[ovs-discuss] GRE over IPsec

sonia verma soniaverma9727 at gmail.com
Fri Feb 14 13:12:30 UTC 2014


Thanks Ansis for the reply.

1. Yes, I have cross-checked and found that the pid files are in the same ovs run
directory, and after that I am still facing the same issue.

2. Also, in the ovs-dpctl show output there is no gre_system interface.

3. I do not have the two rules that you mentioned as a bug in
ovs-1.10 and newer releases.

Also, Ansis, could it be an issue that I have built openvswitch from
the source code and installed openvswitch-ipsec from the Debian package,
as Gurucharan was pointing out?

Can you please provide some configuration guide or steps on how to
implement GRE over IPsec in openvswitch, as I haven't found anything helpful
regarding this on the internet?

Thanks....

Sonia


On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka <aatteka at vmware.com> wrote:

> 1. Previously you said that you saw the following error messages:
>
> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
> ovs-monitor-ipsec daemon
> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device
> gre0 (Invalid argument)
>
> If the pid files are in the same OVS run directory then you should not see
> them any more. Is this the case?
>
> 2. The ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
> change; I believe it was introduced in 1.10 as part of flow-based
> tunneling. However, you should still see the gre_system port that is shared
> with ipsec_gre ports.
>
> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
> fixed recently. The problem was that two iptables rules were missing. Can
> you verify if you have them?
>
> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>
> 4. If all of the above is configured correctly, then can you verify if you
> see the IPsec configuration in the kernel? Run the "ip xfrm policy" and "ip xfrm
> state" commands and search for the peer's IP address. If there is no
> trace of the peer's IP address, then please make sure that you have a valid
> configuration in OVSDB (take a look at the ovs-vswitchd.conf.db man page).
>
> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
> then I would recommend starting with PSKs and only then moving to PKI. Starting
> with PSKs will rule out any certificate issues. Later you can make the switch
> to PKI, if deemed appropriate.
>
> Ansis
>
> ------------------------------
> From: "sonia verma" <soniaverma9727 at gmail.com>
> To: "Ansis Atteka" <aatteka at vmware.com>
> Cc: discuss at openvswitch.org
> Sent: Thursday, February 13, 2014 10:49:48 AM
>
> Subject: Re: [ovs-discuss] GRE over IPsec
>
> Sorry, Ansis, for the late reply.
>
> As you said I checked and found that the ovs-monitor-ipsec.pid file is in
> the same ovs run directory just like all other pid files.
>
> But the error still persists and the interface is still not getting shown
> at the kernel level.
>
> Please help me regarding this.
>
> Thanks
>
>
> On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka <aatteka at vmware.com> wrote:
>
>> The ovs-monitor-ipsec package depends on the racoon package. Once both of them
>> are installed, ovs-monitor-ipsec will automatically provision racoon with the
>> necessary configuration through the /etc/ipsec.conf file.
>>
>> ------------------------------
>> From: "sonia verma" <soniaverma9727 at gmail.com>
>> To: "Ansis Atteka" <aatteka at vmware.com>
>> Cc: discuss at openvswitch.org
>> Sent: Wednesday, February 12, 2014 11:27:23 AM
>> Subject: Re: [ovs-discuss] GRE over IPsec
>>
>>
>> Thanks Gurucharan and Ansis for the quick reply.
>>
>> YES, I did install the IPsec daemon from the Debian package for my
>> system, but I installed the ovs-vswitchd daemon from the source code for my
>> system.
>>
>> Does this mean that I have to install either both openvswitch and its
>> ipsec daemon from the Debian package, or both from their respective source code?
>>
>> Also, I will make sure that the ovs-monitor-ipsec pid file is in the ovs
>> run dir.
>>
>> One more thing I want to clarify: will the openvswitch ipsec
>> package take care of the ipsec functionality in openvswitch
>> automatically, or do I have to make some configuration for this in the
>> racoon daemon?
>>
>> Please help me regarding this. I will let you know whether this worked or
>> not.
>>
>> Thanks
>>
>>
>> On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka <aatteka at vmware.com> wrote:
>>
>>>
>>> ----- Original Message -----
>>> From: "sonia verma" <soniaverma9727 at gmail.com>
>>> To: discuss at openvswitch.org
>>> Sent: Wednesday, February 12, 2014 3:28:04 AM
>>> Subject: [ovs-discuss] GRE over IPsec
>>>
>>> Hi All,
>>>
>>> I have been able to implement GRE tunneling on OpenvSwitch and now I
>>> want to implement GRE over IPsec on OpenvSwitch.
>>> For this, I have installed the OpenvSwitch-IPsec package on my system
>>> and I'm running the ovs-monitor-ipsec daemon.
>>>
>>> But when I'm using the following command:
>>> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre
>>> options:remote_ip=10.10.10.2
>>> the ipsec_gre interface is not getting shown at the kernel level.
>>> I checked it using the following command:
>>> ovs-dpctl show br0
>>>
>>> When I look at the OpenvSwitch logs, it is giving the following error:
>>>
>>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
>>> ovs-monitor-ipsec daemon
>>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network
>>> device gre0 (Invalid argument)
>>>
>>> [Ansis]: Make sure that ovs-monitor-ipsec.pid file is in the ovs run
>>> directory (just like all other ovs pid files).
>>>
>>> I haven't been able to figure out why this error is coming, as the daemon is
>>> running in the background.
>>> Also, I didn't find any relevant document related to GRE over
>>> IPsec which shows how the openvswitch-ipsec daemon communicates
>>> with racoon in order to implement ipsec functionality on OpenvSwitch, or
>>> the configuration required in order to implement this.
>>>
>>> How should I configure racoon to implement IPsec functionality?
>>> Do I need to do some more configuration regarding ipsec on openvswitch?
>>>
>>> Please help me regarding this issue. Any help would be appreciated.
>>>
>>> Thanks
>>>
>>>
>>>
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at openvswitch.org
>>>
>>> http://openvswitch.org/mailman/listinfo/discuss
>>>
>>
>>
>>
>
>
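The two diagnostics Ansis lists in steps 3 and 4 (the mangle-table MARK rules, and a trace of the peer in `ip xfrm state` / `ip xfrm policy`) can be scripted so that they are repeatable. The script below is an added example written for this thread; it is not code from Open vSwitch or from anyone in the discussion. It assumes the rules are read back with `iptables -t mangle -S INPUT`, which prints MARK targets as `--set-xmark 0x1/0x1`, and that `ip xfrm state` and `ip xfrm policy` print endpoints on `src ... dst ...` lines; the sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the ovs-discuss "GRE over IPsec" thread; not OVS code.
# Each check takes the command output as a string so it can be exercised on
# constructed samples first and on a live host afterwards (--live, as root).
#
# Assumed output formats (not stated in the thread):
#   iptables -t mangle -S INPUT  -> "-A INPUT -p esp -j MARK --set-xmark 0x1/0x1"
#   ip xfrm state / ip xfrm policy -> endpoints on lines starting "src A dst B"

# has_mark_rules LISTING
# Exit 0 when both rules Ansis mentions are present in LISTING; otherwise
# print the missing rule(s) in the form he gave them, and exit 1.
has_mark_rules() {
    listing=$1
    missing=0
    if ! printf '%s\n' "$listing" |
         grep -E '^-A INPUT .*-p esp .*-j MARK --set-x?mark (0x1|1)/(0x1|1)' >/dev/null
    then
        echo "missing: iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1" >&2
        missing=1
    fi
    if ! printf '%s\n' "$listing" |
         grep -E '^-A INPUT .*-p udp .*--dport 4500 .*-j MARK --set-x?mark (0x1|1)/(0x1|1)' >/dev/null
    then
        echo "missing: iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1" >&2
        missing=1
    fi
    return $missing
}

# peer_present PEER XFRM_OUTPUT
# Exit 0 when PEER is an endpoint on a "src ... dst ..." line of "ip xfrm state"
# or "ip xfrm policy" output, i.e. the kernel holds an SA or a policy for that
# peer. -w stops 10.10.10.2 from matching 10.10.10.20.
peer_present() {
    peer=$1
    xfrm=$2
    printf '%s\n' "$xfrm" | grep '^src ' | grep -w -F "$peer" >/dev/null
}

# Constructed sample listings (labelled as such; not from a real host).
RULES_OK='-P INPUT ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1
-A INPUT -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0x1'
RULES_MISSING='-P INPUT ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1'
XFRM_STATE_OK='src 10.10.10.1 dst 10.10.10.2
    proto esp spi 0x00000001 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0xKEY_PLACEHOLDER 96
    enc cbc(aes) 0xKEY_PLACEHOLDER
src 10.10.10.2 dst 10.10.10.1
    proto esp spi 0x00000002 reqid 1 mode transport'
XFRM_STATE_OTHER_PEER='src 10.10.10.1 dst 10.10.10.20
    proto esp spi 0x00000003 reqid 2 mode transport'

# Live mode: "sh ovs-ipsec-check.sh --live 10.10.10.2" as root. The default
# address is the remote_ip from the ovs-vsctl command earlier in the thread.
if [ "${1:-}" = "--live" ]; then
    peer=${2:-10.10.10.2}
    if has_mark_rules "$(iptables -t mangle -S INPUT)"; then
        echo "mangle MARK rules: present"
    fi
    if peer_present "$peer" "$(ip xfrm state)"; then
        echo "SA with $peer: present"
    else
        echo "no SA with $peer: check the interface options in OVSDB and racoon"
    fi
    if peer_present "$peer" "$(ip xfrm policy)"; then
        echo "policy for $peer: present"
    else
        echo "no policy for $peer"
    fi
fi
```

Without `--live` the script only defines the functions and the samples, so it can be sourced and tried against saved output copied from another host before being run on the box that has the problem.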

