Bug 1322083 - IPsec - some IPv6 tunnels do not start after reboot
Summary: IPsec - some IPv6 tunnels do not start after reboot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-29 18:39 UTC by Otto Sabart
Modified: 2016-04-01 17:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-01 17:36:22 UTC
Target Upstream Version:



Description Otto Sabart 2016-03-29 18:39:44 UTC
Description of problem:
We have two hp-dl360g6 machines with exactly the same HW configuration.

We have the following IPsec tunnels configured on both sides:

$ cat /etc/ipsec.secrets
172.18.10.11 172.18.10.21 : PSK "redhat"
172.18.10.12 172.18.10.22 : PSK "redhat"
172.18.10.13 172.18.10.23 : PSK "redhat"
172.18.10.14 172.18.10.24 : PSK "redhat"
fd40::11 fd40::21 : PSK "redhat"
fd40::12 fd40::22 : PSK "redhat"
fd40::13 fd40::23 : PSK "redhat"
fd40::14 fd40::24 : PSK "redhat"


$ cat /etc/ipsec.conf
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off

conn tra
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.11
        right=172.18.10.21
        esp=3des-md5
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trb
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.12
        right=172.18.10.22
        esp=3des-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trc
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.13
        right=172.18.10.23
        esp=aes128-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trd
        type=transport
        connaddrfamily=ipv4
        authby=secret
        left=172.18.10.14
        right=172.18.10.24
        esp=aes256-sha2_256
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsa
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::11
        right=fd40::21
        esp=3des-md5
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsb
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::12
        right=fd40::22
        esp=3des-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsc
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::13
        right=fd40::23
        esp=aes128-sha1
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start

conn trsd
        type=transport
        connaddrfamily=ipv6
        authby=secret
        left=fd40::14
        right=fd40::24
        esp=aes256-sha2_256
        keyexchange=ike
        ike=3des-sha1
        pfs=no
        auto=start


$ ip a l dev bnx2_1:
3: bnx2_1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:55:1a:87:46 brd ff:ff:ff:ff:ff:ff
    inet 172.18.10.10/24 brd 172.18.10.255 scope global bnx2_1
       valid_lft forever preferred_lft forever
    inet 172.18.10.11/24 brd 172.18.10.255 scope global secondary bnx2_1:0
       valid_lft forever preferred_lft forever
    inet 172.18.10.12/24 brd 172.18.10.255 scope global secondary bnx2_1:1
       valid_lft forever preferred_lft forever
    inet 172.18.10.13/24 brd 172.18.10.255 scope global secondary bnx2_1:2
       valid_lft forever preferred_lft forever
    inet 172.18.10.14/24 brd 172.18.10.255 scope global secondary bnx2_1:3
       valid_lft forever preferred_lft forever
    inet6 fd40::14/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::13/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::12/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::11/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd40::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::226:55ff:fe1a:8746/64 scope link
       valid_lft forever preferred_lft forever


_IPv4_ tunnels always work, but _IPv6_ tunnels do not. Sometimes only one or two IPv6 tunnels work, sometimes the IPv6 tunnels do not work at all.


Version-Release number of selected component (if applicable):
The problem was reproduced on libreswan-3.12-10.1.el7_1 and on the latest libreswan found in Brew:

$ yum info libreswan
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.12
Release     : 10.1.el7_1
Size        : 4.5 M
Repo        : installed
From repo   : beaker-Server


$ yum info libreswan
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.15
Release     : 5.el7_1
Size        : 4.6 M
Repo        : installed
From repo   : /libreswan-3.15-5.el7_1.x86_64


$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

$ uname -a
Linux hp-dl360g6-01.rhts.eng.brq.redhat.com 3.10.0-369.el7.x86_64 #1 SMP Fri Mar 25 10:26:40 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
80%


Steps to Reproduce:
1. provision of stable RHEL7.2
2. installation of 3.10.0-369.el7.x86_64 CI kernel
3. configuration of IPsec and IP addresses on network interfaces
4. enable ipsec.service
5. reboot both machines


Actual results:
$ ping6 -I fd40::12 fd40::22
PING fd40::22(fd40::22) from fd40::12 : 56 data bytes
^C
--- fd40::22 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms


$ ping6 -I fd40::11 fd40::21
PING fd40::21(fd40::21) from fd40::11 : 56 data bytes
^C
--- fd40::21 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms


$ ping6 -I fd40::13 fd40::23
PING fd40::23(fd40::23) from fd40::13 : 56 data bytes
^C
--- fd40::23 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms


$ ping6 -I fd40::14 fd40::24
PING fd40::24(fd40::24) from fd40::14 : 56 data bytes
^C
--- fd40::24 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms


$ netperf -L fd40::12 -H fd40::22
-> not working


Sometimes it helps to restart the ipsec service (it must be restarted on both sides):
$ ipsec restart

Expected results:
Working IPv6 IPsec tunnels after boot.


Additional info:
Some suspicious messages in dmesg:
[   31.704968] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_1: link becomes ready
[   32.004397] bnx2 0000:02:00.0 bnx2_0: NIC Copper Link is Up, 1000 Mbps full duplex
[   32.006056] , receive & transmit flow control ON
[   32.007270] IPv6: ADDRCONF(NETDEV_CHANGE): bnx2_0: link becomes ready
[   35.205659] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_0)]Requested DCBX mode 5 is beyond advertised capabilities
[   35.333670] bnx2x: [bnx2x_dcbnl_set_dcbx:2350(bnx2x_1)]Requested DCBX mode 5 is beyond advertised capabilities
[   36.124534] sha512_ssse3: Using SSSE3 optimized SHA-512 implementation
[   36.258617] AVX instructions are not detected.
[   36.453929] AVX instructions are not detected.
[   36.470093] AVX instructions are not detected.
[   36.725867] AVX instructions are not detected.
[   36.760492] AVX instructions are not detected.
[   36.843968] AVX or AES-NI instructions are not detected.
[   36.862027] AVX or AES-NI instructions are not detected.
[   36.918472] AVX or AES-NI instructions are not detected.
[   36.933383] AVX or AES-NI instructions are not detected.
[   36.959786] AVX instructions are not detected.
[   36.983193] AVX instructions are not detected.
[   37.010419] PCLMULQDQ-NI instructions are not detected.
[   37.107624] AVX instructions are not detected.
[   37.131658] AVX instructions are not detected.
[   37.161166] AVX instructions are not detected.
[   37.556586] NET: Registered protocol family 15
[   37.578437] IPv4 over IPsec tunneling driver
[   39.200630] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[   40.570419] alg: No test for authenc(hmac(md5),cbc(des3_ede)) (authenc(hmac(md5-generic),cbc(des3_ede-generic)))
[   40.616448] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-ssse3),cbc(des3_ede-generic)))



I can provision and prepare our machines, so you can reproduce this problem yourself. Just let me know via e-mail.

Comment 2 Paul Wouters 2016-03-31 00:10:54 UTC
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1216946

Possibly your ipsec.conf did not get updated to include entries in /etc/ipsec.d/, and therefore the new file /etc/ipsec.d/v6neighbor-hole.conf is not loaded?

Or you are not running the latest version, which has v6neighbor-hole.conf?

Comment 3 Otto Sabart 2016-03-31 15:27:10 UTC
Yes, you are right.

We forgot to add the following line to our ipsec.conf:
include /etc/ipsec.d/*.conf

so v6neighbor-hole.conf is not loaded.

I am going to retest this issue and I will let you know.


Thank you!
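
The root cause worked out in Comments 2 and 3, as an added configuration check (not libreswan code and not the reporter's): parse an ipsec.conf and flag IPv6 conns with auto=start when no include directive would load /etc/ipsec.d/v6neighbor-hole.conf, libreswan's passthrough exemption for IPv6 neighbour discovery. The sample config is constructed as a cut-down version of the report's; the function and constant names are this example's own.

```python
# Added check for the misconfiguration in this report (not libreswan code).
import fnmatch

NEIGHBOR_HOLE = "/etc/ipsec.d/v6neighbor-hole.conf"  # file named in Comment 2

# Constructed sample, cut down from the report's ipsec.conf: no 'include' line.
BROKEN_CONF = """version 2.0
conn tra
        connaddrfamily=ipv4
        left=172.18.10.11
        right=172.18.10.21
        auto=start
conn trsa
        connaddrfamily=ipv6
        left=fd40::11
        right=fd40::21
        auto=start
"""
FIXED_CONF = "include /etc/ipsec.d/*.conf\n" + BROKEN_CONF  # the line Comment 3 adds


def parse_ipsec_conf(text):
    """Return (include globs, {section: {key: value}}); headers at column 0, keys indented."""
    includes, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            if words[0] == "include" and len(words) == 2:
                includes.append(words[1])
            elif words[0] in ("conn", "config") and len(words) == 2:
                current = words[1]
                sections.setdefault(current, {})
            else:
                current = None  # e.g. the 'version 2.0' line
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return includes, sections


def find_unprotected_v6_conns(text):
    """IPv6 conns that auto=start although no include pulls in the neighbour-discovery hole."""
    includes, sections = parse_ipsec_conf(text)
    if any(fnmatch.fnmatch(NEIGHBOR_HOLE, glob) for glob in includes):
        return []  # v6neighbor-hole.conf would be loaded: nothing to flag
    return sorted(name for name, kv in sections.items() if name != "setup"
                  and (kv.get("connaddrfamily") == "ipv6" or ":" in kv.get("left", ""))
                  and kv.get("auto") == "start")
```

Run against the broken sample it reports trsa (the IPv4 conn tra is not affected); with the include line added it reports nothing.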

Comment 4 Otto Sabart 2016-04-01 17:36:22 UTC
Can't reproduce this problem anymore. With v6-neighbor-hole.conf loaded everything works just fine.

Thanks!
