Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Sebastian,

If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.

There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.

Best,
Qiuyu

On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei wrote:
>
> Hi everyone,
>
> I'm trying to build a simple OVS setup as follows:
> - two OVS switches (on separate machines), both having one physical port
>   (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
> - each br0 has a manually set IPv6 address that's being used as source and
>   destination for the VXLAN tunnel.
>
> [Scenario 1]
> - VXLAN comes up, traffic flows from the physical interface to the VXLAN
>   tunnel and vice-versa
>
> [Scenario 2]
> - I've added strongswan and configured host-to-host IPSec encryption, but
>   unfortunately traffic is not passing between bridges.
>
> Am I missing something? Is there another way to do this? I'm pasting below my
> configuration, maybe it helps
>
> [bridge-config]
>     Bridge "br0"
>         Controller "tcp:[fd00::100]"
>         fail_mode: secure
>         Port "br0"
>             Interface "br0"
>                 type: internal
>         Port "vxlan0"
>             Interface "vxlan0"
>                 type: vxlan
>                 options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
>         Port "enp0s10"
>             Interface "enp0s10"
>     ovs_version: "2.9.0"
>
> [openflow-flows]
>  cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
>  cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10
>
> [strongswan_ipsec.conf]
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>     mobike=no
>
> conn host-host
>     left=fd00::10
>     leftid=fd00::10
>     right=fd00::11
>     rightid=fd00::11
>     auto=route
>
>
> Thx,
> Seb
> ___
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
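A diagnostic check added here, not taken from the thread or from the ovs-ipsec repository: given the text of "ip -6 xfrm policy" and "ip -6 xfrm state" on one host, it reports, for each direction between the two tunnel endpoints from the configuration above (fd00::10 and fd00::11), whether the kernel holds both a policy and a negotiated SA, which separates "auto=route installed a trap policy but IKE never completed" from "the VXLAN packets are not covered by any policy at all". The sample outputs are constructed, and the line layout of ip xfrm is assumed from iproute2's usual format.

```python
import re

# One `ip xfrm policy` entry: the selector line, then the line carrying "dir".
POLICY_RE = re.compile(
    r"^src (?P<src>[0-9a-fA-F:.]+)/\d+ dst (?P<dst>[0-9a-fA-F:.]+)/\d+[^\n]*\n\s*dir (?P<dir>\w+)",
    re.MULTILINE)
# One `ip xfrm state` entry: an installed SA between two endpoints.
STATE_RE = re.compile(r"^src (?P<src>[0-9a-fA-F:.]+) dst (?P<dst>[0-9a-fA-F:.]+)[ \t]*$",
                      re.MULTILINE)

def tunnel_status(local, remote, policy_out, state_out):
    """For local->remote ("out") and remote->local ("in"), report whether the
    kernel holds a policy plus a negotiated SA, only a policy, or nothing."""
    policies = {(m["src"], m["dst"], m["dir"]) for m in POLICY_RE.finditer(policy_out)}
    states = {(m["src"], m["dst"]) for m in STATE_RE.finditer(state_out)}
    status = {}
    for direction, src, dst in (("out", local, remote), ("in", remote, local)):
        if (src, dst, direction) not in policies:
            status[direction] = "unprotected"   # packets would travel in the clear
        elif (src, dst) not in states:
            status[direction] = "policy-only"   # trap installed, IKE never completed
        else:
            status[direction] = "protected"
    return status

# Constructed sample of `ip -6 xfrm policy` for the thread's endpoints, as it
# looks after strongswan's auto=route has installed trap policies.
POLICY_SAMPLE = """\
src fd00::10/128 dst fd00::11/128
    dir out priority 375423 ptype main
    tmpl src fd00::10 dst fd00::11
        proto esp reqid 1 mode tunnel
src fd00::11/128 dst fd00::10/128
    dir in priority 375423 ptype main
    tmpl src fd00::11 dst fd00::10
        proto esp reqid 1 mode tunnel
"""
# Constructed sample of `ip -6 xfrm state` once IKEv2 negotiated both SAs
# (key material replaced by zeros).
STATE_SAMPLE = """\
src fd00::10 dst fd00::11
    proto esp spi 0xc0a80001 reqid 1 mode tunnel
    aead rfc4106(gcm(aes)) 0x00000000 128
src fd00::11 dst fd00::10
    proto esp spi 0xc0a80002 reqid 1 mode tunnel
    aead rfc4106(gcm(aes)) 0x00000000 128
"""

if __name__ == "__main__":
    print(tunnel_status("fd00::10", "fd00::11", POLICY_SAMPLE, ""))            # policy-only
    print(tunnel_status("fd00::10", "fd00::11", POLICY_SAMPLE, STATE_SAMPLE))  # protected
```

On a live host, feed the script the real command output; a "policy-only" result points at IKE (check the strongswan messages in syslog, as suggested above), while "unprotected" means the VXLAN endpoints are not matched by any policy.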
Re: [ovs-discuss] Creating system data path OVS in virtual machines
> On Sep 18, 2018, at 8:11 PM, karthik karra wrote:
>
> Hi All,
>
> I am not able to create a system data path OVS on virtual machines running on
> OpenStack. I am facing this error ovs-vsctl: Error detected while setting up
> ‘br0’.
>
> What could be the reason?

It could be many things. The ovs-vswitchd.log should contain some logging information.

> How do two OVS interact on virtual machines? Will it be through GRE or VxLAN
> tunneling, or are there any more means to achieve the communication?

You have many options; it depends on what you want to accomplish. If you want to use private addresses between them, you probably want to use tunnels (GRE, VxLAN, Geneve) or VLANs. In terms of management, you could write fairly simple OpenFlow flows or, if you need to create a much larger topology, use something like OVN. I believe there are many examples on the Internet of using both approaches with OVS.

--Justin
Re: [ovs-discuss] New config with an issue
On Wed, Sep 19, 2018 at 8:21 PM Peter Eisch wrote:
> Hi,
>
> The environment: Queens running 2.8.x with a hypervisor (dvr) and two L3
> agents (dvr-snat) in HA config. DVR mode, hybrid firewall and wanting to
> not use any NAT north and south because the site is smallish (13
> hypervisors in all).
>
> The issue: A node is created and works mostly well. I see the
> north->south traffic arrive via the snat interface on the active l3 host.
> After some time, the egress (south->north) traffic will stop routing out
> the fip on the hypervisor and, instead, transit through the l3 host. It
> proceeds to jump around over time between the three hosts on what appears
> to be five minute walls. At some point though, the node becomes
> unreachable until the egress flips again.
>
> This tells me there's an arp timing out at 300 seconds. Is there a
> cookbook for how to either diagnose better our configuration issue or which
> config options to pay close attention to?
>
> Respectfully,
>
> peter
>

Maybe sending this email to the OpenStack dev ML could get some comments.

Thanks
Numan
[ovs-discuss] New config with an issue
Hi,

The environment: Queens running 2.8.x with a hypervisor (dvr) and two L3 agents (dvr-snat) in HA config. DVR mode, hybrid firewall and wanting to not use any NAT north and south because the site is smallish (13 hypervisors in all).

The issue: A node is created and works mostly well. I see the north->south traffic arrive via the snat interface on the active l3 host. After some time, the egress (south->north) traffic will stop routing out the fip on the hypervisor and, instead, transit through the l3 host. It proceeds to jump around over time between the three hosts on what appears to be five minute walls. At some point though, the node becomes unreachable until the egress flips again.

This tells me there's an arp timing out at 300 seconds. Is there a cookbook for how to either diagnose better our configuration issue or which config options to pay close attention to?

Respectfully,

peter