[strongSwan] HA kernel patch and CONFIG_XFRM_OFFLOAD

Jean-Daniel jddupas at xooloo.com
Sun May 27 10:16:33 CEST 2018


I’m trying to set up an HA strongswan cluster. I encounter an issue. I’m trying to use the last Ubuntu LTS (18.04) with kernel 4.15.x.

I managed to rebuild it with the 4.15.7 HA patch, but this kernel panics very often. I think the issue is because the Ubuntu kernel enables CONFIG_XFRM_OFFLOAD by default.

In the strongswan kernel branch, the commit "xfrm: Add XFRM replay failover function to increment outgoing sequence numbers" adds a failover function to struct xfrm_replay, but this field is populated only when CONFIG_XFRM_OFFLOAD is disabled ( https://git.strongswan.org/?p=linux-dumm.git;a=commitdiff;h=411c1f9e1b566f316bdc33c79ad32aa0950ac963 ). As this field is not properly set up, each time the code tries to call the failover function, it results in a null pointer access and a kernel panic.

So my question is: what is the proper way to fix this?
Was the CONFIG_XFRM_OFFLOAD missing failover an oversight, so that I can safely populate the failover field in xfrm_replay.c,
or is it intentional because using CONFIG_XFRM_OFFLOAD introduces some known incompatibility with the HA patch?
