Hi,

This might be a follow-up to our previous thread <https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053256.html> on using strongSwan for OVS on Rocky (RHEL).

We have updated the option --ike-daemon=libreswan to --ike-daemon=strongswan in the file /usr/lib/systemd/system/openvswitch-ipsec.service, and restarting the openvswitch-ipsec service works this time. We next tried to create a GRE tunnel with IPsec enabled (we specified a PSK) between two machines, but we then saw this error from the openvswitch-ipsec daemon:

    2024-08-15T22:44:47.154Z | 30 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
    2024-08-15T22:44:47.155Z | 32 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
    2024-08-15T22:44:47.162Z | 33 | ovs-monitor-ipsec | ERR | StrongSwan failed to update configuration:b'' b'/usr/sbin/ipsec: unknown IPsec command "update" ("ipsec --help" for list)\n'

We then checked our ipsec:

*ipsec --version* returns *Libreswan 4.9*
*ipsec --help* also does not have an option for update

I assume ipsec.service is bound to libreswan, is that correct? If that's the case, then why do we need to call it for the strongSwan use case? I suppose they should not even co-exist. If ipsec.service is not only bound to libreswan, should we let ipsec.service know that we are using strongSwan now? How do we configure that?

Thanks,
Jim