Thanks Ansis for the reply.

1. Yes, I have cross-checked and found that the pids are in the same ovs run directory, and after that I am still facing the same issue.

2. Also, in the ovs-dpctl show command there is no gre_system interface.

3. I do not have the two rules that you have mentioned as a bug in ovs-1.10 and newer releases.

Also, Ansis, could it be an issue that I have built openvswitch from the source code and installed openvswitch-ipsec from the debian package, as Gurucharan was pointing out?

Can you please provide some configuration guide or steps about how to implement gre over ipsec in openvswitch, as I haven't found anything helpful regarding this on the internet?

Thanks....
Sonia

On Fri, Feb 14, 2014 at 12:56 AM, Ansis Atteka <[email protected]> wrote:

> 1. Previously you said that you saw following error messages:
>
> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
> ovs-monitor-ipsec daemon
> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network device
> gre0 (Invalid argument)
>
> If pid files are in the same OVS run directory then you should not see
> them any more. Is this the case?
>
> 2. ipsec_gre tunnel not showing up in ovs-dpctl output is an expected
> change, I believe, it was introduced in 1.10 as part of flow based
> tunneling. However you should still see gre_system port that is shared with
> ipsec_gre ports.
>
> 3. Also there was an IPsec bug in 1.10 (and in newer releases) that we
> fixed recently. The problem was that two iptables rules were missing. Can
> you verify if you have them?
>
> iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1
> iptables -A INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
>
> 4. If all of above is configured correctly, then can you verify, if you
> see IPsec configuration in the kernel? Do "ip xfrm policy" and "ip xfrm
> state" commands and search for the peer's IP address. If it does not have a
> trace of peer's IP address, then please make sure that you have valid
> configuration in OVSDB (take a look at ovs-vswitchd.conf.db man page).
>
> 5. Also, if this is the first time you are trying to set up OVS+IPsec,
> then I would recommend to start with PSKs and only then with PKI. Starting
> with PSKs will rule out any certificate issues. Later you can do the switch
> to PKI, if deemed so.
>
> Ansis
>
> ------------------------------
> *From: *"sonia verma" <[email protected]>
> *To: *"Ansis Atteka" <[email protected]>
> *Cc: *[email protected]
> *Sent: *Thursday, February 13, 2014 10:49:48 AM
> *Subject: *Re: [ovs-discuss] GRE over IPsec
>
> Sorry Ansis for the late reply.
>
> As you said I checked and found that the ovs-monitor-ipsec.pid file is in
> the same ovs run directory just like all other pid files.
>
> But the error still persists and the interface is still not getting shown
> at the kernel level.
>
> Please help me regarding this.
>
> Thanks
>
>
> On Thu, Feb 13, 2014 at 1:03 AM, Ansis Atteka <[email protected]> wrote:
>
>> ovs-monitor-ipsec package depends on racoon package. Once both of them
>> are installed, ovs-monitor-ipsec will automatically provision racoon with
>> necessary configuration through /etc/ipsec.conf file.
>>
>> ------------------------------
>> *From: *"sonia verma" <[email protected]>
>> *To: *"Ansis Atteka" <[email protected]>
>> *Cc: *[email protected]
>> *Sent: *Wednesday, February 12, 2014 11:27:23 AM
>> *Subject: *Re: [ovs-discuss] GRE over IPsec
>>
>>
>> Thanks Gurucharan and Ansis for the quick reply.
>>
>> Yes, I did install the IPsec daemon from the debian package for my
>> system but I installed the ovs-vswitchd
>> daemon from the source code for my system.
>>
>> Does this mean that either I have to install the openvswitch and its
>> ipsec daemon from debian package or from their respective source codes?
>>
>> Also, I will make sure that the ovs-monitor-ipsec pid file is in the ovs
>> run dir.
>>
>> One more thing I want to clarify: does the openvswitch ipsec
>> package take care of the ipsec functionality in openvswitch
>> automatically or do I have to make some configuration for this in the
>> racoon daemon?
>>
>> Please help me regarding this. I will let you know whether this worked or
>> not.
>>
>> Thanks
>>
>>
>> On Wed, Feb 12, 2014 at 10:42 PM, Ansis Atteka <[email protected]> wrote:
>>
>>>
>>> ----- Original Message -----
>>> From: "sonia verma"
>>> To: [email protected]
>>> Sent: Wednesday, February 12, 2014 3:28:04 AM
>>> Subject: [ovs-discuss] GRE over IPsec
>>>
>>> Hi All,
>>>
>>> I have been able to implement GRE tunneling on OpenvSwitch and now I
>>> want to implement GRE over IPsec on OpenvSwitch.
>>> For this, I have installed the OpenvSwitch-IPsec package on my system
>>> and I'm running the ovs-monitor-ipsec daemon.
>>>
>>> But when I'm using the following command:
>>> ovs-vsctl add-port br0 gre0 -- set interface gre0 type=ipsec_gre
>>> options:remote_ip=10.10.10.2 .
>>> The ipsec_gre interface is not getting shown at the kernel level.
>>> I checked it using the following command:
>>> ovs-dpctl show br0
>>>
>>> When I see the OpenvSwitch logs, it is giving following error:
>>>
>>> 2014-02-12T11:04:38Z|00010|netdev_vport|ERR|gre0: IPsec requires the
>>> ovs-monitor-ipsec daemon
>>> 2014-02-12T11:04:38Z|00011|bridge|WARN|could not configure network
>>> device gre0 (Invalid argument)
>>>
>>> [Ansis]: Make sure that ovs-monitor-ipsec.pid file is in the ovs run
>>> directory (just like all other ovs pid files).
>>>
>>> I haven't been able to figure why this error is coming, as the daemon is
>>> running in the background.
>>> Also I didn't find any relevant document related to GRE over
>>> IPsec which will show how the openvswitch-ipsec daemon will communicate
>>> with racoon in order to implement ipsec functionality on OpenvSwitch with
>>> the configuration required in order to implement this.
>>>
>>> How should I configure racoon to implement IPsec functionality?
>>> Do I need to do some more configuration regarding ipsec on openvswitch?
>>>
>>> Please help me regarding this issue. Any help would be appreciated.
>>>
>>> Thanks

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
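
The checks Ansis lists in the thread (daemon pid files in one run directory, the two mangle MARK rules, the peer's address in `ip xfrm policy` and `ip xfrm state`) written as a shell script. This is an added example, not code from the thread or from Open vSwitch; the two run directory paths, the function names and the `iptables -S` line format it matches are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of Open vSwitch. Run as root: sh check.sh PEER_IP
# Assumed run dirs: Debian package default, then source-build (/usr/local) default.
RUNDIRS="/var/run/openvswitch /usr/local/var/run/openvswitch"

# pid_alive FILE: true if FILE holds the pid of a running process.
pid_alive() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# rundir_of DAEMON DIR...: print the first DIR that holds a live DAEMON.pid.
rundir_of() {
    daemon=$1; shift
    for d in "$@"; do
        if pid_alive "$d/$daemon.pid"; then echo "$d"; return 0; fi
    done
    return 1
}

# missing_mark_rules: reads `iptables -t mangle -S INPUT` output on stdin and
# prints "esp" and/or "udp4500" for each of the two MARK rules that is absent.
# Accepts both --set-mark 1/1 and the --set-xmark 0x1/0x1 form iptables may list.
missing_mark_rules() {
    rules=$(cat)
    mark='-j MARK --set-x?mark (0x)?1/(0x)?1( |$)'
    printf '%s\n' "$rules" | grep -Eq -- "-p esp .*$mark" || echo esp
    printf '%s\n' "$rules" | grep -Eq -- "-p udp .*--dport 4500 .*$mark" || echo udp4500
}

# peer_in_xfrm PEER: reads `ip xfrm policy` or `ip xfrm state` output on stdin;
# true only for a whole-address match (10.10.10.2 does not match 10.10.10.20).
peer_in_xfrm() {
    grep -qFw -- "$1"
}

main() {
    peer=$1
    vs=$(rundir_of ovs-vswitchd $RUNDIRS) || vs=none
    mon=$(rundir_of ovs-monitor-ipsec $RUNDIRS) || mon=none
    echo "ovs-vswitchd run dir: $vs, ovs-monitor-ipsec run dir: $mon"
    [ "$vs" = "$mon" ] || echo "WARN: the two daemons use different run dirs"
    for r in $(iptables -t mangle -S INPUT | missing_mark_rules); do
        echo "WARN: mangle INPUT MARK rule missing for $r"
    done
    ip xfrm policy | peer_in_xfrm "$peer" || echo "WARN: no xfrm policy for $peer"
    ip xfrm state | peer_in_xfrm "$peer" || echo "WARN: no xfrm state for $peer"
}

# With no argument the file only defines the functions.
[ $# -eq 0 ] || main "$@"
```

A run-directory mismatch is the case to look for when ovs-vswitchd is built from source and ovs-monitor-ipsec comes from a package, as in this thread.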
