[ovs-discuss] VXLAN over IPSec - what's wrong

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Mon Oct 8 13:33:33 UTC 2018


Then the IPsec configuration should be correct. If the VXLAN setup is also correct, the VXLAN traffic should also be encrypted since the outer IP header uses “fd00::10” and “fd00::11”. Did you test the VXLAN setup without IPsec enabled?

-Qiuyu

> On Oct 8, 2018, at 9:27 AM, Sebastian Pitei <sebastian at pitei.eu> wrote:
> 
> Hi Qiuyu,
> 
> Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is encrypted.
> 
> Seb
> -----Original Message-----
> From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com> 
> Sent: Monday, October 8, 2018 4:01 PM
> To: Sebastian Pitei <sebastian at pitei.eu>
> Cc: ovs-discuss at openvswitch.org
> Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
> 
> Your understanding is correct. Your previous configuration file seems to encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one host from another, will the ICMP traffic be encrypted?
> 
> -Qiuyu
> 
>> On Oct 7, 2018, at 1:05 PM, Sebastian Pitei <sebastian at pitei.eu> wrote:
>> 
>> P.S.: does the above make sense? Is there a flaw in my logic?
>> 
>> P.P.S: this week I should also get some physical boxes to test the setup, maybe it will provide different results, as I've been testing this whole setup inside VirtualBox and VMware Workstation Pro.
>> 
>> Thx,
>> Seb
>> 
>> -----Original Message-----
>> From: Sebastian Pitei
>> Sent: Sunday, October 7, 2018 8:03 PM
>> To: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
>> Cc: ovs-discuss at openvswitch.org
>> Subject: RE: [ovs-discuss] VXLAN over IPSec - what's wrong
>> 
>> Hi Qiuyu,
>> 
>> Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:
>> 
>> -a packet arrives on the physical interface.
>> -OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
>> -using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
>> -Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
>> 
>> -----Original Message-----
>> From: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
>> Sent: Thursday, September 20, 2018 1:13 AM
>> To: Sebastian Pitei <sebastian at pitei.eu>
>> Cc: ovs-discuss at openvswitch.org
>> Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong
>> 
>> Hi Sebastian,
>> 
>> If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.
>> 
>> There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.
>> 
>> Best,
>> Qiuyu
>> On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei <sebastian at pitei.eu> wrote:
>>> 
>>> Hi everyone,
>>> 
>>> I'm trying to build a simple OVS setup as follows:
>>> -two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
>>> -each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.
>>> 
>>> [Scenario 1]
>>> -VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel and vice-versa
>>> 
>>> [Scenario 2]
>>> -I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between bridges.
>>> 
>>> Am I missing something? Is there another way to do this? I'm pasting below my configuration, maybe it helps
>>> 
>>> [bridge-config]
>>>   Bridge "br0"
>>>       Controller "tcp:[fd00::100]"
>>>       fail_mode: secure
>>>       Port "br0"
>>>           Interface "br0"
>>>               type: internal
>>>       Port "vxlan0"
>>>           Interface "vxlan0"
>>>               type: vxlan
>>>               options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>>>       Port "enp0s10"
>>>           Interface "enp0s10"
>>>   ovs_version: "2.9.0"
>>> 
>>> [openflow-flows]
>>> cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
>>> cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10
>>> 
>>> [strongswan_ipsec.conf]
>>> 
>>> conn %default
>>>       ikelifetime=60m
>>>       keylife=20m
>>>       rekeymargin=3m
>>>       keyingtries=1
>>>       keyexchange=ikev2
>>>       authby=secret
>>>       mobike=no
>>> 
>>> conn host-host
>>>       left=fd00::10
>>>       leftid=fd00::10
>>>       right=fd00::11
>>>       rightid=fd00::11
>>>       auto=route
>>> 
>>> 
>>> Thx,
>>> Seb
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>> 
> 
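The point made at the top of this thread is that VXLAN traffic is only encrypted if its outer IPv6 header (the tunnel's local_ip/remote_ip) falls inside the IPsec traffic selectors derived from the conn's left/right settings. The script below is an added example, not code from the thread or from the ovs-ipsec project: it parses a constructed copy of the posted ipsec.conf and of the vxlan0 options line, derives each conn's selectors (leftsubnet/rightsubnet if set, otherwise the host address as a /128), honours an optional leftprotoport/rightprotoport restriction, and reports whether the VXLAN outer flow (UDP 4789 between local_ip and remote_ip) is covered. The function names and the sample configs are assumptions made for this example.

```python
"""Check whether an OVS VXLAN tunnel's outer endpoints are covered by a
strongSwan host-to-host IPsec policy.  Added example; the two config
strings are constructed copies of what was posted in the thread."""
import ipaddress
import re

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port, the OVS default

# Constructed copy of the posted strongswan ipsec.conf.
IPSEC_CONF = """
conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
      authby=secret
      mobike=no

conn host-host
      left=fd00::10
      leftid=fd00::10
      right=fd00::11
      rightid=fd00::11
      auto=route
"""

# Constructed copy of the vxlan0 options line from the posted bridge config.
VXLAN_OPTIONS = 'options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}'


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the %default section merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def selector(conn, side):
    """Traffic selector for 'left' or 'right': <side>subnet if set, else the host as /128 (or /32)."""
    subnet = conn.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet.split(",")[0].strip(), strict=False)
    return ipaddress.ip_network(str(ipaddress.ip_address(conn[side])))


def protoport_allows(conn, side, proto="udp", proto_number=17, port=VXLAN_UDP_PORT):
    """True if <side>protoport (e.g. 'udp/4789', '17/4789', 'udp', unset) admits this flow."""
    spec = conn.get(side + "protoport")
    if not spec:
        return True  # no restriction: every protocol and port is selected
    p, _, prt = spec.partition("/")
    if p not in ("%any", proto, str(proto_number)):
        return False
    return prt in ("", "%any", str(port))


def parse_vxlan_options(line):
    """Extract key="value" pairs from an OVS 'options: {...}' line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def vxlan_covered_by(conn, vxlan_opts):
    """True if the VXLAN outer src/dst pair lies inside the conn's selectors in either orientation."""
    local = ipaddress.ip_address(vxlan_opts["local_ip"])
    remote = ipaddress.ip_address(vxlan_opts["remote_ip"])
    left, right = selector(conn, "left"), selector(conn, "right")
    # The policy is symmetric: this host may be configured as left or as right.
    forward = local in left and remote in right and protoport_allows(conn, "left") and protoport_allows(conn, "right")
    reverse = local in right and remote in left and protoport_allows(conn, "right") and protoport_allows(conn, "left")
    return forward or reverse


def check(ipsec_text, vxlan_line):
    """Map every conn name to whether it covers the VXLAN tunnel's outer flow."""
    opts = parse_vxlan_options(vxlan_line)
    return {name: vxlan_covered_by(conn, opts) for name, conn in parse_ipsec_conf(ipsec_text).items()}


if __name__ == "__main__":
    for name, ok in check(IPSEC_CONF, VXLAN_OPTIONS).items():
        print(f"conn {name}: VXLAN outer flow {'covered' if ok else 'NOT covered'}")
```

With the posted configs the host-host conn covers the tunnel, which matches the reasoning in the thread: if plain ICMP between the two hosts is encrypted, VXLAN between the same addresses is selected by the same policy, so a remaining failure is more likely in the VXLAN or OpenFlow side than in the selectors. Changing remote_ip to an address outside the conn, or adding a leftprotoport that excludes UDP 4789, makes the check report the conn as not covering the tunnel.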
