[ovs-discuss] Is it possible to protect CAPWAP tunnel through IPSec?

Rajesh Kumar G crimsonbloat at gmail.com
Thu May 5 14:39:15 UTC 2011


Hi,

Greetings,

I would like to know if it is possible to protect an OVS CAPWAP tunnel using
IPSec. If yes, what SA and SP should be created to make the traffic hit
them?

My setup is:

Host A                                                      Host B
OVS - VPORT-CAPWAP <--------------------------------------> VPORT-CAPWAP - OVS

I tried with the following SA/SP configuration:

On Host A
----------------
# SA
add HostA HostB esp 0x201 -E 3des-cbc
        <key>;
add HostB HostA esp 0x201 -E 3des-cbc
        <key>;

# SP
spdadd HostA/32[58881]  HostB/32[58882] udp -P out ipsec
           esp/transport//require;


On Host B
---------------
# SA
add HostB HostA esp 0x201 -E 3des-cbc
        <key>;
add HostA HostB esp 0x201 -E 3des-cbc
        <key>;

# Security policies
spdadd HostB/32[58881]  HostA/32[58882] udp -P out ipsec
           esp/transport//require;


But the traffic passing through the CAPWAP port does not seem to hit the SP.
If instead of OVS I use netcat to listen on UDP port 58882 and transmit
using netcat with source port 58881, it hits the SP and is encapsulated
with IPSec, as in:

on Host B
--------------
# nc -u -l 58882

On Host A
---------------
# nc -u -p 58881 HostB 58882


Why are the UDP packets generated by the CAPWAP vport not hitting the IPSec SPs,
whereas the packets generated by a user-space program hit them? Is there
any other way to make this work by using a different kind of SA/SP
configuration?

Thanks,
-Rajesh.
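As an added example, not part of the original post or of the Open vSwitch project, the following script builds a complete pair of setkey(8) SA and SP configurations for two hosts that exchange UDP over a fixed port pair, and checks that the two hosts' policies are mirror images of each other (every "out" selector on one host appears as an "in" selector on the other). The addresses, ports, SPIs and key placeholders are constructed values, and aes-cbc with hmac-sha256 is used here in place of the 3des-cbc shown above.

```python
"""Build matching setkey(8) SA/SP entries for a UDP port pair between two hosts
and verify that the two sides' policies mirror each other.

Added example, not from the original post. Hosts, ports, SPIs and key
placeholders below are constructed values."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Policy:
    """One spdadd selector: sender, source port, receiver, destination port,
    and the direction from the point of view of the host that holds it."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"

    def as_setkey(self) -> str:
        return (f"spdadd {self.src}/32[{self.sport}] {self.dst}/32[{self.dport}] udp "
                f"-P {self.direction} ipsec esp/transport//require;")


def host_policies(local: str, local_port: int,
                  remote: str, remote_port: int) -> List[Policy]:
    """Policies a host needs for one UDP port pair. Both directions matter:
    'out' covers what this host sends; 'in' makes the kernel require ESP on
    what it accepts, so unprotected datagrams on this selector are dropped."""
    return [
        Policy(local, local_port, remote, remote_port, "out"),
        Policy(remote, remote_port, local, local_port, "in"),
    ]


def sa_entries(host_a: str, host_b: str, spi_ab: int, spi_ba: int,
               keys_ab: tuple, keys_ba: tuple) -> List[str]:
    """One transport-mode ESP SA per direction, each with its own keys.
    An SA is identified by (destination, SPI), so distinct SPIs keep the two
    directions unambiguous in 'setkey -D' output."""
    enc_ab, auth_ab = keys_ab
    enc_ba, auth_ba = keys_ba
    return [
        f"add {host_a} {host_b} esp {spi_ab:#x} -m transport "
        f"-E aes-cbc {enc_ab} -A hmac-sha256 {auth_ab};",
        f"add {host_b} {host_a} esp {spi_ba:#x} -m transport "
        f"-E aes-cbc {enc_ba} -A hmac-sha256 {auth_ba};",
    ]


def mirrored(policies_a: List[Policy], policies_b: List[Policy]) -> bool:
    """True when every 'out' selector on one host is an 'in' selector on the
    other with identical addresses and ports. If this fails, one side encrypts
    traffic the other side has no inbound policy for, or vice versa."""
    def selectors(ps, direction):
        return {(p.src, p.sport, p.dst, p.dport)
                for p in ps if p.direction == direction}
    return (selectors(policies_a, "out") == selectors(policies_b, "in")
            and selectors(policies_b, "out") == selectors(policies_a, "in"))


def render_config(host: str, sas: List[str], policies: List[Policy]) -> str:
    """Text that can be fed to 'setkey -f' on the given host."""
    lines = [f"# setkey configuration for {host}", "flush;", "spdflush;", "# SA"]
    lines += sas
    lines.append("# SP")
    lines += [p.as_setkey() for p in policies]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example values (documentation prefix addresses, placeholder keys).
    host_a, host_b = "192.0.2.1", "192.0.2.2"
    port_a, port_b = 58881, 58882
    sas = sa_entries(host_a, host_b, 0x201, 0x202,
                     ("0x<AES_KEY_A_TO_B>", "0x<HMAC_KEY_A_TO_B>"),
                     ("0x<AES_KEY_B_TO_A>", "0x<HMAC_KEY_B_TO_A>"))
    pol_a = host_policies(host_a, port_a, host_b, port_b)
    pol_b = host_policies(host_b, port_b, host_a, port_a)
    print(render_config(host_a, sas, pol_a))
    print(render_config(host_b, sas, pol_b))
    print("policies mirror each other:", mirrored(pol_a, pol_b))
```

After loading the generated files with `setkey -f`, `setkey -DP` lists the installed policies and `setkey -D` the SAs, which is the quickest way to confirm that the selector ports on each host really are the ones the local OVS socket uses.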