Bug 1935339

Summary: virtual_private setting is missing in the default config [rhel-8.5.0]
Product: Red Hat Enterprise Linux 8 Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: libreswanAssignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.4CC: lmiksik, omoris
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreswan-4.4-1.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1934186 Environment:
Last Closed: 2021-11-09 18:49:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1934186, 1936492, 1958968    
Bug Blocks:    

Comment 3 Ondrej Moriš 2021-03-16 15:24:37 UTC 
See parent bug for AC. 

Successfully verified with libreswan-4.3-3.el8 on RHEL-8.5.0-20210313.n.0:

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)

# rpm -q libreswan
libreswan-4.3-3.el8.x86_64

# cat /etc/ipsec.conf 
# /etc/ipsec.conf - Libreswan 4.0 configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
	# If logfile= is unset, syslog is used to send log messages too.
	# Note that on busy VPN servers, the amount of logging can trigger
	# syslogd (or journald) to rate limit messages.
	#logfile=/var/log/pluto.log
	#
	# Debugging should only be used to find bugs, not configuration issues!
	# "base" regular debug, "tmi" is excessive (!) and "private" will log
	# sensitive key material (not available in FIPS mode). The "cpu-usage"
	# value logs timing information and should not be used with other
	# debug options as it will defeat getting accurate timing information.
	# Default is "none"
	# plutodebug="base"
	# plutodebug="tmi"
	#plutodebug="none"
	#
	# Some machines use a DNS resolver on localhost with broken DNSSEC
	# support. This can be tested using the command:
	# dig +dnssec DNSnameOfRemoveServer
	# If that fails but omitting '+dnssec' works, the system's resolver is
	# broken and you might need to disable DNSSEC.
	# dnssec-enable=no
	#
	# To enable IKE and IPsec over TCP for VPN server. Requires at least
	# Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291)
	# listen-tcp=yes
	# To enable IKE and IPsec over TCP for VPN client, also specify
	# tcp-remote-port=4500 in the client's conn section.
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files
# in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
Comment 7 errata-xmlrpc 2021-11-09 18:49:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4299