On Mon, Jun 6, 2022 at 12:54 PM Andreas Karis <ak.ka...@gmail.com> wrote:
>
> Provide options to enforce NAT-T UDP encapsulation. Options are
> encapsulation=true for libreswan and forceencaps=true for strongswan.
> This may be required in environments where firewalls drop ESP
> traffic but where NAT-T detection fails because packets are not
> subject to NAT.
>
> Signed-off-by: Andreas Karis <ak.ka...@gmail.com>
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2041681
Thanks for v4. I applied this patch to the main branch. I updated
the NEWS item to reflect that ovs 2.18 will have the required support.
Numan
> ---
> Documentation/tutorials/ovn-ipsec.rst | 24 ++++++++++++++++++++++++
> NEWS | 4 ++++
> controller/encaps.c | 15 +++++++++++++++
> tests/ovn-ipsec.at | 3 +++
> 4 files changed, 46 insertions(+)
>
> diff --git a/Documentation/tutorials/ovn-ipsec.rst
> b/Documentation/tutorials/ovn-ipsec.rst
> index 305dd566d..aea7aa309 100644
> --- a/Documentation/tutorials/ovn-ipsec.rst
> +++ b/Documentation/tutorials/ovn-ipsec.rst
> @@ -93,6 +93,29 @@ database to false::
> # systemctl enable firewalld
> # firewall-cmd --permanent --add-service ipsec
>
> +Enforcing IPsec NAT-T UDP encapsulation
> +---------------------------------------
> +
> +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP
> +encapsulation unconditionally and to bypass the normal NAT detection
> mechanism.
> +For example, this may be required in environments where firewalls drop ESP
> +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise
> +are not subject to NAT.
> +In such scenarios, UDP encapsulation can be enforced with the following.
> +
> +For libreswan backends::
> +
> + $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true
> +
> +For strongswan backends::
> +
> + $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true
> +
> +.. note::
> +
> + Support for this feature is only availably when OVN is used together with
> + OVS releases that accept IPsec custom tunnel options.
> +
> Troubleshooting
> ---------------
>
> @@ -119,6 +142,7 @@ For example::
> Remote name: host_2
> CA cert: /path/to/cacert.pem
> PSK: None
> + Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced
> Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport
> number to this Tunnel Port
> CFM state: Disabled <--- Whether CFM declared this tunnel healthy
> diff --git a/NEWS b/NEWS
> index 21782cc66..3f474bfcb 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -2,6 +2,10 @@ Post v22.06.0
> -------------
> - ovn-controller: Add configuration knob, through OVS external-id
> "ovn-encap-df_default" to enable or disable tunnel DF flag.
> + - Added nb_global IPsec options ipsec_encapsulation=true (libreswan)
> + and ipsec_forceencaps=true (strongswan) to unconditionally enforce
> + NAT-T UDP encapsulation. Requires OVS support for IPsec custom tunnel
> + options.
>
> OVN v22.06.0 - XX XXX XXXX
> --------------------------
> diff --git a/controller/encaps.c b/controller/encaps.c
> index a06aa258c..9647ba507 100644
> --- a/controller/encaps.c
> +++ b/controller/encaps.c
> @@ -207,6 +207,21 @@ tunnel_add(struct tunnel_ctx *tc, const struct
> sbrec_sb_global *sbg,
> if (sbg->ipsec) {
> set_local_ip = true;
> smap_add(&options, "remote_name", new_chassis_id);
> +
> + /* Force NAT-T traversal via configuration */
> + /* Two ipsec backends are supported: libreswan and strongswan */
> + /* libreswan param: encapsulation; strongswan param: forceencaps */
> + bool encapsulation;
> + bool forceencaps;
> + encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation",
> + false);
> + forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps",
> false);
> + if (encapsulation) {
> + smap_add(&options, "ipsec_encapsulation", "yes");
> + }
> + if (forceencaps) {
> + smap_add(&options, "ipsec_forceencaps", "yes");
> + }
> }
>
> if (set_local_ip) {
> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at
> index 4c600a9f2..10ef97878 100644
> --- a/tests/ovn-ipsec.at
> +++ b/tests/ovn-ipsec.at
> @@ -44,15 +44,18 @@ ovs-vsctl \
>
> # Enable IPsec
> ovn-nbctl set nb_global . ipsec=true
> +ovn-nbctl set nb_global . options:ipsec_encapsulation=true
>
> check ovn-nbctl --wait=hv sync
>
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d
> '"\n'], [0], [192.168.0.1])
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d
> '"\n'], [0], [192.168.0.2])
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr
> -d '\n'], [0], [hv1])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d
> '"\n'], [0], [192.168.0.2])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d
> '"\n'], [0], [192.168.0.1])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr
> -d '\n'], [0], [hv2])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
>
> AT_CLEANUP
>
> --
> 2.35.3
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
