[ovs-discuss] VXLAN over IPSec - what's wrong

Sebastian Pitei sebastian at pitei.eu
Sun Oct 7 17:03:26 UTC 2018


Hi Qiuyu,

Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:

-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.

-----Original Message-----
From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com> 
Sent: Thursday, September 20, 2018 1:13 AM
To: Sebastian Pitei <sebastian at pitei.eu>
Cc: ovs-discuss at openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong

Hi Sebastian,

If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.

There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.

Best,
Qiuyu
On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>
> Hi everyone,
>
> I'm trying to build a simple OVS setup as follows:
> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>
> [Scenario 1]
> -VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel and vice-versa
>
> [Scenario 2]
> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between bridges.
>
> Am I missing something? Is there another way to do this? I'm pasting below my configuration, maybe it helps
>
> [bridge-config]
>     Bridge "br0"
>         Controller "tcp:[fd00::100]"
>         fail_mode: secure
>         Port "br0"
>             Interface "br0"
>                 type: internal
>         Port "vxlan0"
>             Interface "vxlan0"
>                 type: vxlan
>                 options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>         Port "enp0s10"
>             Interface "enp0s10"
>     ovs_version: "2.9.0"
>
> [openflow-flows]
> cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
> cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10
>
> [strongswan_ipsec.conf]
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         authby=secret
>         mobike=no
>
> conn host-host
>         left=fd00::10
>         leftid=fd00::10
>         right=fd00::11
>         rightid=fd00::11
>         auto=route
>
>
> Thx,
> Seb
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
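A check for step 4 of Seb's outline above (does strongswan's traffic selector actually catch the VXLAN packets leaving br0?), added here as an example that is not part of the thread or of OVS/strongswan: it parses `ip -6 xfrm policy` output and tests whether UDP to the VXLAN port between the two tunnel endpoints is covered by an `out` and an `in` policy. The sample policy output is constructed to match the host-host conn in the thread, and the VXLAN port 4789 (the default OVS uses) is assumed.

```python
import ipaddress

# Constructed sample of `ip -6 xfrm policy` output, shaped like what strongswan's
# auto=route installs for the host-host conn in the thread (fd00::10 <-> fd00::11).
SAMPLE_POLICY = """\
src fd00::10/128 dst fd00::11/128
        dir out priority 399999 ptype main
        tmpl src fd00::10 dst fd00::11
                proto esp reqid 1 mode tunnel
src fd00::11/128 dst fd00::10/128
        dir in priority 399999 ptype main
        tmpl src fd00::11 dst fd00::10
                proto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts: src/dst nets, selector, direction."""
    policies, cur = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "src" and not line[0].isspace():
            # Header line: 'src A dst B [proto P] [sport N] [dport N] ...'
            kv = dict(zip(fields[0::2], fields[1::2]))
            cur = {"src": ipaddress.ip_network(kv["src"], strict=False),
                   "dst": ipaddress.ip_network(kv["dst"], strict=False),
                   "proto": kv.get("proto", "any"),
                   "dport": int(kv["dport"]) if "dport" in kv else None,
                   "dir": None}
            policies.append(cur)
        elif fields[0] == "dir" and cur is not None:
            cur["dir"] = fields[1]       # 'out', 'in' or 'fwd'
    return policies

def covers(policy, src, dst, proto, dport, direction):
    """True if the policy's traffic selector matches this flow in this direction."""
    return (policy["dir"] == direction
            and ipaddress.ip_address(src) in policy["src"]
            and ipaddress.ip_address(dst) in policy["dst"]
            and policy["proto"] in ("any", proto)
            and policy["dport"] in (None, dport))

def vxlan_coverage(policy_text, local_ip, remote_ip, vxlan_port=4789):
    """Is VXLAN/UDP between the OVS tunnel endpoints caught outbound and inbound?"""
    pols = parse_policies(policy_text)
    return {"out": any(covers(p, local_ip, remote_ip, "udp", vxlan_port, "out") for p in pols),
            "in": any(covers(p, remote_ip, local_ip, "udp", vxlan_port, "in") for p in pols)}

if __name__ == "__main__":
    print(vxlan_coverage(SAMPLE_POLICY, "fd00::10", "fd00::11"))
```

Run it against the live output of `ip -6 xfrm policy` on each host with that host's local_ip/remote_ip; a policy is only half the story, so `ip -6 xfrm state` should also show an ESP SA for the same pair once the first VXLAN packet has triggered IKE.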


