[ovs-discuss] Is it possible to protect CAPWAP tunnel through IPSec?
Rajesh Kumar G
crimsonbloat at gmail.com
Thu May 5 18:21:39 UTC 2011
I was trying to see if the performance degradation that is observed with
GRE+IPSec, as mentioned in this mail thread,
can be overcome by trying a CAPWAP tunnel instead. Is there any fix for the
GRE+IPSec performance degradation yet? I observed the degradation in the
openvswitch-1.1.0 released code also.
By the way, I should mention that I was able to make GRE+IPSec work by
manually setting up SA/SP as follows:
add HostA HostB esp 0x201 -E 3des-cbc
add HostB HostA esp 0x201 -E 3des-cbc
spdadd HostA/32 HostB/32 gre -P out ipsec
spdadd HostB/32 HostA/32 gre -P in ipsec
and reverse on the other host. This is what made me think the same can work
Thanks for the info,
On Thu, May 5, 2011 at 9:40 PM, Jesse Gross <jesse at nicira.com> wrote:
> On Thu, May 5, 2011 at 7:39 AM, Rajesh Kumar G <crimsonbloat at gmail.com>
> > Hi,
> > Greetings,
> > I would like to know if it is possible to protect an OVS CAPWAP tunnel
> > IPSec? If Yes, what should be the SA, SP created to make the traffic hit
> > that?
> When Open vSwitch sets up IPsec tunnels itself it changes the behavior
> of the tunneling code to make it compatible with IPsec. However, this
> does not happen if you configure IPsec manually yourself. Is there a
> reason that you are using CAPWAP instead of GRE? We have not found
> any uses yet for CAPWAP over IPsec, which is why it is not
> implemented. GRE is more standard and should work fine with the OVS
> IPsec support.
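
Added example (not part of the thread and not Open vSwitch code): a shell function that writes the complete setkey(8) input for one end of a manual GRE-over-ESP setup like the one in the message above. Assumptions not taken from the post: the 192.0.2.x documentation addresses standing in for HostA/HostB, transport mode, the `-A hmac-sha1` integrity algorithm, the randomly generated keys, and reuse of one key pair for both directions.

```shell
#!/bin/sh
# Emit setkey(8) input for GRE protected by ESP in transport mode.
# 3des-cbc and SPI 0x201 come from the post; everything else is assumed.

# rand_hex N: print N random bytes as 2*N hex digits
rand_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# gen_setkey LOCAL REMOTE SPI ENC_KEY_HEX AUTH_KEY_HEX
gen_setkey() {
    local_ip=$1 remote_ip=$2 spi=$3 ekey=$4 akey=$5
    # 3des-cbc needs a 24-byte key, hmac-sha1 a 20-byte key
    if [ "${#ekey}" -ne 48 ] || [ "${#akey}" -ne 40 ]; then
        echo "gen_setkey: wrong key length" >&2
        return 1
    fi
    cat <<EOF
# Clears existing SAs and policies so the file can be reloaded
flush;
spdflush;
# One SA per direction; both hosts load the same two SAs
add $local_ip $remote_ip esp $spi -m transport -E 3des-cbc 0x$ekey -A hmac-sha1 0x$akey;
add $remote_ip $local_ip esp $spi -m transport -E 3des-cbc 0x$ekey -A hmac-sha1 0x$akey;
# Policies are direction-specific: "out" is local to remote on this host
spdadd $local_ip/32 $remote_ip/32 gre -P out ipsec esp/transport//require;
spdadd $remote_ip/32 $local_ip/32 gre -P in ipsec esp/transport//require;
EOF
}

# Constructed sample run: same keys on both hosts, addresses swapped
EKEY=$(rand_hex 24)
AKEY=$(rand_hex 20)
echo "### HostA"
gen_setkey 192.0.2.1 192.0.2.2 0x201 "$EKEY" "$AKEY"
echo "### HostB"
gen_setkey 192.0.2.2 192.0.2.1 0x201 "$EKEY" "$AKEY"
```

Each generated section is loaded on its host with `setkey -f`; the output contains key material and should be handled accordingly.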