[ovs-discuss] Issue porting openvswitch-ipsec on XCP-ng

Ansis ansisatteka at gmail.com
Wed Sep 25 18:45:28 UTC 2019

On Mon, 9 Sep 2019 at 02:36, Benjamin <benjamin.reis at vates.fr> wrote:
> Hello everyone,
> I'm Benjamin, a French developer working at Vates (the editor of XCP-ng,
> a XenServer fork).
> I've been working in the network area of XCP-ng in order to create a SDN
> Controller controlling openvswitch on several hosts.
> Everything is working great as for now!
> I am using openvswitch v2.11.0.
> However, I'm trying to add IPSEC support into XCP-ng and I'm facing an issue.
> I've successfully installed libreswan version 3.26, and the
> openvswitch-ipsec service from rhel and the python script ovs-monitor-ipsec.
> I'm using Pre-Shared Key for IPSEC.
> When I attempt to create tunnels, everything seems to go smoothly:
> - there's no error in ovs-vswitchd.log nor in ovs-monitor-ipsec.log
> - ovs-appctl -t ovs-monitor-ipsec tunnels/show shows me the tunnels with
> correct configurations and active connections.

Share your ovs-appctl output here.

> But there's no traffic passing on the tunnels created by openvswitch and
> since there's no helpful log I don't know how to investigate the issue.
> I hoped you could point me in the right direction.

Did the plain tunnel work in your setup? E.g. if you are using geneve
with ipsec, simply try plain geneve.

> Here's what appears in ovs-vswitchd.log after tunnels creation:
> 2019-09-09T08:16:49.311Z|00018|tunnel(handler7)|WARN|receive tunnel port
> not found
> (pkt_mark=0x1,udp,tun_id=0x3,tun_src=,tun_dst=,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=,nw_dst=,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)
> 2019-09-09T08:16:49.311Z|00019|ofproto_dpif_upcall(handler7)|INFO|Dropped
> 1 log messages in last 214 seconds (most recently, 214 seconds ago) due
> to excessive rate
> 2019-09-09T08:16:49.311Z|00020|ofproto_dpif_upcall(handler7)|INFO|received
> packet on unassociated datapath port 4
> 2019-09-09T08:16:49.914Z|00003|tunnel(revalidator6)|WARN|receive tunnel
> port not found
> (pkt_mark=0x1,udp,tun_id=0x3,tun_src=,tun_dst=,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_flags=key,in_port=4,vlan_tci=0x0000,dl_src=b2:bc:3c:29:bd:fd,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=,nw_dst=,nw_tos=16,nw_ecn=0,nw_ttl=128,tp_src=68,tp_dst=67)
> There's plenty of errors like this after the tunnels are created and I
> attempt to ping through the tunnels.
> Does that ring a bell to anyone?

IIRC, I have seen that "receive tunnel port not found" in the following cases:
1. skb mark not being set, so ovs user space is confused about which tunnel
it is (this is specific to IPsec).
2. openvswitch kernel module does not support that particular tunnel flavor
even in plain (this is not specific to IPsec).

Probably checking the ofport value for the tunnel in OVSDB's Interface table
would help to pinpoint which case it is.

> Do not hesitate to ask me anything that can help debug this issue.
> Thank you,
> Benjamin Reis
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
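A small check script in the spirit of the ofport suggestion above, added here as an example and not part of the thread or of the OVS project: it reads each tunnel interface's `ofport` and `error` columns from the OVSDB Interface table with ovs-vsctl and sorts it into one of the two cases. The mapping (ofport -1 or empty means the datapath never created the port, i.e. case 2; a real ofport means the port exists, so the lookup failure points at the IPsec skb mark, case 1) and the list of tunnel types it walks are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies OVS tunnel ports by
# the ofport value stored in OVSDB's Interface table.
# Assumed mapping: ofport -1 or [] -> the datapath refused to create the
# port (case 2: kernel module lacks this tunnel type; see the 'error'
# column); a numeric ofport -> the port exists, so a "receive tunnel port
# not found" lookup failure points at the IPsec skb mark (case 1).

# tunnel_case OFPORT -> prints one token: no_port | port_ok | unknown
tunnel_case() {
    case "$1" in
        -1|'[]')     echo no_port ;;   # port creation failed or never happened
        ''|*[!0-9]*) echo unknown ;;   # empty or non-numeric value
        *)           echo port_ok ;;   # a real OpenFlow port number
    esac
}

# explain_case TOKEN -> one-line interpretation for the operator
explain_case() {
    case "$1" in
        no_port) echo "datapath port not created: check the 'error' column and whether the kernel module supports this tunnel type (case 2)" ;;
        port_ok) echo "port exists: if packets still hit 'receive tunnel port not found', look at the IPsec skb mark (case 1)" ;;
        *)       echo "unexpected ofport value, inspect the row by hand" ;;
    esac
}

# check_ovs_tunnels: walk the tunnel types below (assumed list) and report
# every Interface row of that type. Requires ovs-vsctl on a live host.
check_ovs_tunnels() {
    for type in geneve vxlan gre; do
        for name in $(ovs-vsctl --bare --columns=name find Interface type="$type"); do
            ofport=$(ovs-vsctl get Interface "$name" ofport)
            error=$(ovs-vsctl get Interface "$name" error)
            token=$(tunnel_case "$ofport")
            printf '%s type=%s ofport=%s error=%s\n  -> %s\n' \
                "$name" "$type" "$ofport" "$error" "$(explain_case "$token")"
        done
    done
}

# Only touch the live OVSDB when explicitly asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_ovs_tunnels
fi
```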
