Description of problem:

2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'

[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log
2020-12-11T07:57:54.170Z|00027|ofproto_dpif|INFO|system@ovs-system: Datapath does not support IPv6 ND Extensions
2020-12-11T07:57:54.213Z|00028|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-11T07:57:54.213Z|00029|bridge|INFO|bridge ovsbr0: using datapath ID 0000aa8b0cf77a44
2020-12-11T07:57:54.213Z|00030|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-11T07:57:54.239Z|00031|bridge|INFO|ovs-vswitchd (Open vSwitch) 2.13.2
2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:02.798Z|00033|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-11T07:58:02.800Z|00034|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:04.147Z|00035|memory|INFO|158328 kB peak resident set size after 10.0 seconds
2020-12-11T07:58:04.147Z|00036|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5 udpif keys:1
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl show
6a5a6e4a-5434-40ad-89de-23a57991798a
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {remote_cert="/root/keys/h2-cert.pem", remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#

Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# uname -r
4.18.0-259.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]#

How reproducible: always
And when using a CA-signed certificate, there is a similar issue, "unknown gre argument 'remote_name'", for remote_name.

[root@dell-per740-41 keys]# ovs-vsctl set Open_vSwitch . \
> other_config:certificate=/root/keys/h1-cert.pem \
> other_config:private_key=/etc/keys/h1-privkey.pem \
> other_config:ca_cert=/root/keys/cacert.pem
[root@dell-per740-41 keys]# ovs-vsctl add-br ovsbr0
[root@dell-per740-41 keys]#
[root@dell-per740-41 keys]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_name=h2
[root@dell-per740-41 keys]# ovs-vsctl show
d51ceb93-7623-4528-87e7-969cc4054a53
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: gre
                options: {remote_ip="192.168.123.2", remote_name=h2}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "2.13.2"
[root@dell-per740-41 keys]#
[root@dell-per740-41 keys]# cat /var/log/openvswitch/ovs-vswitchd.log
...
2020-12-14T08:13:42.815Z|00030|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-14T08:13:42.815Z|00031|bridge|INFO|bridge ovsbr0: using datapath ID 00004e55dacc4049
2020-12-14T08:13:42.815Z|00032|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-14T08:13:42.863Z|00033|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:42.895Z|00034|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-14T08:13:42.898Z|00035|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:44.905Z|00036|memory|INFO|peak resident set size grew 207% in last 6615.7 seconds, from 51700 kB to 158540 kB
2020-12-14T08:13:44.905Z|00037|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5
[root@dell-per740-41 keys]#
Same issue for RHEL7 packages:

[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl set Open_vSwitch . \
> other_config:certificate=/root/keys/h1-cert.pem \
> other_config:private_key=/root/keys/h1-privkey.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
ovs-vsctl: cannot create a bridge named ovsbr0 because a bridge named ovsbr0 already exists
[root@dell-per730-04 ~]# ovs-vsctl del-port ovsbr0 tun123
ovs-vsctl: no port named tun123
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
> set interface tun123 type=gre \
> options:remote_ip=192.168.123.2 \
> options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log
2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:00:02.713Z|00043|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:07.200Z|00044|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:11.064Z|00045|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:28.635Z|00046|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:33.099Z|00047|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:08:52.869Z|00048|bridge|INFO|bridge ovsbr0: deleted interface tun123 on port 1
2020-12-18T04:12:17.794Z|00049|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-18T04:12:17.800Z|00050|bridge|INFO|bridge ovsbr0: added interface tun123 on port 2
2020-12-18T04:12:17.802Z|00051|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
This is a warning from the ovs-vswitchd specifying that it does not recognise that configuration parameter in the OVSDB. It is expected because OVS does not use these parameters (ovs-monitor-ipsec does). This is not an error message so can be safely ignored. If you think it would help reduce user concern, I can submit a patch to suppress these cases?
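A small log-triage helper for the explanation in comment #3, added here as an example and not code from the reporter, from Mark Gray or from the Open vSwitch project. It parses ovs-vswitchd log lines in the format shown in this report, picks out the netdev_vport "unknown <tunnel> argument" warnings, and separates the ones that comment #3 says are expected (options consumed by ovs-monitor-ipsec rather than ovs-vswitchd: psk, remote_cert and remote_name all appear in this report) from any other unknown option name, which would more likely be a typo in the ovs-vsctl command. The sample log is constructed: three lines are copied from the report and the tun124/remote_crt line is made up to show the other branch. It only classifies the warning; as the later comments show, the tunnel failures in this report had a separate cause in /etc/ipsec.conf.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Options that ovs-vswitchd itself does not consume. Per comment #3 they are
# read by ovs-monitor-ipsec, so the WARN about them is expected. All three
# names appear in this bug report's logs.
IPSEC_ONLY_OPTIONS = frozenset({"psk", "remote_cert", "remote_name"})

# ovs-vswitchd log line layout as seen in the report: ts|seq|module|level|msg
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<seq>\d+)\|(?P<module>\w+)\|(?P<level>[A-Z]+)\|(?P<msg>.*)$"
)
# e.g. "tun123: unknown gre argument 'remote_cert'"; tunnel type is not fixed
# (the reporter saw it with GRE and VXLAN), so it is captured generically.
UNKNOWN_ARG_RE = re.compile(
    r"^(?P<iface>[^:]+): unknown (?P<tunnel>\S+) argument '(?P<arg>[^']+)'$"
)


class Finding(NamedTuple):
    seq: int
    iface: str
    tunnel: str
    arg: str
    expected: bool  # True when the option belongs to ovs-monitor-ipsec


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every netdev_vport WARN about an unknown argument.

    Lines that do not match the log layout, come from another module, or are
    not 'unknown ... argument' warnings are skipped rather than raising.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["module"] != "netdev_vport" or m["level"] != "WARN":
            continue
        u = UNKNOWN_ARG_RE.match(m["msg"])
        if not u:
            continue
        findings.append(
            Finding(
                int(m["seq"]),
                u["iface"],
                u["tunnel"],
                u["arg"],
                u["arg"] in IPSEC_ONLY_OPTIONS,
            )
        )
    return findings


def unexpected_args(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Only the warnings comment #3 does not account for: option names that
    neither ovs-vswitchd nor ovs-monitor-ipsec knows (e.g. a misspelt key)."""
    return sorted({(f.iface, f.arg) for f in triage(lines) if not f.expected})


# Constructed sample input: lines 1-4 are copied from the report, line 5 is
# invented (hypothetical interface tun124 with a misspelt option) to exercise
# the "unexpected" branch.
SAMPLE_LOG = """\
2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:02.798Z|00033|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-14T08:13:42.863Z|00033|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:00:02.711Z|00043|netdev_vport|WARN|tun124: unknown vxlan argument 'remote_crt'
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = (
            "expected (ovs-monitor-ipsec option)"
            if f.expected
            else "UNEXPECTED, check the option name"
        )
        print(f"seq {f.seq}: {f.iface} ({f.tunnel}) '{f.arg}': {tag}")
    print("unexpected:", unexpected_args(SAMPLE_LOG))
```

Running it on the sample prints the three report lines as expected and flags only the constructed tun124 line; pointing `triage` at the real /var/log/openvswitch/ovs-vswitchd.log lets an operator confirm that every netdev_vport warning on a host is one of the known IPsec-only options before looking elsewhere (libreswan logs, ipsec.conf) for the reason a tunnel does not come up.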
(In reply to Mark Gray from comment #3)
> This is a warning from the ovs-vswitchd specifying that it does not
> recognise that configuration parameter in the OVSDB. It is expected because
> OVS does not use these parameters (ovs-monitor-ipsec does). This is not an
> error message so can be safely ignored. If you think it would help reduce
> user concern, I can submit a patch to suppress these cases?

In my test I don't think this is just a problem with the warning message. I use the steps described in https://docs.openvswitch.org/en/latest/tutorials/ipsec/ and don't actually successfully establish an IPsec tunnel with a self-signed certificate or a CA-signed certificate.
That message should be unrelated but I will confirm as we debug further.

* Is it only failing with self-signed and CA-signed certificate cases?
* Are you failing across all tunnel-types?
* Are there any errors in the libreswan logs in `journalctl`?
Created attachment 1740873: journalctl.log

(In reply to Mark Gray from comment #5)
> That message should be unrelated but I will confirm as we debug further.
>
> * Is it only failing with self-signed and CA-signed certificate cases?

In PSK mode, after changing left to local_ip in /etc/ipsec.conf the IPsec tunnel can be successfully established. I never successfully established an IPsec tunnel in self-signed or CA-signed certificate modes.

> * Are you failing across all tunnel-types?

I tried with GRE and VxLAN; they both failed.

> * Are there any errors in the libreswan logs in `journalctl`?

Please see the attachment journalctl.log
I think that log was with the self-signed case? I believe that is a duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646

Can you send the same for the CA-signed case?
Created attachment 1740938: journalctl log for CA-signed mode

(In reply to Mark Gray from comment #7)
> I think that log was with the self-signed case? I believe that is a
> duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646
>
> Can you send the same for the CA-signed case?

After changing "left=%defaultroute" to "left=192.168.123.1", CA-signed mode works now. Please see the attached journalctl_ca.log
The self-signed case is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1884646. I have a patch posted upstream to resolve that.

I also have the following patch to suppress the warning messages:
https://patchwork.ozlabs.org/project/openvswitch/patch/20201221131233.190544-1-mark.d.gray@redhat.com/

Thanks for testing.