[ovs-discuss] Is it possible to protect CAPWAP tunnel through IPSec?

Rajesh Kumar G crimsonbloat at gmail.com
Thu May 5 18:21:39 UTC 2011

Hi Jesse,

I was trying to see if the performance degradation that is observed with
GRE+IPSec as mentioned in this mail thread


can be overcome by trying CAPWAP tunnel instead. Is there any fix for the
GRE+IPSec performance degradation yet? I observed the degradation in
openvswitch-1.1.0 released code also.

By the way, I should mention that I was able to make GRE+IPSec work by
manually setting up SA/SP as follows,

# SA
add HostA HostB esp 0x201 -E 3des-cbc
add HostB HostA esp 0x201 -E 3des-cbc

# SP
spdadd HostA/32 HostB/32 gre -P out ipsec
spdadd HostB/32 HostA/32 gre -P in ipsec

and reverse on the other host. This is what made me think the same can work
with CAPWAP.

Thanks for the info,

On Thu, May 5, 2011 at 9:40 PM, Jesse Gross <jesse at nicira.com> wrote:

> On Thu, May 5, 2011 at 7:39 AM, Rajesh Kumar G <crimsonbloat at gmail.com>
> wrote:
> > Hi,
> >
> > Greetings,
> >
> > I would like to know if it is possible to protect an OVS CAPWAP tunnel
> > using IPSec? If Yes, what should be the SA, SP created to make the
> > traffic hit that?
>
> When Open vSwitch sets up IPsec tunnels itself it changes the behavior
> of the tunneling code to make it compatible with IPsec.  However, this
> does not happen if you configure IPsec manually yourself.  Is there a
> reason that you are using CAPWAP instead of GRE?  We have not found
> any uses yet for CAPWAP over IPsec, which is why it is not
> implemented.  GRE is more standard and should work fine with the OVS
> IPsec support.
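
The manual SA/SP setup described in the message above, including the "reverse on the other host" step, written out as an added example that is not part of the original post or of Open vSwitch. It emits full setkey input for both hosts; the addresses, the generated keys, `-m transport` and the `esp/transport//require` policy rule are assumptions, since the post elides them.

```python
import secrets

# Added example. Taken from the post: esp, SPI 0x201, 3des-cbc, the "gre"
# selector. Assumed here: transport mode, the esp/transport//require rule,
# freshly generated keys, documentation-range addresses.
# Like the post, the SAs carry no -A algorithm, so ESP is encryption-only.
ESP_ALG = "3des-cbc"
ESP_KEY_BYTES = 24  # 3des-cbc takes a 192-bit key
SPI = 0x201


def make_sas(host_a, host_b):
    """SA lines, one per direction. Both hosts load the same two lines."""
    sas = []
    for src, dst in ((host_a, host_b), (host_b, host_a)):
        key = secrets.token_hex(ESP_KEY_BYTES)
        sas.append(f"add {src} {dst} esp {SPI:#x} -m transport -E {ESP_ALG} 0x{key};")
    return sas


def make_policies(local, remote):
    """SP lines as seen from `local`: 'out' is local->remote, 'in' the reverse."""
    rule = "esp/transport//require"
    return [
        f"spdadd {local}/32 {remote}/32 gre -P out ipsec {rule};",
        f"spdadd {remote}/32 {local}/32 gre -P in ipsec {rule};",
    ]


def render(local, remote, sas):
    """Full setkey input for one host."""
    lines = ["flush;", "spdflush;", "# SA", *sas, "# SP", *make_policies(local, remote)]
    return "\n".join(lines) + "\n"


def build_pair(host_a, host_b):
    """Return (config for host_a, config for host_b) sharing one SA set."""
    sas = make_sas(host_a, host_b)
    return render(host_a, host_b, sas), render(host_b, host_a, sas)


if __name__ == "__main__":
    conf_a, conf_b = build_pair("192.0.2.1", "192.0.2.2")
    print("### host A\n" + conf_a)
    print("### host B\n" + conf_b)
```

The SA lines are byte-identical on both hosts; only the `-P in`/`-P out` directions of the policies swap.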