Tunnels in LibreSwan and OpenSwan allow for many options to be set on a per tunnel basis. Pass through any options starting with ipsec_ to the connection in the configuration file. Administrators are responsible for picking valid key/value pairs.
Signed-off-by: Andreas Karis <[email protected]> --- Documentation/tutorials/ipsec.rst | 45 +++++++++++++++++++++++++++++++ ipsec/ovs-monitor-ipsec.in | 17 +++++++++++- vswitchd/vswitch.xml | 4 ++- 3 files changed, 64 insertions(+), 2 deletions(-) diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst index b6cc1c3a8..00cdc5ec2 100644 --- a/Documentation/tutorials/ipsec.rst +++ b/Documentation/tutorials/ipsec.rst @@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure You should be able to see that ESP packets are being sent from `host_1` to `host_2`. +Custom options +--------------- + +Any parameter prefixed with `ipsec_` will be added to the connection profile. +For example:: + + # ovs-vsctl set interface tun options:ipsec_encapsulation=yes + +Will result in:: + + # ovs-appctl -t ovs-monitor-ipsec tunnels/show + Interface name: tun v7 (CONFIGURED) + Tunnel Type: vxlan + Local IP: 192.0.0.1 + Remote IP: 192.0.0.2 + Address Family: IPv4 + SKB mark: None + Local cert: None + Local name: None + Local key: None + Remote cert: None + Remote name: None + CA cert: None + PSK: swordfish + Custom Options: {'encapsulation': 'yes'} + +And in the following connection profiles:: + + conn tun-in-7 + left=192.0.0.1 + right=192.0.0.2 + authby=secret + encapsulation=yes + leftprotoport=udp/4789 + rightprotoport=udp + + conn tun-out-7 + left=192.0.0.1 + right=192.0.0.2 + authby=secret + encapsulation=yes + leftprotoport=udp + rightprotoport=udp/4789 + Troubleshooting --------------- @@ -329,6 +373,7 @@ For example:: Remote name: None CA cert: None PSK: swordfish + Custom Options: {} Ofport: 1 <--- Whether ovs-vswitchd has assigned Ofport number to this Tunnel Port CFM state: Up <--- Whether CFM declared this tunnel healthy diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index a8b0705d9..e422b07bf 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in 
@@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan tmpl = self.auth_tmpl["pki_ca"] auth_section = tmpl.substitute(tunnel.conf) + if "custom_options" in tunnel.conf: + for key, value in tunnel.conf["custom_options"].items(): + auth_section += "\n " + key + "=" + value + vals = tunnel.conf.copy() vals["auth_section"] = auth_section vals["version"] = tunnel.version @@ -543,6 +547,10 @@ conn prevent_unencrypted_vxlan if tunnel.conf["address_family"] == "IPv6": auth_section = self.IPV6_CONN + auth_section + if "custom_options" in tunnel.conf: + for key, value in tunnel.conf["custom_options"].items(): + auth_section += "\n " + key + "=" + value + vals = tunnel.conf.copy() vals["auth_section"] = auth_section vals["version"] = tunnel.version @@ -819,6 +827,7 @@ class IPsecTunnel(object): Remote name: $remote_name CA cert: $ca_cert PSK: $psk + Custom Options: $custom_options """) unixctl_status_tmpl = Template("""\ @@ -862,7 +871,13 @@ class IPsecTunnel(object): "remote_cert": remote_cert, "remote_name": remote_name, "local_name": monitor.conf["pki"]["local_name"], - "psk": options.get("psk")} + "psk": options.get("psk"), + "custom_options": {}} + + # add custom ipsec options to the connection + for key, value in options.items(): + if key.startswith("ipsec_"): + new_conf["custom_options"][key[len("ipsec_"):]] = value if self.conf != new_conf: # Configuration was updated in OVSDB. Validate it and figure diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 0c6632617..b124fee54 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml 
@@ -1046,7 +1046,9 @@ <p> These settings control the global configuration of IPsec tunnels. The <code>options</code> column of the <code>Interface</code> table - configures IPsec for individual tunnels. + configures IPsec for individual tunnels. The <code>options</code> + column also allows for custom options prefixed with <code>ipsec_</code> + to be passed to the individual connections. </p> <p> OVS IPsec supports the following three forms of authentication. -- 2.35.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
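Review bot: the new "Custom options" section in ipsec.rst (hunk @@ -303) does not say that keys and values are copied into the conn section unchanged and are not validated by ovs-monitor-ipsec, so the `encapsulation=yes` example, which is Libreswan conn syntax per the commit message, reads as if the same key names work for every backend. Suggest adding a sentence such as "The key (with the `ipsec_` prefix removed) and the value are written verbatim into the generated conn; use the option names of the IKE daemon in use, since ovs-monitor-ipsec does not check them", plus a pointer to `ovs-appctl -t ovs-monitor-ipsec tunnels/show` and the IKE daemon's log as the place to look when a misspelled key makes the daemon reject the profile. The rendered `conn tun-in-7` example does match the code, with `encapsulation=yes` landing after `authby=secret` because it is appended to `auth_section`.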
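Review bot: in the ovs-monitor-ipsec.in hunk at @@ -313, `auth_section += "\n " + key + "=" + value` concatenates the OVSDB-supplied key and value into the config text with no validation, so a value containing a newline (for example `options:ipsec_foo="yes\nleft=..."`) or a key that repeats a setting the template already emits (`left`, `right`, `authby`) silently rewrites the generated conn, and anyone with write access to the `Interface` `options` column reaches this path, not only the administrator the commit message holds responsible. At minimum, skip and log a warning for any key or value containing newline or whitespace, and for keys that collide with template-owned settings, before appending.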
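Review bot: the loop added at @@ -547 (the backend path that prepends `self.IPV6_CONN`) is a verbatim copy of the one at @@ -313, and in both places the `if "custom_options" in tunnel.conf:` guard is always true once the @@ -871 hunk puts `"custom_options": {}` into `new_conf` unconditionally. Suggest one helper on `IPsecTunnel` that returns the formatted lines (and does the validation once) and is called from both backends, so the two copies cannot drift; the single-space indent in `"\n "` should also be checked against the indentation the surrounding templates use, since the doc hunk shows the conn body indented further than that.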
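Review bot: the prefix scan at @@ -871 strips only the `ipsec_` prefix, so an option named exactly `ipsec_` yields an empty key and a conn line of the form `=value`; reject empty keys and keys containing `=` or whitespace here, at parse time, rather than in each backend. Storing the dict in `new_conf` does mean that adding, changing or removing any `ipsec_*` option trips `self.conf != new_conf` and reconfigures the tunnel, which is the right behaviour and worth a one-line comment, since a reader may otherwise expect only the existing PKI/PSK keys to trigger it.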
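Review bot: the vswitch.xml change at @@ -1046 only mentions the `ipsec_` passthrough in the global IPsec description and does not document it alongside the per-tunnel IPsec keys of the `Interface` table's `options` column (`psk`, `remote_cert`, `remote_name`), nor state that the remainder of the key and the value are emitted verbatim and unvalidated into the backend's conn section. Suggest adding an entry next to those per-tunnel options saying exactly that, so `ovs-vswitchd.conf.db(5)` readers learn about the feature where they look up the other IPsec options.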
