In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch uses that option as well to populate the 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
defaults to the previous behaviour of using '%defaultroute'.

Signed-off-by: Mark Gray <[email protected]>
---
 ipsec/ovs-monitor-ipsec.in | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index b84608a55d8a..7b1d94593636 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -416,11 +416,11 @@ conn prevent_unencrypted_vxlan
 """
 
     auth_tmpl = {"psk": Template("""\
-    left=%defaultroute
+    left=$local_ip
     right=$remote_ip
     authby=secret"""),
                  "pki_remote": Template("""\
-    left=%defaultroute
+    left=$local_ip
     right=$remote_ip
     leftid=@$local_name
     rightid=@$remote_name
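Review bot: The new `left=$local_ip` directive writes the OVS `local_ip` option into libreswan's ipsec.conf verbatim, and the only fallback (the `options.get("local_ip", "%defaultroute")` entry in the last hunk) applies when the key is absent, so an empty string produces `left=` and a non-address value is passed through untouched; the same applies to the `pki_remote` template here and the `pki_ca` template in the next hunk. Since `local_ip` is an operator-writable database option, it is worth rejecting anything that does not parse as an IP literal before it reaches the config: `local_ip = options.get("local_ip") or "%defaultroute"`, followed by an `ipaddress.ip_address()` check that logs a warning and falls back to `%defaultroute` on failure. If flow-based tunnels can carry `local_ip=flow` (as `remote_ip` can), that value would otherwise land in `left=` and the connection would fail to load. The `auth_tmpl` dict continues beyond this hunk.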
@@ -428,7 +428,7 @@ conn prevent_unencrypted_vxlan
     rightcert="$remote_name"
     leftrsasigkey=%cert"""),
                  "pki_ca": Template("""\
-    left=%defaultroute
+    left=$local_ip
     right=$remote_ip
     leftid=@$local_name
     rightid=@$remote_name
@@ -750,6 +750,7 @@ class IPsecTunnel(object):
 
     unixctl_config_tmpl = Template("""\
   Tunnel Type:    $tunnel_type
+  Local IP:       $local_ip
   Remote IP:      $remote_ip
   SKB mark:       $skb_mark
   Local cert:     $certificate
@@ -790,6 +791,7 @@ class IPsecTunnel(object):
         new_conf = {
             "ifname": self.name,
             "tunnel_type": row.type,
+            "local_ip": options.get("local_ip", "%defaultroute"),
             "remote_ip": options.get("remote_ip"),
             "skb_mark": monitor.conf["skb_mark"],
             "certificate": monitor.conf["pki"]["certificate"],
-- 
2.26.2
