openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

ovs use self-signed certificate to set up IPsec tunnel #245

Closed bettswang closed 2 years ago

bettswang commented 2 years ago

I have two servers, they are all the same (both are Ubuntu 20.04). I build and install OVS. Then I use a self-signed certificate to set up an IPsec tunnel, so the tunnel has been set up. But the servers could not ping each other through the tunnel. I don't find any error message in /var/log/openvswitch/ovs-monitor-ipsec.log. When I capture between host1 and host2, I can see auth packets. Any suggestion about this issue?

root@ubuntu20-04-1:/var/log/openvswitch# cat ovs-monitor-ipsec.log
2022-02-22T06:35:57.18.Z |  3  | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connecting...
2022-02-22T06:35:57.20.Z |  6  | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connected
2022-02-22T06:45:43.587Z |  14 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
2022-02-22T06:45:50.472Z |  16 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
2022-02-22T06:45:50.493Z |  18 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration

root@ubuntu20-04-2:/etc/keys# cat /var/log/openvswitch/ovs-monitor-ipsec.log
2022-02-22T06:37:51.623Z |  0  | ovs-monitor-ipsec | INFO | Restarting IKE daemon
2022-02-22T06:37:51.624Z |  1  | ovs-monitor-ipsec | INFO | Restarting StrongSwan
2022-02-22T06:37:53.769Z |  3  | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connecting...
2022-02-22T06:37:53.771Z |  6  | reconnect | INFO | unix:/var/run/openvswitch/db.sock: connected
2022-02-22T06:46:02.161Z |  15 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
2022-02-22T06:46:07.290Z |  17 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
2022-02-22T06:46:07.307Z |  19 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration

root@ubuntu20-04-1:/var/log/openvswitch# ovs-vsctl show
a30dab02-1204-4767-8dae-1b36e3c79674
    Bridge br-ipsec
        Port br-ipsec
            Interface br-ipsec
                type: internal
        Port tun
            Interface tun
                type: gre
                options: {remote_cert="/etc/keys/host_2-cert.pem", remote_ip="192.168.121.108"}
    ovs_version: "2.16.1"

root@ubuntu20-04-2:/etc/keys# ovs-vsctl show
eab263f2-78c1-4874-9493-2fe79355380e
    Bridge br-ipsec
        Port br-ipsec
            Interface br-ipsec
                type: internal
        Port tun
            Interface tun
                type: gre
                options: {remote_cert="/etc/keys/host_1-cert.pem", remote_ip="192.168.121.101"}
    ovs_version: "2.16.1"

root@ubuntu20-04-1:/var/log/openvswitch# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: tun v1 (CONFIGURED)
  Tunnel Type:    gre
  Local IP:       %defaultroute
  Remote IP:      192.168.121.108
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /etc/keys/host_1-cert.pem
  Local name:     host_1
  Local key:      /etc/keys/host_1-privkey.pem
  Remote cert:    /etc/keys/host_2-cert.pem
  Remote name:    host_2
  CA cert:        None
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
Kernel security associations installed:
IPsec connections that are active:
  tun-1{1}:   192.168.121.101/32[gre] === 192.168.121.108/32[gre]

root@ubuntu20-04-2:/etc/keys# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: tun v1 (CONFIGURED)
  Tunnel Type:    gre
  Local IP:       %defaultroute
  Remote IP:      192.168.121.101
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /etc/keys/host_2-cert.pem
  Local name:     host_2
  Local key:      /etc/keys/host_2-privkey.pem
  Remote cert:    /etc/keys/host_1-cert.pem
  Remote name:    host_1
  CA cert:        None
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.121.108/32 dst 192.168.121.101/32 proto gre
  src 192.168.121.108/32 dst 192.168.121.101/32 proto gre
Kernel security associations installed:
  sel src 192.168.121.108/32 dst 192.168.121.101/32 proto gre key 0 dev ens33
IPsec connections that are active:
  tun-1{1}:   192.168.121.108/32[gre] === 192.168.121.101/32[gre]

root@ubuntu20-04-2:/etc/keys# tcpdump -nn -i ens33 host 192.168.121.101 and host 192.168.121.108
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
07:27:28.661440 IP 192.168.121.101.500 > 192.168.121.108.500: isakmp: parent_sa ikev2_init[I]
07:27:28.665970 IP 192.168.121.108.500 > 192.168.121.101.500: isakmp: parent_sa ikev2_init[R]

bettswang commented 2 years ago

It's my mistake. I put the files cert.pem and privkey.pem in the wrong path, which the IKE daemon does not have access to. Change the path to /etc/ipsec.d/cert, /etc/ipsec.d/privkey and /etc/ipsec.d/reqs when you use strongSwan as the IKE daemon.
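The `tunnels/show` output above already contained the two clues that point at this cause: kernel policies were installed but no security association existed (IKE never completed), and the certificate paths sit outside the IKE daemon's directories. The following added example (not Open vSwitch code) parses that output format and reports both conditions; the `readable` callback is an assumption so the check can run against captured text without the real files.

```python
import os

# Constructed from the host_1 `tunnels/show` output quoted in this issue (trimmed).
HOST1_OUTPUT = """\
Interface name: tun v1 (CONFIGURED)
  Local cert:     /etc/keys/host_1-cert.pem
  Local name:     host_1
  Local key:      /etc/keys/host_1-privkey.pem
  Remote cert:    /etc/keys/host_2-cert.pem
  Remote name:    host_2
  CA cert:        None
Kernel policies installed:
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
Kernel security associations installed:
IPsec connections that are active:
  tun-1{1}:   192.168.121.101/32[gre] === 192.168.121.108/32[gre]
"""


def parse_tunnels_show(text):
    """Split tunnels/show output into key/value fields plus the three list sections."""
    info = {"fields": {}, "policies": [], "security": [], "connections": []}
    section = "fields"
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line.split()[1]  # "policies", "security" (SAs), "connections"
        elif section == "fields":
            key, _, value = line.strip().partition(":")
            info["fields"][key.strip()] = value.strip()
        else:
            info[section].append(line.strip())
    return info


def diagnose(text, readable=os.access):
    """Return (code, detail) findings; readable(path, mode) is injectable for offline runs."""
    info = parse_tunnels_show(text)
    fields = info["fields"]
    findings = []
    # Policies without SAs: the kernel drops GRE until IKE finishes (the issue's symptom).
    if info["policies"] and not info["security"]:
        findings.append(("no-sa", "policies installed but no SA; IKE did not complete"))
    # The IKE daemon, not ovs-monitor-ipsec, must be able to open these files.
    for key in ("Local cert", "Local key", "Remote cert"):
        path = fields.get(key, "None")
        if path != "None" and not readable(path, os.R_OK):
            findings.append(("unreadable", f"{key}: {path}"))
    return findings
```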