Bug 1924041 - [OVN] ovn ipsec tunnel can't be set up
Summary: [OVN] ovn ipsec tunnel can't be set up
Status: POST
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.13
Version: FDP 21.A
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mark Gray
QA Contact: ying xu
Depends On:
Reported: 2021-02-02 13:21 UTC by ying xu
Modified: 2021-05-25 17:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments
ovn/ipsec log (461.22 KB, text/plain)
2021-02-02 13:22 UTC, ying xu

Description ying xu 2021-02-02 13:21:14 UTC
Description of problem:
OVN IPsec tunnel can't be set up

Version-Release number of selected component (if applicable):
# rpm -qa|grep ovn

# rpm -qa|grep openvs

How reproducible:

Steps to Reproduce:
1. Set up OVN, topology as below:
# ovn-nbctl show
switch 41d6621d-ffb6-4c7c-baae-3d1b6dfc4bb5 (ls)
    port vm2
        addresses: ["00:00:00:00:00:02"]
    port vm3
        addresses: ["00:00:00:00:00:03"]
    port vm1
        addresses: ["00:00:00:00:00:01"]
# ovn-sbctl show
Chassis hv0
    hostname: dell-per740-54.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: ""
        options: {csum="true"}
    Port_Binding vm3
    Port_Binding vm2
Chassis hv1
    hostname: dell-per740-53.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: ""
        options: {csum="true"}
    Port_Binding vm1
# ovs-vsctl show
    Bridge br-int
        fail_mode: secure
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-hv0-0
            Interface ovn-hv0-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="", remote_name=hv0}
    ovs_version: "2.13.2"

2. Set the IPsec configuration:
# ovs-vsctl list Open_vSwitch .
_uuid               : a6029858-a2b0-4cbf-9fea-45864d429fef
bridges             : [12b4e617-8353-41c1-99a4-bab2dcdaa751]
cur_cfg             : 7
datapath_types      : [netdev, system]
datapaths           : {}
db_version          : "8.2.0"
dpdk_initialized    : false
dpdk_version        : "DPDK 19.11.3"
external_ids        : {hostname=dell-per740-53.rhts.eng.pek2.redhat.com, ovn-encap-ip="", ovn-encap-type=geneve, ovn-remote="tcp:", rundir="/var/run/openvswitch", system-id=hv1}
iface_types         : [erspan, geneve, gre, internal, ip6erspan, ip6gre, lisp, patch, stt, system, tap, vxlan]
manager_options     : []
next_cfg            : 7
other_config        : {ca_cert="/tmp/keys/cacert.pem", certificate="/tmp/keys/hv1-cert.pem", private_key="/tmp/keys/hv1-privkey.pem"}
ovs_version         : "2.13.2"
ssl                 : []
statistics          : {}
system_type         : rhel
system_version      : "8.4"

3. # ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       %defaultroute            ------------here no local ip
  Remote IP:
  SKB mark:       None
  Local cert:     /tmp/keys/hv1-cert.pem
  Local name:     hv1
  Local key:      /tmp/keys/hv1-privkey.pem
  Remote cert:    None
  Remote name:    hv0
  CA cert:        /tmp/keys/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src dst proto udp dport 6081       ---src wrong
  src dst proto udp dport 6081
  src dst proto udp sport 6081
  src dst proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:

Actual results:
IPsec OVN tunnel can't be set up

Expected results:
IPsec OVN tunnel can be set up

Additional info:
For an OVS IPsec tunnel, there is an option local-ip to set the src, but for OVN there is no local-ip option.
But for OVN, there is a parameter ovn-encap-ip that is the local IP.

Comment 1 ying xu 2021-02-02 13:22:41 UTC
Created attachment 1754390
ovn/ipsec log

Added the log about this.

Comment 2 Mark Gray 2021-02-02 14:35:37 UTC
'ovs-monitor-ipsec' requires 'local_ip' to set up IPsec correctly if the remote IP address is not reached via the default gateway address. 'ovn-encap-ip' should cause the OVS tunnel ports to set 'local_ip' on the tunnel port.
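A check for the condition described in this bug, added here as an example and not part of the report or of OVS/OVN code: it parses the `tunnels/show` format shown above and flags tunnels whose Local IP is left at `%defaultroute` (no `local_ip` on the tunnel port) and kernel policies whose source differs from the chassis's `ovn-encap-ip`. The sample output, interface name and documentation-range addresses are constructed.

```python
import re

# Constructed sample modelled on the `tunnels/show` output quoted in the
# report; the addresses are documentation-range placeholders, not the bug's.
SAMPLE = """\
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       %defaultroute
  Remote IP:      192.0.2.20
Kernel policies installed:
  src 198.51.100.5/32 dst 192.0.2.20/32 proto udp dport 6081
  src 192.0.2.20/32 dst 198.51.100.5/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:
"""

IFACE_RE = re.compile(r"^Interface name: (\S+)")
FIELD_RE = re.compile(r"^\s+(Local IP|Remote IP):\s*(\S*)")
POLICY_RE = re.compile(r"^\s+src (\S+?)(?:/\d+)? dst (\S+?)(?:/\d+)? proto udp")

def parse_show(text):
    """Return (tunnels, policies): Local/Remote IP per interface, plus every
    (src, dst) pair listed under 'Kernel policies installed:'."""
    tunnels, policies, cur, in_pol = {}, [], None, False
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            cur = tunnels.setdefault(m.group(1), {})
        elif line.startswith("Kernel policies installed:"):
            in_pol, cur = True, None
        elif not line.startswith(" "):
            in_pol = False  # any other unindented header ends the section
        elif in_pol and (m := POLICY_RE.match(line)):
            policies.append((m.group(1), m.group(2)))
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2)
    return tunnels, policies

def check(text, encap_ip):
    """Flag tunnels left to %defaultroute (no local_ip) and outbound xfrm
    policies whose source is not the chassis's ovn-encap-ip."""
    findings = []
    tunnels, policies = parse_show(text)
    for name, t in tunnels.items():
        if t.get("Local IP", "") in ("", "%defaultroute"):
            findings.append(f"{name}: no local_ip, IKE picks the default-route address")
        for src, dst in policies:
            if dst == t.get("Remote IP") and src != encap_ip:
                findings.append(f"{name}: policy src {src} != ovn-encap-ip {encap_ip}")
    return findings
```

Run `check(output, encap_ip)` on the live `ovs-appctl -t ovs-monitor-ipsec tunnels/show` text with the value of `external_ids:ovn-encap-ip`; an empty list means the local endpoint matches on both sides.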

Comment 4 Dan Williams 2021-05-25 17:19:15 UTC
v3 accepted upstream on 2021-03-16: https://patchwork.ozlabs.org/project/ovn/patch/20210216115533.1586837-1-mark.d.gray@redhat.com/

It will be part of ovn-21.06.
