gretap fixed my GRE tunneling issue, thank you...
However, IPsec between the two systems is now “broken”. If the IPsec
tunnel is shut down and the GRE tunnels are up, we can route without
problem. If the IPsec tunnel is up, GRE packets from the iproute2 box
(Cash) appear to be IPsec-encapsulated; packets from Tango (OVS) seem to
arrive without IPsec encapsulation.
On boot, the IPsec tunnel is started and tested by a script. If the
IPsec tunnel passes for both directions, the GRE tunnel is brought up on
either side (see below).
I've also attempted to bring GRE up after IPsec by hand, with the same
results.
With IPsec showing “up” and the GRE tunnel in place:
root@Tango: ping -s 1000 10.10.10.2
From 10.10.10.1 Destination Host Unreachable
etc
GRE packets show up at Cash with a size of 64, not the 1000 bytes sent;
negotiation or some ARP request?
root@Tango: ping -s 1000 2.2.2.2
reply good, packets are IPsec-encapsulated as I expect
root@Cash: ping -s 1000 1.1.1.1
reply good, as above
root@Cash: ping -s 10.10.10.1
From 10.10.10.2 Destination Host Unreachable
GRE packets show up at Tango along with some IPsec-encapsulated ones,
more so than Tango.
Any thoughts on problems with the configuration below? Are the GRE
packets being routed before being considered for IPsec wrapping?
Review of “working” GRE config with IPsec configs added:
Host: Tango (OVS)
IP external: 1.1.1.1 (ext0)
IP internal: 10.1.1.1 (int0)
LAN 10.1.1.0/24
TUN ID: 10.10.10.1/24
Host: Cash (iproute2)
IP external: 2.2.2.2 (eth0)
IP internal: 10.2.2.2 (eth1)
LAN 10.2.2.0/24
TUN ID: 10.10.10.2/24
----
Tango setup:
ovs-vsctl add-br ext0
ovs-vsctl add-br int0
ovs-vsctl add-port ext0 eth0
ovs-vsctl add-port int0 eth1
ovs-vsctl add-br gre_cash
ip link set gre_cash up multicast on mtu 1396
ip addr add 10.10.10.1/24 peer 10.10.10.2/24 dev gre_cash
ovs-vsctl add-port gre_cash gre0 -- set interface gre0 type=gre \
    options:remote_ip=2.2.2.2,local_ip=1.1.1.1
Tango IPsec (strongSwan, PSK), ipsec.conf:
conn tango-cash
    right=1.1.1.1
    left=2.2.2.2
    keyingtries=%forever
    type=tunnel
    auth=esp
    authby=secret
    auto=add
Cash setup: *note gretap as type
ip link add gre_tango type gretap remote 1.1.1.1 local 2.2.2.2 ttl 255
ip link set gre_tango up multicast on mtu 1396
ip addr add 10.10.10.2 peer 10.10.10.1 dev gre_tango
Cash IPsec (strongSwan, PSK), ipsec.conf:
conn itm-cc
    right=2.2.2.2
    left=1.1.1.1
    keyingtries=%forever
    type=tunnel
    auth=esp
    authby=secret
    auto=add
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
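Added example, not code from the post above nor from Open vSwitch or strongSwan: on Linux the IPsec (xfrm) policy lookup for locally generated packets happens on the output path once a route has been chosen, so whether a GRE packet gets wrapped comes down to whether the `dir out` policy strongSwan installed has a selector that covers IP protocol 47 between 1.1.1.1 and 2.2.2.2. The script below parses the text form of `ip xfrm policy show` and answers that question for a given flow. The two policy dumps embedded in it are constructed for the example (a host-to-host tunnel like the one in the post, and a LAN-to-LAN tunnel whose outer GRE packets would match nothing); the `IP_PROTO` table and function names are this example's own.

```python
"""Check whether an outbound flow is covered by an IPsec (xfrm) policy.

Added example: parses `ip xfrm policy show` output and reports whether a
flow such as GRE (IP protocol 47) between the tunnel endpoints would hit
a `dir out` policy carrying an ESP tunnel-mode template.  The two dumps
below are constructed for this example, not captured from Tango or Cash.
"""
import ipaddress
import re

# Protocol names as `ip xfrm` prints them in a selector, mapped to numbers.
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

# Constructed: host-to-host tunnel (no leftsubnet/rightsubnet), Tango side.
SAMPLE_HOST_TO_HOST = """\
src 1.1.1.1/32 dst 2.2.2.2/32
\tdir out priority 2816 ptype main
\ttmpl src 1.1.1.1 dst 2.2.2.2
\t\tproto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
\tdir fwd priority 2816 ptype main
\ttmpl src 2.2.2.2 dst 1.1.1.1
\t\tproto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
\tdir in priority 2816 ptype main
\ttmpl src 2.2.2.2 dst 1.1.1.1
\t\tproto esp reqid 1 mode tunnel
"""

# Constructed: LAN-to-LAN tunnel only.  The outer GRE packets between the
# public addresses match no selector and would leave in the clear.
SAMPLE_SUBNET_ONLY = """\
src 10.1.1.0/24 dst 10.2.2.0/24
\tdir out priority 2816 ptype main
\ttmpl src 1.1.1.1 dst 2.2.2.2
\t\tproto esp reqid 1 mode tunnel
src 10.2.2.0/24 dst 10.1.1.0/24
\tdir in priority 2816 ptype main
\ttmpl src 2.2.2.2 dst 1.1.1.1
\t\tproto esp reqid 1 mode tunnel
"""

_SEL_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")


def _proto_num(name):
    """Map a selector protocol (name or number) to an IP protocol number."""
    if name is None:
        return None            # no proto in the selector: matches any protocol
    if name.isdigit():
        return int(name)
    return IP_PROTO[name]      # unknown names raise rather than silently match


def parse_policies(dump):
    """Parse `ip xfrm policy show` text into a list of policy dicts."""
    policies, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():          # unindented line: a new selector
            m = _SEL_RE.match(line)
            if not m:
                continue
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "proto": _proto_num(m.group(3)),
                   "dir": None, "priority": 0, "tmpls": []}
            policies.append(cur)
        elif cur is None:
            continue
        elif line.startswith("dir "):      # "dir out priority N ptype main"
            f = line.split()
            kv = dict(zip(f[0::2], f[1::2]))
            cur["dir"] = kv["dir"]
            cur["priority"] = int(kv.get("priority", 0))
        elif line.startswith("tmpl "):     # template header; details follow
            cur["tmpls"].append({})
        elif cur["tmpls"] and line.startswith("proto "):
            f = line.split()               # "proto esp reqid 1 mode tunnel"
            cur["tmpls"][-1].update(zip(f[0::2], f[1::2]))
    return policies


def outbound_policy(policies, src, dst, proto):
    """Best-matching `dir out` policy for the flow, or None.

    xfrm picks the matching policy with the lowest priority value; a
    selector without a proto matches every protocol.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == "out" and s in p["src"] and d in p["dst"]
            and p["proto"] in (None, proto)]
    return min(hits, key=lambda p: p["priority"], default=None)


def flow_is_protected(dump, src, dst, proto="gre"):
    """True if the flow would be wrapped by an ESP tunnel-mode template."""
    pol = outbound_policy(parse_policies(dump), src, dst, IP_PROTO[proto])
    if pol is None:
        return False
    return any(t.get("proto") == "esp" and t.get("mode") == "tunnel"
               for t in pol["tmpls"])


if __name__ == "__main__":
    for name, dump in (("host-to-host", SAMPLE_HOST_TO_HOST),
                       ("subnet-only", SAMPLE_SUBNET_ONLY)):
        print(name, "GRE 1.1.1.1 -> 2.2.2.2 protected:",
              flow_is_protected(dump, "1.1.1.1", "2.2.2.2"))
```

To use it on a real host, feed the output of `ip xfrm policy show` (run as root, on each side) to `flow_is_protected`; a `False` for the GRE flow means the packets are not being wrapped because no policy selects them, not because routing bypassed IPsec. If the policy does match, the next things to compare are `ip xfrm state` (is there an ESP SA for that reqid?) and a capture on the external interface, e.g. `tcpdump -ni eth0 'ip proto 47 or ip proto 50'`, which shows directly whether a given host emits GRE in the clear or inside ESP.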