Actually, it's probably due to this on that strongSwan page: *Note: Some distributions (e.g. Fedora and its offsprings) rename the ipsec command to strongswan*
We found out that we have the *strongswan* command on our Rocky host. Do we then need to change all the fields here <https://github.com/openvswitch/ovs/blob/v3.4.0/ipsec/ovs-monitor-ipsec.in#L222-L228> to run the strongswan command instead of ipsec?

On Thu, Aug 15, 2024 at 11:33 PM Jim C <jimc84...@gmail.com> wrote:

> From this strongSwan page
> <https://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand>, it
> seems we need to install strongswan-starter for ipsec cmd to pick it up.
> But that's for the legacy use case. Now we should probably use swanctl?
>
> On Thu, Aug 15, 2024 at 5:10 PM Jim C <jimc84...@gmail.com> wrote:
>
>> Hi,
>>
>> This might be a follow-up to our previous thread
>> <https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053256.html>
>> on using strongSwan for OVS on Rocky (RHEL).
>>
>> We have updated the option --ike-daemon=libreswan to
>> --ike-daemon=strongswan in file
>> /usr/lib/systemd/system/openvswitch-ipsec.service. And restarting the
>> openvswitch-ipsec service works this time.
>>
>> We next tried to create a gre tunnel with ipsec enabled (we specified
>> PSK) between two machines. But we then saw this error from the
>> openvswitch-ipsec daemon:
>>
>> *2024-08-15T22:44:47.154Z | 30 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
>> 2024-08-15T22:44:47.155Z | 32 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
>> 2024-08-15T22:44:47.162Z | 33 | ovs-monitor-ipsec | ERR | StrongSwan failed to update configuration:b'' b'/usr/sbin/ipsec: unknown IPsec command "update" ("ipsec --help" for list)\n'*
>>
>> We then checked our ipsec:
>> *ipsec --version* returns *Libreswan 4.9*
>> *ipsec --help* also does not have an option for update
>>
>> I assume ipsec.service is bound to libreswan, is that correct?
>> If that's the case, then why do we need to call it for the strongSwan use
>> case? I suppose they should not even co-exist.
>> If ipsec.service is not only bound to libreswan, should we let
>> ipsec.service know that we are using strongSwan now? How do we configure that?
>>
>> Thanks,
>> Jim
>>
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss