Hello,

I have set up an OpenBSD 6.3 (amd64) firewall that I also use for a site-to-site VPN with iked to a remote firewall also using OpenBSD 6.3.
My iked.conf setup is quite lean and consists only of the following two IKEv2 policies:

ikev2 active esp from $local_ip to $remote_ip local $local_ip peer $remote_ip srcid $local_ip dstid $remote_ip

ikev2 active esp from $local_network to $remote_network local $local_ip peer $remote_ip srcid $local_ip dstid $remote_ip

The VPN works fine for low data traffic but as soon as I start a big transfer between the two sites the kernel panics when iked wants to rekey the SA. I can reproduce this on demand by using the iperf tool for example.

If I turn off SA rekeying by adding the "lifetime 0 bytes 0" parameters to my two IKEv2 policies then there are no kernel panics.

I managed to gather hopefully enough useful information from the kernel debugger which I have pasted below in this mail. The dmesg of the one firewall can be found here:

https://marc.info/?l=openbsd-misc&m=152391869413661&w=2

Note that the kernel also panics on the remote firewall from time to time. Don't hesitate to contact me back if additional information is required.

Best regards,
Mabi

show panic
----------
ddb{7}> show panic
kernel page fault
uvm_fault(0xffffffff81b292e8, 0x8, 0, 1) -> e
swcr_authcompute(ffff8000001bc460,ffffff03998e7748,0,1,16) at swcr_authcompute+0x2f
end trace frame: 0xffff80002231d230, count: 0

trace
-----
swcr_authcompute(ffff8000001bc460,ffffff03998e7748,0,1,16) at swcr_authcompute+0x2f
aesni_process(ffffff03998e7748) at aesni_process+0x124
crypto_invoke(ffffffff8141a3a0) at crypto_invoke+0xd0
taskq_thread(0) at taskq_thread+0x67
end trace frame: 0x0, count: -4

mach ddbcpu 0 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
x86_ipi_db(ffff80000013c000) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
_kernel_lock(ffff800000116680,ffffffff81aca6c0) at _kernel_lock+0x82
Xsoftclock() at Xsoftclock+0x1f
--- interrupt ---
end of kernel
end trace frame: 0x1388, count: -5
0x8:

mach ddbcpu 1 - trace
---------------------
x86_ipi_db(ffffffff813bc7a5) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
_kernel_lock(ffff8000222cb690,ffffff039edfa1b8) at _kernel_lock+0x89
sorwakeup(ffffff00d9c1f600) at sorwakeup+0x6a
udp_input(2,ffffffff8190bfb0,2,11) at udp_input+0xe60
ip_deliver(ffff8000222cb68c,ffff8000222cb690,ffff800000027040,ffff8000222cb6e0) at ip_deliver+0x1fe
ipintr() at ipintr+0x5a
if_netisr(ffffffff8141a3a0) at if_netisr+0x5a
taskq_thread(0) at taskq_thread+0x67
end trace frame: 0x0, count: -10

mach ddbcpu 2 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
ddb{2}> trace
x86_ipi_db(ffffffff813bc7a5) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22a
cpu_idle_cycle(0,0,ffff80002201aff0,ffffffff812a0c50,ffffffff812a0e75,ffffffff811f11f0) at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

mach ddbcpu 3 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
ddb{3}> trace
x86_ipi_db(ffff8000224cbb90) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
_kernel_lock(0,ffff8000223ad650) at _kernel_lock+0x89
end of kernel
end trace frame: 0x7f7ffffc3b00, count: -4

mach ddbcpu 4 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
ddb{4}> trace
x86_ipi_db(ffffffff813bc7a5) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22a
cpu_idle_cycle(0,0,ffff80002202cff0,ffffffff812a0c50,ffffffff812a0e75,ffffffff811f11f0) at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

mach ddbcpu 5 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
ddb{5}> trace
x86_ipi_db(ffff80002254d540) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
___mp_acquire_count(10,ffff80002254d640) at ___mp_acquire_count+0x62
mi_switch() at mi_switch+0x267
sleep_finish(ffff80002254d6d8,118) at sleep_finish+0x70
tsleep(40,ffff80002254d800,40,ffffff03a1446e08) at tsleep+0xc4
kqueue_scan(ffffff03a1446e00,ffff8000223ac258,ffff80002254db00,0,ffffff041aa36cb0,94b38bdd3e7f8351) at kqueue_scan+0x4f6
sys_kevent(480,ffff8000223ac258,0) at sys_kevent+0x2b2
syscall() at syscall+0x279
--- syscall (number 72) ---
end of kernel
end trace frame: 0x7f7ffffebda0, count: -10
0x2ea8e76cd2a:

mach ddbcpu 6 - trace
---------------------
Stopped at x86_ipi_db+0x5: popq %rbp
ddb{6}> trace
x86_ipi_db(ffff80002203eff0) at x86_ipi_db+0x5
x86_ipi_handler() at x86_ipi_handler+0x6a
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1f
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22a
cpu_idle_cycle(0,0,ffff80002203eff0,ffffffff812a0c50,ffffffff812a0e75,ffffffff811f11f0) at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

mach ddbcpu 7 - trace
---------------------
Stopped at swcr_authcompute+0x2f: movq 0x8(%rbx),%rdi
ddb{7}> trace
swcr_authcompute(ffff8000001bc460,ffffff03998e7748,0,1,16) at swcr_authcompute+0x2f
aesni_process(ffffff03998e7748) at aesni_process+0x124
crypto_invoke(ffffffff8141a3a0) at crypto_invoke+0xd0
taskq_thread(0) at taskq_thread+0x67
end trace frame: 0x0, count: -4

ps
--
   PID    TID  PPID   UID S      FLAGS  WAIT      COMMAND
 97558 445082 26343  1000 3       0x83  nanosleep vmstat
 31402  34021 77038   101 7   0x100010            iked
 32701 435773 77038   101 3   0x100090  kqread    iked
  6476 132716 77038   101 3   0x100090  kqread    iked
 77038 378902     1     0 3   0x100080  kqread    iked
 12844 430357 26343  1000 3   0x900483  kqread    tail
 25205 522733  6087    73 7   0x100090            syslogd
  6087 214440     1     0 3   0x100082  netio     syslogd
 26343 377897 80778  1000 3   0x10008b  pause     ksh
 80778  18392 31069  1000 3       0x90  select    sshd
 31069  58771 77073     0 3       0x92  poll      sshd
 47594 321953     1     0 3   0x100083  ttyin     ksh
 79935 449732     1     0 3   0x100083  ttyin     getty
 26053  65344     1     0 3   0x100083  ttyin     getty
 86966 440299     1     0 3   0x100083  ttyin     getty
 28836 176637     1     0 3   0x100083  ttyin     getty
 80124 489048     1     0 3   0x100083  ttyin     getty
 55249 279670     1     0 3   0x100098  poll      cron
 62353 221052     1    77 3   0x100090  poll      dhcrelay
 61731 125496     1    77 3   0x100090  poll      dhcrelay
 84986 117092     1    77 3   0x100090  poll      dhcrelay
 78332 443275     1     0 3       0x80  nanosleep snortsam
 38448 518271     1 32767 3       0x90  netcon    pfstatd
 18588 463302     1   556 3       0x90  select    nrpe
 36101 239331     1   760 3       0x90  select    snmpd
 29281 343527     1    99 3   0x100090  poll      sndiod
 80924 394589     1   110 3   0x100090  poll      sndiod
 89416 381426 92930    95 3   0x100092  kqread    smtpd
 72888 418274 92930   103 3   0x100092  kqread    smtpd
 74034 358253 92930    95 3   0x100092  kqread    smtpd
 65553 150798 92930    95 3   0x100092  kqread    smtpd
 82607 495067 92930    95 3   0x100092  kqread    smtpd
 33546 320655 92930    95 3   0x100092  kqread    smtpd
 92930 225036     1     0 3   0x100080  kqread    smtpd
 77073 436522     1     0 3       0x80  select    sshd
 54613  10336 51193    83 3   0x100092  poll      ntpd
 51193 478947 74216    83 3   0x100092  poll      ntpd
 74216 353557     1     0 3   0x100080  poll      ntpd
 52843 155282 81660    74 3   0x100092  bpf       pflogd
 81660  43569     1     0 3       0x80  netio     pflogd
 96095 330124 34792   115 3   0x100092  kqread    slaacd
 78165 511628 34792   115 3   0x100092  kqread    slaacd
 34792  96417     1     0 3       0x80  kqread    slaacd
 80323 137540     0     0 3    0x14200  pgzero    zerothread
 80047 414409     0     0 3    0x14200  aiodoned  aiodoned
   540 125258     0     0 3    0x14200  syncer    update
 36676  51938     0     0 3    0x14200  cleaner   cleaner
 74250 488832     0     0 3    0x14200  reaper    reaper
 17022 154410     0     0 3    0x14200  pgdaemon  pagedaemon
 44860 168974     0     0 3    0x14200  bored     srdis
*81234 481498     0     0 7    0x14200            crynlk
  6133 418023     0     0 3    0x14200  bored     crypto
 85591 462471     0     0 3    0x14200  usbtsk    usbtask
 63322  48505     0     0 3    0x14200  usbatsk   usbatsk
 85892 366582     0     0 3 0x40014200  acpi0     acpi0
 95234 292459     0     0 3 0x40014200            idle7
 82117 379587     0     0 7 0x40014200            idle6
 53674  63170     0     0 3 0x40014200            idle5
 74065 182834     0     0 7 0x40014200            idle4
 17191 291418     0     0 3 0x40014200            idle3
 43478 350490     0     0 7 0x40014200            idle2
 25077 218797     0     0 3 0x40014200            idle1
 63941 325056     0     0 3    0x14200  bored     sensors
 58186 354054     0     0 7    0x14200            softnet
 86451 361916     0     0 3    0x14200  bored     systqmp
 89906 177621     0     0 3    0x14200  bored     systq
 33978 144833     0     0 3 0x40014200  bored     softclock
 28280 448215     0     0 7 0x40014200            idle0
     1 264559     0     0 3       0x82  wait      init
     0      0    -1     0 3    0x10200  scheduler swapper
