Bug 1915687
| Summary: | [OVS IPsec] No ESP in packets through OVS tunnel with type=ip6gre | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | qding | ||||||
| Component: | openvswitch3.1 | Assignee: | Mike Pattrick <mpattric> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | qding | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | FDP 21.A | CC: | ctrautma, fleitner, jhsiao, ralongi, tredaelli | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2023-08-04 18:23:48 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Can you post any libreswan messages in the journal and the ovs-monitor-ipsec.log file? Created attachment 1747724 [details]
log for "journalctl -u ipsec"
Created attachment 1747725 [details]
log for "journalctl -u openvswitch-ipsec"
Hi, Tunnel type ip6gre is not supported. The only supported types are: gre, stt, vxlan, geneve Mark (In reply to Mark Gray from comment #5) > Hi, > > Tunnel type ip6gre is not supported. The only supported types are: gre, stt, > vxlan, geneve > > Mark IPv6 vxlan and IPv6 geneve have no problem. But we have been using ip6gre to create ipv6 GRE tunnel and I tried with type=gre and remote_ip/local_ip as IPv6 address but it doesn't work even without IPsec. Please make sure only support gre is expected. I don't try with stt and don't know yet how to use it. Thanks. (In reply to qding from comment #6) > (In reply to Mark Gray from comment #5) > > Hi, > > > > Tunnel type ip6gre is not supported. The only supported types are: gre, stt, > > vxlan, geneve > > > > Mark > > IPv6 vxlan and IPv6 geneve have no problem. > But we have been using ip6gre to create ipv6 GRE tunnel and I tried with > type=gre and remote_ip/local_ip as IPv6 address but it doesn't work even > without IPsec. Please make sure only support gre is expected. > I don't try with stt and don't know yet how to use it. > > Thanks. Ok if IPv6 generally works (for vxlan and geneve), can we change the title of this bug to GRE IPv6 support? (In reply to Mark Gray from comment #7) > > Ok if IPv6 generally works (for vxlan and geneve), can we change the title > of this bug to GRE IPv6 support? I've changed it and please see if it's ok. Thanks. Yes, looks fine now. ovs-monitor-ipsec doesn't currently support ip6gre at all. I'll look into adding it. I quickly added ip6gre to ovs-monitor-ipsec, but still wasn't able to establish a full ipsec tunnel. From a quick debugging session I see IKE negotiate, and even "ip xfrm state" shows the proper configuration. But egress ipv6 gre packets aren't encrypted properly. Thanks Mike. The IPSEC w/ IPv6 is not supported downstream. I am closing this bug because we don't have RFE to enable that. fbl |
Description of problem: OVS IPsec doesn't work for IPv6 tunnel. Version-Release number of selected component (if applicable): [root@dell-per730-04 ~]# rpm -qa | grep openvswitch openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64 openvswitch-selinux-extra-policy-1.0-24.el8fdp.noarch openvswitch2.13-2.13.0-79.el8fdp.x86_64 python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64 [root@dell-per730-04 ~]# ovs-vsctl show 5fa03d0e-dac3-483a-9e3d-1f43fb7a21f5 Bridge ovsbr0 Port ovsbr0 Interface ovsbr0 type: internal Port tun123 Interface tun123 type: ip6gre options: {local_ip="2001:db8::123:1", psk=test123, remote_ip="2001:db8::123:2"} ovs_version: "2.13.2" [root@dell-per730-04 ~]# [root@dell-per730-04 ~]# [root@dell-per730-04 ~]# cat /etc/ipsec.conf # Generated by ovs-monitor-ipsec...do not modify by hand! config setup uniqueids=yes conn %default keyingtries=%forever type=transport auto=route ike=aes_gcm256-sha2_256 esp=aes_gcm256 ikev2=insist How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: No ESP in packets through the tunnel Expected results: ESP is added in packets through the tunnel Additional info: