Thanks for the pointer!

As a quick experiment, I just manually did:

    iptables -t mangle -A PREROUTING -p gre -j MARK --set-mark 1

and that fixed it. ipsec_gre packets are flowing again.

Ansis, (or others) is this the recommended way to get ipsec_gre working, or was the intention that the marks would be unique per tunnel, or something else? I would have thought the ovs-monitor-ipsec script would take care of setting this up if it was that simple, so I'm guessing there's more here than just that.

Can I safely assume the mark is always going to be 1? Is there a new option when establishing the gre link to set the mark for the tunnel so I can make my config deterministic, or is that implicitly handled by setting up flow tables maybe?

Any documentation on the details of how this is intended to work would be greatly appreciated.

Thanks!
Daniel

On Mon, Dec 30, 2013 at 2:46 PM, Jesse Gross <[email protected]> wrote:

> On Fri, Dec 27, 2013 at 5:50 PM, Daniel Hiltgen <[email protected]> wrote:
> > I'm on ubuntu, and had ipsec gre tunnels working with ovs version 1.4, but
> > recently upgraded to 1.10, and now my ipsec tunnels aren't working. Regular
> > gre tunnels work fine. (I also tried ovs 2.0.1 built from source but I see
> > the same behavior.)
> >
> > The racoon logs imply the ipsec connection is working properly.
> >
> > In the ovs-vswitchd.log file I see errors like the following:
> >
> > 2013-12-27T21:41:26.907Z|00001|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
> > 2013-12-27T21:41:26.907Z|00002|ofproto_dpif_upcall(miss_handler)|INFO|received packet on unassociated datapath port 2
>
> Ansis, this requires iptables to set the mark, right? Do the scripts
> set that up automatically?
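
Added example, not part of the original messages and not code from the Open vSwitch project: a small triage script that groups the "receive tunnel port not found" warnings quoted above by source, destination and packet mark, so unmarked tunnel traffic is easy to spot in ovs-vswitchd.log. The function names are hypothetical, and the sample input is constructed apart from the two lines taken from the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the log line format is the
# one quoted in the thread.

# Print "<count> <src> <dst> mark=<n>" for each distinct tunnel/mark pair seen
# in "receive tunnel port not found" warnings. Reads the files given as
# arguments, or stdin when none are given.
summarize_tunnel_misses() {
    sed -n 's/^.*|WARN|receive tunnel port not found (\([0-9.]*\)->\([0-9.]*\), key=[^,]*, dp port=[0-9]*, pkt mark=\([0-9]*\)).*$/\1 \2 mark=\3/p' "$@" |
        sort | uniq -c | awk '{ print $1, $2, $3, $4 }'
}

# Total number of those warnings where the packet arrived with mark 0.
count_unmarked() {
    summarize_tunnel_misses "$@" |
        awk '$4 == "mark=0" { n += $1 } END { print n + 0 }'
}

# Sample input: lines 1-2 are from the thread, lines 3-4 are constructed.
sample_log() {
    cat <<'EOF'
2013-12-27T21:41:26.907Z|00001|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
2013-12-27T21:41:26.907Z|00002|ofproto_dpif_upcall(miss_handler)|INFO|received packet on unassociated datapath port 2
2013-12-27T21:41:27.911Z|00003|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
2013-12-27T21:41:28.102Z|00004|tunnel(miss_handler)|WARN|receive tunnel port not found (192.0.2.7->10.4.10.32, key=0, dp port=2, pkt mark=1)
EOF
}

# Demo run on the embedded sample; pass a real log path to the functions instead.
sample_log | summarize_tunnel_misses
```

Against a live host, `summarize_tunnel_misses /path/to/ovs-vswitchd.log` (path is a placeholder) gives the same per-tunnel breakdown.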
