Bug 1421084

Summary: [trello QECbJRfG] The traffic is not encrypted after enabling ipsec
Product: OpenShift Container Platform
Reporter: Yan Du <yadu>
Component: Networking
Assignee: Dan Williams <dcbw>
Status: CLOSED EOL
QA Contact: Meng Bo <bmeng>
Severity: low
Priority: low
Version: 3.5.0
CC: aos-bugs, atragler, bbennett, cdc, eparis, mleitner, rkhan, sukulkar, yadu
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-02-21 16:03:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: nodes network info (flags: none)

Comment 5 Dan Williams 2017-04-05 04:21:42 UTC
Ah, looking back over the logs, I think I see the issue.

You want to encrypt the actual node networks, not the SDN network.

So:

# echo 192.168.2.0/24 >> /etc/ipsec.d/policies/private
# echo 192.168.2.1/32 >> /etc/ipsec.d/policies/clear

or whatever the node network config is.

I re-read the docs and realized that this wasn't clear; I should update them to make it so.

Does using those subnets change things?
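The two `echo >>` lines above, rewritten as an added example (not code from the bug report, from OpenShift or from libreswan) that validates each CIDR before writing it and skips entries already present, so re-running it after a mistake does not leave duplicate lines in the policy files. `POLICY_DIR`, `valid_cidr`, `add_policy_entry` and `show_policies` are names chosen here; the sample subnets are the ones quoted in the comment. The script only writes the files; applying them still needs the ipsec service restart mentioned in the thread, and writing to the real `/etc/ipsec.d/policies` requires root.

```shell
#!/bin/sh
# Added example: write libreswan opportunistic-IPsec policy entries
# (private = must be encrypted, clear = never encrypted) with basic
# validation and without duplicates. POLICY_DIR defaults to the real
# directory; override it to try the script in a scratch directory.
: "${POLICY_DIR:=/etc/ipsec.d/policies}"

# valid_cidr A.B.C.D/N: return 0 for a syntactically valid IPv4 CIDR
valid_cidr() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1            # no "/N" part
    case $prefix in
        ''|*[!0-9]*) return 1 ;;                 # prefix must be numeric
    esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS
    IFS=.
    set -- $ip                                   # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_policy_entry <private|clear> <cidr>: append the CIDR to the named
# policy file only if it is valid and not already listed there.
add_policy_entry() {
    policy=$1
    cidr=$2
    case $policy in
        private|clear) ;;
        *) echo "unknown policy: $policy" >&2; return 1 ;;
    esac
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    file="$POLICY_DIR/$policy"
    mkdir -p "$POLICY_DIR"
    touch "$file"
    if grep -qxF "$cidr" "$file"; then
        return 0                                 # already present, nothing to do
    fi
    printf '%s\n' "$cidr" >> "$file"
}

# show_policies: print both files so they can be reviewed before the
# ipsec service is restarted, which is the step that applies them.
show_policies() {
    for p in private clear; do
        echo "== $POLICY_DIR/$p =="
        if [ -f "$POLICY_DIR/$p" ]; then
            cat "$POLICY_DIR/$p"
        fi
    done
}

# Usage with the subnets from the comment (values are examples):
#   POLICY_DIR=/tmp/policies sh thisscript.sh
#   add_policy_entry private 192.168.2.0/24
#   add_policy_entry clear   192.168.2.1/32
#   show_policies
```

Running `show_policies` before the restart is the cheap check worth doing here: a host that must stay reachable but has no IPsec peer (such as the API server address seen in the later timeout) has to appear in `clear`, or traffic to it will be held back once the `private` policy covers its subnet.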

Comment 6 Yan Du 2017-04-10 05:31:04 UTC
Hi Dan,

I tried to configure /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear with the node network, and after restarting ipsec the whole network was broken, like:
# oc get node
Unable to connect to the server: dial tcp 10.8.174.54:8443: i/o timeout

Attaching the nodes' network information.

Comment 7 Yan Du 2017-04-10 05:31:44 UTC
Created attachment 1270373 [details]
nodes network info