On Tue, Jul 5, 2016 at 4:04 PM, Bolesław Tokarski <[email protected]> wrote:
> Hello,
>
> For some reason the machine receiving traffic through ipsec_gre is not putting
> it through to the LOCAL interface.
>
> I have a basic test setup:
>
> hostA - ip network - hostB
>
> Both hosts have just a single eth0 interface. I managed to get a regular gre
> tunnel working (thanks to Mathy Vanvoorden's blogpost) with - hostA:
>
> ovs-vsctl add-br insecure
> ip link set insecure up
> ip addr add 192.168.10.1/24 broadcast 192.168.10.255 dev insecure
> ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre options:remote_ip=2.2.2.2
>
> hostB:
>
> ovs-vsctl add-br insecure
> ip link set insecure up
> ip addr add 192.168.10.2/24 broadcast 192.168.10.255 dev insecure
> ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre options:remote_ip=1.1.1.1
>
> on hostB.
>
> Now, I am able to ping both hostA and hostB between each other using the
> 192.168.10.1 and 192.168.10.2 IP addresses.
>
> However, changing this to ipsec_gre causes some problems - hostA:
>
> ovs-vsctl add-br secure
> ip link set secure up
> ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev secure
> ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=2.2.2.2 options:psk=secret
>
> hostB:
>
> ovs-vsctl add-br secure
> ip link set secure up
> ip addr add 192.168.20.2/24 broadcast 192.168.20.255 dev secure
> ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=1.1.1.1 options:psk=secret
>
> Pinging the machines between each other with the internal IPs gives no response.
> On the machine attempting the ping, tcpdump shows ARP requests on the "secure"
> interface and ESP outgoing packets on eth0. On the machine receiving I see
> incoming ESP packets on eth0, and nothing on the "secure" interface.
>
> I checked the logs and I can confirm that the ipsec session was initiated
> successfully. Increasing the ovs-vswitchd log verbosity to DEBUG I could
> even spot ARP packets on the receiving machine:
>
> 2016-07-05T22:24:12.771Z|34809|dpif(revalidator35)|DBG|system@ovs-system: flow_dump recirc_id(0),dp_hash(0/0),skb_priority(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=2.2.2.2,tos=0x0,ttl=63,flags()),in_port(1),skb_mark(0),eth(src=11:22:33:44:55:66,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.20.1/255.255.255.255,tip=192.168.20.2/255.255.255.255,op=1/0xff,sha=22:33:44:55:66:77/00:00:00:00:00:00,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:13, bytes:546, used:0.476s, actions:3
>
> So, iiuc, it means that the ARP request got through the ipsec tunnel and was
> received by vswitchd on the other side, but for some reason vswitchd did
> not put the request onto the "secure" interface.
>
> I think it is some bug, but I can't rule out that this is expected
> behaviour. Please point it out if you notice anything missing from my setup.
>
> The machines are running OpenSUSE 42.1, with kernel 4.1.21, ipsec-tools
> 0.8.0 and openvswitch 2.3.1.
Interfaces with type ipsec_gre require running the ovs-monitor-ipsec script to function, but this is only available for Debian. However, you can just use normal GRE interfaces in OVS and then configure IPsec by hand.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
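The "plain GRE port plus IPsec by hand" approach from the reply, written out as an added example. This is not code from the thread or from the Open vSwitch project (it is not ovs-monitor-ipsec); it only generates the pieces an operator would feed to ovs-vsctl, setkey and racoon from the ipsec-tools the poster already has. The bridge name, subnet, endpoint addresses 1.1.1.1/2.2.2.2 and the PSK are taken from the thread; the cipher choices, the psk.txt path and the tcpdump sample lines are assumptions. The last function is the check that matters for the security property: on the underlay NIC only ESP may be seen between the two endpoints, and a GREv0 line means the SPD is not being applied and the tunnel traffic is leaving in the clear.

```shell
#!/bin/sh
# Added example (not from the thread or the OVS project): plain OVS GRE port,
# setkey SPD that *requires* transport-mode ESP for GRE, racoon IKEv1 with a
# PSK, and a leak check over tcpdump output.  Addresses/PSK come from the
# thread; cipher suite, file paths and sample captures are assumptions.
set -u

# Print the OVS/iproute2 commands for a plain (type=gre) port on a bridge.
# Usage: gre_commands BRIDGE CIDR BROADCAST PORT REMOTE_IP
gre_commands() {
    br=$1 cidr=$2 bcast=$3 port=$4 remote=$5
    cat <<EOF
ovs-vsctl --may-exist add-br $br
ip link set $br up
ip addr add $cidr broadcast $bcast dev $br
ovs-vsctl --may-exist add-port $br $port -- set interface $port type=gre options:remote_ip=$remote
EOF
}

# setkey SPD for ipsec-tools: require transport-mode ESP for GRE (IP proto 47,
# "gre" in /etc/protocols) in both directions.  With "use" instead of
# "require" the kernel would send GRE in the clear while no SA exists.
setkey_spd_conf() {
    local_ip=$1 remote_ip=$2
    cat <<EOF
spdflush;
spdadd $local_ip $remote_ip gre -P out ipsec esp/transport//require;
spdadd $remote_ip $local_ip gre -P in ipsec esp/transport//require;
EOF
}

# racoon.conf: IKEv1 main mode, pre-shared key, AES-256/SHA-256, DH group 14.
# The psk file must be mode 0600 or racoon refuses to read it.
racoon_conf() {
    local_ip=$1 remote_ip=$2 psk_file=${3:-/etc/racoon/psk.txt}
    cat <<EOF
path pre_shared_key "$psk_file";
remote $remote_ip {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}
sainfo address $local_ip any address $remote_ip any {
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
EOF
}

# One line of psk.txt: "<peer address> <key>".
psk_entry() { printf '%s %s\n' "$1" "$2"; }

# Escape dots so an IP address is matched literally by grep -E.
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Read "tcpdump -n -i eth0" output on stdin.  Returns 0 when no clear-text
# GRE was seen between the two endpoints, 1 when a GREv0 line is present
# (the SPD is not in force and bridge traffic is leaving unprotected).
no_cleartext_gre() {
    a=$(esc "$1") b=$(esc "$2")
    ! grep -E "IP ($a > $b|$b > $a): GREv0" >/dev/null
}

# Constructed sample captures (assumed tcpdump formatting, not from the thread).
SAMPLE_CLEAN='IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0d3c2b1a,seq=0x1), length 116'
SAMPLE_LEAK='IP 1.1.1.1 > 2.2.2.2: GREv0, length 46: ARP, Request who-has 192.168.20.2 tell 192.168.20.1, length 28'

# Stand-alone use: print hostA's configuration when given any argument.
if [ $# -gt 0 ]; then
    gre_commands secure 192.168.20.1/24 192.168.20.255 gre3 2.2.2.2
    setkey_spd_conf 1.1.1.1 2.2.2.2
    racoon_conf 1.1.1.1 2.2.2.2
    psk_entry 2.2.2.2 secret
fi
```

On hostA the generated text goes to `sh` (the ovs-vsctl/ip lines), `setkey -f` (the SPD lines), `/etc/racoon/racoon.conf` and `/etc/racoon/psk.txt` (chmod 600); hostB is the same with the endpoint addresses swapped. After racoon has brought the SA up, `tcpdump -n -i eth0 host 2.2.2.2 | no_cleartext_gre 1.1.1.1 2.2.2.2` is the test that the "require" policy is actually protecting the GRE payload rather than silently falling back to clear text.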
