[ovs-discuss] Ipsec tunnel is not encrypted

Ansis ansisatteka at gmail.com
Fri Jul 5 21:27:31 UTC 2019


On Fri, 5 Jul 2019 at 12:26, <marcosabreu at inf.ufg.br> wrote:
>
> I tried to create an IPsec tunnel between 2 hosts. The tunnel was created
> and I can communicate between hosts. But when I capture packets using
> tcpdump, I see that the traffic is not encrypted.
>
> My topology:
>
> +--------------+                                     +--------------+
> |     vm0      | 10.250.204.11/24                    |     vm1      |
> 10.250.204.21/24
> +--------------+                                     +--------------+
>     (vm_port0)                                          (vm_port0)
>         |                                                   |
>         |                                                   |
>         |                                                   |
>         |                                                   |
>   10.250.204.10/24                                   10.250.204.20/24
> +--------------+                                   +--------------+
> |    remibr0    |                                  |    remibr0    |
> +--------------+                                   +---------------+
> |     eth1      |----------------------------------|      eth1     |
> +--------------+                                   +---------------+
>   10.16.0.138/16                                      10.16.0.247/16
>
> The commands that I run:
>
> ovs-vsctl add-br remibr0
> ovs-vsctl add-port remibr0 vxlan0 -- set Interface vxlan0 type=vxlan
> options:remote_ip=10.16.0.247 options:psk=test123
> ovs-vsctl add-port remibr0 vi0 -- set Interface vi0 type=internal
> ifconfig vi0 10.250.204.20/24 up
>
> My ovs-vsctl show:
>
> Bridge "remibr0"
>          Port "vxlan0"
>              Interface "vxlan0"
>                  type: vxlan
>                  options: {key="test123", remote_ip="10.16.0.247"}

As Ben pointed out, use OVS 2.11 or later (`ps -Af | grep
ovs-monitor-ipsec` is the ultimate test to see if you have OVS's
IPsec daemon running. Without it, IPsec integration will not work).

Also, the `ovs-vsctl show` output does not correctly represent what
you should see after executing the commands you mentioned a few lines
higher: options:psk is not set, but options:key is set. You must
set options:psk for IPsec.

>          Port "sw1-p1"
>              Interface "sw1-p1"
>          Port "remibr0"
>              Interface "remibr0"
>                  type: internal
>      ovs_version: "2.10.1"
>
> Does someone know if I messed up in some step or I'm confused about concepts?
>
> Thanks!
>
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
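The three checks Ansis's reply points at (daemon running, options:psk rather than options:key on the tunnel interface, and ESP rather than cleartext VXLAN on the underlay) collected into one script. This is an added example, not code from the thread or from the OVS project; the interface name vxlan0 and the underlay NIC eth1 are taken from the poster's topology, the tcpdump and ps sample lines fed to the offline checks are constructed, and the live `audit_tunnel` function assumes an OVS 2.11+ host with ovs-vsctl, ps, tcpdump and timeout available.

```shell
#!/bin/sh
# Added example, not from the original thread or the OVS project.
# Sanity checks for an OVS IPsec-protected tunnel on OVS 2.11+:
#   1. the ovs-monitor-ipsec daemon must be running,
#   2. the tunnel Interface must carry options:psk (options:key is the VXLAN
#      VNI / tunnel key, not an IPsec key, so setting it buys no encryption),
#   3. the underlay capture must show ESP, not cleartext VXLAN on UDP 4789.
# Interface vxlan0 and NIC eth1 come from the thread; the ps and tcpdump
# lines used by the offline checks are constructed for this example.

# has_psk OPTIONS: succeed if the options map printed by
# `ovs-vsctl get Interface <name> options` contains a psk entry.
has_psk() {
    case "$1" in
        *psk=*) return 0 ;;
        *)      return 1 ;;
    esac
}

# ipsec_daemon_running: read a `ps -Af` listing on stdin and succeed if
# ovs-monitor-ipsec is in it (ignoring the grep that looks for it).
ipsec_daemon_running() {
    grep -v grep | grep -q 'ovs-monitor-ipsec'
}

# classify_capture_line LINE: print "esp" for an ESP datagram, "vxlan" for
# cleartext VXLAN to UDP 4789, "other" otherwise, from one tcpdump summary line.
classify_capture_line() {
    case "$1" in
        *" ESP("*)           echo esp ;;
        *".4789: VXLAN"*)    echo vxlan ;;
        *)                   echo other ;;
    esac
}

# count_cleartext_vxlan: read tcpdump summary lines on stdin and print how
# many are cleartext VXLAN; a working IPsec tunnel gives 0.
count_cleartext_vxlan() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_capture_line "$line")" = vxlan ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_tunnel IFACE NIC: the live version, run as root on the OVS host.
# Returns non-zero at the first failed check. Generate some traffic between
# the VMs (e.g. a ping) while it runs, or the capture will wait for packets.
audit_tunnel() {
    iface=${1:-vxlan0}
    nic=${2:-eth1}
    if ! ps -Af | ipsec_daemon_running; then
        echo "FAIL: ovs-monitor-ipsec is not running (OVS >= 2.11 required)"
        return 1
    fi
    opts=$(ovs-vsctl get Interface "$iface" options)
    if ! has_psk "$opts"; then
        echo "FAIL: $iface has no options:psk; options are $opts"
        return 1
    fi
    # 20 underlay packets (or 10 seconds) are enough to see whether traffic
    # leaves as ESP or as cleartext VXLAN.
    leaks=$(timeout 10 tcpdump -ni "$nic" -c 20 'esp or udp port 4789' 2>/dev/null \
            | count_cleartext_vxlan)
    if [ "$leaks" -ne 0 ]; then
        echo "FAIL: $leaks cleartext VXLAN packets seen on $nic"
        return 1
    fi
    echo "OK: $iface traffic leaves $nic inside ESP"
}

# Only touch the live system when asked to: ./ipsec-check.sh --live vxlan0 eth1
if [ "${1:-}" = "--live" ]; then
    audit_tunnel "${2:-vxlan0}" "${3:-eth1}"
fi
```

If the first check fails, start the daemon with `ovs-ctl --ipsec start` (shipped under /usr/share/openvswitch/scripts/ in OVS 2.11+) and re-run; if the second fails, re-create the port with `options:psk=...` instead of `options:key=...`, as the reply says.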

