RHEL-26350

IPSec host2net config failing when applying with nmstate


      Given a system administrator configures an IPSec tunnel between a RHEL VM and an OCP node using nmstate,
      When they apply the IPSec host2net configuration that was previously working as expected with IPSec manually,
      Then the tunnel should be established successfully, mirroring the success of manual IPSec configuration, without encountering errors related to the deletion of Security Associations.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Unit test and integration test are written and pass
      • The code is part of a downstream build attached to an errata
      • The fix needs to be backported into RHEL-9.4
      Since we are changing default values of nmstate, a previously working ipsec setup nmstate YAML will not work anymore if that YAML was depending on NetworkManager-libreswan default values that differ from the libreswan daemon default values.

      The previous ipsec feature documentation should be tested and updated.

      What were you trying to do that didn't work?

      An IPSec tunnel host2net config works well between a RHEL VM and an OCP node when applying with ipsec; the same config fails when applying with nmstate, resulting in the following error:

      "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)

      Please provide the package NVR for which bug is seen:

      [root@dhcp-97-113 ~]# ipsec version
      Libreswan 4.9
      [root@dhcp-97-113 ~]# nmstatectl version
      nmstatectl 2.2.23

      How reproducible:

      Steps to reproduce

      1. Apply the following IPSec config on a RHEL 9.3 VM

      conn server01.cnf.com
          left=10.1.98.208
          leftid=%fromcert
          leftrsasigkey=%cert
          leftsubnet=172.16.110.0/24
          leftcert=server01.cnf.com
          rightrsasigkey=%cert
          right=10.46.97.113
          rightid=%fromcert
          authby=rsasig
          ike=aes256-sha1
          esp=aes256-sha1

      2. Apply the following IPSec nmstate config on an OCP 4.14 BM node

      interfaces:
        - name: hosta_conn
          type: ipsec
          libreswan:
            leftrsasigkey: '%cert'
            left: 10.46.97.113
            leftid: '%fromcert'
            leftcert: client01.cnf.com
            right: 10.1.98.208
            rightrsasigkey: '%cert'
            rightid: '%fromcert'
            rightsubnet: 172.16.110.0/24
            ikev2: insist
            ike: aes256-sha1
            esp: aes256-sha1

      3. IPSec log on the node

      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": IKE SA proposals (connection add):
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260":   1:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": Child SA proposals (connection add):
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260":   1:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": loaded private key matching left certificate 'client01.cnf.com'
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260": added IKEv2 connection
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiating IKEv2 connection
      Feb 22 10:46:57 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: sent IKE_SA_INIT request to 10.1.98.208:500
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: missing v2CP reply, not attempting to setup child SA
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: IKE SA established but initiator rejected Child SA response
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: deleting larval Child SA using IKE SA #1
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: ERROR: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
      Feb 22 10:46:58 dhcp-97-113.lab.eng.tlv2.redhat.com pluto[1930456]: "537e6bec-0bec-4e28-92e9-75e4ab442260" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0xbd249048) but corresponding state not found
      

      Expected results

      The tunnel should be created.

      When applying the following IPSec config on the OCP node, the tunnel is configured successfully

      conn client01.cnf.com
          leftrsasigkey=%cert
          left=10.46.97.113
          leftid=%fromcert
          leftcert=client01.cnf.com
          right=10.1.98.208
          rightrsasigkey=%cert
          rightid=%fromcert
          rightsubnet=172.16.110.0/24
          ikev2=insist
          ike=aes256-sha1
          esp=aes256-sha1
      [root@dhcp-97-113 ~]# ipsec show
      10.46.97.113/32 <=> 172.16.110.0/24 using reqid 16417

      Actual results

      "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
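      Added example, not code from the ticket, nmstate or libreswan: a small Python script that parses the working ipsec.conf conn and the failing nmstate libreswan section quoted in the reproduction steps above, reports key by key that the explicit settings are the same, so whatever still differs is in the defaults the two front ends fill in (the point of the release note above), and classifies the pluto messages to show that the IKE SA came up and the Child SA was rejected on a missing v2CP reply, with the errno 3 Del SA message following from that rejection rather than causing it. The YAML reader is a minimal line-oriented one written for this example (no PyYAML), the inputs are constructed from the ticket's own configurations, and the log excerpt strips the journald timestamp and host prefix.

```python
"""Compare a libreswan ``conn`` with an nmstate ``libreswan:`` section key by
key, and triage a pluto log for where IKEv2 stopped.  Added example, not code
from the RHEL-26350 ticket, nmstate or libreswan; inputs are constructed."""
import re

IPSEC_CONF = """\
conn client01.cnf.com
    leftrsasigkey=%cert
    left=10.46.97.113
    leftid=%fromcert
    leftcert=client01.cnf.com
    right=10.1.98.208
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=172.16.110.0/24
    ikev2=insist
    ike=aes256-sha1
    esp=aes256-sha1
"""
NMSTATE_YAML = """\
interfaces:
  - name: hosta_conn
    type: ipsec
    libreswan:
      leftrsasigkey: '%cert'
      left: 10.46.97.113
      leftid: '%fromcert'
      leftcert: client01.cnf.com
      right: 10.1.98.208
      rightrsasigkey: '%cert'
      rightid: '%fromcert'
      rightsubnet: 172.16.110.0/24
      ikev2: insist
      ike: aes256-sha1
      esp: aes256-sha1
"""
# Message part of four pluto lines from the ticket (journald prefix stripped).
PLUTO_LOG = """\
"537e6bec-0bec-4e28-92e9-75e4ab442260" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature
"537e6bec-0bec-4e28-92e9-75e4ab442260" #2: missing v2CP reply, not attempting to setup child SA
"537e6bec-0bec-4e28-92e9-75e4ab442260" #1: IKE SA established but initiator rejected Child SA response
ERROR: "537e6bec-0bec-4e28-92e9-75e4ab442260" #2: netlink response for Del SA esp.bd249048@10.1.98.208: No such process (errno 3)
"""

def parse_conn(text):
    """Return {conn_name: {key: value}} for each ``conn`` block in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and trailing blanks
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_nmstate_libreswan(text):
    """{key: value} of the first ``libreswan:`` mapping (line-oriented, no PyYAML)."""
    opts, base = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if base is None:
            if raw.strip() == "libreswan:":
                base = indent
            continue
        if indent <= base:  # dedented: the mapping has ended
            break
        key, _, value = raw.strip().partition(":")
        opts[key.strip()] = value.strip().strip("'\"")  # unquote '%cert' etc.
    return opts

def compare_settings(conn, nm):
    """Keys set on one side only, on both with different values, or identical.
    All identical means any behaviour gap comes from front-end defaults."""
    both = set(conn) & set(nm)
    return {
        "only_in_conn": sorted(set(conn) - set(nm)),
        "only_in_nmstate": sorted(set(nm) - set(conn)),
        "differing": sorted(k for k in both if conn[k] != nm[k]),
        "identical": sorted(k for k in both if conn[k] == nm[k]),
    }

def triage_pluto_log(text):
    """Say how far the IKEv2 initiator got, from the messages pluto logs."""
    lines = text.splitlines()
    r = {
        "ike_sa_established": any("established IKE SA" in l for l in lines),
        "missing_cp_reply": any("missing v2CP reply" in l for l in lines),
        # Del SA on a larval Child SA the kernel never installed gives errno 3;
        # it follows from the rejected Child SA and is not the root failure.
        "del_sa_errno3": any("Del SA" in l and "errno 3" in l for l in lines),
    }
    if r["ike_sa_established"] and r["missing_cp_reply"]:
        r["stage"] = "child-sa-rejected: initiator expected a v2CP reply the peer did not send"
    else:
        r["stage"] = "ike-sa-up" if r["ike_sa_established"] else "ike-sa-failed"
    return r
```

      Feed parse_conn your own ipsec.conf text and parse_nmstate_libreswan the YAML you apply with nmstatectl; an empty "only_in_nmstate" and "differing" result with the tunnel still failing is the signal that the difference lies in defaults, which is what the release note describes.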

            People: Stanislas Faye (rh-ee-sfaye), Sabina Aledort (saledort@redhat.com), Network Management Team, Mingyu Shi
            Votes: 0
            Watchers: 10