RHEL-85790

[RHEL-9.7] Need support on host to subnet IPv6 IPSec tunnel


    • No
    • Moderate
    • rhel-net-mgmt
    • ssg_networking
    • 1
    • False
    • False

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given a configured IPv6 IPSec tunnel setup between a host and a subnet,

      When NetworkManager is used to activate the connection,

      Then, the tunnel should establish successfully, with the `ip x p` command showing the expected routes and security parameters.

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Integration tests are written and pass 
      • The code is part of a downstream build attached to an errata
      • The fix is backported into RHEL-9.4

      ( ) Code changes are included in a downstream build attached to an errata.


      ( ) All required testing (manual and/or automated) passes successfully.


      ( ) Related documentation updates (if applicable) have been completed.


      What were you trying to do that didn't work?

      When setting up a /128 to /64 IPsec tunnel, NetworkManager fails the connection activation with:

      Dec 02 10:50:08 sabina-worker-0.karmalabs.local NetworkManager[1299715]: nm-libreswan[1299715] <warn> IPsec/Pluto Right Peer (VPN Gateway) is missing

      What is the impact of this issue to you?

      That’s for the OpenShift telco use case, no client is currently waiting for a fix but they might start working on it soon

      Please provide the package NVR for which the bug is seen:

      NetworkManager-libreswan-1.2.18-3.el9_4.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      • Set up the IPsec PKI.
      • On the IPsec server side, create /etc/ipsec.d/test.conf:
      conn sabina-worker-0.karmalabs.local
          hostaddrfamily=ipv6
          clientaddrfamily=ipv6
          left=2001:db8:d::b
          leftid=%fromcert
          leftrsasigkey=%cert
          leftsubnet=fc00::1/7
          leftcert=server01.cnf.com
          rightrsasigkey=%cert
          right=2001:db8:d::c
          rightid=%fromcert
          ikev2=insist
          auto=start
          ike=aes_gcm256-sha2_256
          esp=aes_gcm256
          leftmodecfgserver=no
          rightmodecfgclient=no
      
      • Run `nmstatectl apply` on this YAML file:
      interfaces:
      - name: hosta_conn
        type: ipsec
        libreswan:
          hostaddrfamily: ipv6
          clientaddrfamily: ipv6
          left: 2001:db8:d::c
          leftid: '%fromcert'
          leftcert: client01.cnf.com
          leftmodecfgclient: false
          leftrsasigkey: '%cert'
          right: 2001:db8:d::b
          rightid: '%fromcert'
          rightrsasigkey: '%cert'
          rightsubnet: fc00::1/7
          ikev2: insist
          type: tunnel
      
      • Check the IPsec connection with the `ip x p` command.

      Expected results

      The IPsec connection is established, with this `ip x p` output:

      src fc00::/7 dst 2001:db8:d::c/128
      	dir out priority 1765889 ptype main
      	tmpl src 2001:db8:d::b dst 2001:db8:d::c
      		proto esp reqid 16389 mode tunnel
      src 2001:db8:d::c/128 dst fc00::/7
      	dir fwd priority 1765889 ptype main
      	tmpl src 2001:db8:d::c dst 2001:db8:d::b
      		proto esp reqid 16389 mode tunnel
      src 2001:db8:d::c/128 dst fc00::/7
      	dir in priority 1765889 ptype main
      	tmpl src 2001:db8:d::c dst 2001:db8:d::b
      		proto esp reqid 16389 mode tunnel
      

      Actual results

      NetworkManager fails the activation of the IPsec connection.

              rh-ee-sfaye Stanislas Faye
              fge@redhat.com Gris Ge
              Network Management Team Network Management Team
              Vladimir Benes Vladimir Benes
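The acceptance check described in this report ("`ip x p` showing the expected routes and security parameters") can be automated. The following is an added example, not part of the original report or of NetworkManager's test suite; the function names are hypothetical. It parses `ip x p` text and reports which of the out/fwd/in directions lack an ESP tunnel-mode policy for the host-to-subnet selectors, normalizing `fc00::1/7` from the configuration to the `fc00::/7` form the kernel prints.

```python
import ipaddress

# Expected `ip x p` output quoted in this report (view from 2001:db8:d::b).
SAMPLE = """\
src fc00::/7 dst 2001:db8:d::c/128
    dir out priority 1765889 ptype main
    tmpl src 2001:db8:d::b dst 2001:db8:d::c
        proto esp reqid 16389 mode tunnel
src 2001:db8:d::c/128 dst fc00::/7
    dir fwd priority 1765889 ptype main
    tmpl src 2001:db8:d::c dst 2001:db8:d::b
        proto esp reqid 16389 mode tunnel
src 2001:db8:d::c/128 dst fc00::/7
    dir in priority 1765889 ptype main
    tmpl src 2001:db8:d::c dst 2001:db8:d::b
        proto esp reqid 16389 mode tunnel
"""

def _net(text):
    # strict=False: the config's "fc00::1/7" must match the kernel's "fc00::/7".
    return ipaddress.ip_network(text, strict=False)

def parse_xfrm_policies(output):
    """Parse `ip x p` text into dicts: src, dst, dir, tmpl, proto, mode."""
    policies = []
    for line in output.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace() and w[0] == "src":
            policies.append({"src": _net(w[1]), "dst": _net(w[3])})
        elif policies and w[0] == "dir":
            policies[-1]["dir"] = w[1]
        elif policies and w[0] == "tmpl":
            policies[-1]["tmpl"] = (_net(w[2]), _net(w[4]))
        elif policies and w[0] == "proto" and "mode" in w:
            policies[-1].update(proto=w[1], mode=w[w.index("mode") + 1])
    return policies

def missing_policies(output, local_ep, local_sel, remote_ep, remote_sel):
    """Return the directions that lack a matching ESP tunnel-mode policy."""
    l_ep, r_ep, l_sel, r_sel = map(_net, (local_ep, remote_ep, local_sel, remote_sel))
    inbound = (r_sel, l_sel, (r_ep, l_ep), "esp", "tunnel")
    want = {"out": (l_sel, r_sel, (l_ep, r_ep), "esp", "tunnel"),
            "fwd": inbound, "in": inbound}
    found = {p.get("dir") for p in parse_xfrm_policies(output)
             if want.get(p.get("dir")) == (p["src"], p["dst"], p.get("tmpl"),
                                           p.get("proto"), p.get("mode"))}
    return [d for d in ("out", "fwd", "in") if d not in found]
```

On a live system the `output` argument would be the text of `ip x p`; an empty return list means all three policies are present.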