[ovs-discuss] Replacing IPsec-GRE tunnel ports

Ansis Atteka aatteka at nicira.com
Mon Nov 21 19:31:36 UTC 2016

On Thu, Nov 17, 2016 at 4:04 AM, Bolesław Tokarski
<boleslaw.tokarski at gmail.com> wrote:
> Hi,
> Thank you very much for the answer.
>> >
>> > I am yet to come across a good guide on how to set up an OVS IPsec-GRE
>> > tunnel port alternative. Most guides are either for site-to-site IPsec
>> > tunnels, or for OVS GRE tunnels.
>> Such guides in details wold be on strongSwan, racoon, OpenSwan or
>> libreswan project sites.
> Well, I did see a number of guides on setting up tunnels, not so much on
> putting the traffic forward to an OVS port. I saw what ends up in
> ipsec.conf, but I believe the traffic going the the ipsec tunnel ends up on
> a Unix socket and gets directed to ovs-monitor-ipsec or so... I might fully
> get the image, though.

No, the ovs-monitor-ipsec daemon is not doing the actual IPsec
forwarding, ovs-monitor-ipsec just configures strongSwan.

Also, strongSwan is not doing the actual IPsec forwarding - strongSwan
just configures XFRM module in Linux kernel.

It is XFRM module in Linux Kernel that does the actual IPsec forwarding.

>> However, if you are interested you can take a
>> peek at this link -
>> https://www.mail-archive.com/dev@openvswitch.org/msg46915.html - and
>> extract what the ovs-monitor-ipsec daemon would set in ipsec.conf and
>> ipsec.secrets file.
> I saw the patch on the mailing list before. I am experiencing some issues
> with racoon, it does not seem to handle SA expiry too well. I had a number
> of situations where I needed to recreate the OVS ports for it to catch up.
> How's StrongSwan doing? I guess you're using it in production?

I haven't followed racoon lately. Though strongSwan also has its own
bugs. However, most of those bugs that I have had encountered in
strongSwan were either already fixed in the latest strongSwan release
and it took some time for me to root cause them; OR strongSwan
maintainers fixed those bugs for me after I reported them on their bug
tracker.  Also, it is a pity that for I still have to edit ipsec.conf
file instead of being able to use Python Vici API that they provide.
At least this is still the case for Ubuntu 16.10.

And, no, I would not dare to say that I am using strongSwan in
production, because the patch I pointed you to *is not* even

>> If you are ok to skip this particular OVS 2.7 version, then I plan to
>> reintroduce ovs-monitor-ipsec daemon in the next one. It was abruptly
>> removed because it was decided that ovs-monitor-ipsec can't have a
>> hard coded bit of skb_mark because it interferes with OpenFlow
>> skb_mark match.
> Good to hear that. The ovs-monitor-ipsec daemon was quite easy to use and I
> even preferred to add OpenSUSE support to it than to set the tunnels up
> manually, which sounds bizarre, but hey - it worked.
> Best regards,
> Bolesław Tokarski

More information about the discuss mailing list