Thanks for the update, Mairtin! Acked-by: Mark Michelson <[email protected]>
I pushed this to main. On Tue, May 26, 2026 at 6:14 AM Mairtin O'Loingsigh via dev <[email protected]> wrote: > > Add ability to pass any nb_global option with the ipsec prefix to sb, which > ovs-monitor-ipsec will use to configure IPsec backend. For example > > ovn-nbctl set nb_global . options:ipsec_replay-window=128 > ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > Reported-at: https://redhat.atlassian.net/browse/FDP-3029 > Signed-off-by: Mairtin O'Loingsigh <[email protected]> > --- > Changes since v2: > - Update ovn-ipsec.rst with the following > * encapsulation/forceencaps are boolean and only accept true/yes. > * Other ipsec_* options pass through directly. > - ipsec_encapsulation=yes works like =true. > - Uses node->value not smap_get(). > - Move ipsec_* Column inside "Security Configurations" group. > - Fix spelling typos. > - Add ipsec.conf reference with <code> style. > Changes since v1: > - Make prefix string static const. > - Fix documentation. > - Update news entry to reference NB_Global. > > Documentation/tutorials/ovn-ipsec.rst | 7 +++++++ > NEWS | 2 ++ > controller/encaps.c | 28 +++++++++++++++++---------- > ovn-nb.xml | 7 +++++++ > tests/ovn-ipsec.at | 12 ++++++++++++ > 5 files changed, 46 insertions(+), 10 deletions(-) > > diff --git a/Documentation/tutorials/ovn-ipsec.rst > b/Documentation/tutorials/ovn-ipsec.rst > index aebd3e848..249d3230a 100644 > --- a/Documentation/tutorials/ovn-ipsec.rst > +++ b/Documentation/tutorials/ovn-ipsec.rst 
> @@ -166,6 +166,13 @@ You can also check the logs of the ``ovs-monitor-ipsec`` > daemon and the IKE > daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to > ``/var/log/openvswitch/ovs-monitor-ipsec.log``. > > +The ipsec_encapsulation and ipsec_forceencaps options are boolean > +and only accept true or yes. Additional "ipsec_*" options such as > +the one below can be set to pass configuration directly to the underlying > +IPsec backend. > + > + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 > + > Bug Reporting > ------------- > > diff --git a/NEWS b/NEWS > index e34a219ad..c7cec2c33 100644 > --- a/NEWS > +++ b/NEWS > @@ -1,5 +1,7 @@ > Post v26.03.0 > ------------- > + - Added ability to set any "ipsec_*" NB_Global option to configure the > + IPsec backend. > - Documented missing ovn-nbctl commands: "mirror-rule-add", > "mirror-rule-del", "lr-nat-update-ext-ip", > "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", > diff --git a/controller/encaps.c b/controller/encaps.c > index 081fbe671..048e85c38 100644 > --- a/controller/encaps.c > +++ b/controller/encaps.c 
> @@ -265,16 +265,24 @@ tunnel_add(struct tunnel_ctx *tc, > /* Force NAT-T traversal via configuration */ > /* Two ipsec backends are supported: libreswan and strongswan */ > /* libreswan param: encapsulation; strongswan param: forceencaps */ > - bool encapsulation; > - bool forceencaps; > - encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation", > - false); > - forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", > false); > - if (encapsulation) { > - smap_add(&options, "ipsec_encapsulation", "yes"); > - } > - if (forceencaps) { > - smap_add(&options, "ipsec_forceencaps", "yes"); > + > + struct smap_node *node; > + SMAP_FOR_EACH (node, &sbg->options) { > + static const char ipsec_prefix[] = "ipsec_"; > + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix))) { > + if (!strcmp(node->key, "ipsec_encapsulation") || > + !strcmp(node->key, "ipsec_forceencaps")) { > + if (!strcasecmp(node->value, "true") || > + !strcasecmp(node->value, "yes")) { > + smap_add(&options, node->key, "yes"); > + } > + continue; > + } > + > + if (node->value) { > + smap_add(&options, node->key, node->value); > + } > + } > } > } > > diff --git a/ovn-nb.xml b/ovn-nb.xml > index 442657018..38c6a84a2 100644 > --- a/ovn-nb.xml > +++ b/ovn-nb.xml > @@ -601,6 +601,13 @@ > Tunnel encryption configuration. If this column is set to be true, > all > OVN tunnels will be encrypted with IPsec. > </column> > + > + <column name="options" key="ipsec_*"> > + IPsec configuration parameters are passed to IPsec backend by > prefixing > + libreswan/strongswan options with ipsec_. Please reference > + <code>ipsec.conf</code>(5) for a comprehensive set of instructions on > + IPsec configuration. > + </column> > </group> > > <group title="Read-only Options"> > diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at > index 961fc643f..05fbced28 100644 > --- a/tests/ovn-ipsec.at > +++ b/tests/ovn-ipsec.at 
> @@ -45,6 +45,10 @@ ovs-vsctl \ > # Enable IPsec > check ovn-nbctl set nb_global . ipsec=true > check ovn-nbctl set nb_global . options:ipsec_encapsulation=true > +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 > +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > check ovn-nbctl --wait=hv sync 
> > @@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface > ovn-hv1-0 options:remote_i > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d > '"\n'], [0], [192.168.0.2]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr > -d '\n'], [0], [hv1]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | > tr -d '\n'], [0], ["30s"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout > | tr -d '\n'], [0], ["120s"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime > | tr -d '\n'], [0], ["8h"]) > OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 > options:remote_ip | tr -d '"\n'` = x192.168.0.2]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d > '"\n'], [0], [192.168.0.1]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr > -d '\n'], [0], [hv2]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | > tr -d '\n'], [0], ["30s"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout > | tr -d '\n'], [0], ["120s"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime > | tr -d '\n'], [0], ["8h"]) > > AT_CLEANUP > -- > 2.54.0 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list [email 
protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
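Review bot: in the ovn-ipsec.rst hunk, the indented `$ ovn-nbctl set nb_global . options:ipsec_replay-window=128` line follows a paragraph that does not end in `::`, so Sphinx will render it as a block quote rather than a literal block; end the preceding sentence with `::` (or use a `.. code-block:: none` directive). While there, put `ipsec_encapsulation`, `ipsec_forceencaps` and `ipsec_*` in double backticks to match the ``ovs-monitor-ipsec`` markup in the surrounding lines, and say explicitly that any value other than true/yes for the two boolean options is dropped rather than forwarded, since that is what the `continue` in the encaps.c change does.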
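Review bot: in the encaps.c hunk, every `ipsec_*` key other than the two boolean ones is copied to the tunnel interface options verbatim with no check on the key or the value, and the commit message says ovs-monitor-ipsec feeds these straight into the IPsec backend configuration; consider rejecting (and logging) values that contain whitespace, newlines or quotes so a single malformed NB option cannot break the generated backend config for every tunnel, or at least state in the column documentation that values are passed through unvalidated. Two smaller points: `static const char ipsec_prefix[] = "ipsec_";` is declared inside the loop body, so hoisting it above `SMAP_FOR_EACH` (and using `sizeof ipsec_prefix - 1` instead of `strlen(ipsec_prefix)`) reads better; and the `if (node->value)` guard before the second `smap_add` has no counterpart in the boolean branch, which calls `strcasecmp(node->value, "true")` unguarded, so either both paths need the guard or neither does.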
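Review bot: the new `<column name="options" key="ipsec_*">` text in ovn-nb.xml does not mention that `ipsec_encapsulation` and `ipsec_forceencaps` are handled specially (only true/yes is honoured and they are always emitted as `yes`), which the ovn-ipsec.rst hunk does say; add that sentence here too so the schema documentation matches the code, and spell out that the remaining keys are forwarded to ovs-monitor-ipsec with the `ipsec_` prefix intact and their values unchanged. The line break inside "by\nprefixing" also looks like wrapping at the wrong place; keep the sentence on one line or wrap at the column width used by the surrounding `<column>` entries.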
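Review bot: the additions to ovn-ipsec.at only exercise the pass-through path; add a negative case so the filtering in encaps.c is covered, e.g. set `options:ipsec_encapsulation=false` and a non-prefixed option such as `options:foo=bar`, then check with `ovs-vsctl --if-exists get Interface ovn-hv1-0 options:ipsec_encapsulation` and `options:foo` that neither reaches the tunnel interface. Also note the expected values for the new options are quoted (`["100"]`, `["30s"]`) while `ipsec_encapsulation` is `[yes]`, because `ovs-vsctl get` quotes strings that are not plain identifiers; using the `tr -d '"\n'` form already used for the `local_ip` checks in the same hunk would make these lines consistent.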
