• Bug
    • Resolution: Unresolved
    • Major
    • rhel-9.6, rhel-10.0
    • libreswan
    • Important
    • rhel-sst-security-crypto
    • ssg_security
    • Crypto25Q2

      What were you trying to do that didn't work?

      ipsec delete fails with exit code 52 while running OVS system tests:

      ./system-ipsec.at:630: ipsec $auto --ctlsocket $ovs_base/node-1/pluto.ctl \
                            --config $ovs_base/node-1/ipsec.conf \
                            --delete tun-3-out-1
      stdout:
      "tun-3-out-1": terminating SAs using this connection
      "tun-3-out-1" #7: deleting IKE SA (ESTABLISHED_IKE_SA) aged 2.432485s and sending notification
      EXPECTATION FAILED: "tun-3-out-1": ike == ((void *)0) (terminate_v2_states() +163 programs/pluto/terminate.c)
      "tun-3-out-1" #6: ESP traffic information: in=0B out=0B
      "tun-3-out-1" #4: deleting IKE SA (established IKE SA)
      "tun-3-in-1" #8: ESP traffic information: in=0B out=0B
      ./system-ipsec.at:630: exit code was 52, expected 0

The cause is that, while establishing two separate connections that share the same IKE SA, one of the connections ends up with two IKE SAs (the new one and the replaced one) plus a Child SA that still belongs to the replaced IKE SA. When that Child SA is destroyed, the expectation failure is hit, because its old IKE SA still exists.
      The fix should likely be that Child SAs are also replaced when the IKE SA is replaced.

      More detailed analysis is available in the upstream issue: https://github.com/libreswan/libreswan/issues/2101
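The bookkeeping described above, as an added toy model in Python (not libreswan's code; the structures, function names and the mapping to exit code 52 are assumptions): replacing the IKE SA without migrating its Child SA leaves a child whose parent IKE SA still exists when the connection is deleted, which is the expectation failure the log shows, while migrating the Child SAs, as the report proposes, lets the delete succeed.

```python
from dataclasses import dataclass, field

# Toy model only (assumption): pluto's real state structures are not used.
@dataclass(eq=False)
class IkeSa:
    serial: int

@dataclass(eq=False)
class ChildSa:
    serial: int
    parent: IkeSa  # IKE SA under which this Child SA was negotiated

@dataclass
class Connection:
    name: str
    ike_sas: list = field(default_factory=list)    # live IKE SAs; at most one expected
    child_sas: list = field(default_factory=list)  # live Child SAs

def establish(conn, ike_serial, child_serial):
    """Initial establishment: one IKE SA with one Child SA under it."""
    ike = IkeSa(ike_serial)
    conn.ike_sas.append(ike)
    conn.child_sas.append(ChildSa(child_serial, ike))

def replace_ike_sa(conn, new_serial, migrate_children):
    """Replace the IKE SA; without migration the old one and its Child SA linger."""
    old, new = conn.ike_sas[-1], IkeSa(new_serial)
    if migrate_children:
        for child in conn.child_sas:
            if child.parent is old:
                child.parent = new  # proposed fix: Child SAs follow the new IKE SA
        conn.ike_sas.remove(old)    # nothing refers to the old IKE SA any more
    conn.ike_sas.append(new)

def terminate(conn):
    """Model of 'ipsec --delete'. Returns 0 on success, 52 on an expectation failure."""
    ike = conn.ike_sas.pop()  # the IKE SA the connection currently owns
    conn.child_sas = [c for c in conn.child_sas if c.parent is not ike]
    for child in conn.child_sas:  # Child SAs left over from a replaced IKE SA
        if child.parent in conn.ike_sas:
            return 52  # expectation failed: the leftover child's IKE SA still exists
    conn.ike_sas.clear()
    conn.child_sas.clear()
    return 0

def run_scenario(migrate_children):
    conn = Connection("tun-3-out-1")  # serials #4, #6, #7 borrowed from the log
    establish(conn, ike_serial=4, child_serial=6)
    replace_ike_sa(conn, new_serial=7, migrate_children=migrate_children)
    return terminate(conn)
```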

      What is the impact of this issue to you?

OVS tests fail unpredictably. If this condition (Child SAs not belonging to the connection's current IKE SA) is hit in practice, it could potentially prevent actual traffic from passing.

      Please provide the package NVR for which the bug is seen:

      libreswan-5.2-1.el9fdp (should be the same as rhel10 package)

      How reproducible is this bug?:

      Reproducible, but may take a few hours of running the test in a loop.

      Steps to reproduce

      1.  Get OVS sources.
      2.  make check-kernel TESTSUITEFLAGS='-k reconciliation'

      Expected results

      Test passes.

      Actual results

      Test fails with ipsec delete exiting with internal error (code 52).

dueno@redhat.com Daiki Ueno
              imaximet@redhat.com Ilya Maximets
              Ondrej Moris