
[ovs-dev,v3,1/2] Documentation: update IPsec tutorial for F32

Message ID 20201027144518.712805-2-mark.d.gray@redhat.com
State Superseded
Series Some fixes for OVS IPsec on Fedora

Commit Message

Mark Gray Oct. 27, 2020, 2:45 p.m. UTC
F32 requires the "python3-openvswitch" package now. Also, the
iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
---
 Documentation/tutorials/ipsec.rst | 108 +++++++++++++++---------------
 1 file changed, 55 insertions(+), 53 deletions(-)

Comments

Eric Garver Oct. 27, 2020, 4:43 p.m. UTC | #1
On Tue, Oct 27, 2020 at 10:45:17AM -0400, Mark Gray wrote:
> F32 requires the "python3-openvswitch" package now. Also, the
> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
> 
> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>

Thanks.

Acked-by: Eric Garver <eric@garver.life>

> ---
>  Documentation/tutorials/ipsec.rst | 108 +++++++++++++++---------------
>  1 file changed, 55 insertions(+), 53 deletions(-)
> 
> diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
> index b4c3235132bc..ebc0ae429c19 100644
> --- a/Documentation/tutorials/ipsec.rst
> +++ b/Documentation/tutorials/ipsec.rst
> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>  ---------------------------------
>  
>  OVS IPsec has .deb and .rpm packages. You should use the right package
> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>  as examples.
>  
>  Ubuntu
> @@ -59,8 +59,8 @@ Ubuntu
>  
>  2. Install the related packages::
>  
> -       $ apt-get install dkms strongswan
> -       $ dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb \
> +       # apt-get install dkms strongswan
> +       # dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb \
>               openvswitch-switch_*.deb openvswitch-datapath-dkms_*.deb \
>               python-openvswitch_*.deb openvswitch-pki_*.deb \
>               openvswitch-ipsec_*.deb
> @@ -71,23 +71,25 @@ Ubuntu
>  Fedora
>  ~~~~~~
>  
> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
> +1. Install the related packages. Fedora 32 does not require installation of
> +   the out-of-tree kernel module::
>  
> -2. Install the related packages::
> +       # dnf install python3-openvswitch libreswan \
> +                     openvswitch openvswitch-ipsec
> +
> +2. Install firewall rules to allow ESP and IKE traffic::
>  
> -       $ dnf install python2-openvswitch libreswan \
> -                     "kernel-devel-uname-r == $(uname -r)"
> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
> -                openvswitch-openvswitch-ipsec-*.rpm
> +       # systemctl start firewalld
> +       # firewall-cmd --add-service ipsec
>  
> -3. Install firewall rules to allow ESP and IKE traffic::
> +   Or to make permanent::
>  
> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
> +       # systemctl enable firewalld
> +       # firewall-cmd --permanent --add-service ipsec
>  
> -4. Run the openvswitch-ipsec service::
> +3. Run the openvswitch-ipsec service::
>  
> -       $ systemctl start openvswitch-ipsec.service
> +       # systemctl start openvswitch-ipsec.service
>  
>     .. note::
>  
> @@ -97,47 +99,47 @@ Fedora
>  Configuring IPsec tunnel
>  ------------------------
>  
> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
> +Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s
>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  `host_1` and `host_2` can ping each other via these external IPs.
>  
>  0. Set up some variables to make life easier.  On both hosts, set ``ip_1`` and
>     ``ip_2`` variables, e.g.::
>  
> -     $ ip_1=1.1.1.1
> -     $ ip_2=2.2.2.2
> +     # ip_1=1.1.1.1
> +     # ip_2=2.2.2.2
>  
>  1. Set up OVS bridges in both hosts.
>  
>     In `host_1`::
>  
> -       $ ovs-vsctl add-br br-ipsec
> -       $ ip addr add 192.0.0.1/24 dev br-ipsec
> -       $ ip link set br-ipsec up
> +       # ovs-vsctl add-br br-ipsec
> +       # ip addr add 192.0.0.1/24 dev br-ipsec
> +       # ip link set br-ipsec up
>  
>     In `host_2`::
>  
> -       $ ovs-vsctl add-br br-ipsec
> -       $ ip addr add 192.0.0.2/24 dev br-ipsec
> -       $ ip link set br-ipsec up
> +       # ovs-vsctl add-br br-ipsec
> +       # ip addr add 192.0.0.2/24 dev br-ipsec
> +       # ip link set br-ipsec up
>  
>  2. Set up IPsec tunnel.
>  
> -   There are three authentication methods. You can choose one to set up your
> -   IPsec tunnel.
> +   There are three authentication methods.  Choose one method to set up your
> +   IPsec tunnel and follow the steps below.
>  
>     a) Using pre-shared key:
>  
>        In `host_1`::
>  
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                        set interface tun type=gre \
>                                      options:remote_ip=$ip_2 \
>                                      options:psk=swordfish
>  
>        In `host_2`::
>  
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                        set interface tun type=gre \
>                                      options:remote_ip=$ip_1 \
>                                      options:psk=swordfish
> @@ -156,15 +158,15 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  
>        In `host_1`::
>  
> -          $ ovs-pki req -u host_1
> -          $ ovs-pki self-sign host_1
> -          $ scp host_1-cert.pem $ip_2:/etc/keys/host_1-cert.pem
> +          # ovs-pki req -u host_1
> +          # ovs-pki self-sign host_1
> +          # scp host_1-cert.pem $ip_2:/etc/keys/host_1-cert.pem
>  
>        In `host_2`::
>  
> -          $ ovs-pki req -u host_2
> -          $ ovs-pki self-sign host_2
> -          $ scp host_2-cert.pem $ip_1:/etc/keys/host_2-cert.pem
> +          # ovs-pki req -u host_2
> +          # ovs-pki self-sign host_2
> +          # scp host_2-cert.pem $ip_1:/etc/keys/host_2-cert.pem
>  
>        .. note::
>  
> @@ -176,20 +178,20 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  
>        In `host_1`::
>  
> -          $ ovs-vsctl set Open_vSwitch . \
> +          # ovs-vsctl set Open_vSwitch . \
>                       other_config:certificate=/etc/keys/host_1-cert.pem \
>                       other_config:private_key=/etc/keys/host_1-privkey.pem
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                        set interface tun type=gre \
>                               options:remote_ip=$ip_2 \
>                               options:remote_cert=/etc/keys/host_2-cert.pem
>  
>        In `host_2`::
>  
> -          $ ovs-vsctl set Open_vSwitch . \
> +          # ovs-vsctl set Open_vSwitch . \
>                       other_config:certificate=/etc/keys/host_2-cert.pem \
>                       other_config:private_key=/etc/keys/host_2-privkey.pem
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                        set interface tun type=gre \
>                               options:remote_ip=$ip_1 \
>                               options:remote_cert=/etc/keys/host_1-cert.pem
> @@ -207,29 +209,29 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  
>        In `host_1`::
>  
> -          $ ovs-pki init
> +          # ovs-pki init
>  
>        Generate certificate requests and copy the certificate request of
>        `host_2` to `host_1`.
>  
>        In `host_1`::
>  
> -          $ ovs-pki req -u host_1
> +          # ovs-pki req -u host_1
>  
>        In `host_2`::
>  
> -          $ ovs-pki req -u host_2
> -          $ scp host_2-req.pem $ip_1:/etc/keys/host_2-req.pem
> +          # ovs-pki req -u host_2
> +          # scp host_2-req.pem $ip_1:/etc/keys/host_2-req.pem
>  
>        Sign the certificate requests with the CA key. Copy `host_2`'s signed
>        certificate and the CA certificate to `host_2`.
>  
>        In `host_1`::
>  
> -          $ ovs-pki sign host_1 switch
> -          $ ovs-pki sign host_2 switch
> -          $ scp host_2-cert.pem $ip_2:/etc/keys/host_2-cert.pem
> -          $ scp /var/lib/openvswitch/pki/switchca/cacert.pem \
> +          # ovs-pki sign host_1 switch
> +          # ovs-pki sign host_2 switch
> +          # scp host_2-cert.pem $ip_2:/etc/keys/host_2-cert.pem
> +          # scp /var/lib/openvswitch/pki/switchca/cacert.pem \
>                      $ip_2:/etc/keys/cacert.pem
>  
>        .. note::
> @@ -243,22 +245,22 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>  
>        In `host_1`::
>  
> -          $ ovs-vsctl set Open_vSwitch . \
> +          # ovs-vsctl set Open_vSwitch . \
>                    other_config:certificate=/etc/keys/host_1-cert.pem \
>                    other_config:private_key=/etc/keys/host_1-privkey.pem \
>                    other_config:ca_cert=/etc/keys/cacert.pem
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                     set interface tun type=gre \
>                                   options:remote_ip=$ip_2 \
>                                   options:remote_name=host_2
>  
>        In `host_2`::
>  
> -          $ ovs-vsctl set Open_vSwitch . \
> +          # ovs-vsctl set Open_vSwitch . \
>                    other_config:certificate=/etc/keys/host_2-cert.pem \
>                    other_config:private_key=/etc/keys/host_2-privkey.pem \
>                    other_config:ca_cert=/etc/keys/cacert.pem
> -          $ ovs-vsctl add-port br-ipsec tun -- \
> +          # ovs-vsctl add-port br-ipsec tun -- \
>                     set interface tun type=gre \
>                                   options:remote_ip=$ip_1 \
>                                   options:remote_name=host_1
> @@ -276,8 +278,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>     Now you should have an IPsec GRE tunnel running between two hosts. To verify
>     it, in `host_1`::
>  
> -       $ ping 192.0.0.2 &
> -       $ tcpdump -ni any net $ip_2
> +       # ping 192.0.0.2 &
> +       # tcpdump -ni any net $ip_2
>  
>     You should be able to see that ESP packets are being sent from `host_1` to
>     `host_2`.
> @@ -289,7 +291,7 @@ The ``ovs-monitor-ipsec`` daemon manages and monitors the IPsec tunnel state.
>  Use the following ``ovs-appctl`` command to view ``ovs-monitor-ipsec`` internal
>  representation of tunnel configuration::
>  
> -    $ ovs-appctl -t ovs-monitor-ipsec tunnels/show
> +    # ovs-appctl -t ovs-monitor-ipsec tunnels/show
>  
>  If there is misconfiguration, then ``ovs-appctl`` should indicate why.
>  For example::
> @@ -324,7 +326,7 @@ For example::
>  If you don't see any active connections, try to run the following command to
>  refresh the ``ovs-monitor-ipsec`` daemon::
>  
> -    $ ovs-appctl -t ovs-monitor-ipsec refresh
> +    # ovs-appctl -t ovs-monitor-ipsec refresh
>  
>  You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE
>  daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to
> -- 
> 2.26.2
> 

Patch

diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
index b4c3235132bc..ebc0ae429c19 100644
--- a/Documentation/tutorials/ipsec.rst
+++ b/Documentation/tutorials/ipsec.rst
@@ -42,7 +42,7 @@  Installing OVS and IPsec Packages
 ---------------------------------
 
 OVS IPsec has .deb and .rpm packages. You should use the right package
-based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
+based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
 as examples.
 
 Ubuntu
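Review bot: only the Fedora half of this sentence is bumped (27 to 32); the Ubuntu 16.04 half, and the Ubuntu steps in the next hunk that still install `python-openvswitch_*.deb` and `openvswitch-datapath-dkms_*.deb`, are left as they were, so the tutorial now pairs a current Fedora release with a 2016 Ubuntu release. Either refresh the Ubuntu example in the same series or add a sentence saying the Ubuntu steps were last verified on 16.04, so a reader knows which of the two paths is current.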
@@ -59,8 +59,8 @@  Ubuntu
 
 2. Install the related packages::
 
-       $ apt-get install dkms strongswan
-       $ dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb \
+       # apt-get install dkms strongswan
+       # dpkg -i libopenvswitch_*.deb openvswitch-common_*.deb \
              openvswitch-switch_*.deb openvswitch-datapath-dkms_*.deb \
              python-openvswitch_*.deb openvswitch-pki_*.deb \
              openvswitch-ipsec_*.deb
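Review bot: the `$` to `#` prompt change in this hunk (and repeated in every later hunk) is not mentioned in the commit message, which only covers the `python3-openvswitch` package and the missing `IN_FedoraServer_allow` chain. Either add a sentence to the commit message explaining that the commands are now shown with a root prompt because they need root, or split the prompt change into its own patch so the Fedora-specific fix stays small and easy to review and backport.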
@@ -71,23 +71,25 @@  Ubuntu
 Fedora
 ~~~~~~
 
-1. Follow :doc:`/intro/install/fedora` to build RPM packages.
+1. Install the related packages. Fedora 32 does not require installation of
+   the out-of-tree kernel module::
 
-2. Install the related packages::
+       # dnf install python3-openvswitch libreswan \
+                     openvswitch openvswitch-ipsec
+
+2. Install firewall rules to allow ESP and IKE traffic::
 
-       $ dnf install python2-openvswitch libreswan \
-                     "kernel-devel-uname-r == $(uname -r)"
-       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
-                openvswitch-openvswitch-ipsec-*.rpm
+       # systemctl start firewalld
+       # firewall-cmd --add-service ipsec
 
-3. Install firewall rules to allow ESP and IKE traffic::
+   Or to make permanent::
 
-       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
-       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
+       # systemctl enable firewalld
+       # firewall-cmd --permanent --add-service ipsec
 
-4. Run the openvswitch-ipsec service::
+3. Run the openvswitch-ipsec service::
 
-       $ systemctl start openvswitch-ipsec.service
+       # systemctl start openvswitch-ipsec.service
 
    .. note::
 
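Review bot: "Or to make permanent::" followed by `# systemctl enable firewalld` and `# firewall-cmd --permanent --add-service ipsec` is misleading as an alternative to the runtime commands above it: `--permanent` edits only the stored configuration and does not change the running firewall until `firewall-cmd --reload` (or a firewalld restart), and `systemctl enable` does not start the service in the current boot. A reader who takes the "Or" branch alone ends up with firewalld enabled but not running and the ipsec service not yet open, and the tunnel will fail to come up in step 3. Suggest showing the two as complementary rather than alternatives, for example `# systemctl enable --now firewalld`, `# firewall-cmd --add-service ipsec`, `# firewall-cmd --runtime-to-permanent`. Also worth one sentence on what the `ipsec` service opens compared with the two removed iptables rules, which allowed only ESP and UDP/500: if the service definition also opens AH and UDP/4500 for NAT traversal, say so, since the exposed surface is wider than before and an operator on a non-NAT deployment may prefer the narrower rules.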
@@ -97,47 +99,47 @@  Fedora
 Configuring IPsec tunnel
 ------------------------
 
-Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
+Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s
 external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 `host_1` and `host_2` can ping each other via these external IPs.
 
 0. Set up some variables to make life easier.  On both hosts, set ``ip_1`` and
    ``ip_2`` variables, e.g.::
 
-     $ ip_1=1.1.1.1
-     $ ip_2=2.2.2.2
+     # ip_1=1.1.1.1
+     # ip_2=2.2.2.2
 
 1. Set up OVS bridges in both hosts.
 
    In `host_1`::
 
-       $ ovs-vsctl add-br br-ipsec
-       $ ip addr add 192.0.0.1/24 dev br-ipsec
-       $ ip link set br-ipsec up
+       # ovs-vsctl add-br br-ipsec
+       # ip addr add 192.0.0.1/24 dev br-ipsec
+       # ip link set br-ipsec up
 
    In `host_2`::
 
-       $ ovs-vsctl add-br br-ipsec
-       $ ip addr add 192.0.0.2/24 dev br-ipsec
-       $ ip link set br-ipsec up
+       # ovs-vsctl add-br br-ipsec
+       # ip addr add 192.0.0.2/24 dev br-ipsec
+       # ip link set br-ipsec up
 
 2. Set up IPsec tunnel.
 
-   There are three authentication methods. You can choose one to set up your
-   IPsec tunnel.
+   There are three authentication methods.  Choose one method to set up your
+   IPsec tunnel and follow the steps below.
 
    a) Using pre-shared key:
 
       In `host_1`::
 
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                       set interface tun type=gre \
                                     options:remote_ip=$ip_2 \
                                     options:psk=swordfish
 
       In `host_2`::
 
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                       set interface tun type=gre \
                                     options:remote_ip=$ip_1 \
                                     options:psk=swordfish
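Review bot: the sample `options:psk=swordfish` is carried over unchanged in both `ovs-vsctl add-port` blocks and, since the tutorial is being refreshed anyway, deserves a note that it is a placeholder: the PSK is written into the OVSDB Interface record by `ovs-vsctl` and is as strong as the string chosen here, so readers should generate a long random secret for each tunnel and restrict read access to the database rather than copy a dictionary word from the docs. One sentence after the `host_2` block is enough.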
@@ -156,15 +158,15 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 
       In `host_1`::
 
-          $ ovs-pki req -u host_1
-          $ ovs-pki self-sign host_1
-          $ scp host_1-cert.pem $ip_2:/etc/keys/host_1-cert.pem
+          # ovs-pki req -u host_1
+          # ovs-pki self-sign host_1
+          # scp host_1-cert.pem $ip_2:/etc/keys/host_1-cert.pem
 
       In `host_2`::
 
-          $ ovs-pki req -u host_2
-          $ ovs-pki self-sign host_2
-          $ scp host_2-cert.pem $ip_1:/etc/keys/host_2-cert.pem
+          # ovs-pki req -u host_2
+          # ovs-pki self-sign host_2
+          # scp host_2-cert.pem $ip_1:/etc/keys/host_2-cert.pem
 
       .. note::
 
@@ -176,20 +178,20 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 
       In `host_1`::
 
-          $ ovs-vsctl set Open_vSwitch . \
+          # ovs-vsctl set Open_vSwitch . \
                      other_config:certificate=/etc/keys/host_1-cert.pem \
                      other_config:private_key=/etc/keys/host_1-privkey.pem
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                       set interface tun type=gre \
                              options:remote_ip=$ip_2 \
                              options:remote_cert=/etc/keys/host_2-cert.pem
 
       In `host_2`::
 
-          $ ovs-vsctl set Open_vSwitch . \
+          # ovs-vsctl set Open_vSwitch . \
                      other_config:certificate=/etc/keys/host_2-cert.pem \
                      other_config:private_key=/etc/keys/host_2-privkey.pem
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                       set interface tun type=gre \
                              options:remote_ip=$ip_1 \
                              options:remote_cert=/etc/keys/host_1-cert.pem
@@ -207,29 +209,29 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 
       In `host_1`::
 
-          $ ovs-pki init
+          # ovs-pki init
 
       Generate certificate requests and copy the certificate request of
       `host_2` to `host_1`.
 
       In `host_1`::
 
-          $ ovs-pki req -u host_1
+          # ovs-pki req -u host_1
 
       In `host_2`::
 
-          $ ovs-pki req -u host_2
-          $ scp host_2-req.pem $ip_1:/etc/keys/host_2-req.pem
+          # ovs-pki req -u host_2
+          # scp host_2-req.pem $ip_1:/etc/keys/host_2-req.pem
 
       Sign the certificate requests with the CA key. Copy `host_2`'s signed
       certificate and the CA certificate to `host_2`.
 
       In `host_1`::
 
-          $ ovs-pki sign host_1 switch
-          $ ovs-pki sign host_2 switch
-          $ scp host_2-cert.pem $ip_2:/etc/keys/host_2-cert.pem
-          $ scp /var/lib/openvswitch/pki/switchca/cacert.pem \
+          # ovs-pki sign host_1 switch
+          # ovs-pki sign host_2 switch
+          # scp host_2-cert.pem $ip_2:/etc/keys/host_2-cert.pem
+          # scp /var/lib/openvswitch/pki/switchca/cacert.pem \
                     $ip_2:/etc/keys/cacert.pem
 
       .. note::
@@ -243,22 +245,22 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
 
       In `host_1`::
 
-          $ ovs-vsctl set Open_vSwitch . \
+          # ovs-vsctl set Open_vSwitch . \
                   other_config:certificate=/etc/keys/host_1-cert.pem \
                   other_config:private_key=/etc/keys/host_1-privkey.pem \
                   other_config:ca_cert=/etc/keys/cacert.pem
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                    set interface tun type=gre \
                                  options:remote_ip=$ip_2 \
                                  options:remote_name=host_2
 
       In `host_2`::
 
-          $ ovs-vsctl set Open_vSwitch . \
+          # ovs-vsctl set Open_vSwitch . \
                   other_config:certificate=/etc/keys/host_2-cert.pem \
                   other_config:private_key=/etc/keys/host_2-privkey.pem \
                   other_config:ca_cert=/etc/keys/cacert.pem
-          $ ovs-vsctl add-port br-ipsec tun -- \
+          # ovs-vsctl add-port br-ipsec tun -- \
                    set interface tun type=gre \
                                  options:remote_ip=$ip_1 \
                                  options:remote_name=host_1
@@ -276,8 +278,8 @@  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
    Now you should have an IPsec GRE tunnel running between two hosts. To verify
    it, in `host_1`::
 
-       $ ping 192.0.0.2 &
-       $ tcpdump -ni any net $ip_2
+       # ping 192.0.0.2 &
+       # tcpdump -ni any net $ip_2
 
    You should be able to see that ESP packets are being sent from `host_1` to
    `host_2`.
@@ -289,7 +291,7 @@  The ``ovs-monitor-ipsec`` daemon manages and monitors the IPsec tunnel state.
 Use the following ``ovs-appctl`` command to view ``ovs-monitor-ipsec`` internal
 representation of tunnel configuration::
 
-    $ ovs-appctl -t ovs-monitor-ipsec tunnels/show
+    # ovs-appctl -t ovs-monitor-ipsec tunnels/show
 
 If there is misconfiguration, then ``ovs-appctl`` should indicate why.
 For example::
@@ -324,7 +326,7 @@  For example::
 If you don't see any active connections, try to run the following command to
 refresh the ``ovs-monitor-ipsec`` daemon::
 
-    $ ovs-appctl -t ovs-monitor-ipsec refresh
+    # ovs-appctl -t ovs-monitor-ipsec refresh
 
 You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE
 daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to