[ovs-discuss] Not getting traffic through ipsec_gre

Bolesław Tokarski boleslaw.tokarski at gmail.com
Wed Jul 6 08:26:33 UTC 2016


Hello, Jesse,

Thank you for the advice on using normal GRE interfaces in OVS. I have yet to
try this approach.

However, my apologies for not giving all the background - I am running the
ovs-monitor-ipsec script, which I ported from Debian. Not many changes were
required (racoon init script execution, script location, the script's init
script), and I believe that what the script is supposed to do, it is
already doing. As I mentioned, the commands listed produced a functional
IPsec connection on both sides and registered the tunnel in ovs-vswitchd.

As mentioned in the last log message, the traffic even seems to get through
to OVS on the other side, but then it is just silently dropped. If you could
point me to how I can debug OVS behaviour with respect to packets dropped
between ports, and the reasons for the drops, that would be of much help.

Thank you again for the advice, will put this on my list of things to
verify.

Best regards,
Bolesław Tokarski

2016-07-06 1:42 GMT+02:00 Jesse Gross <jesse at kernel.org>:

> On Tue, Jul 5, 2016 at 4:04 PM, Bolesław Tokarski
> <boleslaw.tokarski at gmail.com> wrote:
> > Hello,
> >
> > For some reason the machine receiving traffic through ipsec_gre is not
> > putting it through to the LOCAL interface.
> >
> > I have a basic test setup:
> >
> > hostA - ip network - hostB
> >
> > Both hosts have just a single eth0 interface. I managed to get a regular
> > gre tunnel working (thanks to Mathy Vanvoorden's blogpost) with - hostA:
> >
> > ovs-vsctl add-br insecure
> > ip link set insecure up
> > ip addr add 192.168.10.1/24 broadcast 192.168.10.255 dev insecure
> > ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre
> > options:remote_ip=2.2.2.2
> >
> > hostB:
> >
> > ovs-vsctl add-br insecure
> > ip link set insecure up
> > ip addr add 192.168.10.2/24 broadcast 192.168.10.255 dev insecure
> > ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre
> > options:remote_ip=1.1.1.1
> >
> > on hostB.
> >
> > Now, I am able to ping both hostA and hostB between each other using the
> > 192.168.10.1 and 192.168.10.2 IP addresses.
> >
> > However, changing this to ipsec_gre causes some problems - hostA:
> >
> > ovs-vsctl add-br secure
> > ip link set secure up
> > ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev secure
> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre
> > options:remote_ip=2.2.2.2 options:psk=secret
> >
> > hostB:
> >
> > ovs-vsctl add-br secure
> > ip link set secure up
> > ip addr add 192.168.20.2/24 broadcast 192.168.20.255 dev secure
> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre
> > options:remote_ip=1.1.1.1 options:psk=secret
> >
> > Pinging the machines from each other with the internal IPs gives no
> > response. On the machine attempting the ping, tcpdump shows ARP requests
> > on the "secure" interface and outgoing ESP packets on eth0. On the
> > receiving machine I see incoming ESP packets on eth0, and nothing on the
> > "secure" interface.
> >
> > I checked the logs and I can confirm that the IPsec session was initiated
> > successfully. Increasing the ovs-vswitchd log verbosity to DEBUG I could
> > even spot ARP packets on the receiving machine:
> >
> > 2016-07-05T22:24:12.771Z|34809|dpif(revalidator35)|DBG|system@ovs-system: flow_dump
> > recirc_id(0),dp_hash(0/0),skb_priority(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=2.2.2.2,tos=0x0,ttl=63,flags()),in_port(1),skb_mark(0),eth(src=11:22:33:44:55:66,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.20.1/255.255.255.255,tip=192.168.20.2/255.255.255.255,op=1/0xff,sha=22:33:44:55:66:77/00:00:00:00:00:00,tha=00:00:00:00:00:00/00:00:00:00:00:00),
> > packets:13, bytes:546, used:0.476s, actions:3
> >
> > So, iiuc, it means that the ARP request got through the ipsec tunnel and
> > was received by vswitchd on the other side, but for some reason, vswitchd
> > did not put the request to the "secure" interface.
> >
> > I think it is some bug, but I can't rule out that this is expected
> > behaviour. Please point out if you notice anything missing from my
> > setup.
> >
> > The machines are running OpenSUSE 42.1, with kernel 4.1.21, ipsec-tools
> > 0.8.0 and openvswitch 2.3.1.
>
> Interfaces with type ipsec_gre require running the ovs-monitor-ipsec
> script to function but this is only available for Debian. However, you
> can just use normal GRE interfaces in OVS and then configure IPsec by
> hand.
>
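The two things the thread asks for are a concrete form of Jesse's "plain GRE port plus IPsec by hand" suggestion and a way to see where the bridge actually sends a packet that arrives on the tunnel. The script below is an added example, not code from the thread, from ovs-monitor-ipsec or from the Open vSwitch project. It assumes a Linux host with iproute2 (ip xfrm) and the OVS tools in PATH, run as root; it uses manual keying (static SPIs and keys) rather than the racoon-driven IKE exchange that ovs-monitor-ipsec managed, so there is no rekeying. All addresses, bridge and port names, SPIs and keys are placeholders; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread or from the Open vSwitch project.
# A plain OVS GRE port whose outer GRE packets are protected by a manually
# keyed transport-mode ESP pair, plus the OVS checks that show where a packet
# received on the tunnel was forwarded. Placeholders throughout; run on each
# host with LOCAL_IP/REMOTE_IP, SPI_OUT/SPI_IN and the key pairs swapped.
set -eu

LOCAL_IP=${LOCAL_IP:-1.1.1.1}     # this host's public address (placeholder)
REMOTE_IP=${REMOTE_IP:-2.2.2.2}   # peer's public address (placeholder)
BRIDGE=${BRIDGE:-secure}
TUN_PORT=${TUN_PORT:-gre0}
DRY_RUN=${DRY_RUN:-1}             # 1: print the commands, 0: execute them

# Placeholder keys (32 bytes each, hex). Generate real ones with
# "openssl rand -hex 32", distribute them out of band, and rotate them
# yourself: manual keying never rekeys.
ENC_OUT=${ENC_OUT:-0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}
AUTH_OUT=${AUTH_OUT:-0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210}
ENC_IN=${ENC_IN:-0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff}
AUTH_IN=${AUTH_IN:-0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100}
SPI_OUT=${SPI_OUT:-0x1001}        # the peer installs this as its inbound SPI
SPI_IN=${SPI_IN:-0x1002}          # and this as its outbound SPI

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One transport-mode ESP SA: AES-CBC plus HMAC-SHA256 with the RFC 4868
# 128-bit ICV (auth-trunc), so it interoperates with IKE-configured peers.
xfrm_state_add() {  # src dst spi enc_key auth_key
    run ip xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid "$3" \
        mode transport enc aes "$4" auth-trunc 'hmac(sha256)' "$5" 128
}

# Policy: outer GRE (IP proto 47) between the endpoints must use the ESP
# template. Install both directions. The "in" policy is what makes the kernel
# drop plaintext GRE arriving from the peer address, so a spoofed unencrypted
# GRE frame cannot be injected into the bridge.
xfrm_policy_add() {  # src dst dir reqid
    run ip xfrm policy add src "$1" dst "$2" proto gre dir "$3" \
        tmpl src "$1" dst "$2" proto esp reqid "$4" mode transport
}

# Ordinary type=gre port; the kernel's xfrm policy, not OVS, adds the ESP.
ovs_gre_port() {
    run ovs-vsctl --may-exist add-br "$BRIDGE"
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$TUN_PORT" -- \
        set interface "$TUN_PORT" type=gre options:remote_ip="$REMOTE_IP"
}

# Where did the bridge send a packet that arrived on the tunnel? Trace an ARP
# request as the receiving host sees it; the output ends with the OpenFlow
# actions taken and the resulting datapath actions, so "dropped" vs "output
# to port N" is visible without a tcpdump on every port. ofport is the
# tunnel's OpenFlow port number (ovs-vsctl get interface gre0 ofport).
trace_arp_from_tunnel() {  # ofport sender_ip target_ip
    run ovs-appctl ofproto/trace "$BRIDGE" \
        "in_port=$1,dl_type=0x0806,arp_op=1,arp_spa=$2,arp_tpa=$3"
}

# Datapath view: "ovs-dpctl show" maps the numbers seen in flow_dump lines
# (in_port(1), actions:3) to port names, dump-flows lists installed megaflows
# with hit counters, and the OpenFlow table shows which rule decided.
datapath_view() {
    run ovs-dpctl show
    run ovs-dpctl dump-flows
    run ovs-ofctl dump-flows "$BRIDGE"
}

main() {
    xfrm_state_add "$LOCAL_IP" "$REMOTE_IP" "$SPI_OUT" "$ENC_OUT" "$AUTH_OUT"
    xfrm_state_add "$REMOTE_IP" "$LOCAL_IP" "$SPI_IN" "$ENC_IN" "$AUTH_IN"
    xfrm_policy_add "$LOCAL_IP" "$REMOTE_IP" out "$SPI_OUT"
    xfrm_policy_add "$REMOTE_IP" "$LOCAL_IP" in "$SPI_IN"
    ovs_gre_port
    datapath_view
}
main
```

Run it once with DRY_RUN=1 to read the commands, then DRY_RUN=0 on both hosts with the address, SPI and key variables mirrored. After that, `ip xfrm state` counters on the receiver and `trace_arp_from_tunnel <ofport> 192.168.20.1 192.168.20.2` tell you whether the ARP is decrypted and which port the bridge outputs it to; a datapath flow whose `actions:` does not name the bridge's internal port in `ovs-dpctl show` is exactly the situation the log line above describes.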