Update to 7.5 problem(s)?

     gzip                     x86_64 1.5-10.el7                       base    130 k
     httpd                    x86_64 2.4.6-80.el7.centos              base    2.7 M
     httpd-tools              x86_64 2.4.6-80.el7.centos              base     89 k
     hwdata                   x86_64 0.252-8.8.el7                    base    2.3 M
     info                     x86_64 5.1-5.el7                        base    233 k
     initscripts              x86_64 9.49.41-1.el7                    base    437 k
     iproute                  x86_64 4.11.0-14.el7                    base    763 k
     iprutils                 x86_64 2.4.15.1-1.el7                   base    243 k
     iptables                 x86_64 1.4.21-24.el7                    base    431 k
     irqbalance               x86_64 3:1.0.7-11.el7                   base     45 k
     iwl100-firmware          noarch 39.31.5.1-62.el7                 base    155 k
     iwl1000-firmware         noarch 1:39.31.5.1-62.el7               base    218 k
     iwl105-firmware          noarch 18.168.6.1-62.el7                base    239 k
     iwl135-firmware          noarch 18.168.6.1-62.el7                base    248 k
     iwl2000-firmware         noarch 18.168.6.1-62.el7                base    241 k
     iwl2030-firmware         noarch 18.168.6.1-62.el7                base    250 k
     iwl3160-firmware         noarch 22.0.7.0-62.el7                  base    1.6 M
     iwl3945-firmware         noarch 15.32.2.9-62.el7                 base     93 k
     iwl4965-firmware         noarch 228.61.2.24-62.el7               base    106 k
     iwl5000-firmware         noarch 8.83.5.1_1-62.el7                base    299 k
     iwl5150-firmware         noarch 8.24.2.2-62.el7                  base    151 k
     iwl6000-firmware         noarch 9.221.4.1-62.el7                 base    172 k
     iwl6000g2a-firmware      noarch 17.168.5.3-62.el7                base    314 k
     iwl6000g2b-firmware      noarch 17.168.5.2-62.el7                base    315 k
     iwl6050-firmware         noarch 41.28.5.1-62.el7                 base    247 k
     iwl7260-firmware         noarch 22.0.7.0-62.el7                  base    1.1 M
     iwl7265-firmware         noarch 22.0.7.0-62.el7                  base    5.5 M
     kernel-headers           x86_64 3.10.0-862.2.3.el7               updates 7.1 M
     kernel-tools             x86_64 3.10.0-862.2.3.el7               updates 6.2 M
     kernel-tools-libs        x86_64 3.10.0-862.2.3.el7               updates 6.1 M
     kexec-tools              x86_64 2.0.15-13.el7                    base    341 k
     kmod                     x86_64 20-21.el7                        base    121 k
     kmod-libs                x86_64 20-21.el7                        base     50 k
     kpartx                   x86_64 0.4.9-119.el7                    base     75 k
     krb5-libs                x86_64 1.15.1-19.el7                    updates 747 k
     krb5-workstation         x86_64 1.15.1-19.el7                    updates 814 k
     libacl                   x86_64 2.2.51-14.el7                    base     27 k
     libattr                  i686   2.4.46-13.el7                    base     18 k
     libattr                  x86_64 2.4.46-13.el7                    base     18 k
     libbasicobjects          x86_64 0.1.1-29.el7                     base     25 k
     libblkid                 x86_64 2.23.2-52.el7                    base    178 k
     libcgroup                x86_64 0.41-15.el7                      base     65 k
     libcollection            x86_64 0.7.0-29.el7                     base     41 k
     libcom_err               x86_64 1.42.9-11.el7                    base     41 k
     libcurl                  x86_64 7.29.0-46.el7                    base    220 k
     libdb                    i686   5.3.21-24.el7                    base    731 k
     libdb                    x86_64 5.3.21-24.el7                    base    720 k
     libdb-devel              x86_64 5.3.21-24.el7                    base     38 k
     libdb-utils              x86_64 5.3.21-24.el7                    base    132 k
     libdhash                 x86_64 0.5.0-29.el7                     base     28 k
     libdrm                   x86_64 2.4.83-2.el7                     base    151 k
     liberation-fonts-common  noarch 1:1.07.2-16.el7                  base     27 k
     liberation-mono-fonts    noarch 1:1.07.2-16.el7                  base    227 k
     libgcc                   i686   4.8.5-28.el7                     base    108 k
     libgcc                   x86_64 4.8.5-28.el7                     base    101 k
     libgomp                  x86_64 4.8.5-28.el7                     base    156 k
     libgphoto2               x86_64 2.5.15-1.el7                     base    1.4 M
     libgudev1                x86_64 219-57.el7                       base     92 k
     libini_config            x86_64 1.3.1-29.el7                     base     63 k
     libipa_hbac              x86_64 1.16.0-19.el7                    base    137 k
     libkadm5                 x86_64 1.15.1-19.el7                    updates 175 k
     libldb                   x86_64 1.2.2-1.el7                      base    131 k
     libmount                 x86_64 2.23.2-52.el7                    base    180 k
     libnfsidmap              x86_64 0.25-19.el7                      base     50 k
     libpath_utils            x86_64 0.2.1-29.el7                     base     28 k
     libpcap                  x86_64 14:1.5.3-11.el7                  base    138 k
     libpciaccess             x86_64 0.14-1.el7                       base     26 k
     libproxy                 x86_64 0.4.11-11.el7                    base     64 k
     libpwquality             x86_64 1.2.3-5.el7                      base     85 k
     libref_array             x86_64 0.1.5-29.el7                     base     26 k
     libselinux               i686   2.5-12.el7                       base    166 k
     libselinux               x86_64 2.5-12.el7                       base    162 k
     libselinux-python        x86_64 2.5-12.el7                       base    235 k
     libselinux-utils         x86_64 2.5-12.el7                       base    151 k
     libsemanage              x86_64 2.5-11.el7                       base    150 k
     libsemanage-python       x86_64 2.5-11.el7                       base    112 k
     libsepol                 i686   2.5-8.1.el7                      base    293 k
     libsepol                 x86_64 2.5-8.1.el7                      base    297 k
     libsmbclient             x86_64 4.7.1-6.el7                      base    132 k
     libss                    x86_64 1.42.9-11.el7                    base     45 k
     libsss_autofs            x86_64 1.16.0-19.el7                    base    138 k
     libsss_certmap           x86_64 1.16.0-19.el7                    base    165 k
     libsss_idmap             x86_64 1.16.0-19.el7                    base    141 k
     libsss_nss_idmap         x86_64 1.16.0-19.el7                    base    147 k
     libsss_sudo              x86_64 1.16.0-19.el7                    base    137 k
     libstdc++                i686   4.8.5-28.el7                     base    316 k
     libstdc++                x86_64 4.8.5-28.el7                     base    304 k
     libtalloc                x86_64 2.1.10-1.el7                     base     33 k
     libtdb                   x86_64 1.3.15-1.el7                     base     48 k
     libteam                  x86_64 1.27-4.el7                       base     47 k
     libtevent                x86_64 0.9.33-2.el7                     base     37 k
     libusbx                  x86_64 1.0.21-1.el7                     base     61 k
     libuser                  x86_64 0.60-9.el7                       base    400 k
     libuuid                  x86_64 2.23.2-52.el7                    base     81 k
     libwbclient              x86_64 4.7.1-6.el7                      base    107 k
     linux-firmware           noarch 20180220-62.git6d51311.el7       base     57 M
     logrotate                x86_64 3.8.6-15.el7                     base     69 k
     lsof                     x86_64 4.87-5.el7                       base    331 k
     lz4                      x86_64 1.7.5-2.el7                      base     98 k
     mailx                    x86_64 12.5-19.el7                      base    245 k
     mesa-libEGL              x86_64 17.2.3-8.20171019.el7            base     96 k
     mesa-libGL               x86_64 17.2.3-8.20171019.el7            base    156 k
     mesa-libgbm              x86_64 17.2.3-8.20171019.el7            base     38 k
     mesa-libglapi            x86_64 17.2.3-8.20171019.el7            base     43 k
     microcode_ctl            x86_64 2:2.1-29.el7                     base    1.3 M
     mod_ssl                  x86_64 1:2.4.6-80.el7.centos            base    111 k
     mozjs17                  x86_64 17.0.0-20.el7                    base    1.4 M
     net-snmp-libs            x86_64 1:5.7.2-32.el7                   base    748 k
     nethserver-backup-data   noarch 1.3.4-1.ns7                      nethserver-updates
                                                                               52 k
     nethserver-dc            x86_64 1.5.1-1.ns7                      nethserver-updates
                                                                               14 M
     nethserver-openvpn       noarch 1.6.10-1.ns7                     nethserver-updates
                                                                               87 k
     nethserver-restore-data  noarch 1.2.4-1.ns7                      nethserver-updates
                                                                              336 k
     nfs-utils                x86_64 1:1.3.0-0.54.el7                 base    407 k
     nmap-ncat                x86_64 2:6.40-13.el7                    base    205 k
     nspr                     x86_64 4.17.0-1.el7                     base    126 k
     nss                      x86_64 3.34.0-4.el7                     base    841 k
     nss-softokn              x86_64 3.34.0-2.el7                     base    311 k
     nss-softokn-freebl       i686   3.34.0-2.el7                     base    206 k
     nss-softokn-freebl       x86_64 3.34.0-2.el7                     base    220 k
     nss-sysinit              x86_64 3.34.0-4.el7                     base     61 k
     nss-tools                x86_64 3.34.0-4.el7                     base    513 k
     nss-util                 x86_64 3.34.0-2.el7                     base     78 k
     numactl                  x86_64 2.0.9-7.el7                      base     66 k
     numactl-libs             x86_64 2.0.9-7.el7                      base     29 k
     nut                      x86_64 2.7.2-4.el7                      epel    1.6 M
     nut-client               x86_64 2.7.2-4.el7                      epel    206 k
     openldap                 x86_64 2.4.44-13.el7                    base    355 k
     openldap-clients         x86_64 2.4.44-13.el7                    base    189 k
     openssh                  x86_64 7.4p1-16.el7                     base    510 k
     openssh-clients          x86_64 7.4p1-16.el7                     base    655 k
     openssh-server           x86_64 7.4p1-16.el7                     base    458 k
     openssl                  x86_64 1:1.0.2k-12.el7                  base    492 k
     openssl-libs             x86_64 1:1.0.2k-12.el7                  base    1.2 M
     pam                      i686   1.1.8-22.el7                     base    717 k
     pam                      x86_64 1.1.8-22.el7                     base    720 k
     parted                   x86_64 3.1-29.el7                       base    608 k
     patch                    x86_64 2.7.1-10.el7_5                   updates 110 k
     pciutils                 x86_64 3.5.1-3.el7                      base     93 k
     pciutils-libs            x86_64 3.5.1-3.el7                      base     46 k
     perl-DBD-MySQL           x86_64 4.023-6.el7                      base    140 k
     perl-Getopt-Long         noarch 2.40-3.el7                       base     56 k
     perl-HTTP-Daemon         noarch 6.01-7.el7                       base     21 k
     perl-IO-Socket-IP        noarch 0.21-5.el7                       base     36 k
     perl-IO-Socket-SSL       noarch 1.94-7.el7                       base    115 k
     perl-version             x86_64 3:0.99.07-3.el7                  base     84 k
     php                      x86_64 5.4.16-45.el7                    base    1.4 M
     php-bcmath               x86_64 5.4.16-45.el7                    base     58 k
     php-cli                  x86_64 5.4.16-45.el7                    base    2.7 M
     php-common               x86_64 5.4.16-45.el7                    base    565 k
     php-gd                   x86_64 5.4.16-45.el7                    base    128 k
     php-intl                 x86_64 5.4.16-45.el7                    base     97 k
     php-ldap                 x86_64 5.4.16-45.el7                    base     53 k
     php-mbstring             x86_64 5.4.16-45.el7                    base    505 k
     php-mysql                x86_64 5.4.16-45.el7                    base    101 k
     php-pdo                  x86_64 5.4.16-45.el7                    base     99 k
     php-process              x86_64 5.4.16-45.el7                    base     56 k
     php-pspell               x86_64 5.4.16-45.el7                    base     42 k
     php-xml                  x86_64 5.4.16-45.el7                    base    126 k
     plymouth                 x86_64 0.8.9-0.31.20140113.el7.centos   base    116 k
     plymouth-core-libs       x86_64 0.8.9-0.31.20140113.el7.centos   base    107 k
     plymouth-scripts         x86_64 0.8.9-0.31.20140113.el7.centos   base     39 k
     policycoreutils          x86_64 2.5-22.el7                       base    867 k
     policycoreutils-python   x86_64 2.5-22.el7                       base    454 k
     polkit                   x86_64 0.112-14.el7                     base    167 k
     procps-ng                x86_64 3.3.10-17.el7                    base    289 k
     pytalloc                 x86_64 2.1.10-1.el7                     base     17 k
     python                   x86_64 2.7.5-68.el7                     base     93 k
     python-backports-ssl_match_hostname
                              noarch 3.5.0.1-1.el7                    base     13 k
     python-firewall          noarch 0.4.4.4-14.el7                   base    328 k
     python-libs              x86_64 2.7.5-68.el7                     base    5.6 M
     python-perf              x86_64 3.10.0-862.2.3.el7               updates 6.2 M
     python-slip              noarch 0.4.0-4.el7                      base     31 k
     python-slip-dbus         noarch 0.4.0-4.el7                      base     32 k
     python-sssdconfig        noarch 1.16.0-19.el7                    base    163 k
     python-tdb               x86_64 1.3.15-1.el7                     base     19 k
     python-urllib3           noarch 1.10.2-5.el7                     base    102 k
     python2-cryptography     x86_64 1.7.2-2.el7                      base    502 k
     quota                    x86_64 1:4.01-17.el7                    base    179 k
     quota-nls                noarch 1:4.01-17.el7                    base     90 k
     rdma-core                i686   15-6.el7                         base     48 k
     rdma-core                x86_64 15-6.el7                         base     48 k
     rpcbind                  x86_64 0.2.0-44.el7                     base     59 k
     rpm                      x86_64 4.11.3-32.el7                    base    1.2 M
     rpm-build-libs           x86_64 4.11.3-32.el7                    base    105 k
     rpm-libs                 x86_64 4.11.3-32.el7                    base    276 k
     rpm-python               x86_64 4.11.3-32.el7                    base     82 k
     rsync                    x86_64 3.1.2-4.el7                      base    403 k
     rsyslog                  x86_64 8.24.0-16.el7                    base    606 k
     samba                    x86_64 4.7.1-6.el7                      base    661 k
     samba-client             x86_64 4.7.1-6.el7                      base    608 k
     samba-client-libs        x86_64 4.7.1-6.el7                      base    4.8 M
     samba-common             noarch 4.7.1-6.el7                      base    205 k
     samba-common-libs        x86_64 4.7.1-6.el7                      base    162 k
     samba-common-tools       x86_64 4.7.1-6.el7                      base    463 k
     samba-libs               x86_64 4.7.1-6.el7                      base    275 k
     sane-backends-libs       x86_64 1.0.24-11.el7                    base     95 k
     screen                   x86_64 4.1.0-0.25.20120314git3c2946.el7 base    552 k
     selinux-policy           noarch 3.13.1-192.el7_5.3               updates 453 k
     selinux-policy-targeted  noarch 3.13.1-192.el7_5.3               updates 6.6 M
     setools-libs             x86_64 3.3.8-2.el7                      base    619 k
     setup                    noarch 2.8.71-9.el7                     base    166 k
     shared-mime-info         x86_64 1.8-4.el7                        base    312 k
     smartmontools            x86_64 1:6.5-1.el7                      base    460 k
     sssd                     x86_64 1.16.0-19.el7                    base    128 k
     sssd-ad                  x86_64 1.16.0-19.el7                    base    254 k
     sssd-client              x86_64 1.16.0-19.el7                    base    195 k
     sssd-common              x86_64 1.16.0-19.el7                    base    1.4 M
     sssd-common-pac          x86_64 1.16.0-19.el7                    base    198 k
     sssd-ipa                 x86_64 1.16.0-19.el7                    base    343 k
     sssd-krb5                x86_64 1.16.0-19.el7                    base    170 k
     sssd-krb5-common         x86_64 1.16.0-19.el7                    base    202 k
     sssd-ldap                x86_64 1.16.0-19.el7                    base    239 k
     sssd-libwbclient         x86_64 1.16.0-19.el7                    base    130 k
     sssd-proxy               x86_64 1.16.0-19.el7                    base    163 k
     strace                   x86_64 4.12-6.el7                       base    459 k
     sudo                     x86_64 1.8.19p2-13.el7                  base    1.1 M
     systemd                  x86_64 219-57.el7                       base    5.0 M
     systemd-libs             i686   219-57.el7                       base    407 k
     systemd-libs             x86_64 219-57.el7                       base    402 k
     systemd-sysv             x86_64 219-57.el7                       base     79 k
     systemtap-sdt-devel      x86_64 3.2-4.el7                        base     72 k
     tar                      x86_64 2:1.26-34.el7                    base    845 k
     tcpdump                  x86_64 14:4.9.2-3.el7                   base    421 k
     tdb-tools                x86_64 1.3.15-1.el7                     base     31 k
     teamd                    x86_64 1.27-4.el7                       base    112 k
     tuned                    noarch 2.9.0-1.el7                      base    244 k
     tzdata                   noarch 2018e-3.el7                      updates 482 k
     unbound                  x86_64 1.6.6-1.el7                      base    673 k
     unbound-libs             x86_64 1.6.6-1.el7                      base    405 k
     util-linux               x86_64 2.23.2-52.el7                    base    2.0 M
     vim-minimal              x86_64 2:7.4.160-4.el7                  base    437 k
     virt-what                x86_64 1.18-4.el7                       base     29 k
     wpa_supplicant           x86_64 1:2.6-9.el7                      base    1.2 M
     xfsprogs                 x86_64 4.5.0-15.el7                     base    896 k
     yum                      noarch 3.4.3-158.el7.centos             base    1.2 M
     yum-plugin-changelog     noarch 1.1.31-45.el7                    base     33 k
     yum-plugin-fastestmirror noarch 1.1.31-45.el7                    base     33 k
     yum-utils                noarch 1.1.31-45.el7                    base    119 k
    Installing for dependencies:
     libwayland-client        x86_64 1.14.0-2.el7                     base     32 k
     libwayland-server        x86_64 1.14.0-2.el7                     base     38 k
     lz4                      i686   1.7.5-2.el7                      base    111 k

    Transaction Summary
    ================================================================================
    Install    1 Package  (+3 Dependent packages)
    Upgrade  310 Packages

    Total download size: 295 M
    Is this ok [y/d/N]:

Can I update? Or should I wait to do it?
Thank you all!

We're next to the beta Announcements. I'd wait for it…

See also this post: Testing NethServer 7.5.1804 alpha - #62 by davidep

Hello!

Unfortunately, the update was performed on a production NethServer with version 7. Almost everything works, only IPsec tunnels are no longer established. Can someone help me?

Yes, of course!
Please provide us with more info and log content!

Are you sure that the VPN was working before the update?

Also take a look at the upstream release notes related to IPsec (libreswan):

Hi!

The VPN ran continuously and stably until the update.
Here is the information from yum regarding the update:

https://privatebin.net/?7a0354ef76f7c249#aggzLWlNJwYAvsetPgaKJ8N1gQqIjQm3xEQDYLSvwb8=

This is the configuration of the VPN tunnel (with anonymized IP addresses):

    conn xyz_ipsec-tunnel
        authby=secret
        auto=start
        compress=no
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        ike=aes256-sha1;modp1024
        ikelifetime=10800s
        left=%enp1s0
        leftid=1.2.3.4
        leftsourceip=2.3.4.5
        leftsubnets={ 2.3.4.0/24 }
        pfs=no
        phase2alg=aes256-sha1;modp1024
        right=6.7.8.9
        rightid=6.7.8.9
        rightsubnets={ 3.4.5.0/22 7.6.5.0/24 5.2.3.0/24 3.8.6.5.0/24 1.8.3.4.0/24 9.3.2.1.0/24 }
        salifetime=3600s

The corresponding entries in the log (/var/log/secure):

May 18 11:06:24 auenland pluto[1164]: FIPS Product: NO
May 18 11:06:24 auenland pluto[1164]: FIPS Kernel: NO
May 18 11:06:24 auenland pluto[1164]: FIPS Mode: NO
May 18 11:06:24 auenland pluto[1164]: NSS DB directory: sql:/etc/ipsec.d
May 18 11:06:24 auenland pluto[1164]: Initializing NSS
May 18 11:06:24 auenland pluto[1164]: Opening NSS database "sql:/etc/ipsec.d" read-only
May 18 11:06:24 auenland pluto[1164]: NSS initialized
May 18 11:06:24 auenland pluto[1164]: NSS crypto library initialized
May 18 11:06:24 auenland pluto[1164]: FIPS HMAC integrity support [enabled]
May 18 11:06:24 auenland pluto[1164]: FIPS mode disabled for pluto daemon
May 18 11:06:24 auenland pluto[1164]: FIPS HMAC integrity verification self-test passed
May 18 11:06:24 auenland pluto[1164]: libcap-ng support [enabled]
May 18 11:06:24 auenland pluto[1164]: Linux audit support [enabled]
May 18 11:06:24 auenland pluto[1164]: Linux audit activated
May 18 11:06:24 auenland pluto[1164]: Starting Pluto (Libreswan Version 3.23 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:1164
May 18 11:06:24 auenland pluto[1164]: core dump dir: /run/pluto
May 18 11:06:24 auenland pluto[1164]: secrets file: /etc/ipsec.secrets
May 18 11:06:24 auenland pluto[1164]: leak-detective enabled
May 18 11:06:24 auenland pluto[1164]: NSS crypto [enabled]
May 18 11:06:24 auenland pluto[1164]: XAUTH PAM support [enabled]
May 18 11:06:24 auenland pluto[1164]: NAT-Traversal support  [enabled]
May 18 11:06:24 auenland pluto[1164]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
May 18 11:06:24 auenland pluto[1164]: Encryption algorithms:
May 18 11:06:24 auenland pluto[1164]:  AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
May 18 11:06:24 auenland pluto[1164]:  AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
May 18 11:06:24 auenland pluto[1164]:  AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
May 18 11:06:24 auenland pluto[1164]:  3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
May 18 11:06:24 auenland pluto[1164]:  CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
May 18 11:06:24 auenland pluto[1164]:  CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (camellia)
May 18 11:06:24 auenland pluto[1164]:  AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
May 18 11:06:24 auenland pluto[1164]:  AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
May 18 11:06:24 auenland pluto[1164]:  AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
May 18 11:06:24 auenland pluto[1164]:  AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
May 18 11:06:24 auenland pluto[1164]:  AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
May 18 11:06:24 auenland pluto[1164]:  SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (serpent)
May 18 11:06:24 auenland pluto[1164]:  TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (twofish)
May 18 11:06:24 auenland pluto[1164]:  TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
May 18 11:06:24 auenland pluto[1164]:  CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128}  (cast)
May 18 11:06:24 auenland pluto[1164]:  NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  (aes_gmac)
May 18 11:06:24 auenland pluto[1164]:  NULL                IKEv1:     ESP     IKEv2:     ESP           []
May 18 11:06:24 auenland pluto[1164]: Hash algorithms:
May 18 11:06:24 auenland pluto[1164]:  MD5                 IKEv1: IKE         IKEv2:
May 18 11:06:24 auenland pluto[1164]:  SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
May 18 11:06:24 auenland pluto[1164]:  SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
May 18 11:06:24 auenland pluto[1164]:  SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
May 18 11:06:24 auenland pluto[1164]:  SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
May 18 11:06:24 auenland pluto[1164]: PRF algorithms:
May 18 11:06:24 auenland pluto[1164]:  HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
May 18 11:06:24 auenland pluto[1164]: Integrity algorithms:
May 18 11:06:24 auenland pluto[1164]:  HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5 hmac_md5)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
May 18 11:06:24 auenland pluto[1164]:  HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
May 18 11:06:24 auenland pluto[1164]:  AES_XCBC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_xcbc)
May 18 11:06:24 auenland pluto[1164]:  AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
May 18 11:06:24 auenland pluto[1164]:  NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
May 18 11:06:24 auenland pluto[1164]: DH algorithms:
May 18 11:06:24 auenland pluto[1164]:  MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
May 18 11:06:24 auenland pluto[1164]:  MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
May 18 11:06:24 auenland pluto[1164]:  MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
May 18 11:06:24 auenland pluto[1164]:  MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
May 18 11:06:24 auenland pluto[1164]:  MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
May 18 11:06:24 auenland pluto[1164]:  MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
May 18 11:06:24 auenland pluto[1164]:  MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
May 18 11:06:24 auenland pluto[1164]:  DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
May 18 11:06:24 auenland pluto[1164]:  DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
May 18 11:06:24 auenland pluto[1164]:  DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
May 18 11:06:24 auenland pluto[1164]:  DH22                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH
May 18 11:06:24 auenland pluto[1164]:  DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
May 18 11:06:24 auenland pluto[1164]:  DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
May 18 11:06:24 auenland pluto[1164]: starting up 4 crypto helpers
May 18 11:06:24 auenland pluto[1164]: started thread for crypto helper 0
May 18 11:06:24 auenland pluto[1164]: started thread for crypto helper 1
May 18 11:06:24 auenland pluto[1164]: started thread for crypto helper 2
May 18 11:06:24 auenland pluto[1164]: started thread for crypto helper 3
May 18 11:06:24 auenland pluto[1164]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-693.21.1.el7.x86_64
May 18 11:06:24 auenland pluto[1164]: | selinux support is NOT enabled.
May 18 11:06:24 auenland pluto[1164]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
May 18 11:06:24 auenland pluto[1164]: watchdog: sending probes every 100 secs
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x1"
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x2"
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x3"
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x4"
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x5"
May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x6"
May 18 11:06:25 auenland pluto[1164]: listening for IKE messages
May 18 11:06:25 auenland pluto[1164]: adding interface tunrw/tunrw 10.1.1.1:500
May 18 11:06:25 auenland pluto[1164]: adding interface tunrw/tunrw 10.1.1.1:4500
May 18 11:06:25 auenland pluto[1164]: adding interface enp2s0/enp2s0 192.168.78.254:500
May 18 11:06:25 auenland pluto[1164]: adding interface enp2s0/enp2s0 192.168.78.254:4500
May 18 11:06:25 auenland pluto[1164]: adding interface enp1s0/enp1s0 1.2.3.4:500
May 18 11:06:25 auenland pluto[1164]: adding interface enp1s0/enp1s0 1.2.3.4:4500
May 18 11:06:25 auenland pluto[1164]: adding interface enp0s31f6/enp0s31f6 2.3.4.5:500
May 18 11:06:25 auenland pluto[1164]: adding interface enp0s31f6/enp0s31f6 2.3.4.5:4500
May 18 11:06:25 auenland pluto[1164]: adding interface lo/lo 127.0.0.1:500
May 18 11:06:25 auenland pluto[1164]: adding interface lo/lo 127.0.0.1:4500
May 18 11:06:25 auenland pluto[1164]: adding interface lo/lo ::1:500
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface lo:500 fd 26
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface lo:4500 fd 25
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface lo:500 fd 24
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp0s31f6:4500 fd 23
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp0s31f6:500 fd 22
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp1s0:4500 fd 21
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp1s0:500 fd 20
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp2s0:4500 fd 19
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface enp2s0:500 fd 18
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface tunrw:4500 fd 17
May 18 11:06:25 auenland pluto[1164]: | setup callback for interface tunrw:500 fd 16
May 18 11:06:25 auenland pluto[1164]: loading secrets from "/etc/ipsec.secrets"
May 18 11:06:25 auenland pluto[1164]: loading secrets from "/etc/ipsec.d/tunnels.secrets"
May 18 11:06:25 auenland pluto[1164]: initiating all conns with alias='xyz_ipsec-tunnel'
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x6": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x5": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x4": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x3": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x2": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x1": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: packet from 6.7.8.9:500: ignoring unknown Vendor ID payload [8299031757a36082c6a621de0005045d]
May 18 11:06:25 auenland pluto[1164]: packet from 6.7.8.9:500: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

The command ipsec status shows me the loaded tunnels, but does not connect to the VPN server.

CentOS switched from libreswan 3.20 to 3.23.
You can find the changelog here https://download.libreswan.org/CHANGES , but I didn’t find any relevant information in it (or at least I’m not expert enough to catch it).

The logs state that the ipsec daemon can’t find the configured IPs.
So your machine does not have the listed IP address, or probably the right part is presenting itself with another IP?

Just as a quick and dirty hack, you can try to revert to the old version of libreswan:

rpm -e --nodeps libreswan
yum install http://mirror.centos.org/centos-7/7.4.1708/updates/x86_64/Packages/libreswan-3.20-5.el7_4.x86_64.rpm
signal-event nethserver-ipsec-tunnels-save

If it works, something changed inside the libreswan library; otherwise this is not related to the upgrade.

Hey everyone!

We have fixed the problem ourselves by editing the ipsec.conf

Nethserver tries to set the “left”-IP-Address dynamically by the name of the interface. This doesn’t seem to work, as you can see in the output of the ipsec status command that it’s not resolving the correct ip address.

We cannot identify ourselves with either end of this connection. 6.7.8.9 or 0.0.0.0 are not usable

The second ip address “0.0.0.0” should be the ip address of our left interface “1.2.3.4”.
After editing the configuration file and setting “left” hard to “1.2.3.4” the connection works again as usual.

Since this wasn’t a problem before in Nethserver 7.4.1708 where the same configuration worked without problems, it seems to be a problem now.

Regards,
Max

Thank you for the work!

Just one more thing: could you please post the configuration file before and after the fix? I’m going to reproduce the issue and file a bug.

Hi

here is a copy of the old and not working configuration file:

conn xyz_ipsec-tunnel
    authby=secret
    auto=start
    compress=no
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    ike=aes256-sha1;modp1024
    ikelifetime=10800s
    left=%enp1s0
    leftid=1.2.3.4
    leftsourceip=2.3.4.5
    leftsubnets={ 2.3.4.0/24 }
    pfs=no
    phase2alg=aes256-sha1;modp1024
    right=6.7.8.9
    rightid=6.7.8.9
    rightsubnets={ 3.4.5.0/22 7.6.5.0/24 5.2.3.0/24 3.8.6.5.0/24 1.8.3.4.0/24 9.3.2.1.0/24 }
    salifetime=3600s

and here is a copy of the working one:

conn xyz_ipsec-tunnel
    authby=secret
    auto=start
    compress=no
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    ike=aes256-sha1;modp1024
    ikelifetime=10800s
    left=1.2.3.4
    leftid=1.2.3.4
    leftsourceip=2.3.4.5
    leftsubnets={ 2.3.4.0/24 }
    pfs=no
    phase2alg=aes256-sha1;modp1024
    right=6.7.8.9
    rightid=6.7.8.9
    rightsubnets={ 3.4.5.0/22 7.6.5.0/24 5.2.3.0/24 3.8.6.5.0/24 1.8.3.4.0/24 9.3.2.1.0/24 }
    salifetime=3600s

TL;DR:

changed:

left=%enp1s0

to

left=1.2.3.4

Regards

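Added example, not part of the thread or of NethServer's code: a small shell check that correlates the pluto error quoted above (unresolved local address shown as 0.0.0.0) with conns whose left= is an interface reference, the pattern changed in the fix above. The function names and the `other-tunnel` conn are made up here; the remaining sample lines are abridged from the log and config posted in this thread.

```shell
#!/bin/sh
# Sample pluto log, abridged from the lines quoted in this thread.
SAMPLE_LOG='May 18 11:06:25 auenland pluto[1164]: added connection description "xyz_ipsec-tunnel/1x1"
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x2": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable
May 18 11:06:25 auenland pluto[1164]: "xyz_ipsec-tunnel/1x1": We cannot identify ourselves with either end of this connection.  6.7.8.9 or 0.0.0.0 are not usable'

# Sample ipsec.conf: first conn abridged from the thread, second one constructed.
SAMPLE_CONF='conn xyz_ipsec-tunnel
    authby=secret
    left=%enp1s0
    leftid=1.2.3.4
    right=6.7.8.9
conn other-tunnel
    left=1.2.3.4
    right=6.7.8.9'

# Read a pluto log on stdin; print each conn that logged the error with an
# unresolved 0.0.0.0 end, once, with the /NxM subnet-instance suffix removed.
failing_conns() {
    awk -F'"' '/We cannot identify ourselves/ && /0\.0\.0\.0/ {
        name = $2
        sub(/\/[0-9]+x[0-9]+$/, "", name)
        if (!seen[name]++) print name
    }'
}

# Read ipsec.conf on stdin; print "conn iface" for every conn whose left= is
# an interface reference (%iface). %any and %defaultroute are keywords, not
# interface names, so they are skipped.
iface_left_conns() {
    awk '$1 == "conn" { conn = $2; next }
         /^[ \t]*left=%/ {
             v = $1
             sub(/^left=%/, "", v)
             if (v != "any" && v != "defaultroute") print conn, v
         }'
}

# report LOG_TEXT CONF_TEXT: list conns that both fail and rely on left=%iface.
report() {
    failing=$(printf '%s\n' "$1" | failing_conns)
    printf '%s\n' "$2" | iface_left_conns | while read -r conn iface; do
        if printf '%s\n' "$failing" | grep -qxF "$conn"; then
            echo "$conn left=%$iface"
        fi
    done
}

report "$SAMPLE_LOG" "$SAMPLE_CONF"
```

On a live system the same functions can be fed the real pluto log and the generated ipsec configuration instead of the embedded samples.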

You can set a permanent workaround using these commands:

db vpn setprop xyz_ipsec Custom_left <your_ip>
signal-event nethserver-ipsec-tunnels-save

This is a regression of libreswan :face_with_symbols_over_mouth:, we are searching for a workaround for everyone.

We’re next to the beta Announcements. I’d wait for it…

See also this post: Testing NethServer 7.5.1804 alpha

All right, I’ll wait.
Thank you @davidep and all the Community!

I’ve created a new issue: https://github.com/NethServer/dev/issues/5501

You can find an RPM with the fix here: https://github.com/NethServer/dev/issues/5501

It will not work only in a very uncommon limit case: if the IP of red interface can’t be found and the system has more than one red configured.
In this case, the only workaround is to use the Custom_left property.

You can test it with:

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-ipsec-tunnels-1.1.1-1.3.pr4.gb50e2f8.ns7.noarch.rpm

If you have time, please try it and let us know if it works.

This is my case, and I need to comment. I don’t know why, but after a successful backup (after the beta upgrade), I resized my vdisk from 50GB to 500GB and now I can’t create more backups.
(TLDR: I found the problem was caused by a badly mounted shared folder for the backups)

I really want to return to 7.4 stable. So I hope that using a backup can help me to not re-capture all my user-groups.

I deleted some of my shared folders so I can produce a small backup and retried the backup, but I can’t; each time that I try a backup it fails with this kind of message:

  • I create shared folders in my ubuntu computer (that works the first time) and fails
  • I create a shared folder on a Synology device and the error prevails

last-backup.log on my pc

Reading globbing filelist /tmp/VSw4GktNFu
Local and Remote metadata are synchronized, no sync needed.
Last full backup left a partial set, restarting.
Last full backup date: Sat May 26 16:40:11 2018
RESTART: The first volume failed to upload before termination.
         Restart is impossible...starting backup from beginning.
Reading globbing filelist /tmp/VSw4GktNFu
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
Attempt 1 failed. IOError: [Errno 13] Permission denied: '/mnt/backup/ads/duplicity-full.20180526T224911Z.vol1.difftar.gz'
Attempt 2 failed. IOError: [Errno 13] Permission denied: '/mnt/backup/ads/duplicity-full.20180526T224911Z.vol1.difftar.gz'
Attempt 3 failed. IOError: [Errno 13] Permission denied: '/mnt/backup/ads/duplicity-full.20180526T224911Z.vol1.difftar.gz'
Attempt 4 failed. IOError: [Errno 13] Permission denied: '/mnt/backup/ads/duplicity-full.20180526T224911Z.vol1.difftar.gz'
Giving up after 5 attempts. IOError: [Errno 13] Permission denied: '/mnt/backup/ads/duplicity-full.20180526T224911Z.vol1.difftar.gz'

last-backup.log on synology

2018-05-25 17:05:42 - ERROR - Backup failed, see /var/log/last-backup.log for details - 13056
2018-05-25 17:05:42 - ERROR - Action backup-data-duplicity failed - 1
2018-05-26 16:26:02 - START - Backup data started
2018-05-26 16:26:11 - STEP - pre-backup-done done
2018-05-26 16:28:43 - ERROR - Backup failed, see /var/log/last-backup.log for details - 13056
2018-05-26 16:28:43 - ERROR - Action backup-data-duplicity failed - 1
2018-05-26 16:40:01 - START - Backup data started
2018-05-26 16:40:10 - STEP - pre-backup-done done
2018-05-26 16:42:41 - ERROR - Backup failed, see /var/log/last-backup.log for details - 13056
2018-05-26 16:42:41 - ERROR - Action backup-data-duplicity failed - 1
2018-05-26 16:49:01 - START - Backup data started
2018-05-26 16:49:11 - STEP - pre-backup-done done
2018-05-26 16:51:42 - ERROR - Backup failed, see /var/log/last-backup.log for details - 13056
2018-05-26 16:51:42 - ERROR - Action backup-data-duplicity failed - 1
(END)

last-backup.log on synology, using a new folder:

[image]

Maybe the “backup” module can be reinitialized; maybe something is broken.

Another issue:

  • I deleted a 10GB shared folder named “setup” (from my own); but the “disk usage” module still shows that folder. If I use a terminal to see the folders on ibay there is only one that I still preserve

#ls -la  /var/lib/nethserver/ibay/

total 4.0K
drwxrwxr-x   3 root root                      21 May 26 16:48 .
drwxr-xr-x.  8 root root                      89 May 22 12:04 ..
drwxrwsr-x  36 root domain admins@avion.lan 4.0K May 24 11:05 avion

/update: found something more weird, this folder shows a mounted folder that I don’t use anymore, that was used after my first successful backup, and when it fails was when I try to use other folders (synology):

[image]

How can I umount/delete this folder on NS? Maybe it is the cause of my headaches.

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc ...
devtmpfs on /dev ...
...
//192.168.21.22/nhsbak on /mnt/backup type cifs (rw,relatime,vers=1.0,cache=strict,username=bakuser,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.21.22,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=61440,wsize=65536,echo_interval=60,actimeo=1)
tmpfs on...

After an “umount /mnt/backup” the shared folder is no more… trying another backup. …

/update#2: SUCCESS, that mounted was the guilty party; for some unknown reason; the mounted shared folder prevails between reboots. (I reboot yesterday a lot of times just to get a backup)

Now, trying to get a 7.4 stable NS; need to learn how to do a disaster-recovery.