Bug 1924041

Summary: [OVN] ovn ipsec tunnel can't be set up
Product: Red Hat Enterprise Linux Fast Datapath
Component: ovn2.13
Version: FDP 21.A
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: ying xu <yinxu>
Assignee: Mark Gray <mark.d.gray>
QA Contact: ying xu <yinxu>
CC: ctrautma, dcbw, jishi, kfida, mmichels, ralongi
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn-2021-21.06.0-3
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-07-29 20:05:04 UTC
Attachments: ovn/ipsec log (flags: none)

Description ying xu 2021-02-02 13:21:14 UTC
Description of problem:
ovn ipsec tunnel can't be set up

Version-Release number of selected component (if applicable):
# rpm -qa|grep ovn
ovn2.13-central-20.12.0-9.el8fdp.x86_64
ovn2.13-host-20.12.0-9.el8fdp.x86_64
ovn2.13-20.12.0-9.el8fdp.x86_64

# rpm -qa|grep openvs
python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64


How reproducible:
always

Steps to Reproduce:
1. Set up OVN with the topology below:
# ovn-nbctl show
switch 41d6621d-ffb6-4c7c-baae-3d1b6dfc4bb5 (ls)
    port vm2
        addresses: ["00:00:00:00:00:02"]
    port vm3
        addresses: ["00:00:00:00:00:03"]
    port vm1
        addresses: ["00:00:00:00:00:01"]
# ovn-sbctl show
Chassis hv0
    hostname: dell-per740-54.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: "20.0.65.26"
        options: {csum="true"}
    Port_Binding vm3
    Port_Binding vm2
Chassis hv1
    hostname: dell-per740-53.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: "20.0.65.25"
        options: {csum="true"}
    Port_Binding vm1
# ovs-vsctl show
a6029858-a2b0-4cbf-9fea-45864d429fef
    Bridge br-int
        fail_mode: secure
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-hv0-0
            Interface ovn-hv0-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="20.0.65.26", remote_name=hv0}
    ovs_version: "2.13.2"

2. Set the IPsec configuration:
# ovs-vsctl list Open_vSwitch .
_uuid               : a6029858-a2b0-4cbf-9fea-45864d429fef
bridges             : [12b4e617-8353-41c1-99a4-bab2dcdaa751]
cur_cfg             : 7
datapath_types      : [netdev, system]
datapaths           : {}
db_version          : "8.2.0"
dpdk_initialized    : false
dpdk_version        : "DPDK 19.11.3"
external_ids        : {hostname=dell-per740-53.rhts.eng.pek2.redhat.com, ovn-encap-ip="20.0.65.25", ovn-encap-type=geneve, ovn-remote="tcp:20.0.65.25:6642", rundir="/var/run/openvswitch", system-id=hv1}
iface_types         : [erspan, geneve, gre, internal, ip6erspan, ip6gre, lisp, patch, stt, system, tap, vxlan]
manager_options     : []
next_cfg            : 7
other_config        : {ca_cert="/tmp/keys/cacert.pem", certificate="/tmp/keys/hv1-cert.pem", private_key="/tmp/keys/hv1-privkey.pem"}
ovs_version         : "2.13.2"
ssl                 : []
statistics          : {}
system_type         : rhel
system_version      : "8.4"

3. # ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       %defaultroute            <-- no local IP here
  Remote IP:      20.0.65.26
  SKB mark:       None
  Local cert:     /tmp/keys/hv1-cert.pem
  Local name:     hv1
  Local key:      /tmp/keys/hv1-privkey.pem
  Remote cert:    None
  Remote name:    hv0
  CA cert:        /tmp/keys/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081       <-- src wrong
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:


Actual results:
The IPsec OVN tunnel can't be set up.

Expected results:
The IPsec OVN tunnel can be set up.

Additional info:
For an OVS IPsec tunnel there is an option, local-ip, to set the source address, but for OVN there is no local-ip option.
OVN does, however, have a parameter, ovn-encap-ip, that is the local IP.

Comment 1 ying xu 2021-02-02 13:22:41 UTC
Created attachment 1754390 [details]
ovn/ipsec log

Added the log about this.

Comment 2 Mark Gray 2021-02-02 14:35:37 UTC
'ovs-monitor-ipsec' requires 'local_ip' to set up IPsec correctly if the remote IP address is not reached via the default gateway address. 'ovn-encap-ip' should cause the OVS tunnel ports to set 'local_ip' on the tunnel port.
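
A check for the symptom described in this bug, added here as an example that is not part of the bug report or of the OVS/OVN code: it parses `ovs-appctl -t ovs-monitor-ipsec tunnels/show` output (constructed samples abridged from the broken and fixed states quoted in this bug) and flags any tunnel whose IPsec local endpoint or kernel-policy source address is not the chassis's ovn-encap-ip. The function name `audit_ipsec_tunnels` is hypothetical.

```python
import re

# Constructed samples, abridged from the `ovs-appctl -t ovs-monitor-ipsec
# tunnels/show` output quoted in this bug: the broken state (Local IP falls
# back to %defaultroute, policies carry the wrong source) and the fixed one.
BROKEN_SHOW = """\
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Local IP:       %defaultroute
  Remote IP:      20.0.65.26
Kernel policies installed:
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:
"""
FIXED_SHOW = """\
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Local IP:       20.0.20.25
  Remote IP:      20.0.20.26
Kernel policies installed:
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:
"""
# Geneve policy line: "src A/len dst B/len proto udp dport|sport 6081".
POLICY_RE = re.compile(r"^\s*src ([^\s/]+)/\d+ dst ([^\s/]+)/\d+ proto udp [sd]port 6081$")


def audit_ipsec_tunnels(show_output, encap_ip):
    """Hypothetical helper: compare each tunnel's IPsec endpoints with the
    chassis's ovn-encap-ip. Returns a list of findings; an empty list means
    every tunnel is pinned to encap_ip and every kernel policy uses it as
    source. Policy lines are attributed to the preceding 'Interface name:'."""
    findings = []
    iface = None
    for line in show_output.splitlines():
        if line.startswith("Interface name:"):
            iface = line.split()[2]
        elif line.strip().startswith("Local IP:"):
            local_ip = line.split(":", 1)[1].strip()
            if local_ip == "%defaultroute":
                findings.append(f"{iface}: Local IP not pinned (%defaultroute), expected {encap_ip}")
            elif local_ip != encap_ip:
                findings.append(f"{iface}: Local IP {local_ip} differs from ovn-encap-ip {encap_ip}")
        else:
            m = POLICY_RE.match(line)
            if m and m.group(1) != encap_ip:
                findings.append(f"{iface}: policy src {m.group(1)} != {encap_ip} (dst {m.group(2)})")
    return findings
```

On a live chassis, feed it the real `tunnels/show` output and the value of `external_ids:ovn-encap-ip` from `ovs-vsctl list Open_vSwitch .`; any finding means traffic for that tunnel will not be protected by the policies you expect.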

Comment 4 Dan Williams 2021-05-25 17:19:15 UTC
v3 accepted upstream on 2021-03-16: https://patchwork.ozlabs.org/project/ovn/patch/20210216115533.1586837-1-mark.d.gray@redhat.com/

It will be part of ovn-21.06.

Comment 7 ying xu 2021-07-09 04:15:58 UTC
Verified on version:
# rpm -qa|grep ovn
ovn-2021-host-21.06.0-4.el8fdp.x86_64
ovn-2021-21.06.0-4.el8fdp.x86_64
ovn-2021-central-21.06.0-4.el8fdp.x86_64

# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       20.0.20.25
  Remote IP:      20.0.20.26
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /tmp/keys/hv1-cert.pem
  Local name:     hv1
  Local key:      /tmp/keys/hv1-privkey.pem
  Remote cert:    None
  Remote name:    hv0
  CA cert:        /tmp/keys/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
Kernel security associations installed:
  sel src 20.0.20.26/32 dst 20.0.20.25/32 proto udp sport 6081
  sel src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  sel src 20.0.20.26/32 dst 20.0.20.25/32 proto udp dport 6081
  sel src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
IPsec connections that are active:
  000 #2: "ovn-hv0-0-in-1" esp.3825d6e0.20.26 esp.9d4118c4.20.25 Traffic: ESPin=940B ESPout=0B! ESPmax=0B
  000 #3: "ovn-hv0-0-out-1" esp.4ec506b8.20.26 esp.2df0938.20.25 Traffic: ESPin=0B ESPout=470B! ESPmax=0B
# ovs-vsctl show
0de2155e-a6f8-453e-b824-f3c2e481d538
    Bridge br-int
        fail_mode: secure
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-hv0-0
            Interface ovn-hv0-0
                type: geneve
                options: {csum="true", key=flow, local_ip="20.0.20.25", remote_ip="20.0.20.26", remote_name=hv0}
    ovs_version: "2.13.4"

Comment 9 errata-xmlrpc 2021-07-29 20:05:04 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ovn bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2969