypto_helper: helper (0) is normal exiting May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3cccb>] pfkey_sa_build+0x8f/0x97 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c3379>] security_sock_rcv_skb+0xc/0xd May 27 20:49:46 efw kernel: [ 2255.701253] [<c0599a78>] sk_filter+0xc/0x6c May 27 20:49:46 efw kernel: [ 2255.701253] [<c0588eeb>] sock_queue_rcv_skb+0x26/0xb1 May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c340be>] pfkey_upmsgsk+0x12d/0x161 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c39145>] pfkey_x_addflow_parse+0x65b/0x71a [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<c0480068>] __pollwait+0x0/0xac May 27 20:49:46 efw kernel: [ 2255.701253] [<c041fded>] default_wake_function+0x0/0x8 May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c3a9c0>] ultoa+0xa8/0xb4 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<c041fded>] default_wake_function+0x0/0x8 May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c38267>] pfkey_alloc_eroute+0x3f/0xea [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c39acd>] pfkey_address_process+0x24b/0x48b [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c34f91>] pfkey_msg_interp+0x240/0x2bd [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<f8c34b2d>] pfkey_sendmsg+0x287/0x396 [ipsec] May 27 20:49:46 efw kernel: [ 2255.701253] [<c0585f8e>] sock_aio_write+0xdd/0xea May 27 20:49:46 efw kernel: [ 2255.701253] [<c0474dd4>] do_sync_write+0xbf/0x100 May 27 20:49:46 efw kernel: [ 2255.701253] [<c0434a60>] autoremove_wake_function+0x0/0x2d May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c97db>] selinux_file_permission+0xe6/0xfc May 27 20:49:46 efw kernel: [ 2255.701253] [<c04c2ed4>] security_file_permission+0xc/0xd May 27 20:49:46 efw kernel: [ 2255.701253] [<c047555e>] vfs_write+0x94/0x120 May 27 20:49:46 efw kernel: [ 2255.701253] [<c0475acd>] sys_write+0x40/0x8e May 27 20:49:46 efw kernel: [ 2255.701253] [<c0403a5e>] system_call_done+0x0/0x4 May 27 20:49:46 efw kernel: [ 2255.701253] [<c05f0000>] quirk_e100_interrupt+0x76/0x159 May 27 20:49:46 efw kernel: [ 2255.701253] ======================= May 27 20:49:46 efw kernel: [ 2255.701253] Code: 00 00 00 00 e8 45 8d fa ff 83 c4 14 89 d8 5b 5e 5f 5d c3 55 89 d5 57 56 53 83 ec 6c 89 04 24 8b 18 8b 80 40 01 00 00 66 83 fb 02 <8b> 00 89 44 24 04 74 19 31 ff 66 83 fb 0a 0f 85 f9 02 00 00 66 May 27 20:49:46 efw kernel: [ 2255.701253] EIP: [<c04c85fe>] selinux_socket_sock_rcv_skb+0x18/0x32f SS:ESP 0068:f4f23b0c May 27 20:49:46 efw kernel: [ 2255.723670] ---[ end trace cdf975f694efb29a ]--- May 27 20:49:46 efw ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused) May 27 20:49:46 efw ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11) May 27 20:49:46 efw ipsec__plutorun: restarting IPsec after pause... May 27 20:49:50 efw sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ipsec auto --status May 27 20:49:55 efw kernel: [ 2264.498018] ipsec0: no IPv6 routers present

(0004279) aender (reporter) 2010-05-27 19:05	RESOLVED !? Delete the IPSec Tunnel Create new Tunnel with the same settings Reboot Firewall WORKS AT THE MOMENT !?

(0004280) christian-endian (administrator) 2010-05-27 19:32	I will split this bug in order to be able to process both issues accordingly. Notes referring to the first part of the bug will be removed here... They can be found in bug 0002927.

(0004281) christian-endian (administrator) 2010-05-27 19:36 edited on: 2010-05-27 19:36	Are you using certificates in your setup? We had similar issues with openswan 2.6.25 which is why we had to go back to choose version 2.6.24 which solved all the issues (being it roadwarrior-, net-to-net-, certificate-based or psk connections) in our test environment... Please keep us updated here - thank you!

(0004282) aender (reporter) 2010-05-27 19:40	No certificates and net-to-net cat /var/efw/vpn/config 2,on,vpntunnel,,net,psk,passphrase,,,x.x.x.0/24,,y.y.y.y,z.z.z.0/24,on,off,off,off,1,1,3des,md5,1024,3des,md5,,off,,UPLINK:main,restart,on root@efw:~ # old tunnel with problems was 2,on,vpntunnel,,net,psk,passphrase,,,x.x.x..0/24,,y.y.y.y,z.z.z.0/24,on,off,off,off,1,1,3des,md5,1024,3des,md5,modp1024,off,,UPLINK:main,restart,on root@efw:~ #

(0004285) aender (reporter) 2010-05-27 19:53	also RED instead of UPLINK:main

(0005656) lorenzo-endian (manager) 2011-02-10 09:34	Hi aender! did the problem still exist? Thanks in advance! Lo

(0005660) aender (reporter) 2011-02-10 10:29	Don´t know because we use ipsec no longer

(0005697) lorenzo-endian (manager) 2011-02-15 10:23	Hi aender, I have done some upgrading tests with IPsec up and running and none of these upgrades lead to this error, so for us the problem has been fixed. Thanks a lot for reporting this problem! Lo

Issue History
Date Modified	Username	Field	Change
2010-05-27 18:23	aender	New Issue
2010-05-27 18:37	aender	Note Added: 0004277
2010-05-27 18:51	aender	Note Added: 0004278
2010-05-27 19:05	aender	Note Added: 0004279
2010-05-27 19:28	christian-endian	Issue cloned: 0002927
2010-05-27 19:30	christian-endian	Note Deleted: 0004277
2010-05-27 19:32	christian-endian	Note Added: 0004280
2010-05-27 19:32	christian-endian	Status	new => acknowledged
2010-05-27 19:33	christian-endian	Summary	Update from 2.3 to 2.4 breaks IPSec => Update from 2.3 to 2.4 breaks IPSec (Part 2)
2010-05-27 19:33	christian-endian	Description Updated
2010-05-27 19:36	christian-endian	Note Added: 0004281
2010-05-27 19:36	christian-endian	Note Edited: 0004281
2010-05-27 19:40	aender	Note Added: 0004282
2010-05-27 19:53	aender	Note Added: 0004285
2010-05-27 20:11	christian-endian	Status	acknowledged => feedback
2011-02-10 09:33	lorenzo-endian	Customer Occurencies	=> 0
2011-02-10 09:33	lorenzo-endian	Assigned To	=> lorenzo-endian
2011-02-10 09:34	lorenzo-endian	Note Added: 0005656
2011-02-10 10:29	aender	Note Added: 0005660
2011-02-15 10:23	lorenzo-endian	Note Added: 0005697
2011-02-15 10:23	lorenzo-endian	Status	feedback => closed
2011-02-15 10:23	lorenzo-endian	Resolution	open => fixed
2011-02-15 10:23	lorenzo-endian	Fixed in Version	=> 2.4.1

Relationships

Please see now our new Bugtracker system: JIRA