RHEL-69621

Need support on host to subnet IPv6 IPSec tunnel

    • No
    • Moderate
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 2
    • False
    • None
    • NMT SST - Future releases

      Given a configured IPv6 IPSec tunnel setup between a host and a subnet,

      When NetworkManager is used to activate the connection,

      Then, the tunnel should establish successfully, with the `ip x p` command showing the expected routes and security parameters.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Integration tests are written and pass 
      • The code is part of a downstream build attached to an errata
      • The fix is backported into RHEL-9.4
    • None
    • None
    • None

      What were you trying to do that didn't work?

      When setting up a /128 to /64 ipsec tunnel, NetworkManager fails the connection activation with:

      Dec 02 10:50:08 sabina-worker-0.karmalabs.local NetworkManager[1299715]: nm-libreswan[1299715] <warn> IPsec/Pluto Right Peer (VPN Gateway) is missing

      What is the impact of this issue to you?

      That’s for the OpenShift telco use case, no client is currently waiting for a fix but they might start working on it soon

      Please provide the package NVR for which the bug is seen:

      NetworkManager-libreswan-1.2.18-3.el9_4.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      • Set up ipsec PKI
      • On the IPSec server side, create /etc/ipsec.d/test.conf
      conn sabina-worker-0.karmalabs.local
          hostaddrfamily=ipv6
          clientaddrfamily=ipv6
          left=2001:db8:d::b
          leftid=%fromcert
          leftrsasigkey=%cert
          leftsubnet=fc00::1/7
          leftcert=server01.cnf.com
          rightrsasigkey=%cert
          right=2001:db8:d::c
          rightid=%fromcert
          ikev2=insist
          auto=start
          ike=aes_gcm256-sha2_256
          esp=aes_gcm256
          leftmodecfgserver=no
          rightmodecfgclient=no
      
      • Run `nmstatectl apply` on this YAML file:
      interfaces:
      - name: hosta_conn
        type: ipsec
        libreswan:
          hostaddrfamily: ipv6
          clientaddrfamily: ipv6
          left: 2001:db8:d::c
          leftid: '%fromcert'
          leftcert: client01.cnf.com
          leftmodecfgclient: false
          leftrsasigkey: '%cert'
          right: 2001:db8:d::b
          rightid: '%fromcert'
          rightrsasigkey: '%cert'
          rightsubnet: fc00::1/7
          ikev2: insist
          type: tunnel
      
      • Check the ipsec connection with the `ip x p` command.

      Expected results

      The ipsec connection is established, with `ip x p` output:

      src fc00::/7 dst 2001:db8:d::c/128
      	dir out priority 1765889 ptype main
      	tmpl src 2001:db8:d::b dst 2001:db8:d::c
      		proto esp reqid 16389 mode tunnel
      src 2001:db8:d::c/128 dst fc00::/7
      	dir fwd priority 1765889 ptype main
      	tmpl src 2001:db8:d::c dst 2001:db8:d::b
      		proto esp reqid 16389 mode tunnel
      src 2001:db8:d::c/128 dst fc00::/7
      	dir in priority 1765889 ptype main
      	tmpl src 2001:db8:d::c dst 2001:db8:d::b
      		proto esp reqid 16389 mode tunnel
      

      Actual results

      NetworkManager fails the activation of the ipsec connection.

              rh-ee-sfaye Stanislas Faye
              fge@redhat.com Gris Ge
              Network Management Team
              Vladimir Benes
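
An added example, not part of the original report or of NetworkManager, nmstate or libreswan: a Python check for the acceptance criterion above that parses `ip x p` text and reports which of the out/in/fwd ESP tunnel policies are missing for a host-to-subnet pair, since a missing direction means that traffic is not covered by the tunnel. The function names are hypothetical, and the embedded sample is constructed from the expected output listed in the report, so the arguments are given from the perspective of the host that shows that output.

```python
import ipaddress

# Constructed sample: the `ip x p` output the report lists under "Expected results".
SAMPLE = """\
src fc00::/7 dst 2001:db8:d::c/128
    dir out priority 1765889 ptype main
    tmpl src 2001:db8:d::b dst 2001:db8:d::c
        proto esp reqid 16389 mode tunnel
src 2001:db8:d::c/128 dst fc00::/7
    dir fwd priority 1765889 ptype main
    tmpl src 2001:db8:d::c dst 2001:db8:d::b
        proto esp reqid 16389 mode tunnel
src 2001:db8:d::c/128 dst fc00::/7
    dir in priority 1765889 ptype main
    tmpl src 2001:db8:d::c dst 2001:db8:d::b
        proto esp reqid 16389 mode tunnel
"""

def parse_policies(text):
    """Parse `ip xfrm policy` text into one dict per policy."""
    policies = []
    for line in text.splitlines():
        tok = line.split() or [""]  # blank lines match no branch below
        if tok[0] == "src" and not line[0].isspace():  # selector line opens a policy
            policies.append({"sel": (ipaddress.ip_network(tok[1], strict=False),
                                     ipaddress.ip_network(tok[3], strict=False))})
        elif policies and tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
        elif policies and tok[0] == "tmpl":
            policies[-1]["tmpl"] = (ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[4]))
        elif policies and tok[0] == "proto":
            policies[-1]["proto"] = tok[1]
            policies[-1]["mode"] = tok[tok.index("mode") + 1] if "mode" in tok else None
    return policies

def missing_policies(text, local_ep, remote_ep, local_sel, remote_sel):
    """Return the directions (out/in/fwd) with no matching ESP tunnel policy."""
    lep, rep = ipaddress.ip_address(local_ep), ipaddress.ip_address(remote_ep)
    # strict=False normalises a selector written with host bits set (fc00::1/7 -> fc00::/7)
    lsel = ipaddress.ip_network(local_sel, strict=False)
    rsel = ipaddress.ip_network(remote_sel, strict=False)
    want = {"out": ((lsel, rsel), (lep, rep)),
            "in": ((rsel, lsel), (rep, lep)),
            "fwd": ((rsel, lsel), (rep, lep))}
    found = {p["dir"] for p in parse_policies(text)
             if p.get("dir") in want
             and (p["sel"], p.get("tmpl")) == want[p["dir"]]
             and p.get("proto") == "esp" and p.get("mode") == "tunnel"}
    return sorted(set(want) - found)
```

On a live host the text would come from `ip x p`; an empty return list means all three directions are present for the pair.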