  1. RHEL
  2. RHEL-79942

Failed to set up ipsec 4in6 subnet tunnel


    • No
    • Moderate
    • 1
    • rhel-net-mgmt
    • ssg_networking
    • None
    • False
    • False
    • None
    • NMT SST - Refine next
    • Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given a system administrator applies a valid IPsec 6in4 tunnel configuration using nmstatectl, 

      When NetworkManager attempts to apply the profile using the libreswan plugin,

      Then the tunnel must be successfully created or clear failure reasons must be exposed through logs. 


      ( ) Integration test case is available upstream


      ( ) Code is reviewed and merged upstream


      ( ) Preliminary testing is done


      ( ) Upstream documentation is written in the upstream MR


      ( ) A demo is recorded


      What were you trying to do that didn't work?

      Cannot set up an IPsec 6in4 subnet tunnel via nmstatectl.

      RHEL 10 works well if using ipsec.conf directly:

      conn hosta
          ikev2=insist
          left=2001:db8:d::a
          leftid=@hosta.example.org
          leftcert=hosta.example.org
          leftsubnet=192.0.6.0/24
          leftmodecfgclient=false
          right=2001:db8:d::b
          rightid=@hostb.example.org
          rightsubnet=192.0.5.0/24
      

      What is the impact of this issue to you?

      Regression

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      100%

      Steps to reproduce

      echo "
      ---
      interfaces:
      - name: hosta_conn
        type: ipsec
        ipv4:
          enabled: true
          dhcp: true
        libreswan:
          ikev2: insist
          left: 2001:db8:d::a
          leftid: '@hosta.example.org'
          leftcert: hosta.example.org
          leftsubnet: 192.0.6.0/24
          leftmodecfgclient: false
          right: 2001:db8:d::b
          rightid: '@hostb.example.org'
          rightsubnet: 192.0.5.0/24" | sudo nmstatectl apply -
      

      Expected results

      `ip x p` indicates that the 6in4 IPsec tunnel has been created

      Actual results

      src 192.0.6.0/24 dst 192.0.5.0/24
          dir out priority 1757393 ptype main
          tmpl src 2001:db8:d::a dst 2001:db8:d::b
              proto esp reqid 16389 mode tunnel
      src 192.0.5.0/24 dst 192.0.6.0/24
          dir fwd priority 1757393 ptype main
          tmpl src 2001:db8:d::b dst 2001:db8:d::a
              proto esp reqid 16389 mode tunnel
      src 192.0.5.0/24 dst 192.0.6.0/24
          dir in priority 1757393 ptype main
          tmpl src 2001:db8:d::b dst 2001:db8:d::a
              proto esp reqid 16389 mode tunnel
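
One way to automate the `ip x p` check named under "Expected results", as an added example that is not part of the original report or of nmstate: it parses `ip xfrm policy` text and lists which of the out/fwd/in tunnel-mode policies are absent for the addresses in the reported configuration. The function names and the sample input (constructed, with the `in` policy left out and a per-socket policy added) are assumptions.

```python
import ipaddress

# Constructed sample in `ip xfrm policy` format: the "in" policy is left out
# and a per-socket policy (which has no "dir" line) is added.
SAMPLE = """\
src 192.0.6.0/24 dst 192.0.5.0/24
    dir out priority 1757393 ptype main
    tmpl src 2001:db8:d::a dst 2001:db8:d::b
        proto esp reqid 16389 mode tunnel
src 192.0.5.0/24 dst 192.0.6.0/24
    dir fwd priority 1757393 ptype main
    tmpl src 2001:db8:d::b dst 2001:db8:d::a
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    socket in priority 0 ptype main
"""

def parse_xfrm_policies(text):
    """Return one dict per policy: selector, direction, template, mode."""
    policies = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 4 and tok[0] == "src" and tok[2] == "dst":
            # A selector line starts a new policy.
            sel = tuple(ipaddress.ip_network(t, strict=False) for t in (tok[1], tok[3]))
            policies.append({"sel": sel, "dir": None, "tmpl": None, "mode": None})
        elif not tok or not policies:
            continue
        elif tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
        elif tok[:2] == ["tmpl", "src"] and len(tok) >= 5:
            policies[-1]["tmpl"] = (ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[4]))
        elif "mode" in tok[:-1]:
            policies[-1]["mode"] = tok[tok.index("mode") + 1]
    return policies

def missing_directions(policies, left, right, leftsubnet, rightsubnet):
    """List the directions lacking a tunnel-mode policy, seen from the left host."""
    la, ra = ipaddress.ip_address(left), ipaddress.ip_address(right)
    ls, rs = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    # Outbound traffic goes left -> right; forwarded and inbound go right -> left.
    want = {"out": ((ls, rs), (la, ra)), "fwd": ((rs, ls), (ra, la)), "in": ((rs, ls), (ra, la))}
    found = {p["dir"] for p in policies
             if p["dir"] in want and p["mode"] == "tunnel"
             and (p["sel"], p["tmpl"]) == want[p["dir"]]}
    return [d for d in ("out", "fwd", "in") if d not in found]

if __name__ == "__main__":
    print(missing_directions(parse_xfrm_policies(SAMPLE), "2001:db8:d::a",
                             "2001:db8:d::b", "192.0.6.0/24", "192.0.5.0/24"))
```

An empty list means all three policies are present with IPv4 selectors and IPv6 tunnel endpoints; in a test, feed it the captured output of `ip xfrm policy` instead of `SAMPLE`.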
      

              rh-ee-sfaye Stanislas Faye
              fge@redhat.com Gris Ge
              Network Management Team Network Management Team
              Vladimir Benes Vladimir Benes