openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

How to use CA certificate to set up ovs ipsec tunnel? #247

Closed bettswang closed 1 year ago

bettswang commented 2 years ago

Two servers which are on the same LAN want to set up an IPsec tunnel by CA certificate. I typed the following commands in my lab. The tunnel has been set up as the output shows and everything seems good, but they don't ping each other through the tunnel. I don't see any error logs on the servers. Did I make any mistake? Please give me some suggestions.

on host1:

ovs-pki init --force
ovs-pki req -u host_1
ovs-pki sign host_1 switch
ovs-pki sign host_2 switch
scp host_2-cert.pem root@192.168.121.108:/etc/ipsec.d/certs/
mv host_1-cert.pem /etc/ipsec.d/certs/
mv host_1-privkey.pem /etc/ipsec.d/private/
cp /var/lib/openvswitch/pki/switchca/cacert.pem /etc/ipsec.d/cacerts/
scp /var/lib/openvswitch/pki/switchca/cacert.pem root@192.168.121.108:/etc/ipsec.d/cacerts/

ovs-vsctl set Open_vSwitch . \
other_config:certificate=/etc/ipsec.d/certs/host_1-cert.pem \
other_config:private_key=/etc/ipsec.d/private/host_1-privkey.pem \
other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem

ovs-vsctl add-port br-ipsec tun -- \
set interface tun type=gre \
options:remote_ip=192.168.121.108 \
options:remote_name=host_2

on host2:

ovs-pki req -u host_2
scp host_2-req.pem root@192.168.121.101:/root   # this command was run before ovs-pki sign on host1
mv host_2-privkey.pem /etc/ipsec.d/private/

ovs-vsctl set Open_vSwitch . \
other_config:certificate=/etc/ipsec.d/certs/host_2-cert.pem \
other_config:private_key=/etc/ipsec.d/private/host_2-privkey.pem \
other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem

ovs-vsctl add-port br-ipsec tun -- \
set interface tun type=gre \
options:remote_ip=$ip_1 \
options:remote_name=host_1

host1:

root@ubuntu2004:~# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: tun v1 (CONFIGURED)
  Tunnel Type:    gre
  Local IP:       %defaultroute
  Remote IP:      192.168.121.108
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /etc/ipsec.d/certs/host_1-cert.pem
  Local name:     host_1
  Local key:      /etc/ipsec.d/private/host_1-privkey.pem
  Remote cert:    None
  Remote name:    host_2
  CA cert:        /etc/ipsec.d/cacerts/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
Kernel security associations installed:
  sel src 192.168.121.101/32 dst 192.168.121.108/32 proto gre key 0 dev ens33
IPsec connections that are active:
  tun-1{1}:   192.168.121.101/32[gre] === 192.168.121.108/32[gre]

host2:

root@ubuntu20-04-2:~# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: tun v1 (CONFIGURED)
  Tunnel Type:    gre
  Local IP:       %defaultroute
  Remote IP:      192.168.121.101
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /etc/ipsec.d/certs/host_2-cert.pem
  Local name:     host_2
  Local key:      /etc/ipsec.d/private/host_2-privkey.pem
  Remote cert:    None
  Remote name:    host_1
  CA cert:        /etc/ipsec.d/cacerts/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.121.108/32 dst 192.168.121.101/32 proto gre
  src 192.168.121.108/32 dst 192.168.121.101/32 proto gre
Kernel security associations installed:
  sel src 192.168.121.108/32 dst 192.168.121.101/32 proto gre key 0 dev ens33
IPsec connections that are active:
  tun-1{1}:   192.168.121.108/32[gre] === 192.168.121.101/32[gre]
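Added example, not code from this thread or from Open vSwitch: a small Python script that parses the `tunnels/show` output pasted above for both hosts and cross-checks what each end says about the other. The field names are the ones `ovs-appctl -t ovs-monitor-ipsec tunnels/show` prints above; the script assumes (as in CA mode here) that the `remote_name` one side configures is the identity it expects in the peer's certificate, so it must equal the peer's local name, and that the peer's address must be the destination of the local SA and the source of the peer's SA.

```python
"""Cross-check both ends of an OVS IPsec tunnel from `tunnels/show` output.
Added example, not code from the ovs-issues thread or from Open vSwitch;
HOST1_SHOW is the host1 output pasted in the issue (shell prompt removed)."""
import re

HOST1_SHOW = """\
Interface name: tun v1 (CONFIGURED)
  Tunnel Type:    gre
  Local IP:       %defaultroute
  Remote IP:      192.168.121.108
  Address Family: IPv4
  SKB mark:       None
  Local cert:     /etc/ipsec.d/certs/host_1-cert.pem
  Local name:     host_1
  Local key:      /etc/ipsec.d/private/host_1-privkey.pem
  Remote cert:    None
  Remote name:    host_2
  CA cert:        /etc/ipsec.d/cacerts/cacert.pem
  PSK:            None
  Ofport:         1
  CFM state:      Disabled
Kernel policies installed:
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
  src 192.168.121.101/32 dst 192.168.121.108/32 proto gre
Kernel security associations installed:
  sel src 192.168.121.101/32 dst 192.168.121.108/32 proto gre key 0 dev ens33
IPsec connections that are active:
  tun-1{1}:   192.168.121.101/32[gre] === 192.168.121.108/32[gre]
"""

# The host2 output in the issue is the exact mirror of host1's (names and
# addresses swapped), so it is derived here rather than pasted a second time.
_SWAP = {"host_1": "host_2", "host_2": "host_1", "121.101": "121.108", "121.108": "121.101"}
HOST2_SHOW = re.sub("|".join(map(re.escape, _SWAP)), lambda m: _SWAP[m.group()], HOST1_SHOW)

_SECTIONS = {
    "Kernel policies installed:": "policies",
    "Kernel security associations installed:": "sas",
    "IPsec connections that are active:": "active",
}

def parse_tunnels_show(text):
    """Parse one tunnel's block: 'Key: value' fields plus the three list sections."""
    info = {"policies": [], "sas": [], "active": []}
    section = None
    for line in text.splitlines():
        if line.startswith("Interface name:"):
            info["Interface name"] = line.split(":", 1)[1].strip()
            section = "fields"
        elif line in _SECTIONS:
            section = _SECTIONS[line]
        elif line.startswith("  ") and section:
            item = line.strip()
            if section == "fields":
                key, _, value = item.partition(":")
                info[key.strip()] = value.strip()
            else:
                info[section].append(item)
    return info

def _sa_endpoints(sa_line):
    """Source and destination address of an 'sel src A/32 dst B/32 ...' line."""
    m = re.search(r"sel src (\S+)/\d+ dst (\S+)/\d+", sa_line)
    return (m.group(1), m.group(2)) if m else (None, None)

def cross_check(local, peer, label):
    """Asymmetries visible from `local`'s side given the peer's parsed output."""
    problems = []
    # In CA mode the peer is matched by certificate name, so our remote_name
    # must be exactly the name the peer's own certificate carries.
    if local.get("Remote name") != peer.get("Local name"):
        problems.append(f"{label}: remote_name {local.get('Remote name')!r} != peer's "
                        f"local name {peer.get('Local name')!r}")
    # Without a pinned remote cert or a CA cert the peer cannot be authenticated.
    if local.get("Remote cert") == "None" and local.get("CA cert") == "None":
        problems.append(f"{label}: neither remote_cert nor ca_cert configured")
    if not local["active"]:
        problems.append(f"{label}: no active IPsec connection")
    if not local["sas"]:
        problems.append(f"{label}: no kernel security association installed")
    else:
        _, dst = _sa_endpoints(local["sas"][0])
        if dst != local.get("Remote IP"):
            problems.append(f"{label}: SA destination {dst} != remote_ip {local.get('Remote IP')}")
    if peer["sas"] and _sa_endpoints(peer["sas"][0])[0] != local.get("Remote IP"):
        problems.append(f"{label}: remote_ip {local.get('Remote IP')} is not the "
                        f"source address of the peer's SA")
    return problems

def check_pair(text_a, text_b):
    """Run the cross-check in both directions; an empty list means both ends agree."""
    a, b = parse_tunnels_show(text_a), parse_tunnels_show(text_b)
    return cross_check(a, b, "host1") + cross_check(b, a, "host2")

if __name__ == "__main__":
    for line in check_pair(HOST1_SHOW, HOST2_SHOW) or ["both ends agree"]:
        print(line)
```

Run against the two outputs in the issue the script reports nothing: names, CA cert, remote addresses, policies, SAs and the active connection are all symmetric, which is what one expects to see before looking past the tunnel state itself (the IKE daemon's own log, and the bridge and interface configuration on each host) for why GRE traffic is not flowing.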

bettswang commented 2 years ago

Could anyone help? I tried to find any error log, but found nothing.