[ovs-discuss] Not getting traffic through ipsec_gre

Jesse Gross jesse at kernel.org
Thu Jul 7 18:56:15 UTC 2016


On Thu, Jul 7, 2016 at 10:55 AM, Bolesław Tokarski
<boleslaw.tokarski at gmail.com> wrote:
> Hello,
>
> I installed Ubuntu 16.04 on the hostB to check the behaviour between the two
> OSes.
>
> The setup is the same as with two hosts running OpenSUSE:
>
>
>>> >
>>> > hostA:
>>> >
>>> > ovs-vsctl add-br secure
>>> > ip link set secure up
>>> > ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev secure
>>> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre
>>> > options:remote_ip=2.2.2.2 options:psk=secret
>>> >
>>> > hostB:
>>> >
>>> > ovs-vsctl add-br secure
>>> > ip link set secure up
>>> > ip addr add 192.168.20.2/24 broadcast 192.168.20.255 dev secure
>>> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre
>>> > options:remote_ip=1.1.1.1 options:psk=secret
>>> >
>
>
> As mentioned, both sides manage to negotiate IPsec connection, set the
> interfaces up, etc.
>
> Now, when I ping from hostA to hostB, I can see ARP request going out the
> "secure" interface, through eth0 as an ESP packet, to eth0 on hostB,
> deciphered and arriving at "secure" on hostB.
>
> Then, there's an ARP reply from hostB, going through eth0 as ESP on hostB,
> arriving at eth0 on hostA.
>
> I can even see the response in ovs-dpctl dump-flows on hostA. However,
> nothing is received on the "secure" interface on hostA.
>
> Is there something I can do to debug further? Maybe there's a missing return
> flow rule that does not get automatically set up on OpenSUSE while it is on
> Ubuntu? Is there some known issue with the particular OVS/kernel versions
> that OpenSUSE runs (ovs 2.3.1, kernel 4.1.26-21)? Or maybe there's a
> mismatch between the OVS and kernel datapath module? OpenSUSE seems to ship
> the one from the kernel.

Did you also port the iptables rules that are set up by the init script
on Debian? If those are missing then that would likely cause the
behavior that you are describing since OVS would consider the incoming
traffic to be an attempt to inject unauthenticated traffic into the
secure port.

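A check for the condition Jesse describes, added here as an example and not taken from the thread or from the OVS project's own init script: a POSIX shell script that inspects `iptables -S INPUT` output and reports whether GRE is restricted to packets that arrived through an IPsec policy. The exact rule form (an `xt_policy` ACCEPT for GRE decapsulated from ESP followed by an unconditional GRE DROP) is an assumption about what the Debian script installs; compare it with the rules on a working Ubuntu host before relying on it. The two sample rule listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OVS): verify that the host
# restricts incoming GRE to packets that the kernel decapsulated from an
# IPsec ESP SA, which is what the Debian openvswitch-ipsec init script is
# said to set up. The rule form below is an ASSUMPTION about that script.

# Rules assumed to be present on a correctly configured host.
expected_rules() {
    cat <<'EOF'
-A INPUT -p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p gre -j DROP
EOF
}

# check_rules: read `iptables -S INPUT` output on stdin and report whether
# both rules exist and the IPsec ACCEPT precedes the unconditional DROP
# (the reverse order would silently drop all GRE, tunnelled or not).
check_rules() {
    rules=$(cat)
    accept_line=$(printf '%s\n' "$rules" \
        | grep -n -- '-p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT' \
        | cut -d: -f1 | head -n1)
    drop_line=$(printf '%s\n' "$rules" \
        | grep -n -- '-p gre -j DROP' \
        | cut -d: -f1 | head -n1)
    [ -n "$accept_line" ] || { echo "missing: GRE-over-IPsec ACCEPT rule"; return 1; }
    [ -n "$drop_line" ]   || { echo "missing: plain-GRE DROP rule"; return 1; }
    [ "$accept_line" -lt "$drop_line" ] \
        || { echo "wrong order: DROP precedes ACCEPT, all GRE will be dropped"; return 1; }
    echo "ok: GRE restricted to IPsec-protected packets"
    return 0
}

# Constructed samples standing in for `iptables -S INPUT` on a host with
# the rules (as the Ubuntu side is assumed to have) and one without them.
SAMPLE_WITH_RULES='-P INPUT ACCEPT
-A INPUT -p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p gre -j DROP'
SAMPLE_WITHOUT_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    # Run against the real ruleset (needs root).
    iptables -S INPUT | check_rules
else
    printf 'with rules:    '; printf '%s\n' "$SAMPLE_WITH_RULES" | check_rules || :
    printf 'without rules: '; printf '%s\n' "$SAMPLE_WITHOUT_RULES" | check_rules || :
fi
```

Run it with `--live` on both hosts; if the OpenSUSE side reports a missing rule, `expected_rules` prints the assumed rule lines to compare against the Debian init script, and `ip xfrm policy` plus `ip xfrm state` will confirm whether the ESP SA that the GRE packets should match is actually installed.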