Bug 1782141 - [RFE RHEL8] Enable IPSec for OVS
Summary: [RFE RHEL8] Enable IPSec for OVS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch2.13
Version: RHEL 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Target Release: ---
Assignee: Timothy Redaelli
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks: 1782056 1898615
 
Reported: 2019-12-11 09:13 UTC by Dominik Holler
Modified: 2021-02-03 21:22 UTC

Fixed In Version: openvswitch2.13-2.13.0-77.el8fdp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-03 21:21:53 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2021:0402 (last updated 2021-02-03 21:22:04 UTC)

Description Dominik Holler 2019-12-11 09:13:29 UTC
Description of problem:
Enable OVN's support for IPsec encryption of the tunnels.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/

Actual results:
openvswitch-ipsec is missing

Expected results:
All required software to use encrypted tunnels is available for RHV.

Additional info:

Comment 2 Dan Williams 2019-12-16 21:48:10 UTC
OVS packaging builds but does not ship the ovs-monitor-ipsec binary; I think this RFE is requesting that the OVS package start shipping the ovs-monitor-ipsec binary.

Comment 7 Raphaël HOAREAU 2020-01-22 13:41:21 UTC
As described here: https://bugzilla.redhat.com/show_bug.cgi?id=1782056
I'm trying to make openvswitch-ipsec work on a 3-node RHHI-V cluster.
 - 3 RHV-H node running on RHEL 7.7 with RHV 4.3
 - 1 RHV Manager running on RHEL 7.7
 - 1 VM (RHEL 7.7) running on rhhi-host-01. 172.16.0.10 / ovirtmgmt network
 - 1 VM (RHEL 7.7) running on rhhi-host-03. 172.16.0.11 / ovirtmgmt network

The openvswitch-ipsec package has been compiled from Red Hat's pkgs git (openvswitch2.11, branch fast-datapath-rhel-7).
Packages built:
######################################
openvswitch2.11-2.11.0-35.el7.src.rpm
openvswitch2.11-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-debuginfo-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-devel-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-ipsec-2.11.0-35.el7.x86_64.rpm
openvswitch2.11-test-2.11.0-35.el7.noarch.rpm
python-openvswitch2.11-2.11.0-35.el7.x86_64.rpm
######################################

I followed http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/

Note that libreswan-3.25 is affected by this: https://lists.libreswan.org/pipermail/swan/2018/002697.html
Fixed in libreswan-3.26, which is not available on RHEL 7.
I backported the commit (https://github.com/libreswan/libreswan/commit/9d52ef1a3559d55cd7077edfabd01b14dd7e74f7) on top of libreswan-3.25-8.1.el7_7 with this patch:
######################################
diff -u -r libreswan-3.25-pristine/programs/pluto/ikev2_child.c libreswan-3.25/programs/pluto/ikev2_child.c                                                                                                        
--- libreswan-3.25-pristine/programs/pluto/ikev2_child.c        2018-06-27 17:42:26.000000000 +0200
+++ libreswan-3.25/programs/pluto/ikev2_child.c 2020-01-22 12:16:11.300000000 +0100
@@ -867,7 +867,7 @@
                                                    d->name));
                                        int bfit_p =
                                                ikev2_evaluate_connection_port_fit(
-                                                       d, sra, role,
+                                                       d, sr, role,
                                                        tsi, tsr,
                                                        tsi_n, tsr_n,
                                                        &best_tsi_i,
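Review bot: the only change in this hunk is the second argument of ikev2_evaluate_connection_port_fit, `sra` to `sr`, but the context does not show where `sr` is bound or which loop iterates it, so a reader cannot verify that `sr` is the spd route of the candidate connection `d` rather than a variable left over from an outer scope; regenerate with `diff -up` (or `git format-patch` of the backported commit) so the `@@` line carries the enclosing function and the loop header is visible, and reference upstream commit 9d52ef1a3559d55cd7077edfabd01b14dd7e74f7 in the patch header so the backport can be diffed against it.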
@@ -881,7 +881,7 @@
                                                            best_tsr_i));
                                                int bfit_pr =
                                                        ikev2_evaluate_connection_protocol_fit(
-                                                               d, sra, role,
+                                                               d, sr, role,
                                                                tsi, tsr,
                                                                tsi_n, tsr_n,
                                                                &best_tsi_i,
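Review bot: same `sra` to `sr` substitution for ikev2_evaluate_connection_protocol_fit; this call and the port-fit call in the previous hunk feed the same best_tsi_i / best_tsr_i selection visible in the context, so the two hunks must be applied together, and the backport should be checked against the upstream commit for further call sites in other files, since this diff covers only programs/pluto/ikev2_child.c.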
######################################
Tunnels are now up in and out.

Results:

On host-1:
######################################
[root@rhhi-host-01 ~]# ovs-vsctl show
daf6b2f2-7e00-49f9-b661-d572f1c6d75b
    Bridge br-int
        fail_mode: secure
        Port "ovn-40d3e4-0"
            Interface "ovn-40d3e4-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.218", remote_name="40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d"}
        Port br-int
            Interface br-int
                type: internal
        Port "ovn-57ecad-0"
            Interface "ovn-57ecad-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.217", remote_name="57ecad94-604f-4bf0-b757-90e5ea5610bd"}
    ovs_version: "2.11.0"

[root@rhhi-host-01 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.217
  SKB mark:       0/1
  Local cert:     /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-cert-dns.pem
  Local name:     81497e31-1b4c-4667-bd67-de4f0d7cebf6
  Local key:      /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-privkey.pem
  Remote cert:    None
  Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         14
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
IPsec connections that are active:

Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.218
  SKB mark:       0/1
  Local cert:     /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-cert-dns.pem
  Local name:     81497e31-1b4c-4667-bd67-de4f0d7cebf6
  Local key:      /etc/ssl/81497e31-1b4c-4667-bd67-de4f0d7cebf6-privkey.pem
  Remote cert:    None
  Remote name:    40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         13
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
  src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
IPsec connections that are active:

[root@rhhi-host-01 ~]#

[root@rhhi-host-01 ~]# ipsec show
192.168.91.216/32 <=> 192.168.91.218/32 using reqid 16401
192.168.91.216/32 <=> 192.168.91.217/32 using reqid 16393
192.168.91.216/32 <=> 192.168.91.218/32 using reqid 16397
192.168.91.216/32 <=> 192.168.91.217/32 using reqid 16389

[root@rhhi-host-01 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:e2:f2 brd ff:ff:ff:ff:ff:ff
...
8: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:1a:88 brd ff:ff:ff:ff:ff:ff
...
53: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:bd:cd:59:31:80 brd ff:ff:ff:ff:ff:ff
54: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether e2:12:55:73:4d:49 brd ff:ff:ff:ff:ff:ff
55: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:e2:f2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.216/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:e2f2/64 scope link 
       valid_lft forever preferred_lft forever
59: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:1a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:1a88/64 scope link 
       valid_lft forever preferred_lft forever
67: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:16:3e:35:f9:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc16:3eff:fe35:f92f/64 scope link 
       valid_lft forever preferred_lft forever
70: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:6f:27:2a:00:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc6f:27ff:fe2a:0/64 scope link 
       valid_lft forever preferred_lft forever
71: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 4e:87:ce:fe:f9:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4c87:ceff:fefe:f951/64 scope link 
       valid_lft forever preferred_lft forever

[root@rhhi-host-01 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt 
169.254.0.0/16 dev ovirtmgmt scope link metric 1055 
169.254.0.0/16 dev gluster scope link metric 1059 
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.1 
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.216
######################################

On host-2:
######################################
[root@rhhi-host-02 ~]# ovs-vsctl show
53914599-f2b4-4c69-8159-a1e984c36102
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "ovn-81497e-0"
            Interface "ovn-81497e-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.216", remote_name="81497e31-1b4c-4667-bd67-de4f0d7cebf6"}
        Port "ovn-40d3e4-0"
            Interface "ovn-40d3e4-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.218", remote_name="40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d"}
    ovs_version: "2.11.0"

[root@rhhi-host-02 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.218
  SKB mark:       0/1
  Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
  Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
  Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
  Remote cert:    None
  Remote name:    40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         2
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
IPsec connections that are active:

Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.216
  SKB mark:       0/1
  Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
  Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
  Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
  Remote cert:    None
  Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
  src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
Kernel security associations installed:
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
IPsec connections that are active:

[root@rhhi-host-02 ~]#

[root@rhhi-host-02 ~]# ipsec show
192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16397
192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16401
192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16393
192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16389

[root@rhhi-host-02 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
...
8: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
...
14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether f6:1a:0d:d0:40:36 brd ff:ff:ff:ff:ff:ff
15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:f0:32:99:95:48 brd ff:ff:ff:ff:ff:ff
31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.217/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:d462/64 scope link 
       valid_lft forever preferred_lft forever
32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:8eb0/64 scope link 
       valid_lft forever preferred_lft forever
...
34: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether f2:7a:7a:ec:77:32 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f07a:7aff:feec:7732/64 scope link 
       valid_lft forever preferred_lft forever
36: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

[root@rhhi-host-02 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt 
169.254.0.0/16 dev ovirtmgmt scope link metric 1031 
169.254.0.0/16 dev gluster scope link metric 1032 
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.2 
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.217 
######################################

On host-3:
######################################
[root@rhhi-host-03 ~]# ovs-vsctl show
4f8152c3-1159-4b22-8655-be6c48906ce1
    Bridge br-int
        fail_mode: secure
        Port "ovn-81497e-0"
            Interface "ovn-81497e-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.216", remote_name="81497e31-1b4c-4667-bd67-de4f0d7cebf6"}
        Port "ovn-57ecad-0"
            Interface "ovn-57ecad-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.91.217", remote_name="57ecad94-604f-4bf0-b757-90e5ea5610bd"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.11.0"

[root@rhhi-host-03 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.217
  SKB mark:       None
  Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
  Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
  Remote cert:    None
  Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         3
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
Kernel security associations installed:
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
IPsec connections that are active:

Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.216
  SKB mark:       None
  Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
  Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
  Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
  Remote cert:    None
  Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
  CA cert:        /etc/ssl/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
  src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
Kernel security associations installed:
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
  sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
IPsec connections that are active:

[root@rhhi-host-03 ~]# 

[root@rhhi-host-03 ~]# ipsec show
192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16397
192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16401
192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16389
192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16393

[root@rhhi-host-03 ~]# ip a
...
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UP group default qlen 1000
    link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
5: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster state UP group default qlen 1000
    link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
...
14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 76:e7:03:fb:3e:de brd ff:ff:ff:ff:ff:ff
15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 4e:c5:aa:51:76:4e brd ff:ff:ff:ff:ff:ff
31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
    inet 192.168.91.218/25 brd 192.168.91.255 scope global ovirtmgmt
       valid_lft forever preferred_lft forever
    inet6 fe80::e643:4bff:fe8e:d5aa/64 scope link 
       valid_lft forever preferred_lft forever
32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global gluster
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe5f:91dc/64 scope link 
       valid_lft forever preferred_lft forever
33: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether fa:b3:f5:f2:0b:7e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f8b3:f5ff:fef2:b7e/64 scope link 
       valid_lft forever preferred_lft forever
...
35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovirtmgmt state UNKNOWN group default qlen 1000
    link/ether fe:6f:27:2a:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc6f:27ff:fe2a:1/64 scope link 
       valid_lft forever preferred_lft forever
...

[root@rhhi-host-03 ~]# ip r
default via 192.168.91.129 dev ovirtmgmt 
169.254.0.0/16 dev ovirtmgmt scope link metric 1031 
169.254.0.0/16 dev gluster scope link metric 1032 
192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.3 
192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.218 
######################################

Ping from VM1 (172.16.0.10) to VM2 (172.16.0.11) goes in the clear:
######################################
[root@rhhi-host-01 ~]# tcpdump -ni any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:15:53.202689 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, seq 15051, length 64
14:15:53.202706 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492, seq 15051, length 64
14:15:53.202890 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq 15051, length 64
14:15:53.202894 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq 15051, length 64
######################################

Any hint on why it's not encrypted? Did I miss something?
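
Added example (mine, not from the report or from Open vSwitch) for checking the state shown above. Three things the pasted output leaves open: tunnels/show lists kernel policies and SAs for every tunnel but an empty "IPsec connections that are active" section; the capture meant to show cleartext was taken with -i any, which also records the decapsulated copy on genev_sys_6081 and on the vnet taps (each echo appears twice in it), so it cannot tell wire encryption from the inner packet; and in the ip a output vnet0 and vnet1 have master ovirtmgmt rather than ovs-system, i.e. they are enslaved to the Linux bridge, not to br-int. The script parses the three command outputs and reports each point. The sample data is constructed from comment 7 (the ESP/Geneve capture lines and the active-connection line are invented), and the name of the underlay interface is an assumption.

```shell
#!/bin/sh
# Added example for this thread, not code from the bug report or from Open vSwitch.
# Three checks for an OVS/OVN chassis whose Geneve tunnels should be protected
# by ovs-monitor-ipsec. Each function reads command output on stdin, so it runs
# offline against pasted output (the constructed samples below) or live:
#   ovs-appctl -t ovs-monitor-ipsec tunnels/show | summarize_tunnels
#   tcpdump -nn -i "$UNDERLAY" 'esp or udp port 4500 or udp port 6081' | classify_capture
#   ip -o link | taps_off_ovs
# UNDERLAY is the interface carrying the tunnel endpoint address (ovirtmgmt in
# the report); which one to use is an assumption, the page does not say.

# Per tunnel: interface, remote IP, number of kernel policies and SAs listed,
# and whether ovs-monitor-ipsec lists an active IPsec connection. With a
# policy installed the kernel drops matching packets that have no SA rather
# than sending them in clear, so cleartext on the wire means no outbound
# policy matched that packet.
summarize_tunnels() {
    awk '
    function flush() {
        if (iface != "")
            printf "%s %s pol=%d sa=%d %s\n", iface, remote, pol, sa, (active ? "active" : "no-active-connection")
        iface = ""; remote = ""; pol = 0; sa = 0; active = 0; section = ""
    }
    /^Interface name:/                         { flush(); iface = $3; next }
    /^ *Remote IP:/                            { remote = $3; next }
    /^Kernel policies installed:/              { section = "pol"; next }
    /^Kernel security associations installed:/ { section = "sa";  next }
    /^IPsec connections that are active:/      { section = "act"; next }
    section == "pol" && /^ *src /              { pol++; next }
    section == "sa"  && /^ *sel src /          { sa++;  next }
    section == "act" && NF > 0                 { active = 1; next }
    END { flush() }
    '
}

# Classify lines from a capture taken on the underlay interface. ESP (or
# UDP/4500 NAT-T) means the Geneve packet left inside IPsec; a bare UDP/6081
# line means it left the host in clear. A capture with -i any cannot answer
# this: it also shows the copy on genev_sys_6081 and on the VM taps, which
# is plaintext even when the wire is encrypted.
classify_capture() {
    awk '
    / ESP\(/       { print "encrypted  " $0; next }
    /\.4500[ :]/   { print "encrypted  " $0; next }
    /\.6081[ :]/   { print "PLAINTEXT  " $0; next }
                   { print "other      " $0 }
    '
}

# Tap devices (vnetN) whose master is not ovs-system. Only ports enslaved to
# ovs-system are switched by the OVS datapath and can reach br-int and its
# Geneve tunnels; a tap on a Linux bridge is forwarded by the kernel bridge
# and never enters a tunnel, encrypted or not.
taps_off_ovs() {
    awk '
    /^[0-9]+: vnet[0-9]+[@:]/ {
        name = $2; sub(/[@:].*/, "", name)
        master = "none"
        for (i = 1; i <= NF; i++) if ($i == "master") master = $(i + 1)
        if (master != "ovs-system") print name " " master
    }
    '
}

# Constructed samples modelled on comment 7; the capture lines and the
# "active connection" line are invented to exercise the parsers.
TUNNELS_SAMPLE='Interface name: ovn-57ecad-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.217
Kernel policies installed:
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
  src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
  sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
IPsec connections that are active:

Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Remote IP:      192.168.91.218
Kernel policies installed:
Kernel security associations installed:
IPsec connections that are active:
  "ovn-40d3e4-0-in-1" ESTABLISHED
'
CAPTURE_SAMPLE='14:15:53.202689 IP 192.168.91.216 > 192.168.91.217: ESP(spi=0x0e8a1f20,seq=0x3), length 148
14:15:53.202706 IP 192.168.91.216.45821 > 192.168.91.217.6081: Geneve, Flags [none], vni 0x1, proto TEB (0x6558)'
LINKS_SAMPLE='67: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt state UNKNOWN
71: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN
72: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UNKNOWN'

demo() {
    printf '%s' "$TUNNELS_SAMPLE" | summarize_tunnels
    printf '%s\n' "$CAPTURE_SAMPLE" | classify_capture
    printf '%s\n' "$LINKS_SAMPLE" | taps_off_ovs
}
case "${1:-}" in --demo) demo ;; esac
```

Run it with --demo to see the three reports on the constructed samples; live, replace the samples with the real command output. The capture filter deliberately includes UDP/6081 so that a Geneve packet leaving in clear shows up as PLAINTEXT next to the ESP packets it should have been inside.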

Comment 9 Mark Gray 2020-11-02 13:48:25 UTC
(In reply to Raphaël HOAREAU from comment #7)
>         Port "ovn-40d3e4-0"
>             Interface "ovn-40d3e4-0"
>                 type: geneve
>                 options: {csum="true", key=flow, remote_ip="192.168.91.218",
> remote_name="40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d"}
>     ovs_version: "2.11.0"
> 
> [root@rhhi-host-02 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
> Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
>   Tunnel Type:    geneve
>   Remote IP:      192.168.91.218
>   SKB mark:       0/1
>   Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
>   Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
>   Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
>   Remote cert:    None
>   Remote name:    40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
>   CA cert:        /etc/ssl/cacert.pem
>   PSK:            None
>   Ofport:         2
>   CFM state:      Disabled
> Kernel policies installed:
>   src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
>   src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
> Kernel security associations installed:
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
> IPsec connections that are active:
> 
> Interface name: ovn-81497e-0 v1 (CONFIGURED)
>   Tunnel Type:    geneve
>   Remote IP:      192.168.91.216
>   SKB mark:       0/1
>   Local cert:     /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-cert-dns.pem
>   Local name:     57ecad94-604f-4bf0-b757-90e5ea5610bd
>   Local key:      /etc/ssl/57ecad94-604f-4bf0-b757-90e5ea5610bd-privkey.pem
>   Remote cert:    None
>   Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
>   CA cert:        /etc/ssl/cacert.pem
>   PSK:            None
>   Ofport:         1
>   CFM state:      Disabled
> Kernel policies installed:
>   src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
>   src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
>   src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
>   src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
> Kernel security associations installed:
>   sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
>   sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp dport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
>   sel src 192.168.91.216/32 dst 192.168.91.217/32 proto udp sport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp dport 6081
> IPsec connections that are active:
> 
> [root@rhhi-host-02 ~]#
> 
> [root@rhhi-host-02 ~]# ipsec show
> 192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16397
> 192.168.91.217/32 <=> 192.168.91.216/32 using reqid 16401
> 192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16393
> 192.168.91.217/32 <=> 192.168.91.218/32 using reqid 16389
> 
> [root@rhhi-host-02 ~]# ip a
> ...
> 4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt
> state UP group default qlen 1000
>     link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
> ...
> 8: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster
> state UP group default qlen 1000
>     link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
> ...
> 14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>     link/ether f6:1a:0d:d0:40:36 brd ff:ff:ff:ff:ff:ff
> 15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>     link/ether 36:f0:32:99:95:48 brd ff:ff:ff:ff:ff:ff
> 31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
> state UP group default qlen 1000
>     link/ether e4:43:4b:8e:d4:62 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.91.217/25 brd 192.168.91.255 scope global ovirtmgmt
>        valid_lft forever preferred_lft forever
>     inet6 fe80::e643:4bff:fe8e:d462/64 scope link 
>        valid_lft forever preferred_lft forever
> 32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state
> UP group default qlen 1000
>     link/ether b4:96:91:5f:8e:b0 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.2/24 brd 192.168.0.255 scope global gluster
>        valid_lft forever preferred_lft forever
>     inet6 fe80::b696:91ff:fe5f:8eb0/64 scope link 
>        valid_lft forever preferred_lft forever
> ...
> 34: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc
> noqueue master ovs-system state UNKNOWN group default qlen 1000
>     link/ether f2:7a:7a:ec:77:32 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::f07a:7aff:feec:7732/64 scope link 
>        valid_lft forever preferred_lft forever
> 36: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen
> 1000
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 
> [root@rhhi-host-02 ~]# ip r
> default via 192.168.91.129 dev ovirtmgmt 
> 169.254.0.0/16 dev ovirtmgmt scope link metric 1031 
> 169.254.0.0/16 dev gluster scope link metric 1032 
> 192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.2 
> 192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.217 
> ######################################
> 
> On host-3 :
> ######################################
> [root@rhhi-host-03 ~]# ovs-vsctl show
> 4f8152c3-1159-4b22-8655-be6c48906ce1
>     Bridge br-int
>         fail_mode: secure
>         Port "ovn-81497e-0"
>             Interface "ovn-81497e-0"
>                 type: geneve
>                 options: {csum="true", key=flow, remote_ip="192.168.91.216",
> remote_name="81497e31-1b4c-4667-bd67-de4f0d7cebf6"}
>         Port "ovn-57ecad-0"
>             Interface "ovn-57ecad-0"
>                 type: geneve
>                 options: {csum="true", key=flow, remote_ip="192.168.91.217",
> remote_name="57ecad94-604f-4bf0-b757-90e5ea5610bd"}
>         Port br-int
>             Interface br-int
>                 type: internal
>     ovs_version: "2.11.0"
> 
> [root@rhhi-host-03 ~]# ovs-appctl -t ovs-monitor-ipsec tunnels/show
> Interface name: ovn-57ecad-0 v1 (CONFIGURED)
>   Tunnel Type:    geneve
>   Remote IP:      192.168.91.217
>   SKB mark:       None
>   Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
>   Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
>   Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
>   Remote cert:    None
>   Remote name:    57ecad94-604f-4bf0-b757-90e5ea5610bd
>   CA cert:        /etc/ssl/cacert.pem
>   PSK:            None
>   Ofport:         3
>   CFM state:      Disabled
> Kernel policies installed:
>   src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
>   src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
> Kernel security associations installed:
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
>   sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
> IPsec connections that are active:
> 
> Interface name: ovn-81497e-0 v1 (CONFIGURED)
>   Tunnel Type:    geneve
>   Remote IP:      192.168.91.216
>   SKB mark:       None
>   Local cert:     /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-cert-dns.pem
>   Local name:     40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d
>   Local key:      /etc/ssl/40d3e4b8-bec7-4c9f-bbf9-064b97a0bf9d-privkey.pem
>   Remote cert:    None
>   Remote name:    81497e31-1b4c-4667-bd67-de4f0d7cebf6
>   CA cert:        /etc/ssl/cacert.pem
>   PSK:            None
>   Ofport:         1
>   CFM state:      Disabled
> Kernel policies installed:
>   src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
>   src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
>   src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
>   src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
> Kernel security associations installed:
>   sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
>   sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp dport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp sport 6081
>   sel src 192.168.91.216/32 dst 192.168.91.218/32 proto udp sport 6081
>   sel src 192.168.91.218/32 dst 192.168.91.216/32 proto udp dport 6081
> IPsec connections that are active:
> 
> [root@rhhi-host-03 ~]# 
> 
> [root@rhhi-host-03 ~]# ipsec show
> 192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16397
> 192.168.91.218/32 <=> 192.168.91.216/32 using reqid 16401
> 192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16389
> 192.168.91.218/32 <=> 192.168.91.217/32 using reqid 16393
> 
> [root@rhhi-host-03 ~]# ip a
> ...
> 4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovirtmgmt
> state UP group default qlen 1000
>     link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
> 5: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq master gluster
> state UP group default qlen 1000
>     link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
> ...
> 14: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>     link/ether 76:e7:03:fb:3e:de brd ff:ff:ff:ff:ff:ff
> 15: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>     link/ether 4e:c5:aa:51:76:4e brd ff:ff:ff:ff:ff:ff
> 31: ovirtmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
> state UP group default qlen 1000
>     link/ether e4:43:4b:8e:d5:aa brd ff:ff:ff:ff:ff:ff
>     inet 192.168.91.218/25 brd 192.168.91.255 scope global ovirtmgmt
>        valid_lft forever preferred_lft forever
>     inet6 fe80::e643:4bff:fe8e:d5aa/64 scope link 
>        valid_lft forever preferred_lft forever
> 32: gluster: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state
> UP group default qlen 1000
>     link/ether b4:96:91:5f:91:dc brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.3/24 brd 192.168.0.255 scope global gluster
>        valid_lft forever preferred_lft forever
>     inet6 fe80::b696:91ff:fe5f:91dc/64 scope link 
>        valid_lft forever preferred_lft forever
> 33: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc
> noqueue master ovs-system state UNKNOWN group default qlen 1000
>     link/ether fa:b3:f5:f2:0b:7e brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::f8b3:f5ff:fef2:b7e/64 scope link 
>        valid_lft forever preferred_lft forever
> ...
> 35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> master ovirtmgmt state UNKNOWN group default qlen 1000
>     link/ether fe:6f:27:2a:00:01 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::fc6f:27ff:fe2a:1/64 scope link 
>        valid_lft forever preferred_lft forever
> ...
> 
> [root@rhhi-host-03 ~]# ip r
> default via 192.168.91.129 dev ovirtmgmt 
> 169.254.0.0/16 dev ovirtmgmt scope link metric 1031 
> 169.254.0.0/16 dev gluster scope link metric 1032 
> 192.168.0.0/24 dev gluster proto kernel scope link src 192.168.0.3 
> 192.168.91.128/25 dev ovirtmgmt proto kernel scope link src 192.168.91.218 
> ######################################
> 
> Ping from VM1 (172.16.0.10) to VM2 (172.16.0.11) goes in clear :
> ######################################
> [root@rhhi-host-01 ~]# tcpdump -ni any icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144
> bytes
> 14:15:53.202689 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492,
> seq 15051, length 64
> 14:15:53.202706 IP 172.16.0.10 > 172.16.0.11: ICMP echo request, id 10492,
> seq 15051, length 64
> 14:15:53.202890 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq
> 15051, length 64
> 14:15:53.202894 IP 172.16.0.11 > 172.16.0.10: ICMP echo reply, id 10492, seq
> 15051, length 64
> ######################################
> 
> Any hint on why it's not encrypted ? Did i miss something ?

This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1884481
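Added example, not from the bug report and not part of OVS or OVN: a small Python checker for the `ovs-appctl -t ovs-monitor-ipsec tunnels/show` text quoted above. It parses each `Interface name:` block into its field lines, kernel policies, kernel SAs and active-connection lines, and flags every tunnel that is CONFIGURED but has an empty "IPsec connections that are active:" section, which is the state of every tunnel on all three hosts above. The first sample is the ovn-40d3e4-0 block from host-2 (certificate and key lines dropped); the second, with a non-empty active section, is constructed for contrast and its connection line only imitates the shape of a Libreswan `ipsec status` line. The script name check_ovs_ipsec.py is an assumption.

```python
"""Parse `ovs-appctl -t ovs-monitor-ipsec tunnels/show` output and flag tunnels
that are CONFIGURED but report no active IPsec connection."""
import re, sys
from dataclasses import dataclass, field

# Taken from the host-2 output above (certificate and key lines dropped):
# kernel policies and SAs are listed, the "active" section is empty.
SHOW_NO_ACTIVE = """\
Interface name: ovn-40d3e4-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.218
  SKB mark:       0/1
  Ofport:         2
Kernel policies installed:
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
  src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp sport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp dport 6081
  sel src 192.168.91.218/32 dst 192.168.91.217/32 proto udp dport 6081
  sel src 192.168.91.217/32 dst 192.168.91.218/32 proto udp sport 6081
IPsec connections that are active:
"""
# Constructed counterpart (not from the page): same layout, non-empty active
# section. The connection line only mimics the shape of a Libreswan
# `ipsec status` line; any non-empty line in that section counts as active.
SHOW_ACTIVE = """\
Interface name: ovn-81497e-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Remote IP:      192.168.91.216
Kernel policies installed:
  src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
Kernel security associations installed:
  sel src 192.168.91.217/32 dst 192.168.91.216/32 proto udp sport 6081
IPsec connections that are active:
  000 #2: "ovn-81497e-0-out-1":500 STATE_V2_IPSEC_I (IPsec SA established)
"""

_HEADER = re.compile(r"^Interface name: (?P<name>\S+) v\d+ \((?P<state>[A-Z_]+)\)$")
_SECTIONS = {"Kernel policies installed:": "policies",
             "Kernel security associations installed:": "sas",
             "IPsec connections that are active:": "active"}

@dataclass
class Tunnel:
    name: str
    state: str                                    # e.g. CONFIGURED
    fields: dict = field(default_factory=dict)    # "Remote IP", "SKB mark", ...
    policies: list = field(default_factory=list)  # kernel (xfrm) policy selectors
    sas: list = field(default_factory=list)       # kernel (xfrm) state selectors
    active: list = field(default_factory=list)    # IKE daemon's established conns

def parse_tunnels_show(text):
    """One Tunnel per 'Interface name:' block; later sections are line lists."""
    tunnels, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue                               # blank line between tunnels
        m = _HEADER.match(line)
        if m:
            cur = Tunnel(m["name"], m["state"])
            tunnels.append(cur)
            section = "fields"
            continue
        if cur is None:
            raise ValueError("text before first 'Interface name:' header: %r" % line)
        if line in _SECTIONS:
            section = _SECTIONS[line]
            continue
        if section == "fields":                    # "  Key:   value" lines
            key, _, value = line.strip().partition(":")
            cur.fields[key.strip()] = value.strip()
        else:
            getattr(cur, section).append(line.strip())
    return tunnels

def unprotected_tunnels(tunnels):
    """CONFIGURED tunnels with no active connection, i.e. what every tunnel on
    all three hosts above shows even though policies and SAs are listed."""
    return [t for t in tunnels if t.state == "CONFIGURED" and not t.active]

def report(text):
    lines = []
    for t in parse_tunnels_show(text):
        verdict = "active" if t.active else "NO ACTIVE IPSEC CONNECTION"
        lines.append(f"{t.name} -> {t.fields.get('Remote IP')}: {t.state}, "
                     f"{len(t.policies)} policies, {len(t.sas)} SAs, {verdict}")
    return lines

if __name__ == "__main__":
    # ovs-appctl -t ovs-monitor-ipsec tunnels/show | python3 check_ovs_ipsec.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SHOW_NO_ACTIVE + SHOW_ACTIVE
    print("\n".join(report(text)))
    sys.exit(1 if unprotected_tunnels(parse_tunnels_show(text)) else 0)
```

Pipe the live output in (`ovs-appctl -t ovs-monitor-ipsec tunnels/show | python3 check_ovs_ipsec.py`); the exit status is 1 when any tunnel lacks an active connection, so it can run from cron or a monitoring agent on each chassis. Two caveats when reading a result like the one above: `tcpdump -ni any icmp` on the hypervisor also captures the decapsulated inner packets on the tap and genev_sys_6081 interfaces, so it cannot show whether the underlay is encrypted; capture on the underlay interface instead (`tcpdump -ni ovirtmgmt 'ip proto 50 or udp port 6081'`) and expect ESP rather than plain UDP/6081 when IPsec is up. And the checker only reports on the Geneve tunnels: traffic between VMs whose taps hang off a Linux bridge rather than br-int (`ovs-vsctl list-ports br-int` shows what is attached) never enters those tunnels at all.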

Comment 12 qding 2020-12-18 04:52:40 UTC
Set to FailedQA due to bugs: bz#1906278, bz#1906280 and bz#1906701.

Comment 15 errata-xmlrpc 2021-02-03 21:21:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch2.13 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0402

