[ovs-discuss] Replacing IPsec-GRE tunnel ports

Bolesław Tokarski boleslaw.tokarski at gmail.com
Tue Nov 22 18:18:45 UTC 2016 

Hi, Ansis,

Huge thanks for looking into this. I did some investigations to try to
replicate what the script is doing - I managed to set an ipsec transport
connection between hosts up (suddenly it was much more obvious with
strongswan compared to racoon), and configured OVS to use gre tunnel
between the hosts. I only failed with packet marking, removed it for the
time being and I got communication running this way.

Anyway, the 1Mbps problem re-appeared for VLANs, so indeed it's not the
script's fault. The remaining parts are in the kernel, so I started to look
into this topic but... well, that's a deep thing.

To my amazement, I just tested the same setup with Racoon and VLANs, and
bandwidth is also capped at 1Mbps. I started to wonder what changed,
reverted to previous kernel (there was an upgrade in the time between),
reverted to the very same package and config used at that point, and I
still see I'm capped at 1Mbps. My best guess is that I never tested the
bandwidth of the previous setup with VLANs, either. That, something more
subtle, or I'm crazy.

So, I need to back off from my statement that it used to work on Racoon.

Anyway. OpenSUSE 42.1, kernel 4.1.34, OVS 2.3.3, strognswan 5.2.2. The
/etc/ipsec.conf looks like this:

config setup
    uniqueids=no

conn %default
    keyingtries=%forever
    type=transport
    keyexchange=ikev2
    auto=add
    ike=aes128gcm12-aesxcbc-modp1024
    esp=aes128gcm12-modp1024
    mobike=no

conn gre4-1
    left=3.3.3.3
    right=4.4.4.4
    rightcert=ovs-4.4.4.4.pem
    leftcert=/etc/openvswitch/cert.pem

the other party has a symmetrical config.

# ip xfrm policy
src 4.4.4.4/32 dst 3.3.3.3/32
        dir in priority 2819 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 3.3.3.3/32 dst 4.4.4.4/32
        dir out priority 2819 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main

# ip xfrm state
src 4.4.4.4 dst 3.3.3.3
        proto esp spi 0xc1436dcb reqid 1 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0xsomekey 96
        anti-replay context: seq 0x0, oseq 0xa48d, bitmap 0x00000000
        sel src 4.4.4.4/32 dst 3.3.3.3/32
src 3.3.3.3 dst 4.4.4.4
        proto esp spi 0xca5b77f8 reqid 1 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0xsomekey 96
        anti-replay context: seq 0xb6b7, oseq 0x0, bitmap 0xffffffff
        sel src 3.3.3.3/32 dst 4.4.4.4/32

I'll try to replicate that problem on a Ubuntu VM.

Best regards,
Bolesław Tokarski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20161122/fabfa3d7/attachment-0001.html>

More information about the discuss mailing list