Bug 1891128
| Summary: | [Rebase] rebase libreswan to 4.3 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Paul Wouters <pwouters> |
| Component: | libreswan | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | medium | ||
| Version: | 8.4 | CC: | jafiala, mjahoda, omoris |
| Target Milestone: | rc | Keywords: | FutureFeature, Rebase, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libreswan-4.3-1.el8 | Doc Type: | Enhancement |
| Doc Text: |
.`libreswan` rebased to 4.3
The `libreswan` packages have been upgraded to version 4.3. Notable changes over the previous version include:
* IKE and ESP over TCP support (RFC 8229)
* IKEv2 Labeled IPsec support
* IKEv2 leftikeport/rightikeport support
* Experimental support for Intermediate Exchange
* Extended Redirect support for loadbalancing
* Default IKE lifetime changed from 1 h to 8 h for increased interoperability
* `:RSA` sections in the `ipsec.secrets` file are no longer required
* Fixed Windows 10 rekeying
* Fixed sending certificate for ECDSA authentication
* Fixes for MOBIKE and NAT-T
| Story Points: | --- | ||
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 15:38:31 UTC | Type: | Component Upgrade |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Paul Wouters
2020-10-23 20:30:07 UTC
Are there any notable new or removed features and bugfixes we should focus on during the testing? I briefly scanned the changelog and noticed IKE/ESP over TCP, support for leftikeport= and rightikeport=, FIPS changes and the change of the default NSS DB location. Is there anything else you want to highlight for the testing? Also, does ITM6 (Dec 14) sound reasonable for delivering the code?

Note that for RHEL8 we keep the /etc/ipsec.d location for the NSS DB.

Other than the ones you mention I would also look closely at:

* pluto: Support for rereading configured certificates from NSS

I just noticed we don't have an upstream test case for this yet :) So I will add it. Basically it is updating the cert, then use:

paul@thinkpad:~/libreswan (main *=)$ sudo ipsec whack --rereadcerts
000 "vpn.nohats.ca": certificate leftcert=letoams.nohats.ca has been reloaded
000 "ssw.nohats.ca": certificate leftcert=client5.nohats.ca has been reloaded

* IKEv2: Add load-balance support (multiple targets) to redirect

That one might also be good to test. But we can use the upstream redirect test cases for that, just like for ikeport and TCP.

And double check that labeled IPsec works properly - we don't have an upstream test working with the targeted SELinux policy yet. (Want to port yours to upstream?)

Paul, I noticed that the following was present in the default ipsec.conf in RHEL-8.3:
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
But it is no longer present in the default config in libreswan-4.3. Don't we need it anymore?
That value was only used for IKEv1 in combination with the vhost keyword in: rightsubnet=vhost:%priv,%no

Furthermore, it was really only used for VPN servers using Transport Mode with NAT where you did not get an address assigned, e.g. L2TP/IPsec. For these reasons, it was removed from upstream. We could put it back, if you want to ensure backwards compatibility. Or we can add a release note for it so that people still using L2TP/IPsec on a VPN server can put it back. I don't believe this setup is very common anymore.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1803
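The exchange above boils down to a pre-upgrade check: a conn that uses `rightsubnet=vhost:%priv,%no` (or the `leftsubnet` equivalent) only works if `config setup` carries a `virtual_private=` line, and libreswan 4.3 no longer ships that line by default. The script below is an added example written for this page, not libreswan code and not from the bug thread; it uses a deliberately minimal ipsec.conf parser (sections start at column 0, `key=value` lines are indented, `include` directives are skipped) and a constructed sample config, so it may miss layouts a real file can use.

```python
"""Flag IKEv1 L2TP/IPsec-style conns that depend on virtual_private= before an
upgrade to libreswan 4.3. Added example for this bug page; not libreswan code."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: a setup section that lacks virtual_private=, one
# transport-mode L2TP conn using vhost:%priv, and one ordinary tunnel conn.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
config setup
    ikev1-policy=accept
    protostack=netkey

conn l2tp-psk
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=vhost:%priv,%no
    auto=add

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf parser: {section header: {key: value}}.

    Section headers ('config setup', 'conn NAME') start at column 0; settings
    are indented key=value lines. '#' comments and 'include' lines are ignored,
    which is enough for this check but not a full reimplementation of the
    libreswan parser."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            if line.split(None, 1)[0] == "include":
                continue
            current = line.strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def conns_needing_virtual_private(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Conn names whose leftsubnet/rightsubnet is a vhost:%priv selector,
    i.e. the IKEv1 NAT-client construct that virtual_private= applies to."""
    hits: List[str] = []
    for header, kv in sections.items():
        if not header.startswith("conn "):
            continue
        for key in ("leftsubnet", "rightsubnet"):
            value = kv.get(key, "")
            if value.startswith("vhost:") and "%priv" in value:
                hits.append(header.split(None, 1)[1])
                break
    return hits


def check_virtual_private(text: str) -> Tuple[List[str], Optional[str]]:
    """Return (affected conns, virtual_private value or None if unset)."""
    sections = parse_ipsec_conf(text)
    vp = sections.get("config setup", {}).get("virtual_private")
    return conns_needing_virtual_private(sections), vp


if __name__ == "__main__":
    conns, vp = check_virtual_private(SAMPLE_CONF)
    if conns and vp is None:
        print("conns using vhost:%priv but no virtual_private= in config setup:",
              ", ".join(conns))
        print("add the RHEL 8.3 default back to 'config setup' before upgrading")
    else:
        print("no virtual_private= dependency found")
```

Run it against `/etc/ipsec.conf` (and the files it includes, which this parser does not follow) on a server that terminates L2TP/IPsec; if it reports a conn and no `virtual_private=`, restore the value quoted earlier in the thread in `config setup` after the upgrade to 4.3.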