Bug 2043057 - Need a toggle for encapsulation=yes (libreswan) | forceencaps=yes (openswan) in ovs-ipsec-monitor
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch
Version: FDP 22.L
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Timothy Redaelli
QA Contact: qding
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-20 14:49 UTC by Andreas Karis
Modified: 2023-07-18 08:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-18 08:28:28 UTC
Target Upstream Version:
Embargoed:


Links: Red Hat Issue Tracker FD-1726 (last updated 2022-01-20 14:57:41 UTC)

Description Andreas Karis 2022-01-20 14:49:46 UTC
Description of problem:

As a result of the request in https://bugzilla.redhat.com/show_bug.cgi?id=2041681, I would like to request that we implement a toggle for encapsulation=yes (libreswan) | forceencaps=yes (openswan) in ovs-ipsec-monitor. This toggle will allow us to bypass NAT detection during IKE and instead to unconditionally force NAT-T mode. Some cloud platforms such as IBMcloud block IP protocol number 50 (ESP). However, the default of encapsulation=auto (in libreswan) will only switch over to udp/4500 for ESP if it detects NAT. That NAT detection is subject to actual changes in IP addresses or ports, though, and it can't deal with (transparent) firewalls that simply drop anything that's IP protocol 50. See https://bugzilla.redhat.com/show_bug.cgi?id=2041681#c8

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Here's a suggestion that should work:
https://github.com/andreaskaris/ovs/commit/971d5014ea648761cd0d77e98b466db397efbcd8

I tested it for libreswan (both ovs-ctl and ovs-monitor-ipsec) both with the flag on and off. With the flag on:
~~~
sh-4.4# ps aux | grep ovs-ipsec
root           1  0.0  0.0  11920  2992 ?        Ss   14:28   0:00 /bin/bash -c #!/bin/bash set -exuo pipefail  function cleanup() {   # In order to maintain traffic flows during container restart, we   # need to ensure that xfrm state and policies are not flushed.    # Don't allow ovs monitor to cleanup persistent state   kill $(cat /var/run/openvswitch/ovs-monitor-ipsec.pid 2>/dev/null) 2>/dev/null || true   # Don't allow pluto to clear xfrm state and policies on exit   kill -9 $(cat /var/run/pluto/pluto.pid 2>/devnull) 2>/dev/null || true    /usr/sbin/ipsec --stopnflog   exit 0 } trap cleanup SIGTERM  # Don't start IPsec until ovnkube-node has finished setting up the node counter=0 until [ -f /etc/cni/net.d/10-ovn-kubernetes.conf ] do   ((counter++))   sleep 1   if [ $counter -gt 300 ];   then           echo "ovnkube-node pod has not started after $counter seconds"           exit 1   fi done echo "ovnkube-node has configured node."  # After a restart of this container (or on initial startup), we flush xfrm state and policy # before we start pluto and ovs-monitor-ipsec in order to start in a known good state. This # will result in a small interruption in traffic until pluto and ovs-monitor-ipsec start again. 
ip x s flush ip x p flush  # Workaround for https://github.com/libreswan/libreswan/issues/373 ulimit -n 1024  /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig # Check kernel modules /usr/libexec/ipsec/_stackmanager start # Check nss database status /usr/sbin/ipsec --checknss # Start the pluto IKE daemon /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --logfile /var/log/openvswitch/libreswan.log  # IBMCloud does not forward ESP (IP proto 50) # Instead, force IBMCloud IPsec to always use NAT-T force_encapsulation="--force-encapsulation" # Environment variables are for workaround for https://mail.openvswitch.org/pipermail/ovs-dev/2020-October/375734.html # We now start ovs-monitor-ipsec which will monitor for changes in the ovs # tunnelling configuration (for example addition of a node) and configures # libreswan appropriately. OVS_LOGDIR=/var/log/openvswitch OVS_RUNDIR=/var/run/openvswitch OVS_PKGDATADIR=/usr/share/openvswitch /usr/share/openvswitch/scripts/ovs-ctl --ike-daemon=libreswan --no-restart-ike-daemon ${force_encapsulation} start-ovs-ipsec  sleep infinity 
sh-4.4# cat /etc/ipsec.conf  | head -n 20
# Generated by ovs-monitor-ipsec...do not modify by hand!


config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist
    encapsulation=yes

conn ovn-14923f-0-in-1
    left=10.0.136.142
    right=10.0.136.36
    leftid=@cb443f0d-cb45-4c53-b750-58864cf49dc5
    rightid=@14923fda-c41c-47b5-86d1-0fa3c6711b2b
~~~

And I checked that the default section for OpenSwan was generated locally on my laptop by running the script (it crashed due to the absence of dependencies, but the header section of /etc/ipsec.conf was rendered correctly).

I posted a patch to the upstream list, but I don't know if I did everything correctly (well let's rather say I don't know if gmail didn't mess anything up ..........). It said that the patch is held until the moderator reviews it.

From: Andreas Karis <ak.karis>
Date: Thu, 20 Jan 2022 13:08:00 +0100
Message-ID: <CALVtEgTBQAm95HKM08sePbxfwX6wKtSuYSt6AekdroiGSOBjKA.com>
Subject: [PATCH] ovs-monitor-ipsec: Add force-encapsulation option to force NAT-T
To: dev
Cc: akaris

Both LibreSwan and OpenSwan allow administrators to unconditionally
force enable NAT-T for ESP. This may help to surmount restrictive
firewalls in scenarios where IP protocol number 50 is blocked, but where
NAT autodetection fails. Add a switch --force-encapsulation to expose
this feature to users of ovs-monitor-ipsec

Signed-off-by: Andreas Karis <ak.karis>
---
 ipsec/ovs-monitor-ipsec.in | 30 ++++++++++++++++++++++--------
 utilities/ovs-ctl.in       |  7 +++++++
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 89a36fe17..89b074e25 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -171,8 +171,9 @@ conn %%default
     auto=route
     ike=aes256gcm16-sha256-modp2048
     esp=aes256gcm16-modp2048
+    %s

-""" % (FILE_HEADER)
+"""

     CA_SECTION = """ca ca_auth
     cacert=%s
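Review bot: with `% (FILE_HEADER)` dropped here, CONF_HEADER becomes a two-argument template that every caller has to format with exactly `(FILE_HEADER, self.extra_params)`; the existing `%%default` survives that, but any `%` added to the template later must be doubled too. A small `_render_conf_header()` method on the helper, used by both restart_ike_daemon and config_init, would keep the tuple in one place instead of repeating it at every write site.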
@@ -219,13 +220,18 @@ conn prevent_unencrypted_vxlan
     rightid=$remote_name
     leftcert=$certificate""")}

-    def __init__(self, root_prefix):
+    def __init__(self, root_prefix, args):
         self.CHARON_CONF = root_prefix + "/etc/strongswan.d/ovs.conf"
         self.IPSEC = root_prefix + "/usr/sbin/ipsec"
         self.IPSEC_CONF = root_prefix + "/etc/ipsec.conf"
         self.IPSEC_SECRETS = root_prefix + "/etc/ipsec.secrets"
         self.conf_file = None
         self.secrets_file = None
+        if args.force_encapsulation:
+            self.extra_params = "forceencaps=yes"
+        else:
+            self.extra_params = ""
+

     def restart_ike_daemon(self):
         """This function restarts StrongSwan."""
@@ -234,7 +240,7 @@ conn prevent_unencrypted_vxlan
         f.close()

         f = open(self.IPSEC_CONF, "w")
-        f.write(self.CONF_HEADER)
+        f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
         f.close()

         f = open(self.IPSEC_SECRETS, "w")
@@ -274,7 +280,7 @@ conn prevent_unencrypted_vxlan
     def config_init(self):
         self.conf_file = open(self.IPSEC_CONF, "w")
         self.secrets_file = open(self.IPSEC_SECRETS, "w")
-        self.conf_file.write(self.CONF_HEADER)
+        self.conf_file.write(self.CONF_HEADER % (FILE_HEADER,
self.extra_params))
         self.secrets_file.write(FILE_HEADER)

     def config_global(self, monitor):
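Review bot: the added `self.conf_file.write(self.CONF_HEADER % (FILE_HEADER,` line is continued as `self.extra_params))` on a line of its own with no diff prefix and no indentation, which looks like the mailer re-wrapping a long line; as mailed, this hunk will not apply. Resend with the line intact, breaking it inside the parentheses and indenting the continuation under the opening parenthesis, or send with `git send-email` to avoid the wrapping.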
@@ -387,8 +393,9 @@ conn %%default
     ike=aes_gcm256-sha2_256
     esp=aes_gcm256
     ikev2=insist
+    %s

-""" % (FILE_HEADER)
+"""

     SHUNT_POLICY = """conn prevent_unencrypted_gre
     type=drop
@@ -452,6 +459,10 @@ conn prevent_unencrypted_vxlan
                         else "/etc/ipsec.secrets")
         ipsec_ctl = (args.ipsec_ctl if args.ipsec_ctl
                         else "/run/pluto/pluto.ctl")
+        if args.force_encapsulation:
+            self.extra_params = "encapsulation=yes"
+        else:
+            self.extra_params = ""

         self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
         self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf
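Review bot: `encapsulation=yes` is the right libreswan keyword, but because it goes into `conn %default` it applies to every ovn-* connection the monitor generates, so every tunnel pays the UDP/4500 overhead, not only the ones behind the ESP-dropping firewall; the option help should say it is global. Since `extra_params` only ever holds this one keyword, a name like `encapsulation_param` and a single conditional expression would be clearer than the generic name plus if/else.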
@@ -472,7 +483,7 @@ conn prevent_unencrypted_vxlan
         self._nss_clear_database()

         f = open(self.IPSEC_CONF, "w")
-        f.write(self.CONF_HEADER)
+        f.write(self.CONF_HEADER % (FILE_HEADER, self.extra_params))
         f.close()

         f = open(self.IPSEC_SECRETS, "w")
@@ -485,7 +496,7 @@ conn prevent_unencrypted_vxlan
     def config_init(self):
         self.conf_file = open(self.IPSEC_CONF, "w")
         self.secrets_file = open(self.IPSEC_SECRETS, "w")
-        self.conf_file.write(self.CONF_HEADER)
+        self.conf_file.write(self.CONF_HEADER % (FILE_HEADER,
self.extra_params))
         self.secrets_file.write(FILE_HEADER)

     def config_global(self, monitor):
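Review bot: same mailer wrapping as in the strongswan config_init hunk: `self.extra_params))` sits on its own line without a diff prefix, so this hunk is malformed as sent and needs to be resent intact.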
@@ -1012,7 +1023,7 @@ class IPsecMonitor(object):

         # Choose to either use StrongSwan or LibreSwan as IKE daemon
         if ike_daemon == "strongswan":
-            self.ike_helper = StrongSwanHelper(root_prefix)
+            self.ike_helper = StrongSwanHelper(root_prefix, args)
         elif ike_daemon == "libreswan":
             self.ike_helper = LibreSwanHelper(root_prefix, args)
         else:
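Review bot: passing `args` to StrongSwanHelper is consistent with LibreSwanHelper, but both helpers only read `args.force_encapsulation`; passing that boolean (or the already-rendered keyword) instead of the whole argparse namespace would keep the helpers' constructor contracts narrow and easier to test.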
@@ -1284,6 +1295,9 @@ def main():
     parser.add_argument("--ipsec-ctl", metavar="IPSEC-CTL",
                         help="Use DIR/IPSEC-CTL as location for "
                         " pluto ctl socket (libreswan only).")
+    parser.add_argument("--force-encapsulation", action='store_true',
+                        help="Unconditionally enable ESP NAT-T
encapsulation."
+                        " (either libreswan or strongswan).")

     ovs.vlog.add_args(parser)
     ovs.daemon.add_args(parser)
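Review bot: the help string `"Unconditionally enable ESP NAT-T` is split by the mailer, with `encapsulation."` on a following line that carries no diff prefix; as mailed the hunk does not apply, and if the split were real it would be an unterminated string literal. Also, `(either libreswan or strongswan)` here does not match the ovs-ctl usage text for the same option later in this patch, which names no daemon; the two descriptions should agree.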
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index e6e07f476..38a73df76 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -240,11 +240,15 @@ start_ovs_ipsec () {
     if test X$RESTART_IKE_DAEMON = Xno; then
         no_restart="--no-restart-ike-daemon"
     fi
+    if test X$FORCE_ENCAPSULATION = Xyes; then
+        force_encapsulation="--force-encapsulation"
+    fi

     ${datadir}/scripts/ovs-monitor-ipsec \
         --pidfile=${rundir}/ovs-monitor-ipsec.pid \
         --ike-daemon=$IKE_DAEMON \
         $no_restart \
+    $force_encapsulation \
         --log-file --detach --monitor unix:${rundir}/db.sock || return 1
     return 0
 }
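Review bot: `$force_encapsulation \` is indented four spaces where the neighbouring `$no_restart \` uses eight; align it with the other arguments. `force_encapsulation` is left unset on the `FORCE_ENCAPSULATION=no` path, which mirrors how `no_restart` is handled, but an explicit `force_encapsulation=` before the `if` would make the function safe under `set -u`.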
@@ -354,6 +358,7 @@ set_defaults () {

     IKE_DAEMON=
     RESTART_IKE_DAEMON=yes
+    FORCE_ENCAPSULATION=no

     type_file=$etcdir/system-type.conf
     version_file=$etcdir/system-version.conf
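Review bot: the default follows the RESTART_IKE_DAEMON pattern, so the patch relies on ovs-ctl's existing option handling to turn `--force-encapsulation` into `FORCE_ENCAPSULATION=yes`; since no explicit parsing is added, it is worth saying so in the commit message so a reviewer does not go looking for the missing case.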
@@ -448,6 +453,8 @@ Option for "start-ovs-ipsec":
       the IKE daemon for ipsec tunnels (either libreswan or strongswan)
   --no-restart-ike-daemon
       do not restart the IKE daemon on startup
+  --force-encapsulation
+      Unconditionally force ESP NAT-T (ESP over udp/4500)

 Other options:
   -h, --help                  display this help message
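Review bot: the sibling entries in this usage block are lower case (`do not restart the IKE daemon on startup`) while the new one starts with `Unconditionally`; match the existing style. The parenthetical `(ESP over udp/4500)` is a useful detail that the argparse help in ovs-monitor-ipsec lacks; consider using the same wording in both places.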
-- 
2.31.1


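As an added example (not code from the OVS project or from the patch above), the following mirrors the pattern the patch introduces, CONF_HEADER rendered with FILE_HEADER plus a per-daemon keyword, and adds a checker that parses the generated ipsec.conf to confirm forced NAT-T actually reaches each conn, including the case where a conn overrides `conn %default`. The templates are abridged copies of the two in the patch; `SAMPLE_CONF`, the `ovn-optout-example` conn and the FORCE_NAT_T_KEYWORD table are constructed for this example.

```python
# Added example, not OVS project code: render the patched CONF_HEADER for a
# given IKE daemon and verify, by parsing the result, that forced NAT-T is in
# effect for a given conn (a conn inherits conn %default but may override it).
import re

FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n"

# Keyword that forces ESP-in-UDP regardless of NAT detection, per IKE daemon.
FORCE_NAT_T_KEYWORD = {"libreswan": "encapsulation=yes",
                       "strongswan": "forceencaps=yes"}

# Abridged copies of the patch's two CONF_HEADER templates; the first %s takes
# FILE_HEADER, the second the (possibly empty) forcing keyword.
CONF_HEADER = {
    "libreswan": """%s
config setup
    uniqueids=yes

conn %%default
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist
    %s

""",
    "strongswan": """%s
conn %%default
    auto=route
    ike=aes256gcm16-sha256-modp2048
    esp=aes256gcm16-modp2048
    %s
""",
}

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def render_conf_header(ike_daemon, force_encapsulation):
    """Render the header the way the patched helper does."""
    extra = FORCE_NAT_T_KEYWORD[ike_daemon] if force_encapsulation else ""
    return CONF_HEADER[ike_daemon] % (FILE_HEADER, extra)


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {"conn <name>": {key: value}}: section headers
    start in column 0, settings are indented key=value, '#' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = "%s %s" % m.groups()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line outside a section: %r" % raw)
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def conn_forces_nat_t(sections, conn, ike_daemon):
    """True if <conn> ends up with the forcing keyword: a conn inherits
    conn %default, but its own setting, if present, wins."""
    key, value = FORCE_NAT_T_KEYWORD[ike_daemon].split("=")
    default = sections.get("conn %default", {})
    own = sections.get("conn " + conn, {})
    return own.get(key, default.get(key)) == value


# Constructed sample modelled on the /etc/ipsec.conf shown in the bug, plus a
# hypothetical conn that overrides the default (to show the override wins).
SAMPLE_CONF = render_conf_header("libreswan", True) + """\
conn ovn-14923f-0-in-1
    left=10.0.136.142
    right=10.0.136.36

conn ovn-optout-example
    left=10.0.136.142
    right=10.0.136.99
    encapsulation=no
"""
```

Running `conn_forces_nat_t(parse_ipsec_conf(open("/etc/ipsec.conf").read()), name, "libreswan")` on a node is a quick way to confirm that the toggle made it into the generated file for every ovn-* conn before relying on ESP over udp/4500.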
Comment 1 Andreas Karis 2022-01-20 15:00:12 UTC
Amended version with some whitespaces fixed: https://github.com/andreaskaris/ovs/commit/ee314bca71084ca4b895748ae9c5bb8b00854e02

Comment 6 Andreas Karis 2022-05-30 12:22:48 UTC
Fixed upstream with: https://github.com/openvswitch/ovs/commit/e8515c8cc082964f7611e6f03300e614b9b8eaca

Comment 7 Andreas Karis 2023-07-18 08:28:28 UTC
As far as I know, this is also fixed downstream now by syncing with the upstream versions - closing

