Bug 1906701 - [OVS IPsec] unknown gre/vxlan argument 'remote_cert' when using self-signed certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch2.13
Version: FDP 20.I
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Open vSwitch development team
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-12-11 08:00 UTC by qding
Modified: 2023-06-14 14:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-14 14:58:02 UTC
Target Upstream Version:
Embargoed:


Attachments
journalctl.log (324.07 KB, text/plain), 2020-12-21 05:40 UTC, qding
journalctl log for CA-signed mode (672.62 KB, text/plain), 2020-12-21 11:40 UTC, qding


Links
Red Hat Issue Tracker FD-979 (last updated 2021-11-14 22:34:13 UTC)

Description qding 2020-12-11 08:00:59 UTC
Description of problem:

2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'


[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
>     set interface tun123 type=gre \
>     options:remote_ip=192.168.123.2 \
>     options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log 
2020-12-11T07:57:54.170Z|00027|ofproto_dpif|INFO|system@ovs-system: Datapath does not support IPv6 ND Extensions
2020-12-11T07:57:54.213Z|00028|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-11T07:57:54.213Z|00029|bridge|INFO|bridge ovsbr0: using datapath ID 0000aa8b0cf77a44
2020-12-11T07:57:54.213Z|00030|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-11T07:57:54.239Z|00031|bridge|INFO|ovs-vswitchd (Open vSwitch) 2.13.2
2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:02.798Z|00033|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-11T07:58:02.800Z|00034|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-11T07:58:04.147Z|00035|memory|INFO|158328 kB peak resident set size after 10.0 seconds
2020-12-11T07:58:04.147Z|00036|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5 udpif keys:1
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ovs-vsctl show
6a5a6e4a-5434-40ad-89de-23a57991798a
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {remote_cert="/root/keys/h2-cert.pem", remote_ip="192.168.123.2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]# 

Version-Release number of selected component (if applicable):
[root@dell-per730-04 ~]# uname -r
4.18.0-259.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-2.13.0-74.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-74.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
[root@dell-per730-04 ~]# 

How reproducible: always

Comment 1 qding 2020-12-14 08:18:03 UTC
And when using a CA-signed certificate, there is a similar issue, "unknown gre argument 'remote_name'", for remote_name.

[root@dell-per740-41 keys]# ovs-vsctl set Open_vSwitch . \
>         other_config:certificate=/root/keys/h1-cert.pem \
>         other_config:private_key=/etc/keys/h1-privkey.pem \
>         other_config:ca_cert=/root/keys/cacert.pem
[root@dell-per740-41 keys]# ovs-vsctl add-br ovsbr0
[root@dell-per740-41 keys]# 
[root@dell-per740-41 keys]# ovs-vsctl add-port ovsbr0 tun123 -- \
>         set interface tun123 type=gre \
>                        options:remote_ip=192.168.123.2 \
>                        options:remote_name=h2
[root@dell-per740-41 keys]# ovs-vsctl show
d51ceb93-7623-4528-87e7-969cc4054a53
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: gre
                options: {remote_ip="192.168.123.2", remote_name=h2}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "2.13.2"
[root@dell-per740-41 keys]# 
[root@dell-per740-41 keys]# cat /var/log/openvswitch/ovs-vswitchd.log 
...

2020-12-14T08:13:42.815Z|00030|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2020-12-14T08:13:42.815Z|00031|bridge|INFO|bridge ovsbr0: using datapath ID 00004e55dacc4049
2020-12-14T08:13:42.815Z|00032|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2020-12-14T08:13:42.863Z|00033|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:42.895Z|00034|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1
2020-12-14T08:13:42.898Z|00035|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'
2020-12-14T08:13:44.905Z|00036|memory|INFO|peak resident set size grew 207% in last 6615.7 seconds, from 51700 kB to 158540 kB
2020-12-14T08:13:44.905Z|00037|memory|INFO|handlers:35 ports:2 revalidators:13 rules:5
[root@dell-per740-41 keys]#

Comment 2 qding 2020-12-18 04:13:57 UTC
Same issue for RHEL7 packages.

[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ovs-vsctl set Open_vSwitch . \
>     other_config:certificate=/root/keys/h1-cert.pem \
>     other_config:private_key=/root/keys/h1-privkey.pem
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
ovs-vsctl: cannot create a bridge named ovsbr0 because a bridge named ovsbr0 already exists
[root@dell-per730-04 ~]# ovs-vsctl del-port ovsbr0 tun123
ovs-vsctl: no port named tun123
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- \
>     set interface tun123 type=gre \
>     options:remote_ip=192.168.123.2 \
>     options:remote_cert=/root/keys/h2-cert.pem
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# tail /var/log/openvswitch/ovs-vswitchd.log 
2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:00:02.713Z|00043|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:07.200Z|00044|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:02:11.064Z|00045|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:28.635Z|00046|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:03:33.099Z|00047|netdev_vport|WARN|tun123: unknown gre argument 'psk'
2020-12-18T04:08:52.869Z|00048|bridge|INFO|bridge ovsbr0: deleted interface tun123 on port 1
2020-12-18T04:12:17.794Z|00049|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
2020-12-18T04:12:17.800Z|00050|bridge|INFO|bridge ovsbr0: added interface tun123 on port 2
2020-12-18T04:12:17.802Z|00051|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
[root@dell-per730-04 ~]# 

Comment 3 Mark Gray 2020-12-18 11:29:56 UTC
This is a warning from the ovs-vswitchd specifying that it does not recognise that configuration parameter in the OVSDB. It is expected because OVS does not use these parameters (ovs-monitor-ipsec does). This is not an error message so can be safely ignored. If you think it would help reduce user concern, I can submit a patch to suppress these cases?
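
Comment 3 explains that these warnings come from ovs-vswitchd not recognising option keys that only ovs-monitor-ipsec reads, and the commands in the description and in comments 1 and 2 show the three authentication modes (PSK, self-signed, CA-signed) together with the other_config and options keys each one uses. The Python script below is an added example, not part of this bug report and not Open vSwitch code: it sorts netdev_vport "unknown argument" warnings from an ovs-vswitchd.log into expected (an IPsec-only key, safe to ignore) and suspicious (any other key, which usually means a misspelled option that ovs-vswitchd silently drops), and it checks that a switch's other_config and an interface's options describe one consistent IPsec authentication mode. The IPSEC_ONLY_KEYS set, the mode rules in ipsec_auth_mode and the tun124/remote_crt log line are assumptions constructed for the example; the other sample lines are copied from the log excerpts above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tunnel option keys that ovs-vswitchd never consumes itself: ovs-monitor-ipsec
# reads them, so a netdev_vport "unknown <type> argument" warning naming one of
# them is expected noise rather than a misconfiguration (see comment 3).
# Assumption: the set is limited to the keys that appear in this bug report.
IPSEC_ONLY_KEYS = {"remote_cert", "remote_name", "psk"}

# Matches lines such as
#   2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'
WARN_RE = re.compile(
    r"^(?P<ts>\S+)\|\d+\|netdev_vport\|WARN\|(?P<iface>[^:]+): "
    r"unknown (?P<tunnel>\w+) argument '(?P<arg>[^']+)'$"
)

# Sample input: lines copied from the ovs-vswitchd.log excerpts in this bug,
# plus one constructed line (tun124, 'remote_crt') standing in for a typo.
SAMPLE_LOG = [
    "2020-12-11T07:58:02.792Z|00032|netdev_vport|WARN|tun123: unknown gre argument 'remote_cert'",
    "2020-12-11T07:58:02.798Z|00033|bridge|INFO|bridge ovsbr0: added interface tun123 on port 1",
    "2020-12-14T08:13:42.863Z|00033|netdev_vport|WARN|tun123: unknown gre argument 'remote_name'",
    "2020-12-18T04:00:02.711Z|00042|netdev_vport|WARN|tun123: unknown gre argument 'psk'",
    # constructed: a misspelled key that ovs-vswitchd would warn about in exactly the same way
    "2020-12-18T04:00:03.000Z|00043|netdev_vport|WARN|tun124: unknown vxlan argument 'remote_crt'",
]


def parse_unknown_arg_warning(line: str) -> Optional[Dict[str, str]]:
    """Return the fields (ts, iface, tunnel, arg) of an 'unknown argument' warning, else None."""
    m = WARN_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_warnings(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split 'unknown argument' warnings into (expected, suspicious).

    expected:   the key is one ovs-monitor-ipsec consumes, so the warning is benign.
    suspicious: any other key; ovs-vswitchd ignores it, so whatever the operator
                meant to configure with it is not in effect.
    """
    expected: List[Dict[str, str]] = []
    suspicious: List[Dict[str, str]] = []
    for line in lines:
        w = parse_unknown_arg_warning(line)
        if w is None:
            continue
        (expected if w["arg"] in IPSEC_ONLY_KEYS else suspicious).append(w)
    return expected, suspicious


def ipsec_auth_mode(other_config: Dict[str, str], options: Dict[str, str]) -> str:
    """Name the IPsec authentication mode implied by the switch-level other_config
    and one interface's options column, or raise ValueError if they are inconsistent.

    Assumed rules (modelled on the three modes exercised in this bug):
      psk          options:psk, no certificate options
      self-signed  other_config:certificate + private_key, options:remote_cert
      ca-signed    other_config:certificate + private_key + ca_cert, options:remote_name
    """
    if "psk" in options:
        if "remote_cert" in options or "remote_name" in options:
            raise ValueError("psk combined with certificate options")
        return "psk"
    has_local_cert = "certificate" in other_config and "private_key" in other_config
    if "remote_cert" in options:
        if not has_local_cert:
            raise ValueError("remote_cert set but other_config certificate/private_key missing")
        return "self-signed"
    if "remote_name" in options:
        if not has_local_cert or "ca_cert" not in other_config:
            raise ValueError("remote_name set but certificate/private_key/ca_cert incomplete")
        return "ca-signed"
    raise ValueError("no IPsec authentication option (psk, remote_cert or remote_name) on interface")


if __name__ == "__main__":
    expected, suspicious = triage_warnings(SAMPLE_LOG)
    print(f"expected (IPsec-only keys): {[w['arg'] for w in expected]}")
    for w in suspicious:
        print(f"SUSPICIOUS {w['iface']} ({w['tunnel']}): unknown option '{w['arg']}' is being ignored")
```

Against a real deployment, read /var/log/openvswitch/ovs-vswitchd.log into the list in place of SAMPLE_LOG; the suspicious bucket is the one worth alerting on, because a misspelled remote_cert, remote_name or psk leaves the tunnel without the authentication the operator believes is configured, while the expected bucket is exactly the noise comment 3 describes.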

Comment 4 qding 2020-12-18 13:11:50 UTC
(In reply to Mark Gray from comment #3)
> This is a warning from the ovs-vswitchd specifying that it does not
> recognise that configuration parameter in the OVSDB. It is expected because
> OVS does not use these parameters (ovs-monitor-ipsec does). This is not an
> error message so can be safely ignored. If you think it would help reduce
> user concern, I can submit a patch to suppress these cases?

In my test I don't think this is just a problem of a warning message. I used the steps described in https://docs.openvswitch.org/en/latest/tutorials/ipsec/ and did not actually succeed in establishing an IPsec tunnel with a self-signed certificate or a CA-signed certificate.

Comment 5 Mark Gray 2020-12-18 13:56:20 UTC
That message should be unrelated but I will confirm as we debug further.

* Is it only failing with self-signed and CA-signed certificate cases? 
* Are you failing across all tunnel-types?
* Are there any errors in the libreswan logs in `journalctl`?

Comment 6 qding 2020-12-21 05:40:15 UTC
Created attachment 1740873: journalctl.log

(In reply to Mark Gray from comment #5)
> That message should be unrelated but I will confirm as we debug further.
> 
> * Is it only failing with self-signed and CA-signed certificate cases?

In PSK mode, after changing left to local_ip in /etc/ipsec.conf, the IPsec tunnel can be successfully established. I never successfully established an IPsec tunnel in self-signed or CA-signed certificate mode.

> * Are you failing across all tunnel-types?

I tried with GRE and VxLAN; they both failed.

> * Are there any errors in the libreswan logs in `journalctl`?

Please see the attachment journalctl.log

Comment 7 Mark Gray 2020-12-21 08:21:24 UTC
I think that log was with the self-signed case? I believe that is a duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646

Can you send the same for the CA-signed case?

Comment 8 qding 2020-12-21 11:40:40 UTC
Created attachment 1740938: journalctl log for CA-signed mode

(In reply to Mark Gray from comment #7)
> I think that log was with the self-signed case? I believe that is a
> duplicate of this: https://bugzilla.redhat.com/show_bug.cgi?id=1884646
> 
> Can you send the same for the CA-signed case?

After changing "left=%defaultroute" to "left=192.168.123.1", CA-signed mode works now. Please see the attached journalctl_ca.log.

Comment 9 Mark Gray 2020-12-21 13:38:42 UTC
The self-signed case is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1884646. I have a patch posted upstream to resolve that. I also have the following patch to suppress the warning messages.

https://patchwork.ozlabs.org/project/openvswitch/patch/20201221131233.190544-1-mark.d.gray@redhat.com/

Thanks for testing.

