RHEL / RHEL-28898

RFE: nmstate support libreswan configurations with leftcert&rightcert

    • nmstate-2.2.30-1.el9
    • ZStream
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 3
    • False
    • No
    • Red Hat Enterprise Linux
    • NMT - RHEL-9.5 DTM 10
    • Approved Blocker

      User story:

      As an OpenShift administrator,

      I want to securely connect my OpenShift cluster to a Single Node OpenShift (SNO) instance using nmstate to configure IPsec connections with certificate-based authentication,

      So that I can ensure secure communication channels between my cluster and SNO, with both ends authenticated by X.509 certificates (mutual certificate authentication in IKE, loosely referred to as mTLS in this context).

      Acceptance criteria:

      Given a system with nmstate and NetworkManager-libreswan installed,

      When a network administrator configures an IPsec connection through nmstate with certificate-based authentication, specifying the `leftcert` and `rightcert` parameters,

      Then nmstate must accept these parameters and apply them to the IPsec configuration, so that host-to-host VPN connections can use mutual certificate authentication.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Unit tests and integration tests are written and pass
      • The code is part of a downstream build attached to an errata
      • The code is backported into RHEL-9.2
      • The release note text is filled in and the nmstate.io documentation is updated
    • Pass
    • None
    • Enhancement
      .The `nmstate` utility now supports the `rightcert` option

      You can use the `rightcert` option when configuring Libreswan connections through the `nmstate` utility. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using a certificate. As with the existing `leftcert` option, the value is the nickname of the certificate in the NSS database that Libreswan uses. The following example YAML file sets the `rightcert` option:

      ----
      ---
      interfaces:
      - name: hosta_conn
        type: ipsec
        ipv4:
          enabled: true
          dhcp: true
        libreswan:
          left: 192.0.2.1
          leftid: '%fromcert'
          leftrsasigkey: '%cert'
          leftmodecfgclient: false
          leftcert: leftcert.example.com
          right: 192.0.2.2
          rightid: '%fromcert'
          rightrsasigkey: '%cert'
          rightcert: rightcert.example.com
          rightsubnet: 192.0.2.2/32
      ----
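      As an added example (not part of the release note, the nmstate project, or the reporter's own configuration), the following Python script takes the desired state above as a plain dictionary, which is the form `libnmstate.apply()` accepts, checks that both ends of the connection are actually set up for certificate authentication, and renders the equivalent native Libreswan `conn` block of the kind shown in the bug description below. The `check_mutual_cert_auth` and `render_ipsec_conf` helper names are assumptions for illustration; the `libreswan` key names are the same ones the release note uses, and they mirror the `ipsec.conf` options of the same name.

```python
"""Sanity-check an nmstate IPsec desired state for mutual certificate
authentication and render the matching native libreswan ``conn`` block.

Added example, not nmstate project code. The sample state is constructed
from the release-note YAML; ``ikev2: insist`` is taken from the bug report.
"""

# Constructed sample input: the hosta_conn desired state as a Python dict.
DESIRED_STATE = {
    "interfaces": [
        {
            "name": "hosta_conn",
            "type": "ipsec",
            "ipv4": {"enabled": True, "dhcp": True},
            "libreswan": {
                "left": "192.0.2.1",
                "leftid": "%fromcert",
                "leftrsasigkey": "%cert",
                "leftmodecfgclient": False,
                "leftcert": "leftcert.example.com",
                "right": "192.0.2.2",
                "rightid": "%fromcert",
                "rightrsasigkey": "%cert",
                "rightcert": "rightcert.example.com",
                "rightsubnet": "192.0.2.2/32",
                "ikev2": "insist",
            },
        }
    ]
}


def check_mutual_cert_auth(libreswan):
    """Return a list of problems; an empty list means both peers are
    authenticated by certificate (hypothetical helper, not an nmstate API).

    The checks encode how the libreswan options fit together: ``<side>cert``
    names the certificate (NSS nickname), ``<side>rsasigkey=%cert`` tells
    libreswan to take the public key from that certificate, and
    ``<side>id=%fromcert`` derives the IKE identity from it.
    """
    problems = []
    for side in ("left", "right"):
        if not libreswan.get(f"{side}cert"):
            problems.append(
                f"{side}cert missing: the {side} peer is not authenticated by certificate"
            )
            continue
        if libreswan.get(f"{side}rsasigkey") != "%cert":
            problems.append(f"{side}rsasigkey must be %cert so the key comes from {side}cert")
        if libreswan.get(f"{side}id") != "%fromcert":
            problems.append(f"{side}id should be %fromcert so the identity comes from the certificate")
    if "psk" in libreswan:
        problems.append("psk is set alongside certificates; use one authentication method")
    return problems


def render_ipsec_conf(iface):
    """Render the nmstate ``libreswan`` section as a native ``conn`` block.

    Booleans become yes/no as ipsec.conf expects; ``auto=start`` is added as
    in the reporter's hand-written configuration (nmstate has no such key).
    """
    lines = [f"conn {iface['name']}", "    auto=start"]
    for key, value in iface["libreswan"].items():
        if isinstance(value, bool):
            value = "yes" if value else "no"
        lines.append(f"    {key}={value}")
    return "\n".join(lines)


if __name__ == "__main__":
    iface = DESIRED_STATE["interfaces"][0]
    for problem in check_mutual_cert_auth(iface["libreswan"]):
        print("WARNING:", problem)
    print(render_ipsec_conf(iface))
```

      Dropping `rightcert` from the sample (which is what the original nmstate limitation forced users into) makes `check_mutual_cert_auth` report that the right peer is no longer authenticated by certificate, which is the security-relevant difference this RFE closes.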


    • Done
    • All
    • None

      What were you trying to do that didn't work?

      I was trying to configure an IPSec configuration through nmstate with nmstate Libreswan.

      With native ipsec configurations it is possible to define something like:


      conn host-to-host-cert
              auto=start
              leftid=%fromcert
              left=192.168.126.10
              leftrsasigkey=%cert
              leftcert=south
              rightid=%fromcert
              right=192.168.126.1
              rightrsasigkey=%cert
              rightcert=north

      Which is a really basic implementation of certificate-based verification of the hosts.


      However, this is not possible in nmstate due to (not only, but importantly) the rightcert field not being supported:

      https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/blob/main/shared/nm-service-defines.h?ref_type=heads#L37-44

      https://github.com/nmstate/nmstate/blob/6a1d3c70be068b8dd25f5989bd8ba654a914a926/rust/src/lib/ifaces/ipsec.rs#L86

      Please provide the package NVR for which bug is seen:

      This is an issue in all versions of nmstate and NetworkManager-libreswan

      How reproducible: 100%

      Steps to reproduce

      Try to configure right-cert for an nmstate configuration

          interfaces:
          - name: hosta_conn
            type: ipsec
            ipv4:
              enabled: true
              dhcp: true
            libreswan:
              left: 10.1.39.96
              leftid: '%fromcert'
              leftrsasigkey: '%cert'
              leftmodecfgclient: false
              leftcert: sno.ipsec.scalelab.redhat.com
              right: 10.1.36.25
              rightid: '%fromcert'
              rightrsasigkey: '%cert'
              rightcert: north.ipsec.scalelab.redhat.com
              rightsubnet: 10.1.36.25/32
              ikev2: insist
              ike: aes256-sha1
              esp: aes256-sha1


      Unrelated to this specific issue but still problematic in my view: it should be noted that a rightsubnet definition of 10.1.36.25/32 should also not be necessary, and imo it should be resolved automatically in the code if it's really a mandatory field for nmstate. IMO a user should not have to define a /32 CIDR for this field if true Host-To-Host VPNs are targeted. Similarly, leftmodecfgclient should not be necessary by default. Currently this makes it really weird for users coming from native ipsec to nmstate.

      Expected results

      mTLS Host to Host VPN network configurations should work ootb

      Actual results

      rightcert field is not supported.

              ihuguet@redhat.com Inigo Huguet
              rh-ee-jmoller Jakob Moeller (Inactive)
              Network Management Team
              Mingyu Shi
              Jaroslav Klech
              Votes: 0
              Watchers: 14