Sorry for the msg spam. I think the issue is OVS is still using the legacy
*strongswan-starter* systemd service unit which uses *charon*, while the
strongswan on our OS is installed with the new version *strongswan* unit
which uses *charon-systemd*. At this point, I'm not sure if we can make OVS
work with our environment with strongSwan since I don't think we can fall
back to the legacy unit.

On Fri, Aug 16, 2024 at 12:03 AM Jim C <jimc84...@gmail.com> wrote:

> Actually, it's probably due to this on that strongSwan page: *Note: Some
> distributions (e.g. Fedora and its offsprings) rename the ipsec command to
> strongswan*
>
> We found out that we have the *strongswan* command on our Rocky host.
> Then we need to change all the fields in here
> <https://github.com/openvswitch/ovs/blob/v3.4.0/ipsec/ovs-monitor-ipsec.in#L222-L228>
> to run the strongswan command instead of ipsec?
>
> On Thu, Aug 15, 2024 at 11:33 PM Jim C <jimc84...@gmail.com> wrote:
>
>> From this strongSwan page
>> <https://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand>, it
>> seems we need to install strongswan-starter for ipsec cmd to pick it up.
>> But that's for the legacy use case. Now we should probably use swanctl?
>>
>> On Thu, Aug 15, 2024 at 5:10 PM Jim C <jimc84...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> This might be a follow-up to our previous thread
>>> <https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053256.html>
>>> on using strongSwan for OVS on Rocky (RHEL).
>>>
>>> We have updated the option --ike-daemon=libreswan to
>>> --ike-daemon=strongswan in file
>>> /usr/lib/systemd/system/openvswitch-ipsec.service. And restarting the
>>> openvswitch-ipsec service works this time.
>>>
>>> We next tried to create a gre tunnel with ipsec enabled (we specified
>>> PSK) between two machines. But we then saw this error from the
>>> openvswitch-ipsec daemon:
>>>
>>> 2024-08-15T22:44:47.154Z |  30 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
>>> 2024-08-15T22:44:47.155Z |  32 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
>>> 2024-08-15T22:44:47.162Z |  33 | ovs-monitor-ipsec | ERR | StrongSwan failed to update configuration:b''  b'/usr/sbin/ipsec: unknown IPsec command "update" ("ipsec --help" for list)\n'
>>>
>>> We then checked our ipsec:
>>> *ipsec --version* returns *Libreswan 4.9*
>>> *ipsec --help* also does not have an option for update
>>>
>>> I assume ipsec.service is bound to libreswan, is that correct?
>>> If that's the case, then why do we need to call it for the strongSwan
>>> use case? I suppose they should not even co-exist.
>>> If ipsec.service is not only bound to libreswan, should we let
>>> ipsec.service know that we are using strongSwan now? How to config that?
>>>
>>> Thanks,
>>> Jim
>>>
>>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
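An added diagnostic script, written for this page and not taken from the thread, OVS or strongSwan, that checks the points the thread turns on before switching openvswitch-ipsec to --ike-daemon=strongswan: which implementation the host's `ipsec` (or renamed `strongswan`) command belongs to, whether the `update` subcommand that ovs-monitor-ipsec issues is listed in that command's help, and the state of the systemd units named above (ipsec, strongswan-starter, strongswan, openvswitch-ipsec). The `--run` flag, the heuristic of grepping help text for the word `update`, and the sample version strings are assumptions of this example.

```sh
#!/bin/sh
# Added example (not OVS or strongSwan code). ovs-monitor-ipsec drives strongSwan
# through the legacy starter CLI and runs `ipsec update`; a libreswan `ipsec`,
# or a strongSwan install without the starter, cannot serve that call.

# Classify the first line of `ipsec --version`. The page shows libreswan printing
# "Libreswan 4.9"; strongSwan prints "Linux strongSwan U<ver>/K<kernel>".
classify_ipsec_version() {
    case "$1" in
        Libreswan*|libreswan*) echo libreswan ;;
        *strongSwan*)          echo strongswan ;;
        *)                     echo unknown ;;
    esac
}

# Heuristic (assumption of this example): report whether the help text of the
# command lists the "update" subcommand that ovs-monitor-ipsec will invoke.
supports_update_command() {
    printf '%s\n' "$1" | grep -qw 'update' && echo yes || echo no
}

# Run the checks against the real host. $1 is the command ovs-monitor-ipsec will
# call: "ipsec" by default, "strongswan" on distributions that rename it.
# Returns 0 only if that command is strongSwan's and lists "update".
check_host() {
    cmd=${1:-ipsec}
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "$cmd: not installed"
        return 1
    fi
    impl=$(classify_ipsec_version "$("$cmd" --version 2>&1 | head -n1)")
    upd=$(supports_update_command "$("$cmd" --help 2>&1)")
    echo "$cmd: implementation=$impl update-command=$upd"
    for unit in ipsec strongswan-starter strongswan openvswitch-ipsec; do
        state=$(systemctl is-active "$unit" 2>/dev/null) || true
        echo "unit $unit: ${state:-unavailable}"
    done
    [ "$impl" = strongswan ] && [ "$upd" = yes ]
}

# The host checks only run when invoked as `sh thisfile.sh --run [command]`,
# so the file can also be sourced for its functions.
if [ "${1:-}" = --run ]; then
    check_host "${2:-ipsec}"
fi
```

On the Rocky host from the thread, `sh thisfile.sh --run` would report `ipsec: implementation=libreswan update-command=no`, which is exactly the mismatch behind the "unknown IPsec command" error, while `sh thisfile.sh --run strongswan` shows whether the renamed command is the one worth pointing ovs-monitor-ipsec at.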
