[ovs-discuss] VXLAN over IPSec - what's wrong
Sebastian Pitei
sebastian at pitei.eu
Sun Oct 7 17:03:26 UTC 2018
Hi Qiuyu,
Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:
-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
-----Original Message-----
From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Sent: Thursday, September 20, 2018 1:13 AM
To: Sebastian Pitei <sebastian at pitei.eu>
Cc: ovs-discuss at openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Sebastian,
If it is an IPsec configuation problem, you can check syslog to see what error messages were put by the strongswan daemon.
There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.
Best,
Qiuyu
On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>
> Hi everyone,
>
> I'm trying to build a simple OVS setup as follows:
> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>
> [Scenario 1]
> -VXLAN comes up, traffic flows from the physical interface to the
> VXLAN tunnel and vice-versa
>
> [Scenario 2]
> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between briges.
>
> Am I missing something? Is there another way to do this? I'm pasting
> below my configuration, maybe it helps
>
> [bridge-config]
> Bridge "br0"
> Controller "tcp:[fd00::100]"
> fail_mode: secure
> Port "br0"
> Interface "br0"
> type: internal
> Port "vxlan0"
> Interface "vxlan0"
> type: vxlan
> options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
> Port "enp0s10"
> Interface "enp0s10"
> ovs_version: "2.9.0"
>
> [openflow-flows]
> cookie=0x0, duration=86993.364s, table=0, n_packets=168419,
> n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0 cookie=0x0,
> duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100,
> in_port=vxlan0 actions=output:enp0s10
>
> [strongswan_ipsec.conf]
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=secret
> mobike=no
>
> conn host-host
> left=fd00::10
> leftid=fd00::10
> right=fd00::11
> rightid=fd00::11
> auto=route
>
>
> Thx,
> Seb
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
More information about the discuss
mailing list