On 5/16/24 22:29, Ilya Maximets wrote:
> On 5/16/24 19:33, Jim C via discuss wrote:
>> Hi,
>>
>> I'm looking into this IPSec tutorial
>> (https://docs.openvswitch.org/en/latest/tutorials/ipsec/).
>> I wonder if there is an option for us to choose the encryption algorithm
>> that we want given we
>> want FIPS approved algorithms. Is there a manual?
>
> Hi. The algorithms are not configurable today.
>
> StrongSwan is configured with the following options:
>
>   keyexchange=ikev2
>   ike=aes256gcm16-sha256-modp2048
>   esp=aes256gcm16-modp2048
>
> And for Libreswan:
>
>   ike=aes_gcm256-sha2_256
>   esp=aes_gcm256
>   ikev2=insist
>
> Changing these options will require changing the code of the
> ovs-monitor-ipsec daemon. Which is a python script, so should
> not be difficult if necessary.

Hmm, I'm taking this back. It may be possible to override the algorithms
using custom options:
  https://docs.openvswitch.org/en/latest/tutorials/ipsec/#custom-options

i.e. it should be possible to use something like (StrongSwan):

  ovs-vsctl set interface <iface> options:ipsec_ike="aes128gcm16-prfsha256-ecp256"
  ovs-vsctl set interface <iface> options:ipsec_esp="aes128gcm16-ecp256"

That should override the default configuration on a per-tunnel level.
Could you try that?

Best regards, Ilya Maximets.
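
A pre-flight check for override values like the ones suggested above, as an added example that is not part of the original message or of Open vSwitch: it parses a strongSwan-style proposal string and reports anything outside an allowlist before the value is handed to ovs-vsctl. The allowlist and the names check_proposal and classify are assumptions made for this illustration; the approved set has to come from your validated crypto module's security policy.

```python
import re

# ASSUMED site policy, constructed for this example: strongSwan keywords the
# site accepts. Replace with the list from your validated module's policy.
ALLOWED = {
    "enc":   {"aes128gcm16", "aes256gcm16", "aes128", "aes256"},
    "integ": {"sha256", "sha384", "sha512"},
    "prf":   {"prfsha256", "prfsha384", "prfsha512"},
    "dh":    {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521"},
}
# AEAD ciphers carry their own integrity protection.
AEAD = re.compile(r"^(aes\d+(gcm|ccm)\d+|chacha20poly1305)$")

def classify(token):
    """Return the transform type of an allowed keyword, or None."""
    for kind, names in ALLOWED.items():
        if token in names:
            return kind
    return None

def check_proposal(proposal, kind):
    """Check one strongSwan-style proposal; kind is 'ike' or 'esp'.
    Returns a list of problems (an empty list means it passes)."""
    problems = []
    seen = {k: [] for k in ALLOWED}
    # A trailing "!" is the ipsec.conf strict flag, not an algorithm.
    for token in proposal.strip().rstrip("!").lower().split("-"):
        t = classify(token)
        if t is None:
            problems.append(f"{token}: not in allowlist")
        else:
            seen[t].append(token)
    if not seen["enc"]:
        problems.append("no allowed encryption algorithm")
    aead = any(AEAD.match(e) for e in seen["enc"])
    if seen["enc"] and not aead and not seen["integ"]:
        problems.append("non-AEAD cipher without integrity algorithm")
    if kind == "ike":
        if not seen["dh"]:
            problems.append("IKE proposal has no key exchange group")
        # Assumption: an integrity algorithm doubles as the PRF when no
        # explicit prf* keyword is given (as in the default ike= line above).
        if not (seen["prf"] or seen["integ"]):
            problems.append("IKE proposal has no PRF")
    return problems
```

Run it on both the ipsec_ike and ipsec_esp values and apply the override only when both return an empty list.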