On Wed, Mar 2, 2022 at 8:40 AM Andreas Karis <ak.ka...@gmail.com> wrote:
>
> Tunnels in LibreSwan and OpenSwan allow for many options to be set on a
> per tunnel basis. Pass through any options starting with ipsec_ to the
> connection in the configuration file. Administrators are responsible for
> picking valid key/value pairs.
>
> Signed-off-by: Andreas Karis <ak.ka...@gmail.com>
Acked-by: Mike Pattrick <m...@redhat.com> > --- > Documentation/tutorials/ipsec.rst | 45 +++++++++++++++++++++++++++++++ > ipsec/ovs-monitor-ipsec.in | 17 +++++++++++- > vswitchd/vswitch.xml | 4 ++- > 3 files changed, 64 insertions(+), 2 deletions(-) > > diff --git a/Documentation/tutorials/ipsec.rst > b/Documentation/tutorials/ipsec.rst > index b6cc1c3a8..00cdc5ec2 100644 > --- a/Documentation/tutorials/ipsec.rst > +++ b/Documentation/tutorials/ipsec.rst > @@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is > 2.2.2.2. Make sure > You should be able to see that ESP packets are being sent from `host_1` to > `host_2`. > > +Custom options > +--------------- > + > +Any parameter prefixed with `ipsec_` will be added to the connection profile. > +For example:: > + > + # ovs-vsctl set interface tun options:ipsec_encapsulation=yes > + > +Will result in:: > + > + # ovs-appctl -t ovs-monitor-ipsec tunnels/show > + Interface name: tun v7 (CONFIGURED) > + Tunnel Type: vxlan > + Local IP: 192.0.0.1 > + Remote IP: 192.0.0.2 > + Address Family: IPv4 > + SKB mark: None > + Local cert: None > + Local name: None > + Local key: None > + Remote cert: None > + Remote name: None > + CA cert: None > + PSK: swordfish > + Custom Options: {'encapsulation': 'yes'} > + > +And in the following connection profiles:: > + > + conn tun-in-7 > + left=192.0.0.1 > + right=192.0.0.2 > + authby=secret > + encapsulation=yes > + leftprotoport=udp/4789 > + rightprotoport=udp > + > + conn tun-out-7 > + left=192.0.0.1 > + right=192.0.0.2 > + authby=secret > + encapsulation=yes > + leftprotoport=udp > + rightprotoport=udp/4789 > + > Troubleshooting > --------------- > > @@ -329,6 +373,7 @@ For example:: > Remote name: None > CA cert: None > PSK: swordfish > + Custom Options: {} > Ofport: 1 <--- Whether ovs-vswitchd has assigned Ofport > number to this Tunnel Port > CFM state: Up <--- Whether CFM declared this tunnel healthy 
> diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in > index a8b0705d9..e422b07bf 100755 > --- a/ipsec/ovs-monitor-ipsec.in > +++ b/ipsec/ovs-monitor-ipsec.in > @@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan > tmpl = self.auth_tmpl["pki_ca"] > auth_section = tmpl.substitute(tunnel.conf) > > + if "custom_options" in tunnel.conf: > + for key, value in tunnel.conf["custom_options"].items(): > + auth_section += "\n " + key + "=" + value > + > vals = tunnel.conf.copy() > vals["auth_section"] = auth_section > vals["version"] = tunnel.version > @@ -543,6 +547,10 @@ conn prevent_unencrypted_vxlan > if tunnel.conf["address_family"] == "IPv6": > auth_section = self.IPV6_CONN + auth_section > > + if "custom_options" in tunnel.conf: > + for key, value in tunnel.conf["custom_options"].items(): > + auth_section += "\n " + key + "=" + value > + > vals = tunnel.conf.copy() > vals["auth_section"] = auth_section > vals["version"] = tunnel.version > @@ -819,6 +827,7 @@ class IPsecTunnel(object): > Remote name: $remote_name > CA cert: $ca_cert > PSK: $psk > + Custom Options: $custom_options > """) > > unixctl_status_tmpl = Template("""\ > @@ -862,7 +871,13 @@ class IPsecTunnel(object): > "remote_cert": remote_cert, > "remote_name": remote_name, > "local_name": monitor.conf["pki"]["local_name"], > - "psk": options.get("psk")} > + "psk": options.get("psk"), > + "custom_options": {}} > + > + # add custom ipsec options to the connection > + for key, value in options.items(): > + if key.startswith("ipsec_"): > + new_conf["custom_options"][key[len("ipsec_"):]] = value > > if self.conf != new_conf: > # Configuration was updated in OVSDB. Validate it and figure > diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml > index 0c6632617..b124fee54 100644 > --- a/vswitchd/vswitch.xml > +++ b/vswitchd/vswitch.xml 
> @@ -1046,7 +1046,9 @@ > <p> > These settings control the global configuration of IPsec tunnels. > The > <code>options</code> column of the <code>Interface</code> table > - configures IPsec for individual tunnels. > + configures IPsec for individual tunnels. The <code>options</code> > + column also allows for custom options prefixed with > <code>ipsec_</code> > + to be passed to the individual connections. > </p> > <p> > OVS IPsec supports the following three forms of authentication. > -- > 2.35.1 > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
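Review bot: the new "Custom options" section in Documentation/tutorials/ipsec.rst should say that the key/value pair is written into the connection verbatim, with only the `ipsec_` prefix stripped, and is not validated, so a key the generator already emits (`left`, `right`, `authby`, `leftprotoport`, `rightprotoport` in the example profiles) or a value the IKE daemon rejects will silently produce a broken or weaker tunnel. The commit message puts that responsibility on the administrator, but the tutorial is where a reader will look for it; one sentence under the example such as "ovs-monitor-ipsec does not validate these options; check `ovs-appctl -t ovs-monitor-ipsec tunnels/show` and the IKE daemon's log after setting one" would do. Minor: the underline for "Custom options" is one `-` longer than the title, while the neighbouring "Troubleshooting" underline is sized to its title.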
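Review bot: in the @@ -313 hunk of ipsec/ovs-monitor-ipsec.in, `auth_section += "\n " + key + "=" + value` appends both strings unchecked, so a value taken from the OVSDB options column that contains a newline, or a key containing whitespace or `=`, is written straight into the generated configuration and can add or override other directives in this connection or terminate the section early. Whoever can write the Interface table's options can already set `psk`, so this is not a new trust boundary, but a malformed value currently breaks the generated configuration for every tunnel rather than just the one that carries it. Suggest rejecting (and logging) keys or values containing whitespace or newlines, and keys containing `=`, at the point where `custom_options` is built, so the loop here only ever sees clean pairs.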
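Review bot: the block added in the @@ -543 hunk of ipsec/ovs-monitor-ipsec.in is a verbatim copy of the one added at @@ -313 in the other helper class; move the formatting into one place, for example a small method on `IPsecTunnel` (which already owns `conf["custom_options"]`) that returns the formatted lines, and call it from both helpers, so that any later validation or formatting change is made once. The `if "custom_options" in tunnel.conf:` guard in both places is also redundant once the @@ -862 hunk always initialises `"custom_options": {}` in `new_conf`.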
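Review bot: in the @@ -819 hunk, `Custom Options: $custom_options` renders the Python dict repr (`{'encapsulation': 'yes'}`, as the tutorial output shows), which differs in style from every other field in this status block and is awkward to grep; consider formatting it as a list of `key=value` pairs, or printing `None` when the dict is empty, matching the `None` already used for unset cert and name fields.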
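Review bot: in the @@ -862 hunk, `key[len("ipsec_"):]` is stored without checking that anything is left, so an option named exactly `ipsec_` yields an empty key and an ` =value` line in the generated configuration; and nothing stops a custom key from colliding with one the templates already emit (`left`, `right`, `authby`, `leftprotoport`, `rightprotoport`), where the outcome depends on how the IKE daemon resolves duplicate keys within a `conn`. Suggest skipping, with a log message, empty keys and keys in the set the generator owns. Placing custom options in `new_conf` does correctly route a changed option through the existing `self.conf != new_conf` reconfiguration path.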
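Review bot: the sentence added to vswitchd/vswitch.xml says custom options are "passed to the individual connections" but not that the `ipsec_` prefix is stripped, that the remainder is written as `key=value` into the connection section unchanged, or that nothing validates it; since the per-tunnel keys such as `psk` are read from the Interface table's options column (see the @@ -862 hunk), the `ipsec_` prefix should be documented where those per-tunnel keys are described as well, with this global paragraph pointing there. Also `<code>ipsec_</code>` sits on a line of its own in the middle of the sentence; harmless in XML, but worth rejoining with the surrounding text.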