Bug 1906280 - [OVS IPsec] left=%defaultroute in /etc/ipsec.conf doesn't work for OVS tunnel
Summary: [OVS IPsec] left=%defaultroute in /etc/ipsec.conf doesn't work for OVS tunnel
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch2.13
Version: FDP 20.I
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Open vSwitch development team
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-12-10 06:25 UTC by qding
Modified: 2023-06-14 14:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-14 14:57:44 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker FD-977 (last updated 2021-11-14 22:34:26 UTC)

Description qding 2020-12-10 06:25:20 UTC
Description of problem:

In the test machine there are two interfaces, each with its own IP address. One of the interfaces is for remote management, the other one is for the test as the tunnel endpoint. When OVS IPsec is enabled, the auto-generated /etc/ipsec.conf has "left=%defaultroute", so it uses the IP address of the interface for remote management, not the one for the tunnel endpoint.

With "left=%defaultroute", the traffic through the tunnel has no ESP. It has ESP if it's changed to the corresponding tunnel TEP address.

[root@dell-per730-04 ~]# ovs-vsctl show
bd56cb0f-4424-41c8-8105-3edb3fde3eea
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: geneve
                options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port vnet1
            Interface vnet1
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-in-1
    left=%defaultroute
    right=192.168.123.2
    authby=secret
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun123-out-1
    left=%defaultroute
    right=192.168.123.2
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/6081

[root@dell-per730-04 ~]# sed -i 's/left=%defaultroute/left=192.168.123.2/g' /etc/ipsec.conf
[root@dell-per730-04 ~]# systemctl restart ipsec
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-in-1
    left=192.168.123.2
    right=192.168.123.2
    authby=secret
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun123-out-1
    left=192.168.123.2
    right=192.168.123.2
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/6081

[root@dell-per730-04 ~]# 



Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# uname -r
4.18.0-259.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# 



How reproducible: always


Steps to Reproduce:
1.
2.
3.

Actual results:
OVS IPsec doesn't work

Expected results:
OVS IPsec work normally


Additional info:

Comment 1 qding 2020-12-14 03:14:43 UTC
When I created the bug, I pasted the wrong side's command in the description (#c0). It should be like the below to get PSK IPsec working well. Sorry for this.

[root@dell-per730-04 ~]# sed -i 's/left=%defaultroute/left=192.168.123.1/g' /etc/ipsec.conf
[root@dell-per730-04 ~]# systemctl restart ipsec
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-in-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun123-out-1
    left=192.168.123.1
    right=192.168.123.2
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/6081

[root@dell-per730-04 ~]#

Comment 2 Mark Gray 2020-12-16 08:31:23 UTC
Hi,

Can you paste the output from `ip r` and `ip a`?

Mark

Comment 3 qding 2020-12-16 12:57:03 UTC
(In reply to Mark Gray from comment #2)
> Hi,
> 
> Can you paste the output from `ip r` and `ip a`?
> 
> Mark

[root@dell-per730-04 ~]# ip r
default via 10.73.89.254 dev eno1 proto dhcp metric 100 
10.73.88.0/23 dev eno1 proto kernel scope link src 10.73.88.41 metric 100 
172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1 
192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1 
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global dynamic noprefixroute eno1
       valid_lft 18669sec preferred_lft 18669sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global dynamic noprefixroute 
       valid_lft 2591569sec preferred_lft 604369sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
6: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
7: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 6e:2d:87:e6:37:b0 brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:f9:ec:9c:2d:40 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::10f9:ecff:fe9c:2d40/64 scope link 
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc fq_codel master ovs-system state UNKNOWN group default qlen 1000
    link/ether 2a:0c:24:3e:e7:ff brd ff:ff:ff:ff:ff:ff
    inet6 fe80::280c:24ff:fe3e:e7ff/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# 

[root@dell-per730-04 ~]# ovs-vsctl show
78577c58-df18-4437-9585-67d92988049f
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#

Comment 4 qding 2020-12-18 04:07:35 UTC
Same issue for RHEL7 packages.

[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# cat /etc/ipsec.conf 
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun123-1
    left=%defaultroute
    right=192.168.123.2
    authby=secret
    leftprotoport=gre
    rightprotoport=gre

[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ip r
default via 10.73.89.254 dev em1 proto dhcp metric 100 
10.73.88.0/23 dev em1 proto kernel scope link src 10.73.88.41 metric 100 
172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1 
192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1 
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 10.73.88.41/23 brd 10.73.89.255 scope global noprefixroute dynamic em1
       valid_lft 40767sec preferred_lft 40767sec
    inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global noprefixroute dynamic 
       valid_lft 2591961sec preferred_lft 604761sec
    inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: em2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: em3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: em4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
6: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
7: p5p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 scope global eno1np0
       valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether fe:88:83:d7:ae:6f brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 22:74:fe:e1:53:47 brd ff:ff:ff:ff:ff:ff
    inet 172.16.30.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::2074:feff:fee1:5347/64 scope link 
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc pfifo_fast master ovs-system state UNKNOWN group default qlen 1000
    link/ether 56:59:bb:af:53:f5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5459:bbff:feaf:53f5/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]#

Comment 5 Mark Gray 2020-12-18 08:47:24 UTC
As you have seen, the issue is that OVS uses the '%defaultroute' keyword which specifies to libreswan to use the local address of the default-route interface (as determined at IPsec startup time). Maybe we could make the "left" interface a configurable parameter? However, this could also be avoided by the underlay network configuration changes.

Comment 6 qding 2020-12-18 09:20:51 UTC
(In reply to Mark Gray from comment #5)
> As you have seen, the issue is that OVS uses the '%defaultroute' keyword
> which specifies to libreswan to use the local address of the default-route
> interface (as determined at IPsec startup time). Maybe we could make the
> "left" interface a configurable parameter? However, this could also be
> avoided by the underlay network configuration changes.

If there is only one interface in the system, '%defaultroute' would be a good idea; otherwise I'm not sure. Especially in my test, both sides of the tunnel are in the same subnetwork, so it uses the direct route. Just like right is set to options:remote_ip, would it be a good approach that if options:local_ip is given for the tunnel port in OVS, left is set to the local_ip, and otherwise '%defaultroute' is used?

Comment 7 Mark Gray 2020-12-18 10:44:53 UTC
Do you think a single host local_ip would be sufficient?

Comment 8 qding 2020-12-18 13:06:34 UTC
(In reply to Mark Gray from comment #7)
> Do you think a single host local_ip would be sufficient?

In ipsec.conf there can be multiple conn sections, so that each tunnel has its own conn. The OVS tunnel definition has only local_ip and remote_ip, so it would be sufficient for this. Anyway, I don't have much IPsec configuration experience. Advice and discussions from more people would be appreciated too.

Comment 9 Mark Gray 2020-12-21 13:37:11 UTC
https://patchwork.ozlabs.org/project/openvswitch/patch/20201221101021.3904963-1-mark.d.gray@redhat.com/

I took your suggestion and enabled the 'local_ip' option.
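The selection rule proposed in comment 6 and the mismatch described in comment 5, as an added example that is not ovs-monitor-ipsec's own code: it picks `left` from `options:local_ip` (falling back to `%defaultroute`), renders the conn sections in the layout shown in this bug, and flags the case where `%defaultroute` would resolve to the management address instead of the tunnel endpoint. The `ip r` sample and the tunnel options are constructed from the outputs in this report; the way `%defaultroute` is approximated (source address of the connected route on the default-route device) is an assumption for illustration.

```python
import re

# Constructed sample of `ip r` output, modelled on the one in comment 3.
IP_ROUTE = """\
default via 10.73.89.254 dev eno1 proto dhcp metric 100
10.73.88.0/23 dev eno1 proto kernel scope link src 10.73.88.41 metric 100
172.16.30.0/24 dev ovsbr0 proto kernel scope link src 172.16.30.1
192.168.123.0/24 dev eno1np0 proto kernel scope link src 192.168.123.1
"""
# Constructed tunnel options, matching the tun123 port in the description.
TUN123 = {"type": "geneve", "local_ip": "192.168.123.1", "remote_ip": "192.168.123.2"}

def default_route_src(ip_route_text):
    """Approximate what libreswan's %defaultroute picks (comment 5): the source
    address of the connected route on the default route's device (assumption)."""
    dev = None
    for line in ip_route_text.splitlines():
        m = re.match(r"default via \S+ dev (\S+)", line)
        if m:
            dev = m.group(1)
            break
    if dev is None:
        return None
    for line in ip_route_text.splitlines():
        m = re.match(rf"\S+ dev {re.escape(dev)} .*\bsrc (\S+)", line)
        if m:
            return m.group(1)
    return None

def pick_left(options):
    """Comment 6 proposal: use options:local_ip when set, else %defaultroute."""
    return options.get("local_ip") or "%defaultroute"

def render_conns(name, options):
    """Render the conn sections in the layout this bug shows: a udp/6081 in/out
    pair for geneve, a single gre conn for gre."""
    common = f"    left={pick_left(options)}\n    right={options['remote_ip']}\n    authby=secret\n"
    if options.get("type") == "gre":
        return f"conn {name}-1\n{common}    leftprotoport=gre\n    rightprotoport=gre\n"
    return (f"conn {name}-in-1\n{common}    leftprotoport=udp/6081\n    rightprotoport=udp\n\n"
            f"conn {name}-out-1\n{common}    leftprotoport=udp\n    rightprotoport=udp/6081\n")

def left_mismatch(options, ip_route_text):
    """True when %defaultroute would resolve to an address other than local_ip,
    i.e. the condition in this bug where tunnel traffic leaves without ESP."""
    src = default_route_src(ip_route_text)
    return src is not None and src != options.get("local_ip")

if __name__ == "__main__":
    print(render_conns("tun123", TUN123), "mismatch:", left_mismatch(TUN123, IP_ROUTE))
```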

