From c2780da321ce5af83091a389fc7ef839540dc0a4 Mon Sep 17 00:00:00 2001 From: Kelly Brown Date: Wed, 13 Apr 2022 15:44:40 -0400 Subject: [PATCH] BZ2068283 - Adding clarification for IPsec --- modules/installation-network-user-infra.adoc | 12 ++++++++- modules/nw-ovn-ipsec-traffic.adoc | 27 ++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/modules/installation-network-user-infra.adoc b/modules/installation-network-user-infra.adoc index ec0a872b2b..f1aa82ad9f 100644 --- a/modules/installation-network-user-infra.adoc +++ b/modules/installation-network-user-infra.adoc @@ -209,7 +209,7 @@ the Cluster Version Operator on port `9099`. |`10256` |openshift-sdn -.3+|UDP +.5+|UDP |`4789` |VXLAN @@ -219,10 +219,20 @@ the Cluster Version Operator on port `9099`. |`9000`-`9999` |Host level services, including the node exporter on ports `9100`-`9101`. +|`500` +|IPsec IKE packets + +|`4500` +|IPsec NAT-T packets + |TCP/UDP |`30000`-`32767` |Kubernetes node port +|ESP +|N/A +|IPsec Encapsulating Security Payload (ESP) + |=== .Ports used for all-machine to control plane communications diff --git a/modules/nw-ovn-ipsec-traffic.adoc b/modules/nw-ovn-ipsec-traffic.adoc index c64004f3fe..a22f5d122e 100644 --- a/modules/nw-ovn-ipsec-traffic.adoc +++ b/modules/nw-ovn-ipsec-traffic.adoc 
@@ -19,3 +19,30 @@ The following traffic flows are not encrypted: The encrypted and unencrypted flows are illustrated in the following diagram: image::nw-ipsec-encryption.png[IPsec encrypted and unencrypted traffic flows] + +== Network connectivity requirements when IPsec is enabled + +You must configure the network connectivity between machines to allow {product-title} cluster +components to communicate. Each machine must be able to resolve the hostnames +of all other machines in the cluster. + +.Ports used for all-machine to all-machine communications +[cols="2a,2a,5a",options="header"] +|=== + +|Protocol +|Port +|Description + +.2+|UDP +|`500` +|IPsec IKE packets + +|`4500` +|IPsec NAT-T packets + +|ESP +|N/A +|IPsec Encapsulating Security Payload (ESP) + +|===
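Review bot: In the second hunk of `installation-network-user-infra.adoc`, the new `ESP` row puts `N/A` in the Port column without saying what a firewall rule must actually match; ESP is IP protocol 50, not a TCP/UDP port, so the description should state that (for example `|IPsec Encapsulating Security Payload (ESP), IP protocol 50`) so readers do not try to open a port. The `500`, `4500` and `ESP` rows are also added to the general installation table without any qualifier, so a reader who does not enable IPsec will open these ports unnecessarily; append "(only required when IPsec is enabled)" to each description, or keep the rows only in the IPsec module.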
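Review bot: In the `nw-ovn-ipsec-traffic.adoc` hunk, the introductory paragraph is copied from the installation module, and its second sentence about hostname resolution is not specific to IPsec; replace the paragraph with one sentence stating that, when IPsec is enabled, the following ports and protocols must be allowed between all machines in addition to the standard cluster requirements, ideally with an xref to the installation requirements. The table itself repeats the three rows added to `installation-network-user-infra.adoc`, so the two copies can drift; consider keeping the IPsec rows in one place and cross-referencing from the other.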