Hi!

At the previous Windows OVS meeting we discussed implementing IPsec in Windows for the GRE tunnel. I already spent some time on this and I made some progress.

The progress so far:

- Tried an ipsec_gre tunnel in Linux, but the config file generated for racoon is not 100% compatible with Windows IPsec (maybe I missed something here and it can be solved using another config on the Windows side). I will research more on this side as soon as I have a working ipsec_gre tunnel on Windows.
- I created a GRE tunnel with a custom config file for the racoon service on the Linux side and created a simple IPsec rule on Windows with PSK authentication. This way the key negotiation works without problems.

Implemented a WFP callout that filters traffic on FWPS_LAYER_INBOUND_IPPACKET_V4 and V4_DISCARD in order to get the decrypted packets and inject them back into OVS, similar to the VXLAN implementation. V4_DISCARD filtering is needed because Windows drops the GRE protocol packets. This way the INGRESS connection works and the guest OS replies to received ARPs.

The EGRESS connection is not working yet, but I'm trying to find a solution similar to INGRESS, letting Windows do the encryption part. This implies getting the GRE encapsulated packets and injecting them back into the Windows stack above the IP layer.

Now I'm trying to solve the EGRESS part and, if this works, I will try to adjust the Windows settings for the IPsec config to be fully compatible with the current config on Linux. The config management can be done by a Python script, similar to 'ovs-monitor-ipsec', that adds the required rules in Windows Firewall.

Regards,
Paul

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev