RHEL-67307

Support creating both ends of IPsec (Libreswan) tunnels with NM


    • NetworkManager-libreswan-1.2.29-1.el10
    • No
    • Moderate
    • ZStream
    • rhel-net-mgmt
    • ssg_networking

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      The acceptance criteria defined below are met.
      Given that an NNCP is set up to configure both ends of an IPsec VPN connection between nodes,
      When the policy is applied to nodes with the required certificates in place and the option to keep the IPsec connection even when authentication fails,
      Then NetworkManager-libreswan should keep the IPsec connection between both nodes.

      Integration test case is available upstream
      Code is reviewed and merged
      Preliminary testing is done
      ( ) A demo is recorded
    • Pass
    • Automated
    • Enhancement
      `NetworkManager-libreswan` supports on-demand IPsec connections::
      +
      With this enhancement, you can use the `NetworkManager-libreswan` plugin to start Libreswan IPsec connections in listening mode. Previously, NetworkManager failed to activate a connection if the remote endpoint was unreachable. By setting the new `nm-connect-mode` property to `ondemand` in the connection profile, the tunnel remains active in a listening state after an initial failure. This ensures the system can still accept incoming connection requests even if it could not initiate the primary tunnel.
    • Done
    • Done
    • Done
    • Not Required
    • None

      What were you trying to do that didn't work?

      Trying to deploy the NodeNetworkConfigurationPolicy below on a node, but nmstate failed to configure it on libreswan.

      kind: NodeNetworkConfigurationPolicy
      apiVersion: nmstate.io/v1
      metadata:
        name: left-node-ipsec-policy
      spec:
        nodeSelector:
          kubernetes.io/hostname: ip-10-0-47-152.us-east-2.compute.internal
        desiredState:
          interfaces:
          - name: hosta_conn
            type: ipsec
            ipv4:
              enabled: true
              dhcp: true
            libreswan:
              leftrsasigkey: '%cert'
              left: 10.0.47.152
              leftid: '%fromcert'
              leftcert: left_server
              leftmodecfgclient: false
              right: 10.0.77.184
              rightrsasigkey: '%cert'
              rightid: '%fromcert'
              rightsubnet: 10.0.77.184/32
              ike: aes_gcm256-sha2_256
              esp: aes_gcm256
              ikev2: insist
              type: transport

      What is the impact of this issue to you?

      NNCP deployment failed with following conditions.

      status:
        conditions:
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          reason: FailedToConfigure
          status: "False"
          type: Available
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          message: 1/1 nodes failed to configure
          reason: FailedToConfigure
          status: "True"
          type: Degraded
        - lastHeartbeatTime: "2024-11-13T09:54:13Z"
          lastTransitionTime: "2024-11-13T09:54:13Z"
          reason: ConfigurationProgressing
          status: "False"
          type: Progressing
        lastUnavailableNodeCountUpdate: "2024-11-13T03:57:24Z"

      The following error is seen from pluto.log.

      X509: authentication failed; peer certificate subjectAltName extension does not match ID_FQDN

      For more information, refer to this discussion thread: https://redhat-internal.slack.com/archives/CP7329Z5Z/p1731083204007419
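      The failure above shows up in two places: the NNCP status conditions (Degraded=True, reason FailedToConfigure) and the X509 authentication error in pluto.log. The following script is an added triage helper, not part of this issue or of nmstate/NetworkManager-libreswan: it checks the status conditions and scans pluto.log lines for the X509 failure so that a certificate/ID mismatch is flagged before anyone starts debugging the IKE exchange. The status dict mirrors the conditions quoted in this issue; the log lines are constructed samples, and the `"hosta_conn" #1:` prefix and timestamps are assumed formatting, not copied from a real pluto.log.

```python
import re
from typing import Iterable

# Constructed sample: the NNCP status conditions reported in this issue,
# embedded as a Python dict so the example runs without PyYAML.
NNCP_STATUS = {
    "conditions": [
        {"type": "Available", "status": "False", "reason": "FailedToConfigure"},
        {"type": "Degraded", "status": "True", "reason": "FailedToConfigure",
         "message": "1/1 nodes failed to configure"},
        {"type": "Progressing", "status": "False",
         "reason": "ConfigurationProgressing"},
    ]
}

# Constructed sample pluto.log lines: the X509 message quoted in this issue
# plus neutral surrounding lines. The connection-name prefix and timestamps
# are assumptions about log layout, not taken from the issue.
PLUTO_LOG = """\
Nov 13 09:54:10 pluto[1234]: "hosta_conn" #1: initiating IKEv2 connection
Nov 13 09:54:11 pluto[1234]: "hosta_conn" #1: X509: authentication failed; peer certificate subjectAltName extension does not match ID_FQDN
Nov 13 09:54:11 pluto[1234]: "hosta_conn" #1: deleting IKE SA
"""

# Matches the libreswan X509 failure and captures the connection name,
# the SA number and the free-text reason that follows the semicolon.
X509_FAIL = re.compile(
    r'"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+X509: authentication failed;\s*(?P<detail>.*)$'
)


def nncp_failed(status: dict) -> tuple[bool, str]:
    """Return (True, reason and message) when the NNCP reports Degraded=True."""
    for cond in status.get("conditions", []):
        if cond.get("type") == "Degraded" and cond.get("status") == "True":
            msg = f"{cond.get('reason', '')}: {cond.get('message', '')}"
            return True, msg.strip(": ")
    return False, ""


def x509_failures(lines: Iterable[str]) -> list[dict]:
    """Collect every X509 authentication failure found in pluto.log lines."""
    found = []
    for line in lines:
        m = X509_FAIL.search(line)
        if m:
            found.append({"conn": m["conn"], "sa": int(m["sa"]),
                          "detail": m["detail"]})
    return found


def triage(status: dict, log_text: str) -> dict:
    """Combine the NNCP status and pluto.log into one verdict."""
    degraded, message = nncp_failed(status)
    auth = x509_failures(log_text.splitlines())
    # A subjectAltName/ID mismatch is a certificate or ID configuration
    # problem on one side of the tunnel, not a crypto negotiation failure.
    mismatch = any("subjectAltName" in f["detail"] for f in auth)
    return {"nncp_degraded": degraded, "nncp_message": message,
            "auth_failures": auth, "cert_id_mismatch": mismatch}


if __name__ == "__main__":
    for key, value in triage(NNCP_STATUS, PLUTO_LOG).items():
        print(f"{key}: {value}")
```

      Run against a real cluster, the status dict would come from `kubectl get nncp <name> -o yaml` and the log text from the node's pluto.log; when `cert_id_mismatch` is true, the certificate's subjectAltName and the configured left/right ID values are the first thing to compare.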


              Network Management Team (nm-team)
              Periyasamy Palanisamy (pepalani@redhat.com)
              Network Management Team
              Vladimir Benes
              Marc Muehlfeld
              Votes: 0
              Watchers: 19