Both LibreSwan and OpenSwan allow administrators to unconditionally
force-enable NAT-T for ESP. This may help to surmount restrictive
firewalls in scenarios where IP protocol number 50 is blocked, but where
NAT autodetection fails. Add a switch --force-encapsulation to expose
this feature to users of ovs-monitor-ipsec.

Signed-off-by: Andreas Karis <ak.ka...@gmail.com>
---
 ipsec/ovs-monitor-ipsec.in | 31 +++++++++++++++++++++++--------
 utilities/ovs-ctl.in       |  7 +++++++
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 89a36fe17..0e1847cba 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -171,8 +171,9 @@ conn %%default
     auto=route
     ike=aes256gcm16-sha256-modp2048
     esp=aes256gcm16-modp2048
+    %s
 
-""" % (FILE_HEADER)
+"""
 
     CA_SECTION = """ca ca_auth
     cacert=%s
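Review bot: CONF_HEADER is now a bare template with two positional `%s` slots (FILE_HEADER first, then the extra parameters inside `conn %default`), but nothing at the definition says so, and any writer that forgets the `%` formatting would emit a literal `%s` and `%%default` into ipsec.conf. A comment above the string such as `# Template; filled at write time with (FILE_HEADER, self.extra_params). '%%' escapes a literal '%'.` makes that contract visible. The libreswan template in the hunk at `ikev2=insist` has the same shape and deserves the same comment. When extra_params is empty the new line becomes an indented blank line inside the section, which is presumably harmless for both daemons but worth a quick check. The enclosing class definition starts before this hunk.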
@@ -219,13 +220,17 @@ conn prevent_unencrypted_vxlan
     rightid=$remote_name
     leftcert=$certificate""")}
 
-    def __init__(self, root_prefix):
+    def __init__(self, root_prefix, args):
         self.CHARON_CONF = root_prefix + "/etc/strongswan.d/ovs.conf"
         self.IPSEC = root_prefix + "/usr/sbin/ipsec"
         self.IPSEC_CONF = root_prefix + "/etc/ipsec.conf"
         self.IPSEC_SECRETS = root_prefix + "/etc/ipsec.secrets"
         self.conf_file = None
         self.secrets_file = None
+        if args.force_encapsulation:
+            self.extra_params = "forceencaps=yes"
+        else:
+            self.extra_params = ""
 
     def restart_ike_daemon(self):
         """This function restarts StrongSwan."""
@@ -234,7 +239,7 @@ conn prevent_unencrypted_vxlan
         f.close()
 
         f = open(self.IPSEC_CONF, "w")
-        f.write(self.CONF_HEADER)
+        f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
         f.close()
 
         f = open(self.IPSEC_SECRETS, "w")
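Review bot: `self.CONF_HEADER % (FILE_HEADER, self.extra_params)` is now spelled out in four places (this hunk, the `config_init` hunk after it, and the two libreswan hunks at `self._nss_clear_database()` and the second `config_init`); the tuple must track the template's placeholder order, so drift in one copy only surfaces at runtime as a TypeError. Rendering it once per helper in a small method, e.g. `def _conf_header(self):` returning that expression, keeps the argument tuple next to the template and gives one place to document the placeholders. The pre-existing `open`/`close` pairs without `with` are not changed by this commit. `restart_ike_daemon` starts and ends outside the hunk.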
@@ -274,7 +279,8 @@ conn prevent_unencrypted_vxlan
     def config_init(self):
         self.conf_file = open(self.IPSEC_CONF, "w")
         self.secrets_file = open(self.IPSEC_SECRETS, "w")
-        self.conf_file.write(self.CONF_HEADER)
+        self.conf_file.write(self.CONF_HEADER %
+            (FILE_HEADER, self.extra_params))
         self.secrets_file.write(FILE_HEADER)
 
     def config_global(self, monitor):
@@ -387,8 +393,9 @@ conn %%default
     ike=aes_gcm256-sha2_256
     esp=aes_gcm256
     ikev2=insist
+    %s
 
-""" % (FILE_HEADER)
+"""
 
     SHUNT_POLICY = """conn prevent_unencrypted_gre
     type=drop
@@ -452,6 +459,10 @@ conn prevent_unencrypted_vxlan
                         else "/etc/ipsec.secrets")
         ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
                         else "/run/pluto/pluto.ctl")
+        if args.force_encapsulation:
+            self.extra_params = "encapsulation=yes"
+        else:
+            self.extra_params = ""
 
         self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
         self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
@@ -472,7 +483,7 @@ conn prevent_unencrypted_vxlan
         self._nss_clear_database()
 
         f = open(self.IPSEC_CONF, "w")
-        f.write(self.CONF_HEADER)
+        f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
         f.close()
 
         f = open(self.IPSEC_SECRETS, "w")
@@ -485,7 +496,8 @@ conn prevent_unencrypted_vxlan
     def config_init(self):
         self.conf_file = open(self.IPSEC_CONF, "w")
         self.secrets_file = open(self.IPSEC_SECRETS, "w")
-        self.conf_file.write(self.CONF_HEADER)
+        self.conf_file.write(self.CONF_HEADER %
+            (FILE_HEADER, self.extra_params))
         self.secrets_file.write(FILE_HEADER)
 
     def config_global(self, monitor):
@@ -1012,7 +1024,7 @@ class IPsecMonitor(object):
 
         # Choose to either use StrongSwan or LibreSwan as IKE daemon
         if ike_daemon == "strongswan":
-            self.ike_helper = StrongSwanHelper(root_prefix)
+            self.ike_helper = StrongSwanHelper(root_prefix, args)
         elif ike_daemon == "libreswan":
             self.ike_helper = LibreSwanHelper(root_prefix, args)
         else:
@@ -1284,6 +1296,9 @@ def main():
     parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
                         help="Use DIR/IPSEC-CTL as location for "
                         " pluto ctl socket (libreswan only).")
+    parser.add_argument("--force-encapsulation", action='store_true',
+                        help="Unconditionally enable ESP NAT-T encapsulation."
+                        " (either libreswan or strongswan).")
 
     ovs.vlog.add_args(parser)
     ovs.daemon.add_args(parser)
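Review bot: The implicit concatenation of the new help strings renders as `Unconditionally enable ESP NAT-T encapsulation. (either libreswan or strongswan).`, with a period before the parenthetical; moving it gives `help="Unconditionally enable ESP NAT-T encapsulation "` followed by `"(either libreswan or strongswan)."`. The ovs-ctl usage text in this same patch describes the option as `ESP over udp/4500`, which is the more concrete wording; reusing that phrase here keeps the two help texts consistent for operators. `main` continues outside the hunk.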
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index e6e07f476..deb715ae5 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -240,11 +240,15 @@ start_ovs_ipsec () {
     if test X$RESTART_IKE_DAEMON = Xno; then
         no_restart="--no-restart-ike-daemon"
     fi
+    if test X$FORCE_ENCAPSULATION = Xyes; then
+        force_encapsulation="--force-encapsulation"
+    fi
 
     ${datadir}/scripts/ovs-monitor-ipsec \
         --pidfile=${rundir}/ovs-monitor-ipsec.pid \
         --ike-daemon=$IKE_DAEMON \
         $no_restart \
+        $force_encapsulation \
         --log-file --detach --monitor unix:${rundir}/db.sock || return 1
     return 0
 }
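Review bot: `force_encapsulation` is never initialised before the new `if`, so a variable of that name inherited from the environment would be passed through to ovs-monitor-ipsec unchanged; add `force_encapsulation=` ahead of the test. `no_restart` follows the same pattern in the context lines, and if it is likewise uninitialised above the hunk (not visible here) it deserves the same fix. Both are expanded unquoted on purpose so an empty value drops out of the argument list, which is fine as long as they only ever hold the fixed flag. The opening line of `start_ovs_ipsec` precedes the hunk.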
@@ -354,6 +358,7 @@ set_defaults () {
 
     IKE_DAEMON=
     RESTART_IKE_DAEMON=yes
+    FORCE_ENCAPSULATION=no
 
     type_file=$etcdir/system-type.conf
     version_file=$etcdir/system-version.conf
@@ -448,6 +453,8 @@ Option for "start-ovs-ipsec":
       the IKE daemon for ipsec tunnels (either libreswan or strongswan)
   --no-restart-ike-daemon
       do not restart the IKE daemon on startup
+  --force-encapsulation
+      Unconditionally force ESP NAT-T (ESP over udp/4500)
 
 Other options:
   -h, --help                  display this help message
-- 
2.35.1
