Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1372279

Summary: ipsec auto --down CONNECTION returns error for tunnels
Product: Red Hat Enterprise Linux 7 Reporter: Jaroslav Aster <jaster>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: omoris, ovasik, pwouters, tis
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.20-3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 12:31:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jaroslav Aster 2016-09-01 10:23:13 UTC 
Description of problem:

ipsec auto --down CONNECTION returns error for tunnels.


Version-Release number of selected component (if applicable):

libreswan-3.15-6.el7


How reproducible:

100%


Steps to Reproduce:

1, configuration for both, initiator and responder

# cat /etc/ipsec.conf 
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=LEFT_IP
    leftsubnets={172.29.28.0/24, 172.29.27.0/24}
    right=RIGHT_IP
    rightsubnets=172.29.29.0/24
    authby=secret
    auto=add
    type=tunnel

# cat /etc/ipsec.secrets 
: PSK "redhat"

2,

I: # service ipsec start 

R: # service ipsec start

I: # ipsec auto --up test

# ipsec auto --up test
000 initiating all conns with alias='test'
002 "test/2x1" #1: initiating Main Mode
104 "test/2x1" #1: STATE_MAIN_I1: initiate
003 "test/2x1" #1: received Vendor ID payload [Dead Peer Detection]
003 "test/2x1" #1: received Vendor ID payload [FRAGMENTATION]
003 "test/2x1" #1: received Vendor ID payload [RFC 3947]
002 "test/2x1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "test/2x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test/2x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test/2x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "test/2x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test/2x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test/2x1" #1: received Vendor ID payload [CAN-IKEv2]
002 "test/2x1" #1: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_IP'
002 "test/2x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test/2x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "test/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:28677a16 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
002 "test/2x1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:c4a367bc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test/1x1" #2: STATE_QUICK_I1: initiate
117 "test/2x1" #3: STATE_QUICK_I1: initiate
002 "test/1x1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9c718cf1 <0x9e2071b8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
002 "test/2x1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/2x1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x048fcacb <0x87133f3e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

# echo $?
0

# ipsec auto --down test
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B

# echo $?
21


Actual results:

ipsec auto --down test fails and returns non-zero return code.


Expected results:

ipsec auto --down test does not fail and return zero return code.
Comment 1 Paul Wouters 2016-09-01 18:45:13 UTC 
Note this seems to be a side-effect of using connection aliases, as regular connections dont give that error:

root@thinkpad:/home/paul# ipsec auto --down private-or-clear#193.110.157.131/32
002 "private-or-clear#193.110.157.131/32"[1] 100.64.0.1/32=== ...193.110.157.131: terminating SAs using this connection
005 "private-or-clear#193.110.157.131/32" #2: ESP traffic information: in=84B out=84B
002 "private-or-clear#193.110.157.131/32" #1: deleting state (STATE_PARENT_I3)
root@thinkpad:/home/paul# echo $?
0
Comment 4 Ondrej Moriš 2017-05-24 10:57:21 UTC 
OLD (libreswan-3.15-8.el7)
==========================
:: [  BEGIN   ] :: Running 'ipsec auto --down test'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: nm-libreswan-helper[???,26235]: <warn>  Could not call the plugin: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager.libreswan was not provided by any .service files
002 "test/1x1" #1: deleting state #1 (STATE_MAIN_I4)
:: [   FAIL   ] :: Command 'ipsec auto --down test' (Expected 0, got 21)

NEW (libreswan-3.20-2.el7)
==========================
:: [  BEGIN   ] :: Running 'ipsec auto --down test'
000 no such connection found, looking for all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: /usr/libexec/ipsec/_updown.netkey: line 345: /usr/libexec/nm-libreswan-service-helper: No such file or directory
002 "test/1x1" #1: deleting state (STATE_MAIN_I4)
:: [   PASS   ] :: Command 'ipsec auto --down test' (Expected 0, got 0)

See TJ#1870062 for more details.
Comment 13 errata-xmlrpc 2017-08-01 12:31:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101