1954423 – Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers

Bug 1954423 - Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers [NEEDINFO]

Summary: Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:	1958968
Blocks:
TreeView+	depends on / blocked

Reported:	2021-04-28 07:21 UTC by Nir Yechiel
Modified:	2021-11-10 01:34 UTC (History)
CC List:	7 users (show)
Fixed In Version:	libreswan-4.4-1.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-09 18:49:51 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:
Flags:	majopela: needinfo? (dueno)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CRYPTO-5257	0	None	None	None	2021-11-09 18:56:13 UTC
Red Hat Product Errata	RHBA-2021:4299	0	None	None	None	2021-11-09 18:50:02 UTC

Description Nir Yechiel 2021-04-28 07:21:55 UTC

Description of problem:

Two OCP clusters are connected via Submariner with Libreswan. However, some of the connections fail to reach active state and traffic associated with such connections is not passing through the IPsec tunnel.


Jan 26 08:12:44.992601: "submariner-cable-pkomarov-cluster-a-10-1-64-160-0-2": queuing pending IPsec SA negotiating with 18.225.31.220 IKE SA #1 "submariner-cable-pkomarov-cluster-a-10-1-64-160-0-0"
Jan 26 08:12:44.993698: added IKEv2 connection "submariner-cable-pkomarov-cluster-a-10-1-64-160-1-0"
Jan 26 08:12:44.994191: "submariner-cable-pkomarov-cluster-a-10-1-64-160-0-1" #2: IKE_AUTH response contained the error notification TS_UNACCEPTABLE


More info can be found here: https://github.com/submariner-io/submariner/issues/1081

Comment 1 Ondrej Moriš 2021-05-11 08:00:55 UTC

Nir, do you have a reproducer for this issue? I inspected github issue from the description but unfortunately I do not see any hints to test this problem. 

Also, since this bug report does not follow the standard bug template I have a couple of questions before we can do anything:

 * What version of libreswan is used?
 * Is the problem always reproducible?
 * If there is no reproducer without OCP and Submariner - are you able to test it if we provide a package for testing?

Comment 2 Sridhar Gaddam 2021-05-19 07:58:02 UTC

(In reply to Ondrej Moriš from comment #1)
> Nir, do you have a reproducer for this issue? I inspected github issue from
> the description but unfortunately I do not see any hints to test this
> problem. 
> 
> Also, since this bug report does not follow the standard bug template I have
> a couple of questions before we can do anything:
> 
>  * What version of libreswan is used?

It was seen with libreswan-4.3-3.el8.x86_64

>  * Is the problem always reproducible?

We have seen this issue with NAT-T (onPrem Cluster behind NAT Router trying to connect to an AWS Cluster). 
I think when this problem was reproduced the NAT router was also modifying the Source Port of the traffic.

>  * If there is no reproducer without OCP and Submariner - are you able to
> test it if we provide a package for testing?

Sure, if you can provide us a libreswan package for RHEL 8.4, we can give it a try. Thanks.

Comment 8 Noam Manos 2021-06-01 13:39:48 UTC

In submariner 0.9 (registry-proxy.engineering.redhat.com/rh-osbs/rhacm2-tech-preview-submariner-gateway-rhel8:v0.9-56) it is working good:

$ oc exec $active_gateway_pod -n submariner-operator -- bash -c "ipsec status"

000 using kernel interface: xfrm
000  
000 interface br-ex UDP 10.8.8.118:4502
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface ovn-k8s-mp0 UDP 10.210.2.2:4500
000 interface ovn-k8s-mp0 UDP 10.210.2.2:500
000 interface ovn-k8s-gw0 UDP 169.254.0.1:4500
000 interface ovn-k8s-gw0 UDP 169.254.0.1:500
000 interface br-ex UDP 10.8.8.118:4500
000 interface br-ex UDP 10.8.8.118:500
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.4, pluto_vendorid=OE-Libreswan-4.4, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug: base
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, <unset-subnet>
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "submariner-cable-default-cl2-10-2-3-225-0-0": 172.40.0.0/16===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===172.32.0.0/16; erouted; eroute owner: #7
000 "submariner-cable-default-cl2-10-2-3-225-0-0":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   conn_prio: 16,16; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   newest ISAKMP SA: #0; newest IPsec SA: #7; conn serial: $1;
000 "submariner-cable-default-cl2-10-2-3-225-0-0":   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-0-1": 172.40.0.0/16===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===10.200.0.0/14; erouted; eroute owner: #5
000 "submariner-cable-default-cl2-10-2-3-225-0-1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   conn_prio: 16,14; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   newest ISAKMP SA: #0; newest IPsec SA: #5; conn serial: $2;
000 "submariner-cable-default-cl2-10-2-3-225-0-1":   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-1-0": 10.208.0.0/14===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===172.32.0.0/16; erouted; eroute owner: #3
000 "submariner-cable-default-cl2-10-2-3-225-1-0":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   conn_prio: 14,16; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   newest ISAKMP SA: #0; newest IPsec SA: #3; conn serial: $3;
000 "submariner-cable-default-cl2-10-2-3-225-1-0":   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000 "submariner-cable-default-cl2-10-2-3-225-1-1": 10.208.0.0/14===10.8.8.118:4502[+S?C]...66.187.232.127:4502[10.2.3.225,+S?C]===10.200.0.0/14; erouted; eroute owner: #4
000 "submariner-cable-default-cl2-10-2-3-225-1-1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   our auth:secret, their auth:secret
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   sec_label:unset;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   v2-auth-hash-policy: none;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   conn_prio: 14,14; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   our idtype: ID_IPV4_ADDR; our id=10.8.8.118; their idtype: ID_IPV4_ADDR; their id=10.2.3.225
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   newest ISAKMP SA: #2; newest IPsec SA: #4; conn serial: $4;
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "submariner-cable-default-cl2-10-2-3-225-1-1":   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<N/A>
000  
000 Total IPsec connections: loaded 4, active 4
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(5), authenticated(5), anonymous(0)
000  
000 #6: "submariner-cable-default-cl2-10-2-3-225-0-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23723s; isakmp#2; idle;
000 #6: "submariner-cable-default-cl2-10-2-3-225-0-0" esp.5be41900.232.127 esp.702fd2aa.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000 #7: "submariner-cable-default-cl2-10-2-3-225-0-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23000s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #7: "submariner-cable-default-cl2-10-2-3-225-0-0" esp.534e127c.232.127 esp.8b53cec.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000 #5: "submariner-cable-default-cl2-10-2-3-225-0-1":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #5: "submariner-cable-default-cl2-10-2-3-225-0-1" esp.c13709d5.232.127 esp.449dfb9d.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000 #3: "submariner-cable-default-cl2-10-2-3-225-1-0":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #3: "submariner-cable-default-cl2-10-2-3-225-1-0" esp.2f612583.232.127 esp.ec2daa5e.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000 #2: "submariner-cable-default-cl2-10-2-3-225-1-1":4502 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 23722s; newest ISAKMP; idle;
000 #4: "submariner-cable-default-cl2-10-2-3-225-1-1":4502 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 23722s; newest IPSEC; eroute owner; isakmp#2; idle;
000 #4: "submariner-cable-default-cl2-10-2-3-225-1-1" esp.2502a7e2.232.127 esp.65ea681c.8.118 tun.0.232.127 tun.0.8.118 Traffic: ESPin=206KB ESPout=206KB! ESPmax=0B 
000  
000 Bare Shunt list:
000

Comment 9 Sridhar Gaddam 2021-06-02 07:47:27 UTC

Thanks for validating and sharing your observations Noam. Based on the logs above, the connections are successfully established and I acknowledge that it's limited testing.
Since the updated Libreswan image has useful fixes, IMHO it might be worth getting an official Libreswan image and start validating it. What do you say @mangelajo, @nyechiel?

Comment 10 Miguel Angel Ajo 2021-06-02 13:42:30 UTC

Daiki, if you believe it's possible to backport this to RHEL 8.4 it would be great. We don't have 100% certainty that this is fixing the issue we saw, although so far it's looking good.

I don't know about the fix, if it's a simple one, let's consider it.

Comment 18 errata-xmlrpc 2021-11-09 18:49:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4299

Note You need to log in before you can comment on or make changes to this bug.