[ovs-discuss] OVS GRE over IPsec using ipsec_gre tunnels
Mike Bennett
mbennett at google.com
Wed Nov 12 23:26:21 UTC 2014
hi --
I'm trying to understand how to configure ipsec_gre tunnels on OVS (linux).
I have (I *hope*) gotten the hard part done, getting the IPsec
associations set up; I see messages from racoon similar to:
INFO: IPsec-SA established: ESP/Transport 1.1.1.1[500]->2.2.2.2[500]
spi=111(0x...)
Now, I'm a little confused as to how to build OpenFlow flows for these
ports *after* packets come from the local side of the ipsec_gre tunnel --
does this emit GRE packets I have to push into local interfaces of type GRE
to capture? The ipsec_gre interface isn't something I can make an ip link
from (iiuc), so it's difficult to grab pcaps from it to see what's going on.
Related, in my (non-OVS) router configuration, I see discrete endpoints for
IPsec and another for the GRE tunnel contained inside IPsec. In the OVS
options for ipsec_gre, I seem to only be able to set *one* remote_ip. How
do I set the 'gre' source IP address in addition to the IPsec source ip for
packets I send over the tunnel?
If anyone has an example of a GRE-over-IPsec configuration using ipsec_gre
and would be willing to share the flow table and interface configuration,
it would be very appreciated! I can't seem to find a complete example anywhere.
Thanks very much!
-mike
====
For version reference:
# ovs-vsctl show
6217769e-dc46-45ae-bca2-a5eefb460826
    Bridge pop
        fail_mode: secure
        Port "pop-gre1"
            Interface "pop-gre1"
                type: ipsec_gre
                options: {psk=xyzzy, remote_ip="2.2.2.2"}
        Port pop
            Interface pop
                type: internal
        Port "pop-eth1"
            Interface "pop-eth1"
    ovs_version: "2.0.2"
# ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.0.2
Compiled Aug 15 2014 14:31:02
# ovs-dpctl show
system@ovs-system:
    lookups: hit:49 missed:109 lost:0
    flows: 0
    port 0: ovs-system (internal)
    port 1: pop (internal)
    port 2: pop-eth1
    port 3: gre_system (gre: df_default=false, ttl=0)
# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Compiled with:
- OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Admin port
- Monotonic clock
# /etc/init.d/openvswitch-ipsec status
 * Checking status of ovs-monitor-ipsec    [ OK ]
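Added example for the configuration and flow table the post asks for. This is not code from the original post or from the Open vSwitch project; it is an editor's illustration of how the pieces fit, and it has not been run against the poster's setup. Two things it relies on that the post does not spell out: ipsec_gre negotiates transport-mode ESP (the racoon line above shows ESP/Transport), so the GRE outer IP header is the same header IPsec protects and there is only one pair of endpoints, with options:local_ip (an ovs-vsctl tunnel option, assumed here) pinning the source side; and the bridge has fail_mode=secure, so it forwards nothing until flows are installed. The local address 1.1.1.1, the peer having a mirrored configuration, and OVS 2.0.x with ovs-monitor-ipsec running are assumptions. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post or the OVS project): build the
# "pop" bridge with an ipsec_gre tunnel port, install explicit OpenFlow
# flows, and list the checks to run afterwards.
# Assumptions not in the post: local endpoint 1.1.1.1, peer mirrored,
# OVS 2.0.x with ovs-monitor-ipsec running. DRY_RUN=1 only prints commands.

BRIDGE=${BRIDGE:-pop}
PHYS=${PHYS:-pop-eth1}
TUN=${TUN:-pop-gre1}
LOCAL_IP=${LOCAL_IP:-1.1.1.1}
REMOTE_IP=${REMOTE_IP:-2.2.2.2}
PSK=${PSK:-xyzzy}
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ofport: OpenFlow port number of an interface. ovs-vswitchd assigns it, so
# look it up instead of hard-coding; dry runs get a symbolic placeholder.
ofport() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'OFPORT(%s)\n' "$1"
    else
        ovs-vsctl get Interface "$1" ofport
    fi
}

configure_tunnel() {
    run ovs-vsctl --may-exist add-br "$BRIDGE"
    run ovs-vsctl set-fail-mode "$BRIDGE" secure
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$PHYS"
    # One endpoint pair only: with transport-mode ESP the GRE outer IP header
    # is the header IPsec protects. local_ip sets the source address OVS
    # writes into it; remote_ip is both the GRE destination and the IKE peer
    # that ovs-monitor-ipsec hands to racoon.
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$TUN" -- \
        set interface "$TUN" type=ipsec_gre \
        options:local_ip="$LOCAL_IP" options:remote_ip="$REMOTE_IP" \
        options:psk="$PSK"
}

program_flows() {
    phys=$(ofport "$PHYS")
    tun=$(ofport "$TUN")
    run ovs-ofctl del-flows "$BRIDGE"
    # Frames from the LAN port go into the tunnel port; frames coming out of
    # the tunnel go to the LAN port and to the bridge's internal interface
    # (OpenFlow port LOCAL). The datapath adds the GRE encapsulation itself
    # and the kernel IPsec stack encrypts the result under the SPD installed
    # by ovs-monitor-ipsec; there is no GRE netdev to re-inject into.
    run ovs-ofctl add-flow "$BRIDGE" "priority=10,in_port=$phys,actions=output:$tun"
    run ovs-ofctl add-flow "$BRIDGE" "priority=10,in_port=$tun,actions=output:$phys,LOCAL"
    run ovs-ofctl add-flow "$BRIDGE" "priority=10,in_port=LOCAL,actions=output:$tun"
    # Explicit table-miss drop so nothing reaches the wire outside the tunnel.
    run ovs-ofctl add-flow "$BRIDGE" "priority=0,actions=drop"
}

# verify: the checks to run once the configuration has been applied.
verify() {
    run ovs-vsctl get Interface "$TUN" ofport        # -1 means the port never came up
    run setkey -D                                    # ipsec-tools: SAs, expect ESP/Transport to the peer
    run setkey -DP                                   # SPD entries for gre to/from the peer
    run ovs-ofctl dump-flows "$BRIDGE"               # flow hit counters move as traffic crosses
    run ovs-dpctl dump-flows                         # datapath flows carry the tunnel set-actions
    # On the wire only ESP (50) should appear; bare GRE (47) means IPsec is not applied.
    run tcpdump -ni "$PHYS" -c 10 ip proto 50 or ip proto 47
}

configure_tunnel
program_flows
verify
```

If plain learning-switch behaviour is enough, the three forwarding flows collapse to a single `ovs-ofctl add-flow pop actions=NORMAL`; the explicit version is shown because it makes visible which ports are allowed to exchange traffic with the tunnel. If tcpdump on the physical interface shows GRE rather than ESP, the SAs in `setkey -D` exist but the outbound policy is not matching, and that is where to look before touching the flow table.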