RHEL-12278

Connection cannot be established when IPv6 IP SAN is used

    • ZStream
    • rhel-sst-security-crypto
    • ssg_security
    • 10/11: telco priority pending info
    • Red Hat Enterprise Linux
    • Crypto24Q2
    • Approved Blocker

      AC1) IPsec connection is established even if an IPv6 IP SAN is used in the certificate and configuration, following the steps mentioned in the description.
    • Bug Fix
    • .Libreswan accepts IPv6 SAN extensions

      Previously, an IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address.
      With this update, the `pluto` daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, an IPsec connection is now correctly established with an IPv6 address embedded in the certificate as an ID.
    • Done

      What were you trying to do that didn't work?

      Libreswan expected an IPv4 address in the gntoid() function, while both IPv4 and IPv6 addresses are allowed in a SAN. See https://github.com/libreswan/libreswan/issues/1321, where the issue was reported. This is not a regression, it was always like that.

      Please provide the package NVR for which bug is seen:

      libreswan-4.12-1.el9

      How reproducible:

      100%

      Steps to reproduce

      1. Create certificates using a SAN with an IPv6 IP address:
      # certutil -v 120 -S -k rsa -c "CA" -n "worker1" -s "CN=worker1" -v 12 -t "u,u,u" -d sql:/var/lib/ipsec/nss --extSAN "ip:<ipv6>"

      2. Load the following connection:
      # cat /etc/ipsec.d/nstest.conf
      conn worker1-VM
          type=transport
          left=<ipv6>
          leftid=%fromcert
          leftrsasigkey=%cert
          leftcert=worker1
          hostaddrfamily=ipv6
          clientaddrfamily=ipv6
          right=<ipv6>
          rightid=%fromcert
          rightrsasigkey=%cert
          ike=aes_gcm256-sha2_256
          esp=aes_gcm256
          ikev2=insist

      # ipsec auto --add worker1-VM


      Expected results

      Connection is loaded correctly, no warnings. Connection can be established.

      Actual results

      ...

      # ipsec auto --add worker1-VM
        002 "worker1-VM": terminating SAs using this connection
        002 "worker1-VM": warning: gntoid() failed to initaddr(): IPv4 address must be exactly 4 bytes
        002 "worker1-VM": added IKEv2 connection
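      The warning on the second line is the symptom: the iPAddress entry of the SAN is handed to an IPv4-only conversion, which rejects the 16-octet IPv6 value. The following Python is an added example, not libreswan's code, that parses the GeneralNames of a DER subjectAltName and converts each iPAddress entry to an ID, once the failing way (4 octets only) and once dispatching on the octet-string length as RFC 5280 defines it (4 octets for IPv4, 16 for IPv6). The DER builder, the sample SAN (dNSName `worker1` plus the documentation address `2001:db8::1` standing in for `<ipv6>`) and all function names are constructed for this example.

```python
# Added example, not libreswan's code: a minimal DER parser for the
# GeneralNames of a subjectAltName, with the iPAddress -> ID conversion
# done the failing way (IPv4 only) and the fixed way (4 or 16 octets).
import ipaddress

# GeneralName context-specific tags from RFC 5280 section 4.2.1.6
TAG_DNSNAME = 0x82    # [2] dNSName, IA5String
TAG_IPADDRESS = 0x87  # [7] iPAddress, OCTET STRING of 4 or 16 octets
TAG_SEQUENCE = 0x30


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(der):
    """Split a DER-encoded GeneralNames SEQUENCE into (tag, value) pairs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName must be a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        entry_tag, value, pos = _read_tlv(body, pos)
        names.append((entry_tag, value))
    return names


def ip_san_to_id_v4_only(octets):
    """The failing behaviour: every iPAddress SAN is assumed to be IPv4."""
    if len(octets) != 4:
        raise ValueError("IPv4 address must be exactly 4 bytes")
    return str(ipaddress.IPv4Address(octets))


def ip_san_to_id(octets):
    """Fixed behaviour: pick the address family from the octet-string length."""
    if len(octets) == 4:
        return str(ipaddress.IPv4Address(octets))
    if len(octets) == 16:
        return str(ipaddress.IPv6Address(octets))
    raise ValueError(f"iPAddress SAN must be 4 or 16 octets, got {len(octets)}")


def san_ids(der, convert_ip=ip_san_to_id):
    """Return the (kind, id) pairs a %fromcert-style ID could be matched on."""
    ids = []
    for tag, value in parse_general_names(der):
        if tag == TAG_IPADDRESS:
            ids.append(("ip", convert_ip(value)))
        elif tag == TAG_DNSNAME:
            ids.append(("dns", value.decode("ascii")))
        # other GeneralName choices are ignored in this example
    return ids


def build_san(entries):
    """Constructed helper: DER-encode ("ip", addr) / ("dns", host) pairs.

    Short-form lengths only, which is enough for a handful of names.
    """
    body = b""
    for kind, text in entries:
        if kind == "ip":
            value = ipaddress.ip_address(text).packed   # 4 or 16 octets
            body += bytes([TAG_IPADDRESS, len(value)]) + value
        elif kind == "dns":
            value = text.encode("ascii")
            body += bytes([TAG_DNSNAME, len(value)]) + value
        else:
            raise ValueError(f"unsupported GeneralName kind {kind!r}")
    return bytes([TAG_SEQUENCE, len(body)]) + body


# Constructed sample matching the report: "worker1" with an IPv6 iPAddress SAN
# (documentation prefix 2001:db8::/32 stands in for the real <ipv6>).
SAMPLE_SAN = build_san([("dns", "worker1"), ("ip", "2001:db8::1")])


if __name__ == "__main__":
    try:
        san_ids(SAMPLE_SAN, ip_san_to_id_v4_only)
    except ValueError as err:
        print("v4-only conversion:", err)      # the warning text from the report
    print("fixed conversion:", san_ids(SAMPLE_SAN))
```

      Running the block prints the same "exactly 4 bytes" complaint for the v4-only path and `[('dns', 'worker1'), ('ip', '2001:db8::1')]` for the length-dispatching one; the `hostaddrfamily=ipv6` connection above can only match `rightid=%fromcert` once the second form is what the daemon uses.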

              People: Daiki Ueno (dueno@redhat.com), Ondrej Moris (omoris), SSG Security QE, Jan Fiala