IPsec mesh troubleshooting

Use the prerequisites, configuration checks, and post-installation checks below to troubleshoot IPsec mesh network issues.

Prerequisites

  1. Every node in the cluster must have at least two network interfaces: a management interface and a second interface that carries the encrypted pod traffic (the data plane interface). Provide the IP address of the management interface in cluster/hosts, and the name of the data plane interface in the Calico and IPsec configurations in cluster/config.yaml.

  2. Calico networking must run in IP-in-IP mode, and the Calico tunnel MTU must be set correctly (see Configuration).

  3. The IPsec package that provides the encryption must be installed on every node in the cluster: libreswan on RHEL, strongswan on Ubuntu and SLES.

Note: All nodes in the cluster must run the same operating system.

Configuration

  1. Ensure that the following Calico settings are present in config.yaml.

    network_type: calico
    calico_ipip_mode: Always
    calico_tunnel_mtu: 1390
    calico_ip_autodetection_method: interface=eth0
    
    • calico_ipip_mode must be Always. IPIP tunnelling must be enabled for IPsec.

    • calico_tunnel_mtu must be at least 60 bytes less than the MTU of the data plane interface, to leave room for the IPIP and ESP encapsulation headers. If the eth0 interface MTU is 1450 bytes, calico_tunnel_mtu must be at most 1390 bytes.

    • calico_ip_autodetection_method must be configured to choose the data plane interface.

  2. Check the IPsec configuration in config.yaml.

    ipsec_mesh:
      enable: true
      interface: eth0
      subnets: [10.24.10.0/24]
      exclude_ips: [10.24.10.1/32, 10.24.10.2, 10.24.10.192/28]
      cipher_suite: aes128gcm16!
    
    • interface must be the same interface that is set in the calico_ip_autodetection_method parameter.

    • subnets are the address ranges whose traffic is encrypted: packets destined to these ranges go through the IPsec tunnel. The IP address of the data plane interface must fall inside one of the listed subnets.

    • exclude_ips are addresses inside the IPsec subnets that are excluded from the mesh. Traffic to these addresses is not encrypted, so list only addresses that must stay reachable without IPsec.

    • cipher_suite is the list of Encapsulating Security Payload (ESP) encryption and authentication algorithms to use. The default is aes128gcm16! (AES-128 in GCM mode with a 16-byte integrity check value; the trailing ! is strongswan's marker for a strict proposal). Ensure that the kernel crypto module for the chosen algorithm (gcm(aes) for the default, listed in /proc/crypto) is available and loaded on every host. You can change it to any cipher suite that the installed IPsec package and the kernel support on all nodes; a suite that only some nodes support leaves those nodes unable to negotiate a tunnel.
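
The rules in steps 1 and 2 can be checked before you run the installer. The following Python script is an added example, not part of this page or the product: it models the config.yaml fragments above as a dictionary (loading the real file with PyYAML's yaml.safe_load is left to the reader), takes the data plane interface MTU and address as arguments (assumed to be read from ip addr show on the node), and returns the list of rules the configuration violates.

```python
import ipaddress

# Constructed sample mirroring the config.yaml fragments on this page
# (not the product's own code). For the real file: yaml.safe_load(open("cluster/config.yaml")).
SAMPLE_CONFIG = {
    "network_type": "calico",
    "calico_ipip_mode": "Always",
    "calico_tunnel_mtu": 1390,
    "calico_ip_autodetection_method": "interface=eth0",
    "ipsec_mesh": {
        "enable": True,
        "interface": "eth0",
        "subnets": ["10.24.10.0/24"],
        "exclude_ips": ["10.24.10.1/32", "10.24.10.2", "10.24.10.192/28"],
        "cipher_suite": "aes128gcm16!",
    },
}

# Headroom the page requires between the interface MTU and the Calico tunnel MTU
# (IPIP header plus ESP encapsulation).
MTU_HEADROOM = 60


def check_config(config, iface_mtu, dataplane_ip):
    """Return a list of findings; an empty list means every rule on this page holds.
    iface_mtu is the data plane interface MTU (from `ip link show <iface>` on the node),
    dataplane_ip is that interface's address."""
    findings = []
    if config.get("network_type") != "calico":
        findings.append("network_type must be calico")
    if config.get("calico_ipip_mode") != "Always":
        findings.append("calico_ipip_mode must be Always (IPIP is required for IPsec)")

    tunnel_mtu = int(config.get("calico_tunnel_mtu", 0))
    if tunnel_mtu > iface_mtu - MTU_HEADROOM:
        findings.append(
            f"calico_tunnel_mtu {tunnel_mtu} exceeds interface MTU {iface_mtu} minus {MTU_HEADROOM}"
        )

    method = config.get("calico_ip_autodetection_method", "")
    calico_iface = method.split("=", 1)[1] if method.startswith("interface=") else None
    if calico_iface is None:
        findings.append("calico_ip_autodetection_method must be interface=<data plane interface>")

    mesh = config.get("ipsec_mesh", {})
    if mesh.get("enable") is not True:
        findings.append("ipsec_mesh.enable must be true")
    if calico_iface is not None and mesh.get("interface") != calico_iface:
        findings.append(
            f"ipsec_mesh.interface {mesh.get('interface')} differs from the Calico interface {calico_iface}"
        )

    subnets = [ipaddress.ip_network(s, strict=False) for s in mesh.get("subnets", [])]
    if not subnets:
        findings.append("ipsec_mesh.subnets must list at least one range")
    addr = ipaddress.ip_address(dataplane_ip)
    if subnets and not any(addr in net for net in subnets):
        findings.append(f"data plane address {addr} is not inside any ipsec_mesh subnet")

    # Bare addresses ("10.24.10.2") and prefixes ("10.24.10.192/28") are both accepted;
    # an exclusion outside every subnet has no effect and usually signals a typo.
    for raw in mesh.get("exclude_ips", []):
        excl = ipaddress.ip_network(raw, strict=False)
        if subnets and not any(excl.subnet_of(net) for net in subnets):
            findings.append(f"exclude_ips entry {raw} lies outside every ipsec_mesh subnet")

    if not mesh.get("cipher_suite"):
        findings.append("ipsec_mesh.cipher_suite must not be empty")
    return findings


if __name__ == "__main__":
    # Assumed node facts for the sample: eth0 MTU 1450 and address 10.24.10.5.
    problems = check_config(SAMPLE_CONFIG, iface_mtu=1450, dataplane_ip="10.24.10.5")
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("config.yaml satisfies the Calico and IPsec mesh rules")
```

Run it once per node with that node's interface MTU and address; a mismatch between nodes (for example one node whose eth0 MTU is 1400) shows up as a tunnel MTU finding on that node only.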

Post installation

On RHEL

  1. Check the libreswan configuration.

    cat /etc/ipsec.conf
    cat /etc/ipsec.d/ipsec-libreswan.conf
    
  2. Check the status of the IPsec process.

    ipsec status
    

    If the IPsec status does not display established connections, check /var/log/messages for errors related to IPsec. For more detail, enable libreswan debug logging by setting plutodebug in /etc/ipsec.conf, then restart the service (ipsec restart) so the change takes effect. plutodebug=all is very verbose and logs negotiation details, so turn it off again when you have finished troubleshooting.

    # /etc/ipsec.conf - libreswan IPsec configuration file
    
    config setup
           ...
           ...
           plutodebug = all       # <<<<<<<<<<<<
    

On Ubuntu/SLES

  1. Check the strongswan configuration.

    cat /etc/ipsec.conf
    
  2. Check the status of the IPsec process.

    ipsec status
    service strongswan status
    

    If the IPsec status does not display established connections, check /var/log/syslog (on SLES, /var/log/messages) for errors related to IPsec.

    For more detail, enable strongswan debug logging by setting charondebug in /etc/ipsec.conf, then restart the service (ipsec restart) so the change takes effect. Level 2 logs negotiation details for the IKE, kernel, and configuration subsystems; lower the levels again when you have finished troubleshooting.

    # /etc/ipsec.conf - strongswan IPsec configuration file
    
    config setup
           ...
           ...
           charondebug="ike 2, knl 2, cfg 2"       # <<<<<<<<<<<<
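
The post-installation checks above can be scripted so that every node reports the same two facts: whether IPsec SAs are established and whether the kernel can actually run the configured cipher suite. The following Python script is an added example and is not part of this page or the product. It counts established child SAs in ipsec status output from either daemon and checks that /proc/crypto advertises a transform for the default cipher suite. The sample status and /proc/crypto texts are constructed to resemble typical output; the substrings it matches ("IPsec SA established" for libreswan, the "INSTALLED" child-SA lines for strongswan) and the mapping from aes128gcm16 to gcm(aes) are assumptions to verify against your own daemon and kernel versions.

```python
import re
import subprocess

# Constructed sample of libreswan `ipsec status` output for one established
# IKEv2 connection (not captured from a real cluster).
LIBRESWAN_STATUS = """\
000 #1: "ipsec-mesh-node2":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 27000s; newest ISAKMP; idle;
000 #2: "ipsec-mesh-node2":500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 2600s; newest IPSEC; eroute owner; isakmp#1; idle;
000 Total IPsec connections: loaded 2, active 1
"""

# Constructed sample of strongswan `ipsec status` output for the same state.
STRONGSWAN_STATUS = """\
Security Associations (1 up, 0 connecting):
ipsec-mesh-node2[1]: ESTABLISHED 4 minutes ago, 10.24.10.5[10.24.10.5]...10.24.10.6[10.24.10.6]
ipsec-mesh-node2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
ipsec-mesh-node2{1}:   10.24.10.5/32 === 10.24.10.6/32
"""

# Constructed /proc/crypto excerpt: the kernel lists each transform as a block
# of "key : value" lines separated by a blank line.
PROC_CRYPTO = """\
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400
type         : aead

name         : gcm(aes)
driver       : generic-gcm-aes
module       : kernel
priority     : 100
type         : aead

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
type         : skcipher
"""

# Kernel transform names that implement a cipher_suite token. Only the page's
# default suite is mapped; this table is an assumption, not a product list.
SUITE_KERNEL_NAMES = {"aes128gcm16": {"rfc4106(gcm(aes))", "gcm(aes)"}}


def established_sas(status_output):
    """Count established IPsec (child) SAs in `ipsec status` output.
    libreswan prints "IPsec SA established" per child SA; strongswan prints an
    INSTALLED line per child SA, keyed by the {n} suffix on the connection name."""
    libreswan = len(re.findall(r"IPsec SA established", status_output))
    strongswan = len(re.findall(r"^\S+\{\d+\}:\s+INSTALLED", status_output, re.M))
    return libreswan + strongswan


def kernel_algorithms(proc_crypto_text):
    """Return the set of transform names the kernel advertises in /proc/crypto."""
    return set(re.findall(r"^name\s*:\s*(\S+)", proc_crypto_text, re.M))


def suite_supported(cipher_suite, algorithms):
    """True when the kernel advertises an implementation of the suite's ESP cipher.
    The first '-' separated token is the cipher; a trailing '!' (strongswan's strict
    marker) is ignored. Unknown tokens count as unsupported rather than guessed."""
    cipher = cipher_suite.rstrip("!").split("-")[0]
    return bool(SUITE_KERNEL_NAMES.get(cipher, set()) & algorithms)


def diagnose(status_output, proc_crypto_text, cipher_suite):
    """Summarise the post-installation checks for one node."""
    return {
        "established": established_sas(status_output),
        "cipher_ok": suite_supported(cipher_suite, kernel_algorithms(proc_crypto_text)),
    }


def collect_live():
    """Gather the real inputs on a node (assumes `ipsec` is on PATH and the
    script runs with permission to query the daemon)."""
    status = subprocess.run(["ipsec", "status"], capture_output=True, text=True).stdout
    with open("/proc/crypto") as fh:
        crypto = fh.read()
    return status, crypto


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        status, crypto = collect_live()
    else:
        status, crypto = LIBRESWAN_STATUS, PROC_CRYPTO
    result = diagnose(status, crypto, "aes128gcm16!")
    print(result)
    if result["established"] == 0:
        print("no established SAs: check the daemon log and raise plutodebug/charondebug")
    if not result["cipher_ok"]:
        print("kernel lacks a gcm(aes) transform: load the module or change cipher_suite")
```

Without arguments the script runs against the constructed samples; with --live it queries the local daemon and kernel. A node that reports cipher_ok false while its peers report true explains a mesh where only some tunnels come up, since the proposal cannot be satisfied on that node even though the configuration files are identical.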