Merge pull request #44577 from kelbrown20/ipsec-update-for-install-2068283

stevsmit · web-flow · commit 47fc42966c07 · 2022-05-05T11:19:36.000-04:00
BZ2068283 - Adding clarification for IPsec
diff --git a/modules/installation-network-user-infra.adoc b/modules/installation-network-user-infra.adoc
@@ -209,7 +209,7 @@ the Cluster Version Operator on port `9099`.
 |`10256`
 |openshift-sdn
 
-.3+|UDP
+.5+|UDP
 |`4789`
 |VXLAN
 
@@ -219,10 +219,20 @@ the Cluster Version Operator on port `9099`.
 |`9000`-`9999`
 |Host level services, including the node exporter on ports `9100`-`9101`.
 
+|`500`
+|IPsec IKE packets
+
+|`4500`
+|IPsec NAT-T packets
+
 |TCP/UDP
 |`30000`-`32767`
 |Kubernetes node port
 
+|ESP
+|N/A
+|IPsec Encapsulating Security Payload (ESP)
+
 |===
 
 .Ports used for all-machine to control plane communications
diff --git a/modules/nw-ovn-ipsec-traffic.adoc b/modules/nw-ovn-ipsec-traffic.adoc
@@ -19,3 +19,30 @@ The following traffic flows are not encrypted:
 The encrypted and unencrypted flows are illustrated in the following diagram:
 
 image::nw-ipsec-encryption.png[IPsec encrypted and unencrypted traffic flows]
+
+== Network connectivity requirements when IPsec is enabled
+
+You must configure the network connectivity between machines to allow {product-title} cluster
+components to communicate. Each machine must be able to resolve the hostnames
+of all other machines in the cluster.
+
+.Ports used for all-machine to all-machine communications
+[cols="2a,2a,5a",options="header"]
+|===
+
+|Protocol
+|Port
+|Description
+
+.2+|UDP
+|`500`
+|IPsec IKE packets
+
+|`4500`
+|IPsec NAT-T packets
+
+|ESP
+|N/A
+|IPsec Encapsulating Security Payload (ESP)
+
+|===
