RHEL-104439 (project: RHEL)

[FR] Request to Add Support for Sending Left Certificate (leftsendcert) in X.509-Based VPN Authentication


    • nmstate-2.2.52-1.el10
    • ZStream
    • rhel-net-mgmt
    • Regression Exception

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      The acceptance criteria defined below are met.

      Given a system administrator has written an nmstate YAML containing leftsendcert: always (or never, sendifasked),
      When they apply the configuration,
      Then the Nmstate validation succeeds, nmstatectl show reflects the chosen value, the derived /etc/ipsec.d/*.conf carries leftsendcert=<value>, the connection comes up, invalid values are rejected at validation time, and leaving the field out retains the default sendifasked behaviour.

      Integration test case is available upstream.

      Code is reviewed and merged upstream.

      Preliminary testing is done.

      ( ) A demo is recorded
    • Pass
    • Automated

      Some VPN servers require the ability to explicitly send the left certificate as part of X.509-based authentication. Currently, this critical feature is missing from nmstate, which prevents successful connection in such configurations.

      I kindly request the prompt implementation of this feature to ensure compatibility with standard certificate-based IPsec VPN setups.

      ```
      $ nmstatectl validate ipsec.yaml
      [2025-07-20T20:57:24Z INFO nmstatectl] Nmstate version: 2.2.45
      Provide file is not valid NetworkState or NetworkPolicy: interfaces: unknown field `leftsendcert`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate` at line 2 column 1
      ```

      https://libreswan.org/man/ipsec.conf.5.html

      > leftsendcert
      > This option configures when Libreswan will send X.509 certificates to the remote host. Acceptable values are yes|always (signifying that we should always send a certificate), sendifasked (signifying that we should send a certificate if the remote end asks for it), and no|never (signifying that we will never send a X.509 certificate). The default for this option is sendifasked which may break compatibility with other vendor's IPsec implementations, such as Cisco and SafeNet. If you find that you are getting errors about no ID/Key found, you likely need to set this to always. This per-conn option replaces the obsolete global nocrsend option.
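As an added illustration of the acceptance criteria above and of the leftsendcert semantics quoted from ipsec.conf(5) (example code written for this page, not nmstate's or Libreswan's own): a small Python validator that takes the `libreswan` section of an nmstate IPsec interface as a dict, rejects unknown fields and invalid leftsendcert values at validation time, applies the sendifasked default when the field is omitted, normalises the yes/no aliases the man page allows, and renders the key=value lines a derived /etc/ipsec.d/*.conf would carry. The known-field list is taken from the error output on this issue; `validate_libreswan`, `render_conn`, `ValidationError` and the sample interface values are assumptions made for the example.

```python
"""Validate an nmstate-style IPsec `libreswan` section that carries the
proposed `leftsendcert` field and render a matching Libreswan conn stanza.

Constructed example, not nmstate's own code: the schema subset, the helper
names and the sample values below are assumptions. Accepted leftsendcert
values mirror ipsec.conf(5): yes|always, sendifasked, no|never.
"""

# Values ipsec.conf(5) documents for leftsendcert, mapped to the canonical
# spelling so that nmstatectl show / the rendered conf are unambiguous.
LEFTSENDCERT_VALUES = {
    "always": "always",
    "yes": "always",
    "sendifasked": "sendifasked",
    "never": "never",
    "no": "never",
}
LEFTSENDCERT_DEFAULT = "sendifasked"  # default per ipsec.conf(5)

# Fields the validation error on this issue lists as already accepted,
# plus the requested leftsendcert.
KNOWN_FIELDS = {
    "right", "rightid", "rightrsasigkey", "rightcert", "left", "leftid",
    "leftrsasigkey", "leftcert", "ikev2", "psk", "ikelifetime",
    "salifetime", "ike", "esp", "dpddelay", "dpdtimeout", "dpdaction",
    "ipsec-interface", "authby", "rightsubnet", "leftsubnet",
    "leftmodecfgclient", "type", "hostaddrfamily", "clientaddrfamily",
    "require-id-on-certificate", "leftsendcert",
}


class ValidationError(ValueError):
    """Raised at validation time, before anything is written to /etc/ipsec.d."""


def validate_libreswan(section: dict) -> dict:
    """Return a normalised copy of the section or raise ValidationError.

    Unknown fields are rejected (as nmstate does today); leftsendcert is
    checked against the documented values and defaults to sendifasked
    when omitted, matching the acceptance criteria on this issue.
    """
    unknown = sorted(set(section) - KNOWN_FIELDS)
    if unknown:
        raise ValidationError(f"unknown field(s): {', '.join(unknown)}")
    normalised = dict(section)
    raw = section.get("leftsendcert", LEFTSENDCERT_DEFAULT)
    if not isinstance(raw, str) or raw.lower() not in LEFTSENDCERT_VALUES:
        raise ValidationError(
            f"leftsendcert: invalid value {raw!r}; expected one of "
            + ", ".join(sorted(set(LEFTSENDCERT_VALUES)))
        )
    normalised["leftsendcert"] = LEFTSENDCERT_VALUES[raw.lower()]
    return normalised


def render_conn(name: str, section: dict) -> str:
    """Render a Libreswan `conn` stanza from a validated section.

    Hypothetical layout: the real nmstate plugin writes its own
    /etc/ipsec.d/*.conf format, but the key=value lines are what the
    acceptance criteria check for (leftsendcert=<value>).
    """
    validated = validate_libreswan(section)
    lines = [f"conn {name}"]
    for key in sorted(validated):
        lines.append(f"    {key}={validated[key]}")
    return "\n".join(lines) + "\n"


# Constructed sample: the `libreswan:` block of an nmstate ipsec interface
# once the field is accepted (addresses are documentation ranges).
SAMPLE_SECTION = {
    "left": "192.0.2.10",
    "leftid": "%fromcert",
    "leftcert": "client.example",
    "right": "203.0.113.5",
    "rightid": "vpn.example",
    "ikev2": "insist",
    "leftsendcert": "always",
}


if __name__ == "__main__":
    print(render_conn("ipsec-sample", SAMPLE_SECTION))
    try:
        validate_libreswan({**SAMPLE_SECTION, "leftsendcert": "maybe"})
    except ValidationError as exc:
        print("rejected:", exc)
```

Running the block renders the sample stanza with `leftsendcert=always` and then shows the rejection path for an invalid value; dropping the key from `SAMPLE_SECTION` yields `leftsendcert=sendifasked`, which is the default behaviour the acceptance criteria require.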

              Assignee: Unassigned
              Reporter: Ramesh Sahoo (rhn-support-rsahoo)