On 23/07/2021 12:28, ad...@mac.com wrote:
> Hi,
>
> Rather than simply having an ipsec tunnel with nat traversal, the goal is to
> have an ovs-ipsec tunnel.
>
> Unless I’m misunderstanding, I was under the impression that ovs could create
> and maintain ipsec tunnels from within ovs-ipsec and just relies on libreswan
> or strongswan daemons as implementation.

Yes, that is exactly what happens and, by default IIRC, newer versions of Libreswan should detect NAT and enable NAT traversal. I presume Strongswan is the same. However, I have not tried it. The "Reporter" of the bugzilla link that I sent has tried it.

>
> If I attempt your suggestion, can the tunnel created from within libreswan or
> strongswan directly still be controlled and maintained from ovs-ipsec?

I wasn't suggesting anything in particular but just asking if you had tried it through OVS and what commands did you run and what was your test setup.

>
> Thank you.
> On Jul 23, 2021, 1:51 AM -0600, Mark Gray <mark.d.g...@redhat.com>, wrote:
>> On 23/07/2021 00:57, Allen Dial via discuss wrote:
>>> Hello,
>>>
>>> I am wondering if anyone knows how to set up ovs-ipsec using NAT traversal,
>>> the documentation shows that one can use ovs-ipsec provided both sides of
>>> the tunnel have accessible public IP addresses, but I am interested in
>>> setting up two switches where only one side has a public ip and the other
>>> is behind NAT. The situation is such that I cannot do port forwarding on
>>> the router either. NAT traversal is a common practice in ipsec for
>>> implementations outside of OVS, but I don't know if that functionality has
>>> made it to OVS.
>>>
>>> As there are no instructions for this type of topology in the
>>> documentation, I am hoping there is someone on this list that has
>>> accomplished it.
>>
>> Libreswan should support NAT-traversal. I have not personally tried it
>> but this bug was raised suggesting that there may be a problem with it:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1935599
>>
>> Have you tried something like this setup? Are you using Libreswan or
>> Strongswan?
>>
>>>
>>> Thank you,
>>> Allen
>>>
>>> _______________________________________________
>>> discuss mailing list
>>> disc...@openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>>
>>
>