1372279 – ipsec auto --down CONNECTION returns error for tunnels

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1372279 - ipsec auto --down CONNECTION returns error for tunnels

Summary: ipsec auto --down CONNECTION returns error for tunnels

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-01 10:23 UTC by Jaroslav Aster
Modified:	2017-08-01 12:31 UTC (History)
CC List:	4 users (show)
Fixed In Version:	3.20-3
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 12:31:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2101	0	normal	SHIPPED_LIVE	libreswan bug fix and enhancement update	2017-08-01 16:07:26 UTC

Description Jaroslav Aster 2016-09-01 10:23:13 UTC

Description of problem:

ipsec auto --down CONNECTION returns error for tunnels.


Version-Release number of selected component (if applicable):

libreswan-3.15-6.el7


How reproducible:

100%


Steps to Reproduce:

1, configuration for both, initiator and responder

# cat /etc/ipsec.conf 
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=LEFT_IP
    leftsubnets={172.29.28.0/24, 172.29.27.0/24}
    right=RIGHT_IP
    rightsubnets=172.29.29.0/24
    authby=secret
    auto=add
    type=tunnel

# cat /etc/ipsec.secrets 
: PSK "redhat"

2,

I: # service ipsec start 

R: # service ipsec start

I: # ipsec auto --up test

# ipsec auto --up test
000 initiating all conns with alias='test'
002 "test/2x1" #1: initiating Main Mode
104 "test/2x1" #1: STATE_MAIN_I1: initiate
003 "test/2x1" #1: received Vendor ID payload [Dead Peer Detection]
003 "test/2x1" #1: received Vendor ID payload [FRAGMENTATION]
003 "test/2x1" #1: received Vendor ID payload [RFC 3947]
002 "test/2x1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "test/2x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test/2x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test/2x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "test/2x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test/2x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test/2x1" #1: received Vendor ID payload [CAN-IKEv2]
002 "test/2x1" #1: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_IP'
002 "test/2x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test/2x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "test/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:28677a16 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
002 "test/2x1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:c4a367bc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test/1x1" #2: STATE_QUICK_I1: initiate
117 "test/2x1" #3: STATE_QUICK_I1: initiate
002 "test/1x1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9c718cf1 <0x9e2071b8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
002 "test/2x1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/2x1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x048fcacb <0x87133f3e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

# echo $?
0

# ipsec auto --down test
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B

# echo $?
21


Actual results:

ipsec auto --down test fails and returns non-zero return code.


Expected results:

ipsec auto --down test does not fail and return zero return code.

Comment 1 Paul Wouters 2016-09-01 18:45:13 UTC

Note this seems to be a side-effect of using connection aliases, as regular connections dont give that error:

root@thinkpad:/home/paul# ipsec auto --down private-or-clear#193.110.157.131/32
002 "private-or-clear#193.110.157.131/32"[1] 100.64.0.1/32=== ...193.110.157.131: terminating SAs using this connection
005 "private-or-clear#193.110.157.131/32" #2: ESP traffic information: in=84B out=84B
002 "private-or-clear#193.110.157.131/32" #1: deleting state (STATE_PARENT_I3)
root@thinkpad:/home/paul# echo $?
0

Comment 4 Ondrej Moriš 2017-05-24 10:57:21 UTC

OLD (libreswan-3.15-8.el7)
==========================
:: [  BEGIN   ] :: Running 'ipsec auto --down test'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: nm-libreswan-helper[???,26235]: <warn>  Could not call the plugin: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager.libreswan was not provided by any .service files
002 "test/1x1" #1: deleting state #1 (STATE_MAIN_I4)
:: [   FAIL   ] :: Command 'ipsec auto --down test' (Expected 0, got 21)

NEW (libreswan-3.20-2.el7)
==========================
:: [  BEGIN   ] :: Running 'ipsec auto --down test'
000 no such connection found, looking for all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: /usr/libexec/ipsec/_updown.netkey: line 345: /usr/libexec/nm-libreswan-service-helper: No such file or directory
002 "test/1x1" #1: deleting state (STATE_MAIN_I4)
:: [   PASS   ] :: Command 'ipsec auto --down test' (Expected 0, got 0)

See TJ#1870062 for more details.

Comment 13 errata-xmlrpc 2017-08-01 12:31:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101

Note You need to log in before you can comment on or make changes to this bug.