After reboot, only one client is able to maintain an IPsec tunnel at a time due to a Libreswan configuration issue
Applies to
- ONTAP 9 and later
- IPSEC
- Libreswan
- NFS
Issue
- Multiple clients are configured for IPsec, and the IPsec tunnel fails to establish after a client reboot.
- Only one client is able to establish the IPsec tunnel at a time; when another client reboots, its IPsec tunnel fails to establish with the following error on the client:
[root@libreswan_client ~]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating v2 parent SA
133 "mytunnel" #1: STATE_PARENT_I1: initiate
002 "mytunnel" #1: local IKE proposals for mytunnel (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_384_192;DH=ECP_384
133 "mytunnel" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "mytunnel" #1: WARNING: connection mytunnel PSK length of 19 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
002 "mytunnel" #1: local ESP/AH proposals for mytunnel (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
134 "mytunnel" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha384_192 prf=sha2_384 group=DH20}
002 "mytunnel" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
- Client1 is rebooted; the IPsec connection and the mount work fine.
- But when client2 is rebooted, it is not able to establish IPsec communication and the mount hangs with no errors.
- The following command is run to re-establish the IPsec connection, after which the mount works:
::>security ipsec policy modify -vserver vs912 -is-enabled true -name <Policy_Name>
- The next time client1 is rebooted, it fails to establish the IPsec tunnel with the same error.
- If the security ipsec policy modify command is run to establish IPsec communication for client1, client1 starts functioning fine, but client2 will now fail to establish a connection if rebooted.
- Client-side IPsec configuration shows the following:
sudo cat /etc/ipsec.d/ipsec.conf
conn mytunnel
    left=10.216.41.46
    leftid=@client_side_identity
    right=10.216.41.176
    rightid=@ontap_side_identity
    ikev2=insist
    ike=aes_256-sha384;dh20
    phase2alg=aes_gcm256-null
    authby=secret
    type=transport
    auto=add
- ONTAP shows the following configuration:
cdot_vsim9_9_11::*> security ipsec policy show -vserver vs912 -fields local-identity,remote-identity
vserver name                local-identity      remote-identity
------- ------------------- ------------------- --------------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity --> For client1
vs912   10.216.41.79_policy ontap_side_identity client_side_identity --> For client2
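The policy listing above shows both policies carrying the same remote-identity. As an added example that is not part of the original article, the following Python script parses output of that `security ipsec policy show -fields local-identity,remote-identity` form and reports any remote-identity that appears in more than one policy on a vserver, so the condition can be spotted in a policy review rather than after a client reboot; the sample output is constructed to mirror the listing above, including the prompt line and the "--> For clientN" annotations.

```python
"""Flag ONTAP IPsec policies that share a remote-identity.

Added example (not from the original article): parses the output of
`security ipsec policy show -fields local-identity,remote-identity` and
reports any remote-identity that appears in more than one policy.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the listing in the article, including the
# ONTAP prompt line and the author's "--> For clientN" annotations.
SAMPLE_OUTPUT = """\
cdot_vsim9_9_11::*> security ipsec policy show -vserver vs912 -fields local-identity,remote-identity
vserver name                local-identity      remote-identity
------- ------------------- ------------------- --------------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity --> For client1
vs912   10.216.41.79_policy ontap_side_identity client_side_identity --> For client2
"""

PROMPT_RE = re.compile(r"^\S+::\*?>")  # matches "node::>" and "node::*>" prompts


def parse_policies(output):
    """Return a list of (vserver, name, local_identity, remote_identity) tuples."""
    rows = []
    for line in output.splitlines():
        line = line.split("-->", 1)[0].strip()  # drop any trailing annotation
        if not line or PROMPT_RE.match(line) or set(line) <= set("- "):
            continue  # blank, prompt or dashed separator line
        fields = line.split()
        if len(fields) < 4 or fields[0] == "vserver":
            continue  # header line or a line that is not a policy row
        rows.append(tuple(fields[:4]))
    return rows


def shared_remote_identities(output):
    """Map (vserver, remote-identity) to the policy names using it, for identities used more than once."""
    by_identity = defaultdict(list)
    for vserver, name, _local, remote in parse_policies(output):
        by_identity[(vserver, remote)].append(name)
    return {key: names for key, names in by_identity.items() if len(names) > 1}


if __name__ == "__main__":
    for (vserver, remote), names in shared_remote_identities(SAMPLE_OUTPUT).items():
        print(f"{vserver}: remote-identity {remote!r} is used by {', '.join(names)}")
```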