Sorry for the late response, there was something wrong with my mail and I missed all these mails. This seems to be a regression introduced in 1.10.

The iptables rule you have there will break all plain gre tunnels (while it would allow ipsec_gre). The correct iptables rules should look like:

iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark 1

I will send out a patch shortly that will install them automatically for you.

Thanks for the report!

Ansis

On Tue, Dec 31, 2013 at 1:26 PM, Daniel Hiltgen <[email protected]> wrote:
> Thanks for the pointer! As a quick experiment, I just manually did:
>
> iptables -t mangle -A PREROUTING -p gre -j MARK --set-mark 1
>
> and that fixed it. ipsec_gre packets are flowing again.
>
> Ansis, (or others) is this the recommended way to get ipsec_gre working, or
> was the intention that the marks would be unique per tunnel, or something
> else? I would have thought the ovs-monitor-ipsec script would take care of
> setting this up if it was that simple, so I'm guessing there's more here
> than just that. Can I safely assume the mark is always going to be 1? Is
> there a new option when establishing the gre link to set the mark for the
> tunnel so I can make my config deterministic, or is that implicitly handled
> by setting up flow tables maybe? Any documentation on the details of how
> this is intended to work would be greatly appreciated.
>
> Thanks!
> Daniel
>
> On Mon, Dec 30, 2013 at 2:46 PM, Jesse Gross <[email protected]> wrote:
>>
>> On Fri, Dec 27, 2013 at 5:50 PM, Daniel Hiltgen <[email protected]> wrote:
>> > I'm on ubuntu, and had ipsec gre tunnels working with ovs version 1.4, but
>> > recently upgraded to 1.10, and now my ipsec tunnels aren't working. Regular
>> > gre tunnels work fine. (I also tried ovs 2.0.1 built from source but I see
>> > the same behavior.)
>> >
>> > The racoon logs imply the ipsec connection is working properly.
>> >
>> > In the ovs-vswitchd.log file I see errors like the following:
>> >
>> > 2013-12-27T21:41:26.907Z|00001|tunnel(miss_handler)|WARN|receive tunnel port not found (192.168.122.192->10.4.10.32, key=0, dp port=2, pkt mark=0)
>> >
>> > 2013-12-27T21:41:26.907Z|00002|ofproto_dpif_upcall(miss_handler)|INFO|received packet on unassociated datapath port 2
>>
>> Ansis, this requires iptables to set the mark, right? Do the scripts
>> set that up automatically?
>
> _______________________________________________
> discuss mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/discuss
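As an added example (not code from the thread or from Open vSwitch), the POSIX sh script below installs the two PREROUTING mark rules Ansis gives idempotently, using iptables -C to check before appending, and audits an iptables-save dump for the "-p gre" variant Daniel tried, which also marks unencrypted GRE and so breaks plain gre tunnels. The IPTABLES and OVS_IPSEC_MARK variables, the function names and the sample iptables-save lines are assumptions constructed for this example; mark value 1 is the value used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: install the ESP / UDP 4500 mark rules
# idempotently and flag over-broad "-p gre" mark rules in an existing table.

IPTABLES=${IPTABLES:-iptables}      # assumption: overridable for testing
MARK=${OVS_IPSEC_MARK:-1}           # assumption: OVS expects pkt mark=1, as in the thread

# Append a mangle/PREROUTING MARK rule only if it is not already present.
# "$@" is the match specification, e.g. "-p esp". iptables -C returns non-zero
# (and prints an error, suppressed here) when the rule does not exist yet.
ensure_mark_rule() {
    if ! "$IPTABLES" -t mangle -C PREROUTING "$@" -j MARK --set-mark "$MARK" 2>/dev/null; then
        "$IPTABLES" -t mangle -A PREROUTING "$@" -j MARK --set-mark "$MARK"
    fi
}

# The two rules from Ansis's reply: ESP in plain mode, and UDP-encapsulated ESP
# (NAT traversal on port 4500). Plain GRE is deliberately left unmarked.
install_ipsec_mark_rules() {
    ensure_mark_rule -p esp
    ensure_mark_rule -p udp --dport 4500
}

# Audit: read iptables-save style lines on stdin and print every PREROUTING
# rule that marks on "-p gre". Such a rule marks unencrypted GRE as well, so
# OVS would treat plain gre tunnel traffic as ipsec_gre and break it.
find_overbroad_gre_marks() {
    grep -E -- '^-A PREROUTING .*-p gre .*-j MARK' || true
}

# Usage: "$0 install" to add the rules, "$0 audit" to check the live table.
case "${1:-}" in
    install) install_ipsec_mark_rules ;;
    audit)   iptables-save -t mangle | find_overbroad_gre_marks ;;
esac
```

Running "audit" on a host where the "-p gre" rule is still in place prints that rule; an empty result means no GRE-wide mark rule was found, which is the state the two ESP/4500 rules leave the table in.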
