Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 1975039

Summary: [OVS IPsec] no ESP in packets for RHEL9 in self-signed/CA-signed certificate mode
Product: Red Hat Enterprise Linux Fast Datapath
Component: openvswitch2.15
Version: FDP 21.E
Reporter: qding
Assignee: Mohammad Heib <mheib>
QA Contact: qding
CC: akaris, ctrautma, fleitner, jhsiao, mheib, qding, ralongi
Status: CLOSED MIGRATED
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Last Closed: 2024-03-11 18:16:39 UTC

Description qding 2021-06-23 02:15:50 UTC
Description of problem:

With RHEL-9, when SELinux is in Enforcing mode, the openvswitch-ipsec service fails to start. So I ran the test with SELinux in Permissive mode, but it still has a problem: there are no ESP packets in either self-signed or CA-signed certificate mode.

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20210617.1 
openvswitch-selinux-extra-policy-1.0-29.el9fdp.noarch.rpm
openvswitch2.15-2.15.0-16.el9fdp.x86_64.rpm
selinux-policy-34.1.8-1.el9.noarch

How reproducible: always

Additional info:

beaker job: https://beaker.engineering.redhat.com/jobs/5494202

Comment 7 Mohammad Heib 2022-02-14 08:57:30 UTC
Hi Qding,

thank you for adding the command outputs above.
I submitted a patch upstream which is supposed to fix the issue and tried it on rhel9, and everything seems to be fine.
I just want to make sure that you are not facing a different issue, so please add the output of the commands below:

    # certutil -L -d /var/lib/ipsec/nss/
    # certutil -L -d /etc/ipsec.d/

The last command needs the IPsec connection name, which can be found in /etc/ipsec.conf.
Based on your logs above I assume the name is 'tun123-in-1'; please make sure that you have it in /etc/ipsec.conf.

    # ipsec auto --start tun123-in-1

upstream fix:
    https://patchwork.ozlabs.org/project/openvswitch/patch/20220214083947.30774-1-mheib@redhat.com/

Thanks

Comment 8 qding 2022-02-17 10:03:16 UTC
[root@dell-per730-05 ~]# uname -r
5.14.0-58.el9.x86_64
[root@dell-per730-05 ~]# rpm -qa | grep openvswitch
kernel-kernel-networking-openvswitch-ipsec-1.0-41.noarch
openvswitch-selinux-extra-policy-1.0-31.el9fdp.noarch
openvswitch2.16-2.16.0-43.el9fdp.x86_64
python3-openvswitch2.16-2.16.0-43.el9fdp.x86_64
openvswitch2.16-ipsec-2.16.0-43.el9fdp.x86_64
[root@dell-per730-05 ~]# ovs-vsctl show
f611de56-024d-4a65-acda-6df129267057
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: vxlan
                options: {local_ip="192.168.123.1", remote_cert="/tmp/keys/h2-cert.pem", remote_ip="192.168.123.2"}
    ovs_version: "2.16.3"
[root@dell-per730-05 ~]# certutil -L -d /var/lib/ipsec/nss/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@dell-per730-05 ~]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_h1                                               u,u,u
ovs_cert_h2                                                  P,P,P
[root@dell-per730-05 ~]# ipsec auto --start tun123-in-1
036 "tun123-in-1": failed to add connection: left certificate 'ovs_certkey_h1' not found in the NSS database
000 initiating all conns with alias='tun123-in-1'
021 no connection named "tun123-in-1"
[root@dell-per730-05 ~]# 
[root@dell-per730-05 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-in-1
    left=192.168.123.1
    right=192.168.123.2
    leftid=@h1
    rightid=@h2
    leftcert="ovs_certkey_h1"
    rightcert="ovs_cert_h2"
    leftrsasigkey=%cert
    leftprotoport=udp/4789
    rightprotoport=udp

conn tun123-out-1
    left=192.168.123.1
    right=192.168.123.2
    leftid=@h1
    rightid=@h2
    leftcert="ovs_certkey_h1"
    rightcert="ovs_cert_h2"
    leftrsasigkey=%cert
    leftprotoport=udp
    rightprotoport=udp/4789

[root@dell-per730-05 ~]#
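As an added diagnostic that is not part of the bug thread or of Open vSwitch itself: the output in comment 8 shows the two certificates present in /etc/ipsec.d with an empty /var/lib/ipsec/nss, while `ipsec auto --start` reports the leftcert as not found, i.e. the certificates were imported into a database other than the one the RHEL 9 libreswan reads. The script below parses the ovs-monitor-ipsec generated /etc/ipsec.conf for leftcert/rightcert nicknames and the `certutil -L -d <dir>` listing of each candidate NSS directory, then reports which conn's certificates are missing from which database and whether our own (left) certificate carries a private key (the `u` trust flag). The config and the two listings are embedded from comment 8 as constructed samples so it runs offline; the function names and the dictionary of candidate directories are the example's own assumptions, not anything from the OVS scripts.

```python
"""Cross-check the certificate nicknames in an ovs-monitor-ipsec generated
/etc/ipsec.conf against the NSS databases libreswan might be reading."""
from __future__ import annotations
import re

# Constructed samples copied from the bug thread's comment 8 and embedded so the
# check runs offline: the generated ipsec.conf (trimmed to one conn) and the two
# `certutil -L -d <dir>` listings.
IPSEC_CONF = """\
# Generated by ovs-monitor-ipsec...do not modify by hand!

conn %default
    type=transport
    ikev2=insist

conn tun123-in-1
    left=192.168.123.1
    right=192.168.123.2
    leftid=@h1
    rightid=@h2
    leftcert="ovs_certkey_h1"
    rightcert="ovs_cert_h2"
    leftrsasigkey=%cert
    leftprotoport=udp/4789
    rightprotoport=udp
"""

# Trust flags are listed as SSL,S/MIME,JAR/XPI; 'u' marks a cert with a private key.
CERTUTIL_LISTINGS = {
    "/var/lib/ipsec/nss": """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
""",
    "/etc/ipsec.d": """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_h1                                               u,u,u
ovs_cert_h2                                                  P,P,P
""",
}


def parse_conns(conf: str) -> dict[str, dict[str, str]]:
    """Return {conn_name: {option: value}} for each 'conn' section with quotes
    stripped from values; 'config setup' and 'conn %default' are skipped."""
    conns: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line = section header
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m and m.group(1) != "%default" else None
            continue
        if current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    return conns


def parse_certutil(listing: str) -> dict[str, str]:
    """Return {nickname: trust_flags} from `certutil -L` output. Only data rows end
    in three comma-separated flag groups, so the two header rows never match."""
    certs: dict[str, str] = {}
    for line in listing.splitlines():
        m = re.match(r"(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def check_conn_certs(conns: dict[str, dict[str, str]], certs: dict[str, str]) -> list[str]:
    """List problems: a leftcert/rightcert nickname missing from the database, or a
    leftcert (our own identity) whose SSL trust slot lacks 'u', i.e. no private key."""
    problems: list[str] = []
    for name, opts in conns.items():
        for side in ("leftcert", "rightcert"):
            nick = opts.get(side)
            if nick is None:
                continue
            flags = certs.get(nick)
            if flags is None:
                problems.append(f"{name}: {side} '{nick}' not found in the NSS database")
            elif side == "leftcert" and "u" not in flags.split(",")[0]:
                problems.append(f"{name}: {side} '{nick}' has no private key (trust flags {flags})")
    return problems


def diagnose(conf: str, listings: dict[str, str]) -> dict[str, list[str]]:
    """Run the check against every candidate NSS directory; an empty list for a
    directory means the generated config is satisfiable from that database."""
    conns = parse_conns(conf)
    return {d: check_conn_certs(conns, parse_certutil(text)) for d, text in listings.items()}


if __name__ == "__main__":
    for nss_dir, problems in diagnose(IPSEC_CONF, CERTUTIL_LISTINGS).items():
        print(nss_dir, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

On a live host, replace the two samples with the contents of /etc/ipsec.conf and the stdout of `certutil -L -d <dir>` for each directory; the directory whose result is empty is the one that must be the libreswan NSS database, and a non-empty result for the directory libreswan actually uses reproduces the "left certificate ... not found in the NSS database" failure from comment 8 before bringing any tunnel up.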

Comment 11 Andreas Karis 2022-06-01 12:56:27 UTC
I also hit this on Fedora 35, so I'd just like to say thank you, as the suggested solution worked.

I ran into this issue on Fedora 35 and this definitely unblocked me. Given that the patch hasn't merged upstream yet, I applied the patch manually:
~~~
vi /usr/share/openvswitch/scripts/ovs-monitor-ipsec
~~~

and replaced these lines:
~~~
-        ipsec_d = args.ipsec_d if args.ipsec_d else "/etc/ipsec.d"
+        ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss"
~~~
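Review bot: the new fallback hard-codes /var/lib/ipsec/nss as the default for `ipsec_d`, which matches the libreswan on RHEL 9 and Fedora 35 in this thread but breaks any libreswan whose NSS database is still /etc/ipsec.d: on those hosts the certificates are now imported into a directory libreswan never reads and `ipsec auto --start` fails with the same "certificate not found in the NSS database" error, just in the other direction, unless the caller passes the `ipsec_d` override explicitly. Consider detecting the installed libreswan's NSS directory instead of hard-coding either path, or at least documenting the changed default wherever the option is described.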

Thanks!