strongswan: ikev2 config working with 18.06.2 causes oops and reboot with 18.06.4

[shantikulkarni]

Maintainer: @stintel Environment: apm821xx / Meraki MX60 / Openwrt 18.06.4 r7808-ef686b7292

Description: My ikev2 ipsec config works on 18.0.2 but causes an oops and reboot on 18.0.4 with strongswan-full installed. I downgraded back to 18.0.2 to confirm it worked, and back to 18.0.4 to confirm it didn't.

/etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    uniqueids=never

conn %default
    keyexchange=ikev2
    compress=no
    dpdaction=restart
    dpddelay=300s
    forceencaps = yes
    fragmentation = accept
    left=75.146.aaa.bbb
    leftid=pluto.mydomain.org
    leftcert=pluto_VPN_server_cert.crt
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=192.168.24.0/21
    right=%any
    rightsourceip=%dhcp
    rightdns=192.168.29.253
    auto=add

conn kerouac
    rightauth=pubkey
    rightcert=kerouac_VPN_cert.crt
    rightid=kerouac-YtLXGtgqZ5@ls.mydomain.org

/etc/strongswan.d/charon/dhcp.conf

dhcp {

    # Always use the configured server address.
    # force_server_address = no

    # Derive user-defined MAC address from hash of IKE identity and send client
    # identity DHCP option.
    # identity_lease = no

    # Interface name the plugin uses for address allocation.
    # interface =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    # server = 255.255.255.255

    identity_lease = yes
    server = 192.168.29.253
}

logread -f via ssh, connection dropped at reboot

Sat Sep 21 03:31:18 2019 daemon.info : 09[NET] received packet: from 174.250.40.2[20877] to 75.146.aaa.bbb[500] (432 bytes)
Sat Sep 21 03:31:18 2019 daemon.info : 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sat Sep 21 03:31:18 2019 daemon.info : 09[IKE] 174.250.40.2 is initiating an IKE_SA
Sat Sep 21 03:31:18 2019 authpriv.info : 09[IKE] 174.250.40.2 is initiating an IKE_SA
Sat Sep 21 03:31:18 2019 daemon.info : 09[IKE] remote host is behind NAT
Sat Sep 21 03:31:18 2019 daemon.info : 09[IKE] sending cert request for "C=US, O=mydomain.org, CN=ls-mydomain-org ca certificate, E=namemaster@mydomain.org"
Sat Sep 21 03:31:18 2019 daemon.info : 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sat Sep 21 03:31:18 2019 daemon.info : 09[NET] sending packet: from 75.146.aaa.bbb[500] to 174.250.40.2[20877] (473 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 14[NET] received packet: from 174.250.40.2[20870] to 75.146.aaa.bbb[4500] (532 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 14[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Sat Sep 21 03:31:19 2019 daemon.info : 14[ENC] received fragment #1 of 5, waiting for complete IKE message
Sat Sep 21 03:31:19 2019 daemon.info : 15[NET] received packet: from 174.250.40.2[20870] to 75.146.aaa.bbb[4500] (532 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 15[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Sat Sep 21 03:31:19 2019 daemon.info : 15[ENC] received fragment #2 of 5, waiting for complete IKE message
Sat Sep 21 03:31:19 2019 daemon.info : 15[NET] received packet: from 174.250.40.2[20870] to 75.146.aaa.bbb[4500] (532 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 15[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Sat Sep 21 03:31:19 2019 daemon.info : 15[ENC] received fragment #3 of 5, waiting for complete IKE message
Sat Sep 21 03:31:19 2019 daemon.info : 07[NET] received packet: from 174.250.40.2[20870] to 75.146.aaa.bbb[4500] (532 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 07[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Sat Sep 21 03:31:19 2019 daemon.info : 07[ENC] received fragment #4 of 5, waiting for complete IKE message
Sat Sep 21 03:31:19 2019 daemon.info : 06[NET] received packet: from 174.250.40.2[20870] to 75.146.aaa.bbb[4500] (516 bytes)
Sat Sep 21 03:31:19 2019 daemon.info : 06[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Sat Sep 21 03:31:19 2019 daemon.info : 06[ENC] received fragment #5 of 5, reassembling fragmented IKE message
Sat Sep 21 03:31:19 2019 daemon.info : 06[ENC] unknown attribute type (25)
Sat Sep 21 03:31:19 2019 daemon.info : 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] received cert request for "C=US, O=mydomain.org, CN=ls-mydomain-org ca certificate, E=namemaster@mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] received end entity cert "O=mydomain.org, CN=kerouac_VPN_cert, E=kerouac-YtLXGtgqZ5@ls.mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] looking for peer configs matching 75.146.aaa.bbb[pluto.mydomain.org]...174.250.40.2[kerouac-YtLXGtgqZ5@ls.mydomain.org]
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] selected peer config 'kerouac'
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG]   using trusted ca certificate "C=US, O=mydomain.org, CN=ls-mydomain-org ca certificate, E=namemaster@mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] checking certificate status of "O=mydomain.org, CN=kerouac_VPN_cert, E=kerouac-YtLXGtgqZ5@ls.mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] certificate status is not available
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG]   reached self-signed root ca with a path length of 0
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG]   using trusted certificate "O=mydomain.org, CN=kerouac_VPN_cert, E=kerouac-YtLXGtgqZ5@ls.mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] authentication of 'kerouac-YtLXGtgqZ5@ls.mydomain.org' with RSA signature successful
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] peer supports MOBIKE
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] authentication of 'pluto.mydomain.org' (myself) with RSA signature successful
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] IKE_SA kerouac[1] established between 75.146.aaa.bbb[pluto.mydomain.org]...174.250.40.2[kerouac-YtLXGtgqZ5@ls.mydomain.org]
Sat Sep 21 03:31:19 2019 authpriv.info : 06[IKE] IKE_SA kerouac[1] established between 75.146.aaa.bbb[pluto.mydomain.org]...174.250.40.2[kerouac-YtLXGtgqZ5@ls.mydomain.org]
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] scheduling reauthentication in 9891s
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] maximum IKE_SA lifetime 10431s
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] sending end entity cert "O=mydomain.org, CN=pluto, E=namemaster@mydomain.org"
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] peer requested virtual IP %any
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] sending DHCP DISCOVER to 192.168.29.253
Sat Sep 21 03:31:19 2019 daemon.info : 14[CFG] received DHCP OFFER 192.168.29.157 from 192.168.29.253
Sat Sep 21 03:31:19 2019 daemon.info : 06[CFG] sending DHCP REQUEST for 192.168.29.157 to 192.168.29.253
Sat Sep 21 03:31:19 2019 daemon.info : 15[CFG] received DHCP ACK for 192.168.29.157
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] assigning virtual IP 192.168.29.157 to peer 'kerouac-YtLXGtgqZ5@ls.mydomain.org'
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] peer requested virtual IP %any6
Sat Sep 21 03:31:19 2019 daemon.info : 06[IKE] no virtual IP found for %any6 requested by 'kerouac-YtLXGtgqZ5@ls.mydomain.org'
packet_write_wait: Connection to 192.168.29.254 port 22: Broken pipe

/sys/kernel/debug/crashlog

Time: 1569036680.257516
Modules:    xt_recent@e1ece000+1c61 xt_policy@e1ec5000+880  xt_helper@e1ebf000+3c0  xt_esp@e1eb9000+320 xt_connmark@e1eb3000+4c0    xt_connlimit@e1eac000+1221  xt_connbytes@e1ea5000+6e0   ipt_ah@e1e9f000+2e0 ipcomp6@e1e99000+760    xfrm6_tunnel@e1e92000+940   xfrm6_mode_tunnel@e1e8b000+700  xfrm6_mode_transport@e1e85000+560   xfrm6_mode_beet@e1e7f000+5c0    esp6@e1e78000+1f60  ah6@e1e6e000+15a0   ipcomp@e1e66000+6c0 xfrm4_tunnel@e1e5f000+4c0   xfrm4_mode_tunnel@e1e59000+740  xfrm4_mode_transport@e1e53000+520   xfrm4_mode_beet@e1e4d000+640    esp4@e1e46000+2000  ah4@e1e3c000+1560   tunnel6@e1e34000+780    tunnel4@e1e2d000+8c0    af_key@e1e20000+6504    xfrm_user@e1e0d000+5840 xfrm_ipcomp@e1e02000+cc8    xfrm_algo@e1dfd000+da0  algif_skcipher@e1df6000+dc0 algif_hash@e1dee000+1200    af_alg@e1de4000+2a84    sha1_generic@e1dda000+840   md5@e1dd2000+1080   echainiv@e1dcb000+640   des_generic@e1dc1000+4220   cbc@e1db7000+940    authenc@e1db0000+fa0    ath9k@e1b5e000+17c34    ath9k_common@e1b36000+2ae0  pppoe@e1b2a000+2280 ppp_async@e1b20000+1e60 ath9k_hw@e1ac7000+53b20 ath@e1a64000+4820   pppox@e1a58000+550  ppp_generic@e1a4d000+5d6c   nf_conntrack_ipv6@e1a3e000+16e0 mac80211@e19c7000+66d80 iptable_nat@e193d000+340    ipt_REJECT@e1937000+440 ipt_MASQUERADE@e1931000+2c0 cfg80211@e18f0000+39ad0 xt_time@e18a1000+6c0    xt_tcpudp@e189b000+780  xt_state@e1895000+300   xt_nat@e188f000+540 xt_multiport@e1889000+4a0   xt_mark@e1883000+2c0    xt_mac@e187d000+260 xt_limit@e1877000+4a0   xt_conntrack@e1871000+960   xt_comment@e186a000+1e0xt_TCPMSS@e1864000+ba0   xt_REDIRECT@e185d000+2e0    xt_LOG@e1857000+320 xt_FLOWOFFLOAD@e1851000+c04 xt_CT@e184a000+ac0  spi_gpio@e1842000+1680  spi_bitbang@e183c000+a80    slhc@e1836000+1200  nf_reject_ipv4@e1831000+900 nf_nat_redirect@e182d000+440    nf_nat_masquerade_ipv4@e1829000+5e4 nf_conntrack_ipv4@e1822000+15c0 nf_nat_ipv4@e181a000+f20    nf_nat@e1811000+2860    nf_log_ipv4@e1807000+dc0    nf_flow_table_hw@e1800000+8c0   nf_flow_table@e17f6000+3500 nf_defrag_ipv6@e17eb000+14c0    nf_defrag_ipv4@e17e3000+4a0 nf_conntrack_rtcache@e17dd000+a80   nf_conntrack@e17c8000+ef40  iptable_mangle@e17ad000+3c0 iptable_filter@e17a7000+2c0 ip_tables@e179f000+2904 crc_ccitt@e1797000+3e0  compat@e1791000+240 ledtrig_usbport@e178b000+c04    ip6t_REJECT@e1784000+4a0    nf_reject_ipv6@e1780000+a60 nf_log_ipv6@e1778000+1040   nf_log_common@e1770000+a00  ip6table_mangle@e1769000+460    ip6table_filter@e1763000+2c0    ip6_tables@e175b000+2898    x_tables@e174f000+3424  usb_storage@e1282000+a560   leds_gpio@e1257000+cc0  dwc2@e123d000+13880 gpio_button_hotplug@e121e000+1c40   usbcore@e11f1000+2561c  nls_base@e11b9000+1360  usb_common@e11b4000+9e0
<14>[    4.699423] kmodloader: loading kernel modules from /etc/modules-boot.d/*
<6>[    4.747945] usbcore: registered new interface driver usbfs
<6>[    4.753492] usbcore: registered new interface driver hub
<6>[    4.758867] usbcore: registered new device driver usb
<6>[    4.871454] dwc2 4bff80000.usbotg: DWC OTG Controller
<6>[    4.876550] dwc2 4bff80000.usbotg: new USB bus registered, assigned bus number 1
<6>[    4.883964] dwc2 4bff80000.usbotg: irq 33, io mem 0x4bff80000
<6>[    4.890331] hub 1-0:1.0: USB hub found
<6>[    4.894262] hub 1-0:1.0: 1 port detected
<6>[    4.904337] usbcore: registered new interface driver usb-storage
<14>[    4.910809] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
<14>[    4.928325] init: - preinit -
<6>[    5.308810] eth0: link is up, 1000 FDX
<6>[    5.312954] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
<6>[    5.318830] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<5>[    5.334850] random: procd: uninitialized urandom read (4 bytes read)
<14>[    8.451232] mount_root: loading kmods from internal overlay
<14>[    8.468337] kmodloader: loading kernel modules from //etc/modules-boot.d/*
<14>[    8.475962] kmodloader: done loading kernel modules from //etc/modules-boot.d/*
<5>[    8.612496] UBIFS (ubi0:4): background thread "ubifs_bgt0_4" started, PID 488
<5>[    8.697858] UBIFS (ubi0:4): UBIFS: mounted UBI device 0, volume 4, name "rootfs_data"
<5>[    8.705688] UBIFS (ubi0:4): LEB size: 129024 bytes (126 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
<5>[    8.715570] UBIFS (ubi0:4): FS size: 1017096192 bytes (969 MiB, 7883 LEBs), journal size 33546240 bytes (31 MiB, 260 LEBs)
<5>[    8.726572] UBIFS (ubi0:4): reserved for root: 4952683 bytes (4836 KiB)
<5>[    8.733171] UBIFS (ubi0:4): media format: w4/r0 (latest is w5/r0), UUID F87626E3-19A7-4913-9977-671C31621BA9, small LPT model
<14>[    8.745202] block: attempting to load /tmp/ubifs_cfg/upper/etc/config/fstab
<11>[    8.752291] block: unable to load configuration (fstab: Entry not found)
<14>[    8.759042] block: attempting to load /tmp/ubifs_cfg/etc/config/fstab
<11>[    8.765560] block: unable to load configuration (fstab: Entry not found)
<14>[    8.772307] block: attempting to load /etc/config/fstab
<11>[    8.778696] block: unable to load configuration (fstab: Entry not found)
<11>[    8.785438] block: no usable configuration
<5>[    8.793473] UBIFS (ubi0:4): un-mount UBI device 0
<5>[    8.798179] UBIFS (ubi0:4): background thread "ubifs_bgt0_4" stops
<5>[    8.812584] UBIFS (ubi0:4): background thread "ubifs_bgt0_4" started, PID 490
<5>[    8.896806] UBIFS (ubi0:4): UBIFS: mounted UBI device 0, volume 4, name "rootfs_data"
<5>[    8.904646] UBIFS (ubi0:4): LEB size: 129024 bytes (126 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
<5>[    8.914525] UBIFS (ubi0:4): FS size: 1017096192 bytes (969 MiB, 7883 LEBs), journal size 33546240 bytes (31 MiB, 260 LEBs)
<5>[    8.925519] UBIFS (ubi0:4): reserved for root: 4952683 bytes (4836 KiB)
<5>[    8.932122] UBIFS (ubi0:4): media format: w4/r0 (latest is w5/r0), UUID F87626E3-19A7-4913-9977-671C31621BA9, small LPT model
<14>[    9.011886] block: attempting to load /tmp/ubifs_cfg/upper/etc/config/fstab
<11>[    9.018952] block: unable to load configuration (fstab: Entry not found)
<14>[    9.025697] block: attempting to load /tmp/ubifs_cfg/etc/config/fstab
<11>[    9.032225] block: unable to load configuration (fstab: Entry not found)
<14>[    9.038980] block: attempting to load /etc/config/fstab
<11>[    9.044276] block: unable to load configuration (fstab: Entry not found)
<11>[    9.051009] block: no usable configuration
<14>[    9.056151] mount_root: overlay filesystem has not been fully initialized yet
<14>[    9.064101] mount_root: switching to ubifs overlay
<12>[    9.186229] urandom-seed: Seed file not found (/etc/urandom.seed)
<14>[    9.231403] procd: - early -
<14>[    9.234381] procd: - watchdog -
<14>[    9.796913] procd: - watchdog -
<14>[    9.800260] procd: - ubus -
<5>[    9.855004] random: ubusd: uninitialized urandom read (4 bytes read)
<5>[    9.862085] random: ubusd: uninitialized urandom read (4 bytes read)
<5>[    9.868717] random: ubusd: uninitialized urandom read (4 bytes read)
<14>[    9.875720] procd: - init -
<14>[   10.104245] kmodloader: loading kernel modules from /etc/modules.d/*
<6>[   10.113982] ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>[   10.126917] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
<6>[   10.134924] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
<6>[   10.143515] ip_tables: (C) 2000-2006 Netfilter Core Team
<6>[   10.155205] nf_conntrack version 0.5.0 (8192 buckets, 32768 max)
<6>[   10.194953] xt_time: kernel timezone is -0000
<6>[   10.246327] PPP generic driver version 2.4.2
<6>[   10.252279] NET: Registered protocol family 24
<14>[   10.280451] kmodloader: done loading kernel modules from /etc/modules.d/*
<4>[   11.496993] urandom_read: 5 callbacks suppressed
<5>[   11.497000] random: jshn: uninitialized urandom read (4 bytes read)
<5>[   13.586464] ubi0: fixable bit-flip detected at PEB 1712
<5>[   13.591692] ubi0: schedule PEB 1712 for scrubbing
<5>[   13.629380] ubi0: fixable bit-flip detected at PEB 1712
<5>[   13.666792] ubi0: scrubbed PEB 1712 (LEB 3:14), data moved to PEB 1258
<6>[   17.232815] eth0: link is up, 1000 FDX
<6>[   17.252103] br-lan: port 1(eth0.1) entered blocking state
<6>[   17.257518] br-lan: port 1(eth0.1) entered disabled state
<6>[   17.263150] device eth0.1 entered promiscuous mode
<6>[   17.267943] device eth0 entered promiscuous mode
<6>[   17.350454] br-lan: port 1(eth0.1) entered blocking state
<6>[   17.355866] br-lan: port 1(eth0.1) entered forwarding state
<6>[   17.361571] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
<6>[   18.296117] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
<5>[   19.943417] random: fast init done
<5>[  196.671488] random: crng init done
<14>[  216.308312] kmodloader: loading kernel modules from /etc/modules.d/*
<6>[  216.335289] NET: Registered protocol family 38
<6>[  216.346364] Initializing XFRM netlink socket
<6>[  216.352914] NET: Registered protocol family 15
<14>[  216.383448] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.442308] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.451971] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.514636] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.524195] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.621405] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.631052] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.689773] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.699399] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.758309] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.767863] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.826732] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.836309] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.894693] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.904271] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  216.963367] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  216.972901] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.031880] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.041385] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.099636] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.109207] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.167953] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.177579] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.236412] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.246036] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.304246] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.313823] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.372236] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.381789] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.439541] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.449927] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.508039] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.517590] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.576202] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.585913] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.643636] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.653247] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.712402] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.722031] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.780930] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.790463] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.848324] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.857936] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.917045] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.926651] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  217.985681] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  217.995198] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  218.053369] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  218.062958] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  219.269483] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  219.303155] kmodloader: done loading kernel modules from /etc/modules.d/*
<14>[  222.939817] kmodloader: loading kernel modules from /etc/modules.d/*
<14>[  222.961012] kmodloader: done loading kernel modules from /etc/modules.d/*
<1>[ 3719.211530] Unable to handle kernel paging request for data at address 0x00000010
<1>[ 3719.219009] Faulting instruction address: 0xe1e46b48
<4>[ 3719.223966] Oops: Kernel access of bad area, sig: 11 [#1]
<4>[ 3719.229340] BE PowerPC 44x Platform
<4>[ 3719.232814] Modules linked in: xt_recent xt_policy xt_helper xt_esp xt_connmark xt_connlimit xt_connbytes ipt_ah ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_beet esp6 ah6 ipcomp xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm4_mode_beet esp4 ah4 tunnel6 tunnel4 af_key xfrm_user xfrm_ipcomp xfrm_algo algif_skcipher algif_hash af_alg sha1_generic md5 echainiv des_generic cbc authenc ath9k ath9k_common pppoe ppp_async ath9k_hw ath pppox ppp_generic nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD xt_CT spi_gpio spi_bitbang slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4
<4>[ 3719.303749]  nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat ledtrig_usbport ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables x_tables usb_storage leds_gpio dwc2 gpio_button_hotplug usbcore nls_base usb_common
<4>[ 3719.337011] CPU: 0 PID: 7601 Comm: charon Not tainted 4.14.131 #0
<4>[ 3719.343081] task: df43b840 task.stack: de9a0000
<4>[ 3719.347590] NIP:  e1e46b48 LR: e1e46b38 CTR: c045ca48
<4>[ 3719.352618] REGS: de9a1ad0 TRAP: 0300   Not tainted  (4.14.131)
<4>[ 3719.358509] MSR:  00029000 <CE,EE,ME>  CR: 44022284  XER: 20000000
<4>[ 3719.364670] DEAR: 00000010 ESR: 00000000 
<4>[ 3719.364670] GPR00: e1e46b38 de9a1b80 df43b840 e1dfd938 e1dfd728 de92f380 00000100 dea80088 
<4>[ 3719.364670] GPR08: 00000000 00000000 00000000 00000004 c045ca48 00000000 1051b1d0 00000001 
<4>[ 3719.364670] GPR16: 00000002 b67fe3dc 00000000 00000010 b67fe244 00000000 e1e47cb8 000000c8 
<4>[ 3719.364670] GPR24: c0595d80 00000100 dea80068 de92f380 dea80060 00000010 00000048 de9e8800 
<4>[ 3719.401916] Call Trace:
<4>[ 3719.404361] [de9a1b80] [e1e46b38] 0xe1e46b38 [esp4@e1e46000+0x2000] (unreliable)
<4>[ 3719.411727] [de9a1c30] [e1e478f8] 0xe1e478f8 [esp4@e1e46000+0x2000]
<4>[ 3719.417971] [de9a1c40] [c03e4848] 0xc03e4848
<4>[ 3719.422225] [de9a1c80] [e1e11a38] 0xe1e11a38 [xfrm_user@e1e0d000+0x5840]
<4>[ 3719.428903] [de9a1cd0] [e1e0e53c] 0xe1e0e53c [xfrm_user@e1e0d000+0x5840]
<4>[ 3719.435580] [de9a1d70] [c037493c] 0xc037493c
<4>[ 3719.439833] [de9a1db0] [e1e0da38] 0xe1e0da38 [xfrm_user@e1e0d000+0x5840]
<4>[ 3719.446509] [de9a1dc0] [c0374030] 0xc0374030
<4>[ 3719.450759] [de9a1e00] [c037454c] 0xc037454c
<4>[ 3719.455011] [de9a1e50] [c031c8dc] 0xc031c8dc
<4>[ 3719.459262] [de9a1e60] [c031eb50] 0xc031eb50
<4>[ 3719.463512] [de9a1f40] [c000d204] 0xc000d204
<4>[ 3719.467765] --- interrupt: c01 at 0xb7e4b894
<4>[ 3719.467765]     LR = 0xb7e1d19c
<4>[ 3719.475132] Instruction dump:
<4>[ 3719.478090] 80bb0040 38a50007 54a5e8fe 480010bd 38800000 7f63db78 833b0040 4bfb66f9 
<4>[ 3719.485820] 7c690034 5529d97e 0f090000 a0c3000e <80bd0000> 54c6e8fe 7f862840 41be0020 
<4>[ 3719.493720] ---[ end trace fdc37e0cb157e938 ]---

opkg list-installed | sort

base-files - 194.2-r7808-ef686b7292
block-mount - 2019-03-28-ff1ded63-5
busybox - 1.28.4-3
ca-bundle - 20190110-1
dnsmasq - 2.80-1.4
dropbear - 2017.75-7.1
firewall - 2018-08-13-1c4d5bcd-1
fstools - 2019-03-28-ff1ded63-5
fwtool - 1
hostapd-common - 2018-05-21-62566bc2-6
ip-tiny - 4.16.0-8
ip6tables - 1.6.2-1
iptables - 1.6.2-1
iptables-mod-ipsec - 1.6.2-1
iw - 4.14-1
iwinfo - 2018-07-31-65b8333f-1
jshn - 2018-07-25-c83a84af-2
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 4.14.131-1-463da4b41dee7069c6db4e9c6a606bae
kmod-ath - 4.14.131+2017-11-01-10
kmod-ath9k - 4.14.131+2017-11-01-10
kmod-ath9k-common - 4.14.131+2017-11-01-10
kmod-cfg80211 - 4.14.131+2017-11-01-10
kmod-crypto-acompress - 4.14.131-1
kmod-crypto-aead - 4.14.131-1
kmod-crypto-authenc - 4.14.131-1
kmod-crypto-cbc - 4.14.131-1
kmod-crypto-deflate - 4.14.131-1
kmod-crypto-des - 4.14.131-1
kmod-crypto-echainiv - 4.14.131-1
kmod-crypto-hash - 4.14.131-1
kmod-crypto-hmac - 4.14.131-1
kmod-crypto-iv - 4.14.131-1
kmod-crypto-manager - 4.14.131-1
kmod-crypto-md5 - 4.14.131-1
kmod-crypto-null - 4.14.131-1
kmod-crypto-pcompress - 4.14.131-1
kmod-crypto-rng - 4.14.131-1
kmod-crypto-sha1 - 4.14.131-1
kmod-crypto-sha256 - 4.14.131-1
kmod-crypto-user - 4.14.131-1
kmod-crypto-wq - 4.14.131-1
kmod-gpio-button-hotplug - 4.14.131-2
kmod-i2c-core - 4.14.131-1
kmod-ip6tables - 4.14.131-1
kmod-ipsec - 4.14.131-1
kmod-ipsec4 - 4.14.131-1
kmod-ipsec6 - 4.14.131-1
kmod-ipt-conntrack - 4.14.131-1
kmod-ipt-conntrack-extra - 4.14.131-1
kmod-ipt-core - 4.14.131-1
kmod-ipt-ipsec - 4.14.131-1
kmod-ipt-nat - 4.14.131-1
kmod-ipt-offload - 4.14.131-1
kmod-iptunnel4 - 4.14.131-1
kmod-iptunnel6 - 4.14.131-1
kmod-leds-gpio - 4.14.131-1
kmod-lib-crc-ccitt - 4.14.131-1
kmod-lib-zlib-deflate - 4.14.131-1
kmod-lib-zlib-inflate - 4.14.131-1
kmod-mac80211 - 4.14.131+2017-11-01-10
kmod-nf-conntrack - 4.14.131-1
kmod-nf-conntrack6 - 4.14.131-1
kmod-nf-flow - 4.14.131-1
kmod-nf-ipt - 4.14.131-1
kmod-nf-ipt6 - 4.14.131-1
kmod-nf-nat - 4.14.131-1
kmod-nf-reject - 4.14.131-1
kmod-nf-reject6 - 4.14.131-1
kmod-nls-base - 4.14.131-1
kmod-ppp - 4.14.131-1
kmod-pppoe - 4.14.131-1
kmod-pppox - 4.14.131-1
kmod-scsi-core - 4.14.131-1
kmod-slhc - 4.14.131-1
kmod-spi-bitbang - 4.14.131-1
kmod-spi-gpio - 4.14.131-1
kmod-usb-core - 4.14.131-1
kmod-usb-dwc2 - 4.14.131-1
kmod-usb-ledtrig-usbport - 4.14.131-1
kmod-usb-storage - 4.14.131-1
libatomic - 7.3.0-1
libblobmsg-json - 2018-07-25-c83a84af-2
libc - 1.1.19-1
libcurl - 7.60.0-4
libgcc - 7.3.0-1
libgcrypt - 1.6.6-2
libgmp - 6.1.2-1
libgpg-error - 1.12-1
libip4tc - 1.6.2-1
libip6tc - 1.6.2-1
libiwinfo - 2018-07-31-65b8333f-1
libiwinfo-lua - 2018-07-31-65b8333f-1
libjson-c - 0.12.1-2
libjson-script - 2018-07-25-c83a84af-2
liblua - 5.1.5-1
liblucihttp - 2019-06-05-91c01c3c-1
liblucihttp-lua - 2019-06-05-91c01c3c-1
libmariadbclient - 10.1.41-2
libmbedtls - 2.16.1-1
libmnl - 1.0.4-1
libnl-tiny - 0.1-5
libopenldap - 2.4.45-2
libopenssl - 1.0.2s-1
libpthread - 1.1.19-1
libsasl2 - 2.1.27-rc7-1
libsqlite3 - 3260000-4
libstdcpp - 7.3.0-1
libubox - 2018-07-25-c83a84af-2
libubus - 2018-10-06-221ce7e7-1
libubus-lua - 2018-10-06-221ce7e7-1
libuci - 2019-05-17-f199b961-1
libuclient - 2018-11-24-3ba74ebc-1
libxml2 - 2.9.9-1
libxtables - 1.6.2-1
logd - 2018-02-14-128bc35f-2
lua - 5.1.5-1
luci - git-19.170.32094-4d6d8bc-1
luci-app-firewall - git-19.170.32094-4d6d8bc-1
luci-base - git-19.170.32094-4d6d8bc-1
luci-lib-ip - git-19.170.32094-4d6d8bc-1
luci-lib-jsonc - git-19.170.32094-4d6d8bc-1
luci-lib-nixio - git-19.170.32094-4d6d8bc-1
luci-mod-admin-full - git-19.170.32094-4d6d8bc-1
luci-proto-ipv6 - git-19.170.32094-4d6d8bc-1
luci-proto-ppp - git-19.170.32094-4d6d8bc-1
luci-theme-bootstrap - git-19.170.32094-4d6d8bc-1
mtd - 23
netifd - 2019-01-31-a2aba5c7-2.1
odhcp6c - 2018-07-14-67ae6a71-15
odhcpd-ipv6only - 1.15-3
openwrt-keyring - 2018-05-18-103a32e9-1
opkg - 2019-01-18-7708a01a-1
ppp - 2.4.7-12
ppp-mod-pppoe - 2.4.7-12
procd - 2018-03-28-dfb68f85-1
rpcd - 2018-11-28-3aa81d0d-2
rpcd-mod-rrdns - 20170710
strongswan - 5.6.3-3
strongswan-charon - 5.6.3-3
strongswan-charon-cmd - 5.6.3-3
strongswan-full - 5.6.3-3
strongswan-ipsec - 5.6.3-3
strongswan-libtls - 5.6.3-3
strongswan-mod-addrblock - 5.6.3-3
strongswan-mod-aes - 5.6.3-3
strongswan-mod-af-alg - 5.6.3-3
strongswan-mod-agent - 5.6.3-3
strongswan-mod-attr - 5.6.3-3
strongswan-mod-attr-sql - 5.6.3-3
strongswan-mod-blowfish - 5.6.3-3
strongswan-mod-ccm - 5.6.3-3
strongswan-mod-cmac - 5.6.3-3
strongswan-mod-connmark - 5.6.3-3
strongswan-mod-constraints - 5.6.3-3
strongswan-mod-coupling - 5.6.3-3
strongswan-mod-ctr - 5.6.3-3
strongswan-mod-curl - 5.6.3-3
strongswan-mod-curve25519 - 5.6.3-3
strongswan-mod-des - 5.6.3-3
strongswan-mod-dhcp - 5.6.3-3
strongswan-mod-dnskey - 5.6.3-3
strongswan-mod-duplicheck - 5.6.3-3
strongswan-mod-eap-identity - 5.6.3-3
strongswan-mod-eap-md5 - 5.6.3-3
strongswan-mod-eap-mschapv2 - 5.6.3-3
strongswan-mod-eap-radius - 5.6.3-3
strongswan-mod-eap-tls - 5.6.3-3
strongswan-mod-farp - 5.6.3-3
strongswan-mod-fips-prf - 5.6.3-3
strongswan-mod-forecast - 5.6.3-3
strongswan-mod-gcm - 5.6.3-3
strongswan-mod-gcrypt - 5.6.3-3
strongswan-mod-gmp - 5.6.3-3
strongswan-mod-ha - 5.6.3-3
strongswan-mod-hmac - 5.6.3-3
strongswan-mod-kernel-netlink - 5.6.3-3
strongswan-mod-ldap - 5.6.3-3
strongswan-mod-led - 5.6.3-3
strongswan-mod-load-tester - 5.6.3-3
strongswan-mod-md4 - 5.6.3-3
strongswan-mod-md5 - 5.6.3-3
strongswan-mod-mysql - 5.6.3-3
strongswan-mod-nonce - 5.6.3-3
strongswan-mod-openssl - 5.6.3-3
strongswan-mod-pem - 5.6.3-3
strongswan-mod-pgp - 5.6.3-3
strongswan-mod-pkcs1 - 5.6.3-3
strongswan-mod-pkcs11 - 5.6.3-3
strongswan-mod-pkcs12 - 5.6.3-3
strongswan-mod-pkcs7 - 5.6.3-3
strongswan-mod-pkcs8 - 5.6.3-3
strongswan-mod-pubkey - 5.6.3-3
strongswan-mod-random - 5.6.3-3
strongswan-mod-rc2 - 5.6.3-3
strongswan-mod-resolve - 5.6.3-3
strongswan-mod-revocation - 5.6.3-3
strongswan-mod-sha1 - 5.6.3-3
strongswan-mod-sha2 - 5.6.3-3
strongswan-mod-smp - 5.6.3-3
strongswan-mod-socket-default - 5.6.3-3
strongswan-mod-sql - 5.6.3-3
strongswan-mod-sqlite - 5.6.3-3
strongswan-mod-sshkey - 5.6.3-3
strongswan-mod-stroke - 5.6.3-3
strongswan-mod-test-vectors - 5.6.3-3
strongswan-mod-uci - 5.6.3-3
strongswan-mod-unity - 5.6.3-3
strongswan-mod-updown - 5.6.3-3
strongswan-mod-vici - 5.6.3-3
strongswan-mod-whitelist - 5.6.3-3
strongswan-mod-x509 - 5.6.3-3
strongswan-mod-xauth-eap - 5.6.3-3
strongswan-mod-xauth-generic - 5.6.3-3
strongswan-mod-xcbc - 5.6.3-3
strongswan-pki - 5.6.3-3
strongswan-scepclient - 5.6.3-3
strongswan-swanctl - 5.6.3-3
swconfig - 11
ubi-utils - 2.0.2-1
ubox - 2018-02-14-128bc35f-2
ubus - 2018-10-06-221ce7e7-1
ubusd - 2018-10-06-221ce7e7-1
uci - 2019-05-17-f199b961-1
uclient-fetch - 2018-11-24-3ba74ebc-1
uhttpd - 2018-11-28-cdfc902a-3
usign - 2015-07-04-ef641914-1
wireless-regdb - 2017-10-20-4343d359
wpad-mini - 2018-05-21-62566bc2-6
zlib - 1.2.11-2

[stintel]

This looks like a kernel bug, please try the latest 18.06 snapshot. If you still experience the same bug there, please report it upstream and on https://bugs.openwrt.org with a link to the upstream bug report.