OVN IPsec Guide

This document is a step-by-step guide to using IPsec-encrypted tunnel traffic in Open Virtual Network (OVN). OVN tunnel traffic is carried over physical routers and switches. These physical devices may be untrusted (devices on a public network) or may be compromised. Enabling IPsec encryption for tunnel traffic prevents the data from being monitored or manipulated in transit. For more detailed information about the OVN IPsec design, see the ovn-architecture(7) man page.

This document assumes that OVN is installed on your system and working properly. You also need to install the OVS IPsec software package on each chassis (see: install-ovs-ipsec).

Generate a certificate and key

When IPsec tunnels are created, OVN chassis use CA-signed certificates to authenticate their peers. If role-based access control (RBAC) is enabled in OVN, you can reuse the RBAC SSL certificates and keys for OVN IPsec. Otherwise, you can use ovs-pki to generate individual certificates and keys (see: gen certs keys).

Note:

OVN IPsec requires X.509 version 3 certificates, and the subjectAltName DNS field must contain the same string as the common name (CN) field. The CN should be set to the chassis name. ovs-pki in Open vSwitch version 2.10.90 or later can generate such certificates. If you use other tools or an older version of ovs-pki, make sure the generated certificates are compatible.

OVN IPSec configuration

You need to install the CA certificate, the chassis certificate and the chassis private key on each chassis. Use the following command:

$ ovs-vsctl set Open_vSwitch . \
        other_config:certificate=/path/to/chassis-cert.pem \
        other_config:private_key=/path/to/chassis-privkey.pem \
        other_config:ca_cert=/path/to/cacert.pem

Enable OVN IPsec

To enable OVN IPsec, set the ipsec column of the NB_Global table in the northbound database to true:

$ ovn-nbctl set nb_global . ipsec=true

Once OVN IPsec is enabled, all OVN tunnel traffic is encrypted with IPsec. To disable it, set ipsec in the NB_Global table of the northbound database to false:

$ ovn-nbctl set nb_global . ipsec=false

Troubleshooting

The ovs-monitor-ipsec daemon on each chassis manages the IPsec tunnels and monitors their status. Use the following ovs-appctl command to display the tunnel configuration state inside the ovs-monitor-ipsec process:

$ ovs-appctl -t ovs-monitor-ipsec tunnels/show

If a tunnel is not configured properly, ovs-appctl should show the reason, for example:

   Interface name: ovn-host_2-0 v1 (CONFIGURED) <--- should be CONFIGURED; otherwise an error message is shown here
   Tunnel Type:    geneve
   Remote IP:      2.2.2.2
   SKB mark:       None
   Local cert:     /path/to/chassis-cert.pem
   Local name:     host_1
   Local key:      /path/to/chassis-privkey.pem
   Remote cert:    None
   Remote name:    host_2
   CA cert:        /path/to/cacert.pem
   PSK:            None
   Ofport:         2          <--- whether ovs-vswitchd has assigned an Ofport number to this tunnel port
   CFM state:      Disabled     <--- CFM indicates whether this tunnel is healthy
   Kernel policies installed:
   ...                          <--- IPsec policies that strongSwan installed into the Linux kernel for this OVS tunnel
   Kernel security associations installed:
   ...                          <--- IPsec security associations that strongSwan installed into the Linux kernel for this OVS tunnel
   IPsec connections that are active:
   ...                          <--- IPsec "connections" for this OVS tunnel

If the output above shows no active connections, try refreshing the ovs-monitor-ipsec process:

$ ovs-appctl -t ovs-monitor-ipsec refresh

You can also check the logs of the ovs-monitor-ipsec process and of the IKE daemon to find the problem. ovs-monitor-ipsec writes its log to /var/log/openvswitch/ovs-monitor-ipsec.log.
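When a chassis has many tunnels, reading tunnels/show by eye is error-prone. The following is an added example, not part of the original guide or of the OVS code base: a small parser for the tunnels/show output that flags tunnels whose state is not CONFIGURED, that have no Ofport assigned, or that have no active IPsec connection. The sample output is constructed, and the "NOT CONFIGURED" state string in it is an assumption standing in for whatever error message ovs-monitor-ipsec prints in your version.

```python
import re
# Constructed sample of `ovs-appctl -t ovs-monitor-ipsec tunnels/show` output: ovn-host_2-0 is healthy, ovn-host_3-0 is broken.
SAMPLE_OUTPUT = """\
Interface name: ovn-host_2-0 v1 (CONFIGURED)
  Ofport:         2
  Kernel policies installed:
    src 1.1.1.1/32 dst 2.2.2.2/32 proto udp dport 6081
  Kernel security associations installed:
  IPsec connections that are active:
    ovn-host_2-0-in-1[1]: ESTABLISHED
Interface name: ovn-host_3-0 v1 (NOT CONFIGURED)
  Ofport:         None
  IPsec connections that are active:
"""
HEADER_RE = re.compile(r"^Interface name:\s+(\S+)\s+v\d+\s+\((.*)\)$")
SECTIONS = ("Kernel policies installed:", "Kernel security associations installed:",
            "IPsec connections that are active:")

def parse_tunnels_show(text):
    """Return {interface: {"state", "fields", "sections"}} parsed from tunnels/show text."""
    tunnels, cur, section = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER_RE.match(line)
        if m:                        # "Interface name: <iface> v<n> (<state>)" starts a tunnel block
            cur = tunnels[m.group(1)] = {"state": m.group(2), "fields": {}, "sections": {}}
            section = None
        elif line in SECTIONS:       # kernel policy / SA / IKE connection lists follow this header
            section = line
            cur["sections"][section] = []
        elif section is not None:
            cur["sections"][section].append(line)
        else:                        # "Key: value" attribute lines such as Ofport or Remote IP
            key, _, value = line.partition(":")
            cur["fields"][key.strip()] = value.strip()
    return tunnels

def check_tunnels(text):
    """Map each unhealthy tunnel to its list of problems; healthy tunnels are omitted."""
    report = {}
    for name, t in parse_tunnels_show(text).items():
        issues = []
        if t["state"] != "CONFIGURED":
            issues.append("state is %s, expected CONFIGURED" % t["state"])
        if not t["fields"].get("Ofport", "None").isdigit():
            issues.append("no Ofport assigned by ovs-vswitchd")
        if not t["sections"].get("IPsec connections that are active:"):
            issues.append("no active IPsec connection; try 'ovs-appctl -t ovs-monitor-ipsec refresh'")
        if issues:
            report[name] = issues
    return report
```

On a live chassis, feed the real output in with `check_tunnels(subprocess.check_output(["ovs-appctl", "-t", "ovs-monitor-ipsec", "tunnels/show"], text=True))`.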

Origin blog.csdn.net/sinat_20184565/article/details/94408531