Bug #3449

IPsec daemon blocked after upgrade

Added by Davide Principi 11 months ago. Updated 9 months ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-ipsec
Target version: v6.10
Security class:
Resolution:
Affected version: v6.10
NEEDINFO: No

Description

Steps to reproduce

- Install and configure an IPsec tunnel on ns6
- Run the upgrade tool

Expected behavior

The IPsec tunnel is still up after upgrade

Actual behavior

The "ipsec" service does not start. Errors:

    Nov 09 13:40:33 mail.example.it pluto[17074]: NSS Password file "/etc/ipsec.d/nsspassword" for token "NSS
    Nov 09 13:40:33 mail.example.it pluto[17074]: authentication of "NSS Certificate DB" failed

Workaround

(confirmed) Old configuration files from ns6 are still present after the upgrade. We must clean them up before installing the new RPM.

    mv cert*.* key*.* nsspassword* migration/

Also, `ipsec.conf` and `ipsec.secrets` must be removed.

Associated revisions

Revision cb9f2a25
Added by Davide Principi 11 months ago

Fix ipsec startup error

Old ns6 configuration prevents ipsec from starting correctly on ns7.

Refs #3449

History

#1 Updated by Davide Principi 11 months ago

Check and fix ipsec.secrets after post-upgrade:

    [root@mail ~]# rpm -V libreswan
    S.5....T.  c /etc/ipsec.secrets
    [root@mail ~]# echo 'include /etc/ipsec.d/*.secrets' > /etc/ipsec.secrets
    [root@mail ~]# rpm -V libreswan
    .......T.  c /etc/ipsec.secrets
    rm -f /etc/ipsec.d/*.db
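
The cleanup from the description and the `ipsec.secrets` fix from comment #1, combined into one script as an added example (not part of the ticket or of nethserver-upgrade-tool). The function names and the `root` argument are hypothetical; the script assumes the `mv` in the workaround is run in `/etc/ipsec.d`, parks `ipsec.conf` and `ipsec.secrets` in `migration/` instead of deleting them, and leaves out the `rm -f /etc/ipsec.d/*.db` step.

```shell
#!/bin/sh
# Added example: the ticket's manual workaround as a repeatable script.
# The optional "root" argument (hypothetical) lets it be rehearsed on a copy of /etc.

# Pre-upgrade: park old ns6 NSS files and configs where pluto will not read them.
park_old_ipsec() {
    root=${1:-}
    d="$root/etc/ipsec.d"
    [ -d "$d" ] || { echo "no $d, nothing to do" >&2; return 0; }
    mkdir -p "$d/migration" || return 1
    chmod 700 "$d/migration"             # old key material stays owner-only
    moved=0
    for f in "$d"/cert*.* "$d"/key*.* "$d"/nsspassword* \
             "$root/etc/ipsec.conf" "$root/etc/ipsec.secrets"; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
        mv -- "$f" "$d/migration/" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"                        # number of files parked
}

# Post-upgrade: reset ipsec.secrets to the single include line from comment #1.
reset_secrets() {
    root=${1:-}
    want='include /etc/ipsec.d/*.secrets'
    s="$root/etc/ipsec.secrets"
    if [ -f "$s" ] && [ "$(cat "$s")" = "$want" ]; then
        echo unchanged
    else
        # umask keeps a newly created file readable by its owner only
        (umask 077; printf '%s\n' "$want" > "$s") || return 1
        echo reset
    fi
}
```

Called without an argument, both functions act on the live `/etc`; `rpm -V libreswan` afterwards shows whether `/etc/ipsec.secrets` still differs from the packaged file.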

#2 Updated by Davide Principi 11 months ago

  • Assignee deleted (Davide Principi)

In nethserver-testing 6.10

- nethserver-upgrade-tool-1.0.0-1.11.gbc26615.ns6.x86_64.rpm

#3 Updated by Davide Principi 11 months ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#4 Updated by Davide Principi 11 months ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#5 Updated by Davide Principi 9 months ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

VERIFIED

#6 Updated by Davide Principi 9 months ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates 6.10:
- nethserver-upgrade-tool-1.1.0-1.ns6.x86_64.rpm
