strongSwan

Hello Tobias,
thx for the fast response :-)
The Router with 64 bit Linux has no Problems.
The Roadwarriorlaptop has kernelpanic with 3.0 and 3.1 32 Bit Kernel, with a 64 BIt Kernel everything works fine.
if i use a 2.6 32 BIt kernel i got a general protectionfault on the Laptop.
these symptoms are reproducible with both testet versions of strongswan (4.5.2 and 4.6.1)

best regards
Heinz

The Roadwarriorlaptop has kernelpanic with 3.0 and 3.1 32 Bit Kernel, with a 64 BIt Kernel everything works fine.
if i use a 2.6 32 BIt kernel i got a general protectionfault on the Laptop.

So your laptop basically crashes if you use a 32-bit kernel (whatever version). Do you have some more details on the crashes? What is logged in the system logs prior/during the crashes?

these symptoms are reproducible with both testet versions of strongswan (4.5.2 and 4.6.1)

I'm still not convinced that this is actually a strongSwan issue. As I already mentioned, strongSwan works in userland and once the tunnel is up the kernel is responsible for the tunnel traffic.
So perhaps you should ask in one of the kernel mailing lists.

Hi Heinz,

I probably ran into the same problem today. In my case it was a 2.6.38 x86 kernel on fairly new hardware. Trying to transmit user data resulted in a kernel panic (general protection fault).
The culprit turned out to be the aesni_intel module. Preventing this module from getting loaded (i.e. blacklisting it in /etc/modprobe.d/) resolved the issue. Using any algorithm other than AES should work around the issue too.

This bug has recently been reported on the linux-crypto mailing list by someone. But no response so far.

Regards,
Tobias

Hi.
That problem actually still for kernel 3.3 with OpenSuse 12.1.
Versions:

localhost:~ # uname -a
Linux localhost 3.3.0-0-default #1 SMP Fri Mar 30 15:21:05 FET 2012 (028c29f) i686 i686 i386 GNU/Linux

localhost:~ # lsmod|egrep aes
aesni_intel 18236 0
cryptd 15725 1 aesni_intel
aes_i586 16956 1 aesni_intel
localhost:~ # rpm -qa|egrep wan
strongswan-libs0-4.5.3-5.4.1.i586
strongswan-ikev2-4.5.3-5.4.1.i586
strongswan-doc-4.5.3-5.4.1.i586
strongswan-4.5.3-5.4.1.i586
strongswan-nm-4.5.3-5.4.1.i586
strongswan-sqlite-4.5.3-5.4.1.i586
strongswan-mysql-4.5.3-5.4.1.i586
strongswan-ipsec-4.5.3-5.4.1.i586
strongswan-ikev1-4.5.3-5.4.1.i586
localhost:~ #

If I try to ping peer after connection, then my PC gets "Kernal panic" and makes reboot (as after sysrq).

But if I add - blacklist aesni_intel, then I see:

localhost:~ # /etc/init.d/ipsec start
localhost:~ # lsmod|egrep crypt
cryptd 15725 1 serpent_sse2_i586
crypto_null 12782 0
localhost:~ #

I don't see aes modules ...
ping is working, But whether work ipsec?????

Hi. Seem I found a relative answer:
From: http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.3

Date: Wed May 30 01:43:08 2012 +0200

crypto: aesni-intel - fix unaligned cbc decrypt for x86-32

commit 7c8d51848a88aafdb68f42b6b650c83485ea2f84 upstream.

The 32 bit variant of cbc(aes) decrypt is using instructions requiring
    128 bit aligned memory locations but fails to ensure this constraint in
    the code. Fix this by loading the data into intermediate registers with
    load unaligned instructions.

This fixes reported general protection faults related to aesni.

References: https://bugzilla.kernel.org/show_bug.cgi?id=43223
    Reported-by: Daniel <garkein@mailueberfall.de>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Possibly, strongswan don't makes encryp with kernel before version 3.4 ...?