RHEL-67307

Cannot use nmstate to create both end of ipsec transport VPN

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given that an NNCP is set up to configure both ends of an IPSec VPN connection between nodes,

      When the policy is applied to nodes with the required certificates in place and the option to keep the IPSec connection even when authentication fails,

      Then NetworkManager-libreswan should keep the IPSec connection between both nodes.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Integration tests are written and pass
      • The code is part of a downstream build attached to an errata

      ( ) Code changes are included in a downstream build attached to an errata.

      ( ) All required testing (manual and/or automated) passes successfully.

      ( ) Related documentation updates (if applicable) have been completed.


      What were you trying to do that didn't work?

      Trying to deploy the NodeNetworkConfigurationPolicy below on a node, but nmstate failed to configure it in libreswan.

      kind: NodeNetworkConfigurationPolicy
      apiVersion: nmstate.io/v1
      metadata:
        name: left-node-ipsec-policy
      spec:
        nodeSelector:
          kubernetes.io/hostname: ip-10-0-47-152.us-east-2.compute.internal
        desiredState:
          interfaces:
          - name: hosta_conn
            type: ipsec
            ipv4:
              enabled: true
              dhcp: true
            libreswan:
              leftrsasigkey: '%cert'
              left: 10.0.47.152
              leftid: '%fromcert'
              leftcert: left_server
              leftmodecfgclient: false
              right: 10.0.77.184
              rightrsasigkey: '%cert'
              rightid: '%fromcert'
              rightsubnet: 10.0.77.184/32
              ike: aes_gcm256-sha2_256
              esp: aes_gcm256
              ikev2: insist
              type: transport

      What is the impact of this issue to you?

      NNCP deployment failed with the following conditions.

      status:
        conditions:
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          reason: FailedToConfigure
          status: "False"
          type: Available
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          message: 1/1 nodes failed to configure
          reason: FailedToConfigure
          status: "True"
          type: Degraded
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          reason: ConfigurationProgressing
          status: "False"
          type: Progressing
        lastUnavailableNodeCountUpdate: "2024-11-13T03:57:24Z"

      The following error is seen from pluto.log.

      X509: authentication failed; peer certificate subjectAltName extension does not match ID_FQDN

      For more information, refer to this discussion thread: https://redhat-internal.slack.com/archives/CP7329Z5Z/p1731083204007419


      People: Stanislas Faye (rh-ee-sfaye), Periyasamy Palanisamy (pepalani@redhat.com), Network Management Team, Vladimir Benes