RHEL-59008

NetworkManager creating additional routes when used as a part of OpenShift and NMState

    • Bug
    • Resolution: Unresolved
    • rhel-9.6
    • rhel-sst-network-management
    • ssg_networking

      What were you trying to do that didn't work?

      While trying to follow the documentation here, "Configuring IPsec encryption for external traffic", to create an external IPsec tunnel, I am unable to create a working tunnel from the OCP SNO cluster to an external site.

      What is the impact of this issue to you?

      We are working on a POC with a Telco customer to create remote (edge) SNO clusters that will connect back to a main datacenter to be managed by ACM over a secure IPSec connection. We are unable to proceed with the PoC at this time, due to the network routing not being correct. 

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Steps to reproduce

      1. See attached files for configurations used to test in my lab
      2. Create IPsec server using configuration files
      3. Create IPSec client in OpenShift using included YAML files
      4. Try to access remote network

      Expected results

      Expected to be able to connect to servers/services on remote external network.

      Actual results

      Routing is not properly set up; specifically, the routing table seems to be incorrect. For example, note that in the output below the remote IPSec server is at 162.0.177.100; however, the route that exists to get to that endpoint is going OVER the VPN tunnel (172.16.11.101).

      ip route
      default via 192.168.80.1 dev br-ex proto dhcp src 192.168.80.198 metric 48 
      10.128.0.0/23 dev ovn-k8s-mp0 proto kernel scope link src 10.128.0.2 
      10.128.0.0/14 via 10.128.0.1 dev ovn-k8s-mp0 
      162.0.177.100 dev br-ex proto static scope link src 172.16.11.101 metric 50 
      169.254.169.0/29 dev br-ex proto kernel scope link src 169.254.169.2 
      169.254.169.1 dev br-ex src 192.168.80.198 
      169.254.169.3 via 10.128.0.1 dev ovn-k8s-mp0 
      172.16.0.0/16 via 162.0.177.100 dev br-ex proto static src 172.16.11.101 metric 50 
      172.30.0.0/16 via 169.254.169.4 dev br-ex src 169.254.169.2 mtu 1400 
      192.168.80.0/24 dev br-ex proto kernel scope link src 192.168.80.198 metric 48  

      See additional discussion about this issue here: https://redhat-internal.slack.com/archives/C04MH2B47HB/p1726230419554639

        1. ipsec_config.yaml
          0.6 kB
        2. client_access.conf
          0.4 kB
        3. access_vpn.conf
          1 kB
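
The routing symptom described under "Actual results" can be checked mechanically. The following is an added example, not part of the original report or of NetworkManager/NMState: it parses the reported `ip route` output, picks the route the peer address would match by longest prefix, and flags it when its `src` lies inside a prefix that is itself routed via that peer. The function names are hypothetical, and metrics and policy routing are ignored as a simplifying assumption.

```python
import ipaddress

# Routing table as printed in the report (copied from its "ip route" output).
REPORTED = """\
default via 192.168.80.1 dev br-ex proto dhcp src 192.168.80.198 metric 48
10.128.0.0/23 dev ovn-k8s-mp0 proto kernel scope link src 10.128.0.2
10.128.0.0/14 via 10.128.0.1 dev ovn-k8s-mp0
162.0.177.100 dev br-ex proto static scope link src 172.16.11.101 metric 50
169.254.169.0/29 dev br-ex proto kernel scope link src 169.254.169.2
169.254.169.1 dev br-ex src 192.168.80.198
169.254.169.3 via 10.128.0.1 dev ovn-k8s-mp0
172.16.0.0/16 via 162.0.177.100 dev br-ex proto static src 172.16.11.101 metric 50
172.30.0.0/16 via 169.254.169.4 dev br-ex src 169.254.169.2 mtu 1400
192.168.80.0/24 dev br-ex proto kernel scope link src 192.168.80.198 metric 48
"""

def parse_routes(text):
    """Parse IPv4 `ip route` lines into dicts with dst, via, dev and src."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "line": line.strip()}
        # Attributes appear as "key value" pairs after the destination.
        for key, value in zip(tok[1:], tok[2:]):
            if key in ("via", "dev", "src"):
                route[key] = value
        routes.append(route)
    return routes

def suspicious_peer_route(routes, peer):
    """Return the route chosen for `peer` if its src is inside a prefix
    that is itself routed via `peer`; otherwise return None."""
    peer_ip = ipaddress.ip_address(peer)
    via_peer = [r["dst"] for r in routes if r.get("via") == peer]
    candidates = [r for r in routes if peer_ip in r["dst"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r["dst"].prefixlen)  # longest prefix
    src = best.get("src")
    if src and any(ipaddress.ip_address(src) in net for net in via_peer):
        return best
    return None

if __name__ == "__main__":
    hit = suspicious_peer_route(parse_routes(REPORTED), "162.0.177.100")
    print(hit["line"] if hit else "peer route looks consistent")
```
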

              nm-team Network Management Team
              mdeneve@redhat.com Mark DeNeve
              Vladimir Benes