- Bug
- Resolution: Done-Errata
- Normal
- 4.14
- Critical
- Yes
- OCP QE Sprint 255
- 1
- Approved
- False
This is a clone of issue OCPBUGS-17380. The following is the description of the original issue:
—
Description of problem:
Enable IPSec pre/post install on OVN IC cluster

$ oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
network.operator.openshift.io/cluster patched

ovn-ipsec containers complaining:

ovs-monitor-ipsec | ERR | Failed to import certificate into NSS. b'certutil: unable to open "/etc/openvswitch/keys/ipsec-cacert.pem" for reading (-5950, 2).\n'

$ oc rsh ovn-ipsec-d7rx9
Defaulted container "ovn-ipsec" out of: ovn-ipsec, ovn-keys (init)
sh-5.1# certutil -L -d /var/lib/ipsec/nss

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_db961f9a-7de4-4f1d-a2fb-a8306d4079c5             u,u,u
sh-5.1# cat /var/log/openvswitch/libreswan.log
Aug 4 15:12:46.808394: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
Aug 4 15:12:46.837350: FIPS Mode: NO
Aug 4 15:12:46.837370: NSS crypto library initialized
Aug 4 15:12:46.837387: FIPS mode disabled for pluto daemon
Aug 4 15:12:46.837390: FIPS HMAC integrity support [disabled]
Aug 4 15:12:46.837541: libcap-ng support [enabled]
Aug 4 15:12:46.837550: Linux audit support [enabled]
Aug 4 15:12:46.837576: Linux audit activated
Aug 4 15:12:46.837580: Starting Pluto (Libreswan Version 4.9 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:147
Aug 4 15:12:46.837583: core dump dir: /run/pluto
Aug 4 15:12:46.837585: secrets file: /etc/ipsec.secrets
Aug 4 15:12:46.837587: leak-detective enabled
Aug 4 15:12:46.837589: NSS crypto [enabled]
Aug 4 15:12:46.837591: XAUTH PAM support [enabled]
Aug 4 15:12:46.837604: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Aug 4 15:12:46.837664: NAT-Traversal support [enabled]
Aug 4 15:12:46.837803: Encryption algorithms:
Aug 4 15:12:46.837814: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Aug 4 15:12:46.837820: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Aug 4 15:12:46.837826: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Aug 4 15:12:46.837831: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Aug 4 15:12:46.837837: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Aug 4 15:12:46.837843: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Aug 4 15:12:46.837849: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Aug 4 15:12:46.837855: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Aug 4 15:12:46.837861: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Aug 4 15:12:46.837867: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Aug 4 15:12:46.837872: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Aug 4 15:12:46.837878: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Aug 4 15:12:46.837883: NULL [] IKEv1: ESP IKEv2: ESP
Aug 4 15:12:46.837889: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Aug 4 15:12:46.837892: Hash algorithms:
Aug 4 15:12:46.837896: MD5 IKEv1: IKE IKEv2: NSS
Aug 4 15:12:46.837901: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Aug 4 15:12:46.837906: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Aug 4 15:12:46.837910: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Aug 4 15:12:46.837915: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Aug 4 15:12:46.837919: IDENTITY IKEv1: IKEv2: FIPS
Aug 4 15:12:46.837922: PRF algorithms:
Aug 4 15:12:46.837927: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Aug 4 15:12:46.837931: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Aug 4 15:12:46.837936: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Aug 4 15:12:46.837950: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Aug 4 15:12:46.837955: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Aug 4 15:12:46.837959: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Aug 4 15:12:46.837962: Integrity algorithms:
Aug 4 15:12:46.837966: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Aug 4 15:12:46.837984: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Aug 4 15:12:46.837995: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 4 15:12:46.837999: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 4 15:12:46.838005: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 4 15:12:46.838008: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 4 15:12:46.838014: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 4 15:12:46.838018: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 4 15:12:46.838023: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 4 15:12:46.838026: DH algorithms:
Aug 4 15:12:46.838031: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Aug 4 15:12:46.838035: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Aug 4 15:12:46.838039: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Aug 4 15:12:46.838044: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Aug 4 15:12:46.838048: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Aug 4 15:12:46.838053: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Aug 4 15:12:46.838057: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Aug 4 15:12:46.838061: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Aug 4 15:12:46.838066: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Aug 4 15:12:46.838070: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Aug 4 15:12:46.838074: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Aug 4 15:12:46.838077: IPCOMP algorithms:
Aug 4 15:12:46.838081: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
Aug 4 15:12:46.838085: LZS IKEv1: IKEv2: ESP AH FIPS
Aug 4 15:12:46.838089: LZJH IKEv1: IKEv2: ESP AH FIPS
Aug 4 15:12:46.838093: testing CAMELLIA_CBC:
Aug 4 15:12:46.838096: Camellia: 16 bytes with 128-bit key
Aug 4 15:12:46.838162: Camellia: 16 bytes with 128-bit key
Aug 4 15:12:46.838201: Camellia: 16 bytes with 256-bit key
Aug 4 15:12:46.838243: Camellia: 16 bytes with 256-bit key
Aug 4 15:12:46.838280: testing AES_GCM_16:
Aug 4 15:12:46.838284: empty string
Aug 4 15:12:46.838319: one block
Aug 4 15:12:46.838352: two blocks
Aug 4 15:12:46.838385: two blocks with associated data
Aug 4 15:12:46.838424: testing AES_CTR:
Aug 4 15:12:46.838428: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 4 15:12:46.838464: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 4 15:12:46.838502: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 4 15:12:46.838541: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 4 15:12:46.838576: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 4 15:12:46.838613: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 4 15:12:46.838651: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 4 15:12:46.838687: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 4 15:12:46.838724: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 4 15:12:46.838763: testing AES_CBC:
Aug 4 15:12:46.838766: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 4 15:12:46.838801: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 4 15:12:46.838841: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 4 15:12:46.838881: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 4 15:12:46.838928: testing AES_XCBC:
Aug 4 15:12:46.838932: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Aug 4 15:12:46.839126: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Aug 4 15:12:46.839291: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Aug 4 15:12:46.839444: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Aug 4 15:12:46.839600: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Aug 4 15:12:46.839756: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Aug 4 15:12:46.839937: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Aug 4 15:12:46.840373: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 4 15:12:46.840529: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 4 15:12:46.840698: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 4 15:12:46.840990: testing HMAC_MD5:
Aug 4 15:12:46.840997: RFC 2104: MD5_HMAC test 1
Aug 4 15:12:46.841200: RFC 2104: MD5_HMAC test 2
Aug 4 15:12:46.841390: RFC 2104: MD5_HMAC test 3
Aug 4 15:12:46.841582: testing HMAC_SHA1:
Aug 4 15:12:46.841585: CAVP: IKEv2 key derivation with HMAC-SHA1
Aug 4 15:12:46.842055: 8 CPU cores online
Aug 4 15:12:46.842062: starting up 7 helper threads
Aug 4 15:12:46.842128: started thread for helper 0
Aug 4 15:12:46.842174: helper(1) seccomp security disabled for crypto helper 1
Aug 4 15:12:46.842188: started thread for helper 1
Aug 4 15:12:46.842219: helper(2) seccomp security disabled for crypto helper 2
Aug 4 15:12:46.842236: started thread for helper 2
Aug 4 15:12:46.842258: helper(3) seccomp security disabled for crypto helper 3
Aug 4 15:12:46.842269: started thread for helper 3
Aug 4 15:12:46.842296: helper(4) seccomp security disabled for crypto helper 4
Aug 4 15:12:46.842311: started thread for helper 4
Aug 4 15:12:46.842323: helper(5) seccomp security disabled for crypto helper 5
Aug 4 15:12:46.842346: started thread for helper 5
Aug 4 15:12:46.842369: helper(6) seccomp security disabled for crypto helper 6
Aug 4 15:12:46.842376: started thread for helper 6
Aug 4 15:12:46.842390: using Linux xfrm kernel support code on #1 SMP PREEMPT_DYNAMIC Thu Jul 20 09:11:28 EDT 2023
Aug 4 15:12:46.842393: helper(7) seccomp security disabled for crypto helper 7
Aug 4 15:12:46.842707: selinux support is NOT enabled.
Aug 4 15:12:46.842728: systemd watchdog not enabled - not sending watchdog keepalives
Aug 4 15:12:46.843813: seccomp security disabled
Aug 4 15:12:46.848083: listening for IKE messages
Aug 4 15:12:46.848252: Kernel supports NIC esp-hw-offload
Aug 4 15:12:46.848534: adding UDP interface ovn-k8s-mp0 10.129.0.2:500
Aug 4 15:12:46.848624: adding UDP interface ovn-k8s-mp0 10.129.0.2:4500
Aug 4 15:12:46.848654: adding UDP interface br-ex 169.254.169.2:500
Aug 4 15:12:46.848681: adding UDP interface br-ex 169.254.169.2:4500
Aug 4 15:12:46.848713: adding UDP interface br-ex 10.0.0.8:500
Aug 4 15:12:46.848740: adding UDP interface br-ex 10.0.0.8:4500
Aug 4 15:12:46.848767: adding UDP interface lo 127.0.0.1:500
Aug 4 15:12:46.848793: adding UDP interface lo 127.0.0.1:4500
Aug 4 15:12:46.848824: adding UDP interface lo [::1]:500
Aug 4 15:12:46.848853: adding UDP interface lo [::1]:4500
Aug 4 15:12:46.851160: loading secrets from "/etc/ipsec.secrets"
Aug 4 15:12:46.851214: no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 4 15:12:47.053369: loading secrets from "/etc/ipsec.secrets"

sh-4.4# tcpdump -i any esp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
^C
0 packets captured

sh-5.1# ovn-nbctl --no-leader-only get nb_global . ipsec
false
Version-Release number of selected component (if applicable):
openshift/cluster-network-operator#1874
How reproducible:
Always
Steps to Reproduce:
1. Install OVN cluster and enable IPSec in runtime
Actual results:
no esp packets seen across the nodes
Expected results:
esp traffic should be seen across the nodes
Additional info:
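The report diagnoses the failure by hand in three places: the ovn-ipsec container log (CA import into NSS failed), the ovn-nbctl nb_global.ipsec flag (still false after the patch), and the CA file the ovn-keys init container should have written. The following script is an added diagnostic, not part of the bug report or of the OVN / cluster-network-operator code; it wraps those three checks in functions that take command output as text, so they run offline on the constructed samples below and, inside a real ovn-ipsec pod, on live output. The function names, the verdict strings and the "healthy" sample log line are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report or from the OVN / CNO projects.
# Each check takes its input as text so it can be exercised offline.

# True when the ovs-monitor-ipsec log shows the CA import into NSS failed
# (the exact error string from the report).
ipsec_cert_import_failed() {
  # $1: ovn-ipsec container log text
  printf '%s\n' "$1" | grep -q 'Failed to import certificate into NSS'
}

# True when OVN northbound has IPsec switched on.
# "ovn-nbctl get nb_global . ipsec" prints "true" or "false".
nb_ipsec_enabled() {
  # $1: output of "ovn-nbctl --no-leader-only get nb_global . ipsec"
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}

# True when the CA certificate file exists and is non-empty.
ca_file_present() {
  # $1: path to the CA cert; the report's path is /etc/openvswitch/keys/ipsec-cacert.pem
  [ -s "$1" ]
}

# One verdict string per pod so the result can feed an alert or a CI gate.
# Checks are ordered from the most specific failure to the least.
ipsec_verdict() {
  # $1: container log text, $2: nb_global.ipsec value, $3: CA cert path
  if ipsec_cert_import_failed "$1"; then
    echo "broken: CA cert import into NSS failed, check $3 and the ovn-keys init container"
  elif ! nb_ipsec_enabled "$2"; then
    echo "broken: nb_global.ipsec is not true, tunnels stay unencrypted"
  elif ! ca_file_present "$3"; then
    echo "degraded: nb_global.ipsec is true but $3 is missing or empty"
  else
    echo "ok"
  fi
}

# Constructed sample inputs (not real captures). The first mirrors the error line
# in the report; the second is a hypothetical healthy line whose wording is not
# taken from ovs-monitor-ipsec.
SAMPLE_BAD_LOG='ovs-monitor-ipsec | ERR | Failed to import certificate into NSS. b'"'"'certutil: unable to open "/etc/openvswitch/keys/ipsec-cacert.pem" for reading (-5950, 2).\n'"'"''
SAMPLE_GOOD_LOG='ovs-monitor-ipsec | INFO | certificate import completed (constructed line)'

# Stand-alone run: verdict for the failing sample with the report's CA path.
ipsec_verdict "$SAMPLE_BAD_LOG" "false" /etc/openvswitch/keys/ipsec-cacert.pem
```

On a live cluster the three inputs come from `oc logs <ovn-ipsec-pod> -c ovn-ipsec`, from `ovn-nbctl --no-leader-only get nb_global . ipsec` run in an ovnkube pod, and from the path inside the ovn-ipsec container, so the script is best copied into the pod with `oc rsh` rather than run from the workstation. The verdict order matters: a failed CA import is reported before the nb_global flag, because in the reported state both are wrong and the import failure is the cause to fix first.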
- clones: OCPBUGS-17380 IPSec enablement is broken on OVNK (Closed)
- is blocked by: OCPBUGS-17380 IPSec enablement is broken on OVNK (Closed)
- is depended on by: OCPBUGS-28208 Typo "/g" in source code braking IPSec deamonset. (Closed)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update