At the time cluster installation with IPsec, IPsec is established using containerized deployment until ipsec os extension is rolled on the node. After ipsec os extension is rolled out (which installs libreswan and NetworkManager-libreswan), IPsec SAs are not established with other nodes until ipsec host deployment pod is running on the node. This may cause network disturbance for the east west traffic.

This is seen from CI run: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/63667/rehearse-63667-periodic-ci-openshift-release-master-nightly-4.19-e2e-aws-ovn-ipsec-upgrade/1921956144792735744

May 12 18:16:20.500114 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:21.042111 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:21.583910 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:22.659905 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:24.699813 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:28.700142 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:36.701029 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:48.823086 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:49.323331 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:49.824236 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:50.825922 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:52.704347 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:52.827625 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:54.865223 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:55.364789 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:55.864960 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:56.831288 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:56.865856 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:16:58.868487 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:02.869903 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:04.832222 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:10.878888 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:20.837645 ip-10-0-116-210 pluto[2464]: packet from 10.0.1.151:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:25.085680 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:25.585964 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:26.086953 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:26.880311 ip-10-0-116-210 pluto[2464]: packet from 10.0.94.102:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:27.087913 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:29.088855 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy
May 12 18:17:33.093551 ip-10-0-116-210 pluto[2464]: packet from 10.0.42.89:500: responding to IKE_SA_INIT request with Message ID 0 with unencrypted notification NO_PROPOSAL_CHOSEN, no suitable connection found with IKEv2 policy

    1.
    2.
    3.
    

EW traffic is broken for the node for more than a minute after kubelet started.    

Ensure IKE SAs are established before kubelet service using ipsec connections and certificates created by containerized deployment.