
Fedora 9, IPSec, and 2.6.26 kernels...



Hey all,

        I just ran into this massive problem this weekend.  Several of
my Fedora 9 systems are linked by IPSec (OpenSWAN) tunnels across three
remote sites.  I recently updated the kernels on them (about a half a
dozen systems) to 2.6.26-45 and each and every system with IPsec
destabilized.  They would run for anywhere from a few minutes to a few
hours and then lock dead up.  No network.  Outside pings on IPv4 and
IPv6 all return "no route to host".  If they had X-Windows running,
no response to keyboard.  Mouse MIGHT work but would also shortly lock
up.  USB locked pretty solid.  No ability to log in.  No user space
activity.  Enabled Magic SysRq key and each machine could be rebooted
via Alt-SysRq S-U-B, so interrupts are functioning and the kernel is
responding to the keyboard on that level even if it's a USB keyboard.
Could not switch from X-Windows to a virtual console and ctrl-alt-del
had no effect.  Set sysctl kernel.panic = 5 with no effect so there
doesn't seem to be a kernel panic involved that I can't see on the consoles.

        Backed up to the last 2.6.25 kernel and they are all stable again.
All have now been running, once again, for over 24 hours.  I don't know
the status of any intervening 2.6.26 kernels.  The machines that
destabilized had not been rebooted on a 2.6.26 kernel before.  Other
systems with F9 2.6.26-45 kernels w/o IPSec seem stable.  Restarting
OpenSWAN a few times seems to be a pretty reliable way to lock the
system up with or without X Windows present.

        Anyone else seeing this?  Anyone with an idea what might be
going wrong?

        I have not, as yet, tried a non-Fedora kernel.  Some of my other
systems are running OpenVZ kernels (some with IPsec), currently sitting
at 2.6.24, and are stable.  I'll be trying the OpenVZ 2.6.26 kernel as
soon as it's released later this week.

        BTW...  OpenSWAN 2.6.14, in Fedora 9, is pretty well busted for
X.509 certificates (problems in connection identification for X.509).
Been debugging this with the OpenSWAN dudes for the last week or so and
finally got that resolved when I ran into this.  OpenSWAN 2.6.18 should
resolve the X.509 certificate issues and some rekeying issues.

        Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
