Both LibreSwan and OpenSwan allow administrators to unconditionally force-enable NAT-T for ESP. This may help to get through restrictive firewalls in scenarios where IP protocol number 50 is blocked but NAT autodetection fails. Add a switch, --force-encapsulation, to expose this feature to users of ovs-monitor-ipsec.
Signed-off-by: Andreas Karis <ak.ka...@gmail.com>
---
 ipsec/ovs-monitor-ipsec.in | 31 +++++++++++++++++++++++--------
 utilities/ovs-ctl.in | 7 +++++++
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 89a36fe17..0e1847cba 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -171,8 +171,9 @@ conn %%default
 auto=route
 ike=aes256gcm16-sha256-modp2048
 esp=aes256gcm16-modp2048
+ %s
-""" % (FILE_HEADER)
+"""
 CA_SECTION = """ca ca_auth
 cacert=%s
@@ -219,13 +220,17 @@ conn prevent_unencrypted_vxlan
 rightid=$remote_name
 leftcert=$certificate""")}
- def __init__(self, root_prefix):
+ def __init__(self, root_prefix, args):
 self.CHARON_CONF = root_prefix + "/etc/strongswan.d/ovs.conf"
 self.IPSEC = root_prefix + "/usr/sbin/ipsec"
 self.IPSEC_CONF = root_prefix + "/etc/ipsec.conf"
 self.IPSEC_SECRETS = root_prefix + "/etc/ipsec.secrets"
 self.conf_file = None
 self.secrets_file = None
+ if args.force_encapsulation:
+ self.extra_params = "forceencaps=yes"
+ else:
+ self.extra_params = ""
 def restart_ike_daemon(self):
 """This function restarts StrongSwan."""
@@ -234,7 +239,7 @@ conn prevent_unencrypted_vxlan
 f.close()
 f = open(self.IPSEC_CONF, "w")
- f.write(self.CONF_HEADER)
+ f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
 f.close()
 f = open(self.IPSEC_SECRETS, "w")
@@ -274,7 +279,8 @@ conn prevent_unencrypted_vxlan
 def config_init(self):
 self.conf_file = open(self.IPSEC_CONF, "w")
 self.secrets_file = open(self.IPSEC_SECRETS, "w")
- self.conf_file.write(self.CONF_HEADER)
+ self.conf_file.write(self.CONF_HEADER %
+ (FILE_HEADER, self.extra_params))
 self.secrets_file.write(FILE_HEADER)
 def config_global(self, monitor):
@@ -387,8 +393,9 @@ conn %%default
 ike=aes_gcm256-sha2_256
 esp=aes_gcm256
 ikev2=insist
+ %s
-""" % (FILE_HEADER)
+"""
 SHUNT_POLICY = """conn prevent_unencrypted_gre
 type=drop 
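Review bot: The `CONF_HEADER` template now carries two positional `%s` placeholders whose order (FILE_HEADER first, extra_params second) is repeated verbatim at four write sites — `restart_ike_daemon` and `config_init` in both helpers (the `@@ -234`, `@@ -274`, `@@ -472` and `@@ -485` hunks) — so a later edit to the template can silently swap them. Formatting once in `__init__`, e.g. `self.conf_header = self.CONF_HEADER % (FILE_HEADER, self.extra_params)`, and writing `self.conf_header` at those sites keeps a single substitution point; named placeholders (`%(file_header)s`, `%(extra_params)s`) would make the order explicit as well. Both substituted values are fixed literals, so nothing user-controlled reaches ipsec.conf through this path. When `extra_params` is empty the `%s` line becomes an indented blank line inside `conn %default`, which ipsec.conf tolerates but which deserves a comment such as `# optional extra conn parameters (forced NAT-T); may be empty`. The LibreSwan template in the `@@ -387` hunk has the same shape.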
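Review bot: The four-line `if args.force_encapsulation: ... else:` block added to `StrongSwanHelper.__init__` reads more clearly as one conditional expression, `self.extra_params = "forceencaps=yes" if args.force_encapsulation else ""`, and the same shape recurs in the LibreSwan `__init__` in the `@@ -452` hunk (whose enclosing function starts before that hunk) with `encapsulation=yes`. Because `args` is now dereferenced unconditionally, a caller constructing the helper with an argparse namespace that lacks the new option would fail with AttributeError; `getattr(args, "force_encapsulation", False)` keeps the helper usable from such callers. A why-comment would help the next reader, e.g. `# forceencaps=yes makes strongSwan use UDP encapsulation (NAT-T) even when no NAT is detected`, with the LibreSwan keyword for the same behaviour being `encapsulation=yes`. Note that the commit message refers to OpenSwan while the keyword added here is strongSwan's.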
@@ -452,6 +459,10 @@ conn prevent_unencrypted_vxlan
 else "/etc/ipsec.secrets")
 ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
 else "/run/pluto/pluto.ctl")
+ if args.force_encapsulation:
+ self.extra_params = "encapsulation=yes"
+ else:
+ self.extra_params = ""
 self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
 self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
@@ -472,7 +483,7 @@ conn prevent_unencrypted_vxlan
 self._nss_clear_database()
 f = open(self.IPSEC_CONF, "w")
- f.write(self.CONF_HEADER)
+ f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
 f.close()
 f = open(self.IPSEC_SECRETS, "w")
@@ -485,7 +496,8 @@ conn prevent_unencrypted_vxlan
 def config_init(self):
 self.conf_file = open(self.IPSEC_CONF, "w")
 self.secrets_file = open(self.IPSEC_SECRETS, "w")
- self.conf_file.write(self.CONF_HEADER)
+ self.conf_file.write(self.CONF_HEADER %
+ (FILE_HEADER, self.extra_params))
 self.secrets_file.write(FILE_HEADER)
 def config_global(self, monitor):
@@ -1012,7 +1024,7 @@ class IPsecMonitor(object):
 # Choose to either use StrongSwan or LibreSwan as IKE daemon
 if ike_daemon == "strongswan":
- self.ike_helper = StrongSwanHelper(root_prefix)
+ self.ike_helper = StrongSwanHelper(root_prefix, args)
 elif ike_daemon == "libreswan":
 self.ike_helper = LibreSwanHelper(root_prefix, args)
 else:
@@ -1284,6 +1296,9 @@ def main():
 parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
 help="Use DIR/IPSEC-CTL as location for "
 " pluto ctl socket (libreswan only).")
+ parser.add_argument("--force-encapsulation", action='store_true',
+ help="Unconditionally enable ESP NAT-T encapsulation."
+ " (either libreswan or strongswan).")
 ovs.vlog.add_args(parser)
 ovs.daemon.add_args(parser)
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index e6e07f476..deb715ae5 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in 
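Review bot: The help string for `--force-encapsulation` in `main()` is built from two literals that join as `...encapsulation. (either libreswan or strongswan).`, leaving a stray full stop before the parenthesis, and `action='store_true'` uses single quotes where the neighbouring `metavar="IPSEC-CTL"` and `help=` strings use double quotes. Suggested: `parser.add_argument("--force-encapsulation", action="store_true",` / `help="Unconditionally force ESP NAT-T encapsulation "` / `"(ESP over UDP/4500; libreswan or strongswan).")`. That wording also matches the ovs-ctl usage text added in the same patch.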
@@ -240,11 +240,15 @@ start_ovs_ipsec () {
 if test X$RESTART_IKE_DAEMON = Xno; then
 no_restart="--no-restart-ike-daemon"
 fi
+ if test X$FORCE_ENCAPSULATION = Xyes; then
+ force_encapsulation="--force-encapsulation"
+ fi
 ${datadir}/scripts/ovs-monitor-ipsec \
 --pidfile=${rundir}/ovs-monitor-ipsec.pid \
 --ike-daemon=$IKE_DAEMON \
 $no_restart \
+ $force_encapsulation \
 --log-file --detach --monitor unix:${rundir}/db.sock || return 1
 return 0
 }
@@ -354,6 +358,7 @@ set_defaults () {
 IKE_DAEMON=
 RESTART_IKE_DAEMON=yes
+ FORCE_ENCAPSULATION=no
 type_file=$etcdir/system-type.conf
 version_file=$etcdir/system-version.conf
@@ -448,6 +453,8 @@ Option for "start-ovs-ipsec":
 the IKE daemon for ipsec tunnels (either libreswan or strongswan)
 --no-restart-ike-daemon
 do not restart the IKE daemon on startup
+ --force-encapsulation
+ Unconditionally force ESP NAT-T (ESP over udp/4500)
 Other options:
 -h, --help display this help message
-- 
2.35.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
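Review bot: `force_encapsulation` is only assigned inside the `if test X$FORCE_ENCAPSULATION = Xyes` branch, so when the option is off the unquoted `$force_encapsulation` on the ovs-monitor-ipsec command line relies on the variable being unset; ovs-ctl is typically launched from init scripts with an inherited environment, and a same-named variable there would be passed through as an extra argument. An explicit `force_encapsulation=` before the `if` closes that gap at no cost (the existing `no_restart` has the same shape and is presumably initialised earlier in `start_ovs_ipsec`, which begins before this hunk). The patch sets `FORCE_ENCAPSULATION=no` in `set_defaults` and documents `--force-encapsulation` in the usage text, so it appears to rely on ovs-ctl's generic `--option` handling to set `FORCE_ENCAPSULATION=yes`; worth confirming that parser accepts a bare flag without `=value`.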