[ovs-discuss] ovs-ipsec

Mark Gray mark.d.gray at redhat.com
Fri Jul 23 12:00:28 UTC 2021


On 23/07/2021 12:28, adial at mac.com wrote:
> Hi,
> 
> Rather than simply having an ipsec tunnel with nat traversal, the goal is to have an ovs-ipsec tunnel.
> 
> Unless I’m misunderstanding, I was under the impression that ovs could create and maintain ipsec tunnels from within ovs-ipsec and just relies on libreswan or strongswan daemons as implementation.

Yes, that is exactly what happens and, by default IIRC, newer versions
of Libreswan should detect NAT and enable NAT traversal. I presume
Strongswan is the same. However, I have not tried it. The "Reporter" of
the bugzilla link that I sent has tried it.
> 
> If I attempt your suggestion, can the tunnel created from within libreswan or strongswan directly still be controlled and maintained from ovs-ipsec?

I wasn't suggesting anything in particular but just asking if you had
tried it through OVS and what commands did you run and what was your
test setup.

> 
> Thank you.
> On Jul 23, 2021, 1:51 AM -0600, Mark Gray <mark.d.gray at redhat.com>, wrote:
>> On 23/07/2021 00:57, Allen Dial via discuss wrote:
>>> Hello,
>>>
>>>
>>> I am wondering if anyone knows how to set up ovs-ipsec using NAT traversal. The documentation shows that one can use ovs-ipsec provided both sides of the tunnel have accessible public IP addresses, but I am interested in setting up two switches where only one side has a public IP and the other is behind NAT. The situation is such that I cannot do port forwarding on the router either. NAT traversal is a common practice in ipsec for implementations outside of OVS, but I don't know if that functionality has made it to OVS.
>>>
>>>
>>> As there are no instructions for this type of topology in the documentation, I am hoping there is someone on this list that has accomplished it.
>>
>>
>> Libreswan should support NAT-traversal. I have not personally tried it
>> but this bug was raised suggesting that there may be a problem with it:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1935599
>>
>> Have you tried something like this setup? Are you using Libreswan or
>> Strongswan?
>>
>>>
>>>
>>> Thank you,
>>> Allen
>>>
>>>
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>>
>>
> 
