Description of problem:
ovn ipsec tunnel can't be set up

Version-Release number of selected component (if applicable):
# rpm -qa|grep ovn
ovn2.13-central-20.12.0-9.el8fdp.x86_64
ovn2.13-host-20.12.0-9.el8fdp.x86_64
ovn2.13-20.12.0-9.el8fdp.x86_64
# rpm -qa|grep openvs
python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch
openvswitch2.13-2.13.0-79.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64

How reproducible:
always

Steps to Reproduce:
1. set up ovn topo as below:
# ovn-nbctl show
switch 41d6621d-ffb6-4c7c-baae-3d1b6dfc4bb5 (ls)
    port vm2
        addresses: ["00:00:00:00:00:02"]
    port vm3
        addresses: ["00:00:00:00:00:03"]
    port vm1
        addresses: ["00:00:00:00:00:01"]
# ovn-sbctl show
Chassis hv0
    hostname: dell-per740-54.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: "20.0.65.26"
        options: {csum="true"}
    Port_Binding vm3
    Port_Binding vm2
Chassis hv1
    hostname: dell-per740-53.rhts.eng.pek2.redhat.com
    Encap geneve
        ip: "20.0.65.25"
        options: {csum="true"}
    Port_Binding vm1
# ovs-vsctl show
a6029858-a2b0-4cbf-9fea-45864d429fef
    Bridge br-int
        fail_mode: secure
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-hv0-0
            Interface ovn-hv0-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="20.0.65.26", remote_name=hv0}
    ovs_version: "2.13.2"

2. set configuration of ipsec:
# ovs-vsctl list Open_vSwitch .
_uuid               : a6029858-a2b0-4cbf-9fea-45864d429fef
bridges             : [12b4e617-8353-41c1-99a4-bab2dcdaa751]
cur_cfg             : 7
datapath_types      : [netdev, system]
datapaths           : {}
db_version          : "8.2.0"
dpdk_initialized    : false
dpdk_version        : "DPDK 19.11.3"
external_ids        : {hostname=dell-per740-53.rhts.eng.pek2.redhat.com, ovn-encap-ip="20.0.65.25", ovn-encap-type=geneve, ovn-remote="tcp:20.0.65.25:6642", rundir="/var/run/openvswitch", system-id=hv1}
iface_types         : [erspan, geneve, gre, internal, ip6erspan, ip6gre, lisp, patch, stt, system, tap, vxlan]
manager_options     : []
next_cfg            : 7
other_config        : {ca_cert="/tmp/keys/cacert.pem", certificate="/tmp/keys/hv1-cert.pem", private_key="/tmp/keys/hv1-privkey.pem"}
ovs_version         : "2.13.2"
ssl                 : []
statistics          : {}
system_type         : rhel
system_version      : "8.4"

3. # ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       %defaultroute     ------------here no local ip
  Remote IP:      20.0.65.26
  SKB mark:       None
  Local cert:     /tmp/keys/hv1-cert.pem
  Local name:     hv1
  Local key:      /tmp/keys/hv1-privkey.pem
  Remote cert:    None
  Remote name:    hv0
  CA cert:        /tmp/keys/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081     ---src wrong
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:

Actual results:
ipsec ovn-tunnel can't be set up

Expected results:
ipsec ovn-tunnel can be set up

Additional info:
for ovs-ipsec tunnel, there is an option local-ip to set the src, but for ovn there is no local-ip option. But for ovn, there is a parameter ovn-encap-ip that is the local ip.
Created attachment 1754390
ovn/ipsec log

add the log about this
'ovs-monitor-ipsec' requires 'local_ip' to set up IPsec correctly if the remote ip address is not reached via the default gateway address. 'ovn-encap-ip' should cause the OVS tunnel ports to set 'local_ip' on the tunnel port.
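A check for the condition described in this comment, added here as an example (it is not part of the bug report, OVS or OVN): given the chassis's ovn-encap-ip and the text of `ovs-appctl -t ovs-monitor-ipsec tunnels/show`, it flags a tunnel whose "Local IP" is still `%defaultroute` and any installed kernel policy whose src is not the encap IP. The function name `check_ipsec_local_ip` and the two sample outputs (constructed excerpts modeled on the reporter's and the verifier's `tunnels/show` output) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report, OVS or OVN): detect a tunnel port
# whose IPsec local address was never set from ovn-encap-ip.
#
# check_ipsec_local_ip <ovn-encap-ip> <tunnels/show output>
# Returns 0 when every tunnel and policy uses the encap IP, 1 otherwise.
check_ipsec_local_ip() {
    encap_ip=$1
    show=$2
    rc=0

    # Signature of the bug: ovs-monitor-ipsec fell back to %defaultroute,
    # which is only correct if the remote is reached via the default gateway.
    if printf '%s\n' "$show" | grep -q 'Local IP:[[:space:]]*%defaultroute'; then
        echo "FAIL: a tunnel has 'Local IP: %defaultroute'; ovn-encap-ip=$encap_ip was not set as the port's local_ip" >&2
        rc=1
    fi

    # Every "Local IP:" value must be exactly the encap IP (-F literal, -x whole line).
    bad_local=$(printf '%s\n' "$show" \
        | sed -n 's/^[[:space:]]*Local IP:[[:space:]]*//p' \
        | grep -vcxF -- "$encap_ip" || true)
    if [ "$bad_local" -gt 0 ]; then
        echo "FAIL: $bad_local tunnel(s) report a Local IP other than $encap_ip" >&2
        rc=1
    fi

    # Every installed kernel policy ("src A/32 dst B/32 ...") must use the encap
    # IP as src; the "sel src" lines under security associations are skipped.
    bad_src=$(printf '%s\n' "$show" \
        | sed -n 's/^[[:space:]]*src \([^/ ]*\).*/\1/p' \
        | grep -vcxF -- "$encap_ip" || true)
    if [ "$bad_src" -gt 0 ]; then
        echo "FAIL: $bad_src kernel policy line(s) use a src address other than $encap_ip" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: all tunnels and policies use $encap_ip as the local address"
    fi
    return "$rc"
}

# Constructed excerpt modeled on the report (ovn 20.12, before the fix).
BROKEN_SHOW=$(cat <<'EOF'
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       %defaultroute
  Remote IP:      20.0.65.26
Kernel policies installed:
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp dport 6081
  src 10.73.88.174/32 dst 20.0.65.26/32 proto udp sport 6081
Kernel security associations installed:
IPsec connections that are active:
EOF
)

# Constructed excerpt modeled on the verification output (ovn 21.06, after the fix).
FIXED_SHOW=$(cat <<'EOF'
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       20.0.20.25
  Remote IP:      20.0.20.26
Kernel policies installed:
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
Kernel security associations installed:
  sel src 20.0.20.26/32 dst 20.0.20.25/32 proto udp sport 6081
  sel src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
IPsec connections that are active:
EOF
)

echo "--- before the fix ---"
check_ipsec_local_ip 20.0.65.25 "$BROKEN_SHOW" || true
echo "--- after the fix ---"
check_ipsec_local_ip 20.0.20.25 "$FIXED_SHOW" || true
```

On a live chassis the two arguments come from the real commands, e.g. `check_ipsec_local_ip "$(ovs-vsctl get Open_vSwitch . external_ids:ovn-encap-ip | tr -d '"')" "$(ovs-appctl -t ovs-monitor-ipsec tunnels/show)"`; a non-zero exit means the tunnel port's local_ip does not match the encap IP and the IPsec policies will not match the traffic ovn-controller actually sends.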
https://patchwork.ozlabs.org/project/ovn/patch/20210216095543.1311806-1-mark.d.gray@redhat.com/
v3 accepted upstream on 2021-03-16: https://patchwork.ozlabs.org/project/ovn/patch/20210216115533.1586837-1-mark.d.gray@redhat.com/

It will be part of ovn-21.06.
verified on version:
# rpm -qa|grep ovn
ovn-2021-host-21.06.0-4.el8fdp.x86_64
ovn-2021-21.06.0-4.el8fdp.x86_64
ovn-2021-central-21.06.0-4.el8fdp.x86_64

# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: ovn-hv0-0 v1 (CONFIGURED)
  Tunnel Type:    geneve
  Local IP:       20.0.20.25
  Remote IP:      20.0.20.26
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /tmp/keys/hv1-cert.pem
  Local name:     hv1
  Local key:      /tmp/keys/hv1-privkey.pem
  Remote cert:    None
  Remote name:    hv0
  CA cert:        /tmp/keys/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
  src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
Kernel security associations installed:
  sel src 20.0.20.26/32 dst 20.0.20.25/32 proto udp sport 6081
  sel src 20.0.20.25/32 dst 20.0.20.26/32 proto udp dport 6081
  sel src 20.0.20.26/32 dst 20.0.20.25/32 proto udp dport 6081
  sel src 20.0.20.25/32 dst 20.0.20.26/32 proto udp sport 6081
IPsec connections that are active:
  000 #2: "ovn-hv0-0-in-1" esp.3825d6e0.20.26 esp.9d4118c4.20.25 Traffic: ESPin=940B ESPout=0B! ESPmax=0B
  000 #3: "ovn-hv0-0-out-1" esp.4ec506b8.20.26 esp.2df0938.20.25 Traffic: ESPin=0B ESPout=470B! ESPmax=0B

# ovs-vsctl show
0de2155e-a6f8-453e-b824-f3c2e481d538
    Bridge br-int
        fail_mode: secure
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-hv0-0
            Interface ovn-hv0-0
                type: geneve
                options: {csum="true", key=flow, local_ip="20.0.20.25", remote_ip="20.0.20.26", remote_name=hv0}
    ovs_version: "2.13.4"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2969