On Thu, Jul 7, 2016 at 10:55 AM, Bolesław Tokarski <[email protected]> wrote:
> Hello,
>
> I installed Ubuntu 16.04 on the hostB to check the behaviour between the two
> OSes.
>
> The setup is the same as with two hosts running OpenSUSE:
>
>>> > hostA:
>>> >
>>> > ovs-vsctl add-br secure
>>> > ip link set secure up
>>> > ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev secure
>>> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=2.2.2.2 options:psk=secret
>>> >
>>> > hostB:
>>> >
>>> > ovs-vsctl add-br secure
>>> > ip link set secure up
>>> > ip addr add 192.168.20.2/24 broadcast 192.168.20.255 dev secure
>>> > ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=1.1.1.1 options:psk=secret
>
> As mentioned, both sides manage to negotiate an IPsec connection, set the
> interfaces up, etc.
>
> Now, when I ping from hostA to hostB, I can see ARP request going out the
> "secure" interface, through eth0 as an ESP packet, to eth0 on hostB,
> deciphered and arriving at "secure" on hostB.
>
> Then, there's an ARP reply from hostB, going through eth0 as ESP on hostB,
> arriving at eth0 on hostA.
>
> I can even see the response in ovs-dpctl dump-flows on hostA. However,
> nothing is received on the "secure" interface on hostA.
>
> Is there something I can do to debug further? Maybe there's a missing return
> flow rule that does not get automatically set up on OpenSUSE while it is on
> Ubuntu? Is there some known issue with the particular OVS/kernel versions
> that OpenSUSE runs (ovs 2.3.1, kernel 4.1.26-21)? Or maybe there's a
> mismatch between the OVS and kernel datapath module? OpenSUSE seems to ship
> the one from the kernel.

Did you also port the iptables rules that are set up by the init script on
Debian? If those are missing then that would likely cause the behavior that
you are describing since OVS would consider the incoming traffic to be an
attempt to inject unauthenticated traffic into the secure port.
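
Added example (not part of the original thread, and not code from the Open vSwitch packaging): a check that can be run against `iptables-save` output from each host to see whether incoming ESP packets get a firewall mark. It assumes the init-script rules in question are mangle-table MARK rules on ESP traffic, which the thread does not quote; the function names and sample dumps, including the mark value, are constructed for illustration.

```shell
# Print every mangle-table INPUT rule that matches ESP and jumps to MARK.
# Assumption: the rules being compared between hosts have this shape.
esp_mark_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }    # table header, e.g. *mangle
        table != "mangle" { next }
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if (($i == "-p" || $i == "--protocol") && i < NF) proto = $(i + 1)
                if ($i == "-j" && i < NF) target = $(i + 1)
            }
            # The protocol may be printed by name or by number (ESP is 50).
            if ((proto == "esp" || proto == "50") && target == "MARK") print
        }
    '
}

# Exit status 0 if stdin (iptables-save output) has at least one such rule.
has_esp_mark_rule() {
    [ -n "$(esp_mark_rules)" ]
}

# Constructed sample dumps (not from the thread); the mark value is illustrative.
SAMPLE_WITH_RULE='*mangle
:INPUT ACCEPT [0:0]
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p esp -j ACCEPT
COMMIT'
SAMPLE_WITHOUT_RULE='*mangle
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p esp -j ACCEPT
COMMIT'

report() {   # $1 = host label, stdin = iptables-save output
    if has_esp_mark_rule; then echo "$1: ESP mark rule present"
    else echo "$1: ESP mark rule MISSING"; fi
}

printf '%s\n' "$SAMPLE_WITH_RULE"    | report hostB
printf '%s\n' "$SAMPLE_WITHOUT_RULE" | report hostA
```

On a live host, pipe the real dump in as root, for example `iptables-save | esp_mark_rules`, and compare the output between the working and non-working side.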
