On Thu, Nov 17, 2016 at 4:04 AM, Bolesław Tokarski <boleslaw.tokar...@gmail.com> wrote:
> Hi,
>
> Thank you very much for the answer.
>
>> > I am yet to come across a good guide on how to set up an OVS IPsec-GRE
>> > tunnel port alternative. Most guides are either for site-to-site IPsec
>> > tunnels, or for OVS GRE tunnels.
>>
>> Such guides in detail would be on the strongSwan, racoon, OpenSwan or
>> libreswan project sites.
>
> Well, I did see a number of guides on setting up tunnels, not so much on
> putting the traffic forward to an OVS port. I saw what ends up in
> ipsec.conf, but I believe the traffic going to the ipsec tunnel ends up on
> a Unix socket and gets directed to ovs-monitor-ipsec or so... I might fully
> get the image, though.

No, the ovs-monitor-ipsec daemon is not doing the actual IPsec forwarding; ovs-monitor-ipsec just configures strongSwan. Also, strongSwan is not doing the actual IPsec forwarding - strongSwan just configures the XFRM module in the Linux kernel. It is the XFRM module in the Linux kernel that does the actual IPsec forwarding.

>> However, if you are interested you can take a
>> peek at this link -
>> https://www.mail-archive.com/dev@openvswitch.org/msg46915.html - and
>> extract what the ovs-monitor-ipsec daemon would set in ipsec.conf and
>> ipsec.secrets file.
>
> I saw the patch on the mailing list before. I am experiencing some issues
> with racoon, it does not seem to handle SA expiry too well. I had a number
> of situations where I needed to recreate the OVS ports for it to catch up.
> How's StrongSwan doing? I guess you're using it in production?

I haven't followed racoon lately. Though strongSwan also has its own bugs. However, most of those bugs that I have encountered in strongSwan were either already fixed in the latest strongSwan release and it took some time for me to root cause them; OR strongSwan maintainers fixed those bugs for me after I reported them on their bug tracker. Also, it is a pity that I still have to edit the ipsec.conf file instead of being able to use the Python Vici API that they provide. At least this is still the case for Ubuntu 16.10. And, no, I would not dare to say that I am using strongSwan in production, because the patch I pointed you to *is not* even up-streamed.

>> If you are ok to skip this particular OVS 2.7 version, then I plan to
>> reintroduce ovs-monitor-ipsec daemon in the next one. It was abruptly
>> removed because it was decided that ovs-monitor-ipsec can't have a
>> hard coded bit of skb_mark because it interferes with OpenFlow
>> skb_mark match.
>
> Good to hear that. The ovs-monitor-ipsec daemon was quite easy to use and I
> even preferred to add OpenSUSE support to it than to set the tunnels up
> manually, which sounds bizarre, but hey - it worked.
>
> Best regards,
> Bolesław Tokarski

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
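As an added example that is not part of the thread and not the daemon's verbatim output: a hand-written strongSwan ipsec.conf and ipsec.secrets equivalent of what ovs-monitor-ipsec configures for one OVS GRE tunnel port, so that only GRE between the two endpoints goes through ESP in transport mode and the kernel XFRM layer does the forwarding. The endpoint addresses, connection name and PSK are constructed placeholders.

```ini
# /etc/ipsec.conf (constructed example; 192.0.2.1 = this host, 192.0.2.2 = peer)
config setup
    uniqueids=no          # keep a second IKE SA from the same peer identity from
                          # tearing down the first one

conn ovs-gre-to-192.0.2.2
    keyexchange=ikev2
    type=transport        # GRE already carries the overlay, so ESP transport mode is enough
    left=192.0.2.1
    right=192.0.2.2
    leftprotoport=gre     # narrow the SA selectors so only GRE (IP protocol 47) is matched
    rightprotoport=gre    # and plain traffic between the hosts is not pulled into the SA
    leftauth=psk
    rightauth=psk
    ike=aes256-sha256-modp2048!   # trailing '!' makes the proposal strict
    esp=aes256gcm16!
    auto=start            # bring the SA up at daemon start instead of waiting for traffic

# /etc/ipsec.secrets (constructed example; keep it readable by root only)
192.0.2.1 192.0.2.2 : PSK "REPLACE_WITH_A_LONG_RANDOM_SECRET"
```

With the OVS side created by `ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=192.0.2.2`, `ip xfrm state` and `ip xfrm policy` on either host show the kernel SAs and the GRE-only selectors that actually carry the traffic, which is the check to run when SA expiry or rekeying problems in the IKE daemon are suspected.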