Description of problem:
ipsec auto --down CONNECTION returns error for tunnels.

Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7

How reproducible:
100%

Steps to Reproduce:
1, configuration for both, initiator and responder

# cat /etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=LEFT_IP
    leftsubnets={172.29.28.0/24, 172.29.27.0/24}
    right=RIGHT_IP
    rightsubnets=172.29.29.0/24
    authby=secret
    auto=add
    type=tunnel

# cat /etc/ipsec.secrets
: PSK "redhat"

2,
I: # service ipsec start
R: # service ipsec start
I: # ipsec auto --up test

# ipsec auto --up test
000 initiating all conns with alias='test'
002 "test/2x1" #1: initiating Main Mode
104 "test/2x1" #1: STATE_MAIN_I1: initiate
003 "test/2x1" #1: received Vendor ID payload [Dead Peer Detection]
003 "test/2x1" #1: received Vendor ID payload [FRAGMENTATION]
003 "test/2x1" #1: received Vendor ID payload [RFC 3947]
002 "test/2x1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "test/2x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test/2x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test/2x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "test/2x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test/2x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test/2x1" #1: received Vendor ID payload [CAN-IKEv2]
002 "test/2x1" #1: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_IP'
002 "test/2x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test/2x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "test/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:28677a16 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
002 "test/2x1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:c4a367bc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test/1x1" #2: STATE_QUICK_I1: initiate
117 "test/2x1" #3: STATE_QUICK_I1: initiate
002 "test/1x1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9c718cf1 <0x9e2071b8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
002 "test/2x1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test/2x1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x048fcacb <0x87133f3e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
# echo $?
0

# ipsec auto --down test
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
# echo $?
21

Actual results:
ipsec auto --down test fails and returns non-zero return code.

Expected results:
ipsec auto --down test does not fail and returns zero return code.

Note this seems to be a side-effect of using connection aliases, as regular connections don't give that error:

root@thinkpad:/home/paul# ipsec auto --down private-or-clear#193.110.157.131/32
002 "private-or-clear#193.110.157.131/32"[1] 100.64.0.1/32=== ...193.110.157.131: terminating SAs using this connection
005 "private-or-clear#193.110.157.131/32" #2: ESP traffic information: in=84B out=84B
002 "private-or-clear#193.110.157.131/32" #1: deleting state (STATE_PARENT_I3)
root@thinkpad:/home/paul# echo $?
0

OLD (libreswan-3.15-8.el7)
==========================
:: [ BEGIN ] :: Running 'ipsec auto --down test'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: nm-libreswan-helper[???,26235]: <warn> Could not call the plugin: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager.libreswan was not provided by any .service files
002 "test/1x1" #1: deleting state #1 (STATE_MAIN_I4)
:: [ FAIL ] :: Command 'ipsec auto --down test' (Expected 0, got 21)

NEW (libreswan-3.20-2.el7)
==========================
:: [ BEGIN ] :: Running 'ipsec auto --down test'
000 no such connection found, looking for all conns with alias='test'
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
002 "test/1x1" #2: down-client output: sending disconnect signal to NetworkManager
002 "test/1x1" #2: down-client output: /usr/libexec/ipsec/_updown.netkey: line 345: /usr/libexec/nm-libreswan-service-helper: No such file or directory
002 "test/1x1" #1: deleting state (STATE_MAIN_I4)
:: [ PASS ] :: Command 'ipsec auto --down test' (Expected 0, got 0)

See TJ#1870062 for more details.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2101
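
Added example, not part of the bug report or of libreswan: a shell check for automation that still has to run against the affected 3.15 builds, accepting exit code 21 from `ipsec auto --down` only when the output shows the alias fallback and at least one NAME/NxM instance being torn down, as in the report. The function names are hypothetical and the second sample is constructed.

```shell
#!/bin/sh
# Added example, not libreswan code. Function names are hypothetical.

# Output of `ipsec auto --down test` copied from the report (libreswan-3.15-6.el7).
sample_alias_down() { cat <<'EOF'
021 no connection named "test"
000 terminating all conns with alias='test'
002 "test/2x1": terminating SAs using this connection
002 "test/2x1" #3: deleting state #3 (STATE_QUICK_I2)
005 "test/2x1" #3: ESP traffic information: in=0B out=0B
002 "test/2x1" #1: deleting state #1 (STATE_MAIN_I4)
002 "test/1x1": terminating SAs using this connection
002 "test/1x1" #2: deleting state #2 (STATE_QUICK_I2)
005 "test/1x1" #2: ESP traffic information: in=0B out=0B
EOF
}

# Constructed sample (assumption): the name matches neither a connection nor an alias.
sample_no_match() { cat <<'EOF'
021 no connection named "typo"
000 terminating all conns with alias='typo'
EOF
}

# count_alias_instances OUTPUT: number of NAME/NxM instances reported as terminated.
count_alias_instances() {
    printf '%s\n' "$1" |
        grep -Ec '^002 "[^"]+/[0-9]+x[0-9]+": terminating SAs using this connection'
}

# alias_down_ok RC OUTPUT: return 0 when the teardown can be treated as success.
alias_down_ok() {
    rc=$1 out=$2
    [ "$rc" -eq 0 ] && return 0      # fixed builds (3.20-2.el7 in the report) return 0
    [ "$rc" -eq 21 ] || return 1     # only the code seen in this report is excused
    printf '%s\n' "$out" | grep -q '^021 no connection named ' || return 1
    printf '%s\n' "$out" | grep -q '^000 terminating all conns with alias=' || return 1
    [ "$(count_alias_instances "$out")" -ge 1 ]   # at least one instance torn down
}
```

A caller would capture both values, for example `out=$(ipsec auto --down test 2>&1); rc=$?`, and pass them to `alias_down_ok "$rc" "$out"`.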