
Cannot setup point-to-point ipsec tunnel

    • NetworkManager-libreswan-1.2.18-2.el9
    • ZStream
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 1

       

      Customer/Partner: OpenShift SDN team
      Jira ID: RHEL-20690
      Customer Case: No Customer Case
      Status Details:
      [2024-01-04] The team had worked on NMT-994 to support OpenShift's North-South IPSec implementation. However, after delivery, the RHCOS team's QE identified a bug in setting up point-to-point IPSec tunnels, leading to timeouts in NetworkManager. The team is actively investigating the issue in order to fix the bug so that the RHCOS and the OpenShift team can promptly consume the updated feature.
      [2024-01-08] A fix is needed ASAP as this issue is blocking OpenShift end-to-end testing. As soon as a fix is available, we will request a RHEL-9.2 async release.
      [2024-01-09] Investigation identified two key issues: the need to optionally disable leftmodecfgclient=yes in NM-libreswan for server-to-server scenarios, and the requirement for nmstate to explicitly set rightsubnet to avoid defaulting to 0.0.0.0/0. In addition to this fix, the team has created an Nmstate Jira ticket (RHEL-21033) to add two options to be used when configuring a P2P IPSec tunnel. An Nmstate PR is already available and OpenShift QE is testing the scratch build.
      [2024-01-12] The provided scratch build fixes the problem and, in addition to the Nmstate PR, a NetworkManager-libreswan MR is also available and under review. An additional CI failure (RHEL-21221) needs to be fixed before delivering the work in a RHEL-9.2 async release; therefore the team is also working on it as a priority.
      [2024-01-17] The additional CI failure is now fixed in this MR. The z-stream builds are ongoing and the goal is to request an async release as soon as the advisories move to REL_PREP status.
      [2024-01-19] The advisories are in REL_PREP status and are awaiting Program Managers' approval to be shipped asynchronously.
      [2024-01-24] The advisories are now shipped in RHEL-9.2.0.z and the OpenShift QA team has now resumed their testing.
       

       

       

    • False
    • No
    • NMT - RHEL 8.10/9.4 DTM 22
    • Approved Blocker
    • None

      What were you trying to do that didn't work?

      When the IPsec remote has a P2P tunnel like:

      conn hostb_conn_crt_p2p
          hostaddrfamily=ipv4
          left=192.0.2.155
          leftsubnet=192.0.2.155/32
          leftid=@hostb.example.org
          leftcert=hostb.example.org
          leftmodecfgserver=yes
          right=192.0.2.248
          rightsubnet=192.0.2.248/32
          rightid=@hosta.example.org
          rightcert=hosta.example.org
          rightmodecfgclient=yes
          ikev2=insist
      

      When activating an IPsec connection with `nmcli c up`, the IPsec tunnel fails to set up and times out.

      Please provide the package NVR for which bug is seen:

      NetworkManager-1.45.9-32883.copr.0e893593a9.el9.x86_64
      NetworkManager-libreswan-1.2.18-1.el9

      How reproducible:

      100%

      Steps to reproduce

      * Deploy the PKI keys to both localhost and the remote node.
      * Use the above ipsec config to set up the ipsec daemon on the remote node.
      * Apply this state via nmstatectl:
      echo '
      interfaces:
      - name: hosta_conn
        type: ipsec
        libreswan:
          left: 192.0.2.248
          leftid: 'hosta.example.org'
          leftcert: hosta.example.org
          right: 192.0.2.155
          rightid: 'hostb.example.org'
          ikev2: insist
      ' | sudo nmstatectl apply -
      

      Expected results

      The IPsec connection is set up and communication between these two nodes is encrypted.

      Actual results

      Timeout on activating ipsec VPN connection in NetworkManager.

              rhn-engineering-vbenes Vladimir Benes
              fge@redhat.com Gris Ge
              Beniamino Galvani Beniamino Galvani
              Vladimir Benes Vladimir Benes
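
An added example, not part of the original report and not code from nmstate or NetworkManager-libreswan: a small Python check for the two conditions named in the 2024-01-09 status note, run against the peer conn block and the local settings from the reproducer. `parse_conn`, `check_p2p` and the `LOCAL` dict are hypothetical names; the two defaults it models (an unset rightsubnet becoming 0.0.0.0/0, and leftmodecfgclient=yes being added unless disabled) are taken from that note.

```python
import ipaddress

# Constructed sample: the peer's conn block from the report (cert/id lines omitted).
PEER_CONN = """\
conn hostb_conn_crt_p2p
    left=192.0.2.155
    leftsubnet=192.0.2.155/32
    leftmodecfgserver=yes
    right=192.0.2.248
    rightsubnet=192.0.2.248/32
    rightmodecfgclient=yes
    ikev2=insist
"""

# Local settings as given in the nmstate state from the report (no subnets set).
LOCAL = {"left": "192.0.2.248", "right": "192.0.2.155", "ikev2": "insist"}


def parse_conn(text):
    """Parse the key=value lines of one libreswan conn section into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and indentation
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def check_p2p(local, peer, server_to_server=True):
    """Return findings that would keep a host-to-host tunnel from matching the peer."""
    findings = []
    # Assumption from the 2024-01-09 note: an unset rightsubnet becomes 0.0.0.0/0.
    ours = ipaddress.ip_network(local.get("rightsubnet", "0.0.0.0/0"))
    # The peer's "left" is our "right"; libreswan treats an omitted leftsubnet as left/32.
    theirs = ipaddress.ip_network(peer.get("leftsubnet", peer["left"] + "/32"))
    if ours != theirs:
        findings.append(f"rightsubnet {ours} does not match peer leftsubnet {theirs}")
    # Assumption from the same note: leftmodecfgclient=yes is added unless disabled.
    if server_to_server and local.get("leftmodecfgclient", "yes") == "yes":
        findings.append("leftmodecfgclient=yes is in effect for a server-to-server tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_p2p(LOCAL, parse_conn(PEER_CONN)):
        print("FINDING:", finding)
```

With the reproducer's inputs both findings are reported; setting `rightsubnet` to the peer's /32 and `leftmodecfgclient` to `no` in the local dict clears them.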