On Tue, Nov 15, 2016 at 12:46 AM, Bolesław Tokarski
<boleslaw.tokar...@gmail.com> wrote:
> Hi,
>
> I found that IPsec - GRE tunnel-ports support was deprecated in OVS 2.6 and
> removed from 2.7/master recently
> (https://mail.openvswitch.org/pipermail/ovs-git/2016-September/018774.html)

I think that the title of that patch is slightly misleading. It should
have been simply "Remove ovs-monitor-ipsec from OVS" and not "Allow
external IPsec tunnel management", because external IPsec tunnel
management was already possible before that patch by simply not
installing the openvswitch-ipsec package and letting the administrator
populate IPsec configuration files manually.

>
> I am yet to come across a good guide on how to set up an OVS IPsec-GRE
> tunnel port alternative. Most guides are either for site-to-site IPsec
> tunnels, or for OVS GRE tunnels.

Such guides in detail would be on the strongSwan, racoon, OpenSwan or
libreswan project sites. However, if you are interested you can take a
peek at this link -
https://www.mail-archive.com/dev@openvswitch.org/msg46915.html - and
extract what the ovs-monitor-ipsec daemon would set in the ipsec.conf and
ipsec.secrets files.

If you are ok to skip this particular OVS 2.7 version, then I plan to
reintroduce the ovs-monitor-ipsec daemon in the next one. It was abruptly
removed because it was decided that ovs-monitor-ipsec can't have a
hard-coded bit of skb_mark because it interferes with OpenFlow
skb_mark match.
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
