[ovs-discuss] ovs-ipsec

adial at mac.com adial at mac.com
Fri Jul 23 11:28:50 UTC 2021


Hi,

Rather than simply having an ipsec tunnel with nat traversal, the goal is to have an ovs-ipsec tunnel.

Unless I’m misunderstanding, I was under the impression that ovs could create and maintain ipsec tunnels from within ovs-ipsec and just relies on libreswan or strongswan daemons as implementation.

If I attempt your suggestion, can the tunnel created from within libreswan or strongswan directly still be controlled and maintained from ovs-ipsec?

Thank you.
On Jul 23, 2021, 1:51 AM -0600, Mark Gray <mark.d.gray at redhat.com>, wrote:
> On 23/07/2021 00:57, Allen Dial via discuss wrote:
> > Hello,
> >
> >
> > I am wondering if anyone knows how to set up ovs-ipsec using NAT traversal. The documentation shows that one can use ovs-ipsec provided both sides of the tunnel have accessible public IP addresses, but I am interested in setting up two switches where only one side has a public IP and the other is behind NAT. The situation is such that I cannot do port forwarding on the router either. NAT traversal is a common practice in ipsec for implementations outside of OVS, but I don't know if that functionality has made it to OVS.
> >
> >
> > As there are no instructions for this type of topology in the documentation, I am hoping there is someone on this list that has accomplished it.
>
>
> Libreswan should support NAT-traversal. I have not personally tried it
> but this bug was raised suggesting that there may be a problem with it:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1935599
>
> Have you tried something like this setup? Are you using Libreswan or
> Strongswan?
>
> >
> >
> > Thank you,
> > Allen
> >
> >