On Thu, Apr 01, 2021 at 07:48:19PM +0100, Mark Gray wrote:
> On 01/04/2021 19:29, Ilya Maximets wrote:
> > On 4/1/21 3:58 PM, Mark Gray wrote:
> >> This series fixes IPv6 support for Libreswan and introduces
> >> IPsec system tests for Libreswan.
> >>
> >> Mark Gray (5):
> >> ipsec: IPv6 default route support for Libreswan
> >> system-common-macros: clean up veth device on test failure
> >> ipsec: Allow custom file locations
> >> ipsec: Introduce IPsec system tests for Libreswan
> >> ipsec: Update ordering of imports
> >>
> >> ipsec/ovs-monitor-ipsec.in | 144 ++++++++++--
> >> tests/automake.mk | 3 +-
> >> tests/system-common-macros.at | 2 +-
> >> tests/system-ipsec.at | 406 +++++++++++++++++++++++++++++++++
> >> tests/system-kmod-testsuite.at | 1 +
> >> 5 files changed, 529 insertions(+), 27 deletions(-)
> >> create mode 100644 tests/system-ipsec.at
> >>
> >
> > Thanks! Applied to master.
> > First patch with the fix also backported down to 2.13.
> >
> > Best regards, Ilya Maximets.
> >
>
> Thanks Ilya.
>
> Flavio was having some issues with the system test patch which appears
> to have a flake. We have not received his Ack yet. I will follow-up with
> a fix if it doesn't work for him or you can revert.

It seems the left side doesn't load the config fast enough, so the
replied proposal is none, AES_GCM_C_256-NONE-NONE-DISABLE. Then
the retransmission happens in 60 seconds by default, but the
script timeout is 30s. Obviously the timeout always wins, failing
the test.

I used the following patch to test that and then the tunnel
succeeds on the second attempt retransmitting in 10s.
I got 0 failures in 100 tests.

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 89a36fe17..132db4dce 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -383,6 +383,7 @@ config setup
conn %%default
keyingtries=%%forever
type=transport
+ retransmit-timeout=10
auto=route
ike=aes_gcm256-sha2_256
esp=aes_gcm256
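
Review bot: retransmit-timeout=10 is added under "conn %%default", so it applies to every connection generated from this template, not only the ones the system test sets up. If the aim is only to get the retry inside the 30s test timeout, make the value configurable or scope it to the test setup, and state in the commit message why 10 was chosen.
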
Another thing I tried is to add a simple sleep between adding
the ports:
--- a/tests/system-ipsec.at
+++ b/tests/system-ipsec.at
@@ -166,6 +166,7 @@ dnl Set up IPsec tunnel on 'left' host
OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \
options:remote_ip=10.1.1.2 options:psk=swordfish)
+sleep 1
dnl Set up IPsec tunnel on 'right' host
OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \
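
Review bot: the bare "sleep 1" before the 'right' host setup is a fixed delay with no comment saying what it waits for, and nothing in the hunk checks that the left side is actually ready, so it narrows the race rather than closing it. Replace it with a bounded poll on the left side's state, and add a dnl line naming the condition being waited on.
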
I got 0 failures in 100 tests with the above patch.

What would be a good way to tell if a tunnel port is ready? Perhaps
we could poll for status similar to what is done at CHECK_ESP_TRAFFIC
to make sure both sides are ready.

Thanks,
--
fbl