Loading...

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.2
Affects Version/s: rhel-9.6
Component/s: NetworkManager-libreswan
Labels:
None

Regression:
Yes
Severity:
Important
Keywords:

ZStream

AssignedTeam:
rhel-net-mgmt

Story Points:
3
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None
Release Blocker:
Regression Exception
Target Backport Versions:

rhel-9.6.z, rhel-10.0.z, rhel-9.7.z, rhel-10.1.z, rhel-9.8

Acceptance Criteria:

Hide

Definition of Done:

Please mark each item below with ( / ) if completed or ( x ) if incomplete:

( ) The acceptance criteria defined below are met.

Given a system running NetworkManager,
When a sysadmin (via nmcli or Nmstate) creates and activates an IPsec transport profile that specifies libreswan.esp=aes_gcm256,

Then the VPN connection reaches NM_ACTIVE_CONNECTION_STATE_ACTIVATED and the generated ipsec.conf contains only a single esp= line with no phase2alg= entries, so ipsec addconn no longer logs “duplicate key 'phase2alg'” during activation.
Also, check the other options that might be impacted by this bug.

( ) Integration test case is available upstream.

( ) Code is reviewed and merged upstream.

( ) Preliminary testing is done.

Show
Definition of Done: Please mark each item below with ( / ) if completed or ( x ) if incomplete: ( ) The acceptance criteria defined below are met. Given a system running NetworkManager, When a sysadmin (via nmcli or Nmstate) creates and activates an IPsec transport profile that specifies libreswan.esp=aes_gcm256, Then the VPN connection reaches NM_ACTIVE_CONNECTION_STATE_ACTIVATED and the generated ipsec.conf contains only a single esp= line with no phase2alg= entries, so ipsec addconn no longer logs “duplicate key 'phase2alg'” during activation. Also, check the other options that might be impacted by this bug. ( ) Integration test case is available upstream. ( ) Code is reviewed and merged upstream. ( ) Preliminary testing is done.
Git Pull Request:
https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/62
Preliminary Testing:
None
Test Coverage:
None

ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

OCP ipsec CI jobs are failing when applying a nmstate NNCP defining an ipsec connection.

This is the job
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/70826/rehearse-70826-pull-ci-openshift-machine-config-operator-release-4.21-e2e-aws-ovn-serial-ipsec/1988602439900598272

This is the NNCP

apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"nmstate.io/v1","kind":"NodeNetworkConfigurationPolicy","metadata":{"annotations":{},"name":"left-node-ipsec-policy"},"spec":{"desiredState":{"interfaces":[{"ipv4":{"dhcp":true,"enabled":true},"libreswan":{"esp":"aes_gcm256","ike":"aes_gcm256-sha2_256","ikev2":"insist","left":"10.0.15.154","leftcert":"left_server","leftid":"%fromcert","leftmodecfgclient":false,"leftrsasigkey":"%cert","right":"10.0.57.43","rightid":"%fromcert","rightrsasigkey":"%cert","rightsubnet":"10.0.57.43/32","type":"transport"},"name":"hosta_conn","type":"ipsec"}]},"nodeSelector":{"kubernetes.io/hostname":"ip-10-0-15-154.us-west-1.compute.internal"}}}
    nmstate.io/webhook-mutating-timestamp: "1762963458607809394"
  creationTimestamp: "2025-11-12T16:04:18Z"
  generation: 1
  name: left-node-ipsec-policy
  resourceVersion: "64147"
  uid: cd19bcc6-20fe-474a-8648-2f2a9089b218
spec:
  desiredState:
    interfaces:
    - ipv4:
        dhcp: true
        enabled: true
      libreswan:
        esp: aes_gcm256
        ike: aes_gcm256-sha2_256
        ikev2: insist
        left: 10.0.15.154
        leftcert: left_server
        leftid: '%fromcert'
        leftmodecfgclient: false
        leftrsasigkey: '%cert'
        right: 10.0.57.43
        rightid: '%fromcert'
        rightrsasigkey: '%cert'
        rightsubnet: 10.0.57.43/32
        type: transport
      name: hosta_conn
      type: ipsec
  nodeSelector:
    kubernetes.io/hostname: ip-10-0-15-154.us-west-1.compute.internal
status:
  conditions:
  - lastHeartbeatTime: "2025-11-12T16:04:34Z"
    lastTransitionTime: "2025-11-12T16:04:34Z"
    status: Unknown
    type: Available
  - lastHeartbeatTime: "2025-11-12T16:04:34Z"
    lastTransitionTime: "2025-11-12T16:04:34Z"
    status: Unknown
    type: Degraded
  - lastHeartbeatTime: "2025-11-12T16:04:34Z"
    lastTransitionTime: "2025-11-12T16:04:34Z"
    status: Unknown
    type: Progressing
  - lastHeartbeatTime: "2025-11-12T16:04:34Z"
    lastTransitionTime: "2025-11-12T16:04:34Z"
    status: Unknown
    type: Ignored
  unavailableNodeCountMap:
    "1": 1

This is the nmstate error

{"level":"error","ts":"2025-11-12T16:04:33.768Z","logger":"controllers.NodeNetworkConfigurationPolicy","msg":"Rolling back network configuration, manual intervention needed: ","nodenetworkconfigurationpolicy":{"name":"left-node-ipsec-policy"},"error":"error reconciling NodeNetworkConfigurationPolicy on node ip-10-0-15-154.us-west-1.compute.internal at desired state apply: \"\",\n , [2025-11-12T16:04:19Z INFO  nmstatectl] Nmstate version: 2.2.54\n[2025-11-12T16:04:20Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:20Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface genev_sys_6081 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 94eb5fd124504a8 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 3b2ebed857defff type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 8688ecc8dc52c9d type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface patch-br-ex_ip-10-0-15-154.us-west-1.compute.internal-to-br-int type ovs-interface\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface a4d3610d63e733d type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 5cff113fa5eef94 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 308cfdcfc8d1fd7 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 07d1d951b4ecace type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface br-int type ovs-interface\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 9aa784aec419383 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface bde578687f271dc type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 5b6d8f5cd446d1a type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 6011f9dd3de7241 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 8462fe9f20688db type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface ovn-k8s-mp0 type ovs-interface\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface patch-br-int-to-br-ex_ip-10-0-15-154.us-west-1.compute.internal type ovs-interface\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface c1b0c532295b030 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface baed19c33527489 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface cc3bc2afa489417 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 13fecde53314763 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 3802bfc79e0f6fe type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 07f00c732a5f090 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 560d4d1e94abefa type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 3682fb32fef7d10 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 8ff8836a93e2276 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 708b0a67d3e76f7 type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::ifaces::inter_ifaces] Ignoring interface 3866a051150eacf type ethernet\n[2025-11-12T16:04:20Z INFO  nmstate::query_apply::net_state] Created checkpoint /org/freedesktop/NetworkManager/Checkpoint/1\n[2025-11-12T16:04:20Z INFO  nmstate::nm::query_apply::connection] Creating connection 98317cf9-ebff-482f-86f0-88b8c0b1e751: hosta_conn/vpn\n[2025-11-12T16:04:20Z INFO  nmstate::nm::query_apply::connection] Activating connection 98317cf9-ebff-482f-86f0-88b8c0b1e751: /vpn\n[2025-11-12T16:04:21Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:21Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:22Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:22Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:23Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:23Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:24Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:24Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:26Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:26Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:28Z INFO  nmstate::nm::query_apply::connection] Modifying connection 98317cf9-ebff-482f-86f0-88b8c0b1e751: hosta_conn/vpn\n[2025-11-12T16:04:28Z INFO  nmstate::nm::query_apply::connection] Activating connection 98317cf9-ebff-482f-86f0-88b8c0b1e751: /vpn\n[2025-11-12T16:04:28Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:28Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:29Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:29Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:31Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:31Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:32Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:32Z INFO  nmstate::query_apply::net_state] Retrying on: VerificationError: Failed to find desired interface hosta_conn Ipsec\n[2025-11-12T16:04:33Z INFO  nmstate::nm::show] Got unsupported interface type generic: genev_sys_6081, ignoring\n[2025-11-12T16:04:33Z INFO  nmstate::query_apply::net_state] Rollbacked to checkpoint /org/freedesktop/NetworkManager/Checkpoint/1\nNmstateError: VerificationError: Failed to find desired interface hosta_conn Ipsec\n: failed to execute nmstatectl apply --no-commit --timeout 480: exit status 1","stacktrace":"github.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).Reconcile\n\t/go/src/github.com/openshift/kubernetes-nmstate/controllers/handler/nodenetworkconfigurationpolicy_controller.go:234\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/go/src/github.com/openshift/kubernetes-nmstate/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/src/github.com/openshift/kubernetes-nmstate/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/src/github.com/openshift/kubernetes-nmstate/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/src/github.com/openshift/kubernetes-nmstate/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224"}

Attached the NM error.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

nm-ipsec-error.txt
58 kB
2025/11/13 1:23 PM

is depended on by

OCPBUGS-59506 e2e-aws-ovn-serial-ipsec pod-to-host-disruption

ASSIGNED

links to

openshift/release#70826: OVNK ipsec: deploy konflux build of nmstate operator

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates