Description of problem:
OVS IPsec doesn't work for IPv6 tunnel.

Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-24.el8fdp.noarch
openvswitch2.13-2.13.0-79.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64
[root@dell-per730-04 ~]# ovs-vsctl show
5fa03d0e-dac3-483a-9e3d-1f43fb7a21f5
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: ip6gre
                options: {local_ip="2001:db8::123:1", psk=test123, remote_ip="2001:db8::123:2"}
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
No ESP in packets through the tunnel

Expected results:
ESP is added in packets through the tunnel

Additional info:
Can you post any libreswan messages in the journal and the ovs-monitor-ipsec.log file?
Created attachment 1747724: log for "journalctl -u ipsec"
Created attachment 1747725: log for "journalctl -u openvswitch-ipsec"
Hi,

Tunnel type ip6gre is not supported. The only supported types are: gre, stt, vxlan, geneve

Mark
(In reply to Mark Gray from comment #5)
> Hi,
>
> Tunnel type ip6gre is not supported. The only supported types are: gre, stt,
> vxlan, geneve
>
> Mark

IPv6 vxlan and IPv6 geneve have no problem.
But we have been using ip6gre to create ipv6 GRE tunnel and I tried with type=gre and remote_ip/local_ip as IPv6 address but it doesn't work even without IPsec. Please make sure only support gre is expected.
I don't try with stt and don't know yet how to use it.

Thanks.
(In reply to qding from comment #6)
> (In reply to Mark Gray from comment #5)
> > Hi,
> >
> > Tunnel type ip6gre is not supported. The only supported types are: gre, stt,
> > vxlan, geneve
> >
> > Mark
>
> IPv6 vxlan and IPv6 geneve have no problem.
> But we have been using ip6gre to create ipv6 GRE tunnel and I tried with
> type=gre and remote_ip/local_ip as IPv6 address but it doesn't work even
> without IPsec. Please make sure only support gre is expected.
> I don't try with stt and don't know yet how to use it.
>
> Thanks.

Ok if IPv6 generally works (for vxlan and geneve), can we change the title of this bug to GRE IPv6 support?
(In reply to Mark Gray from comment #7)
>
> Ok if IPv6 generally works (for vxlan and geneve), can we change the title
> of this bug to GRE IPv6 support?

I've changed it and please see if it's ok.

Thanks.
Yes, looks fine now.
ovs-monitor-ipsec doesn't currently support ip6gre at all. I'll look into adding it.
I quickly added ip6gre to ovs-monitor-ipsec, but still wasn't able to establish a full ipsec tunnel. From a quick debugging session I see IKE negotiate, and even "ip xfrm state" shows the proper configuration. But egress ipv6 gre packets aren't encrypted properly.
Thanks Mike.

The IPSEC w/ IPv6 is not supported downstream. I am closing this bug because we don't have RFE to enable that.

fbl