Bug 1935599
| Field | Value |
|---|---|
| Summary | [OVS IPsec] NAT-T doesn't work |
| Product | Red Hat Enterprise Linux Fast Datapath |
| Component | openvswitch2.13 |
| Version | FDP 21.B |
| Reporter | qding |
| Assignee | Mohammad Heib <mheib> |
| QA Contact | qding |
| Status | ASSIGNED |
| Severity | high |
| Priority | unspecified |
| Type | Bug |
| CC | ctrautma, jhsiao, mheib, qding, ralongi |
| Hardware | x86_64 |
| OS | Linux |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | (none) |
| Doc Type | If docs needed, set a value |
Description

qding, 2021-03-05 08:51:19 UTC

Created attachment 1760842: log for "journalctl -u ipsec"

Please see the attachment for the log.
```
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:00:37.861975 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 530: (tos 0x0, ttl 64, id 51250, offset 0, flags [DF], proto UDP (17), length 516)
    10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]: (sa: len=92 (p: #1 protoid=isakmp transform=10 len=92 (t: #1 type=encr id=#20 (type=keylen value=0100)) (t: #2 type=prf id=#5 ) (t: #3 type=dh id=modp2048 ) (t: #4 type=dh id=modp3072 ) (t: #5 type=dh id=modp4096 ) (t: #6 type=dh id=modp8192 ) (t: #7 type=dh id=#19 ) (t: #8 type=dh id=#20 ) (t: #9 type=dh id=#21 ) (t: #10 type=dh id=#31 ))) (v2ke: len=256 group=modp2048) (nonce: len=32 data=(4f513f1642b8953c07bb...fedac6335f91031578c9758aa9b6019de764effa)) (n: prot_id=#0 type=16430(status)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.863832 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 474: (tos 0x0, ttl 64, id 23069, offset 0, flags [DF], proto UDP (17), length 460)
    10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]: (sa: len=36 (p: #1 protoid=isakmp transform=3 len=36 (t: #1 type=encr id=#20 (type=keylen value=0100)) (t: #2 type=prf id=#5 ) (t: #3 type=dh id=modp2048 ))) (v2ke: len=256 group=modp2048) (nonce: len=32 data=(566881890770f9b6f6d5...d1c930729ba38f146064c0dc4ee5db735b9f72dd)) (n: prot_id=#0 type=16430(status)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.865072 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 51253, offset 0, flags [DF], proto UDP (17), length 233)
    10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: (v2e: len=169)
09:00:37.866209 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 64, id 23071, offset 0, flags [DF], proto UDP (17), length 97)
    10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]: (v2e: len=33)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#
```

Mohammad Heib

Hi @qding, thank you for reporting this bug. I think the pluto daemon failed to initiate the connection. Can you please attach the output of the commands below:

```
# ipsec status
# ipsec auto --start <connection name>   (you can find it in /etc/ipsec.conf; I think it's tun123-1)
```

Thank you so much, and sorry about the previous comment :)

qding

Hello Mohammad,

Thank you for investigating the issue, and I'm sorry for the late feedback: I have had too many tests recently and the machines were not available.

There is one important thing that I have to mention: I'm not sure my configurations are correct for OVS NAT-T, and I have no idea whether OVS really supports the feature. I just see that with these configurations the IPsec tunnel does not work. Please see the log below.
```
[root@dell-per730-04 ~]# uname -r
4.18.0-367.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-openvswitch2.16-2.16.0-53.el8fdp.x86_64
openvswitch2.16-2.16.0-53.el8fdp.x86_64
openvswitch2.16-ipsec-2.16.0-53.el8fdp.x86_64
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:05:21.987340 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 530: (tos 0x0, ttl 64, id 60467, offset 0, flags [DF], proto UDP (17), length 516)
    10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]: (sa: len=92 (p: #1 protoid=isakmp transform=10 len=92 (t: #1 type=encr id=#20 (type=keylen value=0100)) (t: #2 type=prf id=#5 ) (t: #3 type=dh id=modp2048 ) (t: #4 type=dh id=modp3072 ) (t: #5 type=dh id=modp4096 ) (t: #6 type=dh id=modp8192 ) (t: #7 type=dh id=#19 ) (t: #8 type=dh id=#20 ) (t: #9 type=dh id=#21 ) (t: #10 type=dh id=#31 ))) (v2ke: len=256 group=modp2048) (nonce: len=32 data=(923541f5187b133691f7...b16dc7dae181dc4dacfe6a2ee8cb2f537caf78a7)) (n: prot_id=#0 type=16430(status)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
05:05:21.989124 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 474: (tos 0x0, ttl 64, id 41348, offset 0, flags [DF], proto UDP (17), length 460)
    10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]: (sa: len=36 (p: #1 protoid=isakmp transform=3 len=36 (t: #1 type=encr id=#20 (type=keylen value=0100)) (t: #2 type=prf id=#5 ) (t: #3 type=dh id=modp2048 ))) (v2ke: len=256 group=modp2048) (nonce: len=32 data=(15b844a247f0abb446bb...c7e8f6008ce558e29ce28f94ff0a9fe9d0cd943d)) (n: prot_id=#0 type=16430(status)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
05:05:21.990539 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 60469, offset 0, flags [DF], proto UDP (17), length 233)
    10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: (v2e: len=169)
05:05:21.991876 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 163: (tos 0x0, ttl 64, id 41349, offset 0, flags [DF], proto UDP (17), length 149)
    10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]: (v2e: len=85)
05:05:21.992446 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 64, id 60471, offset 0, flags [DF], proto UDP (17), length 97)
    10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[I]: (v2e: len=33)
05:05:21.992612 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl 64, id 41350, offset 0, flags [DF], proto UDP (17), length 89)
    10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[R]: (v2e: len=25)
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# ipsec status
000 using kernel interface: xfrm
000
000 interface eno1 UDP [2620:52:0:4958:1618:77ff:fe35:5b1b]:500
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eno1 UDP 10.73.88.41:4500
000 interface eno1 UDP 10.73.88.41:500
000 interface br-nat UDP 192.168.1.1:4500
000 interface br-nat UDP 192.168.1.1:500
000 interface ovsbr0 UDP 172.16.31.1:4500
000 interface ovsbr0 UDP 172.16.31.1:500
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.5, pluto_vendorid=OE-Libreswan-4.5, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "tun123-1": 192.168.1.1<192.168.1.1>:47/0...10.1.1.2<10.1.1.2>:47/0; prospective erouted; eroute owner: #0
000 "tun123-1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tun123-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "tun123-1": our auth:secret, their auth:secret
000 "tun123-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tun123-1": sec_label:unset;
000 "tun123-1": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "tun123-1": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tun123-1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tun123-1": policy: IKEv2+PSK+ENCRYPT+PFS+IKE_FRAG_ALLOW+ESN_NO;
000 "tun123-1": v2-auth-hash-policy: none;
000 "tun123-1": conn_prio: 32,32; interface: br-nat; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tun123-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tun123-1": our idtype: ID_IPV4_ADDR; our id=192.168.1.1; their idtype: ID_IPV4_ADDR; their id=10.1.1.2
000 "tun123-1": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "tun123-1": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "tun123-1": IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "tun123-1": ESP algorithms: AES_GCM_16_256-NONE
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
[root@dell-per730-04 ~]# ipsec auto --start tun123-1
002 "tun123-1": terminating SAs using this connection
003 ERROR: "tun123-1": ERROR: netlink XFRM_MSG_DELPOLICY response for flow %discard(discard): No such file or directory (errno 2)
002 "tun123-1": added IKEv2 connection
181 "tun123-1" #7: initiating IKEv2 connection
181 "tun123-1" #7: sent IKE_SA_INIT request
182 "tun123-1" #7: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
003 "tun123-1" #7: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
036 "tun123-1" #7: encountered fatal error in state STATE_V2_PARENT_I2
002 "tun123-1" #7: deleting state (STATE_V2_PARENT_I2) aged 0.00631s and NOT sending notification
002 "tun123-1" #7: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
[root@dell-per730-04 ~]#
```
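Both captures in this report have the same shape: IKE_SA_INIT on UDP 500 with NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies from both sides, then IKE_AUTH already on UDP 4500 with the non-ESP marker, and pluto reporting that the peer answered IKE_AUTH with AUTHENTICATION_FAILED. The script below is an added triage aid written for this page; it is not code from OVS, libreswan or the reporter. It reads the text that `tcpdump -nnev` and `ipsec auto --start` print (the line formats are taken from the output above), reconstructs the exchange, and reports whether the handshake floated to 4500 (which under RFC 7296 section 2.23 happens only when at least one side detected a NAT) and what the peer rejected. The embedded sample is a constructed abridgement of the first capture and of the pluto lines above; the "established" strings checked in `pluto_outcome` are an assumption about other libreswan versions' wording and do not appear in this report.

```python
"""Summarise an IKEv2 handshake from tcpdump output and flag NAT-T behaviour.

Added example for bug 1935599; not code from OVS, libreswan or the reporter.
It only parses text that tcpdump and pluto already print.
"""
import re
from dataclasses import dataclass

# One IKE message per tcpdump payload line, e.g.
#   10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]: ...
#   10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: ...
MSG_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<encap>NONESP-encap: )?isakmp 2\.0 msgid (?P<msgid>[0-9a-f]+): "
    r"\w+ (?P<exch>\w+)\[(?P<role>[IR])\]"
)
NAT_D_SRC = "nat_detection_source_ip"       # notify 16388 (RFC 7296 s2.23)
NAT_D_DST = "nat_detection_destination_ip"  # notify 16389
NATT_PORT = 4500


@dataclass(frozen=True)
class IkeMsg:
    src: str
    sport: int
    dst: str
    dport: int
    exch: str     # ikev2_init, ikev2_auth, inf2, ... as tcpdump names them
    role: str     # "I" = request, "R" = response
    nonesp: bool  # carried the 4-byte non-ESP marker (UDP encapsulation)
    nat_d: bool   # carried both NAT_DETECTION_*_IP notifies


def parse_capture(text: str) -> list[IkeMsg]:
    """Return the IKE messages in a tcpdump dump, in capture order."""
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # MAC/IP header lines, banners, the ^C summary
        msgs.append(IkeMsg(
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            m["exch"], m["role"], m["encap"] is not None,
            NAT_D_SRC in line and NAT_D_DST in line,
        ))
    return msgs


def summarise(msgs: list[IkeMsg]) -> dict:
    """Reduce a message list to the facts that matter for NAT-T triage."""
    if not msgs:
        raise ValueError("no IKEv2 messages in capture")
    init = [m for m in msgs if m.exch == "ikev2_init"]
    floated = [m for m in msgs if m.dport == NATT_PORT]
    return {
        "initiator": msgs[0].src,
        "responder": msgs[0].dst,
        "exchanges": [(m.exch, m.role) for m in msgs],
        # Both IKE_SA_INIT messages must carry the NAT detection hashes for
        # either side to be able to conclude that a NAT sits in the path.
        "nat_detection_both_sides": len(init) == 2 and all(m.nat_d for m in init),
        # After IKE_SA_INIT the exchange moves to 4500 only when a NAT was
        # detected; the non-ESP marker confirms UDP encapsulation is in use.
        "floated_to_4500": bool(floated) and all(m.nonesp for m in floated),
        "first_exchange_on_4500": floated[0].exch if floated else None,
        "ike_auth_answered": any(m.exch == "ikev2_auth" and m.role == "R" for m in msgs),
    }


# pluto wording from the report: '... rejected by peer: AUTHENTICATION_FAILED'
PLUTO_REJECT_RE = re.compile(r"rejected by peer: (?P<notify>[A-Z_]+)")


def pluto_outcome(log: str) -> str:
    """Outcome of `ipsec auto --start` as pluto logged it.

    Returns the peer's error notify (e.g. AUTHENTICATION_FAILED), 'established'
    if a Child SA came up, or 'unknown' when neither is present.  The two
    'established' strings are assumed libreswan wordings, not from this report.
    """
    m = PLUTO_REJECT_RE.search(log)
    if m:
        return m["notify"]
    if "established Child SA" in log or "IPsec SA established" in log:
        return "established"
    return "unknown"


# Constructed sample: the first capture in the report, abridged to the fields
# the parser reads (MAC addresses and the full SA proposal dropped).
SAMPLE_CAPTURE = """\
09:00:37.861975 IP (tos 0x0, ttl 64, id 51250, offset 0, flags [DF], proto UDP (17), length 516)
    10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]: (sa: len=92 ...) (v2ke: len=256 group=modp2048) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.863832 IP (tos 0x0, ttl 64, id 23069, offset 0, flags [DF], proto UDP (17), length 460)
    10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]: (sa: len=36 ...) (v2ke: len=256 group=modp2048) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.865072 IP (tos 0x0, ttl 64, id 51253, offset 0, flags [DF], proto UDP (17), length 233)
    10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: (v2e: len=169)
09:00:37.866209 IP (tos 0x0, ttl 64, id 23071, offset 0, flags [DF], proto UDP (17), length 97)
    10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]: (v2e: len=33)
^C
4 packets captured
"""

# Constructed sample: the decisive pluto lines from the report.
SAMPLE_PLUTO = """\
182 "tun123-1" #7: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
003 "tun123-1" #7: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
036 "tun123-1" #7: encountered fatal error in state STATE_V2_PARENT_I2
"""

if __name__ == "__main__":
    for key, value in summarise(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
    print("pluto outcome:", pluto_outcome(SAMPLE_PLUTO))
```

Run against the report's captures, the summary says the same thing for both directions of initiation: NAT detection was offered by both peers, the handshake floated to 4500 for IKE_AUTH, and IKE_AUTH was answered, so NAT traversal itself negotiated; the failure comes one step later, where IDs and the PSK are checked. One thing worth verifying, which the thread does not settle: pluto identifies itself as ID_IPV4_ADDR 192.168.1.1 (the br-nat address) while the peer sees packets arriving from 10.1.1.1, so the peer's connection has to be keyed on the ID it actually receives rather than on the observed source address, or the PSK lookup cannot succeed. That is a plausible cause consistent with this log, not a conclusion the report reaches.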