Hi,

I'm looking into the implementation of StrongSwanHelper <https://github.com/openvswitch/ovs/blob/main/ipsec/ovs-monitor-ipsec.in#L145> in OVS IPsec. I noticed that we are using */usr/sbin/ipsec* for strongSwan, which means we are still using the legacy *strongswan-starter* systemd service (which uses *charon*).
However, the environment that I'm working on is using the new strongSwan service *strongswan*, which uses *swanctl* and *charon-systemd*. Hence, I'm trying to see if I can modify that part of the implementation and integrate the new strongSwan service. Now I have a couple of questions:

1) In function StrongSwanHelper, do we only update strongSwan with the new policy? Do we make any updates on the OVS side (e.g. update OVS DBs, configs, etc.)? I.e., if we can somehow update the strongSwan policy somewhere else (e.g. hardcode the policy in the new strongSwan config files), do we not actually need to rely on that OVS helper function?

2) Currently, the way I'm verifying that the OVS tunnel works is:

  ovs-appctl -t ovs-monitor-ipsec tunnels/show

After I manually update the strongSwan policy in its config files, I can see output for
- Kernel policies installed
- Kernel security associations installed
but NOT
- IPsec connections that are active

I checked the code and it seems expected, because the result of the last item comes from *ipsec status*, but our env doesn't have strongswan-starter so we can't support that command.

But I'm more interested in the field *CFM state*. For my case, it's *disabled*. Does it mean that the OVS tunnel is FOR SURE not working correctly? Or does OVS not know in this case? And in my case, is there a better way to check what's going on with the CFM state, and overall is there another way to verify the tunnel works correctly?

Thanks,
Jim
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
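The "IPsec connections that are active" section that Jim is missing is the IKE daemon's view of the tunnel; the "Kernel policies" and "Kernel security associations" sections are the kernel's view (SPD and SAD, as listed by ip xfrm policy / ip xfrm state). On a charon-systemd host the daemon's view is available from swanctl --list-sas instead of ipsec status. The example below, added here and not code from the OVS project, strongSwan or Jim, parses both views and cross-checks them for one tunnel peer: policies in both directions, ESP SAs in both directions, an ESTABLISHED IKE_SA with an INSTALLED CHILD_SA for that peer, and, the check that neither section of tunnels/show gives you on its own, that the SPIs charon reports actually exist in the kernel SAD in the right direction. Assumptions, none of which come from the original post: the embedded sample outputs are constructed to resemble a strongSwan 5.x swanctl --list-sas listing and iproute2 ip xfrm output (transport-mode ESP keyed on the tunnel protocol, the shape OVS IPsec uses); the connection name gre0-in-1, the addresses and the SPIs are invented; and the regexes are written against that constructed shape, so verify them against your own host's output before relying on them.

```python
"""Cross-check the IKE daemon (swanctl) view of an IPsec tunnel against
the kernel SAD/SPD. Added example, not ovs-monitor-ipsec code."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample outputs (assumption: shaped like the real tools).
SAMPLE_SWANCTL = """\
gre0-in-1: #3, ESTABLISHED, IKEv2, 3f2a...:...
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 120s ago, rekeying in 13000s
  gre0-in-1: #5, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-256
    installed 120s ago, rekeying in 3000s, expires in 3600s
    in  c1a2b3c4,   4096 bytes,    32 packets,     1s ago
    out d4e5f6a7,   4096 bytes,    32 packets,     1s ago
    local  10.0.0.1/32[gre]
    remote 10.0.0.2/32[gre]
"""
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0xd4e5f6a7 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0000 128
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0xc1a2b3c4 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0000 128
"""
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto gre
\tdir out priority 375423
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto gre
\tdir in priority 375423
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
"""

_IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv\d")            # IKE_SA header
_PEER_RE = re.compile(r"^  remote .*?@ ([0-9a-fA-F.:]+)\[\d+\]")  # IKE peer addr
_CHILD_RE = re.compile(r"^  (\S+): #\d+, reqid \d+, (\w+), (TUNNEL|TRANSPORT)")
_SPI_RE = re.compile(r"^    (in|out)\s+([0-9a-f]+),")            # CHILD_SA SPIs
_XFRM_HDR = re.compile(r"^src (\S+) dst (\S+)(?: proto (\w+))?")
_XFRM_SPI = re.compile(r"proto esp spi 0x([0-9a-f]+)")
_XFRM_DIR = re.compile(r"\bdir (in|out|fwd)\b")


@dataclass
class ChildSA:
    ike: str
    name: str
    state: str
    spi_in: int = 0   # SPI of the SA carrying traffic remote -> local
    spi_out: int = 0  # SPI of the SA carrying traffic local -> remote


def parse_swanctl_sas(text):
    """Return (ike_states, ike_peers, children) from `swanctl --list-sas`."""
    ike_states, ike_peers, children, ike = {}, {}, [], None
    for line in text.splitlines():
        if m := _IKE_RE.match(line):
            ike = m.group(1)
            ike_states[ike] = m.group(2)
        elif m := _PEER_RE.match(line):
            ike_peers[ike] = m.group(1)
        elif m := _CHILD_RE.match(line):
            children.append(ChildSA(ike, m.group(1), m.group(2)))
        elif (m := _SPI_RE.match(line)) and children:
            setattr(children[-1], "spi_" + m.group(1), int(m.group(2), 16))
    return ike_states, ike_peers, children


def parse_xfrm_state(text):
    """Return {(src, dst, spi)} for ESP SAs in the kernel SAD."""
    sas, cur = set(), None
    for line in text.splitlines():
        if m := _XFRM_HDR.match(line):
            cur = (m.group(1), m.group(2))
        elif (m := _XFRM_SPI.search(line)) and cur:
            sas.add((cur[0], cur[1], int(m.group(1), 16)))
    return sas


def parse_xfrm_policy(text):
    """Return {(src, dst, proto, dir)} for entries in the kernel SPD."""
    pols, cur = set(), None
    for line in text.splitlines():
        if m := _XFRM_HDR.match(line):
            cur = (m.group(1), m.group(2), m.group(3) or "any")
        elif (m := _XFRM_DIR.search(line)) and cur:
            pols.add(cur + (m.group(1),))
    return pols


def tunnel_status(local_ip, remote_ip, proto, swanctl_out, xfrm_state_out,
                  xfrm_policy_out):
    """Health of one tunnel peer from the daemon view and the kernel view."""
    ike_states, ike_peers, children = parse_swanctl_sas(swanctl_out)
    sad = parse_xfrm_state(xfrm_state_out)
    spd = parse_xfrm_policy(xfrm_policy_out)
    l, r = local_ip + "/32", remote_ip + "/32"
    policies_ok = {(l, r, proto, "out"), (r, l, proto, "in")} <= spd
    pair_sas = {s for s in sad if {s[0], s[1]} == {local_ip, remote_ip}}
    live = [c for c in children if c.state == "INSTALLED"
            and ike_states.get(c.ike) == "ESTABLISHED"
            and ike_peers.get(c.ike) == remote_ip]
    # The SPIs charon negotiated must be the ones the kernel is using, in the
    # right direction; a mismatch means stale kernel state or a restarted daemon.
    consistent = bool(live) and all(
        (remote_ip, local_ip, c.spi_in) in pair_sas
        and (local_ip, remote_ip, c.spi_out) in pair_sas for c in live)
    sas_ok = len(pair_sas) >= 2
    return {"kernel_policies": policies_ok, "kernel_sas": sas_ok,
            "ike_established": bool(live), "consistent": consistent,
            "healthy": policies_ok and sas_ok and consistent}


def run_cmd(argv):
    """Live mode helper: capture a command's stdout (needs root for ip xfrm)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # live: local_ip remote_ip proto
        status = tunnel_status(sys.argv[1], sys.argv[2], sys.argv[3],
                               run_cmd(["swanctl", "--list-sas"]),
                               run_cmd(["ip", "xfrm", "state"]),
                               run_cmd(["ip", "xfrm", "policy"]))
    else:  # offline demo on the constructed samples
        status = tunnel_status("10.0.0.1", "10.0.0.2", "gre", SAMPLE_SWANCTL,
                               SAMPLE_XFRM_STATE, SAMPLE_XFRM_POLICY)
    for key, value in status.items():
        print(f"{key:18} {value}")
```

Two notes on reading the result. A "consistent" tunnel means the daemon and the kernel agree, which is the strongest statement these listings can make; kernel SAs alone (Jim's situation) already imply that IKE negotiated keys for this peer, since only charon installs them, but they cannot tell you whether charon still owns them or whether the peer has since rekeyed. CFM is a different thing altogether: it is OVS's own per-interface liveness probe (802.1ag CCMs sent over the tunnel), enabled by setting cfm_mpid on the Interface row and reported through the cfm_fault column, and it is off by default; "Disabled" in tunnels/show therefore says CFM is not configured on that interface, not that the tunnel is broken. If you want the monitor to report a data-path verdict rather than just the IPsec state, enable CFM on both ends (for example ovs-vsctl set Interface gre0 cfm_mpid=1 with a distinct MPID per end) and watch cfm_fault, or simply send traffic across the tunnel and confirm the packet counters in swanctl --list-sas increase.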