RHEL-119641

NM doesn't export nm-auto-defaults = no field from vpn.data



      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given a sysadmin configures a VPN connection using nmcli with nm-auto-defaults=no, 
      When they run "nmcli connection export <connection-name>", 
      Then the exported libreswan conf file should include:
        - # nm-auto-defaults parameter (it has PARAM_IGNORE flag)
        - contain all parameters from vpn.data that are marked exportable
        

      Given a sysadmin configures a VPN connection using nmcli with nm-auto-defaults=no,
      When they export the connection and then import it back,
      Then the imported connection should:
        - Have nm-auto-defaults=no behavior (no automatic defaults)
        - Contain the same explicitly set parameters as the original
        - NOT contain any automatically added default values


      ( ) Code is reviewed and merged upstream.


      ( ) Preliminary testing is done.


      ( ) A demo is recorded


      What were you trying to do that didn't work?

      ```
      [root@wifi4-ml5-vm5 NetworkManager-ci]# nmcli connection add type vpn con-name VPNX ifname '*' autoconnect no vpn-type libreswan vpn.data 'right=1.2.3.4, rightid=@server, rightrsasigkey=server-key, left=1.2.3.5, leftid=@client, leftrsasigkey=client-key, leftcert=client-cert, ike=aes256-sha1;modp1536, esp=aes256-sha1, nm-auto-defaults=no'
      Connection 'VPNX' (fd7a7e65-1271-4e84-9325-e7db425cf4c6) successfully added.
      [root@wifi4-ml5-vm5 NetworkManager-ci]# nmcli  connection export VPNX > /tmp/VPNX.txt
      [root@wifi4-ml5-vm5 NetworkManager-ci]# cat /tmp/VPNX.txt
      conn VPNX
       right=1.2.3.4
       leftid=@client
       rightid=@server
       leftcert="client-cert"
       rightrsasigkey="server-key"
       leftrsasigkey="client-key"
       left=1.2.3.5
       ike=aes256-sha1;modp1536
      ```

      Check that nm-auto-defaults is not exported. Upon other imports, we have all NM-libreswan defaults back in. This is not what the user expects. 

      so to solve this:

      ```
      [root@wifi4-ml5-vm5 NetworkManager-ci]# echo "nm-auto-defaults=no" >> /tmp/VPNX.txt
      [root@wifi4-ml5-vm5 NetworkManager-ci]# nmcli con import file /tmp/VPNX.txt type libreswan
      Connection 'VPNX' (a908bf54-5104-4aee-b75c-6ce4f72a1d26) successfully added.
      [root@wifi4-ml5-vm5 NetworkManager-ci]# nmcli connection show VPNX |grep nm-auto-defaults
      vpn.data:                               ike = aes256-sha1;modp1536, left = 1.2.3.5, leftcert = client-cert, leftid = @client, leftrsasigkey = client-key, nm-auto-defaults = no, right = 1.2.3.4, rightid = @server, rightrsasigkey = server-key
      ```

      but w/o it:

      ```
      [root@wifi4-ml5-vm5 NetworkManager-ci]# nmcli connection show VPNX |grep data
      vpn.data:                               ike = aes256-sha1;modp1536, ikelifetime = 24h, ikev2 = never, left = 1.2.3.5, leftcert = client-cert, leftid = @client, leftmodecfgclient = yes, leftrsasigkey = client-key, rekey = yes, right = 1.2.3.4, rightid = @server, rightrsasigkey = server-key, rightsubnet = 0.0.0.0/0, salifetime = 24h
      ```

      so this is the other behaviour.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      NetworkManager-libreswan-1.2.27-1.el10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. as described above

      Expected results

      Consistent export and import

      Actual results

      Inconsistent export and import
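
The export/import round trip described in this report can be checked mechanically by diffing the `vpn.data` of the original connection against the re-imported one. The script below is an added example, not part of the original report or of NetworkManager-libreswan; `vpn_drift` is a hypothetical helper name, and the sample strings are the `vpn.data` values quoted in the report.

```shell
#!/bin/sh
# Constructed sample input: vpn.data strings copied from the report above.
# ORIGINAL is what was passed to "nmcli connection add";
# REIMPORTED is what "nmcli connection show" printed after export + import.
ORIGINAL='right=1.2.3.4, rightid=@server, rightrsasigkey=server-key, left=1.2.3.5, leftid=@client, leftrsasigkey=client-key, leftcert=client-cert, ike=aes256-sha1;modp1536, esp=aes256-sha1, nm-auto-defaults=no'
REIMPORTED='ike = aes256-sha1;modp1536, ikelifetime = 24h, ikev2 = never, left = 1.2.3.5, leftcert = client-cert, leftid = @client, leftmodecfgclient = yes, leftrsasigkey = client-key, rekey = yes, right = 1.2.3.4, rightid = @server, rightrsasigkey = server-key, rightsubnet = 0.0.0.0/0, salifetime = 24h'

# vpn_drift BEFORE AFTER (hypothetical helper, not an nmcli feature)
# Prints one line per difference between two vpn.data strings:
#   +key=value   key exists only in AFTER  (added on import)
#   -key=value   key exists only in BEFORE (lost on export)
#   ~key=a -> b  key exists in both with different values
vpn_drift() {
    awk -v before="$1" -v after="$2" '
    function parse(data, out,    n, i, parts, eq, key, val, last) {
        n = split(data, parts, /,[ \t]*/)
        last = ""
        for (i = 1; i <= n; i++) {
            eq = index(parts[i], "=")
            if (eq > 1) {
                key = substr(parts[i], 1, eq - 1); gsub(/[ \t]/, "", key)
                val = substr(parts[i], eq + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                out[key] = val; last = key
            } else if (last != "") {
                # A piece without "=" is the tail of a value that contained a comma.
                out[last] = out[last] "," parts[i]
            }
        }
    }
    BEGIN {
        split("", b); split("", a)          # force both to be arrays
        parse(before, b); parse(after, a)
        for (k in a) if (!(k in b)) print "+" k "=" a[k]
        for (k in b) if (!(k in a)) print "-" k "=" b[k]
        for (k in b) if ((k in a) && a[k] != b[k]) print "~" k "=" b[k] " -> " a[k]
    }' | LC_ALL=C sort
}

vpn_drift "$ORIGINAL" "$REIMPORTED"
```

On the report's values this prints six `+` lines for the defaults added on re-import and two `-` lines, `esp=aes256-sha1` and `nm-auto-defaults=no`, for keys that are absent from the re-imported connection.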

       

              nm-team Network Management Team
              rhn-engineering-vbenes Vladimir Benes