[ovs-discuss] Replacing IPsec-GRE tunnel ports

Bolesław Tokarski boleslaw.tokarski at gmail.com
Sat Nov 19 12:55:01 UTC 2016


Hi, Ansis,

I tried your openvswitch-ipsec patch for strongswan on my current OVS 2.3
installation. Although I found it was written somewhere between 2.3 and
2.4, it was relatively easy to adapt it to run on 2.3.3. As I needed only
gre_ipsec, I did not need to care that this is only implemented from 2.4+.

I tested it on OpenSUSE 42.1, strongswan 5.2.2, ovs 2.3.3 (with my patches
and the strongswan patch).

There's a minor bug in the patch: it wraps
'charon.plugins.kernel-netlink.xfrm_ack_expires = 10' in some garbage in
front. The script generated /etc/ipsec.d/certs/ovs-$portname.pem, while I
think strongswan expected that to be an IP address (unless I stumbled upon
a cert issue I fixed later, details below). Also, I found it was required
to specify 'local_ip' in ovs-vsctl, as strongswan fails to find the tunnel
policy otherwise.

I found StrongSwan to be very picky regarding certificates. I needed to
specify an IP address in subjAltNames in the certificate.

Besides that, the support you wrote looks like it works decently. I had
some issues with racoon, with it not catching a certificate change, and
failing desperately on one connection. Since it seems Strongswan is
maintained better, it seems to be a good alternative.

Thank you for this nice piece of code :)

Regards,
Bolesław Tokarski
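The certificate requirement mentioned in the message above (strongSwan insisting on the endpoint IP address in subjectAltName) is easy to get wrong and hard to diagnose from IKE logs. The following script is an added example, not part of the post or of the openvswitch-ipsec patch: it generates a self-signed endpoint certificate whose subjectAltName carries the tunnel IP, and checks the resulting PEM for that SAN so a bad certificate is caught before it is handed to strongSwan. The IP 192.0.2.10, the file names and the output directory are constructed placeholders; the only assumption is that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the OVS patch).
# Generates a self-signed certificate for an IPsec tunnel endpoint with the
# endpoint IP in subjectAltName, then verifies the SAN is actually present.
# Requires the openssl CLI; uses a config file instead of -addext so it works
# on older OpenSSL releases as well.

# make_endpoint_cert IP OUTDIR
#   writes OUTDIR/ovs-tunnel-key.pem and OUTDIR/ovs-tunnel-cert.pem
make_endpoint_cert() {
    ip="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1
    # Minimal request config: CN set to the IP for readability, and the
    # SAN extension carrying the IP, which is what strongSwan matches on.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $ip
[v3_ext]
subjectAltName = IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$outdir/ovs-tunnel-key.pem" \
        -out "$outdir/ovs-tunnel-cert.pem" \
        -config "$outdir/san.cnf" >/dev/null 2>&1
}

# san_has_ip CERT IP
#   exit status 0 if CERT lists exactly IP as an "IP Address" SAN entry
san_has_ip() {
    cert="$1"
    ip="$2"
    # -text output prints the SAN line as e.g. "IP Address:192.0.2.10".
    # The (,|$) anchor stops 192.0.2.1 from matching 192.0.2.10.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -q -E "IP Address:$ip(,|\$)"
}

# Stand-alone demo (constructed values): create a cert for 192.0.2.10 and
# report whether the SAN check passes.
demo_dir="${TMPDIR:-/tmp}/ovs-ipsec-cert-demo.$$"
if make_endpoint_cert 192.0.2.10 "$demo_dir"; then
    if san_has_ip "$demo_dir/ovs-tunnel-cert.pem" 192.0.2.10; then
        echo "certificate carries IP SAN 192.0.2.10: OK"
    else
        echo "certificate is missing IP SAN 192.0.2.10: strongSwan will reject it"
    fi
fi
rm -rf "$demo_dir"
```

Run the same san_has_ip check against any certificate you intend to install under /etc/ipsec.d/certs; a certificate that only has the IP in the CN, without the SAN entry, fails the check, which matches the behaviour described in the message.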