Hi Jesse,

I was trying to see if the performance degradation that is observed with GRE+IPSec, as mentioned in this mail thread
http://www.mail-archive.com/[email protected]/msg00915.html
can be overcome by trying a CAPWAP tunnel instead. Is there any fix for the GRE+IPSec performance degradation yet? I observed the degradation in the openvswitch-1.1.0 released code also.

By the way, I should mention that I was able to make GRE+IPSec work by manually setting up SA/SP as follows:

    # SA
    add HostA HostB esp 0x201 -E 3des-cbc <key>;
    add HostB HostA esp 0x201 -E 3des-cbc <key>;

    # SP
    spdadd HostA/32 HostB/32 gre -P out ipsec esp/transport//require;
    spdadd HostB/32 HostA/32 gre -P in ipsec esp/transport//require;

and the reverse on the other host. This is what made me think the same can work with CAPWAP.

Thanks for the info,
-Rajesh.

On Thu, May 5, 2011 at 9:40 PM, Jesse Gross <[email protected]> wrote:
> On Thu, May 5, 2011 at 7:39 AM, Rajesh Kumar G <[email protected]> wrote:
> > Hi,
> >
> > Greetings,
> >
> > I would like to know if it is possible to protect an OVS CAPWAP tunnel using
> > IPSec? If Yes, what should be the SA, SP created to make the traffic hit
> > that?
>
> When Open vSwitch sets up IPsec tunnels itself it changes the behavior
> of the tunneling code to make it compatible with IPsec. However, this
> does not happen if you configure IPsec manually yourself. Is there a
> reason that you are using CAPWAP instead of GRE? We have not found
> any uses yet for CAPWAP over IPsec, which is why it is not
> implemented. GRE is more standard and should work fine with the OVS
> IPsec support.
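The manual SA/SP setup described in the message, written out as setkey files for both hosts, including the mirrored policies for the other side (an added example, not part of the original post or of Open vSwitch). The addresses are constructed documentation addresses, the keys are placeholders, and the use of rijndael-cbc with an hmac-sha256 integrity key per SA is an assumption swapped in for the posted 3des-cbc, which had no -A option.

```conf
# ---- hostA.conf (load on HostA with: setkey -f hostA.conf) ----
# Constructed addresses: HostA = 192.0.2.1, HostB = 192.0.2.2
flush;       # clear existing SAs
spdflush;    # clear existing policies

# SAs: one per direction, identical on both hosts.
# -E is the ESP cipher, -A the ESP integrity algorithm.
# Keys are placeholders; use a distinct random key for each.
add 192.0.2.1 192.0.2.2 esp 0x201
    -E rijndael-cbc 0x<ENC_KEY_A_TO_B_32_HEX_DIGITS>
    -A hmac-sha256  0x<AUTH_KEY_A_TO_B_64_HEX_DIGITS>;
add 192.0.2.2 192.0.2.1 esp 0x201
    -E rijndael-cbc 0x<ENC_KEY_B_TO_A_32_HEX_DIGITS>
    -A hmac-sha256  0x<AUTH_KEY_B_TO_A_64_HEX_DIGITS>;

# SPs on HostA: GRE leaving for HostB is "out", GRE arriving is "in".
spdadd 192.0.2.1/32 192.0.2.2/32 gre -P out ipsec esp/transport//require;
spdadd 192.0.2.2/32 192.0.2.1/32 gre -P in  ipsec esp/transport//require;

# ---- hostB.conf (load on HostB with: setkey -f hostB.conf) ----
flush;
spdflush;

# Same two SAs, with the same SPIs and keys as on HostA.
add 192.0.2.1 192.0.2.2 esp 0x201
    -E rijndael-cbc 0x<ENC_KEY_A_TO_B_32_HEX_DIGITS>
    -A hmac-sha256  0x<AUTH_KEY_A_TO_B_64_HEX_DIGITS>;
add 192.0.2.2 192.0.2.1 esp 0x201
    -E rijndael-cbc 0x<ENC_KEY_B_TO_A_32_HEX_DIGITS>
    -A hmac-sha256  0x<AUTH_KEY_B_TO_A_64_HEX_DIGITS>;

# SPs on HostB: the same selectors with the directions swapped.
spdadd 192.0.2.2/32 192.0.2.1/32 gre -P out ipsec esp/transport//require;
spdadd 192.0.2.1/32 192.0.2.2/32 gre -P in  ipsec esp/transport//require;
```

After loading, `setkey -D` lists the installed SAs and `setkey -DP` the policies, which is a quick way to confirm that both hosts hold matching entries.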
