authorMark Gray <mark.d.gray@redhat.com>2020-12-24 07:57:01 -0500
committerIlya Maximets <i.maximets@ovn.org>2021-01-05 19:32:34 +0100
commit0c976363079071df59916b4a9c186ab377d5b1c7 (patch)
tree6bd77bc50dca5c7690d5a3c891fc77786f2a0833
parent8397d46ee900879425aa21834d244550238163f9 (diff)
downloadopenvswitch-0c976363079071df59916b4a9c186ab377d5b1c7.tar.gz
ovs-monitor-ipsec: Add support for tunnel 'local_ip'.
In the libreswan case, 'ovs-monitor-ipsec' sets 'left' to '%defaultroute', which uses the local address of the default-route interface as the source IP address. In multihomed environments, this may not be correct if the user wants to specify the source IP address explicitly. In OVS, this can be set for tunnel ports using the 'local_ip' option. This patch also uses that option to populate the 'ipsec.conf' configuration. If the 'local_ip' option is not present, it defaults to the previous behaviour of using '%defaultroute'. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280 Signed-off-by: Mark Gray <mark.d.gray@redhat.com> Acked-by: Eelco Chaudron <echaudro@redhat.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-rw-r--r--Documentation/tutorials/ipsec.rst1
-rwxr-xr-xipsec/ovs-monitor-ipsec.in8
2 files changed, 6 insertions, 3 deletions
diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
index b4c323513..d7c56d5fc 100644
--- a/Documentation/tutorials/ipsec.rst
+++ b/Documentation/tutorials/ipsec.rst
@@ -298,6 +298,7 @@ For example::
Otherwise, error message will
be provided
Tunnel Type: gre
+ Local IP: %defaultroute
Remote IP: 2.2.2.2
SKB mark: None
Local cert: None
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 5ae2ad5e1..5561657ab 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -416,11 +416,11 @@ conn prevent_unencrypted_vxlan
"""
auth_tmpl = {"psk": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
authby=secret"""),
"pki_remote": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
@@ -428,7 +428,7 @@ conn prevent_unencrypted_vxlan
rightcert="$remote_name"
leftrsasigkey=%cert"""),
"pki_ca": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
@@ -751,6 +751,7 @@ class IPsecTunnel(object):
unixctl_config_tmpl = Template("""\
Tunnel Type: $tunnel_type
+ Local IP: $local_ip
Remote IP: $remote_ip
SKB mark: $skb_mark
Local cert: $certificate
@@ -791,6 +792,7 @@ class IPsecTunnel(object):
new_conf = {
"ifname": self.name,
"tunnel_type": row.type,
+ "local_ip": options.get("local_ip", "%defaultroute"),
"remote_ip": options.get("remote_ip"),
"skb_mark": monitor.conf["skb_mark"],
"certificate": monitor.conf["pki"]["certificate"],
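Review bot: The new `"local_ip": options.get("local_ip", "%defaultroute")` line takes the OVSDB option value verbatim, and the earlier hunks substitute it straight into the line-oriented `left=$local_ip` stanzas of the generated ipsec.conf, so nothing checks that it is actually an address. An operator typo or a non-address value (OVS accepts `flow` for tunnel endpoint options, and I believe `local_ip` is no exception — confirm) would silently produce an invalid or unexpected `left=` line rather than a clear error; the existing `remote_ip` handling appears to have the same gap, so this may be a pre-existing pattern worth fixing for both. I would validate before building the dict, roughly `local_ip = options.get("local_ip", "%defaultroute")` followed by `if local_ip != "%defaultroute": ipaddress.ip_address(local_ip)` inside a `try`/`except ValueError` that logs and skips the tunnel, with `ipaddress` imported at the top of the file, which this hunk does not show. A one-line comment on the dict entry, `# %defaultroute is libreswan syntax; only the libreswan templates above consume it — confirm the strongSwan templates ignore this key`, would also help, since the backend-specific use is only inferable from the `auth_tmpl` hunks. The method that builds `new_conf` begins before and continues after this hunk.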