[ovs-discuss] Issue porting openvswitch-ipsec on XCP-ng

Ben Pfaff blp at ovn.org
Wed Sep 25 16:05:10 UTC 2019


Ansis (added to this message) knows the most about IPsec.  If he has
the time for it, I imagine he can help you figure this out.

On Mon, Sep 09, 2019 at 09:20:40AM +0000, Benjamin wrote:
> Hello everyone,
> 
> I'm Benjamin, a French developer working at Vates (the editor of XCP-ng, a
> XenServer fork).
> I've been working in the network area of XCP-ng in order to create an SDN
> Controller controlling openvswitch on several hosts.
> 
> Everything is working great as of now!
> 
> I am using openvswitch v2.11.0.
> However I'm trying to add IPSEC support into XCP-ng and I'm facing an issue.
> 
> I've successfully installed libreswan version 3.26, and the
> openvswitch-ipsec service from RHEL and the Python script ovs-monitor-ipsec.
> I'm using Pre-Shared Key for IPSEC.
> 
> When I attempt to create tunnels, everything seems to go smoothly:
> - there's no error in ovs-vswitchd.log nor in ovs-monitor-ipsec.log
> - ovs-appctl -t ovs-monitor-ipsec tunnels/show shows me the tunnels with
> correct configurations and active connections.
> 
> But there's no traffic passing on the tunnels created by openvswitch and
> since there's no helpful log I don't know how to investigate the issue.
> I hoped you could point me in the right direction.
> 
> Here's what appears in ovs-vswitchd.log after tunnel creation:
> 
> 2019-09-09T08:16:49.311Z|00018|tunnel(handler7)|WARN|receive tunnel port not found (pkt_mark=0x1,udp,tun_id=0x3,tun_src=192.168.5.28,tun_dst=192.168.5.27,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)
> 2019-09-09T08:16:49.311Z|00019|ofproto_dpif_upcall(handler7)|INFO|Dropped 1 log messages in last 214 seconds (most recently, 214 seconds ago) due to excessive rate
> 2019-09-09T08:16:49.311Z|00020|ofproto_dpif_upcall(handler7)|INFO|received packet on unassociated datapath port 4
> 2019-09-09T08:16:49.914Z|00003|tunnel(revalidator6)|WARN|receive tunnel port not found (pkt_mark=0x1,udp,tun_id=0x3,tun_src=192.168.5.28,tun_dst=192.168.5.27,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)
> 
> There are plenty of errors like this after the tunnels are created and I
> attempt to ping through the tunnels.
> 
> Does that ring a bell to anyone?
> 
> Do not hesitate to ask me anything that can help debug this issue.
> 
> Thank you,
> Benjamin Reis

