openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

Ability to set custom values for IPSec Tunnel Parameters #250

Closed btsimon97 closed 1 year ago

btsimon97 commented 2 years ago

Currently in Open vSwitch the IPsec tunnel parameters for Libreswan appear to be hardcoded: aes_gcm256-sha2_256 for the ike= line in ipsec.conf and aes_gcm256 for the esp= line, and these values are only set in the default section, not per tunnel.

In cases where Open vSwitch is being used to form tunnels or overlay networks over IPsec with non-Open vSwitch endpoints, it would be useful to be able to modify these values, either the defaults or per tunnel instance. Currently, modifying the values in ipsec.conf will result in these values being reset when Open vSwitch is restarted.

Basically, some way to pass through Libreswan tunnel options, including ike=, esp= and mode= (assuming one doesn't already exist), would allow the tunnel's behavior to be customized to conform with the expectations of the remote endpoint, which for policy or administrative reasons may not be able to have its configuration adjusted to match what Open vSwitch wants it to be.
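The issue hinges on where Libreswan reads ike=/esp= from: values in `conn %default` apply to every connection that does not override them, so a tunnel whose section carries no ike=/esp= line silently gets the defaults. The following script is an added example, not code from the OVS or Libreswan projects. It parses a constructed ipsec.conf in Libreswan's section format, resolves the effective settings of each tunnel after `%default` inheritance, and compares them against the cipher suite a remote endpoint is expected to require, which is the check an operator would run before concluding that a regenerated ipsec.conf has overwritten a hand edit. The connection names, addresses and the `aes_cbc256-sha2_256` override in the sample are invented for illustration; the default ike=/esp= values are the ones quoted in the issue.

```python
"""Resolve effective IKE/ESP settings per Libreswan connection (added example,
not OVS or Libreswan code)."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the shape the issue describes: ike=/esp= only in
# `conn %default`, one tunnel that inherits them unchanged and one that
# overrides esp= (hypothetical requirement of a non-OVS remote endpoint).
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256

conn tunnel-a-out-1
    left=10.0.0.1
    right=10.0.0.2

conn tunnel-b-out-1
    left=10.0.0.1
    right=10.0.0.3
    esp=aes_cbc256-sha2_256   # overrides the %default esp=
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {"conn NAME" | "config NAME": {key: value}} for every section.

    Libreswan's format: an unindented `conn NAME` or `config setup` line opens
    a section; indented key=value lines belong to the most recent section.
    '#' starts a comment. `include` lines and continuations are not handled
    in this example.
    """
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn_settings(text: str) -> Dict[str, Section]:
    """Merge `conn %default` into each named conn, the way Libreswan applies
    defaults: a key present in the conn wins, anything else is inherited."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    effective: Dict[str, Section] = {}
    for name, values in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = dict(defaults)
        merged.update(values)
        effective[name[len("conn "):]] = merged
    return effective


def check_policy(text: str, expected: Dict[str, Section]) -> Dict[str, Dict[str, Tuple]]:
    """Compare effective ike=/esp= (or any key) against what each remote
    endpoint requires. Returns {conn: {key: (actual, wanted)}} for every
    mismatch; an absent conn is reported as {"conn": (None, "present")}."""
    actual = effective_conn_settings(text)
    mismatches: Dict[str, Dict[str, Tuple]] = {}
    for conn, wanted in expected.items():
        settings = actual.get(conn)
        if settings is None:
            mismatches[conn] = {"conn": (None, "present")}
            continue
        diffs = {k: (settings.get(k), v) for k, v in wanted.items()
                 if settings.get(k) != v}
        if diffs:
            mismatches[conn] = diffs
    return mismatches


if __name__ == "__main__":
    # Hypothetical policy: both remotes insist on a CBC+HMAC ESP suite.
    policy = {
        "tunnel-a-out-1": {"ike": "aes_gcm256-sha2_256", "esp": "aes_cbc256-sha2_256"},
        "tunnel-b-out-1": {"esp": "aes_cbc256-sha2_256"},
    }
    for conn, settings in effective_conn_settings(SAMPLE_IPSEC_CONF).items():
        print(conn, "ike=" + settings["ike"], "esp=" + settings["esp"])
    print("mismatches:", check_policy(SAMPLE_IPSEC_CONF, policy))
```

Running it shows tunnel-a-out-1 inheriting esp=aes_gcm256 from `%default` and therefore failing the hypothetical remote's policy, while tunnel-b-out-1 passes only because its own section overrides esp=. Point the parser at the file ovs-monitor-ipsec regenerates on restart to see whether a manual edit survived.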

igsilya commented 1 year ago

Hi, it looks like the functionality you need was covered by commit https://github.com/openvswitch/ovs/commit/e8515c8cc082 and released in OVS 3.0. Is it enough for your use-case, or do you need something else?

igsilya commented 1 year ago

Closing this for now as it appears to be solved in OVS 3.0 with aforementioned commit.