NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Rest API Discussions

Cannot get current IPsec policy.

MOHANRAJB
4,431 Views

Created a new IPsec policy with API - 'security/ipsec/policies'

body

{'ipspace.name': 'Default',
'local_endpoint': {'address': '10.23.43.23',
'netmask': '24',
'port': '201-201'},
'name': 'ipsec_policy_psk',
'remote_endpoint': {'address': '10.23.43.26',
'netmask': '24',
'port': '201-201'},
'secret_key': 'DFRGTUJGNHFKDKS4553223',
'svm.name': 'svm4'}

but when trying to get this IPsec policy using the query, it returns empty records.

{'ipspace.name': 'Default',
 'name': 'ipsec_policy_psk',
 'svm.name': 'svm4'}

 If I remove the ipspace.name in the query, I can get the IPsec policy good.

is this bug?

 

Thanks,

Mohan

7 REPLIES 7

RobertBlackhart
4,369 Views

This does sound like a bug. Can you provide the HTTP request/response to make it a little more clear? I think what you're sending is something like this:

 

curl -iku <username>:<password> 'https://<mgmt_ip>/api/security/ipsec/policies?ipspace.name=Default&name=ipsec_policy_pstk&svm.name=svm4'

 

Does that look right?

MOHANRAJB
4,359 Views

Sorry I had to delete the last post which was not clear, adding the curl call here.

with Ipspace

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&ipspace.name=Default&fields=ipspace&return_records=true&return_timeout=15"

 Response

{  "records": [],  "num_records": 0
}

 
without IPspace

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=&return_records=true&return_timeout=15"

Response

{  "records": [    {
      "name": "ipsec_policy_psk",      "svm": {        "name": "svm4"
      }
    }
  ],
  "num_records": 1
}

 hope this helps

RobertBlackhart
4,355 Views

Thanks for the clarification. In the second query (the one that returned a record), you have fields= and nothing after the equal sign. Is that a typo? If you set that to fields=ipspace, do you get the ipspace name populated in the response?

MOHANRAJB
4,354 Views

ipspace key is never returned with fields: ipspace and also ipspace not returned for fields: *

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=ipspace&return_records=true&return_timeout=15" -H  "accept: application/json"

response

{  "records": [    {
      
      "name": "ipsec_policy_psk",      "svm": {        "name": "svm4"
      }
    }
  ],
  "num_records": 1
}

with fields: **

curl -X GET "https://mgmt-ip/api/security/ipsec/policies?name=ipsec_policy_psk&svm.name=svm4&fields=**&return_records=true&return_timeout=15"

response

{  "records": [    {
      
      "name": "ipsec_policy_psk",      "scope": "svm",      "svm": {        
        "name": "svm4"
      },
      "local_endpoint": {        "address": "10.23.43.23",        "netmask": "24",        "port": "201-201"
      },
      "remote_endpoint": {        "address": "10.23.43.30",        "netmask": "24",        "port": "205-205"
      },
      "protocol": "tcp",      "action": "esp_transport",      "enabled": true,      "authentication_method": "psk"
    }
  ],
  "num_records": 1
}


 

RobertBlackhart
4,341 Views

Given that it's never returned, I think that explains why the query returns 0 records when you query on it. The question now is, why isn't it set/returned?

 

I tried repeating your steps on my test cluster and I found that I could reproduce the same issue. Here are my logs:

~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies -X POST -d '{"ipspace": {"name": "Default"}, "name": "ipsec_policy_psk", "local_endpoint": {"address": "10.23.43.23", "netmask": "24", "port": "201-201"}, "remote_endpoint": {"address": "10.23.43.26", "netmask": "24", "port": "201-201"}, "secret_key": "DFRGTUJGNHFKDKS4553223", "svm": {"name": "svm1"}}'
HTTP/1.1 201 Created
Date: Tue, 13 Dec 2022 13:29:24 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Location: /api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f
Content-Length: 3
Content-Type: application/hal+json
Vary: Origin

{
}~/$
~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies
HTTP/1.1 200 OK
Date: Tue, 13 Dec 2022 13:30:17 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Content-Length: 366
Content-Type: application/hal+json
Vary: Accept-Encoding,Origin

{
  "records": [
    {
      "uuid": "3e429290-7aea-11ed-ab9f-005056bb057f",
      "name": "ipsec_policy_psk",
      "_links": {
        "self": {
          "href": "/api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f"
        }
      }
    }
  ],
  "num_records": 1,
  "_links": {
    "self": {
      "href": "/api/security/ipsec/policies"
    }
  }
}~/$
~/$ curl -iku <user>:<pass> https://<mgmt_ip>/api/security/ipsec/policies?fields=ipspace
HTTP/1.1 200 OK
Date: Tue, 13 Dec 2022 13:30:49 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Content-Length: 381
Content-Type: application/hal+json
Vary: Accept-Encoding,Origin

{
  "records": [
    {
      "uuid": "3e429290-7aea-11ed-ab9f-005056bb057f",
      "name": "ipsec_policy_psk",
      "_links": {
        "self": {
          "href": "/api/security/ipsec/policies/3e429290-7aea-11ed-ab9f-005056bb057f"
        }
      }
    }
  ],
  "num_records": 1,
  "_links": {
    "self": {
      "href": "/api/security/ipsec/policies?fields=ipspace"
    }
  }
}~/$

mycluster::> security ipsec policy show
        Policy                                           Cipher
Vserver Name       Local IP Subnet    Remote IP Subnet   Suite          Action
------- ---------- ------------------ ------------------ -------------- -------
svm1
        ipsec_policy_psk
                   10.23.43.23/24     10.23.43.26/24     SUITEB_GCM256  ESP_TRA

mycluster::> security ipsec policy show -instance

                                    Vserver: svm1
                                Policy Name: ipsec_policy_psk
                           Local IP Subnets: 10.23.43.23/24
                          Remote IP Subnets: 10.23.43.26/24
                                Local Ports: 201-201
                               Remote Ports: 201-201
                                  Protocols: any
                                     Action: ESP_TRA
                               Cipher Suite: SUITEB_GCM256
          IKE Security Association Lifetime: 86400
        IPsec Security Association Lifetime: 28800
IPsec Security Association Lifetime (bytes): 0
                          Is Policy Enabled: true
                             Local Identity: -
                            Remote Identity: -
                      Authentication Method: PSK
             Certificate for Local Identity: -

mycluster::> set diag

Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

mycluster::*> debug smdb table ipsec_policy_rest show
uuid                                 name             scope ipspace.uuid ipspace.name svm.uuid                             svm.name local_endpoint.address local_endpoint.netmask local_endpoint.family local_endpoint.port remote_endpoint.address remote_endpoint.netmask remote_endpoint.family remote_endpoint.port protocol local_identity remote_identity action        enabled authentication-method certificate.name certificate.uuid certificate._links.self.href
------------------------------------ ---------------- ----- ------------ ------------ ------------------------------------ -------- ---------------------- ---------------------- --------------------- ------------------- ----------------------- ----------------------- ---------------------- -------------------- -------- -------------- --------------- ------------- ------- --------------------- ---------------- ---------------- ----------------------------
3e429290-7aea-11ed-ab9f-005056bb057f ipsec_policy_psk svm   -            -            b7a850a3-7ae4-11ed-ab9f-005056bb057f svm1     10.23.43.23            24                     -                     201-201             10.23.43.26             24                      -                      201-201              any      -              -               ESP_TRANSPORT true    PSK                   -                -                -

mycluster::*>

 

I think the next step would be to file a ticket with support and you can track any fix timeline or workaround that way.

MOHANRAJB
4,340 Views

Thanks Robert, please share the ticket number if you are creating a ticket. Thanks.

RobertBlackhart
4,335 Views

Sorry, I am unable to create a ticket with support. I can try to provide help here, but support is meant to interact with customers.

Public