
Bug 1322083

Summary: IPsec - some IPv6 tunnels do not start after reboot
Product: Red Hat Enterprise Linux 7
Reporter: Otto Sabart <osabart>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: aokuliar, jhladky, osabart, rkhan
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-04-01 17:36:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Otto Sabart 2016-03-29 18:39:44 UTC
Description of problem:
We have two hp-dl360g6 machines with the exactly same HW configuration.

We have following IPsec tunnels configured on both sides:

$ cat /etc/ipsec.secrets
172.18.10.11 172.18.10.21 : PSK "redhat"
172.18.10.12 172.18.10.22 : PSK "redhat"
172.18.10.13 172.18.10.23 : PSK "redhat"
172.18.10.14 172.18.10.24 : PSK "redhat"
fd40::11 fd40::21 : PSK "redhat"
fd40::12 fd40::22 : PSK "redhat"
fd40::13 fd40::23 : PSK "redhat"
fd40::14 fd40::24 : PSK "redhat"


$ cat /etc/ipsec.conf
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off

conn tra
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.11
        right=172.18.10.21
        esp=3des-md5
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trb
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.12
        right=172.18.10.22
        esp=3des-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trc
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.13
        right=172.18.10.23
        esp=aes128-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trd
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.14
        right=172.18.10.24
        esp=aes256-sha2_256
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsa
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::11
        right=fd40::21
        esp=3des-md5
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsb
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::12
        right=fd40::22
        esp=3des-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsc
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::13
        right=fd40::23
        esp=aes128-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsd
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::14
        right=fd40::24
        esp=aes256-sha2_256
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start


$ ip a l dev bnx2_1
3: bnx2_1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:55:1a:87:46 brd ff:ff:ff:ff:ff:ff
    inet 172.18.10.10/24 brd 172.18.10.255 scope global bnx2_1
       valid_lft forever preferred_lft forever
    inet 172.18.10.11/24 brd 172.18.10.255 scope global secondary bnx2_1:0
       valid_lft forever preferred_lft forever
    inet 172.18.10.12/24 brd 172.18.10.255 scope global secondary bnx2_1:1
       valid_lft forever preferred_lft forever
    inet 172.18.10.13/24 brd 172.18.10.255 scope global secondary bnx2_1:2
       valid_lft forever preferred_lft forever
    inet 172.18.10.14/24 brd 172.18.10.255 scope global secondary bnx2_1:3
       valid_lft forever preferred_lft forever
    inet6 fd40::14/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::13/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::12/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::11/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::226:55ff:fe1a:8746/64 scope link
       valid_lft forever preferred_lft forever


_IPv4_ tunnels always work, but _IPv6_ tunnels do not. Sometimes only one or two IPv6 tunnels work, sometimes none of the IPv6 tunnels work at all.


Version-Release number of selected component (if applicable):
The problem was reproduced on libreswan-3.12-10.1.el7_1 and on the latest libreswan found in Brew:

$ yum info libreswan
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.12
Release     : 10.1.el7_1
Size        : 4.5 M
Repo        : installed
From repo   : beaker-Server


$ yum info libreswan
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.15
Release     : 5.el7_1
Size        : 4.6 M
Repo        : installed
From repo   : /libreswan-3.15-5.el7_1.x86_64


$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

$ uname -a
Linux hp-dl360g6-01.rhts.eng.brq.redhat.com 3.10.0-369.el7.x86_64 #1 SMP Fri Mar 25 10:26:40 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
80%


Steps to Reproduce:
1. provision of stable RHEL7.2
2. installation of 3.10.0-369.el7.x86_64 CI kernel
3. configuration of IPsec and IP addresses on network interfaces
4. enable ipsec.service
5. reboot both machines


Actual results:
$ ping6 -I fd40::12 fd40::22
PING fd40::22(fd40::22) from fd40::12 : 56 data bytes
^C
--- fd40::22 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms


$ ping6 -I fd40::11 fd40::21
PING fd40::21(fd40::21) from fd40::11 : 56 data bytes
^C
--- fd40::21 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms


$ ping6 -I fd40::13 fd40::23
PING fd40::23(fd40::23) from fd40::13 : 56 data bytes
^C
--- fd40::23 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms


$ ping6 -I fd40::14 fd40::24
PING fd40::24(fd40::24) from fd40::14 : 56 data bytes
^C
--- fd40::24 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms


$ netperf -L fd40::12 -H fd40::22
-> not working


Sometimes it helps to restart the ipsec service (it must be restarted on both sides):
$ ipsec restart

Expected results:
Working IPv6 IPsec tunnels after boot.


Additional info:
Some suspicious messages in dmesg:
[   31.704968] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_1: link becomes ready
[   32.004397] bnx2 0000:02:00.0 bnx2_0: NIC Copper Link is Up, 1000 Mbps full duplex
[   32.006056] , receive & transmit flow control ON
[   32.007270] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_0: link becomes ready
[   35.205659] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_0)]Requested DCBX mode 5 is beyond advertised capabilities
[   35.333670] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_1)]Requested DCBX mode 5 is beyond advertised capabilities
[   36.124534] sha512_ssse3: Using SSSE3 optimized SHA-512 implementation
[   36.258617] AVX instructions are not detected.
[   36.453929] AVX instructions are not detected.
[   36.470093] AVX instructions are not detected.
[   36.725867] AVX instructions are not detected.
[   36.760492] AVX instructions are not detected.
[   36.843968] AVX or AES-NI instructions are not detected.
[   36.862027] AVX or AES-NI instructions are not detected.
[   36.918472] AVX or AES-NI instructions are not detected.
[   36.933383] AVX or AES-NI instructions are not detected.
[   36.959786] AVX instructions are not detected.
[   36.983193] AVX instructions are not detected.
[   37.010419] PCLMULQDQ-NI instructions are not detected.
[   37.107624] AVX instructions are not detected.
[   37.131658] AVX instructions are not detected.
[   37.161166] AVX instructions are not detected.
[   37.556586] NET: Registered protocol family 15
[   37.578437] IPv4 over IPsec tunneling driver
[   39.200630] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[   40.570419] alg: No test for authenc(hmac(md5),cbc(des3_ede)) (authenc(hmac(md5-generic),cbc(des3_ede-generic)))
[   40.616448] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-ssse3),cbc(des3_ede-generic)))



I can provision and prepare our machines, so you can reproduce this problem by yourself. Just let me know via e-mail.

Comment 2 Paul Wouters 2016-03-31 00:10:54 UTC
looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1216946

possibly your ipsec.conf did not get updated to include entries in /etc/ipsec.d/ and therefore the new file /etc/ipsec.d/v6neighbor-hole.conf is not loaded?

Or you are not running the latest version, which has v6neighbor-hole.conf?

Comment 3 Otto Sabart 2016-03-31 15:27:10 UTC
Yes, you are right.

We forgot to add the following line to our ipsec.conf:
include /etc/ipsec.d/*.conf

so v6neighbor-hole.conf is not loaded.

I am going to retest this issue and I will let you know.


Thank you!
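Comment 3 pins the failure on a missing "include /etc/ipsec.d/*.conf" line. Libreswan on RHEL 7 ships /etc/ipsec.d/v6neighbor-hole.conf, whose passthrough conns exempt ICMPv6 neighbor discovery from the IPsec policy. Without it, a host-to-host transport policy between fd40::1x and fd40::2x installed at boot also covers the neighbor solicitation the two hosts need to learn each other's link-layer address, so IKE has no way to reach the peer and the conn never comes up; a neighbor-cache entry that happens to survive from earlier traffic is why one or two tunnels sometimes work and a double restart sometimes helps. The bug report itself only names the file; that mechanism is general libreswan behaviour, not something stated on the page. The following Python is an added example, not code from the bug report or from libreswan: it lints a trimmed copy of the reporter's ipsec.conf (a constructed sample built from two of the conns on the page) for that include line, lists the IPv6 transport conns that depend on it, and also flags the 3DES/MD5/pfs=no choices, which are a weakness in their own right even though they are unrelated to this bug.

```python
"""Added example, not code from the bug report or from libreswan: a linter for
the ipsec.conf the reporter posted. It checks whether an include line loads
/etc/ipsec.d/*.conf (and so libreswan's v6neighbor-hole.conf, the passthrough
policy that exempts ICMPv6 neighbor discovery from IPsec), lists the IPv6
transport-mode conns that need that hole, and flags weak algorithm choices."""
import fnmatch
import textwrap

NEIGHBOR_HOLE = "/etc/ipsec.d/v6neighbor-hole.conf"  # left unloaded by the missing include
WEAK_TOKENS = ("3des", "md5", "modp1024")             # HMAC-SHA1 deliberately not flagged


def parse_ipsec_conf(text):
    """Return (includes, conns): 'conn'/'config setup' headers, indented key=value lines."""
    includes, conns, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":                   # key=value line inside a section
            if current is not None:
                key, _, value = line.strip().partition("=")
                current[key.strip()] = value.strip()
            continue
        word, _, rest = line.partition(" ")    # section header or directive
        rest = rest.strip()
        if word == "include" and rest:
            includes.append(rest)
            current = None
        elif word == "conn" and rest:
            conns.append({"name": rest})
            current = conns[-1]
        else:                                  # 'config setup' or 'version 2.0'
            current = {} if word == "config" else None
    return includes, conns


def loads_neighbor_hole(includes):
    """True if some include pattern would pull in v6neighbor-hole.conf."""
    return any(fnmatch.fnmatch(NEIGHBOR_HOLE, pat) for pat in includes)


def ipv6_transport_conns(conns):
    """Conns whose policy covers all traffic between two IPv6 hosts (ND included)."""
    names = []
    for c in conns:
        is_v6 = c.get("connaddrfamily") == "ipv6" or ":" in c.get("left", "")
        narrowed = "leftprotoport" in c or "rightprotoport" in c
        if is_v6 and c.get("type", "tunnel") == "transport" and not narrowed:
            names.append(c["name"])
    return names


def weak_algorithms(conns):
    """Map conn name -> weak settings found in esp=/ike=, plus pfs=no."""
    findings = {}
    for c in conns:
        weak = [f"{k}={c[k]}" for k in ("esp", "ike")
                if any(tok in c.get(k, "").lower() for tok in WEAK_TOKENS)]
        if c.get("pfs", "yes").lower() == "no":
            weak.append("pfs=no")
        if weak:
            findings[c["name"]] = weak
    return findings


def lint(text):
    includes, conns = parse_ipsec_conf(text)
    return {"loads_neighbor_hole": loads_neighbor_hole(includes),
            "ipv6_transport_conns": ipv6_transport_conns(conns),
            "weak_algorithms": weak_algorithms(conns)}


# Constructed sample: two of the report's eight conns, trimmed, with no include line.
SAMPLE_CONF = textwrap.dedent("""\
    config setup
            protostack=netkey

    conn tra
            type=transport
            connaddrfamily=ipv4
            left=172.18.10.11
            right=172.18.10.21
            esp=3des-md5
            ike=3des-sha1
            pfs=no

    conn trsd
            type=transport
            connaddrfamily=ipv6
            left=fd40::14
            right=fd40::24
            esp=aes256-sha2_256
            ike=3des-sha1
            pfs=no
    """)
# The same file with the line comment 3 says was missing.
FIXED_CONF = "include /etc/ipsec.d/*.conf\n" + SAMPLE_CONF
```

Calling lint(SAMPLE_CONF) and lint(FIXED_CONF) shows the include check flip from False to True while the other findings stay the same: trsd is the only IPv6 transport conn in the sample, and both conns are reported for 3DES in IKE and pfs=no. The linter only reads the file; on a live host the authoritative check is whether "ipsec status" lists the passthrough conns from v6neighbor-hole.conf and whether "ip xfrm policy" shows the matching entries alongside the host-to-host transport policies.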

Comment 4 Otto Sabart 2016-04-01 17:36:22 UTC
Can't reproduce this problem anymore. With v6neighbor-hole.conf loaded everything works just fine.

Thanks!