Bug 1906280
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [OVS IPsec] left=%defaultroute in /etc/ipsec.conf doesn't work for OVS tunnel | | |
| Product | Red Hat Enterprise Linux Fast Datapath | Reporter | qding |
| Component | openvswitch2.13 | Assignee | Open vSwitch development team \<ovs-team\> |
| Status | CLOSED CURRENTRELEASE | QA Contact | qding |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | FDP 20.I | CC | ctrautma, fleitner, jhsiao, jishi, ralongi, yinxu |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2023-06-14 14:57:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
qding
2020-12-10 06:25:20 UTC
Comment 1
qding

When I created the bug, I pasted the wrong side's command in the description (#c0). It should be like the below to get PSK IPsec working well. Sorry for this.

```
[root@dell-per730-04 ~]# sed -i 's/left=%defaultroute/left=192.168.123.1/g' /etc/ipsec.conf
[root@dell-per730-04 ~]# systemctl restart ipsec
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!

config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-in-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun123-out-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/6081
[root@dell-per730-04 ~]#
```

Comment 2
Mark Gray

Hi,

Can you paste the output from `ip r` and `ip a`?

Mark

Comment 3
qding

(In reply to Mark Gray from comment #2)
> Hi,
>
> Can you paste the output from `ip r` and `ip a`?
>
> Mark

```
[root@dell-per730-04 ~]# ip r
default via 10.73.89.254 dev eno1 proto dhcp metric 100
10.73.88.0/23 dev eno1 proto kernel scope link src 10.73.88.41 metric 100
172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1
192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global dynamic noprefixroute eno1
       valid_lft 18669sec preferred_lft 18669sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global dynamic noprefixroute
       valid_lft 2591569sec preferred_lft 604369sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
6: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
7: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 6e:2d:87:e6:37:b0 brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:f9:ec:9c:2d:40 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::10f9:ecff:fe9c:2d40/64 scope link
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc fq_codel master ovs-system state UNKNOWN group default qlen 1000
    link/ether 2a:0c:24:3e:e7:ff brd ff:ff:ff:ff:ff:ff
    inet6 fe80::280c:24ff:fe3e:e7ff/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl show
78577c58-df18-4437-9585-67d92988049f
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
```

Comment 4
qding

Same issue for RHEL7 packages.

```
[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!

config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-1
    left=%defaultroute
    right=192.168.123.2
    authby=secret
    leftprotoport=gre
    rightprotoport=gre
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip r
default via 10.73.89.254 dev em1 proto dhcp metric 100
10.73.88.0/23 dev em1 proto kernel scope link src 10.73.88.41 metric 100
172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1
192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global noprefixroute dynamic em1
       valid_lft 40767sec preferred_lft 40767sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global noprefixroute dynamic
       valid_lft 2591961sec preferred_lft 604761sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: em2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: em3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: em4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
6: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
7: p5p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether fe:88:83:d7:ae:6f brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 22:74:fe:e1:53:47 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::2074:feff:fee1:5347/64 scope link
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc pfifo_fast master ovs-system state UNKNOWN group default qlen 1000
    link/ether 56:59:bb:af:53:f5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5459:bbff:feaf:53f5/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]#
```

Comment 5
Mark Gray

As you have seen, the issue is that OVS uses the '%defaultroute' keyword which specifies to libreswan to use the local address of the default-route interface (as determined at IPsec startup time). Maybe we could make the "left" interface a configurable parameter? However, this could also be avoided by the underlay network configuration changes.

Comment 6
qding

(In reply to Mark Gray from comment #5)
> As you have seen, the issue is that OVS uses the '%defaultroute' keyword
> which specifies to libreswan to use the local address of the default-route
> interface (as determined at IPsec startup time). Maybe we could make the
> "left" interface a configurable parameter? However, this could also be
> avoided by the underlay network configuration changes.

If there is only one interface in the system, '%defaultroute' would be a good idea, otherwise I'm not sure. Especially in my test, both sides of the tunnel are in the same subnet, so it uses the direct route. Just like right is set to options:remote_ip, would it be a good way that, if options:local_ip is given for the tunnel port in OVS, left is set to the local_ip, and otherwise '%defaultroute' is used?

Comment 7
Mark Gray

Do you think a single host local_ip would be sufficient?

Comment 8
qding

(In reply to Mark Gray from comment #7)
> Do you think a single host local_ip would be sufficient?

ipsec.conf can have multiple conn sections, so that each tunnel will have its own conn. The OVS tunnel definition has only local_ip and remote_ip, so it would be sufficient for this. Anyway, I don't have much IPsec configuration experience. Advice and discussions from more people would be appreciated too.

Comment 9
Mark Gray

https://patchwork.ozlabs.org/project/openvswitch/patch/20201221101021.3904963-1-mark.d.gray@redhat.com/

I took your suggestion and enabled the 'local_ip' option.
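The selection rule the thread settles on (left = options:local_ip when set, else %defaultroute), together with a check for the condition this report hits, as an added example that is not ovs-monitor-ipsec's own code (that daemon is also Python, hence the language). Function and variable names are assumptions, the route lines are the `ip r` output from the report, and the way %defaultroute is resolved is approximated from the kernel routes rather than taken from libreswan.

```python
import re

DEFAULTROUTE = "%defaultroute"

# Constructed sample: `ip r` from this report; tunnel subnet is on eno1np0, default route on eno1.
ROUTES = [
    "default via 10.73.89.254 dev eno1 proto dhcp metric 100",
    "10.73.88.0/23 dev eno1 proto kernel scope link src 10.73.88.41 metric 100",
    "172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1",
    "192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1",
]

def tunnel_left(options):
    """'left' as the thread proposes: options:local_ip when set, else %defaultroute."""
    return options.get("local_ip") or DEFAULTROUTE

def conn_sections(name, options):
    """conn block(s) for one tunnel port: gre gets one conn, geneve an in/out pair on udp/6081."""
    left, right = tunnel_left(options), options["remote_ip"]
    if options["type"] == "gre":
        conns = [(f"{name}-1", "gre", "gre")]
    else:
        conns = [(f"{name}-in-1", "udp/6081", "udp"), (f"{name}-out-1", "udp", "udp/6081")]
    blocks = []
    for cname, lp, rp in conns:
        blocks.append(f"conn {cname}\n    left={left}\n    right={right}\n"
                      f"    authby=secret\n    leftprotoport={lp}\n    rightprotoport={rp}\n")
    return "\n".join(blocks)

def defaultroute_src(ip_route_lines):
    """Approximate libreswan's %defaultroute: kernel 'src' of the connected route on the default device."""
    dev = None
    for line in ip_route_lines:
        m = re.match(r"default via \S+ dev (\S+)", line)
        if m:
            dev = m.group(1)
            break
    if dev is None:
        return None
    for line in ip_route_lines:
        m = re.match(rf"\S+ dev {re.escape(dev)} proto kernel scope link src (\S+)", line)
        if m:
            return m.group(1)
    return None

def left_mismatch(options, ip_route_lines):
    """True when %defaultroute would not resolve to the tunnel's local_ip (this report's condition)."""
    local = options.get("local_ip")
    return bool(local) and defaultroute_src(ip_route_lines) != local
```

With the report's routes, `left_mismatch` is True for the tun123 port: %defaultroute would yield 10.73.88.41 on eno1 while the tunnel uses 192.168.123.1 on eno1np0, which is exactly why the generated conn never matched.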