Description of problem:
Enable OVN's support of IPsec encryption of the tunnels.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/
2.
3.

Actual results:
openvswitch-ipsec is missing

Expected results:
All required software to use encrypted tunnels is available for RHV.

Additional info:
OVS packaging builds but does not ship the ovs-monitor-ipsec binary; I think this RFE is requesting that the OVS package start shipping the ovs-monitor-ipsec binary.
As described here: https://bugzilla.redhat.com/show_bug.cgi?id=1782056
I'm trying to make openvswitch-ipsec work on a 3 node RHHI-V cluster.
- 3 RHV-H nodes running on RHEL 7.7 with RHV 4.3
- 1 RHV Manager running on RHEL 7.7
- 1 VM (RHEL 7.7) running on rhhi-host-01. 172.16.0.10 / ovirtmgmt network
- 1 VM (RHEL 7.7) running on rhhi-host-03. 172.16.0.11 / ovirtmgmt network

The openvswitch-ipsec package has been compiled from the Red Hat pkgs git/openvswitch2.11, branch fast-datapath-rhel-7.
Packages built:
######################################
openvswitch2.11-2.11.0-35.el7.src.rpm
openvswitch2.11-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-debuginfo-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-devel-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-ipsec-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-test-2.11.0-35.el7.noarch.rpm
python-openvswitch2.11-2.11.0-35.el7.x86_64.rpm
######################################

I followed http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/

Note that libreswan-3.25 is affected by this: https://lists.libreswan.org/pipermail/swan/2018/002697.html
Fixed in libreswan-3.26, not available on RHEL 7.
I backported the commit (https://github.com/libreswan/libreswan/commit/9d52ef1a3559d55cd7077edfabd01b14dd7e74f7) on top of libreswan-3.25-8.1.el7_7 with this patch:
######################################
diff -u -r libreswan-3.25-pristine/programs/pluto/ikev2_child.c libreswan-3.25/programs/pluto/ikev2_child.c
--- libreswan-3.25-pristine/programs/pluto/ikev2_child.c	2018-06-27 17:42:26.000000000 +0200
+++ libreswan-3.25/programs/pluto/ikev2_child.c	2020-01-22 12:16:11.300000000 +0100
@@ -867,7 +867,7 @@
 						d->name));
 				int bfit_p =
 					ikev2_evaluate_connection_port_fit(
-						d, sra, role,
+						d, sr, role,
 						tsi, tsr,
 						tsi_n, tsr_n,
 						&best_tsi_i,
@@ -881,7 +881,7 @@
 						best_tsr_i));
 				int bfit_pr =
 					ikev2_evaluate_connection_protocol_fit(
-						d, sra, role,
+						d, sr, role,
 						tsi, tsr,
 						tsi_n, tsr_n,
 						&best_tsi_i,
######################################
Tunnels are now up in and out.

Results:

On host-1:
######################################
[root@rhhi-host-01 ~]# ovs-vsctl show
daf6b2f2-7e00-49f9-b661-d572f1c6d75b
    Bridge br-int
        fail_mode: secure
        Port "ovn-40d3e4-0"
            Interface "ovn-40d3e4-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.218", remote_name="40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d"}
        Port br-int
            Interface br-int
                type: internal
        Port "ovn-57ecad-0"
            Interface "ovn-57ecad-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.217", remote_name="57ecad94-604f-4bf0-b757-90e5ea5610bd"}
    ovs_version: "2.11.0"

[root@rhhi-host-01 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.217
  SKB mark:       0/1
  Local cert:     /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-cert-dns.pem
  Local name:     81497e31-1b4c-4667-bd67-de4f0d7cebf6
  Local key:      /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-privkey.pem
  Remote cert:    None
  Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         14
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
    src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
  Kernel security associations installed:
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
  IPsec connections that are active:

Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.218
  SKB mark:       0/1
  Local cert:     /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-cert-dns.pem
  Local name:     81497e31-1b4c-4667-bd67-de4f0d7cebf6
  Local key:      /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-privkey.pem
  Remote cert:    None
  Remote name:    40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         13
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
    src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
  Kernel security associations installed:
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
  IPsec connections that are active:

[root@rhhi-host-01 ~]#

[root@rhhi-host-01 ~]# ipsec show
192.168.91.216/32 <=> 192.168.91.218/32 using reqid 16401
192.168.91.216/32 <=> 192.168.91.217/32 using reqid 16393
192.168.91.216/32 <=> 192.168.91.218/32 using reqid 16397
192.168.91.216/32 <=> 192.168.91.217/32 using reqid 16389

[root@rhhi-host-01 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:e2:f2 brd ff:ff:ff:ff:ff:ff
...
8: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:1a:88 brd ff:ff:ff:ff:ff:ff
...
53: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:bd:cd:59:31:80 brd ff:ff:ff:ff:ff:ff
54: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether e2:12:55:73:4d:49 brd ff:ff:ff:ff:ff:ff
55: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:e2:f2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.216/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:e2f2/64 scope link
       valid_lft forever preferred_lft forever
59: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:1a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:1a88/64 scope link
       valid_lft forever preferred_lft forever
67: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:16:3e:35:f9:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc16:3eff:fe35:f92f/64 scope link
       valid_lft forever preferred_lft forever
70: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:6f:27:2a:00:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc6f:27ff:fe2a:0/64 scope link
       valid_lft forever preferred_lft forever
71: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 4e:87:ce:fe:f9:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4c87:ceff:fefe:f951/64 scope link
       valid_lft forever preferred_lft forever

[root@rhhi-host-01 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt
169.254.0.0/16 dev ovirtmgmt scope link metric 1055
169.254.0.0/16 dev gluster scope link metric 1059
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.1
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.216
######################################

On host-2:
######################################
[root@rhhi-host-02 ~]# ovs-vsctl show
53914599-f2b4-4c69-8159-a1e984c36102
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "ovn-81497e-0"
            Interface "ovn-81497e-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.216", remote_name="81497e31-1b4c-4667-bd67-de4f0d7cebf6"}
        Port "ovn-40d3e4-0"
            Interface "ovn-40d3e4-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.218", remote_name="40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d"}
    ovs_version: "2.11.0"

[root@rhhi-host-02 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.218
  SKB mark:       0/1
  Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
  Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
  Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
  Remote cert:    None
  Remote name:    40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         2
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
    src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
  Kernel security associations installed:
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
  IPsec connections that are active:

Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.216
  SKB mark:       0/1
  Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
  Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
  Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
  Remote cert:    None
  Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
    src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
  Kernel security associations installed:
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
    sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
  IPsec connections that are active:

[root@rhhi-host-02 ~]#

[root@rhhi-host-02 ~]# ipsec show
192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16397
192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16401
192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16393
192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16389

[root@rhhi-host-02 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
...
8: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
...
14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether f6:1a:0d:d0:40:36 brd ff:ff:ff:ff:ff:ff
15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:f0:32:99:95:48 brd ff:ff:ff:ff:ff:ff
31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.217/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:d462/64 scope link
       valid_lft forever preferred_lft forever
32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:8eb0/64 scope link
       valid_lft forever preferred_lft forever
...
34: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether f2:7a:7a:ec:77:32 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f07a:7aff:feec:7732/64 scope link
       valid_lft forever preferred_lft forever
36: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

[root@rhhi-host-02 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt
169.254.0.0/16 dev ovirtmgmt scope link metric 1031
169.254.0.0/16 dev gluster scope link metric 1032
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.2
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.217
######################################

On host-3:
######################################
[root@rhhi-host-03 ~]# ovs-vsctl show
4f8152c3-1159-4b22-8655-be6c48906ce1
    Bridge br-int
        fail_mode: secure
        Port "ovn-81497e-0"
            Interface "ovn-81497e-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.216", remote_name="81497e31-1b4c-4667-bd67-de4f0d7cebf6"}
        Port "ovn-57ecad-0"
            Interface "ovn-57ecad-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.217", remote_name="57ecad94-604f-4bf0-b757-90e5ea5610bd"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.11.0"

[root@rhhi-host-03 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.217
  SKB mark:       None
  Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
  Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
  Remote cert:    None
  Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         3
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  Kernel security associations installed:
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  IPsec connections that are active:

Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.216
  SKB mark:       None
  Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
  Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
  Remote cert:    None
  Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
  Kernel policies installed:
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
  Kernel security associations installed:
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
  IPsec connections that are active:

[root@rhhi-host-03 ~]#

[root@rhhi-host-03 ~]# ipsec show
192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16397
192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16401
192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16389
192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16393

[root@rhhi-host-03 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
5: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
...
14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 76:e7:03:fb:3e:de brd ff:ff:ff:ff:ff:ff
15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 4e:c5:aa:51:76:4e brd ff:ff:ff:ff:ff:ff
31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.218/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:d5aa/64 scope link
       valid_lft forever preferred_lft forever
32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:91dc/64 scope link
       valid_lft forever preferred_lft forever
33: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether fa:b3:f5:f2:0b:7e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f8b3:f5ff:fef2:b7e/64 scope link
       valid_lft forever preferred_lft forever
...
35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:6f:27:2a:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc6f:27ff:fe2a:1/64 scope link
       valid_lft forever preferred_lft forever
...

[root@rhhi-host-03 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt
169.254.0.0/16 dev ovirtmgmt scope link metric 1031
169.254.0.0/16 dev gluster scope link metric 1032
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.3
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.218
######################################

Ping from VM1 (172.16.0.10) to VM2 (172.16.0.11) goes in clear:
######################################
[root@rhhi-host-01 ~]# tcpdump -ni any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:15:53.202689 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, seq 15051, length 64
14:15:53.202706 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, seq 15051, length 64
14:15:53.202890 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq 15051, length 64
14:15:53.202894 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq 15051, length 64
######################################

Any hint on why it's not encrypted? Did I miss something?
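Review bot: in the `@@ -867,7 +867,7 @@` hunk the only change is the second argument of `ikev2_evaluate_connection_port_fit`, `sra` replaced by `sr`; the hunk shows no declaration of `sr`, so confirm that `sr` is the spd_route variable actually in scope at that point of the 3.25 tree and not only in the newer tree the upstream commit was written against: if `sr` does not exist the build fails, and if both names exist the call compiles either way but evaluates the port fit against a different spd_route. A one-line header citing the upstream commit id in the patch itself would also make the backport easy to drop on the next libreswan rebase.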
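Review bot: the `@@ -881,7 +881,7 @@` hunk makes the matching `sra` to `sr` substitution for `ikev2_evaluate_connection_protocol_fit`, which is called with the same traffic-selector arguments (`tsi, tsr, tsi_n, tsr_n, &best_tsi_i`) as the port-fit call in the previous hunk; the two hunks are only correct together, since both fits must be computed for the same spd_route, so keep them in one patch and grep the rest of the function for any remaining `sra` use, which the three context lines of this hunk cannot show.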
(In reply to Raphaël HOAREAU from comment #7)
[root@rhhi-host-03 ~]# > > [root@rhhi-host-03 ~]# ipsec show > 192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16397 > 192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16401 > 192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16389 > 192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16393 > > [root@rhhi-host-03 ~]# ip a > ... > 4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt > state UP group default qlen 1000 > link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff > 5: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster > state UP group default qlen 1000 > link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff > ... > 14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group > default qlen 1000 > link/ether 76:e7:03:fb:3e:de brd ff:ff:ff:ff:ff:ff > 15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group > default qlen 1000 > link/ether 4e:c5:aa:51:76:4e brd ff:ff:ff:ff:ff:ff > 31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue > state UP group default qlen 1000 > link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff > inet 192.168.91.218/25 brd 192.168.91.255 scope global ovirtmgmt > valid_lft forever preferred_lft forever > inet6 fe80::e643:4bff:fe8e:d5aa/64 scope link > valid_lft forever preferred_lft forever > 32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state > UP group default qlen 1000 > link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff > inet 192.168.0.3/24 brd 192.168.0.255 scope global gluster > valid_lft forever preferred_lft forever > inet6 fe80::b696:91ff:fe5f:91dc/64 scope link > valid_lft forever preferred_lft forever > 33: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc > noqueue master ovs-system state UNKNOWN group default qlen 1000 > link/ether fa:b3:f5:f2:0b:7e brd ff:ff:ff:ff:ff:ff > inet6 fe80::f8b3:f5ff:fef2:b7e/64 scope link > valid_lft forever preferred_lft forever > ... 
> 35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > master ovirtmgmt state UNKNOWN group default qlen 1000 > link/ether fe:6f:27:2a:00:01 brd ff:ff:ff:ff:ff:ff > inet6 fe80::fc6f:27ff:fe2a:1/64 scope link > valid_lft forever preferred_lft forever > ... > > [root@rhhi-host-03 ~]# ip r > default via 192.168.91.129 dev ovirtmgmt > 169.254.0.0/16 dev ovirtmgmt scope link metric 1031 > 169.254.0.0/16 dev gluster scope link metric 1032 > 192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.3 > 192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.218 > ###################################### > > Ping from VM1 (172.16.0.10) to VM2 (172.16.0.11) goes in clear : > ###################################### > [root@rhhi-host-01 ~]# tcpdump -ni any icmp > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 > bytes > 14:15:53.202689 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, > seq 15051, length 64 > 14:15:53.202706 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, > seq 15051, length 64 > 14:15:53.202890 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq > 15051, length 64 > 14:15:53.202894 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq > 15051, length 64 > ###################################### > > Any hint on why it's not encrypted ? Did i miss something ? This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1884481
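One thing worth noticing in the `tunnels/show` output quoted above is that both hosts list kernel policies and security associations for every tunnel, yet the "IPsec connections that are active:" list is empty on every interface, and the ping between the two VMs is captured in clear. The checker below is an added example, not code from the bug report or from Open vSwitch; it parses the `ovs-appctl -t ovs-monitor-ipsec tunnels/show` layout into per-interface records and reports tunnels that have no active connection, no policies, no SAs, no authentication material at all, or a policy whose destination does not match the interface's Remote IP. The sample input is constructed in the same layout as the quoted output; the status line under the active-connections header of the second tunnel is a placeholder and not a real libreswan status line. Remote cert `None` together with a CA cert is the CA-signed certificate mode from the OVN IPsec tutorial and is deliberately not flagged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout of `ovs-appctl -t ovs-monitor-ipsec tunnels/show`
# (fields as in the output quoted in this bug; the line under the last header of the
# second tunnel is a placeholder, not a real status line).
SAMPLE_OUTPUT = """\
Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Remote IP:      192.168.91.217
  Remote cert:    None
  Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Kernel policies installed:
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  Kernel security associations installed:
    sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  IPsec connections that are active:

Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Remote IP:      192.168.91.216
  Remote cert:    None
  Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Kernel policies installed:
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
    src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
  Kernel security associations installed:
    sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
    sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  IPsec connections that are active:
    ovn-81497e-0-in-1 established (placeholder status line, constructed)
"""

SECTION_HEADERS = {
    "Kernel policies installed:": "policies",
    "Kernel security associations installed:": "sas",
    "IPsec connections that are active:": "active",
}
IFACE_RE = re.compile(r"^Interface name:\s*(\S+)\s+v\d+\s+\((\w+)\)\s*$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


@dataclass
class Tunnel:
    name: str
    state: str
    fields: Dict[str, str] = field(default_factory=dict)
    policies: List[str] = field(default_factory=list)
    sas: List[str] = field(default_factory=list)
    active: List[str] = field(default_factory=list)


def parse_tunnels_show(text: str) -> List[Tunnel]:
    """Split tunnels/show output into one Tunnel per 'Interface name:' block."""
    tunnels: List[Tunnel] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is irrelevant (the quoted bug output lost it)
        if not line:
            section = None  # a blank line closes the list currently being read
            continue
        m = IFACE_RE.match(line)
        if m:
            current = Tunnel(name=m.group(1), state=m.group(2))
            tunnels.append(current)
            section = None
            continue
        if current is None:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
        elif section is not None:
            getattr(current, section).append(line)
        else:
            kv = KV_RE.match(line)
            if kv:
                current.fields[kv.group(1)] = kv.group(2)
    return tunnels


def audit(tunnels: List[Tunnel]) -> Dict[str, List[str]]:
    """Return {interface: findings} for tunnels that do not look fully protected."""
    findings: Dict[str, List[str]] = {}
    for t in tunnels:
        issues: List[str] = []
        if t.state != "CONFIGURED":
            issues.append(f"state is {t.state}")
        if not t.policies:
            issues.append("no kernel IPsec policies installed")
        if not t.sas:
            issues.append("no kernel security associations installed")
        if not t.active:  # the pattern seen in this bug: policies/SAs present, nothing active
            issues.append("no active IPsec connection reported")
        # PSK, remote cert (self-signed mode) or CA cert (CA-signed mode): at least one is needed
        has_auth = any(t.fields.get(k, "None") != "None" for k in ("PSK", "Remote cert", "CA cert"))
        if not has_auth:
            issues.append("no PSK, remote certificate or CA certificate configured")
        remote = t.fields.get("Remote IP")
        for p in t.policies:
            m = re.search(r"\bdst (\S+?)/\d+", p)
            if remote and m and m.group(1) != remote:
                issues.append(f"policy dst {m.group(1)} does not match Remote IP {remote}")
        if issues:
            findings[t.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_tunnels_show(SAMPLE_OUTPUT)).items():
        print(name, "->", "; ".join(issues))
```

Run against real output with `ovs-appctl -t ovs-monitor-ipsec tunnels/show | python3 check.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; an empty result means every tunnel has policies, SAs and an active connection, which is the state to confirm before trusting that tunnel traffic is encrypted.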
Set to FailedQA due to bugs: bz#1906278, bz#1906280 and bz#1906701.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0402