| Summary: | ipsec auto --down CONNECTION returns error for tunnels | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Aster <jaster> |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.3 | CC: | omoris, ovasik, pwouters, tis |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 3.20-3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 12:31:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Note this seems to be a side-effect of using connection aliases, as regular connections don't give that error:

```
root@thinkpad:/home/paul# ipsec auto --down private-or-clear#193.110.157.131/32
002 "private-or-clear#193.110.157.131/32"[1] 100.64.0.1/32=== ...193.110.157.131: terminating SAs using this connection
005 "private-or-clear#193.110.157.131/32" #2: ESP traffic information: in=84B out=84B
002 "private-or-clear#193.110.157.131/32" #1: deleting state (STATE_PARENT_I3)
root@thinkpad:/home/paul# echo $?
0
```

```
OLD (libreswan-3.15-8.el7)
==========================
:: [ BEGIN ] :: Running 'ipsec auto --down test'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: nm-libreswan-helper[???,26235]: <warn> Could not call the plugin: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager.libreswan was not provided by any .service files
002 "test/1x1" #1: deleting state #1 (STATE_MAIN_I4)
:: [ FAIL ] :: Command 'ipsec auto --down test' (Expected 0, got 21)

NEW (libreswan-3.20-2.el7)
==========================
:: [ BEGIN ] :: Running 'ipsec auto --down test'
000 no such connection found, looking for all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: /usr/libexec/ipsec/_updown.netkey: line 345: /usr/libexec/nm-libreswan-service-helper: No such file or directory
002 "test/1x1" #1: deleting state (STATE_MAIN_I4)
:: [ PASS ] :: Command 'ipsec auto --down test' (Expected 0, got 0)
```

See TJ#1870062 for more details.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101

Description of problem:

ipsec auto --down CONNECTION returns error for tunnels.

Version-Release number of selected component (if applicable):

libreswan-3.15-6.el7

How reproducible:

100%

Steps to Reproduce:

1, configuration for both, initiator and responder

```
# cat /etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=LEFT_IP
    leftsubnets={172.29.28.0/24, 172.29.27.0/24}
    right=RIGHT_IP
    rightsubnets=172.29.29.0/24
    authby=secret
    auto=add
    type=tunnel

# cat /etc/ipsec.secrets
: PSK "redhat"
```

2,

```
I: # service ipsec start
R: # service ipsec start
I: # ipsec auto --up test

# ipsec auto --up test
000 initiating all conns with alias='test'
002 "test/2x1" #1: initiating Main Mode
104 "test/2x1" #1: STATE_MAIN_I1: initiate
003 "test/2x1" #1: received Vendor ID payload [Dead Peer Detection]
003 "test/2x1" #1: received Vendor ID payload [FRAGMENTATION]
003 "test/2x1" #1: received Vendor ID payload [RFC 3947]
002 "test/2x1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "test/2x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test/2x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test/2x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "test/2x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test/2x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test/2x1" #1: received Vendor ID payload [CAN-IKEv2]
002 "test/2x1" #1: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_IP'
002 "test/2x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test/2x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "test/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:28677a16 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
002 "test/2x1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:c4a367bc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test/1x1" #2: STATE_QUICK_I1: initiate
117 "test/2x1" #3: STATE_QUICK_I1: initiate
002 "test/1x1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9c718cf1 <0x9e2071b8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
002 "test/2x1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/2x1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x048fcacb <0x87133f3e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

# echo $?
0

# ipsec auto --down test
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B

# echo $?
21
```

Actual results:

ipsec auto --down test fails and returns a non-zero return code.

Expected results:

ipsec auto --down test does not fail and returns a zero return code.
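
For automation that still has to run against the affected 3.15 packages, one way to tell the alias case from a real teardown failure is to check the captured output together with the exit status. This is an added example, not part of the bug report or of libreswan; `classify_down`, `sample_alias` and `sample_missing` are hypothetical names, and the second sample is constructed.

```shell
# classify_down RC NAME: reads captured `ipsec auto --down NAME` output on
# stdin and prints ok, alias-ok or fail. Hypothetical helper, not libreswan code.
# NAME is matched as a fixed string (grep -F), so '#' or '/' in it are safe.
classify_down() {
    rc=$1 name=$2
    out=$(cat)
    if [ "$rc" -eq 0 ]; then
        echo ok
        return 0
    fi
    # In the report, exit status 21 accompanies the "021" lookup-miss line.
    miss=$(printf '%s\n' "$out" | grep -c -F "021 no connection named \"$name\"" || true)
    # Present when the name was then looked up as an alias.
    by_alias=$(printf '%s\n' "$out" | grep -c -F "conns with alias='$name'" || true)
    # Alias instances ("NAME/1x1", ...) whose SAs were actually terminated.
    torn=$(printf '%s\n' "$out" | grep -F "002 \"$name/" |
        grep -c -F "\": terminating SAs using this connection" || true)
    if [ "$rc" -eq 21 ] && [ "$miss" -gt 0 ] && [ "$by_alias" -gt 0 ] && [ "$torn" -gt 0 ]; then
        echo alias-ok
    else
        echo fail
    fi
}

# Output quoted from the report (libreswan-3.15, exit status 21).
sample_alias() {
cat <<'EOF'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
EOF
}

# Constructed sample: the name matches nothing and no SA is terminated.
sample_missing() {
cat <<'EOF'
021 no connection named "nosuch"
000 terminating all conns with alias='nosuch'
EOF
}

sample_alias   | classify_down 21 test     # prints alias-ok
sample_missing | classify_down 21 nosuch   # prints fail
```

On packages carrying the fix (3.20-3 per this report) the first branch applies, since the same teardown exits 0.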