[ovs-discuss] Issue porting openvswitch-ipsec on XCP-ng

Benjamin benjamin.reis at vates.fr
Mon Sep 9 09:20:40 UTC 2019


Hello everyone,

I'm Benjamin, a French developer working at Vates (the editor of XCP-ng, 
a XenServer fork).
I've been working in the network area of XCP-ng in order to create an SDN 
Controller controlling openvswitch on several hosts.

Everything is working great as of now!

I am using openvswitch v2.11.0.
However I'm trying to add IPSEC support into XCP-ng and I'm facing an issue.

I've successfully installed libreswan version 3.26, the 
openvswitch-ipsec service from RHEL, and the Python script ovs-monitor-ipsec.
I'm using Pre-Shared Key for IPSEC.

When I attempt to create tunnels, everything seems to go smoothly:
- there's no error in ovs-vswitchd.log nor in ovs-monitor-ipsec.log
- ovs-appctl -t ovs-monitor-ipsec tunnels/show shows me the tunnels with 
correct configurations and active connections.

But there's no traffic passing on the tunnels created by openvswitch and 
since there's no helpful log I don't know how to investigate the issue.
I hoped you could point me in the right direction.

Here's what appears in ovs-vswitchd.log after tunnel creation:

2019-09-09T08:16:49.311Z|00018|tunnel(handler7)|WARN|receive tunnel port not found (pkt_mark=0x1,udp,tun_id=0x3,tun_src=192.168.5.28,tun_dst=192.168.5.27,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)
2019-09-09T08:16:49.311Z|00019|ofproto_dpif_upcall(handler7)|INFO|Dropped 1 log messages in last 214 seconds (most recently, 214 seconds ago) due to excessive rate
2019-09-09T08:16:49.311Z|00020|ofproto_dpif_upcall(handler7)|INFO|received packet on unassociated datapath port 4
2019-09-09T08:16:49.914Z|00003|tunnel(revalidator6)|WARN|receive tunnel port not found (pkt_mark=0x1,udp,tun_id=0x3,tun_src=192.168.5.28,tun_dst=192.168.5.27,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)

There are plenty of errors like this after the tunnels are created and I 
attempt to ping through the tunnels.

Does that ring a bell to anyone?

Do not hesitate to ask me anything that can help debug this issue.

Thank you,
Benjamin Reis
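
Added example, not part of the original message and not OVS project code: a small parser for the ovs-vswitchd.log lines quoted above that groups the "receive tunnel port not found" warnings by tunnel key, endpoints, datapath port and packet mark. It assumes one log entry per line (mail wrapping undone); the function names are hypothetical.

```python
import re
from collections import Counter

# vlog layout: timestamp|sequence|module(thread)|LEVEL|message
VLOG_RE = re.compile(r"^(?P<ts>\S+?)\|(?P<seq>\d+)\|(?P<module>[\w.]+)"
                     r"(?:\((?P<thread>[^)]*)\))?\|(?P<level>[A-Z]+)\|(?P<msg>.*)$")
TUNNEL_MISS = "receive tunnel port not found"
KEY_FIELDS = ("tun_id", "tun_src", "tun_dst", "in_port", "pkt_mark")

def parse_flow(text):
    """Split an OVS flow string into key=value fields; bare tokens (e.g. 'udp') go to 'protocols'."""
    fields = {"protocols": []}
    for token in text.split(","):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        elif key.strip():
            fields["protocols"].append(key.strip())
    return fields

def unmatched_tunnels(lines):
    """Count tunnel-miss warnings per (tun_id, tun_src, tun_dst, in_port, pkt_mark)."""
    counts = Counter()
    for line in lines:
        m = VLOG_RE.match(line.strip())
        if not m or m["level"] != "WARN" or TUNNEL_MISS not in m["msg"]:
            continue  # not a vlog line, or not the warning of interest
        flow = re.search(r"\((.*)\)\s*$", m["msg"])
        if flow:
            f = parse_flow(flow.group(1))
            counts[tuple(f.get(k, "?") for k in KEY_FIELDS)] += 1
    return counts

# Sample: the log lines quoted in the message above, with mail line wrapping undone.
FLOW = ("pkt_mark=0x1,udp,tun_id=0x3,tun_src=192.168.5.28,tun_dst=192.168.5.27,"
        "tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,"
        "tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,"
        "dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=16,"
        "nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67")
SAMPLE = [
    f"2019-09-09T08:16:49.311Z|00018|tunnel(handler7)|WARN|{TUNNEL_MISS} ({FLOW})",
    "2019-09-09T08:16:49.311Z|00020|ofproto_dpif_upcall(handler7)|INFO|"
    "received packet on unassociated datapath port 4",
    f"2019-09-09T08:16:49.914Z|00003|tunnel(revalidator6)|WARN|{TUNNEL_MISS} ({FLOW})",
]

if __name__ == "__main__":
    for key, n in unmatched_tunnels(SAMPLE).items():
        print(n, dict(zip(KEY_FIELDS, key)))
```

Each grouped key is the set of values to compare against the tunnel interfaces actually configured on the receiving host.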

