On Tue, Dec 10, 2024 at 6:07 PM Ilya Maximets <[email protected]> wrote:
>
> Distributions are normally shipping with a special file with
> system-wide crypto policies. For example, on Fedora/RHEL:
>
> /etc/crypto-policies/back-ends/libreswan.config
>
> This file is included by the main /etc/ipsec.conf.
>
> Today, ovs-monitor-ipsec can't take advantage of that, because we're
> always defining ike and esp algorithms for our connections.
>
> Add '--use-default-crypto' option to ovs-monitor-ipsec. If it is set,
> the daemon will not specify any crypto policies for connections and
> will use what is provided by default. In case we're running with a
> root ipsec.conf, it'll be just the defaults that Libreswan has by
> itself. In case we're running with a sub-config and the
> '--root-ipsec-conf' option, connections will be using crypto options
> defined in 'conn %default' somewhere in other files included from the
> root ipsec.conf; in most cases that will be the system-wide crypto
> policy file like the one mentioned above.
>
> This provides system administrators better control over crypto
> policies used without requiring them to adjust configuration of every
> OVS tunnel.
>
> Users can still override options per-connection by setting
> "ipsec_ike/esp" tunnel configuration.
>
> This mostly makes sense together with '--root-ipsec-conf', so only
> implemented for Libreswan for now.
>
> Signed-off-by: Ilya Maximets <[email protected]>
> ---
Acked-by: Mike Pattrick <[email protected]>

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
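The mechanism the patch relies on is Libreswan's `conn %default` inheritance: a connection section that omits `ike=`/`esp=` picks them up from whatever `conn %default` an included file defines, while a connection that sets them explicitly keeps its own values. The following is an added example, not code from the OVS patch, ovs-monitor-ipsec or Libreswan. It resolves that inheritance over a small ipsec.conf tree held in memory; the file contents, the connection names (`tun0-default`, `tun1-custom`) and the algorithm strings are constructed for illustration and do not reproduce the real Fedora/RHEL policy file or the names ovs-monitor-ipsec actually generates.

```python
"""Resolve effective crypto options for Libreswan-style connections,
following 'include' directives and 'conn %default' inheritance.

Added example, not code from the OVS patch or from Libreswan.
All file contents below are constructed stand-ins for files on disk.
"""
import fnmatch

# Constructed in-memory "filesystem": path -> file text.
FILES = {
    "/etc/ipsec.conf": """\
config setup
    uniqueids=yes

# Fedora/RHEL pull the system-wide crypto policy in here.
include /etc/crypto-policies/back-ends/libreswan.config
include /etc/ipsec.d/*.conf
""",
    # Constructed stand-in for the crypto-policies back-end file.
    "/etc/crypto-policies/back-ends/libreswan.config": """\
conn %default
    ikev2=insist
    ike=aes_gcm256-sha2_512
    esp=aes_gcm256
""",
    # Constructed sub-config in the shape --use-default-crypto implies:
    # tun0-default carries no ike=/esp=, so the %default policy applies;
    # tun1-custom sets ike= explicitly (the per-tunnel override case).
    "/etc/ipsec.d/openvswitch.conf": """\
conn tun0-default
    left=10.0.0.1
    right=10.0.0.2
    authby=secret

conn tun1-custom
    left=10.0.0.1
    right=10.0.0.3
    authby=secret
    ike=aes256-sha2_256
""",
}


def parse(path, files=FILES, _seen=None):
    """Return {conn_name: {key: value}} for every 'conn' section reachable
    from `path`, expanding 'include' globs against `files`."""
    seen = _seen if _seen is not None else set()
    if path in seen:          # guard against include loops
        return {}
    seen.add(path)

    conns = {}
    current = None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header or directive: 'conn NAME', 'config setup', 'include GLOB'
            keyword, _, arg = line.partition(" ")
            arg = arg.strip()
            if keyword == "include":
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, arg)):
                    for name, opts in parse(inc, files, seen).items():
                        conns.setdefault(name, {}).update(opts)
                current = None
            elif keyword == "conn":
                current = conns.setdefault(arg, {})
            else:
                current = None      # 'config setup' is irrelevant here
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def effective_options(conn_name, conns):
    """Merge 'conn %default' under the connection's own settings.
    The connection's own keys win, which is what lets a per-tunnel
    ike=/esp= override the system-wide policy."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[conn_name])
    return merged


def crypto_for(conn_name, path="/etc/ipsec.conf", files=FILES):
    """Convenience: the (ike, esp) pair a connection will actually use."""
    opts = effective_options(conn_name, parse(path, files))
    return opts.get("ike"), opts.get("esp")


if __name__ == "__main__":
    for name in ("tun0-default", "tun1-custom"):
        print(name, crypto_for(name))
```

Running it shows `tun0-default` using the policy file's `ike`/`esp` because its own section never mentions them, and `tun1-custom` keeping its explicit `ike=` while still inheriting `esp` and `ikev2` from `%default`; that partial inheritance is why a per-tunnel `ipsec_ike` override does not also detach the tunnel from the system-wide ESP choice.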
