On Wed, Jun 1, 2022 at 11:39 AM Andreas Karis <[email protected]> wrote:
>
> Provide an option to enforce NAT-T UDP
> encapsulation (encapsulation=true or forceencaps=true depending on the
> chosen backend). This may be required in environments where firewalls
> drop ESP traffic but where NAT-T detection fails because packets are not
> subject to NAT.
>
> Signed-off-by: Andreas Karis <[email protected]>

Thanks for the patch. Can you also please add a NEWS entry for this option?

Numan

> ---
>  Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++
>  controller/encaps.c                   | 14 ++++++++++++++
>  tests/ovn-ipsec.at                    |  3 +++
>  3 files changed, 36 insertions(+)
>
> diff --git a/Documentation/tutorials/ovn-ipsec.rst 
> b/Documentation/tutorials/ovn-ipsec.rst
> index 305dd566d..0ae84f803 100644
> --- a/Documentation/tutorials/ovn-ipsec.rst
> +++ b/Documentation/tutorials/ovn-ipsec.rst
> @@ -93,6 +93,24 @@ database to false::
>         # systemctl enable firewalld
>         # firewall-cmd --permanent --add-service ipsec
>
> +Enabling OVN IPsec
> +------------------
> +
> +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP
> +encapsulation unconditionally and to bypass the normal NAT detection 
> mechanism.
> +For example, this may be required in environments where firewalls drop ESP
> +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise
> +are not subject to NAT.
> +In such scenarios, UDP encapsulation can be enforced with the following.
> +
> +For libreswan backends::
> +
> +    $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true
> +
> +For strongswan backends::
> +
> +    $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true
> +
>  Troubleshooting
>  ---------------
>
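Review bot: the new heading "Enabling OVN IPsec" does not describe this section, which is about forcing NAT-T UDP encapsulation rather than enabling IPsec, and it risks duplicating an existing heading in the same document; a title such as "Enforcing NAT-T UDP encapsulation" would match the content. Two smaller points in the same hunk: "can be enforced with the following." reads better as "can be enforced as follows:", and since the setting lives in `nb_global` it is worth stating that it applies to every IPsec tunnel in the deployment, not to a single chassis.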
> @@ -119,6 +137,7 @@ For example::
>     Remote name:    host_2
>     CA cert:        /path/to/cacert.pem
>     PSK:            None
> +   Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced
>     Ofport:         2          <--- Whether ovs-vswitchd has assigned Ofport
>                                     number to this Tunnel Port
>     CFM state:      Disabled     <--- Whether CFM declared this tunnel healthy
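Review bot: the sample output shows `Custom Options: {'encapsulation': 'yes'}` while the controller hunk writes the interface option as `ipsec_encapsulation` and the test asserts on `options:ipsec_encapsulation`; please either state in the text that ovs-monitor-ipsec reports custom options with the `ipsec_` prefix stripped, or show the key exactly as it is set, so a reader comparing this output with `ovs-vsctl get Interface` is not confused. The `<---- Whether NAT-T is enforced` annotation is also one dash longer than the `<---` markers on the surrounding lines.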
> diff --git a/controller/encaps.c b/controller/encaps.c
> index a06aa258c..068c8f3f8 100644
> --- a/controller/encaps.c
> +++ b/controller/encaps.c
> @@ -207,6 +207,20 @@ tunnel_add(struct tunnel_ctx *tc, const struct 
> sbrec_sb_global *sbg,
>      if (sbg->ipsec) {
>          set_local_ip = true;
>          smap_add(&options, "remote_name", new_chassis_id);
> +
> +        /* Force NAT-T traversal via configuration */
> +        /* Two ipsec backends are supported: libreswan and openswan */
> +        /* libreswan parameter: encapsulation ; openswan parameter: 
> forceencaps */
> +        bool encapsulation;
> +        bool forceencaps;
> +        encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", 
> false);
> +        forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", 
> false);
> +        if (encapsulation) {
> +            smap_add(&options, "ipsec_encapsulation", "yes");
> +        }
> +        if (forceencaps) {
> +            smap_add(&options, "ipsec_forceencaps", "yes");
> +        }
>      }
>
>      if (set_local_ip) {
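Review bot: the comment says "libreswan and openswan" and "openswan parameter: forceencaps", but the documentation hunk in this same patch names strongswan as the second backend; the comment should name the same backend as the docs. The two `bool` temporaries add nothing and can be folded away, e.g. `if (smap_get_bool(&sbg->options, "ipsec_encapsulation", false)) { smap_add(&options, "ipsec_encapsulation", "yes"); }` and likewise for `ipsec_forceencaps`, and the three consecutive single-line comments are better written as one block comment that also states the intended effect (forcing UDP encapsulation on the tunnel even when no NAT is detected).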
> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at
> index 4c600a9f2..10ef97878 100644
> --- a/tests/ovn-ipsec.at
> +++ b/tests/ovn-ipsec.at
> @@ -44,15 +44,18 @@ ovs-vsctl \
>
>  # Enable IPsec
>  ovn-nbctl set nb_global . ipsec=true
> +ovn-nbctl set nb_global . options:ipsec_encapsulation=true
>
>  check ovn-nbctl --wait=hv sync
>
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d 
> '"\n'], [0], [192.168.0.1])
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d 
> '"\n'], [0], [192.168.0.2])
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr 
> -d '\n'], [0], [hv1])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d 
> '"\n'], [0], [192.168.0.2])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d 
> '"\n'], [0], [192.168.0.1])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr 
> -d '\n'], [0], [hv2])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
>
>  AT_CLEANUP
>
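Review bot: the test only exercises `ipsec_encapsulation`; `ipsec_forceencaps` is added in the controller hunk but never set or checked here, so the strongswan path has no coverage. Please add a symmetric check for `options:ipsec_forceencaps`, and consider a negative assertion that the option is absent from the interface when it is not set in `nb_global`, so a regression that starts emitting the option unconditionally is caught.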
> --
> 2.35.3
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>