When running on Fedora, it may be necessary to allow ESP and IKE traffic through the host firewall. If not, this will result in ICMP host unreachable messages:
13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156 13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156 13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184 13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184 This commit updates the documentation to reflect this. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002278 Signed-off-by: Mark Gray <mark.d.g...@redhat.com> --- Documentation/tutorials/ovn-ipsec.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index 3adef68bb697..fa35eb84b316 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -80,6 +80,19 @@ database to false:: $ ovn-nbctl set nb_global . ipsec=false +.. note:: + + On Fedora, you may need to install firewall rules to allow ESP and IKE + traffic:: + + # systemctl start firewalld + # firewall-cmd --add-service ipsec + + Or to make permanent:: + + # systemctl enable firewalld + # firewall-cmd --permanent --add-service ipsec + Troubleshooting --------------- -- 2.27.0 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
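Review bot: the "Or to make permanent" block in the ovn-ipsec.rst hunk does not change the running firewall, so a reader who follows only that block still sees the ESP traffic rejected until firewalld is reloaded: `firewall-cmd --permanent --add-service ipsec` writes the rule to the permanent configuration only, and `systemctl enable firewalld` enables the unit at boot without starting it (and `firewall-cmd` needs the daemon running). Suggest either running the runtime command first and then `# firewall-cmd --runtime-to-permanent`, or using `# systemctl enable --now firewalld` followed by `# firewall-cmd --permanent --add-service ipsec` and `# firewall-cmd --reload`, and saying in the note that the permanent form needs a reload to take effect. It would also help to state what the `ipsec` firewalld service opens (ESP/AH plus the IKE and NAT-T UDP ports), since the tcpdump in the commit message shows only ESP being rejected and a reader may wonder whether IKE needs a separate rule.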