[ovs-discuss] VXLAN over IPSec - what's wrong
Sebastian Pitei
sebastian at pitei.eu
Sun Oct 7 17:05:44 UTC 2018
P.S.: does the above make sense? Is there a flaw in my logic?
P.P.S: this week I should also get some physical boxes to test the setup, maybe it will provide different results, as I've been testing this whole setup inside VirtualBox and VMware Workstation Pro.
Thx,
Seb
-----Original Message-----
From: Sebastian Pitei
Sent: Sunday, October 7, 2018 8:03 PM
To: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Cc: ovs-discuss at openvswitch.org
Subject: RE: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Qiuyu,
Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:
-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
-----Original Message-----
From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Sent: Thursday, September 20, 2018 1:13 AM
To: Sebastian Pitei <sebastian at pitei.eu>
Cc: ovs-discuss at openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Sebastian,
If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.
There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.
Best,
Qiuyu
On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>
> Hi everyone,
>
> I'm trying to build a simple OVS setup as follows:
> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>
> [Scenario 1]
> -VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel and vice-versa
>
> [Scenario 2]
> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between bridges.
>
> Am I missing something? Is there another way to do this? I'm pasting below my configuration, maybe it helps
>
> [bridge-config]
> Bridge "br0"
>     Controller "tcp:[fd00::100]"
>     fail_mode: secure
>     Port "br0"
>         Interface "br0"
>             type: internal
>     Port "vxlan0"
>         Interface "vxlan0"
>             type: vxlan
>             options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>     Port "enp0s10"
>         Interface "enp0s10"
> ovs_version: "2.9.0"
>
> [openflow-flows]
> cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
> cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10
>
> [strongswan_ipsec.conf]
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>     mobike=no
>
> conn host-host
>     left=fd00::10
>     leftid=fd00::10
>     right=fd00::11
>     rightid=fd00::11
>     auto=route
>
>
> Thx,
> Seb
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
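As an added example (not from anyone in this thread, and not OVS or strongswan code), the following script cross-checks the two configuration fragments quoted above: it parses the `ovs-vsctl show` style bridge dump and the `ipsec.conf` text, verifies that the VXLAN `local_ip`/`remote_ip` are the IPsec `left`/`right` peers, and reports the traffic selectors and mode the conn will install (strongswan defaults: `leftsubnet`/`rightsubnet` fall back to the host addresses, `leftprotoport` to all protocols, `type` to tunnel). The embedded config strings are trimmed copies of the posted ones, used here as sample input.

```python
import re
import ipaddress

# Constructed sample input: trimmed copies of the configs quoted in the thread.
OVS_SHOW = """Bridge "br0"
    Port "vxlan0"
        Interface "vxlan0"
            type: vxlan
            options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
"""
IPSEC_CONF = """conn %default
    keyexchange=ikev2
    authby=secret

conn host-host
    left=fd00::10
    leftid=fd00::10
    right=fd00::11
    rightid=fd00::11
    auto=route
"""

def vxlan_endpoints(text):
    """Return (local_ip, remote_ip) of the first 'type: vxlan' interface."""
    m = re.search(r'type: vxlan\s*\n\s*options: \{([^}]*)\}', text)
    opts = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    return opts["local_ip"], opts["remote_ip"]

def ipsec_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}, %default merged in."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k] = v
    default = conns.pop("%default", {})
    return {n: {**default, **c} for n, c in conns.items()}

def check(ovs_text, ipsec_text, conn="host-host"):
    """Compare tunnel endpoints with IPsec peers; describe the effective selector."""
    local, remote = vxlan_endpoints(ovs_text)
    c = ipsec_conns(ipsec_text)[conn]
    problems = []
    if ipaddress.ip_address(c["left"]) != ipaddress.ip_address(local):
        problems.append(f"left={c['left']} is not the VXLAN local_ip {local}")
    if ipaddress.ip_address(c["right"]) != ipaddress.ip_address(remote):
        problems.append(f"right={c['right']} is not the VXLAN remote_ip {remote}")
    proto = c.get("leftprotoport", "any")
    if proto not in ("any", "udp", "udp/4789"):  # VXLAN rides on UDP 4789
        problems.append(f"leftprotoport={proto} would not cover VXLAN (udp/4789)")
    selector = f"{c.get('leftsubnet', c['left'])} <-> {c.get('rightsubnet', c['right'])} proto {proto}"
    return {"problems": problems, "selector": selector, "mode": c.get("type", "tunnel")}
```

Run `check(OVS_SHOW, IPSEC_CONF)` against your own two dumps; an empty `problems` list means the endpoints agree and the posted conn selects all traffic between the two hosts, so the remaining question is whether the SA actually came up, which the charon log lines in syslog will show.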