Bug 1954423
| Summary: | Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nir Yechiel <nyechiel> |
| Component: | libreswan | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.4 | CC: | dueno, jan.public, majopela, mangelajo, nmanos, omoris, sgaddam |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libreswan-4.4-1.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-09 18:49:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1958968 | | |
| Bug Blocks: | | | |
Description
Nir Yechiel
2021-04-28 07:21:55 UTC
Nir, do you have a reproducer for this issue? I inspected the github issue from the description but unfortunately I do not see any hints to test this problem.

Also, since this bug report does not follow the standard bug template I have a couple of questions before we can do anything:

* What version of libreswan is used?
* Is the problem always reproducible?
* If there is no reproducer without OCP and Submariner - are you able to test it if we provide a package for testing?

(In reply to Ondrej Moriš from comment #1)
> Nir, do you have a reproducer for this issue? I inspected github issue from
> the description but unfortunately I do not see any hints to test this
> problem.
>
> Also, since this bug report does not follow the standard bug template I have
> a couple of questions before we can do anything:
>
> * What version of libreswan is used?

It was seen with libreswan-4.3-3.el8.x86_64

> * Is the problem always reproducible?

We have seen this issue with NAT-T (onPrem Cluster behind NAT Router trying to connect to an AWS Cluster). I think when this problem was reproduced the NAT router was also modifying the Source Port of the traffic.

> * If there is no reproducer without OCP and Submariner - are you able to
> test it if we provide a package for testing?

Sure, if you can provide us a libreswan package for RHEL 8.4, we can give it a try. Thanks.

In submariner 0.9 (registry-proxy.engineering.redhat.com/rh-osbs/rhacm2-tech-preview-submariner-gateway-rhel8:v0.9-56) it is working well:
$ oc exec $active_gateway_pod -n submariner-operator -- bash -c "ipsec status"
000 using kernel interface: xfrm
000
000 interface br-ex UDP 10.8.8.118:4502
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface ovn-k8s-mp0 UDP 10.210.2.2:4500
000 interface ovn-k8s-mp0 UDP 10.210.2.2:500
000 interface ovn-k8s-gw0 UDP 169.254.0.1:4500
000 interface ovn-k8s-gw0 UDP 169.254.0.1:500
000 interface br-ex UDP 10.8.8.118:4500
000 interface br-ex UDP 10.8.8.118:500
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.4, pluto_vendorid=OE-Libreswan-4.4, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug: base
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, <unset-subnet>
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "submariner-cable-default-cl2-10-2-3-225-0-0": 172.40.0.0/16===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===172.32.0.0/16; erouted; eroute owner: #7
000 "submariner-cable-default-cl2-10-2-3-225-0-0": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-0-0": our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-0-0": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": conn_prio: 16,16; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-0-0": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-0-0": newest ISAKMP SA: #0; newest IPsec SA: #7; conn serial: $1;
000 "submariner-cable-default-cl2-10-2-3-225-0-0": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-0-1": 172.40.0.0/16===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===10.200.0.0/14; erouted; eroute owner: #5
000 "submariner-cable-default-cl2-10-2-3-225-0-1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-0-1": our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-0-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": conn_prio: 16,14; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-0-1": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-0-1": newest ISAKMP SA: #0; newest IPsec SA: #5; conn serial: $2;
000 "submariner-cable-default-cl2-10-2-3-225-0-1": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-1-0": 10.208.0.0/14===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===172.32.0.0/16; erouted; eroute owner: #3
000 "submariner-cable-default-cl2-10-2-3-225-1-0": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-1-0": our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-1-0": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": conn_prio: 14,16; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-1-0": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-1-0": newest ISAKMP SA: #0; newest IPsec SA: #3; conn serial: $3;
000 "submariner-cable-default-cl2-10-2-3-225-1-0": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-1-1": 10.208.0.0/14===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===10.200.0.0/14; erouted; eroute owner: #4
000 "submariner-cable-default-cl2-10-2-3-225-1-1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-1-1": our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-1-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": conn_prio: 14,14; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-1-1": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-1-1": newest ISAKMP SA: #2; newest IPsec SA: #4; conn serial: $4;
000 "submariner-cable-default-cl2-10-2-3-225-1-1": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "submariner-cable-default-cl2-10-2-3-225-1-1": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 4, active 4
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(5), authenticated(5), anonymous(0)
000
000 #6: "submariner-cable-default-cl2-10-2-3-225-0-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23723s; isakmp#2; idle;
000 #6: "submariner-cable-default-cl2-10-2-3-225-0-0" esp.5be41900.232.127 esp.702fd2aa.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #7: "submariner-cable-default-cl2-10-2-3-225-0-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23000s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #7: "submariner-cable-default-cl2-10-2-3-225-0-0" esp.534e127c.232.127 esp.8b53cec.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #5: "submariner-cable-default-cl2-10-2-3-225-0-1":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #5: "submariner-cable-default-cl2-10-2-3-225-0-1" esp.c13709d5.232.127 esp.449dfb9d.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "submariner-cable-default-cl2-10-2-3-225-1-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #3: "submariner-cable-default-cl2-10-2-3-225-1-0" esp.2f612583.232.127 esp.ec2daa5e.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #2: "submariner-cable-default-cl2-10-2-3-225-1-1":4502 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 23722s; newest ISAKMP; idle;
000 #4: "submariner-cable-default-cl2-10-2-3-225-1-1":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #4: "submariner-cable-default-cl2-10-2-3-225-1-1" esp.2502a7e2.232.127 esp.65ea681c.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=206KB ESPout=206KB! ESPmax=0B
000
000 Bare Shunt list:
000
Thanks for validating and sharing your observations, Noam. Based on the logs above, the connections are successfully established, and I acknowledge that it's limited testing. Since the updated Libreswan image has useful fixes, IMHO it might be worth getting an official Libreswan image and starting to validate it. What do you say @mangelajo, @nyechiel?

Daiki, if you believe it's possible to backport this to RHEL 8.4 it would be great. We don't have 100% certainty that this is fixing the issue we saw, although so far it's looking good.

I don't know about the fix; if it's a simple one, let's consider it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4299

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days