Merge pull request #2400 from pperiyasamy/debug-ipsec

OCPBUGS-35417: Configure narrowing=yes for IPsec connections
openshift · Sep 12, 2024 · d936ce3 · d936ce3
2 parents 9beb4bf + e0bfa7e
commit d936ce3
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -236,6 +236,20 @@ spec:
           ip x s flush
           ip x p flush
 
+          # Use /etc/ipsec.d/cno.conf file to write our own default IPsec connection parameters.
+          # The /etc/ipsec.d/openshift.conf file can not be used because it is managed by openvswitch.
+          touch /etc/ipsec.d/cno.conf
+          if ! grep -q "narrowing=yes" /etc/ipsec.d/cno.conf; then
+          cat <<EOF > /etc/ipsec.d/cno.conf
+          # Default IPsec connection parameters rendered by network operator.
+          # The narrowing=yes is needed to narrow down the proposals exchanged
+          # by two peers to a mutually acceptable set, otherwise it sometimes
+          # have traffic hit between peer nodes.
+          conn %default
+              narrowing=yes
+          EOF
+          fi
+
           # since pluto is on the host, we need to restart it after the flush
           chroot /proc/1/root ipsec restart