ONTAP Rest API Discussions

Cannot get current IPsec policy.

MOHANRAJB
410 Views

Created a new IPsec policy with the API 'security/ipsec/policies'.

Body:

{'ipspace.name': 'Default',
 'local_endpoint': {'address': '10.23.43.23',
                    'netmask': '24',
                    'port': '201-201'},
 'name': 'ipsec_policy_psk',
 'remote_endpoint': {'address': '10.23.43.26',
                     'netmask': '24',
                     'port': '201-201'},
 'secret_key': 'DFRGTUJGNHFKDKS4553223',
 'svm.name': 'svm4'}

But when trying to get this IPsec policy using the following query, it returns empty records.

{'ipspace.name': 'Default',
 'name': 'ipsec_policy_psk',
 'svm.name': 'svm4'}

If I remove the ipspace.name from the query, I get the IPsec policy fine.

Is this a bug?

Thanks,

Mohan

7 REPLIES

RobertBlackhart
350 Views

This does sound like a bug. Can you provide the HTTP request/response to make it a little more clear? I think what you're sending is something like this:

curl -iku <username>:<password> 'https://<mgmt_ip>/api/security/ipsec/policies?ipspace.name=Default&name=ipsec_policy_psk&svm.name=svm4'

Does that look right?

MOHANRAJB
340 Views

Sorry, I had to delete the last post, which was not clear; adding the curl calls here.

With IPspace:

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&ipspace.name=Default&fields=ipspace&return_records=true&return_timeout=15"

Response:

{
  "records": [],
  "num_records": 0
}

Without IPspace:

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=&return_records=true&return_timeout=15"

Response:

{
  "records": [
    {
      "name": "ipsec_policy_psk",
      "svm": {
        "name": "svm4"
      }
    }
  ],
  "num_records": 1
}

Hope this helps.

RobertBlackhart
336 Views

Thanks for the clarification. In the second query (the one that returned a record), you have fields= and nothing after the equal sign. Is that a typo? If you set that to fields=ipspace, do you get the ipspace name populated in the response?

MOHANRAJB
335 Views

The ipspace key is never returned with fields=ipspace, and ipspace is also not returned for fields=*.

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=ipspace&return_records=true&return_timeout=15" -H  "accept: application/json"

Response:

{
  "records": [
    {
      "name": "ipsec_policy_psk",
      "svm": {
        "name": "svm4"
      }
    }
  ],
  "num_records": 1
}

With fields=**:

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=**&return_records=true&return_timeout=15"

Response:

{
  "records": [
    {
      "name": "ipsec_policy_psk",
      "scope": "svm",
      "svm": {
        "name": "svm4"
      },
      "local_endpoint": {
        "address": "10.23.43.23",
        "netmask": "24",
        "port": "201-201"
      },
      "remote_endpoint": {
        "address": "10.23.43.30",
        "netmask": "24",
        "port": "205-205"
      },
      "protocol": "tcp",
      "action": "esp_transport",
      "enabled": true,
      "authentication_method": "psk"
    }
  ],
  "num_records": 1
}

RobertBlackhart
322 Views

Given that it's never returned, I think that explains why the query returns 0 records when you query on it. The question now is, why isn't it set/returned?

I tried repeating your steps on my test cluster and I found that I could reproduce the same issue. Here are my logs:

~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies -X POST -d '{"ipspace": {"name": "Default"}, "name": "ipsec_policy_psk", "local_endpoint": {"address": "10.23.43.23", "netmask": "24", "port": "201-201"}, "remote_endpoint": {"address": "10.23.43.26", "netmask": "24", "port": "201-201"}, "secret_key": "DFRGTUJGNHFKDKS4553223", "svm": {"name": "svm1"}}'
HTTP/1.1 201 Created
Date: Tue, 13 Dec 2022 13:29:24 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Location: /api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f
Content-Length: 3
Content-Type: application/hal+json
Vary: Origin

{
}~/$
~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies
HTTP/1.1 200 OK
Date: Tue, 13 Dec 2022 13:30:17 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Content-Length: 366
Content-Type: application/hal+json
Vary: Accept-Encoding,Origin

{
  "records": [
    {
      "uuid": "3e429290-7aea-11ed-ab9f-005056bb057f",
      "name": "ipsec_policy_psk",
      "_links": {
        "self": {
          "href": "/api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f"
        }
      }
    }
  ],
  "num_records": 1,
  "_links": {
    "self": {
      "href": "/api/security/ipsec/policies"
    }
  }
}~/$
~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies?fields=ipspace
HTTP/1.1 200 OK
Date: Tue, 13 Dec 2022 13:30:49 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Content-Length: 381
Content-Type: application/hal+json
Vary: Accept-Encoding,Origin

{
  "records": [
    {
      "uuid": "3e429290-7aea-11ed-ab9f-005056bb057f",
      "name": "ipsec_policy_psk",
      "_links": {
        "self": {
          "href": "/api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f"
        }
      }
    }
  ],
  "num_records": 1,
  "_links": {
    "self": {
      "href": "/api/security/ipsec/policies?fields=ipspace"
    }
  }
}~/$

mycluster::> security ipsec policy show
        Policy                                           Cipher
Vserver Name       Local IP Subnet    Remote IP Subnet   Suite          Action
------- ---------- ------------------ ------------------ -------------- -------
svm1
        ipsec_policy_psk
                   10.23.43.23/24     10.23.43.26/24     SUITEB_GCM256  ESP_TRA

mycluster::> security ipsec policy show -instance

                                    Vserver: svm1
                                Policy Name: ipsec_policy_psk
                           Local IP Subnets: 10.23.43.23/24
                          Remote IP Subnets: 10.23.43.26/24
                                Local Ports: 201-201
                               Remote Ports: 201-201
                                  Protocols: any
                                     Action: ESP_TRA
                               Cipher Suite: SUITEB_GCM256
          IKE Security Association Lifetime: 86400
        IPsec Security Association Lifetime: 28800
IPsec Security Association Lifetime (bytes): 0
                          Is Policy Enabled: true
                             Local Identity: -
                            Remote Identity: -
                      Authentication Method: PSK
             Certificate for Local Identity: -

mycluster::> set diag

Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

mycluster::*> debug smdb table ipsec_policy_rest show
uuid                                 name             scope ipspace.uuid ipspace.name svm.uuid                             svm.name local_endpoint.address local_endpoint.netmask local_endpoint.family local_endpoint.port remote_endpoint.address remote_endpoint.netmask remote_endpoint.family remote_endpoint.port protocol local_identity remote_identity action        enabled authentication-method certificate.name certificate.uuid certificate._links.self.href
------------------------------------ ---------------- ----- ------------ ------------ ------------------------------------ -------- ---------------------- ---------------------- --------------------- ------------------- ----------------------- ----------------------- ---------------------- -------------------- -------- -------------- --------------- ------------- ------- --------------------- ---------------- ---------------- ----------------------------
3e429290-7aea-11ed-ab9f-005056bb057f ipsec_policy_psk svm   -            -            b7a850a3-7ae4-11ed-ab9f-005056bb057f svm1     10.23.43.23            24                     -                     201-201             10.23.43.26             24                      -                      201-201              any      -              -               ESP_TRANSPORT true    PSK                   -                -                -

mycluster::*>

I think the next step would be to file a ticket with support and you can track any fix timeline or workaround that way.
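
As an added example (editor's code, not NetApp's and not from the thread), the check Robert ran by hand can be scripted: query the policy with and without the ipspace.name filter, see whether "ipspace" is ever populated, and flag the case where the filter silently drops a record that exists. The endpoint and query parameters come from the thread; the SVM lookup via /api/svm/svms?fields=ipspace, used to learn which IPspace the record should have matched, is an assumption, and the replay responses are constructed from the thread's output.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

POLICIES = "/api/security/ipsec/policies"
SVMS = "/api/svm/svms"  # assumption: returns the SVM's ipspace when asked for it


def ontap_getter(base_url, user, password):
    """Return get(path, params) -> dict for a real cluster (HTTP basic auth over TLS,
    certificate verified by default)."""
    ctx = ssl.create_default_context()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/json"}

    def get(path, params):
        url = base_url + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return get


def check_ipspace_filter(get, svm, name, ipspace):
    """Compare the policy query with and without ipspace.name; report the mismatch."""
    base = {"name": name, "svm.name": svm, "fields": "ipspace", "return_records": "true"}
    without = get(POLICIES, base)["records"]
    with_filter = get(POLICIES, {**base, "ipspace.name": ipspace})["records"]
    svm_recs = get(SVMS, {"name": svm, "fields": "ipspace"})["records"]
    svm_ipspace = svm_recs[0].get("ipspace", {}).get("name") if svm_recs else None
    return {
        "records_without_filter": len(without),
        "records_with_filter": len(with_filter),
        "ipspace_populated": any("ipspace" in r for r in without),
        "svm_ipspace": svm_ipspace,            # what the filter should have matched
        "filter_drops_records": bool(without) and not with_filter,
    }


def replay_get(path, params):
    """Constructed offline stand-in replaying the responses quoted in this thread."""
    if path == SVMS:
        return {"records": [{"name": params["name"], "ipspace": {"name": "Default"}}]}
    if "ipspace.name" in params:
        return {"records": [], "num_records": 0}
    return {"records": [{"name": params["name"], "svm": {"name": params["svm.name"]}}],
            "num_records": 1}


if __name__ == "__main__":
    print(json.dumps(check_ipspace_filter(replay_get, "svm4", "ipsec_policy_psk", "Default"), indent=2))
```

Against a live cluster, pass `ontap_getter("https://<mgmt_ip>", user, password)` instead of `replay_get`; a result with `filter_drops_records` true and `ipspace_populated` false is the symptom described in this thread.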

MOHANRAJB
321 Views

Thanks Robert, please share the ticket number if you are creating a ticket. Thanks.

RobertBlackhart
316 Views

Sorry, I am unable to create a ticket with support. I can try to provide help here, but support is meant to interact with customers.