Signed-off-by: Balazs Nemeth <bnem...@redhat.com> --- Documentation/tutorials/ipsec.rst | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst index 3b3e42c59..6bcf3842e 100644 --- a/Documentation/tutorials/ipsec.rst +++ b/Documentation/tutorials/ipsec.rst @@ -144,6 +144,14 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure options:remote_ip=$ip_1 \ options:psk=swordfish + Set the "local_ip" field in the Interface table on host_1:: + + $ ovs-vsctl set Interface tun options:local_ip=$ip_1 + + Same on host_2:: + + $ ovs-vsctl set Interface tun options:local_ip=$ip_2 + .. note:: Pre-shared key (PSK) based authentication is easy to set up but less @@ -273,7 +281,26 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure authenticated; otherwise, any certificate signed by the CA would be accepted. -3. Test IPsec tunnel. +3. Set the `local_ip` field in the Interface table (Optional) + + Make sure that the `local_ip` field in the Interface table is set to the + NIC used for egress traffic. + + On `host 1`:: + + # ovs-vsctl set Interface tun options:local_ip=$ip_1 + + Similarly, on `host 2`:: + + # ovs-vsctl set Interface tun options:local_ip=$ip_2 + + .. note:: + + It is not strictly necessary to set the `local_ip` field if your system + only has one NIC or the default gateway interface is set to the NIC + used for egress traffic. + +4. Test IPsec tunnel. Now you should have an IPsec GRE tunnel running between two hosts. To verify it, in `host_1`:: -- 2.29.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
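Review bot: in the first hunk (the PSK section, after `options:psk=swordfish`), the added `local_ip` paragraph does not say why the field should be set or that it is optional, while the new step 3 in the second hunk gives the same command with that explanation. If step 3 is meant to apply to every authentication method, drop this paragraph or reduce it to a pointer to step 3. Otherwise, repeat the explanation here. The two hunks also differ in style: the prompt is `$` here and `#` in step 3, and the field is written "local_ip" here but `local_ip` there. Pick one form of each.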
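Review bot: in the second hunk, the sentence "is set to the NIC used for egress traffic" in new step 3 describes `local_ip` as a NIC, but the commands below it assign an address (`options:local_ip=$ip_1`). Suggest "is set to the IP address of the NIC used for egress traffic". The hosts are written `host 1` and `host 2` in this step, while the hunk context uses `host_1` and `host_2`; use the underscore form so the names match the rest of the tutorial. The heading would also read more naturally as "(Optional) Set the `local_ip` field in the Interface table", so the reader sees that the step can be skipped before reading it.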