Bug 1891128 - [Rebase] rebase libreswan to 4.3
Summary: [Rebase] rebase libreswan to 4.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Daiki Ueno
QA Contact: Ondrej Moriš
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-23 20:30 UTC by Paul Wouters
Modified: 2021-05-18 15:38 UTC (History)

Fixed In Version: libreswan-4.3-1.el8
Doc Type: Enhancement
Doc Text:
.`libreswan` rebased to 4.3
The `libreswan` packages have been upgraded to version 4.3. Notable changes over the previous version include:
* IKE and ESP over TCP support (RFC 8229)
* IKEv2 Labeled IPsec support
* IKEv2 leftikeport/rightikeport support
* Experimental support for Intermediate Exchange
* Extended Redirect support for load balancing
* Default IKE lifetime changed from 1 h to 8 h for increased interoperability
* `:RSA` sections in the `ipsec.secrets` file are no longer required
* Fixed Windows 10 rekeying
* Fixed sending certificate for ECDSA authentication
* Fixes for MOBIKE and NAT-T
Clone Of:
Environment:
Last Closed: 2021-05-18 15:38:31 UTC
Type: Component Upgrade
Target Upstream Version:
Embargoed:



Description Paul Wouters 2020-10-23 20:30:07 UTC
Rebase to libreswan 4.1 for various features / bugfixes

Comment 1 Ondrej Moriš 2020-11-02 14:48:03 UTC
Are there any notable new or removed features and bugfixes we should focus on during the testing? I briefly scanned the changelog and noticed IKE/ESP over TCP, support for leftikeport= and rightikeport=, FIPS changes and a change of the default NSS DB location. Is there anything else you want to highlight for the testing?

Also, does ITM6 (Dec 14) sound reasonable for delivering the code?

Comment 2 Paul Wouters 2020-11-03 03:54:14 UTC
Note that for RHEL8 we keep the /etc/ipsec.d location for the NSS DB.

Other than the ones you mention I would also look closely at:

* pluto: Support for rereading configured certificates from NSS
I just noticed we don't have an upstream test case for this yet :) So I will add it. Basically it is updating the cert, then using:

paul@thinkpad:~/libreswan (main *=)$ sudo ipsec whack --rereadcerts
000 "vpn.nohats.ca": certificate leftcert=letoams.nohats.ca has been reloaded
000 "ssw.nohats.ca": certificate leftcert=client5.nohats.ca has been reloaded

* IKEv2: Add load-balance support (multiple targets) to redirect

That one might also be good to test. But we can use the upstream redirect test cases for that, just like for ikeport and TCP.

And double-check that labeled IPsec works properly - we don't have an upstream test working with the targeted SELinux policy yet. (Want to port yours to upstream?)

Comment 9 Ondrej Moriš 2021-03-02 12:58:48 UTC
Paul, I noticed that the following was present in the default ipsec.conf in RHEL-8.3:

        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least up to 2015)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

But it is no longer present in the default config in libreswan-4.3. Don't we need it anymore?

Comment 10 Paul Wouters 2021-03-02 14:11:30 UTC
That value was only used for IKEv1 in combination with the vhost keyword in: rightsubnet=vhost:%priv,%no

Furthermore, it was really only used for VPN servers using Transport Mode with NAT where you did not get an address assigned, e.g. L2TP/IPsec.

For these reasons, it was removed from upstream. We could put it back, if you want to ensure backwards compatibility.
Or we can add a release note for it so that people still using L2TP/IPsec on a VPN server can put it back.

I don't believe this setup is very common anymore.
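For anyone still running the L2TP/IPsec responder setup discussed above, here is an added example of the settings that have to be restored by hand on libreswan 4.3, where the default ipsec.conf no longer carries virtual_private. This is not configuration from the bug or from the libreswan package; the addresses, the connection name and the excluded server LAN (192.168.1.0/24) are assumed placeholders.

```conf
# Added example: minimal IKEv1 L2TP/IPsec transport-mode responder for
# libreswan 4.3. Not taken from the bug or the package defaults.
config setup
    # vhost:%priv below resolves against this list, which 4.3 no longer
    # sets by default. Exclude the server's own LAN (assumed here to be
    # 192.168.1.0/24) with "!" so a NATed client cannot claim an address
    # that overlaps the networks behind the server.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn l2tp-psk
    # virtual_private only matters for IKEv1 transport-mode connections
    ikev2=no
    type=transport
    authby=secret
    pfs=no
    # server public address (placeholder) and the L2TP port, UDP 1701
    left=203.0.113.10
    leftprotoport=17/1701
    # any client; %any on the port because NAT may rewrite the source port
    right=%any
    rightprotoport=17/%any
    # %priv: accept a client address from virtual_private (client behind NAT)
    # %no:   also accept clients that are not behind NAT
    rightsubnet=vhost:%priv,%no
    auto=add
```

Clients that are not behind NAT still match through the %no entry, so removing it is the way to force the NAT-only case if that is what the server is meant to serve.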

Comment 19 errata-xmlrpc 2021-05-18 15:38:31 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1803

