Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-10-08 Thread Qiuyu Xiao
Then the IPsec configuration should be correct. If the VXLAN set up is also 
correct, the VXLAN traffic should also be encrypted since the outer IP header 
uses “fd00::10” and “fd00::11”. Did you test VXLAN setup without IPsec enabled?

-Qiuyu


___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
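A wire-level check for the point made above (with the outer header being fd00::10 <-> fd00::11, the VXLAN packets must leave the underlay NIC as ESP), written as an added example and not code from the thread or from Open vSwitch. It sorts `tcpdump -nn` text lines from the underlay interface into ESP, cleartext VXLAN and other. The endpoint addresses are the ones from the thread; the lines in `demo_capture` are constructed for this example, in the text form tcpdump uses for IPv6 ESP (`IP6 a > b: ESP(spi=...,seq=...)`) and VXLAN (`IP6 a.sport > b.4789: VXLAN, ...`); the decoded inner frame tcpdump prints on the line after a VXLAN line counts as "other".

```shell
#!/bin/sh
# vxlan_esp_leakcheck.sh -- added example; not code from the thread or from OVS.
# Reads tcpdump text lines (tcpdump -nnli <underlay-if> ip6) from stdin and
# sorts every packet between the two tunnel endpoints into one of three bins:
#   esp   : IP6 LOCAL > REMOTE: ESP(...)             encrypted, as expected
#   clear : IP6 LOCAL.<sport> > REMOTE.4789: VXLAN   unencrypted VXLAN, a leak
#   other : anything else (NDP, controller session, decoded inner frames, ...)
# Exit status 0 only if no cleartext VXLAN was seen. Endpoint addresses are the
# thread's; the sample lines in demo_capture are constructed for this example.

VXLAN_PORT=4789

# classify_line LOCAL REMOTE LINE -> esp | clear | other
classify_line() {
    _local=$1; _remote=$2; _line=$3
    case "$_line" in
        *"IP6 $_local > $_remote: ESP("*|*"IP6 $_remote > $_local: ESP("*)
            echo esp ;;
        *"IP6 $_local."*" > $_remote.$VXLAN_PORT: VXLAN"*|*"IP6 $_remote."*" > $_local.$VXLAN_PORT: VXLAN"*)
            echo clear ;;
        *)  echo other ;;
    esac
}

# vxlan_esp_leakcheck LOCAL REMOTE  (tcpdump lines on stdin)
# prints "esp=N clear=N other=N"; returns 1 if any cleartext VXLAN was seen
vxlan_esp_leakcheck() {
    _esp=0; _clear=0; _other=0
    while IFS= read -r _l; do
        case "$(classify_line "$1" "$2" "$_l")" in
            esp)   _esp=$(( _esp + 1 )) ;;
            clear) _clear=$(( _clear + 1 )) ;;
            *)     _other=$(( _other + 1 )) ;;
        esac
    done
    echo "esp=$_esp clear=$_clear other=$_other"
    [ "$_clear" -eq 0 ]
}

# demo_capture leaky|clean -> constructed tcpdump output for an offline run
demo_capture() {
    cat <<'EOF'
10:00:01.000001 IP6 fd00::10 > fd00::11: ESP(spi=0xc0a8d4e1,seq=0x1a), length 1568
10:00:01.000002 IP6 fd00::11 > fd00::10: ESP(spi=0x3b9f12a7,seq=0x1a), length 1568
EOF
    [ "$1" = leaky ] && cat <<'EOF'
10:00:01.000003 IP6 fd00::10.49321 > fd00::11.4789: VXLAN, flags [I] (0x08), vni 1000
EOF
    cat <<'EOF'
10:00:01.000004 IP6 fe80::a00:27ff:fe12:3456 > ff02::1: ICMP6, router advertisement, length 64
EOF
}

# Stand-alone: vxlan_esp_leakcheck.sh LOCAL REMOTE < capture.txt
if [ "$#" -eq 2 ]; then
    vxlan_esp_leakcheck "$1" "$2"
fi
```

Live use is `tcpdump -nnli enp0s10 ip6 | vxlan_esp_leakcheck fd00::10 fd00::11` (or source the file and feed it a saved capture). Any count in the `clear` bin means the XFRM policy did not cover the tunnel's outer header for that direction; with `auto=route` a matching trap policy holds or drops the packets until the SA is up rather than letting them out unencrypted, so a non-zero `clear` count points at the selectors, not at timing.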


Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-10-08 Thread Sebastian Pitei
Hi Qiuyu,

Yes, if I try to ping from fd::10 to fd::11 the ICMP gets through and is 
encrypted.

Seb


Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-10-08 Thread Qiuyu Xiao
Your understanding is correct. Your previous configuration file seems to 
encrypt all traffic from host “fd00::10” to host “fd00::11”. If you ping one 
host from another, will the ICMP traffic be encrypted?

-Qiuyu



Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-10-07 Thread Sebastian Pitei
P.S.: does the above make sense? Is there a flaw in my logic?

P.P.S: this week I should also get some physical boxes to test the setup, maybe 
it will provide different results, as I've been testing this whole setup inside 
VirtualBox and VMware Workstation Pro.

Thx,
Seb



Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-10-07 Thread Sebastian Pitei
Hi Qiuyu,

Thanks a lot for your suggestions. In order to better troubleshoot this, let me 
state my understanding of the whole process:

-a packet arrives on the physical interface.
-OVS consults the flow tables and chooses to encapsulate the packet inside 
VXLAN.
-using br0 source interface and the destination IP address in the OVS flow the 
packet leaves the OVS binary.
-Strongswan should now "catch" the IP traffic (as specified by the traffic 
selectors) and encrypt the packet.

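The path described above stacks two encapsulations on every frame that enters on enp0s10: VXLAN over IPv6 (40 + 8 + 8 bytes around the 14-byte inner Ethernet header) and then ESP. The thread does not discuss MTU, but it is the first thing to measure once small pings pass and full-size frames do not, so here is an added example (not code from the thread, OVS or strongSwan) that computes the largest inner MTU that still fits a given underlay MTU for plain VXLAN, VXLAN + ESP transport mode and VXLAN + ESP tunnel mode. Header sizes are the fixed ones from the protocol specifications; the per-cipher IV/ICV sizes in `cipher_params` are the usual values for those algorithms; function names are this example's own.

```shell
#!/bin/sh
# vxlan_esp_mtu.sh -- added example; not code from the thread, OVS or strongSwan.
# Size budget for a frame that enters on enp0s10, is VXLAN-encapsulated over IPv6
# by OVS and then ESP-protected by the kernel before it reaches the underlay NIC.
# Header sizes are the fixed ones from the protocol specs; per-cipher IV/ICV sizes
# are the usual values for the named algorithms (see cipher_params).

ETH_HDR=14       # inner Ethernet header carried inside VXLAN (FCS not counted)
IPV6_HDR=40
UDP_HDR=8
VXLAN_HDR=8
ESP_HDR=8        # SPI (4) + sequence number (4)
ESP_TRAILER=2    # pad length (1) + next header (1)

# cipher_params NAME -> "IV_LEN ICV_LEN PAD_ALIGN" in bytes
cipher_params() {
    case "$1" in
        aes-gcm-128|aes-gcm-256) echo "8 16 4" ;;    # AEAD: 8-byte IV, 16-byte ICV, 4-byte alignment
        aes-cbc-sha256)          echo "16 16 16" ;;  # 16-byte IV, 128-bit truncated HMAC, 16-byte blocks
        aes-cbc-sha1)            echo "16 12 16" ;;  # 16-byte IV, 96-bit truncated HMAC
        *) echo "unknown cipher: $1" >&2; return 1 ;;
    esac
}

# esp_pad PAYLOAD_LEN ALIGN -> padding so that payload + trailer is a multiple of ALIGN
esp_pad() {
    _rem=$(( ( $1 + ESP_TRAILER ) % $2 ))
    [ "$_rem" -eq 0 ] && echo 0 || echo $(( $2 - _rem ))
}

# vxlan6_packet_size INNER_MTU -> outer IPv6 packet length for a full-size inner frame
vxlan6_packet_size() {
    echo $(( IPV6_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR + $1 ))
}

# esp6_packet_size PKT_LEN MODE CIPHER -> IPv6 packet length after ESP
#   transport: ESP sits between the original IPv6 header and the UDP/VXLAN payload
#   tunnel:    the whole original packet becomes ESP payload behind a new IPv6 header
esp6_packet_size() {
    _plen=$1; _mode=$2
    _params=$(cipher_params "$3") || return 1
    set -- $_params
    _iv=$1; _icv=$2; _align=$3
    case "$_mode" in
        transport) _inner=$(( _plen - IPV6_HDR )) ;;
        tunnel)    _inner=$_plen ;;
        *) echo "unknown mode: $_mode" >&2; return 1 ;;
    esac
    _pad=$(esp_pad "$_inner" "$_align")
    echo $(( IPV6_HDR + ESP_HDR + _iv + _inner + _pad + ESP_TRAILER + _icv ))
}

# largest_inner_mtu OUTER_MTU MODE CIPHER -> biggest inner MTU that still fits
# OUTER_MTU after VXLAN (+ ESP in MODE); MODE "none" means plain VXLAN
largest_inner_mtu() {
    _m=$1
    while [ "$_m" -gt 0 ]; do
        _v=$(vxlan6_packet_size "$_m")
        if [ "$2" = none ]; then _w=$_v; else _w=$(esp6_packet_size "$_v" "$2" "$3") || return 1; fi
        if [ "$_w" -le "$1" ]; then echo "$_m"; return 0; fi
        _m=$(( _m - 1 ))
    done
    return 1
}

# mtu_report [OUTER_MTU] [CIPHER] -> the three budgets side by side
mtu_report() {
    _o=${1:-1500}; _c=${2:-aes-gcm-128}
    echo "underlay MTU $_o, cipher $_c"
    echo "  plain VXLAN over IPv6      : inner MTU $(largest_inner_mtu "$_o" none)"
    echo "  VXLAN + ESP transport mode : inner MTU $(largest_inner_mtu "$_o" transport "$_c")"
    echo "  VXLAN + ESP tunnel mode    : inner MTU $(largest_inner_mtu "$_o" tunnel "$_c")"
}

# Stand-alone: vxlan_esp_mtu.sh [OUTER_MTU] [CIPHER]
if [ "$#" -ge 1 ]; then
    mtu_report "$@"
fi
```

For a 1500-byte underlay and AES-GCM-128 the budget is 1430 bytes for plain VXLAN, 1396 for ESP transport mode and 1356 for ESP tunnel mode, so a 1500-byte packet arriving on enp0s10 never fits either way. Either raise the MTU on the link between the two VTEPs (jumbo frames) or lower the MTU on the enp0s10 side of each bridge to the reported figure; transport mode buys back the 40 bytes of the second IPv6 header.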


Re: [ovs-discuss] VXLAN over IPSec - what's wrong

2018-09-19 Thread Qiuyu Xiao
Hi Sebastian,

If it is an IPsec configuration problem, you can check syslog to see
what error messages were put by the strongswan daemon.

There is a patchset which configures IPsec tunnel for OVS. It should
work with VXLAN tunnel and strongswan. You can check it out in
https://github.com/qiuyuX/ovs-ipsec.

Best,
Qiuyu


[ovs-discuss] VXLAN over IPSec - what's wrong

2018-09-17 Thread Sebastian Pitei
Hi everyone,

I'm trying to build a simple OVS setup as follows:
-two OVS switches (on separate machines), both having one physical port 
(enp0s10) and a virtual one (vxlan0), on the same br0 bridge.
-each br0 has a manually set IPv6 address that's being used as source and 
destination for the VXLAN tunnel.

[Scenario 1]
-VXLAN comes up, traffic flows from the physical interface to the VXLAN tunnel 
and vice-versa

[Scenario 2]
-I've added strongswan and configured host-to-host IPSec encryption, but 
unfortunately traffic is not passing between bridges.

Am I missing something? Is there another way to do this? I'm pasting below my 
configuration, maybe it helps

[bridge-config]
    Bridge "br0"
        Controller "tcp:[fd00::100]"
        fail_mode: secure
        Port "br0"
            Interface "br0"
                type: internal
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {key="1000", local_ip="fd00::10", remote_ip="fd00::11"}
        Port "enp0s10"
            Interface "enp0s10"
    ovs_version: "2.9.0"

[openflow-flows]
cookie=0x0, duration=86993.364s, table=0, n_packets=168419, n_bytes=16303712, 
in_port=enp0s10 actions=output:vxlan0
 cookie=0x0, duration=86992.812s, table=0, n_packets=167802, n_bytes=16266100, 
in_port=vxlan0 actions=output:enp0s10

[strongswan_ipsec.conf]

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    mobike=no

conn host-host
    left=fd00::10
    leftid=fd00::10
    right=fd00::11
    rightid=fd00::11
    auto=route


Thx,
Seb
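For comparison with the posted ipsec.conf, an added example (not code from the thread, from Open vSwitch or from strongSwan) that renders two shapes of the same tunnel policy: the host-to-host tunnel-mode conn as posted, and a transport-mode pair scoped to UDP/4789 plus `type=drop` shunts so that VXLAN is discarded rather than sent in the clear whenever no SA is installed. The out/in split is needed because VXLAN uses a random source port and destination port 4789, and one IKEv2 selector pair cannot tie "my random port" to "peer port 4789" and the reverse at the same time. Connection names and the port constant are this example's assumptions; the `ipsec.secrets` PSK entry is the author's own and is not rendered. OVS later shipped its own generator for this kind of configuration (ovs-monitor-ipsec); this example is not that code.

```shell
#!/bin/sh
# ovs_vxlan_ipsec_conf.sh -- added example; not code from the thread, OVS or strongSwan.
# Renders ipsec.conf text for the VXLAN tunnel between LOCAL and REMOTE in two shapes:
#   host-host  : the conn posted in the thread (tunnel mode, selector = the two /128 hosts)
#   vxlan-only : transport mode scoped to UDP/4789 in each direction, plus drop shunts
#                so that VXLAN is discarded rather than sent in the clear if no SA exists
# Connection names and the port constant are assumptions; ipsec.secrets is not rendered.

VXLAN_PORT=4789

# render_ipsec_conf VARIANT LOCAL REMOTE -> ipsec.conf text on stdout
render_ipsec_conf() {
    _variant=$1; _local=$2; _remote=$3
    cat <<EOF
conn %default
    keyexchange=ikev2
    authby=secret
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    left=$_local
    leftid=$_local
    right=$_remote
    rightid=$_remote

EOF
    case "$_variant" in
    host-host)
        cat <<EOF
# Tunnel mode (the strongSwan default), selectors $_local/128 <-> $_remote/128:
# everything between the two hosts is protected, VXLAN outer headers included.
conn host-host
    type=tunnel
    auto=route
EOF
        ;;
    vxlan-only)
        cat <<EOF
# Transport mode, limited to VXLAN. Two conns are needed: VXLAN uses a random
# source port and destination $VXLAN_PORT, and one IKEv2 selector pair cannot
# tie "my random port" to "peer port $VXLAN_PORT" and vice versa at once.
conn vxlan-out
    type=transport
    leftprotoport=udp
    rightprotoport=udp/$VXLAN_PORT
    auto=route

conn vxlan-in
    type=transport
    leftprotoport=udp/$VXLAN_PORT
    rightprotoport=udp
    auto=route

# Fail closed: drop shunts with the same selectors. strongSwan installs drop
# shunts at its lowest (fallback) priority, so they only take effect when no
# trap/IPsec policy matches; confirm with "ip -6 xfrm policy" that their
# priority number is larger than the transport policies' before relying on it.
conn vxlan-drop-out
    type=drop
    leftprotoport=udp
    rightprotoport=udp/$VXLAN_PORT
    auto=route

conn vxlan-drop-in
    type=drop
    leftprotoport=udp/$VXLAN_PORT
    rightprotoport=udp
    auto=route
EOF
        ;;
    *)  echo "unknown variant: $_variant" >&2; return 1 ;;
    esac
}

# list_conns -> names of the conn sections in the ipsec.conf text read from stdin
list_conns() {
    sed -n 's/^conn  *//p'
}

# Stand-alone: ovs_vxlan_ipsec_conf.sh host-host|vxlan-only LOCAL REMOTE > ipsec.conf
if [ "$#" -eq 3 ]; then
    render_ipsec_conf "$1" "$2" "$3"
fi
```

Both shapes keep the posted IKE settings and identities; the difference is what the XFRM policies cover. The host-to-host shape is simpler and also protects the OpenFlow session only if the controller sat on one of the two hosts (here it is fd00::100, so it is outside either selector); the VXLAN-only shape leaves everything except the tunnel alone, saves the second IPv6 header per packet, and adds the explicit drop so that a stopped or misconfigured IPsec daemon cannot silently turn the tunnel back into cleartext VXLAN.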