On 05/04/2021 20:56, Flavio Leitner wrote:
> On Thu, Apr 01, 2021 at 07:48:19PM +0100, Mark Gray wrote:
>> On 01/04/2021 19:29, Ilya Maximets wrote:
>>> On 4/1/21 3:58 PM, Mark Gray wrote:
>>>> This series fixes IPv6 support for Libreswan and introduces
>>>> IPsec system tests for Libreswan.
>>>>
>>>> Mark Gray (5):
>>>>   ipsec: IPv6 default route support for Libreswan
>>>>   system-common-macros: clean up veth device on test failure
>>>>   ipsec: Allow custom file locations
>>>>   ipsec: Introduce IPsec system tests for Libreswan
>>>>   ipsec: Update ordering of imports
>>>>
>>>>  ipsec/ovs-monitor-ipsec.in     | 144 ++++++++++--
>>>>  tests/automake.mk              |   3 +-
>>>>  tests/system-common-macros.at  |   2 +-
>>>>  tests/system-ipsec.at          | 406 +++++++++++++++++++++++++++++++++
>>>>  tests/system-kmod-testsuite.at |   1 +
>>>>  5 files changed, 529 insertions(+), 27 deletions(-)
>>>>  create mode 100644 tests/system-ipsec.at
>>>>
>>>
>>> Thanks! Applied to master.
>>> First patch with the fix also backported down to 2.13.
>>>
>>> Best regards, Ilya Maximets.
>>>
>>
>> Thanks Ilya.
>>
>> Flavio was having some issues with the system test patch which appears
>> to have a flake. We have not received his Ack yet. I will follow-up with
>> a fix if it doesn't work for him or you can revert.
>
> It seems left side doesn't load the config fast enough, so the
> replied proposal is none, AES_GCM_C_256-NONE-NONE-DISABLE. Then

So this gets rejected? > the retransmission happens in 60 seconds by default, but the > script timeout is 30s. Obviously the timeout always wins failing > the test. > > I used the following patch to test that and then the tunnel > succeeds on the second attempt retransmitting in 10s. > > I got 0 failures in 100 tests. > > diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in > index 89a36fe17..132db4dce 100755 > --- a/ipsec/ovs-monitor-ipsec.in > +++ b/ipsec/ovs-monitor-ipsec.in > @@ -383,6 +383,7 @@ config setup > conn %%default > keyingtries=%%forever > type=transport > + retransmit-timeout=10 > auto=route > ike=aes_gcm256-sha2_256 > esp=aes_gcm256 > > Another thing I tried is to add a simple sleep between the adding > the ports: > --- a/tests/system-ipsec.at > +++ b/tests/system-ipsec.at > @@ -166,6 +166,7 @@ dnl Set up IPsec tunnel on 'left' host > OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve \ > options:remote_ip=10.1.1.2 options:psk=swordfish) > > +sleep 1 > dnl Set up IPsec tunnel on 'right' host > > OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=geneve \ > > I got 0 failures in 100 tests with the above patch. > > What would be a good way to tell if a tunnel port is ready? Perhaps > we could poll for status similar to what it is done at CHECK_ESP_TRAFFIC > to make sure both sides are ready. You are saying is that one side comes up quick and one does not so it misses the negotiation window causing the test to timeout while it waits for IKE to re-transmit. I am surprised that the "slow" side does not trigger negotiation when it comes up. Does it timeout on waiting for the connection to be active? i.e. https://github.com/openvswitch/ovs/blob/f8be30acf2eb60d567bb7386b98f5cb58ddb9119/tests/system-ipsec.at#L135 > > Thanks, > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
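Review bot: in the ipsec/ovs-monitor-ipsec.in hunk, `retransmit-timeout=10` is added under `conn %%default`, so it applies to every connection the monitor generates and not only to the system test that was flaking. If the aim is just to get the retry inside the 30s script timeout, keep the shorter value out of the default template (or make it configurable), and record in the commit message why 10 was chosen over the 60 second default mentioned in the mail.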
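Review bot: in the tests/system-ipsec.at hunk, the bare `sleep 1` between the 'left' and 'right' add-port steps is a fixed delay that narrows the race rather than removing it, so a slower or loaded machine can still hit the same failure. Replace it with a bounded poll for the left side being ready, along the lines of the CHECK_ESP_TRAFFIC polling the mail mentions, and add a `dnl` comment saying what condition the test is waiting on.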
