From this strongSwan page
<https://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand>, it
seems we need to install strongswan-starter for ipsec cmd to pick it up.
But that's for the legacy use case. Now we should probably use swanctl?

On Thu, Aug 15, 2024 at 5:10 PM Jim C <jimc84...@gmail.com> wrote:

> Hi,
>
> This might be a follow up to our previous thread
> <https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053256.html>
> on using strongSwan for OVS on Rocky (RHEL).
>
> We have updated the option --ike-daemon=libreswan to
> --ike-daemon=strongswan in file
> /usr/lib/systemd/system/openvswitch-ipsec.service. And restarting the
> openvswitch-ipsec service works this time.
>
> We next tried to create a gre tunnel with ipsec enabled (we specified PSK)
> between two machines. But we then saw this error from the openvswitch-ipsec
> daemon:
>
> 2024-08-15T22:44:47.154Z |  30 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
> 2024-08-15T22:44:47.155Z |  32 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
> 2024-08-15T22:44:47.162Z |  33 | ovs-monitor-ipsec | ERR | StrongSwan failed to update configuration:
> b''
> b'/usr/sbin/ipsec: unknown IPsec command "update" ("ipsec --help" for list)\n'
>
> We then checked our ipsec:
> *ipsec --version* returns *Libreswan 4.9*
> *ipsec --help* also does not have an option for update
>
> I assume ipsec.service is bound to libreswan, is that correct?
> If that's the case, then why do we need to call it for the strongSwan use
> case? I suppose they should not even co-exist.
> If ipsec.service is not only bound to libreswan, should we let
> ipsec.service know that we are using strongSwan now? How to config that?
>
> Thanks,
> Jim
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
