Enabling IPSec panics stable/9 (runs OK on stable/8)
Attila Nagy
bra at fsn.hu
Wed Jan 4 15:17:44 UTC 2012
Hi,
On 01/04/12 15:51, VANHULLEBUS Yvan wrote:
I've just upgraded a 8-STABLE box to 9-STABLE (well, just few commits
before it has been tagged as STABLE), which runs from NFS (pxebooted).
It has some IPSec config in ipsec.conf, like this for several boxes:
add 172.28.16.4 172.16.248.2 ah 15704 -A hmac-md5 "asdfgh";
add 172.16.248.2 172.28.16.4 ah 24504 -A hmac-md5 "asdfgh";
add 172.28.16.4 172.16.248.2 esp 15705 -E blowfish-cbc "hgfdsa";
add 172.16.248.2 172.28.16.4 esp 24505 -E blowfish-cbc "hgfdsa";
spdadd 172.28.16.4 172.16.248.2 any -P out ipsec
esp/transport/172.28.16.4-172.16.248.2/default
ah/transport/172.28.16.4-172.16.248.2/default;
There is probably nothing related to the crash, but do you really use
static IPsec without IKE keying ????
Yes. :)
It runs on an intranet, but there's a need to encrypt traffic.
[....]
kgdb says:
(kgdb) bt
#0 doadump (textdump=1) at /data/usr/src/sys/kern/kern_shutdown.c:260
#1 0xffffffff80845705 in kern_reboot (howto=260)
at /data/usr/src/sys/kern/kern_shutdown.c:442
#2 0xffffffff80845bb1 in panic (fmt=Variable "fmt" is not available.
)
at /data/usr/src/sys/kern/kern_shutdown.c:607
#3 0xffffffff80b167a0 in trap_fatal (frame=0xc, eva=Variable "eva" is
not available.
)
at /data/usr/src/sys/amd64/amd64/trap.c:819
#4 0xffffffff80b16ae9 in trap_pfault (frame=0xffffff80002cd2a0,
usermode=0)
at /data/usr/src/sys/amd64/amd64/trap.c:735
#5 0xffffffff80b16faf in trap (frame=0xffffff80002cd2a0)
at /data/usr/src/sys/amd64/amd64/trap.c:474
#6 0xffffffff80b012ef in calltrap ()
at /data/usr/src/sys/amd64/amd64/exception.S:228
#7 0xffffffff809bf779 in ipsec_process_done (m=0xfffffe000c7c7a00,
isr=0xfffffe001bf54380) at
/data/usr/src/sys/netipsec/ipsec_output.c:170
Here seems to be the problem....
Can you do the following (in this order) in kgdb:
frame 7
p saidx
p *saidx
(kgdb) frame 7
#7 0xffffffff809bf779 in ipsec_process_done (m=0xfffffe000c7c7a00,
isr=0xfffffe001bf54380) at
/data/usr/src/sys/netipsec/ipsec_output.c:170
170 switch (saidx->dst.sa.sa_family) {
(kgdb) p saidx
No symbol "saidx" in current context.
The latest will probably generate an error, as (if you have the exact
same ipsec_output.c as I have from HEAD) saidx will probably have an
invalid adress.
I have the same as in HEAD.
[...]
8-STABLE runs fine with the same config.
Strange.... I'll review changes in IPsec stack which have been done in
STABLE/9 and not backported to STABLE/8.....
Oh, sorry, not quite an up-to-date 8-STABLE, it's from Sat May 21
22:05:26 CEST 2011 (csup'd some hours earlier).
Should I check with a more recent version? Does that help?
Thanks for helping.
More information about the freebsd-stable
mailing list