OpenShift Bugs / OCPBUGS-27915

Deleting nmstate nncp object for IPsec policy doesn't remove associated IPsec SA


      Description of problem:

      The nmstate operator was deployed to configure an IPsec transport tunnel.

      The following are the rpm versions:
      
      sh-5.1# rpm -qa | grep -i "nmst\|libre"
      libref_array-0.1.5-53.el9.x86_64
      libreport-filesystem-2.15.2-6.el9.noarch
      librepo-1.14.5-1.el9.x86_64
      nmstate-2.2.23-1.el9_2.x86_64
      libreswan-4.9-4.el9_2.x86_64
      NetworkManager-libreswan-1.2.14-3.el9_2.x86_64
      
      
      

      Version-Release number of selected component (if applicable):

      4.15.0-0.nightly-2024-01-24-103216    

      How reproducible:

          Always

      Steps to Reproduce:

          1. Enable IPSec mode Full on OCP
          2. Deploy nmstate operator
          3. Create nncp object for ipsec policy

      [anusaxen@anusaxen ~]$ cat try.yaml
      kind: NodeNetworkConfigurationPolicy
      apiVersion: nmstate.io/v1
      metadata:
        name: "ipsec-policy1"
      spec:
        nodeSelector:
          kubernetes.io/hostname: "ipsec-testpr65-8b2sk-worker-b-wlrwt"
        desiredState:
          interfaces:
          - name: pluto-VM
            type: ipsec
            libreswan:
              left: 10.0.128.2
              leftid: '%fromcert'
              leftmodecfgclient: no
              leftrsasigkey: '%cert'
              leftcert: "10_0_128_2"
              right: 10.0.0.2
              rightid: '%fromcert'
              rightrsasigkey: '%cert'
              rightsubnet: 10.0.0.2/32
              ikev2: insist
              type: transport

          4. $ oc get nncp
      NAME            STATUS      REASON
      ipsec-policy1   Available   SuccessfullyConfigured

          5. oc debug on node and check ipsec status (tunnel up)

      000 #30: "2db7541a-0a33-4373-8a85-f64b796ff02a":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27197s; REPLACE in 28217s; newest; idle;
      000 #31: "2db7541a-0a33-4373-8a85-f64b796ff02a":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27208s; REPLACE in 28217s; newest; eroute owner; IKE SA #30; idle;
      000 #31: "2db7541a-0a33-4373-8a85-f64b796ff02a" esp.d7d3cac0@10.0.0.2 esp.3edc1329@10.0.128.2 Traffic: ESPin=64B ESPout=64B ESPmax=2^63B

          6. oc delete nncp ipsec-policy1
          7. above tunnel IPSec SA remains up and traffic continues to be encrypted

      Actual results:

          Tunnel is not terminated post nncp object deletion

      Expected results:

           Tunnel should be terminated post nncp object deletion

      Additional info:

          Restarting ipsec.service terminates the tunnel

       

            fge@redhat.com Gris Ge
            anusaxen Anurag Saxena
            Anurag Saxena Anurag Saxena
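
A node-side check for the condition reported above, as an added example that is not part of the original report or of nmstate: it reads `ipsec status` output and lists connections that still hold an established IKE or Child SA but are not among the connections expected to remain. The function names are hypothetical, and the sample input reuses the status lines from the report plus one constructed connection named expected-conn.

```shell
# Constructed sample: the three status lines from the report plus one
# made-up connection ("expected-conn") that is supposed to stay up.
sample_status() {
cat <<'EOF'
000 #30: "2db7541a-0a33-4373-8a85-f64b796ff02a":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27197s; REPLACE in 28217s; newest; idle;
000 #31: "2db7541a-0a33-4373-8a85-f64b796ff02a":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27208s; REPLACE in 28217s; newest; eroute owner; IKE SA #30; idle;
000 #31: "2db7541a-0a33-4373-8a85-f64b796ff02a" esp.d7d3cac0@10.0.0.2 esp.3edc1329@10.0.128.2 Traffic: ESPin=64B ESPout=64B ESPmax=2^63B
000 #7: "expected-conn":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); idle;
EOF
}

# Read `ipsec status` text on stdin; print "<conn> <ike|child> <serial>"
# for every line that reports an established IKEv2 SA.
established_sas() {
    awk '/STATE_V2_ESTABLISHED_(IKE|CHILD)_SA/ {
        if (match($0, /"[^"]+"/)) {
            conn = substr($0, RSTART + 1, RLENGTH - 2)   # strip the quotes
            kind = ($0 ~ /STATE_V2_ESTABLISHED_CHILD_SA/) ? "child" : "ike"
            serial = $2; sub(/:$/, "", serial)           # "#31:" -> "#31"
            print conn, kind, serial
        }
    }'
}

# Arguments: connection names that are expected to remain established.
# Prints only the SAs whose connection is not in that list.
stale_sas() {
    expected=" $* "
    established_sas | while read -r conn kind serial; do
        case "$expected" in
            *" $conn "*) ;;                              # expected, skip
            *) printf '%s %s %s\n' "$conn" "$kind" "$serial" ;;
        esac
    done
}

# Exit status 1 (and a listing on stderr) if any SA outlived its policy.
check_stale() {
    stale_out=$(stale_sas "$@")
    if [ -z "$stale_out" ]; then return 0; fi
    printf '%s\n' "$stale_out" >&2
    return 1
}
```

On a node, `ipsec status | check_stale <connections that should remain>` after deleting the policy returns non-zero when an SA is still established for a connection that should be gone.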