Bug 1916373: upi: allow IPsec ports

2026-02-05 06:46:36 +01:00 · 2021-01-14 14:15:34 -05:00
parent b3dae7f473
commit 618d4ef474
3 changed files with 149 additions and 0 deletions
--- a/upi/aws/cloudformation/03_cluster_security.yaml
+++ b/upi/aws/cloudformation/03_cluster_security.yaml
@@ -134,6 +134,62 @@ Resources:
      ToPort: 6081
      IpProtocol: udp

+  MasterIngressIpsecIke:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec IKE packets
+      FromPort: 500
+      ToPort: 500
+      IpProtocol: udp
+
+  MasterIngressIpsecNat:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec NAT-T packets
+      FromPort: 4500
+      ToPort: 4500
+      IpProtocol: udp
+
+  MasterIngressIpsecEsp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec ESP packets
+      IpProtocol: esp
+
+  MasterIngressWorkerIpsecIke:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec IKE packets
+      FromPort: 500
+      ToPort: 500
+      IpProtocol: udp
+
+  MasterIngressWorkerIpsecNat:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec NAT-T packets
+      FromPort: 4500
+      ToPort: 4500
+      IpProtocol: udp
+
+  MasterIngressWorkerIpsecEsp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt MasterSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec ESP packets
+      IpProtocol: esp
+
  MasterIngressInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
@@ -274,6 +330,62 @@ Resources:
      ToPort: 6081
      IpProtocol: udp

+  WorkerIngressIpsecIke:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec IKE packets
+      FromPort: 500
+      ToPort: 500
+      IpProtocol: udp
+
+  WorkerIngressIpsecNat:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec NAT-T packets
+      FromPort: 4500
+      ToPort: 4500
+      IpProtocol: udp
+
+  WorkerIngressIpsecEsp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+      Description: IPsec ESP packets
+      IpProtocol: esp
+
+  WorkerIngressMasterIpsecIke:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec IKE packets
+      FromPort: 500
+      ToPort: 500
+      IpProtocol: udp
+
+  WorkerIngressMasterIpsecNat:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec NAT-T packets
+      FromPort: 4500
+      ToPort: 4500
+      IpProtocol: udp
+
+  WorkerIngressMasterIpsecEsp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt WorkerSecurityGroup.GroupId
+      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+      Description: IPsec ESP packets
+      IpProtocol: esp
+
  WorkerIngressInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
--- a/upi/gcp/03_firewall.py
+++ b/upi/gcp/03_firewall.py
@@ -94,6 +94,11 @@ def GenerateConfig(context):
            'allowed': [{
                'IPProtocol': 'udp',
                'ports': ['4789', '6081']
+            },{
+                'IPProtocol': 'udp',
+                'ports': ['500', '4500']
+            },{
+                'IPProtocol': 'esp',
            },{
                'IPProtocol': 'tcp',
                'ports': ['9000-9999']
--- a/upi/openstack/security-groups.yaml
+++ b/upi/openstack/security-groups.yaml
@@ -93,6 +93,22 @@
      port_range_min: 6081
      port_range_max: 6081

+  - name: 'Create master-sg rule "IPsec IKE"'
+    os_security_group_rule:
+      security_group: "{{ os_sg_master }}"
+      protocol: udp
+      remote_ip_prefix: "{{ os_subnet_range }}"
+      port_range_min: 500
+      port_range_max: 500
+
+  - name: 'Create master-sg rule "IPsec NAT-T"'
+    os_security_group_rule:
+      security_group: "{{ os_sg_master }}"
+      protocol: udp
+      remote_ip_prefix: "{{ os_subnet_range }}"
+      port_range_min: 4500
+      port_range_max: 4500
+
  - name: 'Create master-sg rule "ovndb"'
    os_security_group_rule:
      security_group: "{{ os_sg_master }}"
@@ -230,6 +246,22 @@
      port_range_min: 6081
      port_range_max: 6081

+  - name: 'Create worker-sg rule "IPsec IKE"'
+    os_security_group_rule:
+      security_group: "{{ os_sg_worker }}"
+      protocol: udp
+      remote_ip_prefix: "{{ os_subnet_range }}"
+      port_range_min: 500
+      port_range_max: 500
+
+  - name: 'Create worker-sg rule "IPsec NAT-T"'
+    os_security_group_rule:
+      security_group: "{{ os_sg_worker }}"
+      protocol: udp
+      remote_ip_prefix: "{{ os_subnet_range }}"
+      port_range_min: 4500
+      port_range_max: 4500
+
  - name: 'Create worker-sg rule "worker ingress internal (TCP)"'
    os_security_group_rule:
      security_group: "{{ os_sg_worker }}"