[ovs-dev] ipsec: Update documentation for Fedora

Message ID 20211014132134.67138-1-mark.d.gray@redhat.com
State Accepted

Checks

Context                                Check    Description
ovsrobot/apply-robot                   success  apply and check: success
ovsrobot/github-robot-_Build_and_Test  success  github build: passed
ovsrobot/github-robot-_ovn-kubernetes  fail     github build: failed

Commit Message

Mark Gray Oct. 14, 2021, 1:21 p.m. UTC
When running on Fedora, it may be necessary to allow ESP and IKE traffic
through the host firewall. If not, this will result in ICMP host
unreachable messages:

13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184

This commit updates the documentation to reflect this.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002278
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
---
 Documentation/tutorials/ovn-ipsec.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)
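
The symptom described in the commit message can be checked for mechanically. The following is an added example, not part of the patch or of OVN: it scans `tcpdump -n` text output for ESP packets that the receiving host answered with ICMP "admin prohibited" rejects. The function name `find_rejected_esp` is hypothetical, and the sample capture is the four lines quoted above.

```python
import re

# Sample input: the four tcpdump lines quoted in the commit message.
SAMPLE = """\
13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
"""

ESP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)")
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP host [\d.]+ unreachable - admin prohibited")


def find_rejected_esp(lines):
    """Map (esp_sender, esp_receiver) to counters for every ESP flow whose
    receiver sent back at least one ICMP admin-prohibited reject."""
    flows = {}
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            flow = flows.setdefault(key, {"spis": set(), "esp": 0, "rejects": 0})
            flow["spis"].add(m["spi"])
            flow["esp"] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            # The reject travels in the opposite direction to the ESP flow.
            key = (m["dst"], m["src"])
            if key in flows:
                flows[key]["rejects"] += 1
    return {k: v for k, v in flows.items() if v["rejects"]}


if __name__ == "__main__":
    for (sender, receiver), flow in find_rejected_esp(SAMPLE.splitlines()).items():
        print(f"{receiver} rejects ESP from {sender} "
              f"(SPIs {sorted(flow['spis'])}, {flow['esp']} ESP packets, "
              f"{flow['rejects']} rejects): check the host firewall on {receiver}")
```

A flow reported here points at the receiving host's firewall, which is where the `ipsec` service rule from the patch applies.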

Comments

Numan Siddique Oct. 20, 2021, 3 p.m. UTC | #1
On Thu, Oct 14, 2021 at 9:22 AM Mark Gray <mark.d.gray@redhat.com> wrote:
>
> When running on Fedora, it may be necessary to allow ESP and IKE traffic
> through the host firewall. If not, this will result in ICMP host
> unreachable messages:
>
> 13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
> 13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
> 13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
> 13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
>
> This commit updates the documentation to reflect this.
>
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002278
> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>

Thanks.   I applied to the main branch.

Numan

> ---
>  Documentation/tutorials/ovn-ipsec.rst | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst
> index 3adef68bb697..fa35eb84b316 100644
> --- a/Documentation/tutorials/ovn-ipsec.rst
> +++ b/Documentation/tutorials/ovn-ipsec.rst
> @@ -80,6 +80,19 @@ database to false::
>
>      $ ovn-nbctl set nb_global . ipsec=false
>
> +.. note::
> +
> +   On Fedora, you may need to install firewall rules to allow ESP and IKE
> +   traffic::
> +
> +       # systemctl start firewalld
> +       # firewall-cmd --add-service ipsec
> +
> +   Or to make permanent::
> +
> +       # systemctl enable firewalld
> +       # firewall-cmd --permanent --add-service ipsec
> +
>  Troubleshooting
>  ---------------
>
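Review bot: The new note is inserted directly under the `ovn-nbctl set nb_global . ipsec=false` step, so it reads as part of disabling IPsec, while the firewall rule matters when ESP and IKE traffic is expected to flow. Consider placing it with the instructions for enabling IPsec, or rewording the first sentence to say the rule is needed before tunnels are brought up.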
> --
> 2.27.0
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
Mark Gray Oct. 20, 2021, 3:02 p.m. UTC | #2
On 20/10/2021 16:00, Numan Siddique wrote:
> On Thu, Oct 14, 2021 at 9:22 AM Mark Gray <mark.d.gray@redhat.com> wrote:
>>
>> When running on Fedora, it may be necessary to allow ESP and IKE traffic
>> through the host firewall. If not, this will result in ICMP host
>> unreachable messages:
>>
>> 13:52:10.000695 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
>> 13:52:10.000721 IP 192.168.122.228 > 192.168.122.125: ESP(spi=0xa5830a6b,seq=0x2), length 156
>> 13:52:10.000864 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
>> 13:52:10.000874 IP 192.168.122.125 > 192.168.122.228: ICMP host 192.168.122.125 unreachable - admin prohibited filter, length 184
>>
>> This commit updates the documentation to reflect this.
>>
>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002278
>> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
> 
> Thanks.   I applied to the main branch.
> 

Thanks

> Numan
> 
>> ---
>>  Documentation/tutorials/ovn-ipsec.rst | 13 +++++++++++++
>>  1 file changed, 13 insertions(+)
>>
>> diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst
>> index 3adef68bb697..fa35eb84b316 100644
>> --- a/Documentation/tutorials/ovn-ipsec.rst
>> +++ b/Documentation/tutorials/ovn-ipsec.rst
>> @@ -80,6 +80,19 @@ database to false::
>>
>>      $ ovn-nbctl set nb_global . ipsec=false
>>
>> +.. note::
>> +
>> +   On Fedora, you may need to install firewall rules to allow ESP and IKE
>> +   traffic::
>> +
>> +       # systemctl start firewalld
>> +       # firewall-cmd --add-service ipsec
>> +
>> +   Or to make permanent::
>> +
>> +       # systemctl enable firewalld
>> +       # firewall-cmd --permanent --add-service ipsec
>> +
>>  Troubleshooting
>>  ---------------
>>
>> --
>> 2.27.0
>>
>> _______________________________________________
>> dev mailing list
>> dev@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
Patch

diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst
index 3adef68bb697..fa35eb84b316 100644
--- a/Documentation/tutorials/ovn-ipsec.rst
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -80,6 +80,19 @@  database to false::
 
     $ ovn-nbctl set nb_global . ipsec=false
 
+.. note::
+
+   On Fedora, you may need to install firewall rules to allow ESP and IKE
+   traffic::
+
+       # systemctl start firewalld
+       # firewall-cmd --add-service ipsec
+
+   Or to make permanent::
+
+       # systemctl enable firewalld
+       # firewall-cmd --permanent --add-service ipsec
+
 Troubleshooting
 ---------------
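
Review bot: In the "Or to make permanent" block, `firewall-cmd --permanent --add-service ipsec` only writes the permanent configuration and leaves the running rules untouched, and `systemctl enable firewalld` does not start the service, so a reader who follows only that block still has ESP rejected until a reload or reboot. Suggest stating that the permanent commands are run in addition to the runtime ones, or adding `firewall-cmd --reload` after them.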