Bug 1920341
| Summary: | [OVS IPsec] RHEL7 self-signed certificate mode, X509: CERT payload bogus or revoked | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | qding |
| Component: | openvswitch3.1 | Assignee: | Mike Pattrick <mpattric> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | qding |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | FDP 21.A | CC: | ctrautma, fleitner, jhsiao, mpattric, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-04 20:07:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Can you post the keys and the full libreswan logs from both sides?

I just tested your certificates by pulling them into our upstream test case: https://github.com/libreswan/libreswan/tree/main/testing/pluto/ikev2-x509-29-selfsigned and it works fine.

So I tested it on rhel 7.9 and indeed I see your error. ausearch shows me:

```
type=PROCTITLE msg=audit(1611957832.875:429): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=AVC msg=audit(1611957852.729:439): avc: denied { create } for pid=21631 comm="pluto" name="dbTemp.Xs5t6y" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1611957852.729:439): arch=c000003e syscall=83 success=no exit=-13 a0=564fd63396b0 a1=1c0 a2=1fe a3=6014865c items=0 ppid=1 pid=21631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
```

This is related to how nss handles importing things into its database. This setting is tweaked by nss's SDB_MEASURE_USE_TEMP_DIR compile time feature. Apparently, this nss change was requested by the kernel people.

> relyea: NSS create a temp directory and delete it at the end. The previous code was creating massive amounts of negative cache entries (cache entries for deleted files).
> relyea: It was changes in NSS upstream actually.
> relyea: recently means mid last year.
> relyea: It's also in other OS's, but we don't do auto by default, so you need to set an environment variable to get the behavior on RHEL8 and fedora.
> hkario: pwouters: does that system have new enough selinux policy?
> hkario: pwouters: I remember we had bugs for that and we fixed those

This is using selinux-policy-3.13.1-268.el7_9.2.noarch

> relyea: pwouters, If you just need to get over an issue you can set NSS_SDB_USE_CACHE=no

So this is a selinux-policy change that is required. However, it seems to be more complicated. Even with setenforce 0, it still fails for me.

Okay, this bug in selfsigned certificates was fixed in libreswan 3.28.
The nodes send a CERT payload, but since this is a selfsigned certificate, it is a root CA. So the certificate is rejected. Since there are no other certs in the CERT payload, it throws the above error.
Please use the following workaround by adding these two lines to your config:

```
leftsendcert=never
rightsendcert=never
```
I don't have a good answer why for you it seems just disabling selinux fixed your issue. Either you were using a newer libreswan package (3.28 or higher) or perhaps you had these two lines in your config already, but the config shared with me was an older one?
Note also that I don't know how you import your certificates from the provisioning layer into libreswan, but I used:

```
yum install libreswan
ipsec initnss
openssl pkcs12 -export -in h2-cert.pem -inkey h2-privkey.pem -out h2.p12 -name h2
openssl pkcs12 -export -in h1-cert.pem -inkey h1-privkey.pem -out h1.p12 -name h1
ipsec import h2.p12
ipsec import h1.p12
certutil -M -t CT,, -n h1 -d sql:/etc/ipsec.d
certutil -M -t CT,, -n h2 -d sql:/etc/ipsec.d
systemctl start libreswan
```

(In reply to Paul Wouters from comment #10)
> note also, that I dont know how you import your certificates, from the
> provisioning layer into libreswan, but I used:
>
> yum install libreswan
> ipsec initnss
> openssl pkcs12 -export -in h2-cert.pem -inkey h2-privkey.pem -out h2.p12 -name h2
> openssl pkcs12 -export -in h1-cert.pem -inkey h1-privkey.pem -out h1.p12 -name h1
> ipsec import h2.p12
> ipsec import h1.p12
> certutil -M -t CT,, -n h1 -d sql:/etc/ipsec.d
> certutil -M -t CT,, -n h2 -d sql:/etc/ipsec.d
> systemctl start libreswan

They are imported using a python script that calls some commands. Extracting these commands from the script, I see that:

```
openssl pkcs12 -export -in <cert> -inkey <key> -out <path> -name <name> -passout pass:
pk12util -i <path> -d sql:/etc/ipsec.d/ -W
```

The remote cert gets added with:

```
certutil -A -a -i <cert> -d sql:/etc/ipsec.d/ -n <name> -t P,P,P
```

Is the workaround above ("leftsendcert=never") forward compatible? What I mean by this is: is it safe to leave this in for all other versions of libreswan? Also, is the environment variable mentioned in comment 8 (NSS_SDB_USE_CACHE=no) also acceptable as a workaround?

Yes, the keyword is forward compatible. It is used normally to decide whether to send the CERT payload for when there is a CA chain. For selfsigned certificates, there is simply no need to send a CERT payload.

You might need to change the trust setting for selfsigned certs you use from "-t P,P,P" to "-t CT,,," because the self signed cert is really a Root CA in disguise, so nss normally needs to explicitly trust it. It might be that older nss did not require this, but I think newer ones do.

Note that on RHEL9, the ipsec nss db files will go into /var/lib/ipsec/nss so perhaps it is better to switch it from certutil -A to use "ipsec import" on the pkcs12 format file of the certificate.

I would not tweak the environment variable. It is harder to track through all the moving parts that start up things, systemd or otherwise. There is a big chance the env variable will be lost.

Please do let me know if the sendcert=never options resolve your issue fully, as I noticed my setup still behaved slightly different from yours.

(In reply to Paul Wouters from comment #12)
> Yes the keyword is forward compatible. It is used normally to decide whether
> to send the CERT payload for when there is a CA chain. For selfsigned
> certificates, there is simply no need to send a CERT payload.

However, for the case in which the cert is CA-signed, I would need to send it? I will need to update some scripts, so I am trying to understand if I can make this change for all cert types or should I specify the self-signed case.

> You might need to change the trust setting for selfsigned certs you use from
> "-t P,P,P" to "-t CT,,," because the self signed cert is really a Root CA in
> disguise, so nss normally needs to explicitely trust it. It might be that
> older nss did not require this, but I think newer ones do.

Is this only required for the self-signed case?

> Note that on RHEL9, the ipsec nss db files will go into /var/lib/ipsec/nss
> so perhaps it is better to switch it from certutil -A to use "ipsec import"
> on the pkcs12 format file of the certificate.

Good catch.

> I would not tweak the environment variable. It is harder to track through
> all the moving parts that start up things, systemd or otherwise. There is a
> big chance the env variable will be lost.
>
> Please do let me know if the sendcert=never options resolve your issue
> fully, as I noticed by setup still behaved slightly different from yours.

Closing because it seems to be fixed in RHEL8 and 9. Also seems to be fixed in OVS 2.17: https://beaker.engineering.redhat.com/jobs/8138960
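The AVC record quoted earlier in the thread is what turns this from a certificate problem into a policy problem: pluto, confined as ipsec_t, is refused when NSS tries to mkdir its temporary database directory under a path labelled ipsec_key_file_t, so the "temporary cert import operation failed" message is downstream of an EACCES. The Python script below is an added example (not code from the bug report, libreswan or NSS) that parses ausearch-style records, joins the AVC and SYSCALL records that share an audit serial, decodes the hex-encoded PROCTITLE, and prints the type-enforcement rule the denial corresponds to. Its sample input is the three records quoted above; the x86_64 syscall-number and errno tables are small hard-coded excerpts assumed for the illustration.

```python
"""Explain SELinux AVC denials from raw audit records.

Added example; not code from the bug report, libreswan or NSS. Input: the
three ausearch records quoted in the thread (embedded as sample input).
The x86_64 syscall and errno tables are hard-coded excerpts assumed here.
"""
import re
import sys
from collections import defaultdict

# Constructed sample input: the ausearch output pasted into the thread. The
# PROCTITLE record belongs to serial 429; the denial itself is serial 439.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1611957832.875:429): proctitle=2F7573722F6C6962657865632F69707365632F706C75746F002D2D6C65616B2D646574656374697665002D2D636F6E666967002F6574632F69707365632E636F6E66002D2D6E6F666F726B
type=AVC msg=audit(1611957852.729:439): avc: denied { create } for pid=21631 comm="pluto" name="dbTemp.Xs5t6y" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1611957852.729:439): arch=c000003e syscall=83 success=no exit=-13 a0=564fd63396b0 a1=1c0 a2=1fe a3=6014865c items=0 ppid=1 pid=21631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {82: "rename", 83: "mkdir", 84: "rmdir", 257: "openat"}  # excerpt (assumed)
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES", -17: "EEXIST"}    # excerpt (assumed)


def parse_audit_line(line):
    """One audit record -> dict of its key=value fields (+ AVC permissions)."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rec = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    for key, val in KV_RE.findall(line):
        if key != "msg":
            rec[key] = val[1:-1] if val.startswith('"') else val
    d = DENIED_RE.search(line)
    if d is not None:
        rec["permissions"] = d.group(1).split()
    return rec


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")


def group_events(text):
    """Group records by audit serial: one kernel event spans several records."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_audit_line(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def context_type(ctx):
    # 'system_u:system_r:ipsec_t:s0' -> 'ipsec_t'
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def find_denials(events):
    """Join each AVC record with its SYSCALL/PROCTITLE siblings."""
    findings = []
    for serial in sorted(events):
        by_type = {r["type"]: r for r in events[serial]}
        avc, sc = by_type.get("AVC"), by_type.get("SYSCALL", {})
        if avc is None or "permissions" not in avc:
            continue
        sysname = None
        if "syscall" in sc:
            sysno = int(sc["syscall"])
            sysname = "syscall %d" % sysno
            if sc.get("arch") == X86_64_ARCH:          # syscall numbers are per-arch
                sysname = X86_64_SYSCALLS.get(sysno, sysname)
        errno = int(sc["exit"]) if "exit" in sc else None
        pt = by_type.get("PROCTITLE")
        findings.append({
            "serial": serial, "comm": avc.get("comm"), "name": avc.get("name"),
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"], "permissions": avc["permissions"],
            "enforced": avc.get("permissive") == "0",  # permissive=0: access really failed
            "syscall": sysname, "errno": ERRNO_NAMES.get(errno, errno),
            "argv": decode_proctitle(pt["proctitle"]) if pt else None,
        })
    return findings


def allow_rule(f):
    """TE rule permitting exactly this access (what audit2allow would print);
    shipping it is a policy decision, not an automatic fix."""
    return "allow %s %s:%s %s;" % (f["source_type"], f["target_type"],
                                   f["tclass"], " ".join(f["permissions"]))


def describe(f):
    """One-line summary, e.g. for a ticket or a SIEM alert."""
    return "serial %d: %s (%s) denied %s on %s %r (%s) via %s -> %s [%s]" % (
        f["serial"], f["comm"], f["source_type"], "/".join(f["permissions"]), f["tclass"],
        f["name"], f["target_type"], f["syscall"], f["errno"],
        "enforcing" if f["enforced"] else "permissive")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    for finding in find_denials(group_events(text)):
        print(describe(finding))
        print("    " + allow_rule(finding))
```

Run it with `ausearch -m AVC,SYSCALL,PROCTITLE -ts recent > avc.log; python3 avc_explain.py avc.log` to work on a live box. Note that in the pasted data the PROCTITLE record has a different serial from the denial, so the finding carries no argv; the decoded PROCTITLE from serial 429 is the pluto command line seen in the systemctl output further down.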
Description of problem:

For RHEL7, self-signed mode doesn't work and there are messages below:

```
Jan 26 01:14:20 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #22: STATE_PARENT_I2: retransmission; will wait 32 seco
Jan 26 01:14:20 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #22: X509: temporary cert import operation failed
Jan 26 01:14:20 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #22: cert verify failed with internal error
Jan 26 01:14:20 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #22: X509: Certificate rejected for this connection
Jan 26 01:14:20 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #22: X509: CERT payload bogus or revoked
```

```
[root@dell-per730-04 ipsec]# ovs-vsctl show
732f835e-793e-4331-8b82-2bc590658c07
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.1", remote_cert="/tmp/keys/h2-cert.pem", remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ipsec]# ip add show eno1np0
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::1/64 scope global
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ipsec]# systemctl status openvswitch --no-pager -l
● openvswitch.service - Open vSwitch
   Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled; vendor preset: disabled)
   Active: active (exited) since Tue 2021-01-26 00:59:41 EST; 11min ago
  Process: 14895 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
  Process: 15203 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 15203 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvswitch.service

Jan 26 00:59:41 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Starting Open vSwitch...
Jan 26 00:59:41 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Started Open vSwitch.
[root@dell-per730-04 ipsec]# systemctl status openvswitch-ipsec --no-pager -l
● openvswitch-ipsec.service - OVS IPsec daemon
   Loaded: loaded (/usr/lib/systemd/system/openvswitch-ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-26 00:59:47 EST; 11min ago
  Process: 15213 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --ike-daemon=libreswan start-ovs-ipsec (code=exited, status=0/SUCCESS)
 Main PID: 15606 (ovs-monitor-ips)
   CGroup: /system.slice/openvswitch-ipsec.service
           ├─15605 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
           └─15606 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock

Jan 26 00:59:46 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[15213]: 2021-01-26T05:59:46Z | 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 26 00:59:46 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15227]: ovs| 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 26 00:59:46 dell-per730-04.rhts.eng.pek2.redhat.com ovs-ctl[15213]: Redirecting to: systemctl restart ipsec.service
Jan 26 00:59:47 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15606]: ovs| 3 | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connecting...
Jan 26 00:59:47 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15606]: ovs| 6 | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connected
Jan 26 00:59:47 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Supervising process 15606 which is not our child. We'll most likely not notice when it exits.
Jan 26 00:59:47 dell-per730-04.rhts.eng.pek2.redhat.com systemd[1]: Started OVS IPsec daemon.
Jan 26 00:59:58 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15606]: ovs| 12 | ovs-monitor-ipsec | INFO | Refreshing LibreSwan configuration
Jan 26 00:59:58 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15606]: ovs| 14 | ovs-monitor-ipsec | INFO | Tunnel tun123 appeared in OVSDB
Jan 26 00:59:58 dell-per730-04.rhts.eng.pek2.redhat.com ovs-monitor-ips[15606]: ovs| 16 | ovs-monitor-ipsec | INFO | Refreshing LibreSwan configuration
[root@dell-per730-04 ipsec]# systemctl status ipsec --no-pager -l
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-26 00:59:52 EST; 11min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 15623 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 15619 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 15616 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 15614 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 15897 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 15894 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 15632 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 15630 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 15910 (pluto)
   Status: "Startup completed."
   CGroup: /system.slice/ipsec.service
           └─15910 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=MODP2048}
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: X509: temporary cert import operation failed
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: cert verify failed with internal error
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: X509: Certificate rejected for this connection
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: IKEv2 mode peer ID is ID_FQDN: '@h2'
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: Authenticated using RSA
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: local ESP/AH proposals for tun123-1 (IKE SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #18: proposal 1:ESP:SPI=54c5238d;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match]
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #19: negotiated connection [192.168.123.1-192.168.123.1:0-65535 47] -> [192.168.123.2-192.168.123.2:0-65535 47]
Jan 26 01:10:23 dell-per730-04.rhts.eng.pek2.redhat.com pluto[15910]: "tun123-1" #19: STATE_V2_IPSEC_R: IPsec SA established transport mode {ESP=>0x54c5238d <0xb914dda5 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
```

=====================================

```
[root@dell-per730-05 ipsec]# ovs-vsctl show
145fd89e-dbf3-423c-a31c-e9dac201f2fd
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.2", remote_cert="/tmp/keys/h1-cert.pem", remote_ip="192.168.123.1"}
    ovs_version: "2.13.2"
[root@dell-per730-05 ipsec]# ip add show p6p1
6: p6p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:fd:fe:bb:1b:6c brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.2/24 scope global p6p1
       valid_lft forever preferred_lft forever
    inet6 2001:db8:123::2/64 scope global
       valid_lft forever preferred_lft forever
[root@dell-per730-05 ipsec]# systemctl status openvswitch --no-pager -l
● openvswitch.service - Open vSwitch
   Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled; vendor preset: disabled)
   Active: active (exited) since Tue 2021-01-26 00:59:46 EST; 12min ago
  Process: 21253 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
  Process: 21526 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 21526 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvswitch.service

Jan 26 00:59:46 dell-per730-05.rhts.eng.pek2.redhat.com systemd[1]: Starting Open vSwitch...
Jan 26 00:59:46 dell-per730-05.rhts.eng.pek2.redhat.com systemd[1]: Started Open vSwitch.
[root@dell-per730-05 ipsec]# systemctl status openvswitch-ipsec --no-pager -l
● openvswitch-ipsec.service - OVS IPsec daemon
   Loaded: loaded (/usr/lib/systemd/system/openvswitch-ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-26 00:59:52 EST; 12min ago
  Process: 21535 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --ike-daemon=libreswan start-ovs-ipsec (code=exited, status=0/SUCCESS)
 Main PID: 21913 (ovs-monitor-ips)
   CGroup: /system.slice/openvswitch-ipsec.service
           ├─21912 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
           └─21913 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock

Jan 26 00:59:51 dell-per730-05.rhts.eng.pek2.redhat.com ovs-ctl[21535]: 2021-01-26T05:59:51Z | 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 26 00:59:51 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21549]: ovs| 1 | ovs-monitor-ipsec | INFO | Restarting LibreSwan
Jan 26 00:59:51 dell-per730-05.rhts.eng.pek2.redhat.com ovs-ctl[21535]: Redirecting to: systemctl restart ipsec.service
Jan 26 00:59:52 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21913]: ovs| 3 | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connecting...
Jan 26 00:59:52 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21913]: ovs| 6 | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connected
Jan 26 00:59:52 dell-per730-05.rhts.eng.pek2.redhat.com systemd[1]: openvswitch-ipsec.service: Supervising process 21913 which is not our child. We'll most likely not notice when it exits.
Jan 26 00:59:52 dell-per730-05.rhts.eng.pek2.redhat.com systemd[1]: Started OVS IPsec daemon.
Jan 26 01:00:03 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21913]: ovs| 12 | ovs-monitor-ipsec | INFO | Refreshing LibreSwan configuration
Jan 26 01:00:03 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21913]: ovs| 14 | ovs-monitor-ipsec | INFO | Tunnel tun123 appeared in OVSDB
Jan 26 01:00:03 dell-per730-05.rhts.eng.pek2.redhat.com ovs-monitor-ips[21913]: ovs| 16 | ovs-monitor-ipsec | INFO | Refreshing LibreSwan configuration
[root@dell-per730-05 ipsec]# systemctl status ipsec --no-pager -l
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-26 00:59:57 EST; 12min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 21930 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 21926 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 21924 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 21921 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 22204 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 22201 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 21939 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 21937 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 22217 (pluto)
   Status: "Startup completed."
   CGroup: /system.slice/ipsec.service
           └─22217 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jan 26 01:12:19 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: STATE_PARENT_I2: retransmission; will wait 16 seconds for response
Jan 26 01:12:19 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: temporary cert import operation failed
Jan 26 01:12:19 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: cert verify failed with internal error
Jan 26 01:12:19 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: Certificate rejected for this connection
Jan 26 01:12:19 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: CERT payload bogus or revoked
Jan 26 01:12:35 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: STATE_PARENT_I2: retransmission; will wait 32 seconds for response
Jan 26 01:12:35 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: temporary cert import operation failed
Jan 26 01:12:35 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: cert verify failed with internal error
Jan 26 01:12:35 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: Certificate rejected for this connection
Jan 26 01:12:35 dell-per730-05.rhts.eng.pek2.redhat.com pluto[22217]: "tun123-1" #20: X509: CERT payload bogus or revoked
```

Version-Release number of selected component (if applicable):

```
[root@dell-per730-04 ipsec]# uname -r
3.10.0-1160.15.1.el7.x86_64
[root@dell-per730-04 ipsec]# rpm -qa | grep openvswitch
kernel-kernel-networking-openvswitch-ipsec-1.0-16.noarch
openvswitch2.13-2.13.0-72.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-72.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-18.el7fdp.noarch
python3-openvswitch2.13-2.13.0-72.el7fdp.x86_64
```

How reproducible: always

Steps to Reproduce:

```
setenforce Permissive
nmcli dev set eno1np0 managed no
ip add add 192.168.123.1/24 dev eno1np0
systemctl restart openvswitch
systemctl restart openvswitch-ipsec
mkdir -p keys
pushd keys/
rm -rf *
ovs-pki req -u h1
ovs-pki self-sign h1
popd
scp dell-per730-05.rhts.eng.pek2.redhat.com:/root/keys/h2-cert.pem /root/keys/h2-cert.pem
ovs-vsctl set Open_vSwitch . \
    other_config:certificate=/root/keys/h1-cert.pem \
    other_config:private_key=/root/keys/h1-privkey.pem
ovs-vsctl add-br ovsbr0
ovs-vsctl del-port ovsbr0 tun123
ovs-vsctl add-port ovsbr0 tun123 -- \
    set interface tun123 type=gre \
    options:local_ip=192.168.123.1 \
    options:remote_ip=192.168.123.2 \
    options:remote_cert=/root/keys/h2-cert.pem
ip link set ovsbr0 up
ip add add 172.16.30.1/24 dev ovsbr0
```

Actual results: ping fail

Expected results: ping successfully with ESP in packets

Additional info:
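The reproducer above creates each node's certificate with `ovs-pki self-sign`, which is exactly why the CERT payload carries a certificate whose issuer equals its subject: a root CA in disguise, as the thread puts it, that NSS will only accept if it is imported with CA trust. The Python script below is an added example (not code from the bug report, OVS, libreswan or NSS) that inspects a certificate's DER with a minimal ASN.1 walker, decides whether it is self-signed (issuer equals subject; the signature is not verified, which would need a crypto library), reads basicConstraints, and maps the thread's advice to concrete import settings: `certutil` trust flags `CT,,` plus `leftsendcert=never`/`rightsendcert=never` for a self-signed peer. Keeping the reporter's original `P,P,P` flags for a CA-signed peer is an assumption of this example; the two certificates it builds in code are constructed fixtures with dummy keys and signatures, not the test hosts' real ones.

```python
"""Tell a self-signed peer certificate (a root CA in disguise) from a CA-signed
one before importing it into libreswan's NSS database.

Added example, not code from the bug report, OVS, libreswan or NSS. A minimal
DER walker (no crypto library) reads issuer, subject and basicConstraints;
"self-signed" here means issuer == subject, the signature is not verified.
The "P,P,P" flags for CA-signed peers are the reporter's original import flags,
kept as an assumption. build_cert() makes constructed fixtures with dummy keys.
"""
import base64
import sys

OID_CN, OID_BASIC_CONSTRAINTS = b"\x55\x04\x03", b"\x55\x1d\x13"
ATTR_NAMES = {OID_CN: "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def der_children(value):
    """Split a constructed DER value's content into (tag, whole_tlv, content)."""
    out, pos = [], 0
    while pos < len(value):
        start, tag, length, pos = pos, value[pos], value[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[start:pos + length], value[pos:pos + length]))
        pos += length
    return out


def name_to_str(name_tlv):
    """Name ::= SEQUENCE OF SET OF { OID, value }  ->  'CN=h1,O=...'."""
    parts = []
    for _, _, rdn in der_children(der_children(name_tlv)[0][2]):
        for _, _, atv in der_children(rdn):
            (_, _, oid), (_, _, val) = der_children(atv)[:2]
            parts.append("%s=%s" % (ATTR_NAMES.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    return ",".join(parts)


def parse_certificate(der):
    """Pull version, serial, issuer, subject and basicConstraints.cA out of DER."""
    tbs = der_children(der_children(der)[0][2])[0][2]       # Certificate -> tbsCertificate
    fields = der_children(tbs)
    i, version = 0, 1
    if fields[0][0] == 0xA0:                                # [0] EXPLICIT version
        i, version = 1, int.from_bytes(der_children(fields[0][2])[0][2], "big") + 1
    ca = None                                               # None: no basicConstraints present
    for tag, _, val in fields[i + 6:]:
        if tag != 0xA3:                                     # [3] EXPLICIT extensions
            continue
        for _, _, ext in der_children(der_children(val)[0][2]):
            parts = der_children(ext)                       # OID [, critical], OCTET STRING
            if parts[0][2] == OID_BASIC_CONSTRAINTS:
                bc = der_children(der_children(parts[-1][2])[0][2])
                ca = bool(bc) and bc[0][0] == 0x01 and bc[0][2] == b"\xff"
    return {"version": version, "serial": int.from_bytes(fields[i][2], "big", signed=True),
            "issuer_der": fields[i + 2][1], "issuer": name_to_str(fields[i + 2][1]),
            "subject_der": fields[i + 4][1], "subject": name_to_str(fields[i + 4][1]), "ca": ca}


def is_self_signed(cert):
    return cert["issuer_der"] == cert["subject_der"]


def recommendation(cert):
    """Import settings per the thread: a self-signed cert must be trusted as a CA."""
    if is_self_signed(cert):
        return {"trust_flags": "CT,,", "sendcert": "never"}
    return {"trust_flags": "P,P,P", "sendcert": None}       # None: keep libreswan's default


def der(tag, content):
    """Encode one DER TLV (only used to build the constructed fixtures)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_cert(issuer_cn, subject_cn, ca):
    """Certificate-shaped DER with a dummy key and signature (test fixture)."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    sigalg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"210101000000Z") + der(0x17, b"310101000000Z"))
    rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, rsa + der(0x03, b"\x00" * 33))
    exts = b""
    if ca:
        bc = der(0x04, der(0x30, der(0x01, b"\xff")))       # BasicConstraints { cA TRUE }
        exts = der(0xA3, der(0x30, der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + bc)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sigalg +
              name(issuer_cn) + validity + name(subject_cn) + spki + exts)
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" * 33))


def load_pem(text):
    body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                    # e.g. /root/keys/h2-cert.pem
        certs = [parse_certificate(load_pem(open(sys.argv[1]).read()))]
    else:
        certs = [parse_certificate(build_cert("h1", "h1", True)),
                 parse_certificate(build_cert("ovs-ca", "h2", False))]
    for c in certs:
        print("subject=%s issuer=%s cA=%s self_signed=%s -> %s" % (
            c["subject"], c["issuer"], c["ca"], is_self_signed(c), recommendation(c)))
```

Pointed at the `h2-cert.pem` the reproducer copies over, the script reports whether that peer cert needs `certutil -M -t CT,,` after import rather than the `-t P,P,P` the provisioning script uses; the issuer/subject comparison is the same check you can do by hand with `openssl x509 -noout -issuer -subject -ext basicConstraints`.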