
Libreswan: Add leftprotoport and rightprotoport support


    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • rhel-10.2
    • rhel-9.6.z, rhel-10.0
    • nmstate
    • ZStream
    • rhel-net-mgmt

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given an OpenShift worker running kubernetes-nmstate,

      When an NNCP specifying an IPsec interface sets libreswan.leftprotoport: icmp and libreswan.rightprotoport: icmp and the policy is applied,

      Then nmstatectl accepts the schema, pushes the desired state without rollback, and Libreswan establishes the transport SA for ICMP traffic.


      ( ) Code changes are included in a downstream build attached to an errata.


      ( ) All required testing (manual and/or automated) passes successfully.


      ( ) Related documentation updates (if applicable) have been completed.


      ( ) All necessary backports to the related RHEL streams (linked as 'relates' in this issue) have been completed and verified.


      What were you trying to do that didn't work?

      Trying to configure Libreswan via an NNCP to encrypt ICMP traffic using leftprotoport and rightprotoport.

      kind: NodeNetworkConfigurationPolicy
      apiVersion: nmstate.io/v1
      metadata:
        name: left-node-ipsec-policy
      spec:
        nodeSelector:
          kubernetes.io/hostname: worker-0
        desiredState:
          interfaces:
          - name: hosta_conn
            type: ipsec
            ipv4:
              enabled: true
              dhcp: true
            libreswan:
              leftrsasigkey: '%cert'
              left: 192.168.111.23
              leftid: '%fromcert'
              leftcert: left_server
              leftmodecfgclient: false
              right: 192.168.111.24
              rightrsasigkey: '%cert'
              rightid: '%fromcert'
              rightsubnet: 192.168.111.24/32
              ike: aes_gcm256-sha2_256
              esp: aes_gcm256
              ikev2: insist
              type: transport
              leftprotoport: icmp
              rightprotoport: icmp

      What is the impact of this issue to you?

      The nmstate-handler pod fails to configure Libreswan because nmstate (2.2.44) does not accept the leftprotoport and rightprotoport fields, so the NNCP is rolled back.

       

      {"level":"info","ts":"2025-08-04T03:06:09.075Z","logger":"enactmentstatus","msg":"status: {DesiredState: DesiredStateMetaInfo:{Version: TimeStamp:0001-01-01 00:00:00 +0000 UTC} CapturedStates:map[] PolicyGeneration:1 Conditions:[{Type:Failing Status:True Reason:FailedToConfigure Message:failure generating desiredState and capturedStates: failed calling nmstatectl rollback: , [2025-08-04T03:06:09Z INFO  nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1 LastHeartbeatTime:2025-08-04 03:06:09.075823659 +0000 UTC m=+254378.488762970 LastTransitionTime:2025-08-04 03:06:09.075823659 +0000 UTC m=+254378.488762970} {Type:Available Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824112 +0000 UTC m=+254378.488763424 LastTransitionTime:2025-08-04 03:06:09.075824112 +0000 UTC m=+254378.488763424} {Type:Progressing Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824443 +0000 UTC m=+254378.488763752 LastTransitionTime:2025-08-04 03:06:09.075824443 +0000 UTC m=+254378.488763752} {Type:Pending Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824886 +0000 UTC m=+254378.488764194 LastTransitionTime:2025-08-04 03:06:09.075824886 +0000 UTC m=+254378.488764194} {Type:Aborted Status:False Reason:SuccessfullyConfigured Message: LastHeartbeatTime:2025-08-04 03:06:09.07582501 +0000 UTC m=+254378.488764320 LastTransitionTime:2025-08-04 03:06:09.07582501 +0000 UTC m=+254378.488764320}] Features:[]}","enactment":"worker-0.left-node-ipsec-policy"}
      {"level":"error","ts":"2025-08-04T03:06:09.081Z","logger":"controllers.NodeNetworkConfigurationPolicy","msg":"failed filling in the NNCE status","nodenetworkconfigurationpolicy":{"name":"left-node-ipsec-policy"},"error":"failed calling nmstatectl rollback: , [2025-08-04T03:06:09Z INFO  nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1","errorVerbose":", [2025-08-04T03:06:09Z INFO  nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1\nfailed calling nmstatectl rollback\ngithub.com/nmstate/kubernetes-nmstate/pkg/nmstatectl.Policy\n\t/pkg/nmstatectl/nmstatectl.go:197\ngithub.com/nmstate/kubernetes-nmstate/pkg/nmpolicy.GenerateState\n\t/pkg/nmpolicy/generate.go:59\ngithub.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).fillInEnactmentStatus\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:350\ngithub.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).Reconcile\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:181\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1700","stacktrace":"github.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).Reconcile\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:183\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224"}
      
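      As an added pre-flight check (example code, not nmstate's or kubernetes-nmstate's own), the following compares the libreswan keys of an NNCP desired state against the field list that nmstatectl 2.2.44 reports as accepted in the error above, so an unsupported key such as leftprotoport is caught before the policy is pushed and rolled back. The protoport syntax it validates (`proto[/port]`, e.g. `icmp` or `tcp/22`) is assumed from libreswan's ipsec.conf conventions and is not stated in this issue.

```python
import re

# Accepted keys, verbatim from the nmstatectl 2.2.44 InvalidArgument error in this issue.
LIBRESWAN_FIELDS_2_2_44 = frozenset({
    "right", "rightid", "rightrsasigkey", "rightcert", "left", "leftid",
    "leftrsasigkey", "leftcert", "ikev2", "psk", "ikelifetime", "salifetime",
    "ike", "esp", "dpddelay", "dpdtimeout", "dpdaction", "ipsec-interface",
    "authby", "rightsubnet", "leftsubnet", "leftmodecfgclient", "type",
    "hostaddrfamily", "clientaddrfamily", "require-id-on-certificate",
})

# Assumed libreswan protoport syntax: "<proto>[/<port>]" with proto a name or
# number and port a number or %any (e.g. icmp, tcp/22, 17/%any).
_PROTOPORT = re.compile(r"^(?:[a-z]+|\d{1,3})(?:/(?:\d{1,5}|%any))?$")


def unknown_libreswan_fields(desired_state, known=LIBRESWAN_FIELDS_2_2_44):
    """Map each ipsec interface to the sorted libreswan keys nmstate would reject;
    a non-empty result means nmstatectl fails and kubernetes-nmstate rolls back."""
    rejected = {}
    for iface in desired_state.get("interfaces", []):
        if iface.get("type") != "ipsec":
            continue
        extra = sorted(set(iface.get("libreswan", {})) - known)
        if extra:
            rejected[iface["name"]] = extra
    return rejected


def protoport_problems(desired_state):
    """List (iface, key, value) for malformed leftprotoport/rightprotoport values."""
    bad = []
    for iface in desired_state.get("interfaces", []):
        for key in ("leftprotoport", "rightprotoport"):
            value = iface.get("libreswan", {}).get(key)
            if value is not None and not _PROTOPORT.match(str(value)):
                bad.append((iface["name"], key, value))
    return bad


# Constructed from the desiredState of the NNCP quoted in this issue.
HOSTA_STATE = {"interfaces": [{"name": "hosta_conn", "type": "ipsec", "libreswan": {
    "leftrsasigkey": "%cert", "left": "192.168.111.23", "leftid": "%fromcert",
    "leftcert": "left_server", "leftmodecfgclient": False, "right": "192.168.111.24",
    "rightrsasigkey": "%cert", "rightid": "%fromcert", "rightsubnet": "192.168.111.24/32",
    "ike": "aes_gcm256-sha2_256", "esp": "aes_gcm256", "ikev2": "insist",
    "type": "transport", "leftprotoport": "icmp", "rightprotoport": "icmp"}}]}

if __name__ == "__main__":
    print(unknown_libreswan_fields(HOSTA_STATE), protoport_problems(HOSTA_STATE))
```

Once a build that accepts the two fields is in use, pass that build's field list as `known` and the same check turns green for this policy.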

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Always

      Nmstate version: 2.2.44

      Steps to reproduce

      1. Install OCP cluster.
      2. Deploy nmstate operator.
      3. Import IPsec certificates into nss db.
      4. Deploy NNCP.

      Expected results

      NNCP must be deployed successfully and Libreswan must get appropriate IKE SAs with the peer node.

      Actual results

              nm-team Network Management Team
              pepalani@redhat.com Periyasamy Palanisamy
              Mingyu Shi
              Votes: 0
              Watchers: 8