Understood,

I already have a working topology that sends external traffic to a VRF on
the physical network that provides internet access for VMs, tag=120. So I
could probably add a new logical switch for the IPSEC connection, set a
bridge mapping to br-ipsec-aws (or something like that) and see if I can
route all the way through.

switch 4774aa10-e2ec-4ab4-80fa-b6d4196eb618 (localswitch)
    port c2-localsw-lr0
        type: router
        router-port: c2-lr0-localswitch
    port localswitch-local
        type: localnet
        parent:
        tag: 120
        addresses: ["unknown"]
    port localswitch-lr0
        type: router
        router-port: c1-lr0-localswitch
switch 7aae50e1-3e2f-46d4-838d-c40adab6ba0b (customer2-sw0)
    port c2-sw0-p2
        addresses: ["b8:3f:d2:21:87:31 dynamic"]
    port c2-sw0-p1
        addresses: ["b8:3f:d2:21:87:12 dynamic"]
    port c2-sw0-c2-lr0
        type: router
        router-port: c2-lr0-sw0-l3
switch dbcdca43-7c70-4f78-8db1-6a72e7c1276c (customer1-sw0)
    port c1-sw0-p3
        addresses: ["b8:3f:d2:21:87:11 dynamic"]
    port c1-sw0-p1
        addresses: ["b8:3f:d2:21:87:01 dynamic"]
    port c1-sw0-c1-lr0
        type: router
        router-port: c1-lr0-sw0-l3
    port c1-sw0-p2
        addresses: ["b8:3f:d2:21:87:41 dynamic"]
router 8d0fc968-2b32-4b14-b409-bceec6d737bb (customer2-vpc-lr0)
    port c2-lr0-localswitch
        mac: "0a:22:00:22:00:22"
        networks: ["172.16.0.2/20"]
        gateway chassis: [bf79b7bc-b3bb-4c49-a7c0-56a9e16b2d03]
    port c2-lr0-sw0-l3
        mac: "0a:02:02:02:02:01"
        networks: ["10.200.0.1/24"]
    nat a384f167-80f4-4628-9caa-17136b6cd551
        external ip: "204.52.31.3"
        logical ip: "10.200.0.11"
        type: "snat"

On Tue, Feb 14, 2023 at 4:57 PM Numan Siddique <num...@ovn.org> wrote:

> On Tue, Feb 14, 2023 at 6:40 PM Gavin McKee via discuss
> <ovs-discuss@openvswitch.org> wrote:
> >
> > Hi Numan,
> >
> > I'd be happy to start with static routes, as long as I can get the
> connectivity in place, i.e. be able to connect a VM on a logical switch to a
> VM in a public cloud via IPSEC tunnel.
>
> So you're trying to connect an OVN deployment on one end and a public
> cloud on the other. Looks to me you may need to establish an IPSEC
> tunnel yourself. One end of the tunnel should be
> your gateway node in the OVN deployment and the other end your public cloud.
>
> For North/South gateway traffic to work with OVN, you need to
> configure ovn-bridge-mappings on the gateway node. OVN will create a
> patch port from br-int to the provider ovs bridge (let's say br-ex).
> And it is expected that br-ex would be attached with a physical nic
> which would provide connectivity to the external network.
>
> Seems to me you need to establish the IPSEC tunnel in br-ex as this is
> out of OVN's scope.
>
> Thanks
> Numan
>
>
> >
> > Gav
> >
> > On Tue, Feb 14, 2023 at 3:28 PM Numan Siddique <num...@ovn.org> wrote:
> >>
> >> Looks like this would require BGP to exchange the routes?
> >>
> >> I'm not sure. I may be wrong. Adding @Daniel Alvarez Sanchez if he
> >> has any comments as he worked on supporting BGP in Openstack with OVN.
> >>
> >> Thanks
> >> Numan
> >>
> >>
> >> On Tue, Feb 14, 2023 at 1:50 PM Gavin McKee via discuss
> >> <ovs-discuss@openvswitch.org> wrote:
> >> >
> >> > Satish,
> >> >
> >> > We are using the Mellanox Connect X6 card / possibly we can use
> bluefield2 card to do IPSEC hardware offload. So somehow we could build a
> tunnel to a server with StrongSwan IPSEC. The key thing is to tie this
> IPSEC interface into the OVN/OVS setup and somehow associate it with a
> customer's virtual router.
> >> >
> >> > Am I even thinking of this the correct way?
> >> >
> >> > Gav
> >> >
> >> >
> >> > On Tue, Feb 14, 2023 at 7:15 AM Satish Patel <satish....@gmail.com>
> wrote:
> >> >>
> >> >> Seems like OVN does support IPsec tunnels based on the doc, but you may
> need to figure out how to integrate it with your use case [1]
> >> >>
> >> >> [1] https://docs.ovn.org/en/latest/tutorials/ovn-ipsec.html
> >> >>
> >> >> On Tue, Feb 14, 2023 at 8:20 AM Gavin McKee via discuss <
> ovs-discuss@openvswitch.org> wrote:
> >> >>>
> >> >>> Hi,
> >> >>>
> >> >>> Is it possible to connect an IPSEC tunnel from a public cloud
> provider such as Azure, AWS / GCP to an OVN logical router?
> >> >>>
> >> >>> I need to be able to route between a subnet in Azure / GCP and a
> subnet in OVN.
> >> >>>
> >> >>> Has anyone been able to achieve this, and if so can you provide an
> example configuration?
> >> >>>
> >> >>> Gav
> >> >>>
> >> >>>
> >> >>> Disclaimer
> >> >>>
> >> >>> The information contained in this communication from the sender is
> confidential. It is intended solely for use by the recipient and others
> authorized to receive it. If you are not the recipient, you are hereby
> notified that any disclosure, copying, distribution or taking action in
> relation of the contents of this information is strictly prohibited and may
> be unlawful.
> >> >>>
> >> >>> _______________________________________________
> >> >>> discuss mailing list
> >> >>> disc...@openvswitch.org
> >> >>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
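
Gavin's plan above (a second logical switch with a localnet port mapped to br-ipsec-aws) combined with Numan's point that the tunnel itself lives outside OVN, written up as an added example script; it is not code from the thread or from the OVN project. It assumes a route-based StrongSwan tunnel terminating in the gateway node's host namespace, a host-side internal port on br-ipsec-aws as the next hop, and placeholders for the existing mapping name, the gateway chassis name and the AWS-side subnet; the 169.254.100.0/30 link and the router-port MAC are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a second localnet path for the IPsec side.
# Run on the gateway chassis. DRY_RUN=1 (default) only prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

ROUTER=customer2-vpc-lr0         # router from the ovn-nbctl show output above
EXISTING_MAP="physnet:br-ex"     # placeholder: mapping already carrying tag 120
CLOUD_SUBNET="10.50.0.0/16"      # placeholder: subnet on the AWS side of the tunnel
GW_CHASSIS="gw-chassis-1"        # placeholder: chassis that hosts the gateway port
LRP_IP=169.254.100.1             # constructed /30 transit link: OVN side ...
HOST_IP=169.254.100.2            # ... and host side (next hop into the tunnel)

plumb_ipsec_path() {
    # 1. OVS: dedicated provider bridge plus a host-side internal port; the
    #    kernel, not OVN, forwards from that port into the StrongSwan tunnel.
    run ovs-vsctl --may-exist add-br br-ipsec-aws
    run ovs-vsctl --may-exist add-port br-ipsec-aws ipsec-aws-host \
        -- set interface ipsec-aws-host type=internal
    run ip addr replace "$HOST_IP/30" dev ipsec-aws-host
    run ip link set ipsec-aws-host up
    # ovn-bridge-mappings is replaced, not appended, so carry the old entry.
    run ovs-vsctl set Open_vSwitch . \
        "external-ids:ovn-bridge-mappings=$EXISTING_MAP,ipsec-aws:br-ipsec-aws"

    # 2. OVN: logical switch with a localnet port on the new mapping, a router
    #    port pinned to the gateway chassis, and a static route to the cloud.
    run ovn-nbctl --may-exist ls-add ipsec-aws-sw
    run ovn-nbctl --may-exist lsp-add ipsec-aws-sw ipsec-aws-sw-local
    run ovn-nbctl lsp-set-type ipsec-aws-sw-local localnet
    run ovn-nbctl lsp-set-addresses ipsec-aws-sw-local unknown
    run ovn-nbctl lsp-set-options ipsec-aws-sw-local network_name=ipsec-aws
    run ovn-nbctl --may-exist lrp-add "$ROUTER" c2-lr0-ipsec-aws \
        0a:22:00:22:00:23 "$LRP_IP/30"            # MAC is constructed
    run ovn-nbctl lrp-set-gateway-chassis c2-lr0-ipsec-aws "$GW_CHASSIS" 20
    run ovn-nbctl --may-exist lsp-add ipsec-aws-sw ipsec-aws-sw-lr0
    run ovn-nbctl lsp-set-type ipsec-aws-sw-lr0 router
    run ovn-nbctl lsp-set-addresses ipsec-aws-sw-lr0 router
    run ovn-nbctl lsp-set-options ipsec-aws-sw-lr0 router-port=c2-lr0-ipsec-aws
    run ovn-nbctl --may-exist lr-route-add "$ROUTER" "$CLOUD_SUBNET" "$HOST_IP"

    # 3. Kernel: return route for the tenant subnet toward the OVN router port.
    #    Routing $CLOUD_SUBNET into the tunnel stays StrongSwan's job.
    run ip route replace 10.200.0.0/24 via "$LRP_IP" dev ipsec-aws-host
}

plumb_ipsec_path
```

The router's existing snat entry (10.200.0.11 to 204.52.31.3) also matches traffic leaving toward the cloud subnet, so check whether the NAT row's exempted_ext_ips address set should exclude that prefix before trusting a ping across the tunnel.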
