From patchwork Wed Jun 1 15:38:44 2022
X-Patchwork-Submitter: Andreas Karis
X-Patchwork-Id: 1638024
From: Andreas Karis
To: dev@openvswitch.org
Cc: Andreas Karis
Date: Wed, 1 Jun 2022 17:38:44 +0200
Message-Id: <20220601153844.2185765-1-ak.karis@gmail.com>
Subject: [ovs-dev] [PATCH ovn 1/1] IPsec: Add option to force NAT-T encapsulation

Provide an option to enforce NAT-T UDP encapsulation (encapsulation=true or forceencaps=true depending on the chosen backend). This may be required in environments where firewalls drop ESP traffic but where NAT-T detection fails because packets are not subject to NAT.

Signed-off-by: Andreas Karis
---
 Documentation/tutorials/ovn-ipsec.rst | 19 +++++++++++++++++++
 controller/encaps.c | 14 ++++++++++++++
 tests/ovn-ipsec.at | 3 +++
 3 files changed, 36 insertions(+)

diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index 305dd566d..0ae84f803 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -93,6 +93,24 @@ database to false:: # systemctl enable firewalld # firewall-cmd --permanent --add-service ipsec +Enabling OVN IPsec +------------------ + +In specific situations, it may be required to enforce NAT-T (RFC3948) UDP +encapsulation unconditionally and to bypass the normal NAT detection mechanism. +For example, this may be required in environments where firewalls drop ESP +traffic, but where NAT-T detection (RFC3947) fails because packets otherwise +are not subject to NAT. +In such scenarios, UDP encapsulation can be enforced with the following. + +For libreswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_encapsulation=true + +For strongswan backends:: + + $ ovn-nbctl set nb_global . options:ipsec_forceencaps=true + Troubleshooting --------------- @@ -119,6 +137,7 @@ For example:: Remote name: host_2 CA cert: /path/to/cacert.pem PSK: None + Custom Options: {'encapsulation': 'yes'} <---- Whether NAT-T is enforced Ofport: 2 <--- Whether ovs-vswitchd has assigned Ofport number to this Tunnel Port CFM state: Disabled <--- Whether CFM declared this tunnel healthy diff --git a/controller/encaps.c b/controller/encaps.c index a06aa258c..068c8f3f8 100644 --- a/controller/encaps.c +++ b/controller/encaps.c @@ -207,6 +207,20 @@ tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, if (sbg->ipsec) { set_local_ip = true; smap_add(&options, "remote_name", new_chassis_id); + + /* Force NAT-T traversal via configuration */ + /* Two ipsec backends are supported: libreswan and openswan */ + /* libreswan parameter: encapsulation ; openswan parameter: forceencaps */ + bool encapsulation; + bool forceencaps; + encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", false); + forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false); + if (encapsulation) { + smap_add(&options, "ipsec_encapsulation", "yes"); + } + if (forceencaps) { + smap_add(&options, "ipsec_forceencaps", "yes"); + } } if (set_local_ip) { 
diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at index 4c600a9f2..10ef97878 100644 --- a/tests/ovn-ipsec.at +++ b/tests/ovn-ipsec.at @@ -44,15 +44,18 @@ ovs-vsctl \ # Enable IPsec ovn-nbctl set nb_global . ipsec=true +ovn-nbctl set nb_global . options:ipsec_encapsulation=true check ovn-nbctl --wait=hv sync AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) AT_CLEANUP
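Review bot: the new heading "Enabling OVN IPsec" in the ovn-ipsec.rst hunk at @@ -93 does not describe the section, which is about forcing NAT-T UDP encapsulation rather than enabling IPsec (enabling is what the surrounding tutorial text already covers); suggest "Enforcing NAT-T UDP encapsulation" with an underline of matching length. The two ovn-nbctl commands also assume the reader knows which backend ovs-monitor-ipsec runs with, and since the controller hunk passes both keys through unconditionally, setting the libreswan key on a strongswan host (or vice versa) is silently ignored; one sentence saying the option must match the backend and that the other key has no effect would save a support round-trip. Minor: "can be enforced with the following." reads better as "can be enforced as follows:".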
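Review bot: the comments in the encaps.c hunk say the two supported backends are "libreswan and openswan" and that forceencaps is the openswan parameter, but the documentation hunk documents ipsec_forceencaps as the strongswan option; the comment should say strongswan so it does not send the next reader to the wrong backend's manual. Style: the three consecutive `/* ... */` lines should be a single block comment, and the two flags can be initialized where they are declared, e.g. `bool encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", false);`, dropping the separate assignment statements.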
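Review bot: the tests/ovn-ipsec.at hunk only exercises ipsec_encapsulation; the ipsec_forceencaps branch added in encaps.c has no coverage, and nothing checks that a key is absent when its nb_global option is not set. Suggest adding `ovn-nbctl set nb_global . options:ipsec_forceencaps=true` with matching AT_CHECK lines for options:ipsec_forceencaps on both hypervisors, and, in a variant where only one of the two options is set, an AT_CHECK that `ovs-vsctl get Interface ovn-hv1-0 options:ipsec_forceencaps` exits non-zero, so a regression that starts emitting a key unconditionally is caught.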