[ovs-discuss] VXLAN over IPSec - what's wrong
Sebastian Pitei
sebastian at pitei.eu
Mon Oct 8 13:27:18 UTC 2018
Hi Qiuyu,
Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is encrypted.
Seb
-----Original Message-----
From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Sent: Monday, October 8, 2018 4:01 PM
To: Sebastian Pitei <sebastian at pitei.eu>
Cc: ovs-discuss at openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Your understanding is correct. Your previous configuration file seems to encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one host from another, will the ICMP traffic be encrypted?
-Qiuyu
> On Oct 7, 2018, at 1:05 PM, Sebastian Pitei <sebastian at pitei.eu> wrote:
>
> P.S.: does the above make sense? Is there a flaw in my logic?
>
> P.P.S: this week I should also get some physical boxes to test the setup, maybe it will provide different results, as I've been testing this whole setup inside VirtualBox and VMware Workstation Pro.
>
> Thx,
> Seb
>
> -----Original Message-----
> From: Sebastian Pitei
> Sent: Sunday, October 7, 2018 8:03 PM
> To: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
> Cc: ovs-discuss at openvswitch.org
> Subject: RE: [ovs-discuss] VXLAN over IPSec - what's wrong
>
> Hi Qiuyu,
>
> Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:
>
> -a packet arrives on the physical interface.
> -OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
> -using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
> -Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
>
> -----Original Message-----
> From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
> Sent: Thursday, September 20, 2018 1:13 AM
> To: Sebastian Pitei <sebastian at pitei.eu>
> Cc: ovs-discuss at openvswitch.org
> Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
>
> Hi Sebastian,
>
> If it is an IPsec configuation problem, you can check syslog to see what error messages were put by the strongswan daemon.
>
> There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.
>
> Best,
> Qiuyu
> On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>>
>> Hi everyone,
>>
>> I'm trying to build a simple OVS setup as follows:
>> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
>> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>>
>> [Scenario 1]
>> -VXLAN comes up, traffic flows from the physical interface to the
>> VXLAN tunnel and vice-versa
>>
>> [Scenario 2]
>> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between briges.
>>
>> Am I missing something? Is there another way to do this? I'm pasting
>> below my configuration, maybe it helps
>>
>> [bridge-config]
>> Bridge "br0"
>> Controller "tcp:[fd00::100]"
>> fail_mode: secure
>> Port "br0"
>> Interface "br0"
>> type: internal
>> Port "vxlan0"
>> Interface "vxlan0"
>> type: vxlan
>> options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>> Port "enp0s10"
>> Interface "enp0s10"
>> ovs_version: "2.9.0"
>>
>> [openflow-flows]
>> cookie=0x0, duration=86993.364s, table=0, n_packets=168419,
>> n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0 cookie=0x0,
>> duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100,
>> in_port=vxlan0 actions=output:enp0s10
>>
>> [strongswan_ipsec.conf]
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> authby=secret
>> mobike=no
>>
>> conn host-host
>> left=fd00::10
>> leftid=fd00::10
>> right=fd00::11
>> rightid=fd00::11
>> auto=route
>>
>>
>> Thx,
>> Seb
>> _______________________________________________
>> discuss mailing list
>> discuss at openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
More information about the discuss
mailing list