Re: [ovs-discuss] GRE over IPsec
Hi Ansis,

Thanks for the help.

Now the gre_system interface is showing in the ovs-dpctl command. Although I have been able to set up the tunnel, the tunnel is not working. As I apply a sniffer on the tunnel end-points I don't see any packets going through the tunnel.

I have set up the tunnel using the following command:

ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre options:remote_ip=10.10.10.2 options:psk=/etc/racoon/psk.txt

I have also applied the two iptables rules that you specified, as they were missing in the iptables. Also the two commands that you specified to check my peer's configuration, i.e. ip xfrm policy showed the peer's configuration but the ip xfrm policy didn't show any result.

Also, I have applied the security policies rule in the /etc/ipsec-tools.conf file. But all went in vain.

Please help me regarding this.

Thanks.

Sonia

On Fri, Feb 14, 2014 at 6:42 PM, sonia verma wrote:

> Thanks Ansis for the reply.
>
> 1. Yes I have cross checked and found that the pid are in the same ovs run
> directory and after that still I am facing the same issue.
>
> 2. Also in the ovs-dpctl show command there is no gre_system interface.
>
> 3. I am not having the two rules that you have mentioned as a bug in
> ovs-1.10 and newer releases.
>
> Also Ansis could that be an issue that I have built the openvswitch from
> the source code and installed the openvswitch-ipsec from the debian package
> as Gurucharan was pointing.
>
> Can you please provide some configuration guide or steps about how to
> implement gre over ipsec in openvswitch as I haven't found anything helpful
> regarding this on the internet.
>
> Thanks
>
> Sonia
>
> On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka wrote:
>
>> 1. Previously you said that you saw following error messages:
>>
>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)
>>
>> If pid files are in the same OVS run directory then you should not see
>> them any more. Is this the case?
>>
>> 2. ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
>> change, I believe, it was introduced in 1.10 as part of flow based
>> tunneling. However you should still see gre_system port that is shared with
>> ipsec_gre ports.
>>
>> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
>> fixed recently. The problem was that two iptables rules were missing. Can
>> you verify if you have them?
>>
>> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
>> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>>
>> 4. If all of above is configured correctly, then can you verify, if you
>> see IPsec configuration in the kernel? Do "ip xfrm policy" and "ip xfrm
>> state" commands and search for the peer's IP address. If it does not have a
>> trace of peer's IP address, then please make sure that you have valid
>> configuration in OVSDB (take a look at ovs-vswitchd.conf.db man page).
>>
>> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
>> then I would recommend to start with PSKs and only then with PKI. Starting
>> with PSKs will rule out any certificate issues. Later you can do the switch
>> to PKI, if deemed so.
>>
>> Ansis
>>
>> --
>> *From: *"sonia verma"
>> *To: *"Ansis Atteka"
>> *Cc: *discuss@openvswitch.org
>> *Sent: *Thursday, February 13, 2014 10:49:48 AM
>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>
>> Sorry Ansis for the late reply.
>>
>> As you said I checked and found that the ovs-monitor-ipsec.pid file is in
>> the same ovs run directory just like all other pid files.
>>
>> But the error still persists and the interface is still not getting shown
>> at the kernel level.
>>
>> Please help me regarding this.
>>
>> Thanks
>>
>> On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka wrote:
>>
>>> ovs-monitor-ipsec package depends on racoon package. Once both of
>>> them are installed, ovs-monitor-ipsec will automatically provision racoon
>>> with necessary configuration through /etc/ipsec.conf file.
>>>
>>> --
>>> *From: *"sonia verma"
>>> *To: *"Ansis Atteka"
>>> *Cc: *discuss@openvswitch.org
>>> *Sent: *Wednesday, February 12, 2014 11:27:23 AM
>>>

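
Steps 3 and 4 of the quoted reply above (the two mangle-table mark rules, then the peer's address in "ip xfrm policy" and "ip xfrm state") can be checked mechanically. The script below is an added example, not part of the thread or of Open vSwitch; it works on captured command output, and the sample text, the local address 10.10.10.1 and the result labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for steps 3 and 4.
# Capture the inputs on the OVS host beforehand, for instance:
#   iptables -t mangle -S INPUT > mangle.txt
#   ip xfrm policy > policy.txt
#   ip xfrm state  > state.txt

# Pattern for the MARK target. The rules are added with "--set-mark 1/1";
# a listing may print the same rule as "--set-xmark 0x1/0x1", so accept both.
MARK_RE='-j MARK --set-x?mark (0x)?1/(0x)?1( |$)'

# $1 = mangle INPUT rules. Succeeds if ESP packets get mark 1/1.
has_esp_mark() {
    printf '%s\n' "$1" | grep -E -e '^-A INPUT .*-p (esp|50)( |$)' \
        | grep -Eq -e "$MARK_RE"
}

# $1 = mangle INPUT rules. Succeeds if UDP/4500 (NAT-T) packets get mark 1/1.
has_natt_mark() {
    printf '%s\n' "$1" | grep -E -e '^-A INPUT .*-p udp .*--dport 4500( |$)' \
        | grep -Eq -e "$MARK_RE"
}

# $1 = captured text, $2 = peer IP. Whole-word match, so 10.10.10.2 does
# not match a line that only mentions 10.10.10.20.
mentions_peer() {
    printf '%s\n' "$1" | grep -Fwq -e "$2"
}

# $1 = mangle rules, $2 = "ip xfrm policy", $3 = "ip xfrm state", $4 = peer IP.
# Prints one label (labels are this example's own):
#   missing-mark-rules  one of the two iptables rules is absent (step 3)
#   no-policy           no security policy for the peer; check OVSDB (step 4)
#   policy-without-sa   policy installed, but no security association with
#                       the peer exists in the kernel yet
#   ok                  rules, policy and state all reference the peer
diagnose() {
    if ! has_esp_mark "$1" || ! has_natt_mark "$1"; then
        echo "missing-mark-rules"
    elif ! mentions_peer "$2" "$4"; then
        echo "no-policy"
    elif ! mentions_peer "$3" "$4"; then
        echo "policy-without-sa"
    else
        echo "ok"
    fi
}

# Constructed sample input; real listings vary by iptables/iproute2 version.
SAMPLE_MANGLE='-P INPUT ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0x1
-A INPUT -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0x1'

SAMPLE_POLICY='src 10.10.10.1/32 dst 10.10.10.2/32 proto gre
	dir out priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport'

SAMPLE_STATE='src 10.10.10.1 dst 10.10.10.2
	proto esp spi 0x00000001 reqid 0 mode transport'

# Constructed run: rules and policy are present, the state listing is empty.
diagnose "$SAMPLE_MANGLE" "$SAMPLE_POLICY" "" 10.10.10.2
```
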
Re: [ovs-discuss] GRE over IPsec
Sorry, the tunnel is working and the packets are getting encapsulated in the gre header but the encapsulation of the packets is not taking place. I have done the ipsec configuration in the /etc/ipsec-tools.conf file and the ovs-monitor-ipsec daemon is running in the background. Do I have to do some more configuration regarding ipsec or am I missing something?

Thanks

Sonia

On Sat, Feb 15, 2014 at 10:17 PM, sonia verma wrote:

> Hi Ansis,
>
> Thanks for the help.
>
> Now the gre_system interface is showing in the ovs-dpctl command. Although
> I have been able to set up the tunnel, the tunnel is not working. As I
> apply a sniffer on the tunnel end-points I don't see any packets going
> through the tunnel.
>
> I have set up the tunnel using the following command:
> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre options:remote_ip=10.10.10.2 options:psk=/etc/racoon/psk.txt
>
> I have also applied the two iptables rules that you specified, as they
> were missing in the iptables. Also the two commands that you specified to
> check my peer's configuration, i.e. ip xfrm policy showed the peer's
> configuration but the ip xfrm policy didn't show any result.
>
> Also, I have applied the security policies rule in the
> /etc/ipsec-tools.conf file. But all went in vain.
>
> Please help me regarding this.
>
> Thanks.
>
> Sonia
>
> On Fri, Feb 14, 2014 at 6:42 PM, sonia verma wrote:
>
>> Thanks Ansis for the reply.
>>
>> 1. Yes I have cross checked and found that the pid are in the same ovs
>> run directory and after that still I am facing the same issue.
>>
>> 2. Also in the ovs-dpctl show command there is no gre_system interface.
>>
>> 3. I am not having the two rules that you have mentioned as a bug in
>> ovs-1.10 and newer releases.
>>
>> Also Ansis could that be an issue that I have built the openvswitch from
>> the source code and installed the openvswitch-ipsec from the debian package
>> as Gurucharan was pointing.
>>
>> Can you please provide some configuration guide or steps about how to
>> implement gre over ipsec in openvswitch as I haven't found anything helpful
>> regarding this on the internet.
>>
>> Thanks
>>
>> Sonia
>>
>> On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka wrote:
>>
>>> 1. Previously you said that you saw following error messages:
>>>
>>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
>>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)
>>>
>>> If pid files are in the same OVS run directory then you should not see
>>> them any more. Is this the case?
>>>
>>> 2. ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
>>> change, I believe, it was introduced in 1.10 as part of flow based
>>> tunneling. However you should still see gre_system port that is shared with
>>> ipsec_gre ports.
>>>
>>> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
>>> fixed recently. The problem was that two iptables rules were missing. Can
>>> you verify if you have them?
>>>
>>> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
>>> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>>>
>>> 4. If all of above is configured correctly, then can you verify, if you
>>> see IPsec configuration in the kernel? Do "ip xfrm policy" and "ip xfrm
>>> state" commands and search for the peer's IP address. If it does not have a
>>> trace of peer's IP address, then please make sure that you have valid
>>> configuration in OVSDB (take a look at ovs-vswitchd.conf.db man page).
>>>
>>> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
>>> then I would recommend to start with PSKs and only then with PKI. Starting
>>> with PSKs will rule out any certificate issues. Later you can do the switch
>>> to PKI, if deemed so.
>>>
>>> Ansis
>>>
>>> --
>>> *From: *"sonia verma"
>>> *To: *"Ansis Atteka"
>>> *Cc: *discuss@openvswitch.org
>>> *Sent: *Thursday, February 13, 2014 10:49:48 AM
>>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>>
>>> Sorry Ansis for the late reply.
>>>
>>> As you said I checked and found th

Re: [ovs-discuss] GRE over IPsec
Thanks Ansis for the reply.

1. Yes I have cross checked and found that the pid are in the same ovs run directory and after that still I am facing the same issue.

2. Also in the ovs-dpctl show command there is no gre_system interface.

3. I am not having the two rules that you have mentioned as a bug in ovs-1.10 and newer releases.

Also Ansis could that be an issue that I have built the openvswitch from the source code and installed the openvswitch-ipsec from the debian package as Gurucharan was pointing.

Can you please provide some configuration guide or steps about how to implement gre over ipsec in openvswitch as I haven't found anything helpful regarding this on the internet.

Thanks

Sonia

On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka wrote:

> 1. Previously you said that you saw following error messages:
>
> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)
>
> If pid files are in the same OVS run directory then you should not see
> them any more. Is this the case?
>
> 2. ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
> change, I believe, it was introduced in 1.10 as part of flow based
> tunneling. However you should still see gre_system port that is shared with
> ipsec_gre ports.
>
> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
> fixed recently. The problem was that two iptables rules were missing. Can
> you verify if you have them?
>
> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>
> 4. If all of above is configured correctly, then can you verify, if you
> see IPsec configuration in the kernel? Do "ip xfrm policy" and "ip xfrm
> state" commands and search for the peer's IP address. If it does not have a
> trace of peer's IP address, then please make sure that you have valid
> configuration in OVSDB (take a look at ovs-vswitchd.conf.db man page).
>
> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
> then I would recommend to start with PSKs and only then with PKI. Starting
> with PSKs will rule out any certificate issues. Later you can do the switch
> to PKI, if deemed so.
>
> Ansis
>
> --
> *From: *"sonia verma"
> *To: *"Ansis Atteka"
> *Cc: *discuss@openvswitch.org
> *Sent: *Thursday, February 13, 2014 10:49:48 AM
> *Subject: *Re: [ovs-discuss] GRE over IPsec
>
> Sorry Ansis for the late reply.
>
> As you said I checked and found that the ovs-monitor-ipsec.pid file is in
> the same ovs run directory just like all other pid files.
>
> But the error still persists and the interface is still not getting shown
> at the kernel level.
>
> Please help me regarding this.
>
> Thanks
>
> On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka wrote:
>
>> ovs-monitor-ipsec package depends on racoon package. Once both of them
>> are installed, ovs-monitor-ipsec will automatically provision racoon with
>> necessary configuration through /etc/ipsec.conf file.
>>
>> --
>> *From: *"sonia verma"
>> *To: *"Ansis Atteka"
>> *Cc: *discuss@openvswitch.org
>> *Sent: *Wednesday, February 12, 2014 11:27:23 AM
>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>
>> Thanks Gurucharan and Ansis for the quick reply.
>>
>> YES I did install the IPsec daemon from the debian package for my
>> system but I installed the ovs-vswitchd
>> daemon from the source code for my system.
>>
>> Does this mean that either I have to install the openvswitch and its
>> ipsec daemon from debian package or from their respective source codes?
>>
>> Also, I will make sure that the ovs-monitor-ipsec pid file is in the ovs
>> run dir.
>>
>> One more thing I want to clarify is that does the openvswitch ipsec
>> package will take care of the ipsec functionality in openvswitch
>> automatically or do I have to make some configuration for this in the
>> racoon daemon?
>>
>> Please help me regarding this. I will let you know whether this worked or
>> not.
>>
>> Thanks
>>
>> On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka wrote:
>>
>>> - Original Message -
>>> From: "sonia verma" gmail.com

Re: [ovs-discuss] GRE over IPsec
Sorry Ansis for the late reply.

As you said I checked and found that the ovs-monitor-ipsec.pid file is in the same ovs run directory just like all other pid files.

But the error still persists and the interface is still not getting shown at the kernel level.

Please help me regarding this.

Thanks

On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka wrote:

> ovs-monitor-ipsec package depends on racoon package. Once both of them
> are installed, ovs-monitor-ipsec will automatically provision racoon with
> necessary configuration through /etc/ipsec.conf file.
>
> ------
> *From: *"sonia verma"
> *To: *"Ansis Atteka"
> *Cc: *discuss@openvswitch.org
> *Sent: *Wednesday, February 12, 2014 11:27:23 AM
> *Subject: *Re: [ovs-discuss] GRE over IPsec
>
> Thanks Gurucharan and Ansis for the quick reply.
>
> YES I did install the IPsec daemon from the debian package for my system
> but I installed the ovs-vswitchd
> daemon from the source code for my system.
>
> Does this mean that either I have to install the openvswitch and its ipsec
> daemon from debian package or from their respective source codes?
>
> Also, I will make sure that the ovs-monitor-ipsec pid file is in the ovs
> run dir.
>
> One more thing I want to clarify is that does the openvswitch ipsec
> package will take care of the ipsec functionality in openvswitch
> automatically or do I have to make some configuration for this in the
> racoon daemon?
>
> Please help me regarding this. I will let you know whether this worked or
> not.
>
> Thanks
>
> On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka wrote:
>
>> - Original Message -
>> From: "sonia verma" gmail.com>
>> To: discuss@openvswitch.org
>> Sent: Wednesday, February 12, 2014 3:28:04 AM
>> Subject: [ovs-discuss] GRE over IPsec
>>
>> Hi All,
>>
>> I have been able to implement GRE tunneling on OpenvSwitch and now I want
>> to implement GRE over IPsec on OpenvSwitch.
>> For this, I have installed the OpenvSwitch-IPsec package on my system and
>> I'm running the ovs-monitor-ipsec daemon.
>>
>> But when I'm using the following command:
>> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre options:remote_ip=10.10.10.2
>> The ipsec_gre interface is not getting shown at the kernel level.
>> I checked it using the following command:
>> ovs-dpctl show br0
>>
>> When I see the OpenvSwitch logs, it is giving following error:
>>
>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)
>>
>> [Ansis]: Make sure that ovs-monitor-ipsec.pid file is in the ovs run
>> directory (just like all other ovs pid files).
>>
>> I haven't been able to figure why this error is coming, as the daemon is
>> running in the background.
>> Also I didn't find any relevant document related to GRE over IPsec
>> which will show how the openvswitch-ipsec daemon will communicate with
>> racoon in order to implement ipsec functionality on OpenvSwitch with the
>> configuration required in order to implement this.
>>
>> How should I configure racoon to implement IPsec functionality?
>> Do I need to do some more configuration regarding ipsec on openvswitch?
>>
>> Please help me regarding this issue. Any help would be appreciated.
>>
>> Thanks

___
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss

Re: [ovs-discuss] GRE over IPsec
Thanks Gurucharan and Ansis for the quick reply.

YES I did install the IPsec daemon from the debian package for my system but I installed the ovs-vswitchd daemon from the source code for my system.

Does this mean that either I have to install the openvswitch and its ipsec daemon from debian package or from their respective source codes?

Also, I will make sure that the ovs-monitor-ipsec pid file is in the ovs run dir.

One more thing I want to clarify is that does the openvswitch ipsec package will take care of the ipsec functionality in openvswitch automatically or do I have to make some configuration for this in the racoon daemon?

Please help me regarding this. I will let you know whether this worked or not.

Thanks

On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka wrote:

> - Original Message -
> From: "sonia verma" gmail.com>
> To: discuss@openvswitch.org
> Sent: Wednesday, February 12, 2014 3:28:04 AM
> Subject: [ovs-discuss] GRE over IPsec
>
> Hi All,
>
> I have been able to implement GRE tunneling on OpenvSwitch and now I want
> to implement GRE over IPsec on OpenvSwitch.
> For this, I have installed the OpenvSwitch-IPsec package on my system and
> I'm running the ovs-monitor-ipsec daemon.
>
> But when I'm using the following command:
> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre options:remote_ip=10.10.10.2
> The ipsec_gre interface is not getting shown at the kernel level.
> I checked it using the following command:
> ovs-dpctl show br0
>
> When I see the OpenvSwitch logs, it is giving following error:
>
> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)
>
> [Ansis]: Make sure that ovs-monitor-ipsec.pid file is in the ovs run
> directory (just like all other ovs pid files).
>
> I haven't been able to figure why this error is coming, as the daemon is
> running in the background.
> Also I didn't find any relevant document related to GRE over IPsec
> which will show how the openvswitch-ipsec daemon will communicate with
> racoon in order to implement ipsec functionality on OpenvSwitch with the
> configuration required in order to implement this.
>
> How should I configure racoon to implement IPsec functionality?
> Do I need to do some more configuration regarding ipsec on openvswitch?
>
> Please help me regarding this issue. Any help would be appreciated.
>
> Thanks

[ovs-discuss] GRE over IPsec
Hi All,

I have been able to implement GRE tunneling on OpenvSwitch and now I want to implement GRE over IPsec on OpenvSwitch. For this, I have installed the OpenvSwitch-IPsec package on my system and I'm running the ovs-monitor-ipsec daemon.

But when I'm using the following command:

ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre options:remote_ip=10.10.10.2

The ipsec_gre interface is not getting shown at the kernel level. I checked it using the following command:

ovs-dpctl show br0

When I see the OpenvSwitch logs, it is giving following error:

2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the ovs-monitor-ipsec daemon
2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device gre0 (Invalid argument)

I haven't been able to figure why this error is coming, as the daemon is running in the background. Also I didn't find any relevant document related to GRE over IPsec which will show how the openvswitch-ipsec daemon will communicate with racoon in order to implement ipsec functionality on OpenvSwitch with the configuration required in order to implement this.

How should I configure racoon to implement IPsec functionality? Do I need to do some more configuration regarding ipsec on openvswitch?

Please help me regarding this issue. Any help would be appreciated.

Thanks

Re: [ovs-discuss] OVS in userspace
Hi Asadullah

Thanks. I'll test and let you know the result later.

However one more question. I want to know whether features such as LACP, STP that are included in features list at openvswitch.org operates at kernel space or at user space.<http://space.ch> ?

Please help regarding this

On Tue, Jan 28, 2014 at 11:36 AM, Asadullah Hussain wrote:

> I guess a kernel space OVS instance is already running on your system. To
> completely remove OVS from a linux system use the following commands:
>
> kill `cd /usr/local/var/run/openvswitch && cat ovsdb-server.pid ovs-vswitchd.pid`
> rmmod openvswitch
> rm -rf /usr/local/etc/openvswitch
> rm -rf /usr/local/var/run/openvswitch
>
> The "rmmod openvswitch" command should remove the kernel module. Then try
> re-installing OVS without the kernel modules:
>
> ./boot.sh
> ./configure
> make
> make install
> mkdir -p /usr/local/etc/openvswitch
> ovsdb-tool create /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
> ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
>     --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
>     --private-key=db:Open_vSwitch,SSL,private_key \
>     --certificate=db:Open_vSwitch,SSL,certificate \
>     --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
>     --pidfile --detach
>
> ovs-vsctl --no-wait init
> ovs-vswitchd --pidfile --detach
>
> On 27 January 2014 10:23, sonia verma wrote:
>
>> HI Asadullah
>>
>> Thanks
>> I need to run OVS in userspace and I have successfully installed OVS using
>> instructions in INSTALL.USERSPACE.
>> However whenever I start the switch, the kernel module openvswitch appears
>> in lsmod.
>> Can we start the OVS in userspace without loading its kernel module?
>>
>> Thanks
>>
>> On Mon, Jan 27, 2014 at 10:39 AM, Asadullah Hussain
>> wrote:
>>
>>> To add a bridge in user space the following command is used:
>>>
>>> ovs-vsctl add-br br0 -- set bridge br0 datapath_type=netdev
>>>
>>> If "br0" appears in the network interface list then OVS is running in
>>> userspace successfully:
>>>
>>> You can use "ifconfig" to confirm that.
>>>
>>> On 27 January 2014 09:41, sonia verma wrote:
>>>
>>>> Hi Arun
>>>>
>>>> Thanks
>>>>
>>>> I'm able to install ovs in userspace after following the
>>>> INSTALL.USERSPACE and I'm able to create bridge successfully by using
>>>> ovs-vsctl add-br br0 command.
>>>>
>>>> But how to confirm whether it runs in userspace or not?
>>>>
>>>> Thanks
>>>>
>>>> On Mon, Jan 27, 2014 at 9:19 AM, Arun Sharma <
>>>> arun.sha...@calsoftinc.com> wrote:
>>>>
>>>>> I hope you have referred
>>>>> INSTALL.userspace<http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.userspace;hb=a3ea1821d67e7dc8af32d7a55b5857014ec4583f>
>>>>> document
>>>>> "Using Open vSwitch without kernel support" related to this?
>>>>>
>>>>> To be specific, "
>>>>> On Linux, when a physical interface is in use by the userspace
>>>>> datapath, packets received on the interface still also pass into the
>>>>> kernel TCP/IP stack. This can cause surprising and incorrect
>>>>> behavior. You can use "iptables" to avoid this behavior, by using it
>>>>> to drop received packets. For example, to drop packets received on
>>>>> eth0:
>>>>> iptables -A INPUT -i eth0 -j DROP
>>>>> iptables -A FORWARD -i eth0 -j DROP
>>>>> "
>>>>>
>>>>> From: sonia verma
>>>>> Date: Sun, 26 Jan 2014 08:59:54 +0530
>>>>> To: "discuss@openvswitch.org"
>>>>> Subject: [ovs-discuss] OVS in userspace
>>>>>
>>>>> Hi
>>>>>
>>>>> Is it possible to run ovs on userspace without loading its kernel
>>>>> modules?
>>>>>
>>>>> Please help regarding this.
>>>>>
>>>>> Thanks
>>>
>>> --
>>> Asadullah Hussain
>
> --
> Asadullah Hussain

[ovs-discuss] OVS features
Hi all

I want to know whether features such as LACP, STP that are included in features list at openvswitch.org operates at kernel space or at user space.ch.

Thanks

Sonia

[ovs-discuss] Openflow 1.3 spec
Hi all

I want to know about the openflow 1.3 features which openvswitch 1.11 can support. Can you help regarding this.

Thanks..

sonia

Re: [ovs-discuss] OVS in userspace
HI Asadullah

Thanks

I need to run OVS in userspace and I have successfully installed OVS using instructions in INSTALL.USERSPACE. However whenever I start the switch, the kernel module openvswitch appears in lsmod. Can we start the OVS in userspace without loading its kernel module?

Thanks

On Mon, Jan 27, 2014 at 10:39 AM, Asadullah Hussain wrote:

> To add a bridge in user space the following command is used:
>
> ovs-vsctl add-br br0 -- set bridge br0 datapath_type=netdev
>
> If "br0" appears in the network interface list then OVS is running in
> userspace successfully:
>
> You can use "ifconfig" to confirm that.
>
> On 27 January 2014 09:41, sonia verma wrote:
>
>> Hi Arun
>>
>> Thanks
>>
>> I'm able to install ovs in userspace after following the
>> INSTALL.USERSPACE and I'm able to create bridge successfully by using
>> ovs-vsctl add-br br0 command.
>>
>> But how to confirm whether it runs in userspace or not?
>>
>> Thanks
>>
>> On Mon, Jan 27, 2014 at 9:19 AM, Arun Sharma
>> wrote:
>>
>>> I hope you have referred
>>> INSTALL.userspace<http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.userspace;hb=a3ea1821d67e7dc8af32d7a55b5857014ec4583f>
>>> document
>>> "Using Open vSwitch without kernel support" related to this?
>>>
>>> To be specific, "
>>> On Linux, when a physical interface is in use by the userspace
>>> datapath, packets received on the interface still also pass into the
>>> kernel TCP/IP stack. This can cause surprising and incorrect
>>> behavior. You can use "iptables" to avoid this behavior, by using it
>>> to drop received packets. For example, to drop packets received on
>>> eth0:
>>> iptables -A INPUT -i eth0 -j DROP
>>> iptables -A FORWARD -i eth0 -j DROP
>>> "
>>>
>>> From: sonia verma
>>> Date: Sun, 26 Jan 2014 08:59:54 +0530
>>> To: "discuss@openvswitch.org"
>>> Subject: [ovs-discuss] OVS in userspace
>>>
>>> Hi
>>>
>>> Is it possible to run ovs on userspace without loading its kernel
>>> modules?
>>>
>>> Please help regarding this.
>>>
>>> Thanks
>
> --
> Asadullah Hussain

Re: [ovs-discuss] OVS in userspace
Hi Arun

Thanks

I'm able to install ovs in userspace after following the INSTALL.USERSPACE and I'm able to create bridge successfully by using ovs-vsctl add-br br0 command.

But how to confirm whether it runs in userspace or not?

Thanks

On Mon, Jan 27, 2014 at 9:19 AM, Arun Sharma wrote:

> I hope you have referred
> INSTALL.userspace<http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.userspace;hb=a3ea1821d67e7dc8af32d7a55b5857014ec4583f>
> document
> "Using Open vSwitch without kernel support" related to this?
>
> To be specific, "
> On Linux, when a physical interface is in use by the userspace
> datapath, packets received on the interface still also pass into the
> kernel TCP/IP stack. This can cause surprising and incorrect
> behavior. You can use "iptables" to avoid this behavior, by using it
> to drop received packets. For example, to drop packets received on
> eth0:
> iptables -A INPUT -i eth0 -j DROP
> iptables -A FORWARD -i eth0 -j DROP
> "
>
> From: sonia verma
> Date: Sun, 26 Jan 2014 08:59:54 +0530
> To: "discuss@openvswitch.org"
> Subject: [ovs-discuss] OVS in userspace
>
> Hi
>
> Is it possible to run ovs on userspace without loading its kernel modules?
>
> Please help regarding this.
>
> Thanks

[ovs-discuss] OVS in userspace
Hi

Is it possible to run ovs on userspace without loading its kernel modules?

Please help regarding this.

Thanks

[ovs-discuss] Long support support for OVS
Hi all

How does Long time support for OVS(1.9.3) differ from the general release of OVS i.e OVS-1.11.

Please let me know.

Thanks

Sonia

Re: [ovs-discuss] L4-L7 with OVS
Hi Vasilly.

I understand but do I need to enable anything onto OVS irrespective of the rules?

Thanks

On Fri, Jan 17, 2014 at 5:43 PM, Vasiliy Tolstov wrote:

> 2014/1/17 sonia verma :
> > Which version of Openflow supports L4 - L7 services i.e Openflow 1.0,1.2 or
> > 1.3.
>
> Openflow does not dig into underline protocols such as l4-l7. You can
> create rule for ovs to pass specific packets to controller and parse
> it into controller (for example ryu). After parsing you can construct
> new packet and send it back to ovs.
>
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
> jabber: v...@selfip.ru

Re: [ovs-discuss] L4-L7 with OVS
Thanks I got it.

One more question Vasilly. Which version of Openflow supports L4 - L7 services i.e Openflow 1.0,1.2 or 1.3.

On Fri, Jan 17, 2014 at 5:05 PM, Vasiliy Tolstov wrote:

> 2014/1/16 sonia verma :
> > Hi Vasilly..
> >
> > Thanks for the reply.
> > I have installed ryu controller on my machine.
> > Can you provide more help or forward any link regarding this.
>
> You can check examples in https://github.com/osrg/ryu/tree/master/ryu/app
>
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
> jabber: v...@selfip.ru

[ovs-discuss] L4 L7 using OVS
Hi all

I need to run L4 L7 application with OVS. I need to know whether currently OVS or openflow supports L4 L7 services or not. If yes, then which version of openflow supports L4 L7 services?

Thanks
Sonia
Re: [ovs-discuss] L4-L7 with OVS
Hi Vasiliy..

Thanks for the reply. I have installed ryu controller on my machine. Can you provide more help or forward any link regarding this.

On Thu, Jan 16, 2014 at 5:24 PM, Vasiliy Tolstov wrote:
> 2014/1/16 sonia verma :
> > Hi all..
> >
> > I need to perform tasks related to L4-L7 protocols with OVS.
> > I want to ask whether OVS supports L4-L7 protocols such as firewall, openvpn
> > etc.
> >
> > Thanks in advance.
>
> Hi! All that you need - support all needed stuff in your openflow
> controller and pass packets to it from ovs. For example ryu have good
> library for packet parsing
>
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
> jabber: v...@selfip.ru
[ovs-discuss] L4-L7 with OVS
Hi all..

I need to perform tasks related to L4-L7 protocols with OVS. I want to ask whether OVS supports L4-L7 protocols such as firewall, openvpn etc.

Thanks in advance.

Regards..
Sonia
Re: [ovs-discuss] Clustering with OVS
Hi Ben..

I'm able to perform clustering with OVS using Opendaylight controller. However the issue that I'm facing is that I need to up-down the interfaces of OVS to automatically make the controller push rules onto OVS so as to forward packets as per need.

Please help regarding this.

Thanks

On Fri, Dec 20, 2013 at 1:12 PM, Ben Pfaff wrote:
> On Fri, Dec 20, 2013 at 01:02:24PM +0530, sonia verma wrote:
> > Can you provide any command or link regarding this.
>
> Look at the "role request" support in include/openflow/nicira-ext.h.
Re: [ovs-discuss] Clustering with OVS
Hi Ben..

Thanks.. Can you provide any command or link regarding this.

On Wed, Dec 18, 2013 at 10:33 PM, Ben Pfaff wrote:
> On Wed, Dec 18, 2013 at 04:43:14PM +0530, sonia verma wrote:
> > Does OF1.0 switches support the Cluster role negotiation with the
> > Controller ?
>
> OpenFlow 1.0 doesn't, but OVS does via an extension.
[ovs-discuss] Clustering with OVS
Hi all,

Does OF1.0 switches support the Cluster role negotiation with the Controller ?

Thanks
Sonia
Re: [ovs-discuss] GRE tunnel
Hi All,

I noticed that the gre0 interface I am using for encapsulating the packets in openvswitch is shown when I am using the ovs-vsctl show command but it is not shown when I am using the ovs-dpctl show command. Due to this the encapsulation of packets is not taking place as at the datapath level the interface is not a part of bridge. So why the interface gre0 is not shown at ovs-datapath level? Please help me regarding this.

I am using the following command for creating the gre interface:

*ovs-vsctl add-port br1 gre0 -- set interface gre0 type=gre options:remote_ip=10.10.10.2*

I am using ubuntu 12.04 with kernel version 3.12.0.

Thanks

-- Forwarded message --
From: sonia verma
Date: Thu, Dec 12, 2013 at 12:55 PM
Subject: Re: [ovs-discuss] GRE tunnel
To: kevin parker

Hi Kevin,

My setup is as follows:

Hypervisor1
    ovs-vsctl add-br br0
    ovs-vsctl add-port br0 eth0
    ovs-vsctl add-br br1
    ovs-vsctl add-port br1 eth1
    ifconfig br0 10.10.10.1 netmask 255.255.255.0 up
    ifconfig br1 192.168.10.1 netmask 255.255.255.0 up
    ovs-vsctl add-port br1 gre0 -- set interface gre0 type=gre options:remote_ip=10.10.10.2
    ip route add 192.168.20.0/24 via 10.10.10.2 dev br0

Hypervisor2
    ovs-vsctl add-br br0
    ovs-vsctl add-port br0 eth0
    ovs-vsctl add-br br1
    ovs-vsctl add-port br1 eth1
    ifconfig br0 10.10.10.2 netmask 255.255.255.0 up
    ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
    ovs-vsctl add-port br1 gre0 -- set interface gre0 type=gre options:remote_ip=10.10.10.1
    ip route add 192.168.10.0/24 via 10.10.10.1 dev br0

Both the hypervisors are connected to each other through their eth0 interfaces. The host machines are connected to the respective hypervisors through eth1 interface. The host machine connected to the hypervisor1 has 192.168.10.10 ip with br1(192.168.10.1) as gateway. Similarly host 2 connected to hypervisor2 has 192.168.20.10 ip with br1(192.168.20.1) as gateway. The flow on all the bridges is normal.

Host1 is able to ping Host 2 via gre tunnel. But the wireshark capture on br0 of hypervisor1 as well as hypervisor2 does not show any gre header. Do I have to push rules on the ovs so as to enable gre header? If so how? Whether openvswitch support GRE in userspace or in kernelspace?

Thanks

On Thu, Dec 12, 2013 at 12:06 PM, kevin parker wrote:
> Can you post your setup details :
> also output of ovs-vsctl show from both hypervisors
> br0 ip on hypervisors
>
> If its all fine have you tried tcpdump
>
> On Wed, Dec 11, 2013 at 4:25 PM, sonia verma wrote:
>
>> Hi Kevin,
>>
>> I assigned Ip to bridge without using tep0 but still its not working .
>> Can you help regarding this?
>>
>> On Wed, Dec 11, 2013 at 3:23 PM, kevin parker
>> wrote:
>>
>>> Hi,
>>> I dont have any issue,i was trying to understand how it works.How
>>> broadcast traffic reaches from port gre0 to interface eth0.
>>>
>>> Also do you have ip assigned to br0 and tep0
>>> as i said i dont use tep0 instead i have assigned ip directly to br0,you
>>> only need tep0 if u dont have any ip assigned to bridge that connects
>>> physical interface.
>>>
>>> On Tue, Dec 10, 2013 at 3:52 PM, sonia verma
>>> wrote:
>>>
>>>> Hi Kevin
>>>>
>>>> I'm trying your setup in my lab.
>>>> I'm able to ping my tunnel endpoint but not able to ping remote end
>>>> point.
>>>> Can you help regarding this?
>>>> Moreover what about your issue?Is it working fine.
>>>>
>>>> Also it will be helpful if you can forward any link regarding this so
>>>> that it may be easy for me to debug.
>>>>
>>>> On Fri, Dec 6, 2013 at 4:51 PM, sonia verma
>>>> wrote:
>>>>
>>>>> -- Forwarded message --
>>>>> From: sonia verma
>>>>> Date: Fri, Dec 6, 2013 at 3:58 PM
>>>>> Subject: Re: [ovs-discuss] GRE tunnel
>>>>> To: kevin parker
>>>>>
>>>>> Hi Kevin
>>>>>
>>>>> Yes Kevin I assigned ip to tep0. I assigned the ip of hypervisor2 to
>>>>> tep0 of hypervisor1 and vice-versa.
>>>>>
>>>>> Thanks for the reply.I will let you know whether it configuration
>>>>> worked or not.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Sonia
>>>>>
>>>>> On Fri, Dec 6, 2013 at 3:48 PM, kevin parker <
>>>>> kevin.parker...@gmail.com> wrote:
>>>>>
[ovs-discuss] Fwd: GRE tunnel
-- Forwarded message --
From: sonia verma
Date: Thu, Dec 12, 2013 at 12:55 PM
Subject: Re: [ovs-discuss] GRE tunnel
To: kevin parker

Hi Kevin,

My setup is as follows:

Hypervisor1
    ovs-vsctl add-br br0
    ovs-vsctl add-port br0 eth0
    ovs-vsctl add-br br1
    ovs-vsctl add-port br1 eth1
    ifconfig br0 10.10.10.1 netmask 255.255.255.0 up
    ifconfig br1 192.168.10.1 netmask 255.255.255.0 up
    ovs-vsctl add-port br1 gre0 -- set interface gre0 type=gre options:remote_ip=10.10.10.2
    ip route add 192.168.20.0/24 via 10.10.10.2 dev br0

Hypervisor2
    ovs-vsctl add-br br0
    ovs-vsctl add-port br0 eth0
    ovs-vsctl add-br br1
    ovs-vsctl add-port br1 eth1
    ifconfig br0 10.10.10.2 netmask 255.255.255.0 up
    ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
    ovs-vsctl add-port br1 gre0 -- set interface gre0 type=gre options:remote_ip=10.10.10.1
    ip route add 192.168.10.0/24 via 10.10.10.1 dev br0

Both the hypervisors are connected to each other through their eth0 interfaces. The host machines are connected to the respective hypervisors through eth1 interface. The host machine connected to the hypervisor1 has 192.168.10.10 ip with br1(192.168.10.1) as gateway. Similarly host 2 connected to hypervisor2 has 192.168.20.10 ip with br1(192.168.20.1) as gateway. The flow on all the bridges is normal.

Host1 is able to ping Host 2 via gre tunnel. But the wireshark capture on br0 of hypervisor1 as well as hypervisor2 does not show any gre header. Do I have to push rules on the ovs so as to enable gre header? If so how? Whether openvswitch support GRE in userspace or in kernelspace?

Thanks

On Thu, Dec 12, 2013 at 12:06 PM, kevin parker wrote:
> Can you post your setup details :
> also output of ovs-vsctl show from both hypervisors
> br0 ip on hypervisors
>
> If its all fine have you tried tcpdump
>
> On Wed, Dec 11, 2013 at 4:25 PM, sonia verma wrote:
>
>> Hi Kevin,
>>
>> I assigned Ip to bridge without using tep0 but still its not working .
>> Can you help regarding this?
>>
>> On Wed, Dec 11, 2013 at 3:23 PM, kevin parker
>> wrote:
>>
>>> Hi,
>>> I dont have any issue,i was trying to understand how it works.How
>>> broadcast traffic reaches from port gre0 to interface eth0.
>>>
>>> Also do you have ip assigned to br0 and tep0
>>> as i said i dont use tep0 instead i have assigned ip directly to br0,you
>>> only need tep0 if u dont have any ip assigned to bridge that connects
>>> physical interface.
>>>
>>> On Tue, Dec 10, 2013 at 3:52 PM, sonia verma
>>> wrote:
>>>
>>>> Hi Kevin
>>>>
>>>> I'm trying your setup in my lab.
>>>> I'm able to ping my tunnel endpoint but not able to ping remote end
>>>> point.
>>>> Can you help regarding this?
>>>> Moreover what about your issue?Is it working fine.
>>>>
>>>> Also it will be helpful if you can forward any link regarding this so
>>>> that it may be easy for me to debug.
>>>>
>>>> On Fri, Dec 6, 2013 at 4:51 PM, sonia verma
>>>> wrote:
>>>>
>>>>> -- Forwarded message --
>>>>> From: sonia verma
>>>>> Date: Fri, Dec 6, 2013 at 3:58 PM
>>>>> Subject: Re: [ovs-discuss] GRE tunnel
>>>>> To: kevin parker
>>>>>
>>>>> Hi Kevin
>>>>>
>>>>> Yes Kevin I assigned ip to tep0. I assigned the ip of hypervisor2 to
>>>>> tep0 of hypervisor1 and vice-versa.
>>>>>
>>>>> Thanks for the reply.I will let you know whether it configuration
>>>>> worked or not.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Sonia
>>>>>
>>>>> On Fri, Dec 6, 2013 at 3:48 PM, kevin parker <
>>>>> kevin.parker...@gmail.com> wrote:
>>>>>
>>>>>> Hi i dont use tep0,
>>>>>>
>>>>>> Dont know whether it can be useful to you:
>>>>>>
>>>>>> my setup is simple
>>>>>>
>>>>>> Hypervisor1:           Hypervisor2:
>>>>>>
>>>>>> kvmbr0(public ip)      xenbr0(public ip)
>>>>>> eth0                   eth0
>>>>>>
>>>>>> isolated               isolated
>>
[ovs-discuss] OVS with GRE
Hi all,

I need to test GRE with OVS. I'm following the below link for this:

http://blog.scottlowe.org/2013/05/07/using-gre-tunnels-with-open-vswitch/

but not able to ping between two VMs. Can you help regarding this...

Thanks...
Sonia
Re: [ovs-discuss] GRE tunnel
Hi Kevin

I'm trying the below link for the same functionality:

http://linuxmantra.com/2013/08/gre-tunneling-with-open-vswitch.html

I'm able to reach tep0 of Hypervisor1 from both the VMs but I wonder why I'm not able to reach tep0 of Hypervisor2 from VM1 and VM2. Could you help regarding this? It will be great if you share your set-up configuration with me so that we both may be able to look onto this.

Thanks..
Sonia...

On Fri, Dec 6, 2013 at 2:58 PM, kevin parker wrote:
> Can any one please help me understand the invisible link that carries
> traffic from gre0 through bridge with NIC attached.
>
> On Thu, Dec 5, 2013 at 10:10 PM, kevin parker
> wrote:
>
>> Hi All,
>> I have a working GRE connected between one kvm host ovs 1.11 and
>> xenserver ovs 1.4.6
>>
>> I have created an *isolated* bridge and connected virtual interface to
>> isolated bridge with private ip ,and then added *gre0* port by
>> mentioning remote public IP.
>>
>> Everything is fine, dont have any issues :)
>>
>> For understanding it better
>>
>> tried tcpdump on isolated bridge i am not able find anything other than
>> ARP request
>>
>> *tcpdump -i isolated -n not port 22 -v*
>>> tcpdump: listening on isolated, link-type EN10MB (Ethernet), capture
>>> size 65535 bytes
>>> 21:31:06.304223 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
>>> 10.168.122.10 tell 10.168.122.200, length 28
>>
>> so used dump-flows on ovs 1.4.6
>> ovs-dpctl dump-flows isolated|grep -v 'src=22' |grep -v 'dst=22'
>> in_port(3),eth(src=ae:0a:5e:8a:cc:2b,dst=52:54:00:bb:86:99),eth_type(0x0800),ipv4(src=10.168.122.200,dst=10.168.122.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0),
>> packets:0, bytes:0, used:never, actions:*1*
>>
>> in_port(1),eth(src=52:54:00:bb:86:99,dst=ae:0a:5e:8a:cc:2b),eth_type(0x0800),ipv4(src=10.168.122.10,dst=10.168.122.200,proto=1,tos=0,ttl=64,frag=no),icmp(type=0,code=0),
>> packets:0, bytes:0, used:never, actions:*3*
>>
>> From this if i understand correctly ovs is outputting to port 1 which is
>> *gre0* with remote ip .But i don't understand
>> 1.how packets go from *gre0* through bridge *kvmbr0* in which NIC is
>> bridged.
>> and
>> 2. tcpdump not showing any packets in isolated bridge.
>>
>> Can some one please help me understand this better or point to some
>> documentation
>>
>> Regards,
>> kevin
Re: [ovs-discuss] OVS in debug mode
Hi Ben

I have performed all the configuration described in OVS. Is there anything else which I need to configure? I'm using OVS version 1-11 for this.

On Wed, Nov 20, 2013 at 12:21 PM, Ben Pfaff wrote:
> It looks like you didn't configure a private key and a certificate.
>
> On Wed, Nov 20, 2013 at 12:15:46PM +0530, abhishek jain wrote:
> > Hi Ben
> >
> > I have followed the same process as described in INSTALL.SSL but still the
> > result is same.
> > Can you help regarding this?
> >
> > On Wed, Nov 20, 2013 at 11:19 AM, Ben Pfaff wrote:
> >
> > > On Wed, Nov 20, 2013 at 11:08:34AM +0530, abhishek jain wrote:
> > > > Thanks for your help.
> > > > I'm getting following error when configuring OVS for ssl.
> > > >
> > > > stream_ssl|ERR|Certificate must be configured to use SSL
> > > > 2013-11-20T05:29:49Z|00598|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
> > > > 2013-11-20T05:29:57Z|00599|stream_ssl|ERR|Private key must be configured to use SSL
> > > > 2013-11-20T05:29:57Z|00600|stream_ssl|ERR|Certificate must be configured to use SSL
> > > > 2013-11-20T05:29:57Z|00601|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
> > > > 2013-11-20T05:30:05Z|00602|stream_ssl|ERR|Private key must be configured to use SSL
> > > > 2013-11-20T05:30:05Z|00603|stream_ssl|ERR|Certificate must be configured to use SSL
> > > > 2013-11-20T05:30:05Z|00604|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
> > > > 2013-11-20T05:30:13Z|00605|stream_ssl|ERR|Private key must be configured to use SSL
> > > > 2013-11-20T05:30:13Z|00606|stream_ssl|ERR|Certificate must be configured to use SSL
> > > > 2013-11-20T05:30:13Z|00607|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
> > > > 2013-11-20T05:30:21Z|00608|stream_ssl|ERR|Private key must be configured to use SSL
> > > > 2013-11-20T05:30:21Z|00609|stream_ssl|ERR|Certificate must be configured to use SSL
> > > > 2013-11-20T05:30:21Z|00610|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
> > > > 2013-11-20T05:30:21Z|00611|fail_open|INFO|Still in fail-open mode after 1479 seconds disconnected from controller
> > > >
> > > > Do you know how to deal with that.
> > >
> > > I would start by reading INSTALL.SSL.
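The log excerpt in this thread, run through a small triage script: it parses the `timestamp|sequence|module|level|message` layout and reports which SSL prerequisites are missing, which controller connections failed, and how long the bridge has been in fail-open mode. This is an added example, not part of any poster's message or of Open vSwitch; the function names are illustrative and the log lines are copied from the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the log excerpt posted in the thread. The first one is cut
# short exactly as it was posted (no timestamp, no sequence number).
THREAD_LOG = """\
stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:29:49Z|00598|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:29:57Z|00599|stream_ssl|ERR|Private key must be configured to use SSL
2013-11-20T05:29:57Z|00600|stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:29:57Z|00601|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:30:21Z|00611|fail_open|INFO|Still in fail-open mode after 1479 seconds disconnected from controller
"""

SSL_MISSING = re.compile(r"^(.+?) must be configured to use SSL$")
CONN_FAILED = re.compile(r"^(\S+): connection failed \((.+)\)$")
FAIL_OPEN = re.compile(r"fail-open mode after (\d+) seconds")


def parse_line(line):
    """Split 'timestamp|sequence|module|level|message'; None if malformed."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5 or not parts[1].isdigit():
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"time": when, "seq": int(parts[1]), "module": parts[2],
            "level": parts[3], "message": parts[4]}


def triage(text):
    """Summarise SSL set-up errors, failed controller links and fail-open time."""
    missing, failed, fail_open_s, skipped = set(), Counter(), 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # truncated or foreign line: count it, do not guess
            continue
        msg = rec["message"]
        if rec["module"] == "stream_ssl" and rec["level"] == "ERR":
            m = SSL_MISSING.match(msg)
            if m:
                missing.add(m.group(1))
        elif rec["module"] == "rconn":
            m = CONN_FAILED.match(msg)
            if m:
                failed[(m.group(1), m.group(2))] += 1
        elif rec["module"] == "fail_open":
            m = FAIL_OPEN.search(msg)
            if m:
                fail_open_s = max(fail_open_s, int(m.group(1)))
    return {"missing": sorted(missing), "failed": dict(failed),
            "fail_open_seconds": fail_open_s, "skipped": skipped}


def findings(report):
    """Turn the summary into operator-facing statements."""
    out = []
    if report["missing"]:
        out.append("SSL not usable, not configured: " + ", ".join(report["missing"]))
    for (target, reason), n in sorted(report["failed"].items()):
        out.append(f"{n} failed connection(s) on {target}: {reason}")
    if report["fail_open_seconds"]:
        out.append(f"bridge in fail-open mode for {report['fail_open_seconds']} s")
    return out


if __name__ == "__main__":
    for statement in findings(triage(THREAD_LOG)):
        print(statement)
```

In fail-open mode the bridge forwards as an ordinary learning switch without the controller, so the last finding is time spent outside controller policy. The private key and certificate named in the first finding are the ones `ovs-vsctl set-ssl` configures, as INSTALL.SSL describes.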
Re: [ovs-discuss] OVS with SSL
Hi Ben,

It's fine. We'll take care of that in future.

Thanks

On Wed, Nov 20, 2013 at 11:30 AM, Ben Pfaff wrote:
> On Wed, Nov 20, 2013 at 11:27:11AM +0530, sonia verma wrote:
> > Me and Abhishek Jain are working for the same team.
>
> Can you try to coordinate better? You two sent exactly the same
> question less than 5 minutes apart.
Re: [ovs-discuss] OVS with SSL
Hi Ben

Me and Abhishek Jain are working for the same team.

On Wed, Nov 20, 2013 at 11:23 AM, Ben Pfaff wrote:
> On Wed, Nov 20, 2013 at 11:12:16AM +0530, sonia verma wrote:
> > Hi all,
> >
> > I'm getting following error while configuring OVS for ssl
>
> I'm getting a "duplicate user" error wondering why "sonia verma" and
> "abhishek jain" are posting exactly the same logs (same sequence
> numbers, dates, and times!) and exactly the same questions!
[ovs-discuss] OVS with SSL
Hi all,

I'm getting following error while configuring OVS for ssl

stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:29:49Z|00598|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:29:57Z|00599|stream_ssl|ERR|Private key must be configured to use SSL
2013-11-20T05:29:57Z|00600|stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:29:57Z|00601|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:30:05Z|00602|stream_ssl|ERR|Private key must be configured to use SSL
2013-11-20T05:30:05Z|00603|stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:30:05Z|00604|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:30:13Z|00605|stream_ssl|ERR|Private key must be configured to use SSL
2013-11-20T05:30:13Z|00606|stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:30:13Z|00607|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:30:21Z|00608|stream_ssl|ERR|Private key must be configured to use SSL
2013-11-20T05:30:21Z|00609|stream_ssl|ERR|Certificate must be configured to use SSL
2013-11-20T05:30:21Z|00610|rconn|WARN|br0<->ssl:192.168.6.129:6633: connection failed (Protocol not available)
2013-11-20T05:30:21Z|00611|fail_open|INFO|Still in fail-open mode after 1479 seconds disconnected from controller

Can you people help regarding this. Is there any file in which I need to enable ssl or make any changes.

Thanks
Sonia
Re: [ovs-discuss] SSL support in OVS
Thanks for replying.

Also can you suggest me particular controller such as ryu, opendaylight which can establish ssl connection with OVS. I am trying with ryu controller but it's not happening.

Thanks

On Fri, Nov 15, 2013 at 9:42 PM, Ben Pfaff wrote:
> On Fri, Nov 15, 2013 at 02:51:20PM +0530, sonia verma wrote:
> > I want to test ssl connectivity of OVS with any of the Openflow
> > controllers.Presently I'm testing it with floodlight but not able to
> > proceed.
> > So I want to know whether OVS supports SSL connectivity or not.
>
> OVS supports SSL.
[ovs-discuss] SSL support in OVS
Hi all,

I want to test ssl connectivity of OVS with any of the Openflow controllers. Presently I'm testing it with floodlight but not able to proceed. So I want to know whether OVS supports SSL connectivity or not. If yes, can you people provide some link regarding this.

Thanks in advance.

Regards..
Sonia
[ovs-discuss] MPLS with OVs-1.11
Hi all.

I'm using OVS version-1.11 having MPLS support for it. I want to ask whether mpls runs at user space or at kernel space.

Thanks

Regards..
Sonia
Re: [ovs-discuss] OVS not forwarding
Hi all..

The output of dmesg is as follows

dmesg | grep ovs
[0.00] Linux version 3.5.7.17 (root@vvdnovs) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #3 SMP Thu Sep 5 09:35:11 IST 2013 ()
[ 351.553616] device ovs-system entered promiscuous mode
root@vvdnovs:~#
root@vvdnovs:~#
root@vvdnovs:~# dmesg | grep openvswitch
[ 13.345922] openvswitch: Open vSwitch switching datapath

The bridge is still not forwarding packets after enabling IPFIX. I am using Kernel version 3.5.7.17. Can you recommend me some specific kernel version which supports IPFIX.

Thanks...
Sonia

On Wed, Oct 2, 2013 at 10:16 PM, Ben Pfaff wrote:
> abhishek jain sent an almost identical question
> yesterday:
> http://openvswitch.org/pipermail/discuss/2013-October/011407.html
> I responded:
> http://openvswitch.org/pipermail/discuss/2013-October/011422.html
>
> On Tue, Oct 1, 2013 at 12:00 AM, sonia verma wrote:
>
>> Hi all..
>>
>> I am trying IPFIX with OVS version 1.11. and not able to forward packets
>> after enabling IPFIX on OVS.Following are the logs after enabling IPFIX on
>> OVS..
>>
>> 2013-10-01T05:37:25Z|00259|dpif|WARN|Dropped 37 log messages in last 148
>> seconds (most recently, 147 seconds ago) due to excessive rate
>> > 2013-10-01T05:37:25Z|00260|dpif|WARN|system@ovs-system: failed to
>> put[modify][zero] (Numerical result out of range)
>> in_port(2),eth(src=e0:db:55:a0:e1:13,dst=00:27:13:b7:2f:74),eth_type(0x0800),ipv4(src=
>> 192.168.1.200/0.0.0.0,dst=192.168.1.54/0.0.0.0,proto=1/0,tos=0/0,ttl=128/0,frag=no/0xff),icmp(type=8/0,code=0/0),
>> packets:0, bytes:0, used:never,
>> actions:sample(sample=100.0%,actions(userspace(pid=4294962366,ipfix))),4
>> > 2013-10-01T05:37:25Z|00261|dpif|WARN|system@ovs-system: failed to
>> put[modify][zero] (Numerical result out of range)
>> in_port(4),eth(src=00:27:13:b7:2f:74,dst=e0:db:55:a0:e1:13),eth_type(0x0800),ipv4(src=
>> 192.168.1.54/0.0.0.0,dst=192.168.1.200/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no/0xff),icmp(type=0/0,code=0/0),
>> packets:0, bytes:0, used:never,
>> actions:sample(sample=100.0%,actions(userspace(pid=4294962363,ipfix))),2
>>
>> WHAT DOES IT MEAN
>>
>> Thanks..
>> Sonia
>
> --
> "I don't normally do acked-by's. I think it's my way of avoiding
> getting blamed when it all blows up." Andrew Morton
[ovs-discuss] OVS not forwarding
Hi all..

I am trying IPFIX with OVS version 1.11. and not able to forward packets after enabling IPFIX on OVS. Following are the logs after enabling IPFIX on OVS..

2013-10-01T05:37:25Z|00259|dpif|WARN|Dropped 37 log messages in last 148 seconds (most recently, 147 seconds ago) due to excessive rate
> 2013-10-01T05:37:25Z|00260|dpif|WARN|system@ovs-system: failed to put[modify][zero] (Numerical result out of range) in_port(2),eth(src=e0:db:55:a0:e1:13,dst=00:27:13:b7:2f:74),eth_type(0x0800),ipv4(src= 192.168.1.200/0.0.0.0,dst=192.168.1.54/0.0.0.0,proto=1/0,tos=0/0,ttl=128/0,frag=no/0xff),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:sample(sample=100.0%,actions(userspace(pid=4294962366,ipfix))),4
> 2013-10-01T05:37:25Z|00261|dpif|WARN|system@ovs-system: failed to put[modify][zero] (Numerical result out of range) in_port(4),eth(src=00:27:13:b7:2f:74,dst=e0:db:55:a0:e1:13),eth_type(0x0800),ipv4(src= 192.168.1.54/0.0.0.0,dst=192.168.1.200/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no/0xff),icmp(type=0/0,code=0/0), packets:0, bytes:0, used:never, actions:sample(sample=100.0%,actions(userspace(pid=4294962363,ipfix))),2

WHAT DOES IT MEAN

Thanks..
Sonia