[ovs-discuss] Replacing IPsec-GRE tunnel ports

Bolesław Tokarski boleslaw.tokarski at gmail.com
Thu Nov 17 12:04:24 UTC 2016


Hi,

Thank you very much for the answer.

>
> > I am yet to come across a good guide on how to set up an OVS IPsec-GRE
> > tunnel port alternative. Most guides are either for site-to-site IPsec
> > tunnels, or for OVS GRE tunnels.
>
> Such guides in details would be on strongSwan, racoon, OpenSwan or
> libreswan project sites.


Well, I did see a number of guides on setting up tunnels, not so much on
putting the traffic forward to an OVS port. I saw what ends up in
ipsec.conf, but I believe the traffic going through the ipsec tunnel ends up on
a Unix socket and gets directed to ovs-monitor-ipsec or so... I might fully
get the image, though.


> However, if you are interested you can take a
> peek at this link -
> https://www.mail-archive.com/dev@openvswitch.org/msg46915.html - and
> extract what the ovs-monitor-ipsec daemon would set in ipsec.conf and
> ipsec.secrets file.
>

I saw the patch on the mailing list before. I am experiencing some issues
with racoon, it does not seem to handle SA expiry too well. I had a number
of situations where I needed to recreate the OVS ports for it to catch up.
How's StrongSwan doing? I guess you're using it in production?


> If you are ok to skip this particular OVS 2.7 version, then I plan to
> reintroduce ovs-monitor-ipsec daemon in the next one. It was abruptly
> removed because it was decided that ovs-monitor-ipsec can't have a
> hard coded bit of skb_mark because it interferes with OpenFlow
> skb_mark match.
>

Good to hear that. The ovs-monitor-ipsec daemon was quite easy to use and I
even preferred adding OpenSUSE support to it over setting the tunnels up
manually, which sounds bizarre, but hey - it worked.

Best regards,
Bolesław Tokarski

