[strongSwan] Kernel crashes with AES-GCM

Richard Andrews richard.andrews at symstream.com
Mon Oct 1 11:02:57 CEST 2012


I hit a similar problem with aes-cbc on core i3 processors (2.6 series
kernel at the time).

You should be able to blacklist the kernel module if you want to
continue using your chosen cipher without HW acceleration. I ended up
having to do that.


On Thu, 2012-09-27 at 18:13 +0000, Robert Woodcock wrote:
> I can replicate this as well  - usually in 2-5 hours with 3.2.23 and 3.4.11,
> on 82571EB NICs and a E3-1270 CPU. I don't have a full call trace yet (need
> to set up a serial console first) but the last 25 lines of mine look pretty
> similar to yours.
> 
> I'm using tunnel mode, not transport, with aes128gcm16.
> 
> -----Original Message-----
> From: users-bounces+robert.woodcock=cobaltmortgage.com at lists.strongswan.org [mailto:users-bounces+robert.woodcock=cobaltmortgage.com at lists.strongswan.org] On Behalf Of Guru Shetty
> Sent: Thursday, September 27, 2012 9:59 AM
> To: users at lists.strongswan.org
> Subject: [strongSwan] Kernel crashes with AES-GCM
> 
> This probably is not a strongswan issue, as it is the Linux kernel
> that crashes. But, I felt the wider community may have seen this and
> have some opinions on how to avoid it.
> 
> My ipsec.conf summary is as follows:
> 
> esp=aes128gcm12-modp1024
> ike=aes-sha1-modp1024
> type=transport
> 
> When I use the hardware acceleration provided by Intel CPUs (by
> loading the aesni-intel kernel module), and run netperf tests in a
> loop on a 10G NIC, I see kernel crashes (I do get a very good
> throughput boost). I have seen this issue in Linux 3.2, 3.3, 3.4 and
> 3.5. It is very easy to reproduce in Linux 3.2 (This is the stock
> kernel that comes with Ubuntu 12.04).
> 
> Since Ubuntu 12.04 is a very popular distribution, I was surprised to
> see no prior bug reports on this front. This makes me wonder, whether
> there are other ways the wider community is making use of the hardware
> acceleration.
> 
> Any inputs are deeply appreciated.
> 
> For those of you interested, here is the actual kernel back traces.
> http://marc.info/?l=linux-crypto-vger&m=134852306202727&w=2
> 
> Thanks,
> Guru
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users





More information about the Users mailing list