[ovs-discuss] ipsec_gre not working in OpenWRT
José Miguel Guzmán
jmguzman at whitestack.com
Fri Dec 8 12:52:24 UTC 2017
Hi Guys
I am trying to enable ipsec_gre tunnelling between two openwrt.
I created a physical and internal bridge, based on
http://docs.openvswitch.org/en/latest/howto/userspace-tunneling/ (although
I am using kernel space tunnelling)
# Creates Internal Bridge
ovs-vsctl --may-exist add-br br-int \
-- set Bridge br-int datapath_type=$DATAPATH \
-- br-set-external-id br-int bridge-id br-int \
-- set bridge br-int fail-mode=standalone
ovs-vsctl add-port br-int gre0 -- set interface gre0 type=$PROTOCOL
options:remote_ip=$THERE options:psk=test123
ifconfig br-int $TUN_HERE mtu 1400 up
# Creates physical Bridge
ovs-vsctl --may-exist add-br br-phy \
-- set Bridge br-phy datapath_type=$DATAPATH \
-- br-set-external-id br-phy bridge-id br-phy \
-- set bridge br-phy fail-mode=standalone \
other_config:hwaddr=$BRIDGEID
ovs-vsctl --timeout 10 add-port br-phy $DEV
ifconfig $DEV 0.0.0.0 mtu 2000
ifconfig br-phy $HERE mtu 2000 up
Everything works fine when $PROTOCOL is gre.
I can see decapsulated packages coming from the gre_sys interface, and
being received by br-int
I can actually ping between br-int (1.1.1.1 <=> 1.1.1.2)
But if PROTOCOL is ipsec_gre, it doesnt work
ovs-monitor-ipsec is running, and configuring security associations between
the two hosts.
I can see ESP traffic through br-phy
I can see packets being received in the gre_sys interface (meaning SA is
ok), but receiving switch is failing to reply ARP
*root at cpe5:~/TEST# tcpdump -i gre_sys -n -nn*
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre_sys, link-type EN10MB (Ethernet), capture size 262144 bytes
09:32:24.807643 ARP, Request who-has 1.1.1.2 tell 1.1.1.1, length 28
09:32:25.807685 ARP, Request who-has 1.1.1.2 tell 1.1.1.1, length 28
The only difference I see when compare gre with ipsec_gree, is that there
is some missing flows for tunneling when in ipsec_gre mode
In gre mode, I see
*root at cpe5:~# ovs-appctl dpctl/dump-flows*
# There flows are installed in both cases
recirc_id(0),in_port(4),eth(src=d8:58:d7:00:2e:c9,dst=d8:58:d7:00:2e:c6),eth_type(0x0800),ipv4(frag=no),
packets:8, bytes:1032, used:0.430s, actions:3
recirc_id(0),in_port(4),eth(src=d8:58:d7:00:2e:c9,dst=d8:58:d7:00:2e:c6),eth_type(0x0806),
packets:1, bytes:60, used:2.420s, actions:3
recirc_id(0),in_port(3),eth(src=d8:58:d7:00:2e:c6,dst=d8:58:d7:00:2e:c9),eth_type(0x0800),ipv4(frag=no),
packets:8, bytes:1032, used:0.430s, actions:4
recirc_id(0),in_port(3),eth(src=d8:58:d7:00:2e:c6,dst=d8:58:d7:00:2e:c9),eth_type(0x0806),
packets:0, bytes:0, used:never, actions:4
# There flows get installed only in GRE mode. They are missing when
IPSEC_GRE is in use
recirc_id(0),in_port(1),eth(src=1a:6b:2d:47:f3:43,dst=5a:a4:e4:d9:25:43),eth_type(0x0806),
packets:0, bytes:0, used:never,
actions:set(tunnel(dst=192.168.222.204,ttl=64,flags(df))),2
recirc_id(0),in_port(1),eth(src=1a:6b:2d:47:f3:43,dst=5a:a4:e4:d9:25:43),eth_type(0x0800),ipv4(tos=0/0x3,frag=no),
packets:7, bytes:686, used:0.430s,
actions:set(tunnel(dst=192.168.222.204,ttl=64,flags(df))),2
recirc_id(0),tunnel(src=192.168.222.204,dst=192.168.222.205,ttl=64,flags(-df-csum)),in_port(2),skb_mark(0),eth(src=5a:a4:e4:d9:25:43,dst=1a:6b:2d:47:f3:43),eth_type(0x0806),
packets:0, bytes:0, used:never, actions:1
recirc_id(0),tunnel(src=192.168.222.204,dst=192.168.222.205,ttl=64,flags(-df-csum)),in_port(2),skb_mark(0),eth(src=5a:a4:e4:d9:25:43,dst=1a:6b:2d:47:f3:43),eth_type(0x0800),ipv4(frag=no),
packets:7, bytes:686, used:0.430s, actions:1
In vswitch.log I see messages warning received packet on unassociated
datapath port 2
*2017-12-08T11:30:00.598Z|00093|dpif(handler6)|DBG|system at ovs-system: miss
upcall:*
recirc_id(0),dp_hash(0),skb_priority(0),tunnel(src=192.168.222.204,dst=192.168.222.205,ttl=64,flags(0)),in_port(2),skb_mark(0),ct_state(0),ct_mark(0),eth(src=ee:9f:69:e6:40:4f,dst=33:33:00:00:00:16),eth_type(0x86dd),ipv6(src=fe80::ec9f:69ff:fee6:404f,dst=ff02::16,label=0,proto=58,tclass=0,hlimit=1,frag=no),
icmpv6(type=143,code=0)
icmp6,vlan_tci=0x0000,dl_src=ee:9f:69:e6:40:4f,dl_dst=33:33:00:00:00:16,ipv6_src=fe80::ec9f:69ff:fee6:404f,ipv6_dst=ff02::16,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=1,icmp_type=143,icmp_code=0,nd_target=::,nd_sll=00:00:00:00:00:00,nd_tll=00:00:00:00:00:00
icmp6_csum:94ca
*2017-12-08T11:30:00.598Z|00094|tunnel(handler6)|WARN|receive tunnel port
not found *(icmp6,tun_src=192.168.222.204,tun_dst=192.168.222.205,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=0,in_port=2,vlan_tci=0x0000,dl_src=ee:9f:69:e6:40:4f,dl_dst=33:33:00:00:00:16,
ipv6_src=fe80::ec9f:69ff:fee6:404f,ipv6_dst=ff02::16,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=1,icmp_type=143,icmp_code=0,nd_target=::,nd_sll=00:00:00:00:00:00,nd_tll=00:00:00:00:00:00)
*2017-12-08T11:30:00.598Z|00095|netlink_socket(handler6)|DBG|nl_sock_transact_multiple__
(No error information): nl(len:212, type=23(ovs_flow),
flags=401[REQUEST][ATOMIC], seq=52, pid=2530427498,genl(cmd=1,version=1)*
*2017-12-08T11:30:00.598Z|00096|dpif(handler6)|DBG|system at ovs-system:
put[create] ufid:f9c9f3d5-72ae-4e10-b832-389d0a452e58 *
recirc_id(0),dp_hash(0),skb_priority(0),tunnel(src=192.168.222.204,dst=192.168.222.205,ttl=64,flags(0)),in_port(2),skb_mark(0),ct_state(0),ct_mark(0),eth(src=ee:9f:69:e6:40:4f,dst=33:33:00:00:00:16),eth_type(0x86dd),ipv6(src=fe80::ec9f:69ff:fee6:404f,dst=ff02::16,label=0,proto=58,tclass=0,hlimit=1,frag=no),icmpv6(type=143,code=0)
*2017-12-08T11:30:00.599Z|00097|ofproto_dpif_upcall(handler6)|INFO|received
packet on unassociated datapath port 2*
Do you guys have any idea what else should I look, to troubleshoot this?
I would really appreciate ANY guidance.
Thanks a lot
JM
--
*José Miguel Guzmán*Senior Network Consultant
Latin America & Caribbean
+1 (650) 248-2490 <+16502482490>
+56 (9) 9064-2780 <+56990642780>
jmguzman at whitestack.com
jmguzmanc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20171208/fef88553/attachment-0001.html>
More information about the discuss
mailing list