RHEL-104444

[FR] NM-libreswan - Support for sending left certificate(leftsendcert) in X.509-Based VPN Authentication

    • NetworkManager-libreswan-1.2.27-1.el10

Definition of Done:

Please mark each item below with ( / ) if completed or ( x ) if incomplete:

The acceptance criteria defined below are met.

Given a system administrator configuring a host with NetworkManager-libreswan,

When they create or edit an IPsec VPN profile (via nmcli or the GUI) that sets vpn.data leftsendcert to always, sendifasked, or never and then activate it,

Then the profile is stored with that exact key, the generated /etc/ipsec.d/*.conf file contains the matching leftsendcert=<value> line, the VPN connects successfully, any attempt to use an unsupported value returns an immediate validation error, and omitting the key preserves the current default behaviour (sendifasked) without disrupting existing configurations.

Integration test case is available upstream.

Code is reviewed and merged upstream.

Preliminary testing is done.

Some VPN servers require the ability to explicitly send the left certificate as part of X.509-based authentication. Currently, this critical feature is missing from NetworkManager-libreswan, which prevents successful connection in such configurations.

I kindly request the prompt implementation of this feature to ensure compatibility with standard certificate-based IPsec VPN setups.

https://libreswan.org/man/ipsec.conf.5.html

leftsendcert
This option configures when Libreswan will send X.509 certificates to the remote host. Acceptable values are yes|always (signifying that we should always send a certificate), sendifasked (signifying that we should send a certificate if the remote end asks for it), and no|never (signifying that we will never send an X.509 certificate). The default for this option is sendifasked, which may break compatibility with other vendors' IPsec implementations, such as Cisco and SafeNet. If you find that you are getting errors about no ID/Key found, you likely need to set this to always. This per-conn option replaces the obsolete global nocrsend option.
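The acceptance criteria above describe a small contract: vpn.data leftsendcert is validated against always, sendifasked and never, omitted means sendifasked, and the value is emitted as a leftsendcert= line in the generated ipsec conf. The following is an added example modelling that contract; it is not NetworkManager-libreswan's own code, the conn layout (left, right, leftcert keys) is an assumed minimal subset, and the yes/no aliases from the man page are deliberately rejected because the criteria list only the three canonical values.

```python
"""Added example (not NetworkManager-libreswan code): validate vpn.data
leftsendcert and render the matching line for /etc/ipsec.d/*.conf."""

# Values the acceptance criteria accept for vpn.data leftsendcert.
ALLOWED_LEFTSENDCERT = ("always", "sendifasked", "never")
# Current default, preserved when the key is omitted from the profile.
DEFAULT_LEFTSENDCERT = "sendifasked"


def validate_leftsendcert(vpn_data: dict) -> str:
    """Return the effective leftsendcert value for a profile's vpn.data.

    Missing key -> default; unsupported value -> ValueError raised
    immediately, mirroring the validation error the criteria require.
    (yes/no aliases from ipsec.conf(5) are treated as unsupported here.)
    """
    value = vpn_data.get("leftsendcert")
    if value is None:
        return DEFAULT_LEFTSENDCERT
    if value not in ALLOWED_LEFTSENDCERT:
        raise ValueError(
            f"leftsendcert={value!r} is not supported; "
            f"use one of {', '.join(ALLOWED_LEFTSENDCERT)}"
        )
    return value


def render_conn(name: str, vpn_data: dict) -> str:
    """Render a minimal 'conn' section (assumed layout; the real generator
    writes many more keys). 'right' is the gateway, 'leftcert' the local
    X.509 certificate nickname used for certificate-based authentication."""
    lines = [
        f"conn {name}",
        f" left={vpn_data.get('left', '%defaultroute')}",
        f" right={vpn_data['right']}",
    ]
    if "leftcert" in vpn_data:
        lines.append(f" leftcert={vpn_data['leftcert']}")
    lines.append(f" leftsendcert={validate_leftsendcert(vpn_data)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample profile data, as nmcli would store it in vpn.data.
    sample = {"right": "203.0.113.10", "leftcert": "client-cert",
              "leftsendcert": "always"}
    print(render_conn("vpn0", sample))
```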

rhn-engineering-vbenes Vladimir Benes
rhn-support-rsahoo Ramesh Sahoo