Bug 1421084 - [trello QECbJRfG] The traffic is not encrypted after enabling ipsec
Summary: [trello QECbJRfG] The traffic is not encrypted after enabling ipsec
Keywords:
Status: CLOSED EOL
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: ---
Assignee: Dan Williams
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-10 10:14 UTC by Yan Du
Modified: 2019-02-21 16:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-21 16:03:40 UTC
Target Upstream Version:


Attachments
nodes network info (5.58 KB, text/plain)
2017-04-10 05:31 UTC, Yan Du

Comment 5 Dan Williams 2017-04-05 04:21:42 UTC
Ah, looking back over the logs, I think I see the issue.

You want to encrypt the actual node networks, not the SDN network.

So:

# echo 192.168.2.0/24 >> /etc/ipsec.d/policies/private 
# echo 192.168.2.1/32 >> /etc/ipsec.d/policies/clear

or whatever the node network config is.

I re-read the docs and realize that this wasn't clear; I should update them to make it so.

Does using those subnets change things?

Comment 6 Yan Du 2017-04-10 05:31:04 UTC
Hi, Dan

I tried to configure /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear with the node network, and after restarting ipsec, the whole network was broken, like:
# oc get node
Unable to connect to the server: dial tcp 10.8.174.54:8443: i/o timeout

Attached is the nodes' network information.

Comment 7 Yan Du 2017-04-10 05:31:44 UTC
Created attachment 1270373
nodes network info
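
A pre-restart check for the policy files edited in comment 5, as an added example that is not part of the bug report or of Libreswan: it reads policy-group file contents and reports which group each destination falls into, assuming the most specific listed network wins. The sample file contents and destination addresses are constructed, and `parse_policy`, `load_groups`, `conflicts` and `classify` are hypothetical helper names.

```python
import ipaddress

# Policy group files found under /etc/ipsec.d/policies/ (assumed set of names).
GROUPS = ("private", "private-or-clear", "clear-or-private", "clear", "block")

# Constructed sample contents, mirroring the two echo commands in comment 5.
SAMPLE_FILES = {
    "private": "192.168.2.0/24\n",
    "clear": "# gateway stays in the clear\n192.168.2.1/32\n",
}

def parse_policy(text):
    """Networks listed in one policy file; comments and blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:  # only the first field (the network) is read
            nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets

def load_groups(files):
    """files maps group name -> file text. Returns a list of (network, group)."""
    entries = []
    for group, text in files.items():
        if group not in GROUPS:
            raise ValueError(f"unknown policy group: {group}")
        entries.extend((net, group) for net in parse_policy(text))
    return entries

def conflicts(entries):
    """Networks that appear in more than one group, which makes the result ambiguous."""
    seen = {}
    for net, group in entries:
        seen.setdefault(net, set()).add(group)
    return {str(net): sorted(g) for net, g in seen.items() if len(g) > 1}

def classify(dest, entries):
    """Group of the most specific listed network containing dest, else None."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, group) for net, group in entries
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

if __name__ == "__main__":
    entries = load_groups(SAMPLE_FILES)
    print("conflicts:", conflicts(entries))
    # Constructed destinations: the gateway, another node, an off-subnet host.
    for dest in ("192.168.2.1", "192.168.2.10", "10.0.0.5"):
        print(dest, "->", classify(dest, entries))
```

A destination reported as `private` is one the host will insist on encrypting, so run every address the node must reach through the check before restarting ipsec.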

