From patchwork Fri Oct 23 18:39:21 2020
X-Patchwork-Submitter: Mark Gray
X-Patchwork-Id: 1386935
From: Mark Gray To: ovs-dev@openvswitch.org Date: Fri, 23 Oct 2020 14:39:21 -0400 Message-Id: <20201023183922.332767-2-mark.d.gray@redhat.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201023183922.332767-1-mark.d.gray@redhat.com> References: <20201023183922.332767-1-mark.d.gray@redhat.com> MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mark.d.gray@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Cc: eric@garver.life Subject: [ovs-dev] [PATCH v2 1/2] Documentation: update IPsec tutorial for F32 X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" F32 requires the "python3-openvswitch" package now. Also, the iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32. Signed-off-by: Mark Gray Acked-by: Eric Garver --- Documentation/tutorials/ipsec.rst | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst index b4c3235132bc..c7f3c43ca6dd 100644 --- a/Documentation/tutorials/ipsec.rst +++ b/Documentation/tutorials/ipsec.rst @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages --------------------------------- OVS IPsec has .deb and .rpm packages. You should use the right package -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27 +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32 as examples. Ubuntu 
@@ -71,21 +71,23 @@ Ubuntu Fedora ~~~~~~ -1. Follow :doc:`/intro/install/fedora` to build RPM packages. +1. Install the related packages. Fedora 32 does not require installation of + the out-of-tree kernel module:: -2. Install the related packages:: + $ dnf install python3-openvswitch libreswan \ + openvswitch openvswitch-ipsec + +2. Install firewall rules to allow ESP and IKE traffic:: - $ dnf install python2-openvswitch libreswan \ - "kernel-devel-uname-r == $(uname -r)" - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \ - openvswitch-openvswitch-ipsec-*.rpm + $ systemctl start firewalld + $ firewall-cmd --add-service ipsec -3. Install firewall rules to allow ESP and IKE traffic:: + Or to make permanent:: - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT + $ systemctl enable firewalld + $ firewall-cmd --permanent --add-service ipsec -4. Run the openvswitch-ipsec service:: +3. Run the openvswitch-ipsec service:: $ systemctl start openvswitch-ipsec.service @@ -97,7 +99,7 @@ Fedora Configuring IPsec tunnel ------------------------ -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s +Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure `host_1` and `host_2` can ping each other via these external IPs. @@ -123,8 +125,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure 2. Set up IPsec tunnel. - There are three authentication methods. You can choose one to set up your - IPsec tunnel. + There are three authentication methods. Choose one method to set up your + IPsec tunnel and follow the steps below. a) Using pre-shared key:
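Review bot: in the Fedora hunk (@@ -71,21 +71,23 @@), the "Or to make permanent" block is incomplete as written: `firewall-cmd --permanent --add-service ipsec` only writes the persistent configuration and does not open anything in the running firewall until `firewall-cmd --reload` or a service restart, while the runtime-only `firewall-cmd --add-service ipsec` in the first block is discarded at that reload. A reader who follows only the second block has IKE (UDP 500) and ESP blocked until the next reload. Suggest either stating that both commands must be run, or replacing the second block with `$ firewall-cmd --runtime-to-permanent` after the runtime rule. Two smaller points on the same hunk: both `--add-service` calls apply to the default zone, so a `--zone=<zone>` hint would help readers whose external interface sits in another zone; and dropping the old step 1 (build RPMs per :doc:`/intro/install/fedora`) in favour of a bare `dnf install ... openvswitch openvswitch-ipsec` means the text now silently assumes those packages are available from the configured repositories, which is worth one sentence.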
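Review bot: in the "Configuring IPsec tunnel" hunk (@@ -97,7 +99,7 @@), the context lines keep 1.1.1.1 and 2.2.2.2 as the example external IPs. These are live, globally routed addresses, so a reader who copies the tutorial literally sends IKE and ESP traffic to third-party hosts. Since the sentence is being edited anyway, suggest switching to RFC 5737 documentation addresses (e.g. 192.0.2.1 and 198.51.100.1) here and in the rest of the tutorial.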