From debbcf23933780eb8c000673580f6127eba46e2e Mon Sep 17 00:00:00 2001 From: Periyasamy Palanisamy Date: Tue, 29 Apr 2025 15:01:57 +0200 Subject: [PATCH] Use auto=start only for IPsec out connections We noticed a cross streaming issue with Libreswan 5.2 creating duplicate child SAs on the node and no matching SA on the other end causing packet drops. To fix it, this commit makes wait-for-ipsec-connect.service updates openshift.conf with auto=start only for out connections. Signed-off-by: Periyasamy Palanisamy --- templates/common/_base/files/wait-for-ipsec-connect.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/templates/common/_base/files/wait-for-ipsec-connect.yaml b/templates/common/_base/files/wait-for-ipsec-connect.yaml index 6c847932bd..48bb813cf9 100644 --- a/templates/common/_base/files/wait-for-ipsec-connect.yaml +++ b/templates/common/_base/files/wait-for-ipsec-connect.yaml @@ -9,15 +9,18 @@ contents: exit 0 fi - # Modify existing IPsec connection entries with "auto=start" + # Modify existing IPsec out connection entries with "auto=start" # option and restart ipsec systemd service. This helps to # establish IKE SAs for the existing IPsec connections with # peer nodes. This option will be deleted from connections # once ovs-monitor-ipsec process spinned up on the node by # ovn-ipsec-host pod, but still it won't reestablish IKE SAs # again with peer nodes, so it shouldn't be a problem. + # We are updating only out connections with "auto=start" to + # avoid cross stream issue with Libreswan 5.2. + # The in connections use default auto=route parameter. if ! grep -q "auto=start" /etc/ipsec.d/openshift.conf; then - sed -i '/^.*conn ovn.*$/a\ auto=start' /etc/ipsec.d/openshift.conf + sed -i '/^.*conn ovn.*-out-1$/a\ auto=start' /etc/ipsec.d/openshift.conf fi chroot /proc/1/root ipsec restart