@@ -93,6 +93,24 @@ database to false::
# systemctl enable firewalld
# firewall-cmd --permanent --add-service ipsec
+Enabling OVN IPsec
+------------------
+
+In specific situations, it may be required to enforce NAT-T (RFC3948) UDP
+encapsulation unconditionally and to bypass the normal NAT detection mechanism.
+For example, this may be required in environments where firewalls drop ESP
+traffic, but where NAT-T detection (RFC3947) fails because packets otherwise
+are not subject to NAT.
+In such scenarios, UDP encapsulation can be enforced with the following.
+
+For libreswan backends::
+
+ $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true
+
+For strongswan backends::
+
+ $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true
+
Troubleshooting
---------------
@@ -119,6 +137,7 @@ For example::
Remote name: host_2
CA cert: /path/to/cacert.pem
PSK: None
+ Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced
Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport
number to this Tunnel Port
CFM state: Disabled <--- Whether CFM declared this tunnel healthy
@@ -2,6 +2,9 @@ Post v22.06.0
-------------
- ovn-controller: Add configuration knob, through OVS external-id
"ovn-encap-df_default" to enable or disable tunnel DF flag.
+ - Added nb_global IPsec options ipsec_encapsulation=true (libreswan)
+ and ipsec_forceencaps=true (openswan) to unconditionally enforce
+ NAT-T UDP encapsulation.
OVN v22.06.0 - XX XXX XXXX
--------------------------
@@ -207,6 +207,21 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg,
if (sbg->ipsec) {
set_local_ip = true;
smap_add(&options, "remote_name", new_chassis_id);
+
+ /* Force NAT-T traversal via configuration */
+ /* Two ipsec backends are supported: libreswan and openswan */
+ /* libreswan param: encapsulation ; openswan param: forceencaps */
+ bool encapsulation;
+ bool forceencaps;
+ encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation",
+ false);
+ forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false);
+ if (encapsulation) {
+ smap_add(&options, "ipsec_encapsulation", "yes");
+ }
+ if (forceencaps) {
+ smap_add(&options, "ipsec_forceencaps", "yes");
+ }
}
if (set_local_ip) {
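Review bot: The comment on the added lines names the second backend "openswan", while the tutorial hunk in this same commit documents the `ipsec_forceencaps` option under "For strongswan backends"; the NEWS entry also says openswan, so one of the two names is wrong and the comment should match whatever ovn-ipsec actually drives. The three single-line comments and the declare-then-assign pair would read better as one block comment followed by `bool encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", false);` and `bool forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false);`, e.g. `/* Force NAT-T UDP encapsulation regardless of NAT detection; the option name matches the backend parameter: "encapsulation" (libreswan) or "forceencaps" (the other supported backend). */`. Nothing on the page shows where `sbg->options` is populated from the nb_global options the documentation tells users to set, so that copy is presumably done by northd; worth confirming it is already in place. The enclosing function tunnel_add starts and ends outside the hunk.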
@@ -44,15 +44,18 @@ ovs-vsctl \
# Enable IPsec
ovn-nbctl set nb_global . ipsec=true
+ovn-nbctl set nb_global . options:ipsec_encapsulation=true
check ovn-nbctl --wait=hv sync
AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1])
AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2])
AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1])
+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2])
AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1])
AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2])
+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
AT_CLEANUP
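Review bot: The new test exercises only the `ipsec_encapsulation` path; the `ipsec_forceencaps` branch added in controller/encaps.c in this commit is never set or checked, so a regression there would go unnoticed. Adding `ovn-nbctl set nb_global . options:ipsec_forceencaps=true` next to the existing set line and an `AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_forceencaps | tr -d '\n'], [0], [yes])` (and the hv1 counterpart) would cover both options with the same pattern already used here.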
Provide an option to enforce NAT-T UDP encapsulation (encapsulation=true or forceencaps=true depending on the chosen backend). This may be required in environments where firewalls drop ESP traffic but where NAT-T detection fails because packets are not subject to NAT. Signed-off-by: Andreas Karis <ak.karis@gmail.com> --- Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++ NEWS | 3 +++ controller/encaps.c | 15 +++++++++++++++ tests/ovn-ipsec.at | 3 +++ 4 files changed, 40 insertions(+)