[ovs-discuss] OVS GRE over IPsec using ipsec_gre tunnels

Mike Bennett mbennett at google.com
Wed Nov 12 23:26:21 UTC 2014

hi --

I'm trying to understand how to configure ipsec_gre tunnels on OVS (linux).
I have gotten (I *hope*) the hard part done of getting the IPsec
associations set up, where I see messages from racoon similar to:
 INFO: IPsec-SA established: ESP/Transport[500]->[500]

Now, I'm a little confused as to how to build OpenFlow flows for these
ports *after* packets come from the local side of the ipsec_gre tunnel --
does this emit GRE packets I have to push into local interfaces of type GRE
to capture? The ipsec_gre interface isn't something I can make an ip link
from (iiuc), so it's difficult to grab pcaps from it to see what's going on.

Related, in my (non-OVS) router configuration, I see discrete endpoints for
IPsec and another for the GRE tunnel contained inside IPsec. In the OVS
options for ipsec_gre, I seem to only be able to set *one* remote_ip. How
do I set the 'gre' source IP address in addition to the IPsec source ip for
packets I send over the tunnel?

If anyone has an example of a GRE-over-IPsec configuration using ipsec_gre
and would be willing to share the flow table and interface configuration,
it would be very appreciated! I can't seem to find a complete example anywhere.

Thanks very much!


For version reference:

# ovs-vsctl show
    Bridge pop
        fail_mode: secure
        Port "pop-gre1"
            Interface "pop-gre1"
                type: ipsec_gre
                options: {psk=xyzzy, remote_ip=""}
        Port pop
            Interface pop
                type: internal
        Port "pop-eth1"
            Interface "pop-eth1"
    ovs_version: "2.0.2"

# ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.0.2
Compiled Aug 15 2014 14:31:02

# ovs-dpctl show
system at ovs-system:
        lookups: hit:49 missed:109 lost:0
        flows: 0
        port 0: ovs-system (internal)
        port 1: pop (internal)
        port 2: pop-eth1
        port 3: gre_system (gre: df_default=false, ttl=0)

# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

Compiled with:
- OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Admin port
- Monotonic clock

# /etc/init.d/openvswitch-ipsec status
 * Checking status of ovs-monitor-ipsec
                                             [ OK ]