On 12/16/24 01:28, Mike Pattrick wrote:
> On Tue, Dec 10, 2024 at 6:07 PM Ilya Maximets <[email protected]> wrote:
>>
>> Distributions are normally shipping with a special file with
>> system-wide crypto policies. For example, on Fedora/RHEL:
>>
>> /etc/crypto-policies/back-ends/libreswan.config
>>
>> This file is included by the main /etc/ipsec.conf.
>>
>> Today, ovs-monitor-ipsec can't take advantage of that, because we're
>> always defining ike and esp algorithms for our connections.
>>
>> Add '--use-default-crypto' option to ovs-monitor-ipsec. If it is set,
>> the daemon will not specify any crypto policies for connections and
>> will use what is provided by default. In case we're running with a
>> root ipsec.conf, it'll be just the defaults that Libreswan has by
>> itself. In case we're running with a sub-config and the
>> '--root-ipsec-conf' option, connections will be using crypto options
>> defined in 'conn %default' somewhere in other files included from the
>> root ipsec.conf; in most cases that will be the system-wide crypto
>> policy file like the one mentioned above.
>>
>> This provides system administrators better control over crypto
>> policies used without requiring them to adjust configuration of every
>> OVS tunnel.
>>
>> Users can still override options per-connection by setting
>> "ipsec_ike/esp" tunnel configuration.
>>
>> This mostly makes sense together with '--root-ipsec-conf', so only
>> implemented for Libreswan for now.
>>
>> Signed-off-by: Ilya Maximets <[email protected]>
>> ---
>
> Acked-by: Mike Pattrick <[email protected]>
>
Thanks, Mike! I applied the set to main.

Best regards,
Ilya Maximets.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
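The inheritance described in the commit message (a connection without ike/esp lines picks up 'conn %default' from a file included by the root ipsec.conf, while a per-tunnel "ipsec_ike/esp" setting still wins) is what an administrator wants to verify after enabling '--use-default-crypto'. The following Python is an added illustration, not ovs-monitor-ipsec or Libreswan code: it resolves the effective ike/esp values per conn with a deliberately simplified ipsec.conf reader (indented key=value lines, literal 'include' paths, no 'also=' or glob handling). All file bodies are constructed samples kept in a dict so it runs offline; the crypto-policies file content and the algorithm strings are assumptions, not copied from any system.

```python
# Added illustration (not OVS code): resolve which ike/esp settings each Libreswan
# conn effectively uses. Every file body below is a constructed sample (assumed).
FILES = {
    "/etc/ipsec.conf": "\n".join([
        "include /etc/crypto-policies/back-ends/libreswan.config",
        "include /etc/ipsec.d/openvswitch.conf",
    ]),
    # Assumed system-wide policy file (hypothetical algorithm strings).
    "/etc/crypto-policies/back-ends/libreswan.config": "\n".join([
        "conn %default",
        "\tike=aes_gcm256-sha2_512+sha2_256",
        "\tesp=aes_gcm256",
    ]),
    # Sub-config as ovs-monitor-ipsec would write it with --use-default-crypto:
    # tun1 has no ike/esp lines, tun2 carries a per-tunnel esp override.
    "/etc/ipsec.d/openvswitch.conf": "\n".join([
        "conn tun1-in-1",
        "\tright=10.0.0.2",
        "conn tun2-in-1",
        "\tright=10.0.0.3",
        "\tesp=aes256-sha2_256",
    ]),
}

def parse(path, files, conns=None):
    # Walk a root config and its includes; collect key=value pairs per conn.
    conns = {} if conns is None else conns
    section = None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if line.startswith("include "):
            parse(line.split(None, 1)[1].strip(), files, conns)
        elif line.startswith("conn "):
            section = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif line[0] in " \t" and section is not None:
            key, _, value = line.strip().partition("=")
            section[key.strip()] = value.strip()
    return conns

def effective_crypto(path, files):
    # Per conn: explicit value, else 'conn %default', else None (Libreswan built-ins).
    conns = parse(path, files)
    default = conns.pop("%default", {})
    return {name: {k: opts.get(k, default.get(k)) for k in ("ike", "esp")}
            for name, opts in conns.items()}
```

A None result means neither the conn nor any included 'conn %default' sets the option, so Libreswan's own built-in default applies, which is the first situation the commit message describes.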
