1471763 – RFE: libreswan MOBIKE support (RFC-4555)

Bug 1471763 - RFE: libreswan MOBIKE support (RFC-4555)

Summary: RFE: libreswan MOBIKE support (RFC-4555)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	7.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	Ondrej Moriš
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:	1460790
Blocks:	1490342
TreeView+	depends on / blocked

Reported:	2017-07-17 12:13 UTC by Paul Wouters
Modified:	2018-04-10 17:23 UTC (History)
CC List:	6 users (show)
Fixed In Version:	libreswan-3.22-5.el7
Doc Type:	Enhancement
Doc Text:	_libreswan_ now supports IKEv2 MOBIKE This update introduces support for the IKEv2 Mobility and Multihoming (MOBIKE) protocol (RFC 4555) using the XFRM_MIGRATE mechanism through the "mobike=yes\|no" option. MOBIKE enables seamless switching of networks, for example, Wi-Fi, LTE, and so on, without disturbing the IPsec tunnel.
Clone Of:
Environment:
Last Closed:	2018-04-10 17:22:34 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0932	0	None	None	None	2018-04-10 17:23:18 UTC

Description Paul Wouters 2017-07-17 12:13:30 UTC

This document describes the MOBIKE protocol, a mobility and
   multihoming extension to Internet Key Exchange (IKEv2).  MOBIKE
   allows the IP addresses associated with IKEv2 and tunnel mode IPsec
   Security Associations to change.  A mobile Virtual Private Network
   (VPN) client could use MOBIKE to keep the connection with the VPN
   gateway active while moving from one address to another.  Similarly,
   a multihomed host could use MOBIKE to move the traffic to a different
   interface if, for instance, the one currently being used stops
   working.

This support requires a few recent fixes in the kernel. See associated bug for this status

Comment 6 Ondrej Moriš 2017-12-12 12:58:36 UTC

(In reply to Paul Wouters from comment #4)
> I will upload the test cases for testing, as these are not yet in public
> master upstream

Paul, I just get to this - do you have those test cases or any hint to test mobike support? I see that upstream test cases got updated with mobike=no but there are no mobike=yes test cases in master so far. BTW: ipsec.conf man page does not mention mobike option at all at the moment (3.22-2.el7).

Comment 7 Ondrej Moriš 2017-12-13 15:17:23 UTC

Moreover, from BZ#1460790#c4 I got an impression that MOBIKE libreswan client support is not yet done, or is it? I would like to use the following testing approach - libreswan server with mobike=yes, libreswan client from laptop having both wired and wireless connection with IPsec tunnel to server using wireless, then bringing down wireless connection should keep tunnel on using wired connection. Does it make sense?

Comment 8 Paul Wouters 2017-12-13 17:02:05 UTC

the client support is not yet in upstream or this build. Actually, the server side isn't in a public tree yet either and that one contains the test cases (using strongswan as client)

I'll see if mobike lands in master today or tomorrow. If not, I will attach the test cases here.

Note that you also need a patched kernel for this to work, as the mobike fixes have not yet been put into the rhel-7.5.0 kernel either

Comment 12 errata-xmlrpc 2018-04-10 17:22:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0932

Note You need to log in before you can comment on or make changes to this bug.