[ovs-dev] [PATCH ovn] ipsec: Update documentation for Fedora

Mark Gray mark.d.gray at redhat.com
Thu Oct 14 13:21:34 UTC 2021


When running on Fedora, it may be necessary to allow ESP and IKE traffic
through the host firewall. If not, this will result in ICMP host
unreachable messages:

13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184

This commit updates the documentation to reflect this.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002278
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
---
 Documentation/tutorials/ovn-ipsec.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst
index 3adef68bb697..fa35eb84b316 100644
--- a/Documentation/tutorials/ovn-ipsec.rst
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -80,6 +80,19 @@ database to false::
 
     $ ovn-nbctl set nb_global . ipsec=false
 
+.. note::
+
+   On Fedora, you may need to install firewall rules to allow ESP and IKE
+   traffic::
+
+       # systemctl start firewalld
+       # firewall-cmd --add-service ipsec
+
+   Or to make permanent::
+
+       # systemctl enable firewalld
+       # firewall-cmd --permanent --add-service ipsec
+
 Troubleshooting
 ---------------
 
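Review bot: In the "Or to make permanent" block of the added note, the two commands on their own leave the running firewall unchanged. `systemctl enable firewalld` does not start the service, and `firewall-cmd --permanent --add-service ipsec` writes only the permanent configuration, which takes effect after `firewall-cmd --reload` or a restart of firewalld. A reader who follows only that block will still see the ICMP "admin prohibited" replies shown in the commit message. Suggest stating that the permanent commands are run in addition to the runtime ones, or using `systemctl enable --now firewalld` and adding `firewall-cmd --reload`. It would also help to say that `--add-service` without `--zone` changes the default zone only, so the interface carrying the tunnel traffic has to be in that zone.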
-- 
2.27.0
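
Added example (not part of the patch or of OVN): a small Python check for the symptom described in the commit message, ESP or IKE traffic answered by an ICMP "admin prohibited" reply from the receiving host. It assumes tcpdump text output captured with -n; the function name is hypothetical and the sample capture is constructed, with only its first two lines modelled on the commit message.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's text format (taken with -n, so ports are
# numeric). Lines 1-2 follow the commit message; the rest are invented.
SAMPLE = """\
13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
13:52:11.000100 IP 192.168.122.228.500 > 192.168.122.126.500: isakmp: parent_sa ikev2_init[I]
13:52:11.000300 IP 192.168.122.126 > 192.168.122.228: ICMP host 192.168.122.126 unreachable - admin prohibited filter, length 184
13:52:12.000100 IP 192.168.122.228 > 192.168.122.130: ESP(spi=0x0000c0de,seq=0x1), length 156
13:52:12.000200 IP 192.168.122.130 > 192.168.122.228: ESP(spi=0x0000c0df,seq=0x1), length 156
13:52:13.000100 IP 192.168.122.140 > 192.168.122.228: ICMP host 192.168.122.140 unreachable - admin prohibited filter, length 92
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
LINE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T (IKE/ESP in UDP)


def blocked_ipsec_peers(capture):
    """Map each host that rejected IPsec traffic to the peers it rejected.

    A host counts as rejecting when it sends an ICMP "admin prohibited"
    unreachable back to a peer that earlier sent it ESP or IKE.
    """
    sent = set()                 # (sender, receiver) pairs seen carrying ESP/IKE
    blocked = defaultdict(set)   # receiver -> peers it answered with a reject
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, rest = m["src"], m["dst"], m["rest"]
        is_ike = m["sport"] in IKE_PORTS or m["dport"] in IKE_PORTS
        if rest.startswith("ESP(") or is_ike:
            sent.add((src, dst))
        elif rest.startswith("ICMP") and "admin prohibited" in rest and (dst, src) in sent:
            blocked[src].add(dst)
    return {host: sorted(peers) for host, peers in blocked.items()}


if __name__ == "__main__":
    for host, peers in blocked_ipsec_peers(SAMPLE).items():
        print(f"{host} is rejecting IPsec from {', '.join(peers)}; check its firewall")
```

A host listed in the result is the one whose firewall needs the ipsec service allowed; an admin-prohibited reply with no preceding ESP or IKE packet toward that host is ignored.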


