On 8/7/24 23:10, Jim C wrote:
> Actually, we may not have the right path. Instead of /etc/strongswan.d,
> we have /etc/strongswan/strongswan.d.
>
> Is it fine as long as we manually create /etc/strongswan.d to allow OVS
> to place its config file?

I think it should be in the main strongswan.d directory because that's
the place charon (strongSwan) will look for configuration. And it will
likely not be found in /etc/strongswan.d.

The path is hardcoded, unfortunately, because that's the place strongSwan
stores configuration on Debian/Ubuntu. You'll need to either re-configure
your strongSwan to use /etc/strongswan.d (I'm not familiar enough with it
to know how to do that) or you need to modify the hardcoded path in the
ovs-monitor-ipsec daemon. It is a Python script, so you could just manually
modify it for testing. Locate the ovs-monitor-ipsec file on the disk, open
it and change the self.CHARON_CONF variable to a different location.

> Also, by `by ovs-monitor-ipsec daemon when it starts`, is it when we run
> `systemctl start openvswitch-ipsec`?

Yes.

> On Wed, Aug 7, 2024 at 12:03 PM Ilya Maximets <i.maxim...@ovn.org> wrote:
>
> > On 8/7/24 20:36, Jim C wrote:
> > > Thanks Ilya!
> > >
> > > We do have the directory /etc/strongswan.d on our host. How is this ovs.conf created?
> > > Is it created when we install the OVS IPSec package and it will look for the strongSwan
> > > directory and place the file there?
> >
> > It is created by ovs-monitor-ipsec daemon when it starts.
> > Where is the error you posted coming from?
> >
> > I'd suggest checking audit log in case selinux is blocking access
> > to that directory. And generally checking if the daemon has access
> > to that directory, i.e. user/group permissions.
> >
> > > If that's the case, does it mean that we must install OVS after strongSwan is installed?
> > >
> > > Thanks.
> > >
> > > On Wed, Aug 7, 2024 at 9:14 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
> > >
> > > > On 8/7/24 09:11, Jim C wrote:
> > > > > Thanks Ilya, but we see an error complaining:
> > > > >
> > > > > *FileNotFoundError: [Errno 2] No such file or directory: '/etc/strongswan.d/ovs.conf'
> > > >
> > > > Does the /etc/strongswan.d directory exist?
> > > > If not, you may need to check your strongswan installation
> > > > and find out why it is not there.
> > > >
> > > > Best regards, Ilya Maximets.
> > > >
> > > > > *
> > > > >
> > > > > We are using:
> > > > > strongSwan 5.10
> > > > > Rocky (RHEL) Linux
> > > > >
> > > > > We do hope to get rid of the libreswan dependency tho. But for now, we can't switch to using strongSwan.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > On Wed, Jul 24, 2024 at 4:50 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
> > > > >
> > > > > > On 7/24/24 08:31, Jim C via discuss wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > We saw our OVS has the following specs from this service file:
> > > > > > >
> > > > > > > # cat /etc/systemd/system/multi-user.target.wants/openvswitch-ipsec.service
> > > > > > > [Unit]
> > > > > > > Description=OVS IPsec daemon
> > > > > > > Requires=openvswitch.service
> > > > > > > After=openvswitch.service
> > > > > > >
> > > > > > > [Service]
> > > > > > > Type=forking
> > > > > > > PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
> > > > > > > *ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
> > > > > > >                     --ike-daemon=libreswan start-ovs-ipsec*
> > > > > > > ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
> > > > > > >
> > > > > > > [Install]
> > > > > > > WantedBy=multi-user.target
> > > > > > >
> > > > > > > It seems it's using libreswan. How can we switch to using strongSwan instead?
> > > > > >
> > > > > > If you have strongSwan installed, you should be able to just
> > > > > > replace --ike-daemon=libreswan with --ike-daemon=strongswan
> > > > > > in the service file.
> > > > > >
> > > > > > Best regards, Ilya Maximets.

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
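
The checks discussed in this thread, gathered into one script. This is an added example, not part of the original messages and not code from OVS or strongSwan. The function names and the root-prefix argument are assumptions of this example, and it assumes the CHARON_CONF path appears as a quoted string on its assignment line.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of OVS or strongSwan.
# Function names and the root-prefix argument are assumptions of this example.

# Print the first strongswan.d directory (of the two named in the thread)
# that exists under root prefix $1; fail if neither exists.
find_strongswan_d() {
    for d in /etc/strongswan.d /etc/strongswan/strongswan.d; do
        if [ -d "$1$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Print the first quoted string on every line of file $1 that assigns
# CHARON_CONF (assumption: the path is a quoted literal on that line).
hardcoded_conf() {
    grep 'CHARON_CONF *=' "$1" | sed -n "s/[^\"']*[\"']\([^\"']*\)[\"'].*/\1/p"
}

# Classify directory $1 for the user running this script:
# "missing", "not-writable" or "ok".
check_conf_dir() {
    if [ ! -d "$1" ]; then echo missing
    elif [ ! -w "$1" ] || [ ! -x "$1" ]; then echo not-writable
    else echo ok
    fi
}

# Compare the directory the daemon script $2 writes to with the strongswan.d
# directory present under root prefix $1. Returns 0 only when they agree.
diagnose() {
    conf=$(hardcoded_conf "$2" | head -n 1)
    want=$(dirname "$conf")
    have=$(find_strongswan_d "$1") || have=none
    echo "daemon writes:      $conf (directory: $(check_conf_dir "$1$want"))"
    echo "strongswan.d found: $have"
    [ "$want" = "$have" ]
}

# Recent SELinux denials from the audit log (needs root and auditd);
# look for entries that mention the strongswan.d directory.
recent_avc_denials() {
    ausearch -m avc -ts recent
}

# On a live host: diagnose "" /path/to/ovs-monitor-ipsec
```

A non-zero exit from `diagnose` means the daemon's hardcoded directory and the directory strongSwan actually uses differ, which is the situation reported on Rocky Linux in this thread.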