Bug 1935599 - [OVS IPsec] NAT-T doesn't work
Summary: [OVS IPsec] NAT-T doesn't work
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch2.13
Version: FDP 21.B
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Mohamad Heib
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-03-05 08:51 UTC by qding
Modified: 2022-01-13 14:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)
log for "journalctl -u ipsec" (116.59 KB, text/plain)
2021-03-05 08:55 UTC, qding


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-1117 0 None None None 2021-10-29 08:57:15 UTC

Description qding 2021-03-05 08:51:19 UTC
Description of problem:

OVS IPsec NAT-T doesn't work: Host1 sits behind a NAT (its tunnel local_ip 192.168.1.1 is source-NATed to 10.1.1.1 by the br-nat conntrack flows shown below, and Host2 addresses it as remote_ip=10.1.1.1), and the IPsec-protected GRE tunnel tun123 between Host1 and Host2 does not come up. From the tcpdump in comment 2, the IKE_SA_INIT exchange completes and both peers correctly detect the NAT and move to UDP/4500, but the IKE_AUTH response carries only a 33-byte encrypted payload -- far too small for the IDr/AUTH/SA/TSi/TSr payloads of a successful IKE_AUTH -- so the responder is most likely returning a failure notify; the exact notify should be visible in the attached "journalctl -u ipsec" log. One plausible cause (not yet confirmed) is an identity/PSK-selection mismatch: Host1 presents its pre-NAT address 192.168.1.1 as its IKE identity while Host2's tunnel is configured with remote_ip=10.1.1.1. Note that psk=test123 is a throwaway test key only; also note that `ovs-vsctl show` prints the PSK in clear text, so bug reports from real deployments should redact it.

Host1:

[root@dell-per730-04 ~]# ovs-vsctl show
f8e547b4-6001-41f3-8458-d4b8aabbb01a
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.1.1", psk=test123, remote_ip="10.1.1.2"}
    Bridge br-nat
        Port eno1np0
            Interface eno1np0
        Port br-nat
            Interface br-nat
                type: internal
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ip add show ovsbr0
13: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:08:82:54:ec:43 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::1008:82ff:fe54:ec43/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# ip add show br-nat
12: br-nat: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global br-nat
       valid_lft forever preferred_lft forever
    inet6 fe80::215:4dff:fe12:2dac/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# ovs-ofctl dump-flows ovsbr0
 cookie=0x0, duration=6975.392s, table=0, n_packets=282, n_bytes=16152, priority=0 actions=NORMAL
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# ovs-ofctl dump-flows br-nat
 cookie=0x0, duration=7046.132s, table=0, n_packets=70, n_bytes=14788, ip,nw_src=192.168.1.1 actions=ct(commit,zone=100,nat(src=10.1.1.1)),output:eno1np0
 cookie=0x0, duration=7046.122s, table=0, n_packets=89, n_bytes=3738, arp,arp_spa=192.168.1.1 actions=load:0xa010101->NXM_OF_ARP_SPA[],output:eno1np0
 cookie=0x0, duration=7046.127s, table=0, n_packets=379, n_bytes=178646, ip,nw_dst=10.1.1.1 actions=ct(zone=100,nat),LOCAL
 cookie=0x0, duration=7046.117s, table=0, n_packets=80, n_bytes=4800, arp,arp_tpa=10.1.1.1 actions=load:0xc0a80101->NXM_OF_ARP_TPA[],LOCAL
[root@dell-per730-04 ~]# 
[root@dell-per730-04 ~]# 


Host2:

[root@dell-per730-05 ~]# ovs-vsctl show
3ed3c0de-7ab0-4074-b74e-c170bd22313c
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="10.1.1.2", psk=test123, remote_ip="10.1.1.1"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "2.13.2"
[root@dell-per730-05 ~]# 
[root@dell-per730-05 ~]# ip add show ovsbr0
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 2a:fe:fc:bb:f1:4e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::28fe:fcff:febb:f14e/64 scope link 
       valid_lft forever preferred_lft forever
[root@dell-per730-05 ~]# ip add show enp4s0f0
7: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:fd:fe:bb:1b:6c brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.2/24 scope global enp4s0f0
       valid_lft forever preferred_lft forever
[root@dell-per730-05 ~]# 
[root@dell-per730-05 ~]# ovs-ofctl dump-flows ovsbr0
 cookie=0x0, duration=7046.995s, table=0, n_packets=76, n_bytes=6704, priority=0 actions=NORMAL
[root@dell-per730-05 ~]# 



Version-Release number of selected component (if applicable):

[root@dell-per730-04 ~]# uname -r
4.18.0-291.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
openvswitch2.13-test-2.13.0-79.5.el8fdp.noarch
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-openvswitch2.13-2.13.0-79.5.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.5.el8fdp.x86_64
openvswitch2.13-2.13.0-79.5.el8fdp.x86_64
[root@dell-per730-04 ~]#

Comment 1 qding 2021-03-05 08:55:00 UTC
Created attachment 1760842 [details]
log for "journalctl -u ipsec"

Please see the attached "journalctl -u ipsec" log (Libreswan output from Host1) for the IKE negotiation details.

Comment 2 qding 2021-03-05 09:05:23 UTC
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:00:37.861975 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 530: (tos 0x0, ttl 64, id 51250, offset 0, flags [DF], proto UDP (17), length 516)
    10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=92
        (p: #1 protoid=isakmp transform=10 len=92
            (t: #1 type=encr id=#20 (type=keylen value=0100))
            (t: #2 type=prf id=#5 )
            (t: #3 type=dh id=modp2048 )
            (t: #4 type=dh id=modp3072 )
            (t: #5 type=dh id=modp4096 )
            (t: #6 type=dh id=modp8192 )
            (t: #7 type=dh id=#19 )
            (t: #8 type=dh id=#20 )
            (t: #9 type=dh id=#21 )
            (t: #10 type=dh id=#31 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(4f513f1642b8953c07bb...fedac6335f91031578c9758aa9b6019de764effa))
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.863832 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 474: (tos 0x0, ttl 64, id 23069, offset 0, flags [DF], proto UDP (17), length 460)
    10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    (sa: len=36
        (p: #1 protoid=isakmp transform=3 len=36
            (t: #1 type=encr id=#20 (type=keylen value=0100))
            (t: #2 type=prf id=#5 )
            (t: #3 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(566881890770f9b6f6d5...d1c930729ba38f146064c0dc4ee5db735b9f72dd))
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.865072 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 51253, offset 0, flags [DF], proto UDP (17), length 233)
    10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]:
    (v2e: len=169)
09:00:37.866209 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 64, id 23071, offset 0, flags [DF], proto UDP (17), length 97)
    10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]:
    (v2e: len=33)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#

