On Mon, Jun 8, 2015 at 7:57 PM, Harsh Jain <[email protected]> wrote: > Hi Ansis, > > I used "ip xfrm add policy" command to add policy.
> I have not used "ovs-monitor-ipsec".Can it be used to encryt based on GRE > key?. No, ovs-monitor-ipsec can't be used used to install IPsec policies that match on GRE key. > I tested with GRE key value only.I will test weather Port no, based > filtering is supported in OVS or not and revert. Pravin told me that he will look into this patch before applying. One small comment - if gre KEY is not set, shouldn't we set it to 0 instead of leaving unset before performing route lookup? > > > Regards > Harsh jain > > > Regards > Harsh Jain > > On Tue, Jun 9, 2015 at 2:07 AM, Ansis Atteka <[email protected]> wrote: >> On Mon, Jun 8, 2015 at 12:19 AM, Harsh Jain <[email protected]> wrote: >>> Hi, >>> >>> >>> While trying to encrypt(IPsec policy) packets based on GRE key >>> received in packets. kernel didn't encrypted the packets received from >>> OVS bridge. The packets forwarded to Desination unencrypted. >>> Kernel treats packet having different keys as same flow type. >> >> It seems that you are not using ovs-monitor-ipsec to install IPsec >> policies for you? >> >>> >>> >>> Kernel Version used : 3.18.14 >>> ovs-vswitchd (Open vSwitch) 2.0.1 >>> Compiled Apr 16 2014 14:19:17 >>> OpenFlow versions 0x1:0x1 >>> >>> Fix Applied : Find attached initial patch. >>> >>> Please confirm if it is bug?. >> >> I think this could be classified as bug for those use cases when one >> wants to install such fine grained IPsec policies based on GRE key. >> BTW I looked in ip-xfrm man page and it has more fields in SELECTOR. >> >> >>> >>> >>> Regards >>> Harsh Jain >>> >>> _______________________________________________ >>> discuss mailing list >>> [email protected] >>> http://openvswitch.org/mailman/listinfo/discuss >>> _______________________________________________ discuss mailing list [email protected] http://openvswitch.org/mailman/listinfo/discuss
