Description of problem:
We have two hp-dl360g6 machines with exactly the same HW configuration.
We have the following IPsec tunnels configured on both sides:
$ cat /etc/ipsec.secrets
172.18.10.11 172.18.10.21 : PSK "redhat"
172.18.10.12 172.18.10.22 : PSK "redhat"
172.18.10.13 172.18.10.23 : PSK "redhat"
172.18.10.14 172.18.10.24 : PSK "redhat"
fd40::11 fd40::21 : PSK "redhat"
fd40::12 fd40::22 : PSK "redhat"
fd40::13 fd40::23 : PSK "redhat"
fd40::14 fd40::24 : PSK "redhat"
$ cat /etc/ipsec.conf
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off

conn tra
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.11
    right=172.18.10.21
    esp=3des-md5
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trb
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.12
    right=172.18.10.22
    esp=3des-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trc
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.13
    right=172.18.10.23
    esp=aes128-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trd
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.14
    right=172.18.10.24
    esp=aes256-sha2_256
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsa
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::11
    right=fd40::21
    esp=3des-md5
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsb
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::12
    right=fd40::22
    esp=3des-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsc
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::13
    right=fd40::23
    esp=aes128-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsd
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::14
    right=fd40::24
    esp=aes256-sha2_256
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start
$ ip a l dev bnx2_1:
3: bnx2_1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:26:55:1a:87:46 brd ff:ff:ff:ff:ff:ff
inet 172.18.10.10/24 brd 172.18.10.255 scope global bnx2_1
valid_lft forever preferred_lft forever
inet 172.18.10.11/24 brd 172.18.10.255 scope global secondary bnx2_1:0
valid_lft forever preferred_lft forever
inet 172.18.10.12/24 brd 172.18.10.255 scope global secondary bnx2_1:1
valid_lft forever preferred_lft forever
inet 172.18.10.13/24 brd 172.18.10.255 scope global secondary bnx2_1:2
valid_lft forever preferred_lft forever
inet 172.18.10.14/24 brd 172.18.10.255 scope global secondary bnx2_1:3
valid_lft forever preferred_lft forever
inet6 fd40::14/64 scope global
valid_lft forever preferred_lft forever
inet6 fd40::13/64 scope global
valid_lft forever preferred_lft forever
inet6 fd40::12/64 scope global
valid_lft forever preferred_lft forever
inet6 fd40::11/64 scope global
valid_lft forever preferred_lft forever
inet6 fd40::10/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::226:55ff:fe1a:8746/64 scope link
valid_lft forever preferred_lft forever
_IPv4_ tunnels always work, but _IPv6_ tunnels do not. Sometimes only one or two IPv6 tunnels work; sometimes the IPv6 tunnels do not work at all.
Version-Release number of selected component (if applicable):
The problem was reproduced on libreswan-3.12-10.1.el7_1 and on the latest libreswan found in Brew:
$ yum info libreswan
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name : libreswan
Arch : x86_64
Version : 3.12
Release : 10.1.el7_1
Size : 4.5 M
Repo : installed
From repo : beaker-Server
$ yum info libreswan
Installed Packages
Name : libreswan
Arch : x86_64
Version : 3.15
Release : 5.el7_1
Size : 4.6 M
Repo : installed
From repo : /libreswan-3.15-5.el7_1.x86_64
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
$ uname -a
Linux hp-dl360g6-01.rhts.eng.brq.redhat.com 3.10.0-369.el7.x86_64 #1 SMP Fri Mar 25 10:26:40 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
How reproducible:
80%
Steps to Reproduce:
1. provision of stable RHEL7.2
2. installation of 3.10.0-369.el7.x86_64 CI kernel
3. configuration of IPsec and IP addresses on network interfaces
4. enable ipsec.service
5. reboot both machines
Actual results:
$ ping6 -I fd40::12 fd40::22
PING fd40::22(fd40::22) from fd40::12 : 56 data bytes
^C
--- fd40::22 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
$ ping6 -I fd40::11 fd40::21
PING fd40::21(fd40::21) from fd40::11 : 56 data bytes
^C
--- fd40::21 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
$ ping6 -I fd40::13 fd40::23
PING fd40::23(fd40::23) from fd40::13 : 56 data bytes
^C
--- fd40::23 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
$ ping6 -I fd40::14 fd40::24
PING fd40::24(fd40::24) from fd40::14 : 56 data bytes
^C
--- fd40::24 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
$ netperf -L fd40::12 -H fd40::22
-> not working
Sometimes it helps to restart the ipsec service (it must be restarted on both sides):
$ ipsec restart
Expected results:
Working IPv6 IPsec tunnels after boot.
Additional info:
Some suspicious messages in dmesg:
[ 31.704968] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_1: link becomes ready
[ 32.004397] bnx2 0000:02:00.0 bnx2_0: NIC Copper Link is Up, 1000 Mbps full duplex
[ 32.006056] , receive & transmit flow control ON
[ 32.007270] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_0: link becomes ready
[ 35.205659] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_0)]Requested DCBX mode 5 is beyond advertised capabilities
[ 35.333670] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_1)]Requested DCBX mode 5 is beyond advertised capabilities
[ 36.124534] sha512_ssse3: Using SSSE3 optimized SHA-512 implementation
[ 36.258617] AVX instructions are not detected.
[ 36.453929] AVX instructions are not detected.
[ 36.470093] AVX instructions are not detected.
[ 36.725867] AVX instructions are not detected.
[ 36.760492] AVX instructions are not detected.
[ 36.843968] AVX or AES-NI instructions are not detected.
[ 36.862027] AVX or AES-NI instructions are not detected.
[ 36.918472] AVX or AES-NI instructions are not detected.
[ 36.933383] AVX or AES-NI instructions are not detected.
[ 36.959786] AVX instructions are not detected.
[ 36.983193] AVX instructions are not detected.
[ 37.010419] PCLMULQDQ-NI instructions are not detected.
[ 37.107624] AVX instructions are not detected.
[ 37.131658] AVX instructions are not detected.
[ 37.161166] AVX instructions are not detected.
[ 37.556586] NET: Registered protocol family 15
[ 37.578437] IPv4 over IPsec tunneling driver
[ 39.200630] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[ 40.570419] alg: No test for authenc(hmac(md5),cbc(des3_ede)) (authenc(hmac(md5-generic),cbc(des3_ede-generic)))
[ 40.616448] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-ssse3),cbc(des3_ede-generic)))
I can provision and prepare our machines, so you can reproduce this problem yourself. Just let me know via e-mail.
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1216946
Possibly your ipsec.conf did not get updated to include entries in /etc/ipsec.d/, and therefore the new file /etc/ipsec.d/v6neighbor-hole.conf is not loaded?
Or you are not running the latest version, which has v6neighbor-hole.conf?
Yes, you are right.
We forgot to add the following line to our ipsec.conf:
include /etc/ipsec.d/*.conf
So v6neighbor-hole.conf is not loaded.
I am going to retest this issue and I will let you know.
Thank you!
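Added example, not part of the original bug comments: the thread traces the failure to an ipsec.conf that lacks the include line, so v6neighbor-hole.conf is never read. This sketch follows include lines from a config file and lists the IPv6 conns that are defined while that file is not loaded. The function names are hypothetical, include patterns are assumed to be absolute paths (re-rooted under `root` so the demo runs offline), and the sample files are constructed.

```python
import glob, os, tempfile
from pathlib import Path

HOLE = "v6neighbor-hole.conf"  # file name taken from the thread

def loaded_files(conf_path, root):
    """Follow 'include' lines from conf_path; absolute patterns are re-rooted under root."""
    seen, todo = [], [conf_path]
    while todo:
        path = todo.pop(0)
        if path in seen:
            continue
        seen.append(path)
        for line in Path(path).read_text().splitlines():
            w = line.split("#", 1)[0].split()  # drop comments, split on whitespace
            if len(w) == 2 and w[0] == "include":
                todo += sorted(glob.glob(os.path.join(root, w[1].lstrip("/"))))
    return seen

def ipv6_conns(path):
    """Names of conn sections in one file that set connaddrfamily=ipv6."""
    found, current = [], None
    for line in Path(path).read_text().splitlines():
        w = line.split("#", 1)[0].split()
        if len(w) == 2 and w[0] == "conn":
            current = w[1]
        elif current and "".join(w) == "connaddrfamily=ipv6":
            found.append(current)
    return found

def check(conf_path, root="/"):
    files = loaded_files(conf_path, root)
    hole = any(os.path.basename(f) == HOLE for f in files)
    v6 = [c for f in files for c in ipv6_conns(f)]
    return {"hole_loaded": hole, "ipv6_conns_without_hole": [] if hole else v6}

def demo():  # constructed sample: two conns from the report, before/after the include
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/ipsec.d"))
    conf = os.path.join(root, "etc/ipsec.conf")
    body = "conn tra\n\tconnaddrfamily=ipv4\nconn trsa\n\tconnaddrfamily=ipv6\n"
    Path(root, "etc/ipsec.d", HOLE).write_text("# placeholder for the packaged file\n")
    Path(conf).write_text(body)
    before = check(conf, root)
    Path(conf).write_text(body + "include /etc/ipsec.d/*.conf\n")
    return before, check(conf, root)

if __name__ == "__main__":
    print(demo())
```

On a real host, `check("/etc/ipsec.conf")` performs the same walk against the installed configuration.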