
IPsec mode not working with IPv6 overlays #3151

Closed
antoninbas opened this issue Dec 18, 2021 · 1 comment · Fixed by #3155
Assignees
Labels
area/transit/encryption Issues or PRs related to transit encryption (IPSec, SSL). area/transit/ipv6 Issues or PRs related to IPv6. kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@antoninbas
Contributor

Describe the bug
In an IPv6-only cluster, trying to enable IPv6 doesn't work (so far I have tried with VXLAN tunnels only). There is no connectivity between Pods across different Nodes, and no IPsec Security Associations are being created.

To Reproduce
Apply the antrea-ipsec.yml manifest in an IPv6-only K8s cluster, check Pod connectivity.

Versions:
Antrea v1.4 and ToT

Additional context
I am trying to get some help from the strongSwan community: strongswan/strongswan#821

I actually did run some tests with GRE after tentatively adding support for the ip6gre OVS tunnel type (see #3150). However, because ovs-monitor-ipsec does not actually support ip6gre (https://github.com/openvswitch/ovs/blob/11441385c2f788320799ba29b344098b917d8827/ipsec/ovs-monitor-ipsec.in#L34-L80), no connection entries are generated in /etc/ipsec.conf. If we do manage to make UDP tunnels work, we should consider submitting a patch to OVS adding support for ip6gre.

If we cannot get help from the strongSwan community, it may be worth it to test with libreSwan to check if we run into the same issue.
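An added diagnostic (not code from this issue, Antrea or OVS) for the symptom described above: parse a strongSwan-style ipsec.conf and report which tunnel peers have no conn stanza naming them, so a missing IPv6 entry is caught before chasing SA negotiation. The sample conf and peer list are constructed; the stanza layout only mimics the per-tunnel conns ovs-monitor-ipsec writes and is not the upstream format.

```python
from ipaddress import ip_address

# Constructed sample: an IPv4 peer has its conn stanza, the IPv6 peer has none,
# mirroring the "no connection entries generated" symptom from the report.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn vxlan0-10.0.0.2-in-1
    left=10.0.0.1
    right=10.0.0.2
    auto=route
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' stanza in the file."""
    conns, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank lines do not end a stanza
        if raw.startswith("conn "):
            current = raw.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and raw[:1].isspace() and "=" in raw:
            key, value = raw.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
        else:
            current = None  # any other top-level line (e.g. 'config setup') ends it
    return conns


def missing_peers(conf_text, peers):
    """Peers (remote tunnel IPs) that no conn stanza references as right=.
    Comparison goes through ipaddress so textual IPv6 variants still match."""
    covered = set()
    for opts in parse_conns(conf_text).values():
        try:
            covered.add(ip_address(opts.get("right", "")))
        except ValueError:
            pass  # right=%any, a hostname, or absent: not a concrete peer
    return [p for p in peers if ip_address(p) not in covered]


if __name__ == "__main__":
    # Constructed Node tunnel addresses; in practice take them from the cluster.
    print(missing_peers(SAMPLE_IPSEC_CONF, ["10.0.0.2", "2001:db8::2"]))
```

Running it against the real /etc/ipsec.conf and the actual Node tunnel addresses gives a quick yes/no on whether the generated configuration covers every IPv6 peer.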

@antoninbas antoninbas added area/transit/encryption Issues or PRs related to transit encryption (IPSec, SSL). kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. area/transit/ipv6 Issues or PRs related to IPv6. labels Dec 18, 2021
@antoninbas
Contributor Author

I submitted an OVS patch for this after getting some help from the strongSwan folks: https://mail.openvswitch.org/pipermail/ovs-dev/2021-December/390357.html

I think we can apply this patch manually in our build until it is merged upstream.

@antoninbas antoninbas self-assigned this Dec 21, 2021
antoninbas added a commit to antoninbas/antrea that referenced this issue Dec 21, 2021
When using IPv6, the IPsec configuration (ipsec.conf) generated by
ovs-monitor-ipsec for strongSwan is currently not correct. A patch has
been submitted upstream, but until it is accepted and merged, we apply a
temporary version of the patch.

This was tested for a VXLAN overlay in an IPv6-only cluster.

Fixes antrea-io#3151

Signed-off-by: Antonin Bas <abas@vmware.com>
antoninbas added a commit to antoninbas/antrea that referenced this issue Mar 17, 2022
antoninbas added a commit that referenced this issue Mar 18, 2022