Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Then the IPsec configuration should be correct. If the VXLAN setup is also correct, the VXLAN traffic should also be encrypted since the outer IP header uses “fd00::10” and “fd00::11”. Did you test the VXLAN setup without IPsec enabled?

-Qiuyu

> On Oct 8, 2018, at 9:27 AM, Sebastian Pitei wrote:
>
> Hi Qiuyu,
>
> Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is
> encrypted.
>
> Seb
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Qiuyu,

Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is encrypted.

Seb

-----Original Message-----
From: Qiuyu Xiao
Sent: Monday, October 8, 2018 4:01 PM
To: Sebastian Pitei
Cc: ovs-discuss@openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong

Your understanding is correct. Your previous configuration file seems to encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one host from another, will the ICMP traffic be encrypted?

-Qiuyu
Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Your understanding is correct. Your previous configuration file seems to encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one host from another, will the ICMP traffic be encrypted?

-Qiuyu

> On Oct 7, 2018, at 1:05 PM, Sebastian Pitei wrote:
>
> P.S.: does the above make sense? Is there a flaw in my logic?
>
> P.P.S: this week I should also get some physical boxes to test the setup,
> maybe it will provide different results, as I've been testing this whole
> setup inside VirtualBox and VMware Workstation Pro.
>
> Thx,
> Seb
Re: [ovs-discuss] VXLAN over IPSec - what's wrong
P.S.: does the above make sense? Is there a flaw in my logic?

P.P.S: this week I should also get some physical boxes to test the setup, maybe it will provide different results, as I've been testing this whole setup inside VirtualBox and VMware Workstation Pro.

Thx,
Seb

-----Original Message-----
From: Sebastian Pitei
Sent: Sunday, October 7, 2018 8:03 PM
To: Qiuyu Xiao
Cc: ovs-discuss@openvswitch.org
Subject: RE: [ovs-discuss] VXLAN over IPSec - what's wrong

Hi Qiuyu,

Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:

-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.
Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Qiuyu,

Thanks a lot for your suggestions. In order to better troubleshoot this, let me state my understanding of the whole process:

-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic selectors) and encrypt the packet.

-----Original Message-----
From: Qiuyu Xiao
Sent: Thursday, September 20, 2018 1:13 AM
To: Sebastian Pitei
Cc: ovs-discuss@openvswitch.org
Subject: Re: [ovs-discuss] VXLAN over IPSec - what's wrong

Hi Sebastian,

If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.

There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.

Best,
Qiuyu
Re: [ovs-discuss] VXLAN over IPSec - what's wrong
Hi Sebastian,

If it is an IPsec configuration problem, you can check syslog to see what error messages were put by the strongswan daemon.

There is a patchset which configures IPsec tunnel for OVS. It should work with VXLAN tunnel and strongswan. You can check it out in https://github.com/qiuyuX/ovs-ipsec.

Best,
Qiuyu

On Mon, Sep 17, 2018 at 3:57 PM Sebastian Pitei wrote:
>
> Hi everyone,
>
> I'm trying to build a simple OVS setup as follows:
> -two OVS switches (on separate machines), both having one physical port
> (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
> -each br0 has a manually set IPv6 address that's being used as source and
> destination for the VXLAN tunnel.
>
> [Scenario 1]
> -VXLAN comes up, traffic flows from the physical interface to the VXLAN
> tunnel and vice-versa
>
> [Scenario 2]
> -I've added strongswan and configured host-to-host IPSec encryption, but
> unfortunately traffic is not passing between bridges.
>
> Am I missing something? Is there another way to do this?
[ovs-discuss] VXLAN over IPSec - what's wrong
Hi everyone,

I'm trying to build a simple OVS setup as follows:
-two OVS switches (on separate machines), both having one physical port (enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
-each br0 has a manually set IPv6 address that's being used as source and destination for the VXLAN tunnel.

[Scenario 1]
-VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel and vice-versa

[Scenario 2]
-I've added strongswan and configured host-to-host IPSec encryption, but unfortunately traffic is not passing between bridges.

Am I missing something? Is there another way to do this? I'm pasting below my configuration, maybe it helps

[bridge-config]
    Bridge "br0"
        Controller "tcp:[fd00::100]"
        fail_mode: secure
        Port "br0"
            Interface "br0"
                type: internal
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
        Port "enp0s10"
            Interface "enp0s10"
    ovs_version: "2.9.0"

[openflow-flows]
cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, in_port=enp0s10 actions=output:vxlan0
cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, in_port=vxlan0 actions=output:enp0s10

[strongswan_ipsec.conf]

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    mobike=no

conn host-host
    left=fd00::10
    leftid=fd00::10
    right=fd00::11
    rightid=fd00::11
    auto=route

Thx,
Seb