Thanks Ilya, that's super helpful!

Regarding updating the file path, can we only do it in the python script?
Is there an ENV VAR somewhere that we can use for the update?

Thanks.

On Wed, Aug 7, 2024 at 2:27 PM Ilya Maximets <i.maxim...@ovn.org> wrote:

> On 8/7/24 23:10, Jim C wrote:
> > Actually, we may not have the right path. Instead of /etc/strongswan.d,
> > we have /etc/strongswan/strongswan.d.
> >
> > Is it fine as long as we manually create /etc/strongswan.d to allow OVS
> > to place its config file?
>
> I think, it should be in the main strongswan.d directory because that's the
> place charon (strongSwan) will look for configuration.  And it will likely
> not be found in /etc/strongswan.d.
>
> The path is hardcoded, unfortunately, because that's the place strongSwan
> stores configuration on Debian/Ubuntu.  You'll need to either re-configure
> your strongSwan to use /etc/strongswan.d (I'm not familiar enough with it
> to know how to do that) or you need to modify the hardcoded path in the
> ovs-monitor-ipsec daemon.  It is a python script, so you could just manually
> modify it for testing.  Locate the ovs-monitor-ipsec file on the disk, open
> it and change the self.CHARON_CONF variable to a different location.
>
> >
> > Also, by `by ovs-monitor-ipsec daemon when it starts`, is it when we run
> > `systemctl start openvswitch-ipsec`?
>
> Yes.
>
> >
> > On Wed, Aug 7, 2024 at 12:03 PM Ilya Maximets <i.maxim...@ovn.org> wrote:
> >
> >     On 8/7/24 20:36, Jim C wrote:
> >     > Thanks Ilya!
> >     >
> >     > We do have the directory /etc/strongswan.d on our host. How is this ovs.conf created?
> >     > Is it created when we install the OVS IPSec package and it will look for the strongSwan
> >     > directory and place the file there?
> >
> >     It is created by ovs-monitor-ipsec daemon when it starts.
> >     Where is the error you posted coming from?
> >
> >     I'd suggest checking audit log in case selinux is blocking access
> >     to that directory.  And generally checking if the daemon has access
> >     to that directory, i.e. user/group permissions.
> >
> >     >
> >     > If that's the case, does it mean that we must install OVS after strongSwan is installed?
> >     >
> >     > Thanks.
> >     >
> >     > On Wed, Aug 7, 2024 at 9:14 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
> >     >
> >     >     On 8/7/24 09:11, Jim C wrote:
> >     >     > Thanks Ilya, but we see an error complaining:
> >     >     >
> >     >     > *FileNotFoundError: [Errno 2] No such file or directory: '/etc/strongswan.d/ovs.conf'
> >     >
> >     >     Does the /etc/strongswan.d directory exist?
> >     >     If not, you may need to check your strongswan installation
> >     >     and find out why it is not there.
> >     >
> >     >     Best regards, Ilya Maximets.
> >     >
> >     >     > *
> >     >     >
> >     >     > We are using:
> >     >     > strongSwan 5.10
> >     >     > Rocky (RHEL) Linux
> >     >     >
> >     >     > We do hope to get rid of the libreswan dependency tho. But for now, we can't switch to using strongSwan.
> >     >     >
> >     >     > Thanks.
> >     >     >
> >     >     > On Wed, Jul 24, 2024 at 4:50 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
> >     >     >
> >     >     >     On 7/24/24 08:31, Jim C via discuss wrote:
> >     >     >     > Hi,
> >     >     >     >
> >     >     >     > We saw our OVS has the following specs from this service file:
> >     >     >     >
> >     >     >     > # cat /etc/systemd/system/multi-user.target.wants/openvswitch-ipsec.service
> >     >     >     > [Unit]
> >     >     >     > Description=OVS IPsec daemon
> >     >     >     > Requires=openvswitch.service
> >     >     >     > After=openvswitch.service
> >     >     >     >
> >     >     >     > [Service]
> >     >     >     > Type=forking
> >     >     >     > PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
> >     >     >     > *ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
> >     >     >     >                     --ike-daemon=libreswan start-ovs-ipsec*
> >     >     >     > ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
> >     >     >     >
> >     >     >     > [Install]
> >     >     >     > WantedBy=multi-user.target
> >     >     >     >
> >     >     >     > It seems it's using libreswan. How can we switch to using strongSwan instead?
> >     >     >
> >     >     >     If you have strongSwan installed, you should be able to just
> >     >     >     replace --ike-daemon=libreswan with --ike-daemon=strongswan
> >     >     >     in the service file.
> >     >     >
> >     >     >     Best regards, Ilya Maximets.
> >     >     >
> >     >
> >
>
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
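
Added example, not part of the thread and not OVS code: a small Python check that separates the three causes discussed above for the `ovs.conf` write failure (directory missing, user/group permissions, SELinux denial in the audit log). The function names, the `example_t` SELinux types and the audit lines are constructed for illustration; only the two directory paths come from the thread.

```python
import os
import re

# Both locations are named in the thread: the first is the path hardcoded in
# ovs-monitor-ipsec (Debian/Ubuntu layout), the second is what the Rocky host has.
CANDIDATE_DIRS = ["/etc/strongswan.d", "/etc/strongswan/strongswan.d"]

def diagnose_conf_path(conf_path):
    """Classify why creating conf_path would fail, without creating it."""
    parent = os.path.dirname(conf_path)
    if not os.path.exists(parent):
        return "parent-missing"        # open() raises FileNotFoundError (ENOENT)
    if not os.path.isdir(parent):
        return "parent-not-a-directory"
    # DAC check only; run this as the user the daemon runs as. SELinux can
    # still deny the write, which is what the audit log filter below is for.
    if not os.access(parent, os.W_OK | os.X_OK):
        return "parent-not-writable"
    return "ok"

def avc_denials_for(audit_lines, name):
    """Return SELinux AVC denial records whose name= field equals name."""
    pat = re.compile(r'^type=AVC .*\bdenied\b.*\bname="%s"' % re.escape(name))
    return [line for line in audit_lines if pat.search(line)]

# Constructed audit.log lines (not from the thread), in the usual AVC layout.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1723068000.100:901): avc:  denied  { write } for  pid=4242 '
    'comm="ovs-monitor-ips" name="strongswan.d" dev="dm-0" ino=1311 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:example_conf_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1723068000.100:901): arch=c000003e syscall=257 success=no',
    'type=AVC msg=audit(1723068001.200:902): avc:  denied  { read } for  pid=77 '
    'comm="cat" name="shadow" dev="dm-0" ino=99 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for d in CANDIDATE_DIRS:
        print(d, "->", diagnose_conf_path(os.path.join(d, "ovs.conf")))
    for rec in avc_denials_for(SAMPLE_AUDIT, "strongswan.d"):
        print("SELinux denial:", rec[:90], "...")
```

On a real host, feed `avc_denials_for` the lines of the audit log instead of `SAMPLE_AUDIT`.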
