From ecbd90a1c5b1818511d332f1f0c2348b301effc5 Mon Sep 17 00:00:00 2001
From: Andy Ning
Date: Tue, 12 Nov 2024 13:14:01 -0500
Subject: [PATCH] Add IPsec bypass policy for ICMP for IPv4

This change added bypass policy to IPsec for ICMP on IPv4 system, so that pinging to hosts on the mgmt subnet (eg, mgmt. gateway) can go through. This is to aid debugging connectivity issues for system deployment.

Note that ICMP has already bypassed in IPsec configuration on IPv6 system.

Test Plan:
PASS: IPv4 DX system deployment. After deployment, verify the ICMP bypass policy is added to IPsec by "swanctl --list-conn" on both controllers.
PASS: Ping from one controller to the other, verify the other controller responses without packets loss.
PASS: Disable IPsec on one of the controller (need to set heartbeat_failure_action service parameter to alarm first), ping from one controller to the other, verfiry the other controller responses without packets loss.

Story: 2010940
Task: 51331
Change-Id: I26e5c3db07130cfc5936b4d13bf8f33d8394c650
Signed-off-by: Andy Ning
---
 .../sysinv/sysinv/ipsec_auth/client/config.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
index 870306377c..d86c8eaf4e 100644
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
@@ -300,6 +300,19 @@ class StrongswanPuppet(object):
             },
         }
         swanctl.add_connection('ndp', conn)
+        # Add bypass connection for ping for IPv4.
+        else:
+            conn = {
+                'children': {
+                    'icmpv4-bypass': {
+                        'mode': 'pass',
+                        'start_action': 'trap',
+                        'local_ts': '\"0.0.0.0/0[icmp]\"',
+                        'remote_ts': '\"0.0.0.0/0[icmp]\"',
+                    },
+                },
+            }
+            swanctl.add_connection('ping', conn)
         config = {
             'platform::strongswan::params::swanctl':