Hello,

For some reason machine receiving traffic through ipsec_gre is not putting
it through to the LOCAL interface.

I have a basic test setup:

hostA - ip network - hostB

Both hosts have just a single eth0 interface. I managed to get a regular
gre tunnel working (thanks to Mathy Vanvoorden's blogpost) with - hostA:

ovs-vsctl add-br insecure
ip link set insecure up
ip addr add 192.168.10.1/24 broadcast 192.168.10.255 dev insecure
ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre options:remote_ip=2.2.2.2

hostB:

ovs-vsctl add-br insecure
ip link set insecure up
ip addr add 192.168.10.2/24 broadcast 192.168.10.255 dev insecure
ovs-vsctl add-port insecure gre0 -- set interface gre0 type=gre options:remote_ip=1.1.1.1

on hostB.

Now, I am able to ping both hostA and hostB between each other using the
192.168.10.1 and 192.168.10.2 IP addresses.

However, changing this to ipsec_gre causes some problems - hostA:

ovs-vsctl add-br secure
ip link set secure up
ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev secure
ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=2.2.2.2 options:psk=secret

hostB:

ovs-vsctl add-br secure
ip link set secure up
ip addr add 192.168.20.2/24 broadcast 192.168.20.255 dev secure
ovs-vsctl add-port secure gre3 -- set interface gre3 type=ipsec_gre options:remote_ip=1.1.1.1 options:psk=secret

Pinging the machines between each with the internal IPs gives no response.
On the machine attempting ping, tcpdump shows arp requests on the "secure"
interface, ESP outgoing packets on eth0. On the machine receiving I see
incoming ESP packets on eth0, and nothing on the "secure" interface.

I checked the logs and I can confirm that the ipsec session was initiated
successfully. Increasing the ovs-vswitchd log verbosity to DEBUG I could
even spot ARP packets on the receiving machine:

2016-07-05T22:24:12.771Z|34809|dpif(revalidator35)|DBG|system@ovs-system: flow_dump
recirc_id(0),dp_hash(0/0),skb_priority(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=2.2.2.2,tos=0x0,ttl=63,flags()),in_port(1),skb_mark(0),eth(src=11:22:33:44:55:66,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.20.1/255.255.255.255,tip=192.168.20.2/255.255.255.255,op=1/0xff,sha=22:33:44:55:66:77/00:00:00:00:00:00,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:13, bytes:546, used:0.476s, actions:3

So, iiuc, it means that the ARP request got through the ipsec tunnel and
was received by vswitchd on the other side, but for some reason, vswitchd
did not put the request to the "secure" interface.

I think it is some bug, but I can't rule out that this is an expected
behaviour. Please point it out if you notice anything missing from my setup.

The machines are running OpenSUSE 42.1, with kernel 4.1.21, ipsec-tools
0.8.0 and openvswitch 2.3.1.

Best regards,
Bolesław Tokarski
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
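Added example (not from the post or from Open vSwitch): a small parser for the dpif flow_dump line quoted above, so a reader can pull out what the datapath actually recorded for the tunnelled ARP request, in particular that the flow ends in actions:3, an output to datapath port 3, rather than a drop. The sample line is reconstructed from the excerpt; the MAC addresses are the post's placeholders.

```python
import re

# Sample line constructed from the flow_dump excerpt in the post.
SAMPLE = ("recirc_id(0),dp_hash(0/0),skb_priority(0),"
          "tunnel(tun_id=0x0,src=1.1.1.1,dst=2.2.2.2,tos=0x0,ttl=63,flags()),"
          "in_port(1),skb_mark(0),eth(src=11:22:33:44:55:66,dst=ff:ff:ff:ff:ff:ff),"
          "eth_type(0x0806),arp(sip=192.168.20.1/255.255.255.255,"
          "tip=192.168.20.2/255.255.255.255,op=1/0xff,"
          "sha=22:33:44:55:66:77/00:00:00:00:00:00,"
          "tha=00:00:00:00:00:00/00:00:00:00:00:00), "
          "packets:13, bytes:546, used:0.476s, actions:3")

def split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_item(item):
    """One item: name(inner) with nested key=value fields, name(scalar), key=value, or stat key:value."""
    m = re.fullmatch(r"(\w+)\((.*)\)", item)
    if m:
        name, inner = m.groups()
        if "=" in inner:  # nested field list such as tunnel(...), eth(...), arp(...)
            return name, dict(parse_item(p) for p in split_top_level(inner))
        return name, inner  # scalar such as in_port(1), eth_type(0x0806) or flags()
    sep = "=" if "=" in item else ":"
    key, _, value = item.partition(sep)
    return key, value

def parse_flow(line):
    return dict(parse_item(p) for p in split_top_level(line))

def summarise(flow):
    """The facts relevant to the post: tunnel endpoints, ARP op, and where the datapath sent the packet."""
    arp_op = flow.get("arp", {}).get("op", "").split("/")[0]  # value/mask, keep the value
    actions = flow["actions"]
    return {
        "tunnel": (flow["tunnel"]["src"], flow["tunnel"]["dst"]),
        "in_port": int(flow["in_port"]),
        "is_arp_request": flow.get("eth_type") == "0x0806" and arp_op == "1",
        # actions:N is an output to datapath port N; a dropped flow shows actions:drop.
        # Mapping N to an interface name is a separate step (e.g. ovs-dpctl show), assumed here.
        "output_port": int(actions) if actions.isdigit() else None,
        "packets": int(flow["packets"]),
    }
```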