diff --git a/roles/openshift_node/tasks/install.yml b/roles/openshift_node/tasks/install.yml
index 01af33851..4607fc8a3 100644
--- a/roles/openshift_node/tasks/install.yml
+++ b/roles/openshift_node/tasks/install.yml
@@ -112,21 +112,8 @@
     name: "crio"
     enabled: yes
 
-- name: Enable ipsec service
-  systemd:
-    name: "ipsec"
-    enabled: yes
-
-- name: add nssdir to ipsec.conf
-  ansible.builtin.lineinfile:
-    path: /etc/ipsec.conf
-    insertafter: 'config setup'
-    line: "\tnssdir=/var/lib/ipsec/nss"
-
-- name: create nssdir
-  file:
-    path: /var/lib/ipsec/nss
-    state: directory
+# handle ipsec installation
+- import_tasks: ipsec.yml
 
 # persistent storage in journal is needed for MachineConfig to work
 - name: Enable persistent storage on journal
diff --git a/roles/openshift_node/tasks/ipsec.yml b/roles/openshift_node/tasks/ipsec.yml
new file mode 100644
index 000000000..6f5d7e37f
--- /dev/null
+++ b/roles/openshift_node/tasks/ipsec.yml
@@ -0,0 +1,28 @@
+---
+- name: Enable ipsec service
+  systemd:
+    name: "ipsec"
+    enabled: yes
+
+- name: add nssdir to ipsec.conf
+  ansible.builtin.lineinfile:
+    path: /etc/ipsec.conf
+    insertafter: 'config setup'
+    line: "\tnssdir=/var/lib/ipsec/nss"
+
+- name: create nssdir
+  file:
+    path: /var/lib/ipsec/nss
+    state: directory
+
+- name: set nss selinux context
+  command: semanage fcontext -a -t ipsec_key_file_t /var/lib/ipsec/nss
+
+- name: restore nss selinux context so it will be active
+  command: restorecon -r /var/lib/ipsec/nss
+
+- name: initialize nss db
+  command: ipsec initnss --nssdir /var/lib/ipsec/nss
+
+- name: make sure proper selinux label on nss db
+  command: chcon -R -t ipsec_key_file_t /var/lib/ipsec/nss
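Review bot: The `command:` tasks at the end of the new ipsec.yml are not idempotent — `semanage fcontext -a` fails once the rule already exists, so a second run of the role errors out, and `ipsec initnss` is re-executed against an existing database; the `sefcontext` module (community.general on ansible-core 2.10+, consistent with the `ansible.builtin.lineinfile` FQCN already used here) plus a `creates:` guard on initnss fixes both. The fcontext rule also covers only the directory itself, not its contents, which is why the trailing `chcon -R` is needed; chcon labels do not survive a relabel, so widen the rule to `/var/lib/ipsec/nss(/.*)?` and let restorecon do the work. The directory holding the NSS key database is created without `owner`/`mode`, so it inherits the umask of the task runner — pin it to root-owned `"0700"` (confirm libreswan does not need broader access). Lastly, `enabled: yes` on the systemd task should be written `enabled: true`.

```yaml
# … unchanged: Enable ipsec service / add nssdir to ipsec.conf tasks …

- name: create nssdir
  ansible.builtin.file:
    path: /var/lib/ipsec/nss
    state: directory
    owner: root
    group: root
    mode: "0700"  # TODO confirm libreswan does not need a less restrictive mode

- name: set nss selinux context
  community.general.sefcontext:
    target: /var/lib/ipsec/nss(/.*)?
    setype: ipsec_key_file_t
    state: present

- name: restore nss selinux context so it will be active
  ansible.builtin.command: restorecon -r /var/lib/ipsec/nss
  changed_when: false

- name: initialize nss db
  ansible.builtin.command:
    cmd: ipsec initnss --nssdir /var/lib/ipsec/nss
    creates: /var/lib/ipsec/nss/<db-file-created-by-initnss>  # TODO replace placeholder with the actual db file name

- name: make sure proper selinux label on nss db
  ansible.builtin.command: restorecon -r /var/lib/ipsec/nss
  changed_when: false
```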