Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-18871

IPSec enablement is broken on OVNK

    XMLWordPrintable

Details

    Description

      This is a clone of issue OCPBUGS-17380. The following is the description of the original issue:

      Description of problem:

      Enable IPSec pre/post install on OVN IC cluster
      
      $ oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
      network.operator.openshift.io/cluster patched
      
      
      ovn-ipsec containers complaining:
      
      ovs-monitor-ipsec | ERR | Failed to import certificate into NSS.
      b'certutil:  unable to open "/etc/openvswitch/keys/ipsec-cacert.pem" for reading (-5950, 2).\n'
      
      
      
      $ oc rsh ovn-ipsec-d7rx9
      Defaulted container "ovn-ipsec" out of: ovn-ipsec, ovn-keys (init)
      sh-5.1# certutil -L -d /var/lib/ipsec/nss Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPIovs_certkey_db961f9a-7de4-4f1d-a2fb-a8306d4079c5             u,u,u 
      
      sh-5.1# cat /var/log/openvswitch/libreswan.log
      Aug  4 15:12:46.808394: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
      Aug  4 15:12:46.837350: FIPS Mode: NO
      Aug  4 15:12:46.837370: NSS crypto library initialized
      Aug  4 15:12:46.837387: FIPS mode disabled for pluto daemon
      Aug  4 15:12:46.837390: FIPS HMAC integrity support [disabled]
      Aug  4 15:12:46.837541: libcap-ng support [enabled]
      Aug  4 15:12:46.837550: Linux audit support [enabled]
      Aug  4 15:12:46.837576: Linux audit activated
      Aug  4 15:12:46.837580: Starting Pluto (Libreswan Version 4.9 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:147
      Aug  4 15:12:46.837583: core dump dir: /run/pluto
      Aug  4 15:12:46.837585: secrets file: /etc/ipsec.secrets
      Aug  4 15:12:46.837587: leak-detective enabled
      Aug  4 15:12:46.837589: NSS crypto [enabled]
      Aug  4 15:12:46.837591: XAUTH PAM support [enabled]
      Aug  4 15:12:46.837604: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
      Aug  4 15:12:46.837664: NAT-Traversal support  [enabled]
      Aug  4 15:12:46.837803: Encryption algorithms:
      Aug  4 15:12:46.837814:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
      Aug  4 15:12:46.837820:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
      Aug  4 15:12:46.837826:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
      Aug  4 15:12:46.837831:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
      Aug  4 15:12:46.837837:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
      Aug  4 15:12:46.837843:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
      Aug  4 15:12:46.837849:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
      Aug  4 15:12:46.837855:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
      Aug  4 15:12:46.837861:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
      Aug  4 15:12:46.837867:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
      Aug  4 15:12:46.837872:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
      Aug  4 15:12:46.837878:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
      Aug  4 15:12:46.837883:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
      Aug  4 15:12:46.837889:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
      Aug  4 15:12:46.837892: Hash algorithms:
      Aug  4 15:12:46.837896:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
      Aug  4 15:12:46.837901:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
      Aug  4 15:12:46.837906:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
      Aug  4 15:12:46.837910:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
      Aug  4 15:12:46.837915:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
      Aug  4 15:12:46.837919:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
      Aug  4 15:12:46.837922: PRF algorithms:
      Aug  4 15:12:46.837927:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
      Aug  4 15:12:46.837931:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
      Aug  4 15:12:46.837936:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
      Aug  4 15:12:46.837950:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
      Aug  4 15:12:46.837955:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
      Aug  4 15:12:46.837959:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
      Aug  4 15:12:46.837962: Integrity algorithms:
      Aug  4 15:12:46.837966:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
      Aug  4 15:12:46.837984:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
      Aug  4 15:12:46.837995:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
      Aug  4 15:12:46.837999:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
      Aug  4 15:12:46.838005:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
      Aug  4 15:12:46.838008:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
      Aug  4 15:12:46.838014:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
      Aug  4 15:12:46.838018:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
      Aug  4 15:12:46.838023:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
      Aug  4 15:12:46.838026: DH algorithms:
      Aug  4 15:12:46.838031:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
      Aug  4 15:12:46.838035:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
      Aug  4 15:12:46.838039:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
      Aug  4 15:12:46.838044:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
      Aug  4 15:12:46.838048:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
      Aug  4 15:12:46.838053:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
      Aug  4 15:12:46.838057:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
      Aug  4 15:12:46.838061:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
      Aug  4 15:12:46.838066:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
      Aug  4 15:12:46.838070:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
      Aug  4 15:12:46.838074:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
      Aug  4 15:12:46.838077: IPCOMP algorithms:
      Aug  4 15:12:46.838081:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
      Aug  4 15:12:46.838085:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
      Aug  4 15:12:46.838089:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
      Aug  4 15:12:46.838093: testing CAMELLIA_CBC:
      Aug  4 15:12:46.838096:   Camellia: 16 bytes with 128-bit key
      Aug  4 15:12:46.838162:   Camellia: 16 bytes with 128-bit key
      Aug  4 15:12:46.838201:   Camellia: 16 bytes with 256-bit key
      Aug  4 15:12:46.838243:   Camellia: 16 bytes with 256-bit key
      Aug  4 15:12:46.838280: testing AES_GCM_16:
      Aug  4 15:12:46.838284:   empty string
      Aug  4 15:12:46.838319:   one block
      Aug  4 15:12:46.838352:   two blocks
      Aug  4 15:12:46.838385:   two blocks with associated data
      Aug  4 15:12:46.838424: testing AES_CTR:
      Aug  4 15:12:46.838428:   Encrypting 16 octets using AES-CTR with 128-bit key
      Aug  4 15:12:46.838464:   Encrypting 32 octets using AES-CTR with 128-bit key
      Aug  4 15:12:46.838502:   Encrypting 36 octets using AES-CTR with 128-bit key
      Aug  4 15:12:46.838541:   Encrypting 16 octets using AES-CTR with 192-bit key
      Aug  4 15:12:46.838576:   Encrypting 32 octets using AES-CTR with 192-bit key
      Aug  4 15:12:46.838613:   Encrypting 36 octets using AES-CTR with 192-bit key
      Aug  4 15:12:46.838651:   Encrypting 16 octets using AES-CTR with 256-bit key
      Aug  4 15:12:46.838687:   Encrypting 32 octets using AES-CTR with 256-bit key
      Aug  4 15:12:46.838724:   Encrypting 36 octets using AES-CTR with 256-bit key
      Aug  4 15:12:46.838763: testing AES_CBC:
      Aug  4 15:12:46.838766:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
      Aug  4 15:12:46.838801:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
      Aug  4 15:12:46.838841:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
      Aug  4 15:12:46.838881:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
      Aug  4 15:12:46.838928: testing AES_XCBC:
      Aug  4 15:12:46.838932:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
      Aug  4 15:12:46.839126:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
      Aug  4 15:12:46.839291:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
      Aug  4 15:12:46.839444:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
      Aug  4 15:12:46.839600:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
      Aug  4 15:12:46.839756:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
      Aug  4 15:12:46.839937:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
      Aug  4 15:12:46.840373:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
      Aug  4 15:12:46.840529:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
      Aug  4 15:12:46.840698:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
      Aug  4 15:12:46.840990: testing HMAC_MD5:
      Aug  4 15:12:46.840997:   RFC 2104: MD5_HMAC test 1
      Aug  4 15:12:46.841200:   RFC 2104: MD5_HMAC test 2
      Aug  4 15:12:46.841390:   RFC 2104: MD5_HMAC test 3
      Aug  4 15:12:46.841582: testing HMAC_SHA1:
      Aug  4 15:12:46.841585:   CAVP: IKEv2 key derivation with HMAC-SHA1
      Aug  4 15:12:46.842055: 8 CPU cores online
      Aug  4 15:12:46.842062: starting up 7 helper threads
      Aug  4 15:12:46.842128: started thread for helper 0
      Aug  4 15:12:46.842174: helper(1) seccomp security disabled for crypto helper 1
      Aug  4 15:12:46.842188: started thread for helper 1
      Aug  4 15:12:46.842219: helper(2) seccomp security disabled for crypto helper 2
      Aug  4 15:12:46.842236: started thread for helper 2
      Aug  4 15:12:46.842258: helper(3) seccomp security disabled for crypto helper 3
      Aug  4 15:12:46.842269: started thread for helper 3
      Aug  4 15:12:46.842296: helper(4) seccomp security disabled for crypto helper 4
      Aug  4 15:12:46.842311: started thread for helper 4
      Aug  4 15:12:46.842323: helper(5) seccomp security disabled for crypto helper 5
      Aug  4 15:12:46.842346: started thread for helper 5
      Aug  4 15:12:46.842369: helper(6) seccomp security disabled for crypto helper 6
      Aug  4 15:12:46.842376: started thread for helper 6
      Aug  4 15:12:46.842390: using Linux xfrm kernel support code on #1 SMP PREEMPT_DYNAMIC Thu Jul 20 09:11:28 EDT 2023
      Aug  4 15:12:46.842393: helper(7) seccomp security disabled for crypto helper 7
      Aug  4 15:12:46.842707: selinux support is NOT enabled.
      Aug  4 15:12:46.842728: systemd watchdog not enabled - not sending watchdog keepalives
      Aug  4 15:12:46.843813: seccomp security disabled
      Aug  4 15:12:46.848083: listening for IKE messages
      Aug  4 15:12:46.848252: Kernel supports NIC esp-hw-offload
      Aug  4 15:12:46.848534: adding UDP interface ovn-k8s-mp0 10.129.0.2:500
      Aug  4 15:12:46.848624: adding UDP interface ovn-k8s-mp0 10.129.0.2:4500
      Aug  4 15:12:46.848654: adding UDP interface br-ex 169.254.169.2:500
      Aug  4 15:12:46.848681: adding UDP interface br-ex 169.254.169.2:4500
      Aug  4 15:12:46.848713: adding UDP interface br-ex 10.0.0.8:500
      Aug  4 15:12:46.848740: adding UDP interface br-ex 10.0.0.8:4500
      Aug  4 15:12:46.848767: adding UDP interface lo 127.0.0.1:500
      Aug  4 15:12:46.848793: adding UDP interface lo 127.0.0.1:4500
      Aug  4 15:12:46.848824: adding UDP interface lo [::1]:500
      Aug  4 15:12:46.848853: adding UDP interface lo [::1]:4500
      Aug  4 15:12:46.851160: loading secrets from "/etc/ipsec.secrets"
      Aug  4 15:12:46.851214: no secrets filename matched "/etc/ipsec.d/*.secrets"
      Aug  4 15:12:47.053369: loading secrets from "/etc/ipsec.secrets"
      
      sh-4.4# tcpdump -i any esp
      dropped privs to tcpdump
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes^C
      0 packets capturedsh-5.1# ovn-nbctl --no-leader-only get nb_global . ipsec
      false
       

      Version-Release number of selected component (if applicable):

      openshift/cluster-network-operator#1874 

      How reproducible:

      Always

      Steps to Reproduce:

      1.Install OVN cluster and enable IPSec in runtime
      2.
      3.
      

      Actual results:

      no esp packets seen across the nodes

      Expected results:

      esp traffic should be seen across the nodes

      Additional info:

       

      Attachments

        Issue Links

          Activity

            People

              ykashtan Yuval Kashtan
              openshift-crt-jira-prow OpenShift Prow Bot
              Anurag Saxena Anurag Saxena
              Qiong Wang
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: