Story
Resolution: Unresolved
Normal
None
What were you trying to do that didn't work?
An IPSec tunnel host2net config works well between a RHEL VM and an OCP node when applied with ipsec; the same config fails when applied with nmstate, resulting in the following error:
"537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
Please provide the package NVR for which the bug is seen:
[root@dhcp-97-113 ~]# ipsec version
Libreswan 4.9
[root@dhcp-97-113 ~]# nmstatectl version
nmstatectl 2.2.23
How reproducible:
Steps to reproduce
- Apply the following IPSec config on a RHEL 9.3 VM
conn server01.cnf.com
    left=10.1.98.208
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsubnet=172.16.110.0/24
    leftcert=server01.cnf.com
    rightrsasigkey=%cert
    right=10.46.97.113
    rightid=%fromcert
    authby=rsasig
    ike=aes256-sha1
    esp=aes256-sha1
- Apply the following IPSec nmstate config on an OCP 4.14 BM node
interfaces:
- name: hosta_conn
  type: ipsec
  libreswan:
    leftrsasigkey: '%cert'
    left: 10.46.97.113
    leftid: '%fromcert'
    leftcert: client01.cnf.com
    right: 10.1.98.208
    rightrsasigkey: '%cert'
    rightid: '%fromcert'
    rightsubnet: 172.16.110.0/24
    ikev2: insist
    ike: aes256-sha1
    esp: aes256-sha1
- IPSec log on the node
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": IKE SA proposals (connection add):
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": 1:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": Child SA proposals (connection add):
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": 1:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": loaded private key matching left certificate 'client01.cnf.com'
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": added IKEv2 connection
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiating IKEv2 connection
Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: sent IKE_SA_INIT request to 10.1.98.208:500
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: missing v2CP reply, not attempting to setup child SA
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: IKE SA established but initiator rejected Child SA response
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: deleting larval Child SA using IKE SA #1
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: ERROR: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0xbd249048) but corresponding state not found
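As an added triage aid (not part of this report, libreswan or nmstate), the helper below groups the pluto messages above per connection and reports why the tunnel did not come up: the IKE SA authenticated fine, and the Child SA was dropped because the initiator waited for an IKEv2 Configuration Payload (v2CP) reply that the responder never sent. The sample log is constructed from the lines in this report with the host name shortened.

```python
import re

# Matches pluto's "<conn>" [#<sa>]: <message> form, including the
# ERROR: prefix that precedes the connection name on netlink failures.
_PLUTO_RE = re.compile(
    r'pluto\[\d+\]: (?P<err>ERROR: )?"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)'
)

# Constructed sample: the decisive lines from the report, host name shortened.
SAMPLE_LOG = """\
Feb 22 10:46:57 node pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": added IKEv2 connection
Feb 22 10:46:57 node pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiating IKEv2 connection
Feb 22 10:46:58 node pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 22 10:46:58 node pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: missing v2CP reply, not attempting to setup child SA
Feb 22 10:46:58 node pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: IKE SA established but initiator rejected Child SA response
Feb 22 10:46:58 node pluto[1930456]: ERROR: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
"""


def triage_pluto_log(text):
    """Group pluto messages per connection and extract the tunnel outcome.

    Returns {conn: {"ike_established": bool, "child_sa_reason": str or None,
                    "netlink_errors": [str, ...]}}.
    """
    result = {}
    for line in text.splitlines():
        m = _PLUTO_RE.search(line)
        if not m:
            continue
        state = result.setdefault(m["conn"], {
            "ike_established": False, "child_sa_reason": None, "netlink_errors": []})
        msg = m["msg"]
        if "established IKE SA" in msg:
            state["ike_established"] = True
        elif "not attempting to setup child SA" in msg:
            # e.g. "missing v2CP reply, not attempting to setup child SA"
            state["child_sa_reason"] = msg.split(",", 1)[0]
        elif m["err"] and msg.startswith("netlink response"):
            # Cleanup of the never-installed larval SA; a symptom, not the cause.
            state["netlink_errors"].append(msg)
    return result


def verdict(state):
    """Turn one connection's state into a one-line triage verdict."""
    if not state["ike_established"]:
        return "IKE SA not established"
    if state["child_sa_reason"]:
        return "IKE SA up but Child SA not set up: " + state["child_sa_reason"]
    return "tunnel established"


if __name__ == "__main__":
    for conn, state in triage_pluto_log(SAMPLE_LOG).items():
        print(conn, "->", verdict(state))
```

A "missing v2CP reply" verdict points at a configuration-payload (modecfg) request in the client-side config that the responder does not serve, which is the setting to compare between the nmstate-generated and the hand-written ipsec configs.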
Expected results
The tunnel should be created.
When applying the following IPSec config on the OCP node, the tunnel is configured successfully
conn client01.cnf.com
    leftrsasigkey=%cert
    left=10.46.97.113
    leftid=%fromcert
    leftcert=client01.cnf.com
    right=10.1.98.208
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=172.16.110.0/24
    ikev2=insist
    ike=aes256-sha1
    esp=aes256-sha1
[root@dhcp-97-113 ~]# ipsec show
10.46.97.113/32 <=> 172.16.110.0/24 using reqid 16417
Actual results
"537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
- is blocked by RHEL-34057 Support using libreswan default values in NM-libreswan (Planning)