From 46807c46213a209ddf40db899a8fd74ac8aaade3 Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Thu, 31 Jul 2025 09:59:53 +0530
Subject: [PATCH 1/2] IPsec E2E: Add pod to node traffic test

Signed-off-by: Periyasamy Palanisamy
---
 test/extended/networking/ipsec.go | 43 +++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/test/extended/networking/ipsec.go b/test/extended/networking/ipsec.go
index e71d21638d33..285538449420 100644
--- a/test/extended/networking/ipsec.go
+++ b/test/extended/networking/ipsec.go
@@ -336,7 +336,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 return nil
 }
- setupTestPods := func(config *testConfig, isHostNetwork bool) error {
+ setupTestPods := func(config *testConfig, isSrcPingPodInHostNetwork, isDstPingPodInHostNetwork bool) error {
 tcpdumpImage, err := exutil.DetermineImageFromRelease(context.TODO(), oc, "network-tools")
 o.Expect(err).NotTo(o.HaveOccurred())
 createSync := errgroup.Group{}
@@ -348,7 +348,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 }
 srcPingPod := e2epod.CreateExecPodOrFail(context.TODO(), f.ClientSet, f.Namespace.Name, "ipsec-test-srcpod-", func(p *corev1.Pod) {
 p.Spec.NodeName = config.srcNodeConfig.nodeName
- p.Spec.HostNetwork = isHostNetwork
+ p.Spec.HostNetwork = isSrcPingPodInHostNetwork
 })
 config.srcNodeConfig.pingPod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), srcPingPod.Name, metav1.GetOptions{})
 return err
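Review bot: The two positional booleans added to the `setupTestPods` signature are easy to transpose at call sites (a later hunk calls `setupTestPods(config, false, true)`, which only reads as "source on the pod network, destination on the host network" if one remembers the order), and the closure carries no comment saying which flag drives which pod. A one-line comment above the signature would settle it: `// The two flags select host networking for the source and destination ping pods, respectively.` The same pair is consumed by the srcPingPod hunk at @@ -348 and the dstPingPod hunk at @@ -361, so the comment belongs at the definition only. The body of setupTestPods and the enclosing g.Describe closure continue outside the hunk.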
@@ -361,7 +361,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 }
 dstPingPod := e2epod.CreateExecPodOrFail(context.TODO(), f.ClientSet, f.Namespace.Name, "ipsec-test-dstpod-", func(p *corev1.Pod) {
 p.Spec.NodeName = config.dstNodeConfig.nodeName
- p.Spec.HostNetwork = isHostNetwork
+ p.Spec.HostNetwork = isDstPingPodInHostNetwork
 })
 config.dstNodeConfig.pingPod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), dstPingPod.Name, metav1.GetOptions{})
 return err
@@ -388,7 +388,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 checkForGeneveOnlyPodTraffic := func(config *testConfig) {
 g.GinkgoHelper()
- err := setupTestPods(config, false)
+ err := setupTestPods(config, false, false)
 o.Expect(err).NotTo(o.HaveOccurred())
 defer func() {
 // Don't cleanup test pods in error scenario.
@@ -410,7 +410,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 checkForESPOnlyPodTraffic := func(config *testConfig) {
 g.GinkgoHelper()
- err := setupTestPods(config, false)
+ err := setupTestPods(config, false, false)
 o.Expect(err).NotTo(o.HaveOccurred())
 defer func() {
 // Don't cleanup test pods in error scenario.
@@ -430,7 +430,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 checkForNATTOnlyPodTraffic := func(config *testConfig) {
 g.GinkgoHelper()
- err := setupTestPods(config, false)
+ err := setupTestPods(config, false, false)
 o.Expect(err).NotTo(o.HaveOccurred())
 defer func() {
 // Don't cleanup test pods in error scenario.
@@ -461,7 +461,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 checkNodeTraffic := func(mode v1.IPsecMode) {
 g.GinkgoHelper()
- err := setupTestPods(config, true)
+ err := setupTestPods(config, true, true)
 o.Expect(err).NotTo(o.HaveOccurred())
 defer func() {
 // Don't cleanup test pods in error scenario.
@@ -483,6 +483,30 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 }
 }
+ checkPodToNodeTraffic := func(mode v1.IPsecMode) {
+ g.GinkgoHelper()
+ err := setupTestPods(config, false, true)
+ o.Expect(err).NotTo(o.HaveOccurred())
+ defer func() {
+ // Don't cleanup test pods in error scenario.
+ if err != nil && !framework.TestContext.DeleteNamespaceOnFailure {
+ return
+ }
+ cleanupTestPods(config)
+ }()
+ if mode == v1.IPsecModeExternal {
+ err = pingAndCheckNodeTraffic(config.srcNodeConfig, config.dstNodeConfig, esp)
+ o.Expect(err).NotTo(o.HaveOccurred())
+ err = pingAndCheckNodeTraffic(config.srcNodeConfig, config.dstNodeConfig, icmp)
+ o.Expect(err).To(o.HaveOccurred())
+ err = nil
+ return
+ } else {
+ err = pingAndCheckNodeTraffic(config.srcNodeConfig, config.dstNodeConfig, icmp)
+ o.Expect(err).NotTo(o.HaveOccurred())
+ }
+ }
 g.BeforeAll(func() {
 // Set up the config object with existing IPsecConfig, setup testing config on
 // the selected nodes.
@@ -617,8 +641,10 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 g.By("validate traffic before changing IPsec configuration")
 checkPodTraffic(config.ipsecCfg)
- // N/S ipsec config is not in effect yet, so node traffic behaves as it were disabled
+ // N/S ipsec config is not in effect yet, so node to node and pod to node traffic behave
+ // as it were disabled
 checkNodeTraffic(v1.IPsecModeDisabled)
+ checkPodToNodeTraffic(v1.IPsecModeDisabled)
 // TODO: remove this block when https://issues.redhat.com/browse/RHEL-67307 is fixed.
 if config.ipsecCfg.mode == v1.IPsecModeFull {
@@ -653,6 +679,7 @@ var _ = g.Describe("[sig-network][Feature:IPsec]", g.Ordered, func() {
 checkPodTraffic(&ipsecConfig{mode: v1.IPsecModeFull, encap: v1.Encapsulation(v1.EncapsulationAuto)})
 checkNodeTraffic(v1.IPsecModeExternal)
+ checkPodToNodeTraffic(v1.IPsecModeExternal)
 })
 })
 })

From 871a44bdf6575e9caf7c442c6345b317dc8fcb43 Mon Sep 17 00:00:00 2001
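Review bot: In the `v1.IPsecModeExternal` branch of `checkPodToNodeTraffic`, the line `err = nil` that follows `o.Expect(err).To(o.HaveOccurred())` reads like a swallowed error; it is actually required so the deferred cleanup, which skips when `err != nil`, still removes the test pods, and a comment should say so: `// The cleartext ICMP capture is expected to fail (traffic is ESP-encapsulated); clear err so the deferred cleanup runs.` Since that branch ends in `return`, the trailing `} else {` can be dropped and the remaining path left at function level, in the early-return style the rest of the file uses. Those External-mode assertions (ESP observed, no cleartext ICMP) are the part that actually proves pod-to-node traffic is protected; the other branch checks reachability only, which appears to mirror checkNodeTraffic at @@ -461, whose body is outside the hunk. The closure is defined inside the g.Describe block that starts outside the hunk.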
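Review bot: The rewritten comment in the @@ -617 hunk ends with `// as it were disabled`, which no longer agrees with its subject now that it names two kinds of traffic; `// as if it were disabled` (or `as if they were disabled`) reads correctly. The External-mode counterpart added at @@ -653 carries no comment at all, and a one-liner there such as `// N/S ipsec is now in effect: node and pod-to-node pings must be ESP-protected` would keep the two call sites symmetric. The surrounding test body continues outside both hunks.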
From: Periyasamy Palanisamy
Date: Thu, 31 Jul 2025 14:10:17 +0530
Subject: [PATCH 2/2] Restrict ipsec nncp config to icmp protocol

This may recover from pod to host disruptions.

Signed-off-by: Periyasamy Palanisamy
---
 test/extended/networking/ipsec.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/extended/networking/ipsec.go b/test/extended/networking/ipsec.go
index 285538449420..d1cca441a7b9 100644
--- a/test/extended/networking/ipsec.go
+++ b/test/extended/networking/ipsec.go
@@ -86,6 +86,8 @@ spec:
 esp: aes_gcm256
 ikev2: insist
 type: transport
+ leftprotoport: icmp
+ rightprotoport: icmp
 `
 // properties of nsCertMachineConfigFile.
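Review bot: `leftprotoport: icmp` and `rightprotoport: icmp` narrow the libreswan traffic selector in this transport-mode NNCP template so that only ICMP between the configured endpoints is covered by the N/S security association; every other protocol between them now travels outside IPsec, and nothing in the template records that this is deliberate. The commit message only says it "may recover from pod to host disruptions", so a reader of the template cannot tell whether the narrowing is a test-scoping choice or a workaround, nor that the ESP assertions added in the first patch consequently verify encryption for ping traffic only. A comment just above the constant holding this template would preserve the reason, e.g. `// Policy is limited to ICMP so only the test pings traverse the N/S SA; narrowed to avoid pod-to-host disruptions (see commit 871a44b).` The raw string and the constant it initializes begin outside the hunk.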