Add IPsec bypass policy for ICMP for IPv4

This change added a bypass policy to IPsec for ICMP on IPv4 systems,
so that pinging hosts on the mgmt subnet (e.g., the mgmt gateway) can
go through. This is to aid debugging connectivity issues during system
deployment.

Note that ICMP has already been bypassed in the IPsec configuration on IPv6
systems.

Test Plan:
PASS: IPv4 DX system deployment. After deployment, verify the ICMP
      bypass policy is added to IPsec by "swanctl --list-conn" on
      both controllers.
PASS: Ping from one controller to the other, verify the other controller
      responds without packet loss.
PASS: Disable IPsec on one of the controllers (need to set the
      heartbeat_failure_action service parameter to alarm first), ping
      from one controller to the other, verify the other controller
      responds without packet loss.

Story: 2010940
Task: 51331

Change-Id: I26e5c3db07130cfc5936b4d13bf8f33d8394c650
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning
2024-11-12 13:14:01 -05:00
parent 8940adf4a8
commit ecbd90a1c5


@@ -300,6 +300,19 @@ class StrongswanPuppet(object):
},
}
swanctl.add_connection('ndp', conn)
# Add bypass connection for ping for IPv4.
else:
conn = {
'children': {
'icmpv4-bypass': {
'mode': 'pass',
'start_action': 'trap',
'local_ts': '\"0.0.0.0/0[icmp]\"',
'remote_ts': '\"0.0.0.0/0[icmp]\"',
},
},
}
swanctl.add_connection('ping', conn)
config = {
'platform::strongswan::params::swanctl':
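Review bot: the traffic selectors `'local_ts': '\"0.0.0.0/0[icmp]\"'` / `'remote_ts': '\"0.0.0.0/0[icmp]\"'` exempt all IPv4 ICMP to and from any address from IPsec, which is broader than the mgmt-subnet ping debugging the commit message describes; consider narrowing both selectors to the management subnet (and, if only echo request/reply is needed, to those ICMP types rather than the whole protocol) so that ICMP between the controllers on other networks, and ICMP types beyond ping, still go through the tunnel. A small style point: the comment `# Add bypass connection for ping for IPv4.` sits above the `else:` and reads as part of the IPv6 branch; move it under `else:` beside the `conn` it describes.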