Description of problem:
We have two hp-dl360g6 machines with exactly the same HW configuration. We have the following IPsec tunnels configured on both sides:

$ cat /etc/ipsec.secrets
172.18.10.11 172.18.10.21 : PSK "redhat"
172.18.10.12 172.18.10.22 : PSK "redhat"
172.18.10.13 172.18.10.23 : PSK "redhat"
172.18.10.14 172.18.10.24 : PSK "redhat"
fd40::11 fd40::21 : PSK "redhat"
fd40::12 fd40::22 : PSK "redhat"
fd40::13 fd40::23 : PSK "redhat"
fd40::14 fd40::24 : PSK "redhat"

$ cat /etc/ipsec.conf
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off

conn tra
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.11
    right=172.18.10.21
    esp=3des-md5
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trb
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.12
    right=172.18.10.22
    esp=3des-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trc
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.13
    right=172.18.10.23
    esp=aes128-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trd
    type=transport
    connaddrfamily=ipv4
    authby=secret
    left=172.18.10.14
    right=172.18.10.24
    esp=aes256-sha2_256
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsa
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::11
    right=fd40::21
    esp=3des-md5
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsb
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::12
    right=fd40::22
    esp=3des-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsc
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::13
    right=fd40::23
    esp=aes128-sha1
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

conn trsd
    type=transport
    connaddrfamily=ipv6
    authby=secret
    left=fd40::14
    right=fd40::24
    esp=aes256-sha2_256
    keyexchange=ike
    ike=3des-sha1
    pfs=no
    auto=start

$ ip a l dev bnx2_1
3: bnx2_1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:55:1a:87:46 brd ff:ff:ff:ff:ff:ff
    inet 172.18.10.10/24 brd 172.18.10.255 scope global bnx2_1
       valid_lft forever preferred_lft forever
    inet 172.18.10.11/24 brd 172.18.10.255 scope global secondary bnx2_1:0
       valid_lft forever preferred_lft forever
    inet 172.18.10.12/24 brd 172.18.10.255 scope global secondary bnx2_1:1
       valid_lft forever preferred_lft forever
    inet 172.18.10.13/24 brd 172.18.10.255 scope global secondary bnx2_1:2
       valid_lft forever preferred_lft forever
    inet 172.18.10.14/24 brd 172.18.10.255 scope global secondary bnx2_1:3
       valid_lft forever preferred_lft forever
    inet6 fd40::14/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::13/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::12/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::11/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::226:55ff:fe1a:8746/64 scope link
       valid_lft forever preferred_lft forever

_IPv4_ tunnels always work, but _IPv6_ tunnels do not. Sometimes only one or two IPv6 tunnels work; sometimes the IPv6 tunnels do not work at all.

Version-Release number of selected component (if applicable):
The problem was reproduced on libreswan-3.12-10.1.el7_1 and on the latest libreswan found in Brew:

$ yum info libreswan
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.12
Release     : 10.1.el7_1
Size        : 4.5 M
Repo        : installed
From repo   : beaker-Server

$ yum info libreswan
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.15
Release     : 5.el7_1
Size        : 4.6 M
Repo        : installed
From repo   : /libreswan-3.15-5.el7_1.x86_64

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

$ uname -a
Linux hp-dl360g6-01.rhts.eng.brq.redhat.com 3.10.0-369.el7.x86_64 #1 SMP Fri Mar 25 10:26:40 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
80%

Steps to Reproduce:
1. provision of stable RHEL7.2
2. installation of the 3.10.0-369.el7.x86_64 CI kernel
3. configuration of IPsec and IP addresses on the network interfaces
4. enable ipsec.service
5. reboot both machines

Actual results:
$ ping6 -I fd40::12 fd40::22
PING fd40::22(fd40::22) from fd40::12 : 56 data bytes
^C
--- fd40::22 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

$ ping6 -I fd40::11 fd40::21
PING fd40::21(fd40::21) from fd40::11 : 56 data bytes
^C
--- fd40::21 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

$ ping6 -I fd40::13 fd40::23
PING fd40::23(fd40::23) from fd40::13 : 56 data bytes
^C
--- fd40::23 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

$ ping6 -I fd40::14 fd40::24
PING fd40::24(fd40::24) from fd40::14 : 56 data bytes
^C
--- fd40::24 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

$ netperf -L fd40::12 -H fd40::22
-> not working

Sometimes it helps to restart the ipsec service (it must be restarted on both sides):
$ ipsec restart

Expected results:
Working IPv6 IPsec tunnels after boot.

Additional info:
Some suspicious messages in dmesg:
[   31.704968] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_1: link becomes ready
[   32.004397] bnx2 0000:02:00.0 bnx2_0: NIC Copper Link is Up, 1000 Mbps full duplex
[   32.006056] , receive & transmit flow control ON
[   32.007270] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_0: link becomes ready
[   35.205659] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_0)]Requested DCBX mode 5 is beyond advertised capabilities
[   35.333670] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_1)]Requested DCBX mode 5 is beyond advertised capabilities
[   36.124534] sha512_ssse3: Using SSSE3 optimized SHA-512 implementation
[   36.258617] AVX instructions are not detected.
[   36.453929] AVX instructions are not detected.
[   36.470093] AVX instructions are not detected.
[   36.725867] AVX instructions are not detected.
[   36.760492] AVX instructions are not detected.
[   36.843968] AVX or AES-NI instructions are not detected.
[   36.862027] AVX or AES-NI instructions are not detected.
[   36.918472] AVX or AES-NI instructions are not detected.
[   36.933383] AVX or AES-NI instructions are not detected.
[   36.959786] AVX instructions are not detected.
[   36.983193] AVX instructions are not detected.
[   37.010419] PCLMULQDQ-NI instructions are not detected.
[   37.107624] AVX instructions are not detected.
[   37.131658] AVX instructions are not detected.
[   37.161166] AVX instructions are not detected.
[   37.556586] NET: Registered protocol family 15
[   37.578437] IPv4 over IPsec tunneling driver
[   39.200630] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[   40.570419] alg: No test for authenc(hmac(md5),cbc(des3_ede)) (authenc(hmac(md5-generic),cbc(des3_ede-generic)))
[   40.616448] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-ssse3),cbc(des3_ede-generic)))

I can provision and prepare our machines so you can reproduce this problem yourself. Just let me know via e-mail.
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1216946. Possibly your ipsec.conf did not get updated to include entries in /etc/ipsec.d/, and therefore the new file /etc/ipsec.d/v6neighbor-hole.conf is not loaded? Or you are not running the latest version, which has v6neighbor-hole.conf?
Yes, you are right. We forgot to add the following line to our ipsec.conf:

    include /etc/ipsec.d/*.conf

so v6neighbor-hole.conf is not loaded. I am going to retest this issue and I will let you know. Thank you!
Can't reproduce this problem anymore. With v6neighbor-hole.conf loaded, everything works just fine. Thanks!
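The thread's root cause was an ipsec.conf with IPv6 transport conns but no include directive pulling in /etc/ipsec.d/v6neighbor-hole.conf. As an added configuration check (not code from the bug thread or from libreswan), the Python below parses an ipsec.conf, collects its include globs and sections, and flags active IPv6 conns when no include matches that file. The sample configuration is constructed from the report; the default hole path and the assumption that a conn without auto= defaults to auto=ignore are mine.

```python
from fnmatch import fnmatch

# Constructed sample modelled on the report: IPv6 transport conns present,
# but the "include /etc/ipsec.d/*.conf" line is missing, as in the thread.
SAMPLE_CONF = """\
version 2.0
conn trsa
    type=transport
    connaddrfamily=ipv6
    left=fd40::11
    right=fd40::21
    auto=start
conn tra
    type=transport
    connaddrfamily=ipv4
    left=172.18.10.11
    right=172.18.10.21
    auto=start
"""

def parse_ipsec_conf(text):
    """Return (include globs, {"conn NAME" / "config setup": {key: value}})."""
    includes, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip() or line.startswith("version"):
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1].strip())
        elif not line[0].isspace():                # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:  # indented key=value; split at
            key, _, value = line.strip().partition("=")  # the first "=" so IPv6
            current[key.strip()] = value.strip()         # colons survive intact
    return includes, sections

def ipv6_conns_without_nd_hole(text, hole="/etc/ipsec.d/v6neighbor-hole.conf"):
    """Names of active IPv6 conns when no include directive covers `hole`.
    Assumption: a conn with no auto= line defaults to auto=ignore (not loaded)."""
    includes, sections = parse_ipsec_conf(text)
    if any(fnmatch(hole, glob) for glob in includes):
        return []                                  # the hole file is pulled in
    return [name[5:] for name, kv in sections.items()
            if name.startswith("conn ")
            and kv.get("connaddrfamily") == "ipv6"
            and kv.get("auto", "ignore") != "ignore"]
```

Run it against the real file with `ipv6_conns_without_nd_hole(open("/etc/ipsec.conf").read())`; a non-empty list means the same misconfiguration the reporter hit.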