1421084 – [trello QECbJRfG]The traffic is not encryped after enable ipsec

Bug 1421084 - [trello QECbJRfG]The traffic is not encryped after enable ipsec

Summary: [trello QECbJRfG]The traffic is not encryped after enable ipsec

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	3.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Dan Williams
QA Contact:	Meng Bo
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-02-10 10:14 UTC by Yan Du
Modified:	2019-02-21 16:03 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-02-21 16:03:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
nodes network info (5.58 KB, text/plain) 2017-04-10 05:31 UTC, Yan Du	no flags	Details
View All

Comment 5 Dan Williams 2017-04-05 04:21:42 UTC

Ah, looking back over the logs, I think I see the issue.

You want to encrypt the actual node networks, not the SDN network.

So:

# echo 192.168.2.0/24 >> /etc/ipsec.d/policies/private 
# echo 192.168.2.1/32 >> /etc/ipsec.d/policies/clear

or whatever the node network config is.

I re-read the docs and realize that this wasn't clear, I should update them to make it so.

Does using those subnets change things?

Comment 6 Yan Du 2017-04-10 05:31:04 UTC

Hi, Dan

I tried to config /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear with the node network, and after restart ipsec, the whole network was broken like:
# oc get node
Unable to connect to the server: dial tcp 10.8.174.54:8443: i/o timeout

Attach the nodes' network information.

Comment 7 Yan Du 2017-04-10 05:31:44 UTC

Created attachment 1270373 [details]
nodes network info

Note You need to log in before you can comment on or make changes to this bug.