author | Mark Gray <mark.d.gray@redhat.com> | 2020-12-24 07:57:01 -0500 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2021-01-05 19:27:41 +0100 |
commit | 1d4190c1ee165ab012ecb9882217151b09d3a85d (patch) | |
tree | b7bc4956b10b7bbf7565b810418960506c1e9c14 /ipsec | |
parent | b9c6da7edc1662f336bdf06e8fa564e90d082fd9 (diff) | |
download | openvswitch-1d4190c1ee165ab012ecb9882217151b09d3a85d.tar.gz |
ovs-monitor-ipsec: Add support for tunnel 'local_ip'.
In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch uses that option to populate the 'left' setting in the generated 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
falls back to the previous behaviour of using '%defaultroute'.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'ipsec')
-rwxr-xr-x | ipsec/ovs-monitor-ipsec.in | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 5ae2ad5e1..5561657ab 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -416,11 +416,11 @@ conn prevent_unencrypted_vxlan
 """
 auth_tmpl = {"psk": Template("""\
- left=%defaultroute
+ left=$local_ip
 right=$remote_ip
 authby=secret"""),
 "pki_remote": Template("""\
- left=%defaultroute
+ left=$local_ip
 right=$remote_ip
 leftid=@$local_name
 rightid=@$remote_name
@@ -428,7 +428,7 @@ conn prevent_unencrypted_vxlan
 rightcert="$remote_name"
 leftrsasigkey=%cert"""),
 "pki_ca": Template("""\
- left=%defaultroute
+ left=$local_ip
 right=$remote_ip
 leftid=@$local_name
 rightid=@$remote_name
@@ -751,6 +751,7 @@ class IPsecTunnel(object):
 unixctl_config_tmpl = Template("""\
 Tunnel Type: $tunnel_type
+ Local IP: $local_ip
 Remote IP: $remote_ip
 SKB mark: $skb_mark
 Local cert: $certificate
@@ -791,6 +792,7 @@ class IPsecTunnel(object):
 new_conf = {
 "ifname": self.name,
 "tunnel_type": row.type,
+ "local_ip": options.get("local_ip", "%defaultroute"),
 "remote_ip": options.get("remote_ip"),
 "skb_mark": monitor.conf["skb_mark"],
 "certificate": monitor.conf["pki"]["certificate"], |
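Review bot: The `left=$local_ip` substitution in the first two hunks reaches only the three libreswan `auth_tmpl` entries, while the commit message states the change is for the libreswan case; if this file also drives a strongSwan backend (not visible in these hunks), a tunnel configured there will keep its existing source-address behaviour even though the new "Local IP" line in the unixctl output will now report a value for it. A short comment next to `auth_tmpl`, such as `# 'left' honours the tunnel's 'local_ip' option; without it libreswan picks the default-route address (%defaultroute)`, would make the scope of the option clear to the next reader. The `auth_tmpl` dictionary starts and ends outside the hunks.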
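Review bot: The new `"local_ip": options.get("local_ip", "%defaultroute")` entry in the last hunk copies an OVSDB string straight into the `left=` line of the generated ipsec.conf without checking that it is an address; libreswan treats a `%`-prefixed value as a keyword and any other non-literal as a hostname to resolve, and a value containing a newline would append further directives to the connection. Since OVSDB writers can already reconfigure the tunnel this is a robustness issue rather than a privilege boundary, but the daemon would be easier to reason about if the value were validated where it is read, e.g. `local_ip = options.get("local_ip", "%defaultroute")` followed by `if local_ip != "%defaultroute": ipaddress.ip_address(local_ip)` (logging and skipping the tunnel on ValueError, and importing `ipaddress` if the file does not already). The enclosing method begins before the hunk, so whether `remote_ip` already receives such a check elsewhere cannot be confirmed from here.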