RHEL-89969

Duplicate Child SAs break IPsec for OCP cluster


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • rhel-9.6
    • libreswan
    • Critical
    • rhel-security-crypto-spades
    • ssg_security
    • Crypto25August, Crypto25September, Crypto25October

      What were you trying to do that didn't work?

      While testing IPsec with a 250/500-node cluster, we see that traffic over IPsec tunnels is broken. It happens with a few pairs of nodes and is caused by duplicate Child SAs being present on one end while the corresponding SA is not found on the other side.

      Slack thread: https://redhat-internal.slack.com/archives/C08DNAFC85T/p1745906230814439

      Libreswan upstream issue: https://github.com/libreswan/libreswan/issues/2184

      What is the impact of this issue to you?

      This is a regression in OCP 4.19.0 on a scaled cluster; it was not seen with Libreswan 4.6 in previous OCP releases.

      Please provide the package NVR for which the bug is seen:

      Libreswan 5.12

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      Pod-to-pod connectivity should always work on an IPsec-enabled cluster.

      Actual results

      Pod-to-pod connectivity is broken.
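      A diagnostic for the condition described in this report, added here as an example (it is not part of the report, of OVN-Kubernetes or of libreswan): take `ip xfrm state` from both nodes of an affected pair and flag, on the kernel side, (a) more than one Child SA for the same source, destination and reqid on one node and (b) SPIs installed on one node that the peer does not know, which is exactly the "SA not found on the other side" case that drops traffic. The node addresses, SPIs, reqids and key material in the sample output are constructed for illustration.

```python
"""Cross-check the kernel IPsec SAs of two peers from their ``ip xfrm state`` output.

Two symptoms of the failure described in this report are flagged:
  * duplicate Child SAs: more than one ESP SA for the same (src, dst, reqid) on one node;
  * orphaned SAs: an SA (src, dst, spi) installed on one node with no counterpart on the
    peer, so packets protected with that SPI are dropped by the receiver.
"""
import re
from collections import defaultdict

# ``ip xfrm state`` prints one SA per block: a "src ... dst ..." header followed by an
# indented "proto esp spi ... reqid ... mode ..." line and further attribute lines.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_ESP = re.compile(r"^\s*proto esp spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")


def parse_xfrm_state(text):
    """Return one dict {src, dst, spi, reqid, mode} per ESP SA found in the output."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2)}
            continue
        m = SA_ESP.match(line)
        if m and current is not None:
            current.update(spi=m.group(1).lower(), reqid=int(m.group(2)), mode=m.group(3))
            sas.append(current)
            current = None
    return sas


def for_pair(sas, addr_a, addr_b):
    """Keep only the SAs carrying traffic between addr_a and addr_b (either direction)."""
    pair = {addr_a, addr_b}
    return [sa for sa in sas if {sa["src"], sa["dst"]} == pair]


def find_duplicate_child_sas(sas):
    """Group SAs by (src, dst, reqid). libreswan uses the reqid to tie the kernel SAs of
    one connection together, so two SPIs under one key means two Child SAs were installed
    for the same connection and direction."""
    by_key = defaultdict(list)
    for sa in sas:
        by_key[f"{sa['src']}->{sa['dst']}/reqid={sa['reqid']}"].append(sa["spi"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def find_orphaned_sas(sas_a, sas_b):
    """An SA is identified by (src, dst, spi). Both peers must hold the same set for a
    pair, because the sender's outbound SA is the receiver's inbound SA."""
    def key(sa):
        return (sa["src"], sa["dst"], sa["spi"])
    set_a = {key(sa) for sa in sas_a}
    set_b = {key(sa) for sa in sas_b}
    return {"only_on_a": sorted(set_a - set_b), "only_on_b": sorted(set_b - set_a)}


def check_pair(xfrm_a, xfrm_b, addr_a, addr_b):
    """Run both checks for one node pair and return a report dict."""
    sas_a = for_pair(parse_xfrm_state(xfrm_a), addr_a, addr_b)
    sas_b = for_pair(parse_xfrm_state(xfrm_b), addr_a, addr_b)
    return {
        "duplicates_on_a": find_duplicate_child_sas(sas_a),
        "duplicates_on_b": find_duplicate_child_sas(sas_b),
        "orphans": find_orphaned_sas(sas_a, sas_b),
    }


# Constructed sample output (not captured from the reported cluster): node A holds two
# outbound Child SAs towards node B under the same reqid; node B only knows the first.
NODE_A = "10.0.0.1"
NODE_B = "10.0.0.2"
XFRM_NODE_A = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x00001111 reqid 16389 mode transport
\treplay-window 0 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x00002222 reqid 16389 mode transport
\treplay-window 0 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x00003333 reqid 16389 mode transport
\treplay-window 32 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0xfedcba9876543210fedcba9876543210fedcba98 128
src 10.0.0.1 dst 10.0.0.3
\tproto esp spi 0x00004444 reqid 16390 mode transport
\treplay-window 0 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
"""
XFRM_NODE_B = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x00001111 reqid 16389 mode transport
\treplay-window 32 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x00003333 reqid 16389 mode transport
\treplay-window 0 flag af-unspec esn
\taead rfc4106(gcm(aes)) 0xfedcba9876543210fedcba9876543210fedcba98 128
"""

if __name__ == "__main__":
    # Live use: ssh nodeA 'ip xfrm state' > a.txt; ssh nodeB 'ip xfrm state' > b.txt
    import json
    print(json.dumps(check_pair(XFRM_NODE_A, XFRM_NODE_B, NODE_A, NODE_B), indent=2))
```

      Two caveats when reading the report: a legitimate IKEv2 rekey also shows two SAs for one direction for a short window, until the old Child SA is deleted, so a duplicate should be confirmed by re-sampling a few seconds later before it is treated as this bug; and an orphan in the kernel should be compared with `ipsec trafficstatus` on the same node to tell a libreswan bookkeeping error (Child SA known to pluto, missing on the peer) from a kernel SA that pluto itself no longer tracks.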

              Daiki Ueno (dueno@redhat.com)
              Periyasamy Palanisamy (pepalani@redhat.com)
              Ondrej Moris