[ovs-discuss] ipsec_gre broken after ovs v1.4 - inconsistent pkt mark?

Jesse Gross jesse at nicira.com
Wed Jan 1 15:49:45 UTC 2014


The meaning of the mark is very simple: 1 means IPsec, 0 is
unencrypted. I would have expected the scripts to set this up
automatically but the logic is not very complicated.

On Tue, Dec 31, 2013 at 4:26 PM, Daniel Hiltgen <daniel at netkine.com> wrote:
> Thanks for the pointer!  As a quick experiment, I just manually did:
>
> iptables -t mangle -A PREROUTING -p gre -j MARK --set-mark 1
>
> and that fixed it.  ipsec_gre packets are flowing again.
>
> Ansis, (or others) is this the recommended way to get ipsec_gre working, or
> was the intention that the marks would be unique per tunnel, or something
> else?  I would have thought the ovs-monitor-ipsec script would take care of
> setting this up if it was that simple, so I'm guessing there's more here
> than just that.  Can I safely assume the mark is always going to be 1?  Is
> there a new option when establishing the gre link to set the mark for the
> tunnel so I can make my config deterministic, or is that implicitly handled
> by setting up flow tables maybe?  Any documentation on the details of how
> this is intended to work would be greatly appreciated.
>
> Thanks!
> Daniel
>
>
>
> On Mon, Dec 30, 2013 at 2:46 PM, Jesse Gross <jesse at nicira.com> wrote:
>>
>> On Fri, Dec 27, 2013 at 5:50 PM, Daniel Hiltgen <daniel at netkine.com>
>> wrote:
>> > I'm on Ubuntu, and had ipsec gre tunnels working with ovs version 1.4,
>> > but recently upgraded to 1.10, and now my ipsec tunnels aren't working.
>> > Regular gre tunnels work fine.  (I also tried ovs 2.0.1 built from
>> > source but I see the same behavior.)
>> >
>> > The racoon logs imply the ipsec connection is working properly.
>> >
>> > In the ovs-vswitchd.log file I see errors like the following:
>> >
>> > 2013-12-27T21:41:26.907Z|00001|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
>> >
>> > 2013-12-27T21:41:26.907Z|00002|ofproto_dpif_upcall(miss_handler)|INFO|received packet on unassociated datapath port 2
>>
>> Ansis, this requires iptables to set the mark, right? Do the scripts
>> set that up automatically?
>
>
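An added example, not part of the thread or of Open vSwitch itself, showing the two things a practitioner would want after reading this exchange: the mangle rule Daniel used, emitted in an idempotent form (check with `-C` before appending with `-A`, so re-running a setup script never stacks duplicate rules), and a small check that scans ovs-vswitchd log lines for the "receive tunnel port not found" warning and reports tunnel packets that arrived with a mark other than 1, which under the semantics Jesse describes (1 = IPsec, 0 = unencrypted) is the symptom from the original report. The log lines below are constructed from the format shown in the thread; the mark value of 1 and the rule text are taken from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from OVS). Assumes the mark
# semantics stated above: 1 means IPsec, 0 means unencrypted.

# Emit an idempotent form of the mangle rule from the thread. The commands
# are printed, not executed, so this can be reviewed or piped into sh.
ipsec_gre_mark_commands() {
    mark="${1:-1}"   # 1 is the value the thread says ipsec_gre expects
    printf '%s\n' \
        "iptables -t mangle -C PREROUTING -p gre -j MARK --set-mark $mark 2>/dev/null || \\" \
        "    iptables -t mangle -A PREROUTING -p gre -j MARK --set-mark $mark"
}

# Read ovs-vswitchd log lines on stdin. For every 'receive tunnel port not
# found' warning, pull out src, dst, key, dp port and pkt mark, and print
# "src->dst mark=N" for each packet whose mark is not 1. Those are tunnel
# packets that reached the datapath without the IPsec mark, i.e. the
# lookup failure the original report shows.
unmarked_tunnel_misses() {
    grep 'receive tunnel port not found' |
    sed -n 's/.*(\([^-]*\)->\([^,]*\), key=\([^,]*\), dp port=\([^,]*\), pkt mark=\([0-9]*\)).*/\1 \2 \3 \4 \5/p' |
    awk '$5 != "1" { print $1 "->" $2 " mark=" $5 }'
}

# Constructed sample, following the format quoted in the thread. The third
# line is a miss with mark=1, which is a different problem (no matching
# tunnel port) and so is deliberately not reported by the filter.
LOG_SAMPLE='2013-12-27T21:41:26.907Z|00001|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
2013-12-27T21:41:26.907Z|00002|ofproto_dpif_upcall(miss_handler)|INFO|received packet on unassociated datapath port 2
2013-12-27T21:42:00.000Z|00003|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.193->10.4.10.32, key=0, dp port=2, pkt mark=1)'

if [ "${1:-}" = "--demo" ]; then
    echo "# rule to apply:"
    ipsec_gre_mark_commands
    echo "# tunnel misses without the IPsec mark:"
    printf '%s\n' "$LOG_SAMPLE" | unmarked_tunnel_misses
fi
```

Run it with `--demo` to see both outputs, or feed a real log with `unmarked_tunnel_misses < /var/log/openvswitch/ovs-vswitchd.log`. A miss with mark=1 is left out on purpose: that means the packet was marked but no ipsec_gre port matched its addresses and key, which is a configuration mismatch rather than the missing-mark problem discussed here.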
