2004-01-19 10:49:02

by Valentijn Sessink

Subject: hard crash in IPsec

Hello list,

2.6.0/IPsec crashes, fully reproducible. Verified with 2.6.1.

Details of the crash are on a couple of jpg's,
http://valentijn.sessink.nl/fotoalbum/2004-01-14%20afscheidscollege%20Frits/img_0017.jpg
and img_0018.jpg

IPsec config on the crashing machine:

add $ip1 $ip2 esp 0x202 -m tunnel -E 3des-cbc $passwd1
-A hmac-md5 $passwd2;
add $ip2 $ip1 esp 0x302 -m tunnel -E 3des-cbc $passwd3
-A hmac-md5 $passwd4;
spdadd net/24 work/24 any -P out ipsec esp/tunnel/$ip1-$ip2/require;
spdadd net/24 work/24 any -P out ipsec esp/tunnel/$ip2-$ip1/require;

Note the wrong config, where the second spdadd has an "out" instead of the
correct "in". The other end has correct configuration.

tcpdumping the network now says:
15:07:07.335105 $ip1 > $ip2: ESP(spi=0x00000202,seq=0x1) (DF)
15:07:07.365947 $ip2 > $ip1: ESP(spi=0x00000302,seq=0x5)
15:07:07.365947 truncated-ip - 16 bytes missing!$ip2 > 69.0.0.84:
$ip1 > 69.0.0.84: (frag 13828:4294967256@29112) [tos 0x4c] (ipip)
15:07:08.331514 $ip1 > $ip2: ESP(spi=0x00000202,seq=0x2) (DF)
15:07:08.361917 $ip2 > $ip1: ESP(spi=0x00000302,seq=0x6)
15:07:08.361917 truncated-ip - 16 bytes missing!$ip2 > 69.0.0.84:
$ip1 > 69.0.0.84: (frag 13828:4294967256@29096) [tos 0x4e,ECT] (ipip)
15:07:09.330341 $ip1 > $ip2: ESP(spi=0x00000202,seq=0x3) (DF)
15:07:09.362973 $ip2 > $ip1: ESP(spi=0x00000302,seq=0x7)
15:07:09.362973 truncated-ip - 16 bytes missing!$ip2 > 69.0.0.84:
$ip1 > 69.0.0.84: (frag 13828:4294967256@29080) [tos 0x50] (ipip)
15:07:10.331186 $ip1 > $ip2: ESP(spi=0x00000202,seq=0x4) (DF)

Once the setup was corrected, everything was fine (no crashes).

This is Debian GNU/Linux 3.0, kernel compiled with GCC 2.95.4, a 32Mb Cyrix
6x86MX machine.

Best regards,

Valentijn
--
http://www.openoffice.nl/ Open Office - Linux Office Solutions
Valentijn Sessink [email protected]
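
A pre-load check for the misconfiguration reported above, as an added example that is not part of the original post or of any project's code: it parses setkey spdadd statements and flags a tunnel whose two endpoint orders both carry the same -P direction. The names lint_spd and parse_policies are hypothetical, BROKEN repeats the policy lines from the report, and FIXED is constructed by changing only the second direction to "in" as the report describes.

```python
import re

# One setkey "spdadd" tunnel policy: selectors, direction, tunnel endpoints.
SPDADD = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+ipsec\s+"
    r"(?P<proto>esp|ah)/tunnel/(?P<tsrc>[^-/\s]+)-(?P<tdst>[^-/\s]+)"
    r"/(?P<level>\w+)\s*;"
)

def parse_policies(text):
    """Return one dict per spdadd tunnel policy found in a setkey script."""
    return [m.groupdict() for m in SPDADD.finditer(text)]

def lint_spd(text):
    """Flag direction mistakes of the kind reported in this thread."""
    findings = []
    policies = parse_policies(text)
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            # Same tunnel seen from both ends: endpoints are swapped.
            swapped = (a["tsrc"], a["tdst"]) == (b["tdst"], b["tsrc"])
            if swapped and a["dir"] == b["dir"]:
                findings.append(
                    "tunnel %s<->%s: both endpoint orders use -P %s"
                    % (a["tsrc"], a["tdst"], a["dir"]))
    dirs = {p["dir"] for p in policies}
    if "out" in dirs and "in" not in dirs:
        findings.append("outbound tunnel policy without any -P in policy")
    return findings

# Policy lines as posted in the report (shell variables left unexpanded).
BROKEN = """
spdadd net/24 work/24 any -P out ipsec esp/tunnel/$ip1-$ip2/require;
spdadd net/24 work/24 any -P out ipsec esp/tunnel/$ip2-$ip1/require;
"""

# Constructed: only the second direction changed, per the report's note.
FIXED = """
spdadd net/24 work/24 any -P out ipsec esp/tunnel/$ip1-$ip2/require;
spdadd net/24 work/24 any -P in ipsec esp/tunnel/$ip2-$ip1/require;
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_spd(cfg) or "ok")
```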


2004-01-19 13:37:06

by James Morris

Subject: Re: hard crash in IPsec

On Mon, 19 Jan 2004, Valentijn Sessink wrote:

> 2.6.0/IPsec crashes, fully reproducible. Verified with 2.6.1.

Could you please verify if this still happens with Netfilter and SELinux
disabled at compile time?


- James
--
James Morris
<[email protected]>


2004-01-19 14:27:01

by James Morris

Subject: Re: hard crash in IPsec

On Mon, 19 Jan 2004, Valentijn Sessink wrote:

> Please note that the config file that causes the crash is wrong, so a
> documentation item that says "the Linux kernel is programmed to commit
> suicide on brain dead IPsec configurations" will do ;-)

No, it still shouldn't crash.


- James
--
James Morris
<[email protected]>


2004-01-19 14:23:42

by Valentijn Sessink

Subject: Re: hard crash in IPsec

Hello James,

At Mon, Jan 19, 2004 at 08:36:57AM -0500, James Morris wrote:
> > 2.6.0/IPsec crashes, fully reproducible. Verified with 2.6.1.
> Could you please verify if this still happens with Netfilter and SELinux
> disabled at compile time?

It crashes as well, same "Fatal exception in interrupt" behaviour.

I disabled NETFILTER and recompiled (the config_security option was off in
the original setup already):
# CONFIG_NETFILTER is not set
# CONFIG_SECURITY is not set

Crash! I made a picture (sorry, no serial connection here) but unfortunately
the cable to my camera is at home, so if you need the information, you'll
have to wait. However, I guess the problem is easily reproducible. I posted
my .config file at http://valentijn.sessink.nl/temp/config-2.6.1-yangtse-isdn
(this being the config with netfilter, the one that's normally running).

The other end is running 2.6.1 as well, config is config-2.6.1-router

Please note that the config file that causes the crash is wrong, so a
documentation item that says "the Linux kernel is programmed to commit
suicide on brain dead IPsec configurations" will do ;-)

Best regards,

Valentijn
--
http://www.openoffice.nl/ Open Office - Linux Office Solutions
Valentijn Sessink [email protected]