| Message ID | 20220601171150.3862795-1-ak.karis@gmail.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev,v3,1/1] IPsec: Add option to force NAT-T encapsulation | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | fail | github build: failed |
| ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
On Wed, Jun 1, 2022 at 1:12 PM Andreas Karis <ak.karis@gmail.com> wrote: > > Provide options to enforce NAT-T UDP encapsulation. Options are > encapsulation=true for libreswan and forceencaps=true for strongswan. > This may be required in environments where firewalls drop ESP > traffic but where NAT-T detection fails because packets are not > subject to NAT. > > Signed-off-by: Andreas Karis <ak.karis@gmail.com> > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2041681 Thanks. Acked-by: Numan Siddique <numans@ovn.org> Numan > --- > Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++ > NEWS | 3 +++ > controller/encaps.c | 15 +++++++++++++++ > tests/ovn-ipsec.at | 3 +++ > 4 files changed, 40 insertions(+) > > diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst > index 305dd566d..0ae84f803 100644 > --- a/Documentation/tutorials/ovn-ipsec.rst > +++ b/Documentation/tutorials/ovn-ipsec.rst > @@ -93,6 +93,24 @@ database to false:: > # systemctl enable firewalld > # firewall-cmd --permanent --add-service ipsec > > +Enabling OVN IPsec > +------------------ > + > +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP > +encapsulation unconditionally and to bypass the normal NAT detection mechanism. > +For example, this may be required in environments where firewalls drop ESP > +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise > +are not subject to NAT. > +In such scenarios, UDP encapsulation can be enforced with the following. > + > +For libreswan backends:: > + > + $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true > + > +For strongswan backends:: > + > + $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true > + > Troubleshooting > --------------- > > @@ -119,6 +137,7 @@ For example:: > Remote name: host_2 > CA cert: /path/to/cacert.pem > PSK: None > + Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced > Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport > number to this Tunnel Port > CFM state: Disabled <--- Whether CFM declared this tunnel healthy > diff --git a/NEWS b/NEWS > index 21782cc66..4bb801bfd 100644 > --- a/NEWS > +++ b/NEWS > @@ -2,6 +2,9 @@ Post v22.06.0 > ------------- > - ovn-controller: Add configuration knob, through OVS external-id > "ovn-encap-df_default" to enable or disable tunnel DF flag. > + - Added nb_global IPsec options ipsec_encapsulation=true (libreswan) > + and ipsec_forceencaps=true (strongswan) to unconditionally enforce > + NAT-T UDP encapsulation. > > OVN v22.06.0 - XX XXX XXXX > -------------------------- > diff --git a/controller/encaps.c b/controller/encaps.c > index a06aa258c..9647ba507 100644 > --- a/controller/encaps.c > +++ b/controller/encaps.c > @@ -207,6 +207,21 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, > if (sbg->ipsec) { > set_local_ip = true; > smap_add(&options, "remote_name", new_chassis_id); > + > + /* Force NAT-T traversal via configuration */ > + /* Two ipsec backends are supported: libreswan and strongswan */ > + /* libreswan param: encapsulation; strongswan param: forceencaps */ > + bool encapsulation; > + bool forceencaps; > + encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", > + false); > + forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false); > + if (encapsulation) { > + smap_add(&options, "ipsec_encapsulation", "yes"); > + } > + if (forceencaps) { > + smap_add(&options, "ipsec_forceencaps", "yes"); > + } > } > > if (set_local_ip) { > diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at > index 4c600a9f2..10ef97878 100644 > --- a/tests/ovn-ipsec.at > +++ b/tests/ovn-ipsec.at > @@ -44,15 +44,18 @@ ovs-vsctl \ > > # Enable IPsec > ovn-nbctl set nb_global . ipsec=true > +ovn-nbctl set nb_global . options:ipsec_encapsulation=true > > check ovn-nbctl --wait=hv sync > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > > AT_CLEANUP > > -- > 2.35.3 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On 6/2/22 21:55, Numan Siddique wrote: > On Wed, Jun 1, 2022 at 1:12 PM Andreas Karis <ak.karis@gmail.com> wrote: >> >> Provide options to enforce NAT-T UDP encapsulation. Options are >> encapsulation=true for libreswan and forceencaps=true for strongswan. >> This may be required in environments where firewalls drop ESP >> traffic but where NAT-T detection fails because packets are not >> subject to NAT. >> >> Signed-off-by: Andreas Karis <ak.karis@gmail.com> >> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2041681 > > Thanks. > > Acked-by: Numan Siddique <numans@ovn.org> FYI, support for these features will be available only in the next major OVS release. I think that dependency should be clearly stated in the documentation. Best regards, Ilya Maximets.
diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index 305dd566d..0ae84f803 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -93,6 +93,24 @@ database to false:: # systemctl enable firewalld # firewall-cmd --permanent --add-service ipsec +Enabling OVN IPsec +------------------ + +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP +encapsulation unconditionally and to bypass the normal NAT detection mechanism. +For example, this may be required in environments where firewalls drop ESP +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise +are not subject to NAT. +In such scenarios, UDP encapsulation can be enforced with the following. + +For libreswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true + +For strongswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true + Troubleshooting --------------- @@ -119,6 +137,7 @@ For example:: Remote name: host_2 CA cert: /path/to/cacert.pem PSK: None + Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport number to this Tunnel Port CFM state: Disabled <--- Whether CFM declared this tunnel healthy diff --git a/NEWS b/NEWS index 21782cc66..4bb801bfd 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ Post v22.06.0 ------------- - ovn-controller: Add configuration knob, through OVS external-id "ovn-encap-df_default" to enable or disable tunnel DF flag. + - Added nb_global IPsec options ipsec_encapsulation=true (libreswan) + and ipsec_forceencaps=true (strongswan) to unconditionally enforce + NAT-T UDP encapsulation. OVN v22.06.0 - XX XXX XXXX -------------------------- diff --git a/controller/encaps.c b/controller/encaps.c index a06aa258c..9647ba507 100644 --- a/controller/encaps.c +++ b/controller/encaps.c @@ -207,6 +207,21 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, if (sbg->ipsec) { set_local_ip = true; smap_add(&options, "remote_name", new_chassis_id); + + /* Force NAT-T traversal via configuration */ + /* Two ipsec backends are supported: libreswan and strongswan */ + /* libreswan param: encapsulation; strongswan param: forceencaps */ + bool encapsulation; + bool forceencaps; + encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", + false); + forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false); + if (encapsulation) { + smap_add(&options, "ipsec_encapsulation", "yes"); + } + if (forceencaps) { + smap_add(&options, "ipsec_forceencaps", "yes"); + } } if (set_local_ip) { diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at index 4c600a9f2..10ef97878 100644 --- a/tests/ovn-ipsec.at +++ b/tests/ovn-ipsec.at @@ -44,15 +44,18 @@ ovs-vsctl \ # Enable IPsec ovn-nbctl set nb_global . ipsec=true +ovn-nbctl set nb_global . options:ipsec_encapsulation=true check ovn-nbctl --wait=hv sync AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CLEANUP
Provide options to enforce NAT-T UDP encapsulation. Options are encapsulation=true for libreswan and forceencaps=true for strongswan. This may be required in environments where firewalls drop ESP traffic but where NAT-T detection fails because packets are not subject to NAT. Signed-off-by: Andreas Karis <ak.karis@gmail.com> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2041681 --- Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++ NEWS | 3 +++ controller/encaps.c | 15 +++++++++++++++ tests/ovn-ipsec.at | 3 +++ 4 files changed, 40 insertions(+)