[Swan-dev] KLIPS crashes after kernel update

Roel van Meer roel.vanmeer at bokxing-it.nl
Fri Nov 1 16:33:16 EET 2013

Thomas Geulig writes:

> after upgrading from kernel 3.4.65 to 3.4.66 I experienced
> crashes in the KLIPS function ipsec_xmit_ipip().
> I narrowed the problem down to an API change in the function
> ip_select_ident().
> Before:
> static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst,
>         struct sock *sk)
> After:
> static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry  
> *dst,
>         struct sock *sk)
> This function is referencd in linux/include/libreswan/ipsec_param2.h.
> After I changed the first parameter there, the crashes were gone.

Thomas, does your setup work with the 3.4.66 kernel?

I am seeing the problem that, while your fix makes my kernel not crash  
anymore, packets get an incorrect checksum so they are dropped at the other  

Verified as working ok:
kernel 3.4.65 w libreswan 3.6
kernel 3.4.62 w libreswan 3.3

Problems with:
kernel 3.4.67 w libreswan 3.3, 3.4, 3.5 or 3.6
kernel 3.10.17 w libreswan 3.6

At first I thought the problem was caused by my libreswan upgrade, but it  
turns out to be caused by the kernel update.
Symptoms are: tunnel comes up correctly, packets traverse the tunnel, but at  
the receiving end they are dropped by the kernel. A 'tcpdump -v' shows this:

14:46:02.361288 IP (tos 0x0, ttl 64, id 57076, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 3738 (->cc61)!) > ICMP echo request, id 10819, seq 6, length 64

This happens at the receiving end of the tunnel. The affected kernel version  
is at the transmitting end.

Best regards,


More information about the Swan-dev mailing list