[ovs-dev,1/1] IPsec: Add option to force NAT-T encapsulation

Provide an option to enforce NAT-T UDP
encapsulation (encapsulation=true or forceencaps=true depending on the
chosen backend). This may be required in environments where firewalls
drop ESP traffic but where NAT-T detection fails because packets are not
subject to NAT.

Signed-off-by: Andreas Karis <ak.karis@gmail.com>
---
 Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++
 controller/encaps.c                   | 14 ++++++++++++++
 tests/ovn-ipsec.at                    |  3 +++
 3 files changed, 36 insertions(+)

On Wed, Jun 1, 2022 at 11:39 AM Andreas Karis <ak.karis@gmail.com> wrote:
>
> Provide an option to enforce NAT-T UDP
> encapsulation (encapsulation=true or forceencaps=true depending on the
> chosen backend). This may be required in environments where firewalls
> drop ESP traffic but where NAT-T detection fails because packets are not
> subject to NAT.
>
> Signed-off-by: Andreas Karis <ak.karis@gmail.com>

Thanks for the patch.  Can you also please add a NEWS entry for this option ?

Numan

> ---
>  Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++
>  controller/encaps.c                   | 14 ++++++++++++++
>  tests/ovn-ipsec.at                    |  3 +++
>  3 files changed, 36 insertions(+)
>
> diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst
> index 305dd566d..0ae84f803 100644
> --- a/Documentation/tutorials/ovn-ipsec.rst
> +++ b/Documentation/tutorials/ovn-ipsec.rst
> @@ -93,6 +93,24 @@ database to false::
>         # systemctl enable firewalld
>         # firewall-cmd --permanent --add-service ipsec
>
> +Enabling OVN IPsec
> +------------------
> +
> +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP
> +encapsulation unconditionally and to bypass the normal NAT detection mechanism.
> +For example, this may be required in environments where firewalls drop ESP
> +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise
> +are not subject to NAT.
> +In such scenarios, UDP encapsulation can be enforced with the following.
> +
> +For libreswan backends::
> +
> +    $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true
> +
> +For strongswan backends::
> +
> +    $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true
> +
>  Troubleshooting
>  ---------------
>
> @@ -119,6 +137,7 @@ For example::
>     Remote name:    host_2
>     CA cert:        /path/to/cacert.pem
>     PSK:            None
> +   Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced
>     Ofport:         2          <--- Whether ovs-vswitchd has assigned Ofport
>                                     number to this Tunnel Port
>     CFM state:      Disabled     <--- Whether CFM declared this tunnel healthy
> diff --git a/controller/encaps.c b/controller/encaps.c
> index a06aa258c..068c8f3f8 100644
> --- a/controller/encaps.c
> +++ b/controller/encaps.c
> @@ -207,6 +207,20 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg,
>      if (sbg->ipsec) {
>          set_local_ip = true;
>          smap_add(&options, "remote_name", new_chassis_id);
> +
> +        /* Force NAT-T traversal via configuration */
> +        /* Two ipsec backends are supported: libreswan and openswan */
> +        /* libreswan parameter: encapsulation ; openswan parameter: forceencaps */
> +        bool encapsulation;
> +        bool forceencaps;
> +        encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", false);
> +        forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false);
> +        if (encapsulation) {
> +            smap_add(&options, "ipsec_encapsulation", "yes");
> +        }
> +        if (forceencaps) {
> +            smap_add(&options, "ipsec_forceencaps", "yes");
> +        }
>      }
>
>      if (set_local_ip) {
> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at
> index 4c600a9f2..10ef97878 100644
> --- a/tests/ovn-ipsec.at
> +++ b/tests/ovn-ipsec.at
> @@ -44,15 +44,18 @@ ovs-vsctl \
>
>  # Enable IPsec
>  ovn-nbctl set nb_global . ipsec=true
> +ovn-nbctl set nb_global . options:ipsec_encapsulation=true
>
>  check ovn-nbctl --wait=hv sync
>
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1])
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2])
>  AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1])
>  AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
>
>  AT_CLEANUP
>
> --
> 2.35.3
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

Bleep bloop.  Greetings Andreas Karis, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: Line is 82 characters long (recommended limit is 79)
#67 FILE: controller/encaps.c:213:
        /* libreswan parameter: encapsulation ; openswan parameter: forceencaps */

WARNING: Line is 83 characters long (recommended limit is 79)
#70 FILE: controller/encaps.c:216:
        encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", false);

Lines checked: 106, Warnings: 2, Errors: 0


Please check this out.  If you feel there has been an error, please email aconole@redhat.com

Thanks,
0-day Robot