Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-32279

Support IPv6 in IPSec VPN via nmstate

    • nmstate-2.2.32-1.el9
    • High
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 2
    • False
    • Hide

      None

      Show
      None
    • None
    • NMT - RHEL-9.5 DTM 14
    • Hide

      Given a system administrator configuring an OpenShift node for an IPSec tunnel using the NodeNetworkConfigurationPolicy with specific IPv4/IPv6 settings on both traffic and tunnel,  

      When the configuration is applied and the connection attempt is made between the two specified IPv4/IPv6 endpoints, 

      Then the tunnel is established successfully without errors and IPv4/IPv6 traffic is able to pass through the tunnel. 

       

      Definition of Done:

      • The implementation meets the acceptance criteria
      • The integration tests are written and pass
      •  The fix is part of a downstream build attached to an errata
      • The fix is backported into RHEL-9.4 as a batch update to be consumed by OCP 4.16
      Show
      Given a system administrator configuring an OpenShift node for an IPSec tunnel using the NodeNetworkConfigurationPolicy with specific IPv4/IPv6 settings on both traffic and tunnel,   When the configuration is applied and the connection attempt is made between the two specified IPv4/IPv6 endpoints,  Then the tunnel is established successfully without errors and IPv4/IPv6 traffic is able to pass through the tunnel.    Definition of Done : The implementation meets the acceptance criteria The integration tests are written and pass  The fix is part of a downstream build attached to an errata The fix is backported into RHEL-9.4 as a batch update to be consumed by OCP 4.16
    • Pass
    • Automated
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Filing this bug to track IPv6 support via nmstate. In 4.15 we decided to support this in z streams or 4.16

      Please provide the package NVR for which bug is seen:

      sh-5.1# rpm -qa | grep -i libre
      libreswan-4.12-1.el9.x86_64
      NetworkManager-libreswan-1.2.18-2.el9.x86_64

      How reproducible: Always

      Steps to reproduce

      1. nncp config at left side

      kind: NodeNetworkConfigurationPolicy
      apiVersion: nmstate.io/v1
      metadata:
        name: "ipsec-policy-transport"
      spec:
        nodeSelector:
          kubernetes.io/hostname: "worker-0.offload.openshift-qe.sdn.com"
        desiredState:
          interfaces:
          - name: pluto-VM-transport
            type: ipsec
            libreswan:
              left: fd2e:6f44:5dd8:c956::17
              leftid: '%fromcert'
              leftmodecfgclient: false
              leftrsasigkey: '%cert'
              leftcert: worker0
              hostaddrfamily: ipv6
              clientaddrfamily: ipv6
              right: fd2e:6f44:5dd8:c956::18
              rightid: '%fromcert'
              rightrsasigkey: '%cert'
              rightsubnet: fd2e:6f44:5dd8:c956::18/128
              ike: aes_gcm256-sha2_256
              esp: aes_gcm256
              ikev2: insist
              type: transport

      2. Config at right side

       

      sh-5.1# cat /etc/ipsec.d/nstest.conf 
      conn worker-VM
              type=transport
              left=fd2e:6f44:5dd8:c956::18
              leftid=%fromcert
              leftrsasigkey=%cert
              leftcert=worker1
              hostaddrfamily=ipv6    <<<<<<<<<<<
              clientaddrfamily=ipv6  <<<<<<<<<<<
              right=fd2e:6f44:5dd8:c956::17
              rightid=%fromcert
              rightrsasigkey=%cert
              ike=aes_gcm256-sha2_256
              esp=aes_gcm256
              ikev2=insist
              auto=start
      sh-5.1# 

      3. nncp gets established but tunnel underneath doesn't. Please check ipsec journals at http://10.19.166.176/~anusaxen/ipsec.log

      Expected results: Tunnels should be stablished

      Actual results: Tunnel fails to establish

              fge@redhat.com Gris Ge
              anusaxen Anurag Saxena
              Gris Ge
              Network Management Team Network Management Team
              Mingyu Shi Mingyu Shi
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: