Provide an option to enforce NAT-T UDP encapsulation (encapsulation=true or forceencaps=true depending on the chosen backend). This may be required in environments where firewalls drop ESP traffic but where NAT-T detection fails because packets are not subject to NAT.
Signed-off-by: Andreas Karis <ak.ka...@gmail.com> --- Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++ NEWS | 3 +++ controller/encaps.c | 15 +++++++++++++++ tests/ovn-ipsec.at | 3 +++ 4 files changed, 40 insertions(+) diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index 305dd566d..0ae84f803 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -93,6 +93,24 @@ database to false:: # systemctl enable firewalld # firewall-cmd --permanent --add-service ipsec +Enabling OVN IPsec +------------------ + +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP +encapsulation unconditionally and to bypass the normal NAT detection mechanism. +For example, this may be required in environments where firewalls drop ESP +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise +are not subject to NAT. +In such scenarios, UDP encapsulation can be enforced with the following. + +For libreswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true + +For strongswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true + Troubleshooting --------------- @@ -119,6 +137,7 @@ For example:: Remote name: host_2 CA cert: /path/to/cacert.pem PSK: None + Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport number to this Tunnel Port CFM state: Disabled <--- Whether CFM declared this tunnel healthy diff --git a/NEWS b/NEWS index 21782cc66..ae7fb5715 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ Post v22.06.0 ------------- - ovn-controller: Add configuration knob, through OVS external-id "ovn-encap-df_default" to enable or disable tunnel DF flag. + - Added nb_global IPsec options ipsec_encapsulation=true (libreswan) + and ipsec_forceencaps=true (openswan) to unconditionally enforce + NAT-T UDP encapsulation. OVN v22.06.0 - XX XXX XXXX -------------------------- diff --git a/controller/encaps.c b/controller/encaps.c index a06aa258c..21d64bb09 100644 --- a/controller/encaps.c +++ b/controller/encaps.c @@ -207,6 +207,21 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, if (sbg->ipsec) { set_local_ip = true; smap_add(&options, "remote_name", new_chassis_id); + + /* Force NAT-T traversal via configuration */ + /* Two ipsec backends are supported: libreswan and openswan */ + /* libreswan param: encapsulation ; openswan param: forceencaps */ + bool encapsulation; + bool forceencaps; + encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", + false); + forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false); + if (encapsulation) { + smap_add(&options, "ipsec_encapsulation", "yes"); + } + if (forceencaps) { + smap_add(&options, "ipsec_forceencaps", "yes"); + } } if (set_local_ip) { diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at index 4c600a9f2..10ef97878 100644 --- a/tests/ovn-ipsec.at +++ b/tests/ovn-ipsec.at @@ -44,15 +44,18 @@ ovs-vsctl \ # Enable IPsec ovn-nbctl set nb_global . ipsec=true +ovn-nbctl set nb_global . options:ipsec_encapsulation=true check ovn-nbctl --wait=hv sync AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CLEANUP -- 2.35.3 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev