On 8/16/24 15:38, Jim C via discuss wrote:
> Sorry for the msg spam. I think the issue is OVS is still using the legacy
> *strongswan-starter* systemd service unit which uses *charon*, while the
> strongswan on our OS is installed with the new version *strongswan* unit
> which uses *charon-systemd*.

That's true. We only support strongswan-starter configuration today as it
is a default configuration for Ubuntu/Debian.

> At this point, I'm not sure if we can make OVS work with our environment with
> strongSwan since I don't think we can fall back to the legacy unit.

I replied to this in the other thread:
https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053276.html

But for completeness of this thread: ovs-monitor-ipsec is not essential for
running OVS with IPsec. It should be possible to just disable that service
and create a static strongSwan config instead, updating it when necessary.

Best regards, Ilya Maximets.

> On Fri, Aug 16, 2024 at 12:03 AM Jim C <jimc84...@gmail.com
> <mailto:jimc84...@gmail.com>> wrote:
>
>     Actually, it's probably due to this on that strongSwan page: *Note: Some
>     distributions (e.g. Fedora and its offsprings) rename the ipsec command to
>     strongswan*
>
>     We found out that we have the *strongswan* command on our Rocky host.
>     Then we need to change all the fields in here
>     <https://github.com/openvswitch/ovs/blob/v3.4.0/ipsec/ovs-monitor-ipsec.in#L222-L228>
>     to run the strongswan command instead of ipsec?
>
>     On Thu, Aug 15, 2024 at 11:33 PM Jim C <jimc84...@gmail.com
>     <mailto:jimc84...@gmail.com>> wrote:
>
>         From this strongSwan page
>         <https://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand>, it seems
>         we need to install strongswan-starter for the ipsec cmd to pick it up. But that's
>         for the legacy use case. Now we should probably use swanctl?
>
>         On Thu, Aug 15, 2024 at 5:10 PM Jim C <jimc84...@gmail.com
>         <mailto:jimc84...@gmail.com>> wrote:
>
>             Hi,
>
>             This might be a follow-up to our previous thread
>             <https://mail.openvswitch.org/pipermail/ovs-discuss/2024-August/053256.html>
>             on using strongSwan for OVS on Rocky (RHEL).
>
>             We have updated the option --ike-daemon=libreswan to
>             --ike-daemon=strongswan in file
>             /usr/lib/systemd/system/openvswitch-ipsec.service. And restarting the
>             openvswitch-ipsec service works this time.
>
>             We next tried to create a gre tunnel with ipsec enabled (we
>             specified PSK) between two machines. But we then saw this error from the
>             openvswitch-ipsec daemon:
>
>             *2024-08-15T22:44:47.154Z | 30 | ovs-monitor-ipsec | INFO | Tunnel tun appeared in OVSDB
>             2024-08-15T22:44:47.155Z | 32 | ovs-monitor-ipsec | INFO | Refreshing StrongSwan configuration
>             2024-08-15T22:44:47.162Z | 33 | ovs-monitor-ipsec | ERR | StrongSwan failed to update configuration:
>             b''
>             b'/usr/sbin/ipsec: unknown IPsec command "update" ("ipsec --help" for list)\n'*
>
>             We then checked our ipsec:
>             *ipsec --version* returns *Libreswan 4.9*
>             *ipsec --help* also does not have an option for update
>
>             I assume ipsec.service is bound to libreswan, is that correct?
>             If that's the case, then why do we need to call it for the
>             strongSwan use case? I suppose they should not even co-exist.
>             If ipsec.service is not only bound to libreswan, should we let
>             ipsec.service know that we are using strongSwan now? How do we configure that?
>
>             Thanks,
>             Jim
>
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/pipermail/listinfo/ovs-discuss
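What Ilya's suggestion (stop relying on ovs-monitor-ipsec, keep a static strongSwan config) could look like for the GRE-over-IPsec PSK tunnel Jim describes, as an added example that is not code from the thread or from the OVS project. It assumes the charon-systemd layout on the Rocky host (strongswan.service, swanctl, /etc/swanctl/conf.d); the addresses, PSK and connection name are placeholders.

```shell
#!/bin/sh
# Added example. Renders a static swanctl.conf for the "strongswan" unit
# (charon-systemd), standing in for the ipsec.conf that ovs-monitor-ipsec
# would drive through the legacy "ipsec" starter script.
# Placeholder values: endpoint addresses, PSK and connection name.
render_ovs_gre_swanctl_conf() {
    local_ip=$1; remote_ip=$2; psk=$3
    cat <<EOF
connections {
    ovs-gre {
        version = 2
        local_addrs = ${local_ip}
        remote_addrs = ${remote_ip}
        local { auth = psk }
        remote { auth = psk }
        children {
            gre {
                # Transport-mode policy covering only GRE (IP proto 47)
                # between the two endpoints, the same policy shape
                # ovs-monitor-ipsec generates for OVS tunnels.
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                start_action = start
            }
        }
    }
}
secrets {
    ike-ovs-gre {
        id-1 = ${remote_ip}
        secret = "${psk}"
    }
}
EOF
}

# The thread's error: Libreswan's /usr/sbin/ipsec has no "update" command.
# Returns 0 when the given "ipsec --version" output identifies Libreswan,
# i.e. ovs-monitor-ipsec --ike-daemon=strongswan cannot work on this host.
ipsec_is_libreswan() {
    printf '%s\n' "$1" | grep -qi '^Libreswan'
}

# Usage as root: sh ovs-static-ipsec.sh --install 192.0.2.1 192.0.2.2 'psk'
if [ "${1-}" = "--install" ]; then
    systemctl disable --now openvswitch-ipsec
    render_ovs_gre_swanctl_conf "$2" "$3" "$4" > /etc/swanctl/conf.d/ovs-gre.conf
    swanctl --load-all
fi
```

The same file (with local/remote swapped) goes on the peer; rerun the render and `swanctl --load-all` whenever the tunnel endpoints change, which is the "updating it when necessary" part.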