[ovs-discuss] VXLAN over IPSec - what's wrong

Sebastian Pitei sebastian at pitei.eu
Mon Oct 8 13:27:18 UTC 2018


Hi Qiuyu,

Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is encrypted.

Seb
-----Original Message-----
From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com> 
Sent: Monday, October 8, 2018 4:01 PM
To: Sebastian Pitei <sebastian at pitei.eu>
Cc: ovs-discuss at openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong

Your understanding is correct. Your previous configuration file seems to encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one host from another, will the ICMP traffic be encrypted?

-Qiuyu

> On Oct 7, 2018, at 1:05 PM, Sebastian Pitei <sebastian at pitei.eu> wrote:
> 
> P.S.: does the above make sense? Is there a flaw in my logic?
> 
> P.P.S: this week I should also get some physical boxes to test the setup, maybe it will provide different results, as I've been testing this whole setup inside VirtualBox and VMware Workstation Pro.
> 
> Thx,
> Seb
> 
> -----Original Message-----
> From: Sebastian Pitei
> Sent: Sunday, October 7, 2018 8:03 PM
> To: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
> Cc: ovs-discuss at openvswitch.org
> Subject: RE: [ovs-discuss] VXLAN over IPSec - what's wrong
> 
> Hi Qiuyu,
> 
> Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:
> 
> -a packet arrives on the physical interface.
> -OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
> -using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
> -Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
> 
> -----Original Message-----
> From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
> Sent: Thursday, September 20, 2018 1:13 AM
> To: Sebastian Pitei <sebastian at pitei.eu>
> Cc: ovs-discuss at openvswitch.org
> Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
> 
> Hi Sebastian,
> 
> If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.
> 
> There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.
> 
> Best,
> Qiuyu
> On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>> 
>> Hi everyone,
>> 
>> I'm trying to build a simple OVS setup as follows:
>> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
>> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>> 
>> [Scenario 1]
>> -VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel and vice-versa
>> 
>> [Scenario 2]
>> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between bridges.
>> 
>> Am I missing something? Is there another way to do this? I'm pasting below my configuration, maybe it helps
>> 
>> [bridge-config]
>>    Bridge "br0"
>>        Controller "tcp:[fd00::100]"
>>        fail_mode: secure
>>        Port "br0"
>>            Interface "br0"
>>                type: internal
>>        Port "vxlan0"
>>            Interface "vxlan0"
>>                type: vxlan
>>                options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>>        Port "enp0s10"
>>            Interface "enp0s10"
>>    ovs_version: "2.9.0"
>> 
>> [openflow-flows]
>> cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
>> cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10
>> 
>> [strongswan_ipsec.conf]
>> 
>> conn %default
>>        ikelifetime=60m
>>        keylife=20m
>>        rekeymargin=3m
>>        keyingtries=1
>>        keyexchange=ikev2
>>        authby=secret
>>        mobike=no
>> 
>> conn host-host
>>        left=fd00::10
>>        leftid=fd00::10
>>        right=fd00::11
>>        rightid=fd00::11
>>        auto=route
>> 
>> 
>> Thx,
>> Seb
>> _______________________________________________
>> discuss mailing list
>> discuss at openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> 
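The configuration quoted above pairs an OVS VXLAN port (local_ip/remote_ip) with a strongswan host-to-host conn that has no leftsubnet/rightsubnet, so the installed traffic selectors are the bare endpoint addresses. A quick offline check a practitioner can run is to parse both snippets and confirm the tunnel's outer source and destination actually fall inside those selectors. The script below is an added example, not code from the thread, from Open vSwitch or from strongswan; `parse_ipsec_conf`, `traffic_selectors`, `parse_ovs_options` and `vxlan_is_covered` are hypothetical helper names, and the embedded config text is constructed in the shape of the thread's snippets.

```python
"""Check that an OVS VXLAN tunnel's outer endpoints fall inside the
strongswan traffic selectors that are supposed to protect them.

Added example, not from the mailing-list thread or either project; the
parsers below are hypothetical helpers that accept the ipsec.conf and
ovs-vsctl text shapes shown in the thread.
"""
import ipaddress
import re

# Constructed sample input, copied in shape from the thread's configs.
IPSEC_CONF = """
conn %default
       ikelifetime=60m
       keyexchange=ikev2
       authby=secret

conn host-host
       left=fd00::10
       leftid=fd00::10
       right=fd00::11
       rightid=fd00::11
       auto=route
"""

OVS_OPTIONS = 'options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}'


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default settings merged in."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def traffic_selectors(conn):
    """Derive the (left_nets, right_nets) selectors strongswan installs.

    Without leftsubnet/rightsubnet the selector is the host address itself
    (a /128 for IPv6), which is the host-to-host case in the thread."""
    def side(prefix):
        subnet = conn.get(prefix + "subnet")
        if subnet:
            return [ipaddress.ip_network(s.strip(), strict=False)
                    for s in subnet.split(",")]
        return [ipaddress.ip_network(conn[prefix])]
    return side("left"), side("right")


def parse_ovs_options(line):
    """Pull key="value" pairs (local_ip, remote_ip, ...) out of an
    ovs-vsctl show options line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def vxlan_is_covered(ipsec_text, ovs_line, conn_name="host-host"):
    """True when the VXLAN outer src/dst fall inside the IPsec selectors
    in either direction, so the same check works on both peers."""
    conn = parse_ipsec_conf(ipsec_text)[conn_name]
    left_nets, right_nets = traffic_selectors(conn)
    opts = parse_ovs_options(ovs_line)
    src = ipaddress.ip_address(opts["local_ip"])
    dst = ipaddress.ip_address(opts["remote_ip"])
    fwd = any(src in n for n in left_nets) and any(dst in n for n in right_nets)
    rev = any(src in n for n in right_nets) and any(dst in n for n in left_nets)
    return fwd or rev


if __name__ == "__main__":
    state = "covered" if vxlan_is_covered(IPSEC_CONF, OVS_OPTIONS) else "NOT covered"
    print(f"VXLAN outer addresses are {state} by conn host-host")
```

For the configuration in the thread the check passes, which is consistent with Sebastian's later observation that plain ICMP between the two addresses is encrypted: the selectors are right, so a non-passing tunnel points elsewhere than the traffic selectors. A mismatch (for instance a VXLAN local_ip that is not the conn's left address) makes the check fail immediately, and a leftsubnet/rightsubnet conn is handled by widening the selector to the configured prefix.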