Hello, I've recently been having a problem using the StrongSwan IPSec implementation with OVS. Here's my setup:
    IPSec client
        |
        V
    OVS bridge with normal flow only, priority 1.
        |
        V
    Host networking stack with StrongSwan IPSec

IPSec is set up with 10.2.0.0/24 inner IPs, and the encrypted packets are transferred through 192.168.2.0/24.

I can set up and do the key exchange process of IPSec without a problem. If I tcpdump on the OVS bridge, I see both kinds of traffic: the encapsulated and the decapsulated one. Here's the output:

    13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x4), length 120
    13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x5), length 120
    13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 57379+ A? dns1.org.com. (41)
    13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 34411+ AAAA? dns1.org.com. (41)

So I see the encapsulated packet first (encrypted with ESP), then I see the decapsulated one with 10.2.0.1.

Then I apply the following rule on the bridge:

    priority=25,ip,nw_src=10.2.0.0/24 actions=drop

which seems to match the 10.2.0.0 traffic that I see hitting the bridge in the tcpdump output. Unfortunately, the rule is never matched, as the counters (n_packets, n_bytes) never go up.

Please correct me if I'm wrong, but I was thinking that if it is hitting the bridge (as can be seen in the tcpdump output), I should be able to filter the traffic on the bridge? (For info, I have DHCP and ARP traffic hitting the bridge from the host, and I can catch them without a problem.)

Thanks in advance for your help.
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
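The post's method for telling whether a flow is matching is to watch the n_packets and n_bytes counters in ovs-ofctl dump-flows. As an added example (not part of the original post and not Open vSwitch's own code), here is a small Python helper that takes two dump-flows snapshots, strips the volatile statistics fields (cookie, duration, n_packets, n_bytes, idle_age, hard_age) so that rules can be keyed by their match and actions, and reports which rules saw no packets between the two snapshots. The two snapshots below are constructed to mirror the two rules in the post (the priority=25 drop and the priority=1 NORMAL flow); the bridge name br0 in the usage comment is an assumption.

```python
import re

# Statistics fields that change between snapshots and must not be part of a flow's identity.
STAT_FIELDS = ("cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age")
_STAT_RE = re.compile(r"\b(?:%s)=[^,\s]+,?\s*" % "|".join(STAT_FIELDS))
_COUNT_RE = re.compile(r"n_packets=(\d+), n_bytes=(\d+)")

# Constructed sample output, in the format printed by `ovs-ofctl dump-flows br0`
# (bridge name assumed). Only the counters of the NORMAL rule move between snapshots.
SAMPLE_BEFORE = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=300.123s, table=0, n_packets=0, n_bytes=0, idle_age=300, priority=25,ip,nw_src=10.2.0.0/24 actions=drop
 cookie=0x0, duration=900.456s, table=0, n_packets=1200, n_bytes=96000, idle_age=0, priority=1 actions=NORMAL
"""

SAMPLE_AFTER = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=310.123s, table=0, n_packets=0, n_bytes=0, idle_age=310, priority=25,ip,nw_src=10.2.0.0/24 actions=drop
 cookie=0x0, duration=910.456s, table=0, n_packets=1240, n_bytes=99200, idle_age=0, priority=1 actions=NORMAL
"""


def parse_flows(dump):
    """Map each flow (table + match + actions, stats removed) to its (n_packets, n_bytes)."""
    flows = {}
    for line in dump.splitlines():
        line = line.strip()
        # Skip the reply header and blank lines; only lines carrying counters are flows.
        if not line or line.startswith(("NXST_FLOW", "OFPST_FLOW")):
            continue
        counts = _COUNT_RE.search(line)
        if not counts:
            continue
        key = _STAT_RE.sub("", line).strip()
        flows[key] = (int(counts.group(1)), int(counts.group(2)))
    return flows


def counter_deltas(before, after):
    """Per-flow (packet delta, byte delta); a flow absent from `before` counts from zero."""
    deltas = {}
    for key, (pk_after, by_after) in after.items():
        pk_before, by_before = before.get(key, (0, 0))
        deltas[key] = (pk_after - pk_before, by_after - by_before)
    return deltas


def idle_flows(before, after):
    """Flows whose packet counter did not move between the snapshots, i.e. rules that never matched."""
    return sorted(key for key, (dpk, _) in counter_deltas(before, after).items() if dpk == 0)


def report(before_text, after_text):
    """Human-readable summary of which rules matched traffic and which did not."""
    before, after = parse_flows(before_text), parse_flows(after_text)
    lines = []
    for key, (dpk, dby) in sorted(counter_deltas(before, after).items()):
        status = "NO MATCHES" if dpk == 0 else "+%d pkts, +%d bytes" % (dpk, dby)
        lines.append("%-60s %s" % (key, status))
    return lines


if __name__ == "__main__":
    # Real usage: capture `ovs-ofctl dump-flows br0` twice, a few seconds apart,
    # and pass the two outputs in place of the constructed samples.
    for line in report(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(line)
```

The key point of the comparison is that a rule whose counters stay flat across two snapshots, while traffic that appears to match it is visible in tcpdump, is not being evaluated by the OVS datapath for those packets; the script only makes that gap explicit, it does not explain where the packets are being handled instead.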