NetApp Knowledge Base

After reboot only one client able to maintain IPSEC tunnel at a specific time due to Libreswan configuration issue

Category: ontap-9
Specialty: nas

Applies to

  • ONTAP 9 and later
  • IPSEC
  • Libreswan
  • NFS

Issue

  • Multiple clients are configured for IPsec, and the IPsec tunnel fails to establish after a client reboot.
  • Only one client at a time is able to establish an IPsec tunnel; when another client reboots, its IPsec tunnel fails to establish with the error below on the client:

[root@libreswan_client ~]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating v2 parent SA
133 "mytunnel" #1: STATE_PARENT_I1: initiate
002 "mytunnel" #1: local IKE proposals for mytunnel (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_384_192;DH=ECP_384
133 "mytunnel" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "mytunnel" #1: WARNING: connection mytunnel PSK length of 19 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
002 "mytunnel" #1: local ESP/AH proposals for mytunnel (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
134 "mytunnel" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha384_192 prf=sha2_384 group=DH20}
002 "mytunnel" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED

  • After client1 is rebooted, the IPsec connection and the NFS mount work fine.
  • But when client2 is rebooted, it is not able to establish IPsec communication, and the mount hangs without reporting an error.
  • Running the following command re-establishes the IPsec connection, after which the mount works:

::>security ipsec policy modify -vserver vs912 -is-enabled true -name <Policy_Name>

  • The next time client1 is rebooted, it fails to establish the IPsec tunnel with the same error.
  • If the security ipsec policy modify command is run to establish IPsec communication for client1, client1 starts functioning fine, but client2 will now fail to establish a connection if it is rebooted.
  • The client-side IPsec configuration shows the following:

sudo cat /etc/ipsec.d/ipsec.conf
conn mytunnel
        left=10.216.41.46
        leftid=@client_side_identity
        right=10.216.41.176
        rightid=@ontap_side_identity
        ikev2=insist
        ike=aes_256-sha384;dh20
        phase2alg=aes_gcm256-null
        authby=secret
        type=transport
        auto=add

  • ONTAP shows the following configuration.

cdot_vsim9_9_11::*> security ipsec policy show -vserver vs912 -fields local-identity,remote-identity
vserver name                local-identity remote-identity
------- ------------------- -------------- ---------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity   --> For client1
vs912   10.216.41.79_policy ontap_side_identity client_side_identity   --> For client2
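The following triage script is an added example and is not NetApp or Libreswan code. It parses the two outputs quoted above (the Libreswan `ipsec auto --up` messages and the ONTAP `security ipsec policy show` table) and flags what a practitioner would want surfaced when several clients show this symptom: the FIPS PSK-length warning, the AUTHENTICATION_FAILED result, and more than one ONTAP policy in a vserver sharing the same remote-identity, which is the pattern visible in the table above (both policies use client_side_identity). The regular expressions assume the exact message wording shown in this article; the sample inputs are constructed from it, and the duplicate-identity check is a configuration indicator, not a statement of root cause.

```python
"""Triage helper for the IPsec symptoms in this article (added example; not NetApp
or Libreswan code). Parses Libreswan `ipsec auto --up` output and the ONTAP
`security ipsec policy show -fields local-identity,remote-identity` table."""
import re
from collections import defaultdict

# Constructed sample: Libreswan client output, taken from the article's listing.
LIBRESWAN_OUTPUT = """\
002 "mytunnel" #1: initiating v2 parent SA
002 "mytunnel" #1: WARNING: connection mytunnel PSK length of 19 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
134 "mytunnel" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha384_192 prf=sha2_384 group=DH20}
002 "mytunnel" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
"""

# Constructed sample: ONTAP policy table from the article (the "--> For clientN"
# annotations, which are not part of ONTAP's output, are dropped).
ONTAP_POLICY_SHOW = """\
vserver name                local-identity remote-identity
------- ------------------- -------------- ---------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity
vs912   10.216.41.79_policy ontap_side_identity client_side_identity
"""

# Message formats are assumed to match the wording quoted in the article.
PSK_WARNING = re.compile(
    r'connection (?P<conn>\S+) PSK length of (?P<have>\d+) bytes is too short '
    r'for (?P<prf>\S+) PRF in FIPS mode \((?P<need>\d+) bytes required\)')
AUTH_FAILED = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*AUTHENTICATION_FAILED')


def parse_libreswan(text):
    """Return a list of findings (dicts) extracted from `ipsec auto --up` output."""
    findings = []
    for line in text.splitlines():
        m = PSK_WARNING.search(line)
        if m:
            findings.append({"kind": "psk_too_short_fips", "conn": m["conn"],
                             "prf": m["prf"], "have": int(m["have"]),
                             "need": int(m["need"])})
            continue
        m = AUTH_FAILED.search(line)
        if m:
            findings.append({"kind": "auth_failed", "conn": m["conn"]})
    return findings


def parse_ontap_policies(text):
    """Parse the four-column policy table into one dict per policy row."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[2:]:  # skip the header row and the dashed separator
        cols = line.split()
        if len(cols) < 4:
            continue
        rows.append({"vserver": cols[0], "name": cols[1],
                     "local_identity": cols[2], "remote_identity": cols[3]})
    return rows


def duplicate_remote_identities(rows):
    """Map "vserver:remote-identity" to the policy names sharing it (more than one)."""
    by_id = defaultdict(list)
    for r in rows:
        by_id[f'{r["vserver"]}:{r["remote_identity"]}'].append(r["name"])
    return {k: v for k, v in by_id.items() if len(v) > 1}


def triage(libreswan_text, ontap_text):
    """Combine both parsers into a single report dict."""
    rows = parse_ontap_policies(ontap_text)
    return {"client": parse_libreswan(libreswan_text),
            "duplicate_remote_identity": duplicate_remote_identities(rows)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(LIBRESWAN_OUTPUT, ONTAP_POLICY_SHOW), indent=2))
```

Run it as-is to see the report for the article's samples; in practice, paste the real `ipsec auto --up` output and the policy table captured from the cluster into the two string constants, or read them from files. A non-empty `duplicate_remote_identity` entry is the thing to look at first when two or more clients alternately lose the tunnel after reboot.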


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.