Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ipsec: libreswan: Reduce chances for crossing streams.
Normally ovs-monitor-ipsec will start all the connections it manages. This is required, because we do not generally know if the other side of the tunnel is going to initiate the IPsec connection or not. For example, the other side might not belong to an OVS setup, so it may not be managed by the other instance of ovs-monitor-ipsec. There are also issues in Libreswan that may cause the other side to to fail the connection initiation in a way that it will not try again. However, in many cases the other side is managed by ovs-monitor-ipsec. And in that scenario there is a high chance the both sides will try to initiate the connection at the same time. This is known as crossing streams. Unfortunately, Libreswan, 4.x in particular, doesn't handle this well and either crashes or ends up in a state where connections reported as active, but no traffic can actually go through. For tunnels, where we create separate incoming and outgoing connections (geneve), we may start (add + up) the outgoing connection and only add the incoming one. This would give the other side some time to initiate, avoiding the crossing streams and giving Libreswan a higher chance to survive. We still have to try to bring the incoming connections up at some point if they do not become active. Reconciliation logic will take care of this. Next time we check the active connections, we'll try to reconcile and will bring all the loaded but not active connections up. So, we're loosing at most 15 seconds if something goes wrong. This change greatly improves stability with Libreswan 4.x. It's still not enough to enable the ping test for it, but hopefully enough for real world setups to not hit the Libreswan issues often. GRE connections will still be started from both sides. We do already have some issues in case users name their tunnels with -in- or -out- in the name, so it's not a new problem, but if the regex accidentally matches on such a GRE tunnel, we'll again loose at most 15 seconds before they will be brought up during reconciliation. So, should not be a big deal. Note: ipsec auto in Libreswan < 5 accepts --asynchronous together with --add, even thought the --asynchronous flag is only for up/down/start, but Libreswan 5 fails the command, so we need to add it conditionally. Signed-off-by: Ilya Maximets <[email protected]>
- Loading branch information