[ovs-discuss] GRE over IPsec

sonia verma soniaverma9727 at gmail.com
Sat Feb 15 17:53:34 UTC 2014


Sorry, the tunnel is working and the packets are getting encapsulated in the
GRE header, but the encapsulation of the packets is not taking place. I have
done the IPsec configuration in the /etc/ipsec-tools.conf file and the
ovs-monitor-ipsec daemon is running in the background. Do I have to do some
more configuration regarding IPsec, or am I missing something?

Thanks....

Sonia


On Sat, Feb 15, 2014 at 10:17 PM, sonia verma <soniaverma9727 at gmail.com>wrote:

> Hi Ansis,
>
> Thanks for the help....
>
> Now the gre_system interface is showing in the ovs-dpctl command. Although
> I have been able to set up the tunnel, the tunnel is not working. As I
> apply a sniffer on the tunnel end-points I don't see any packets going
> through the tunnel.
>
> I have setup the tunnel using the following command:
> ovs-vsctl add-port br0 gre0  -- set interface gre0 type=ipsec_gre
> options:remote_ip=10.10.10.2 options:psk=/etc/racoon/psk.txt
>
> I have also applied the two iptables rules that you specified, as they
> were missing in the iptables. Also, regarding the two commands that you
> specified to check my peer's configuration: ip xfrm policy showed the
> peer's configuration, but ip xfrm policy didn't show any result.
>
> Also, I have applied the security policy rules in the
> /etc/ipsec-tools.conf file. But all went in vain.
>
> Please help me regarding this.....
>
> Thanks.....
>
> Sonia
>
> On Fri, Feb 14, 2014 at 6:42 PM, sonia verma <soniaverma9727 at gmail.com>wrote:
>
>> Thanks Ansis for the reply.
>>
>> 1. Yes, I have cross-checked and found that the pids are in the same OVS
>> run directory, and after that I am still facing the same issue.
>>
>> 2. Also, in the ovs-dpctl show command there is no gre_system interface.
>>
>> 3. I do not have the two rules that you mentioned as a bug in
>> ovs-1.10 and newer releases.
>>
>> Also, Ansis, could it be an issue that I have built Open vSwitch from
>> the source code and installed openvswitch-ipsec from the Debian package,
>> as Gurucharan was pointing out?
>>
>> Can you please provide a configuration guide or steps on how to
>> implement GRE over IPsec in Open vSwitch, as I haven't found anything
>> helpful regarding this on the internet.
>>
>> Thanks....
>>
>> Sonia
>>
>>
>> On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka <aatteka at vmware.com>wrote:
>>
>>> 1. Previously you said that you saw following error messages:
>>>
>>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
>>> ovs-monitor-ipsec daemon
>>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network
>>> device gre0 (Invalid argument)
>>>
>>> If pid files are in the same OVS run directory then you should not see
>>> them any more. Is this the case?
>>>
>>> 2. The ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
>>> change; I believe it was introduced in 1.10 as part of flow-based
>>> tunneling. However, you should still see the gre_system port that is shared
>>> with ipsec_gre ports.
>>>
>>> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
>>> fixed recently. The problem was that two iptables rules were missing. Can
>>> you verify if you have them?
>>>
>>> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
>>> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>>>
>>> 4. If all of the above is configured correctly, then can you verify whether
>>> you see the IPsec configuration in the kernel? Run the "ip xfrm policy" and
>>> "ip xfrm state" commands and search for the peer's IP address. If there is
>>> no trace of the peer's IP address, then please make sure that you have a
>>> valid configuration in OVSDB (take a look at the ovs-vswitchd.conf.db man
>>> page).
>>>
>>> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
>>> then I would recommend starting with PSKs and only then moving to PKI.
>>> Starting with PSKs will rule out any certificate issues. Later you can
>>> switch to PKI, if deemed so.
>>>
>>> Ansis
>>>
>>> ------------------------------
>>> *From: *"sonia verma" <soniaverma9727 at gmail.com>
>>> *To: *"Ansis Atteka" <aatteka at vmware.com>
>>> *Cc: *discuss at openvswitch.org
>>> *Sent: *Thursday, February 13, 2014 10:49:48 AM
>>>
>>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>>
>>> Sorry, Ansis, for the late reply.
>>>
>>> As you said, I checked and found that the ovs-monitor-ipsec.pid file is
>>> in the same OVS run directory, just like all other pid files.
>>>
>>> But the error still persists and the interface is still not shown
>>> at the kernel level.
>>>
>>> Please help me regarding this.
>>>
>>> Thanks
>>>
>>>
>>> On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka <aatteka at vmware.com>wrote:
>>>
>>>> The ovs-monitor-ipsec package depends on the racoon package. Once both of
>>>> them are installed, ovs-monitor-ipsec will automatically provision racoon
>>>> with the necessary configuration through the /etc/ipsec.conf file.
>>>>
>>>> ------------------------------
>>>> *From: *"sonia verma" <soniaverma9727 at gmail.com>
>>>> *To: *"Ansis Atteka" <aatteka at vmware.com>
>>>> *Cc: *discuss at openvswitch.org
>>>> *Sent: *Wednesday, February 12, 2014 11:27:23 AM
>>>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>>>
>>>>
>>>> Thanks Gurucharan and Ansis for the quick reply.
>>>>
>>>> Yes, I did install the IPsec daemon from the Debian package for my
>>>> system, but I installed the ovs-vswitchd daemon from the source code.
>>>>
>>>> Does this mean that I have to install both Open vSwitch and its IPsec
>>>> daemon either from the Debian package or from their respective source
>>>> codes?
>>>>
>>>> Also, I will make sure that the ovs-monitor-ipsec pid file is in the
>>>> OVS run dir.
>>>>
>>>> One more thing I want to clarify: will the openvswitch-ipsec package
>>>> take care of the IPsec functionality in Open vSwitch automatically, or
>>>> do I have to do some configuration for this in the racoon daemon?
>>>>
>>>> Please help me regarding this. I will let you know whether this worked
>>>> or not.
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka <aatteka at vmware.com>wrote:
>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "sonia verma" <soniaverma9727 at gmail.com>
>>>>> To: discuss at openvswitch.org
>>>>> Sent: Wednesday, February 12, 2014 3:28:04 AM
>>>>> Subject: [ovs-discuss] GRE over IPsec
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I have been able to implement GRE tunneling on Open vSwitch and now I
>>>>> want to implement GRE over IPsec on Open vSwitch.
>>>>> For this, I have installed the openvswitch-ipsec package on my system
>>>>> and I'm running the ovs-monitor-ipsec daemon.
>>>>>
>>>>> But when I'm using the following command:
>>>>> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre
>>>>> options:remote_ip=10.10.10.2
>>>>> the ipsec_gre interface is not shown at the kernel level.
>>>>> I checked it using the following command:
>>>>> ovs-dpctl show br0
>>>>>
>>>>> When I look at the Open vSwitch logs, it gives the following error:
>>>>>
>>>>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
>>>>> ovs-monitor-ipsec daemon
>>>>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network
>>>>> device gre0 (Invalid argument)
>>>>>
>>>>> [Ansis]: Make sure that ovs-monitor-ipsec.pid file is in the ovs run
>>>>> directory (just like all other ovs pid files).
>>>>>
>>>>> I haven't been able to figure out why this error is coming, as the
>>>>> daemon is running in the background.
>>>>> Also, I didn't find any relevant document related to GRE over
>>>>> IPsec which shows how the openvswitch-ipsec daemon communicates
>>>>> with racoon in order to implement IPsec functionality on Open vSwitch,
>>>>> with the configuration required in order to implement this.
>>>>>
>>>>> How should I configure racoon to implement IPsec functionality?
>>>>> Do I need to do some more configuration regarding IPsec on Open vSwitch?
>>>>>
>>>>> Please help me regarding this issue. Any help would be appreciated.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> discuss mailing list
>>>>> discuss at openvswitch.org
>>>>>
>>>>> http://openvswitch.org/mailman/listinfo/discuss
>>>>>
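The four checks Ansis lists in his reply (the ovs-monitor-ipsec.pid file in the OVS run directory, the gre_system port in `ovs-dpctl show`, the two mangle-table MARK rules, and the peer's address in `ip xfrm state` / `ip xfrm policy`) collected into one diagnostic script. This is an added example, not code from this thread or from Open vSwitch. It assumes the run-directory paths named in the comments and the output formats of `ovs-dpctl show`, `iptables -S` and `ip xfrm`; the sample outputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or Open vSwitch): Ansis's four checks as
# POSIX sh functions that take captured command output as arguments, so they
# can be exercised offline against the constructed samples below.

# Check 1: ovs-monitor-ipsec.pid must be in the OVS run dir and name a live
# process. $1: run dir. Assumption: a source build defaults to
# /usr/local/var/run/openvswitch while the Debian package uses
# /var/run/openvswitch, so a mixed install can leave the pid file where
# ovs-vswitchd never looks; that is one way to get the
# "IPsec requires the ovs-monitor-ipsec daemon" error quoted in the thread.
monitor_pid_ok() {
    pid=$(cat "$1/ovs-monitor-ipsec.pid" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Check 2: with flow-based tunnelling the ipsec_gre port itself is absent from
# `ovs-dpctl show`; the shared gre_system port must be present. $1: its output.
has_gre_system() {
    printf '%s\n' "$1" | grep -Eq 'port [0-9]+: gre_system \(gre'
}

# Check 3: the two INPUT rules in the mangle table that mark ESP and NAT-T
# (UDP/4500) packets with 1/1, as `iptables -t mangle -S INPUT` prints them
# (assumption: it renders --set-mark 1/1 as --set-xmark 0x1/0x1). $1: output.
# Prints the name of each missing rule; returns 0 only if both are present.
missing_mangle_rules() {
    rc=0
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT -p esp .*-j MARK --set-xmark 0x1/0x1' \
        || { echo esp; rc=1; }
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT -p udp .*--dport 4500 .*-j MARK --set-xmark 0x1/0x1' \
        || { echo nat-t; rc=1; }
    return $rc
}

# Check 4: count top-level `ip xfrm state` / `ip xfrm policy` entries ($1)
# whose src or dst is the peer ($2). Zero means the kernel holds no SA or SP
# for that peer, i.e. racoon/setkey were never given a usable configuration.
xfrm_entries_for_peer() {
    peer_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Ec "^src ($peer_re(/32)? dst |[^ ]+ dst $peer_re(/32)?( |\$))" || :
}

# Run every check, print one PASS/FAIL line each, return 0 only if all pass.
# Real use: run_checks /var/run/openvswitch "$(ovs-dpctl show)" \
#   "$(iptables -t mangle -S INPUT)" "$(ip xfrm state)" "$(ip xfrm policy)" 10.10.10.2
run_checks() {
    run_dir=$1 dpctl=$2 mangle=$3 xstate=$4 xpolicy=$5 peer=$6 fails=0
    if monitor_pid_ok "$run_dir"; then echo "PASS pid file"; else echo "FAIL pid file in $run_dir"; fails=$((fails+1)); fi
    if has_gre_system "$dpctl"; then echo "PASS gre_system port"; else echo "FAIL no gre_system port"; fails=$((fails+1)); fi
    if missing_mangle_rules "$mangle" >/dev/null; then echo "PASS mangle rules"; else echo "FAIL mangle rule(s) missing"; fails=$((fails+1)); fi
    if [ "$(xfrm_entries_for_peer "$xstate" "$peer")" -gt 0 ]; then echo "PASS xfrm state for $peer"; else echo "FAIL no xfrm state for $peer"; fails=$((fails+1)); fi
    if [ "$(xfrm_entries_for_peer "$xpolicy" "$peer")" -gt 0 ]; then echo "PASS xfrm policy for $peer"; else echo "FAIL no xfrm policy for $peer"; fails=$((fails+1)); fi
    [ "$fails" -eq 0 ]
}

# Constructed sample outputs (illustrative, not captured from a real host).
SAMPLE_DPCTL='system@ovs-system:
        lookups: hit:12 missed:3 lost:0
        flows: 2
        port 0: ovs-system (internal)
        port 1: br0 (internal)
        port 2: gre_system (gre: df_default=false, ttl=0)'
SAMPLE_MANGLE_OK='-P INPUT ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1
-A INPUT -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0x1'
SAMPLE_MANGLE_BAD='-P INPUT ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1'
SAMPLE_XFRM_STATE='src 10.10.10.1 dst 10.10.10.2
        proto esp spi 0x0a1b2c3d reqid 0 mode transport
        sel src 10.10.10.1/32 dst 10.10.10.2/32 proto gre
src 10.10.10.2 dst 10.10.10.1
        proto esp spi 0x1f2e3d4c reqid 0 mode transport
        sel src 10.10.10.2/32 dst 10.10.10.1/32 proto gre'
SAMPLE_XFRM_POLICY='src 10.10.10.1/32 dst 10.10.10.2/32 proto gre
        dir out priority 0
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.10.10.2/32 dst 10.10.10.1/32 proto gre
        dir in priority 0
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport'

# Demo against the samples: a temporary run dir holding this shell's own pid
# stands in for the real one; the NAT-T rule is deliberately missing.
demo_dir=$(mktemp -d)
echo $$ > "$demo_dir/ovs-monitor-ipsec.pid"
run_checks "$demo_dir" "$SAMPLE_DPCTL" "$SAMPLE_MANGLE_BAD" "$SAMPLE_XFRM_STATE" "$SAMPLE_XFRM_POLICY" 10.10.10.2
rm -rf "$demo_dir"
```

On a real host, a FAIL on the pid-file check with the daemon visibly running is exactly the source-build-versus-Debian-package mismatch discussed in the thread: compare `ovs-vswitchd --help` for its compiled-in run dir with the directory ovs-monitor-ipsec was started with. A FAIL on the xfrm checks while the pid file is fine points at OVSDB (the psk option or remote_ip on the ipsec_gre interface) rather than at iptables.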