[ovs-discuss] Is OVS FIPS compliant?

2024-05-13 Thread Jim C via discuss
We want to use Open vSwitch to build our network and enable IPSec for encryption in-transit. I wonder if there is a document that describes if the OVS package itself is FIPS compliant? Maybe my question is not described accurately. Please let me know what more information is needed. Thanks.

[ovs-discuss] Can we choose the encryption algorithms in IPSec?

2024-05-16 Thread Jim C via discuss
Hi, I'm looking into this IPSec tutorial ( https://docs.openvswitch.org/en/latest/tutorials/ipsec/). I wonder if there is an option for us to choose the encryption algorithm that we want given we want FIPS approved algorithms. Is there a manual? Thanks in advance.

Re: [ovs-discuss] Is OVS FIPS compliant?

2024-05-16 Thread Jim C via discuss
information on that? On Mon, May 13, 2024 at 2:39 AM Ilya Maximets wrote: > On 5/12/24 08:17, Jim C via discuss wrote: > > We want to use Open vSwitch to build our network and enable IPSec > > for encryption in-transit. I wonder if there is a document that > > describes if t

[ovs-discuss] Does OVS IPsec support key rotation?

2024-05-19 Thread Jim C via discuss
Hi, If I use a pre-shared key for IPSec authentication with OVS, is there a way for me to change the key for the same IPSec tunnel later? Thanks.

Re: [ovs-discuss] Is OVS FIPS compliant?

2024-05-29 Thread Jim C via discuss
mets. > > > > > On Mon, May 13, 2024 at 2:39 AM Ilya Maximets <i.maxim...@ovn.org> wrote: > > > > On 5/12/24 08:17, Jim C via discuss wrote: > > > We want to use Open vSwitch to build our network and enable IPSec > > > for encryption in

[ovs-discuss] Our OVS is using libreswan as ike-daemon. How to switch to strongSwan?

2024-07-23 Thread Jim C via discuss
Hi, We saw our OVS has the following specs from this service file: # cat /etc/systemd/system/multi-user.target.wants/openvswitch-ipsec.service [Unit] Description=OVS IPsec daemon Requires=openvswitch.service After=openvswitch.service [Service] Type=forking PIDFile=/run/openvswitch/ovs-monitor-ip

[ovs-discuss] How to install OVS IPSec package without installing libreswan?

2024-08-06 Thread Jim C via discuss
Hi, It seems libreswan is a dependency of the OVS IPSec package. It's piggybacked on our OS when we installed the OVS IPSec pkg. However, our host is already installed with strongSwan and we want to keep using that. Then we detect some malfunction on the strongSwan side and we suspect it's due to

Re: [ovs-discuss] Our OVS is using libreswan as ike-daemon. How to switch to strongSwan?

2024-08-07 Thread Jim C via discuss
ngSwan. Thanks. On Wed, Jul 24, 2024 at 4:50 AM Ilya Maximets wrote: > On 7/24/24 08:31, Jim C via discuss wrote: > > Hi, > > > > We saw our OVS has the following specs from this service file: > > > > # cat > /etc/systemd/system/multi-user.target.wants/openv

Re: [ovs-discuss] Our OVS is using libreswan as ike-daemon. How to switch to strongSwan?

2024-08-07 Thread Jim C via discuss
nux > > > > We do hope to get rid of the libreswan dependency tho. But for now, we > can't switch to using strongSwan. > > > > Thanks. > > > > On Wed, Jul 24, 2024 at 4:50 AM Ilya Maximets <i.maxim...@ovn.org> wrote: > &g

Re: [ovs-discuss] Our OVS is using libreswan as ike-daemon. How to switch to strongSwan?

2024-08-07 Thread Jim C via discuss
> > > * > > > > > > We are using: > > > strongSwan 5.10 > > > Rocky (RHEL) Linux > > > > > > We do hope to get rid of the libreswan dependency tho. But for > now, we can't switch

Re: [ovs-discuss] Our OVS is using libreswan as ike-daemon. How to switch to strongSwan?

2024-08-07 Thread Jim C via discuss
t; > Best regards, Ilya Maximets. > > > > > > > * > > > > > > > > We are using: > > > > strongSwan 5.10 > > > > Rocky (RHEL) Linux > > > > > > >

[ovs-discuss] ovs-monitor-ipsec reports: StrongSwan failed to update configuration

2024-08-15 Thread Jim C via discuss
Hi, This might be a follow up to our previous thread on using strongSwan for OVS on Rocky (RHEL). We have updated the option --ike-daemon=libreswan to --ike-daemon=strongswan in file /usr/lib/systemd/system/openvswitch-i

Re: [ovs-discuss] ovs-monitor-ipsec reports: StrongSwan failed to update configuration

2024-08-15 Thread Jim C via discuss
From this strongSwan page, it seems we need to install strongswan-starter for ipsec cmd to pick it up. But that's for the legacy use case. Now we should probably use swanctl? On Thu, Aug 15, 2024 at 5:10 PM Jim C wrote: > Hi, >

Re: [ovs-discuss] ovs-monitor-ipsec reports: StrongSwan failed to update configuration

2024-08-16 Thread Jim C via discuss
Actually, it's probably due to this on that strongSwan page: *Note: Some distributions (e.g. Fedora and its offsprings) rename the ipsec command to strongswan* We found out that we have the *strongswan* command on our Rocky host. Then we need to change all the fields in here

Re: [ovs-discuss] ovs-monitor-ipsec reports: StrongSwan failed to update configuration

2024-08-16 Thread Jim C via discuss
Sorry for the msg spam. I think the issue is OVS is still using the legacy *strongswan-starter* systemd service unit which uses *charon*, while the strongswan on our OS is installed with the new version *strongswan* unit which uses *charon-systemd*. At this point, I'm not sure if we can make OVS wo

[ovs-discuss] Questions about the implementation of StrongSwanHelper in OVS IPSec

2024-08-18 Thread Jim C via discuss
Hi, I'm looking into the implementation of StrongSwanHelper in OVS IPSec. I noticed that we are using */usr/sbin/ipsec* for strongSwan, which means we are still using the legacy *strongswan-starter* systemd service (whi

Re: [ovs-discuss] Questions about the implementation of StrongSwanHelper in OVS IPSec

2024-08-19 Thread Jim C via discuss
2024 at 4:52 AM Ilya Maximets wrote: > On 8/18/24 11:16, Jim C via discuss wrote: > > Hi, > > > > I'm looking into the implementation of StrongSwanHelper in OVS IPSec. I > noticed that > > we are using */usr/sbin/ipsec* for strongSwan, which means we

Re: [ovs-discuss] Questions about the implementation of StrongSwanHelper in OVS IPSec

2024-08-19 Thread Jim C via discuss
=down} > > for both of my nodes. I do think the tunnel is working since our upper > layer who uses the OVS tunnel works. But why are the states all down and > it's showing "No Diagnostic"? > > Thanks, > Jim > > On Mon, Aug 19, 2024 at 4:52 AM Ilya Maximets wr

Re: [ovs-discuss] Questions about the implementation of StrongSwanHelper in OVS IPSec

2024-08-19 Thread Jim C via discuss
On Mon, Aug 19, 2024 at 3:40 PM Ilya Maximets wrote: > On 8/20/24 00:10, Jim C via discuss wrote: > > Oh also I noticed that the port used for VXLAN is always udp 4789. > > Then I suppose I can just always hard code that in our strongSwan policy? > > Yes, 4789 is a regi