* [pve-devel] [PATCH pve-docs 0/2] sdn: evpn && vxlan improvements
From: Alexandre Derumier @ 2021-09-06 3:57 UTC (permalink / raw)
To: pve-devel
add new evpn options && notes on vxlan encryption
Alexandre Derumier (2):
pvesdn: add evpn Advertise Subnets && Exit Nodes Local routing options
sdn: add vxlan encryption notes
pvesdn.adoc | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
--
2.30.2
* [pve-devel] [PATCH pve-docs 1/2] pvesdn: add evpn Advertise Subnets && Exit Nodes Local routing options
From: Alexandre Derumier @ 2021-09-06 3:57 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
pvesdn.adoc | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 3b3fd8f..d26c6b9 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -233,6 +233,15 @@ Exit Nodes:: This is used if you want to define some proxmox nodes, as exit
gateway from evpn network through real network. The configured nodes will
announce a default route in the EVPN network.
+Advertise Subnets:: Optional. If you have silent vms/CT (for example, multiples
+ ips by interfaces, and the anycast gateway don't see traffic from theses ips,
+ the ips addresses won't be able to be reach inside the evpn network). This
+ option will announce the full subnet in the evpn network in this case.
+
+Exit Nodes local routing:: Optional. This is a special option if you need to
+ reach a vm/ct service from an exit node. (By default, the exit nodes only
+ allow forwarding traffic between real network and evpn network).
+
MTU:: because VXLAN encapsulation use 50 bytes, the MTU needs to be 50 bytes
lower than the maximal MTU of the outgoing physical interface.
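Review bot: the new Advertise Subnets entry (the lines from `+Advertise Subnets:: Optional.` to `+ option will announce the full subnet`) needs wording fixes before it reads cleanly in the docs: "multiples ips by interfaces" should be "multiple IPs per interface", "theses ips" should be "these IPs", "won't be able to be reach" should be "won't be reachable", and the parenthesis opened after "silent vms/CT" only closes at the end of the following sentence. Suggested rewording: "Optional. If you have silent VMs/CTs (for example, multiple IPs on one interface), the anycast gateway never sees traffic from those IPs and they are not reachable inside the EVPN network. Enabling this option announces the full subnet in the EVPN network instead." For the Exit Nodes local routing entry, state the default first and the option second, e.g. "By default, exit nodes only forward traffic between the real network and the EVPN network; enable this option if you need to reach a VM/CT service from an exit node itself."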
--
2.30.2
* [pve-devel] [PATCH pve-docs 2/2] sdn: add vxlan encryption notes
From: Alexandre Derumier @ 2021-09-06 3:57 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
pvesdn.adoc | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index d26c6b9..eae47ad 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -898,3 +898,55 @@ public network can reply back.
If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24
and 10.0.2.0/24 in this example), will be announced dynamically.
+
+
+Notes
+-----
+
+Vxlan Encryption
+~~~~~~~~~~~~~~~~
+If you need to add encryption on top of vxlan, it's possible to do it with strongswan software.
+You'll need to reduce the mtu around 60bytes (ipv4) or 80bytes (ipv6) to handle encryption.
+
+So with default 1500 mtu, you need mtu 1370 (1370 + 80bytes ipsec + 50 bytes vxlan).
+
+
+Install strongwan
+----
+apt install strongwan
+----
+
+Add configuration in /etc/ipsec.conf.
+(Encrypt only vxlan udp port 4789)
+
+----
+conn %default
+ ike=aes256-sha1-modp1024! #the fastest (but reasonably secure)cipher on reasonably modern hardware
+ esp=aes256-sha1!
+ leftfirewall=yes # this is necessary when using Proxmox firewall rules
+
+conn output
+ rightsubnet=%dynamic[udp/4789]
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
+
+conn input
+ leftsubnet=%dynamic[udp/4789]
+ type=transport
+ authby=psk
+ auto=route
+----
+
+Then generate a preshared key with
+
+----
+openssl rand -base64 128
+----
+
+and copy the key in /etc/ipsec.secrets
+
+----
+: PSK <generatedbase64key>
+----
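Review bot: the proposal `ike=aes256-sha1-modp1024!` / `esp=aes256-sha1!` pairs AES-256 with SHA-1 integrity and the 1024-bit modp1024 Diffie-Hellman group, which is below current key-exchange recommendations, so the inline comment "the fastest (but reasonably secure) cipher" overstates it and the "fastest" claim is hardware-dependent anyway; suggest `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256!` and dropping the performance comment. Smaller points in the same hunk: "strongwan" is misspelled in the heading and in `apt install strongwan`; the MTU sentence should read "reduce the MTU by around 60 bytes (IPv4) or 80 bytes (IPv6)", and the 1370 figure should say it assumes the IPv6 (80-byte) overhead so readers do not treat it as the only valid value; for `/etc/ipsec.secrets`, prefer the documented quoted form `: PSK "<generatedbase64key>"` (or the `0s<base64>` form) since the generated value contains `+`, `/` and `=` characters. It would also help to state why `auto=route` is the right choice here: the trap policy makes VXLAN packets to a peer trigger IKE negotiation rather than leave the host in clear text before the SA is up.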
--
2.30.2
* [pve-devel] applied: [PATCH pve-docs 1/2] pvesdn: add evpn Advertise Subnets && Exit Nodes Local routing options
From: Thomas Lamprecht @ 2021-09-10 12:56 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
On 06.09.21 05:57, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> pvesdn.adoc | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>
applied, thanks!
* [pve-devel] applied: [PATCH pve-docs 2/2] sdn: add vxlan encryption notes
From: Thomas Lamprecht @ 2021-09-10 13:01 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
On 06.09.21 05:57, Alexandre Derumier wrote:
> ...
> +So with default 1500 mtu, you need mtu 1370 (1370 + 80bytes ipsec + 50 bytes vxlan).
> +
> +
> +Install strongwan
typo strongwan vs. strongswan (missing s).
> +----
> +apt install strongwan
same typo
applied with above typos fixed and some wording/format fixes in general, thanks!