forked from openvswitch/ovs
-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ipsec: Add support for using default crypto with Libreswan.
Distributions are normally shipping with a special file with system-wide crypto policies. For example, on Fedora/RHEL: /etc/crypto-policies/back-ends/libreswan.config This file is included by the main /etc/ipsec.conf. Today, ovs-monitor-ipsec can't take advantage of that, because we're always defining ike and esp algorithms for our connections. Add '--use-default-crypto' option to ovs-monitor-ipsec. If it is set, the daemon will not specify any crypto policies for connections and will use what is provided by default. In case we're running with a root ipsec.conf, it'll be just the defaults that Libreswan has by itself. In case we're running with a sub-config and the '--root-ipsec-conf' option, connections will be using crypto options defined in 'conn %default' somewhere in other files included from the root ipsec.conf; in most cases that will be the system-wide crypto policy file like the one mentioned above. This provides system administrators better control over crypto policies used without requiring them to adjust configuration of every OVS tunnel. Users can still override options per-connection by setting "ipsec_ike/esp" tunnel configuration. This mostly makes sense together with '--root-ipsec-conf', so only implemented for Libreswan for now. Acked-by: Mike Pattrick <[email protected]> Signed-off-by: Ilya Maximets <[email protected]>
- Loading branch information
Showing
3 changed files
with
85 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters