RHEL-26755

[RFE] Support for `leftsubnet` in IPSec configuration in NMState

    • nmstate-2.2.31-1.el9
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 2
    • False
    • No
    • NMT - RHEL-9.5 DTM 12

      User story:

      • As a system administrator, I want to configure IPsec tunnels between two subnets within our OpenShift cluster and an external partner network, so that all traffic between these subnets is securely encrypted.
      • As a system administrator, I need to define IPsec policies that apply to specific subnets within our network architecture, allowing for efficient management and implementation of security protocols across the cluster.

      Acceptance criteria:
      Given a system administrator managing IPsec configurations in a network environment with NMState,
      When they specify leftsubnet in combination with rightsubnet properties in the IPsec configuration,
      Then the net2net IPsec tunnel should be set up according to the subnet specifications.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Unit test and integration test are written and pass
      • The code is part of a downstream build attached to an errata
      • The Release Note Text is filled
      • The fix needs to be backported into RHEL-9.4
    • Pass
    • Automated
    • Enhancement
      .`nmstate` now supports the `leftsubnet` option

      You can define entire subnets for IPsec (Internet Protocol Security) connections when configuring Libreswan connections through the `nmstate` utility by using the `leftsubnet` option. This ensures secure communication between different network segments. The following example YAML file sets the `leftsubnet` option:

      ----
      interfaces:
      - name: hosta
         type: ipsec
         ipv4:
           enabled: true
           dhcp: true
         libreswan:
           left: 192.0.2.246
           leftid: _<hosta.example.org>_
           leftcert: _<hosta.example.org>_
           leftsubnet: 192.0.4.0/24
           leftmodecfgclient: no
           right: 192.0.2.157
           rightid: _<hostb.example.org>_
           rightsubnet: 192.0.3.0/24
           ikev2: insist
      ----

      Note that the IPsec technology requires a peer-to-peer configuration, including another server with appropriate IP addresses and IPsec settings.
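The following is an added example, not code from this issue or from nmstate itself. It takes the `libreswan` section of the release-note example above and does two things a practitioner wants before applying it: checks that the net2net definition is consistent (distinct endpoints, well-formed and non-overlapping `leftsubnet`/`rightsubnet`), and writes out the same tunnel from the peer host's point of view, which is the "another server with appropriate IP addresses and IPsec settings" the note's last sentence refers to. The sample values are the release note's documentation placeholders; the peer certificate nickname `hostb.example.org`, the helper names and the `PREFERRED_ORDER` key list are assumptions made for this example.

```python
"""Consistency check and peer derivation for an nmstate net2net Libreswan
definition. Added example; not part of the RHEL-26755 page or of nmstate."""
import ipaddress

# Constructed sample: the `libreswan` section of the release-note example
# (hosta side). Addresses are documentation placeholders, not real hosts.
HOSTA_LIBRESWAN = {
    "left": "192.0.2.246",
    "leftid": "hosta.example.org",
    "leftcert": "hosta.example.org",
    "leftsubnet": "192.0.4.0/24",
    "leftmodecfgclient": False,
    "right": "192.0.2.157",
    "rightid": "hostb.example.org",
    "rightsubnet": "192.0.3.0/24",
    "ikev2": "insist",
}

# Keys whose meaning is relative to "this host" / "the peer"; they swap when
# the same tunnel is written from the other host's point of view.
ROLE_PAIRS = (("left", "right"), ("leftid", "rightid"), ("leftsubnet", "rightsubnet"))

# Assumed output ordering, chosen to match the release-note listing.
PREFERRED_ORDER = ("left", "leftid", "leftcert", "leftsubnet", "leftmodecfgclient",
                   "right", "rightid", "rightsubnet", "ikev2")


def check_net2net(cfg):
    """Return a list of problems in a net2net definition; an empty list means consistent."""
    required = ("left", "right", "leftsubnet", "rightsubnet")
    problems = [f"missing {k}" for k in required if k not in cfg]
    if problems:
        return problems
    nets = {}
    for key in ("leftsubnet", "rightsubnet"):
        try:
            # strict=True rejects a prefix with host bits set, e.g. 192.0.4.1/24.
            nets[key] = ipaddress.ip_network(cfg[key], strict=True)
        except ValueError:
            problems.append(f"{key} {cfg[key]} is not a valid network prefix")
    try:
        left = ipaddress.ip_address(cfg["left"])
        right = ipaddress.ip_address(cfg["right"])
    except ValueError:
        problems.append("left or right is not a valid IP address")
    if problems:
        return problems
    if left == right:
        problems.append("left and right endpoints are the same address")
    if nets["leftsubnet"].version != nets["rightsubnet"].version:
        problems.append("leftsubnet and rightsubnet use different IP versions")
    elif nets["leftsubnet"].overlaps(nets["rightsubnet"]):
        # Overlapping protected subnets cannot be routed into the tunnel unambiguously.
        problems.append("leftsubnet and rightsubnet overlap")
    return problems


def mirror_for_peer(cfg, peer_cert):
    """Write the same tunnel from the peer's point of view.

    Role-relative keys swap sides; leftcert is host-local and is replaced by the
    peer's own certificate nickname (peer_cert, an assumed value); ikev2 and
    leftmodecfgclient keep their values, as both sides of a static net2net
    tunnel use the same settings."""
    swap = {a: b for a, b in ROLE_PAIRS}
    swap.update({b: a for a, b in ROLE_PAIRS})
    peer = {}
    for key, value in cfg.items():
        if key in swap:
            peer[swap[key]] = value
        elif key != "leftcert":
            peer[key] = value
    peer["leftcert"] = peer_cert
    ordered = {k: peer[k] for k in PREFERRED_ORDER if k in peer}
    ordered.update({k: v for k, v in peer.items() if k not in ordered})
    return ordered


def to_nmstate_yaml(name, libreswan):
    """Render an ipsec interface in the shape of the release-note listing.
    Minimal serializer (booleans as true/false) so no YAML library is needed."""
    def scalar(v):
        return "true" if v is True else "false" if v is False else str(v)
    lines = ["interfaces:", f"- name: {name}", "  type: ipsec",
             "  ipv4:", "    enabled: true", "    dhcp: true", "  libreswan:"]
    lines += [f"    {k}: {scalar(v)}" for k, v in libreswan.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = check_net2net(HOSTA_LIBRESWAN)
    print("hosta:", problems or "ok")
    hostb = mirror_for_peer(HOSTA_LIBRESWAN, "hostb.example.org")
    print("hostb:", check_net2net(hostb) or "ok")
    print(to_nmstate_yaml("hostb", hostb))
```

Running the block prints the hostb definition with `left`/`leftsubnet` and `right`/`rightsubnet` exchanged, which is the state file the peer host would apply; the checks are deliberately conservative and only flag what is unambiguously wrong for a net2net tunnel (a malformed or overlapping subnet, identical endpoints).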
    • Done
    • None

      To enhance NMState's capabilities in configuring IPsec for complex network architectures, particularly for net2net scenarios within OpenShift clusters, NMState needs to support the `leftsubnet` property. This feature will enable system administrators to specify entire subnets for IPsec tunnels, facilitating secure communication between different network segments.

      For more details on the use case, see https://docs.google.com/document/d/1togmmRF6u3gEorwQU2Zv1PQ--yILOC00GgykhwoAEAg/edit?usp=sharing

              Fernando Fernandez Mancera (ferferna)
              Stanislas Faye (rh-ee-sfaye)
              Network Management Team
              Mingyu Shi
              Jaroslav Klech