ipsec: Add support for using default crypto with Libreswan.

Distributions are normally shipping with a special file with
system-wide crypto policies.  For example, on Fedora/RHEL:

  /etc/crypto-policies/back-ends/libreswan.config

This file is included by the main /etc/ipsec.conf.

Today, ovs-monitor-ipsec can't take advantage of that, because we're
always defining ike and esp algorithms for our connections.

Add '--use-default-crypto' option to ovs-monitor-ipsec.  If it is set,
the daemon will not specify any crypto policies for connections and
will use what is provided by default.  In case we're running with a
root ipsec.conf, it'll be just the defaults that Libreswan has by
itself.  In case we're running with a sub-config and the
'--root-ipsec-conf' option, connections will be using crypto options
defined in 'conn %default' somewhere in other files included from the
root ipsec.conf; in most cases that will be the system-wide crypto
policy file like the one mentioned above.

This provides system administrators better control over crypto
policies used without requiring them to adjust configuration of every
OVS tunnel.

Users can still override options per-connection by setting
"ipsec_ike/esp" tunnel configuration.

This mostly makes sense together with '--root-ipsec-conf', so only
implemented for Libreswan for now.

Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>

NEWS

@@ -51,6 +51,10 @@ Post-v3.4.0
      * New option '--root-ipsec-conf' for ovs-monitor-ipsec with Libreswan
        to allow cases where '--ipsec-conf' is not the main ipsec.conf, but
        included from it.  The value should be the path to the main ipsec.conf.
+     * New option '--use-default-crypto' for ovs-monitor-ipsec with Libreswan
+       to make it not configure any crypto options (ike/esp) for connections.
+       Most useful in combination with '--root-ipsec-conf' where system-wide
+       crypto-policy is included from the root ipsec.conf.
 
 
 v3.4.0 - 15 Aug 2024

ipsec/ovs-monitor-ipsec.in

@@ -540,6 +540,7 @@ conn prevent_unencrypted_vxlan
         self.last_refresh = time.time()
         self.secrets_file = None
         self.use_default_conn = self.IPSEC_CONF == self.ROOT_IPSEC_CONF
+        self.use_default_crypto = args.use_default_crypto
         vlog.dbg("Using: " + self.IPSEC)
         vlog.dbg("Configuration file: " + self.IPSEC_CONF)
         vlog.dbg("Root configuration file: " + self.ROOT_IPSEC_CONF)
@@ -557,7 +558,8 @@ conn prevent_unencrypted_vxlan
         if self.use_default_conn:
             f.write(self.CONF_DEFAULT_HEADER)
             f.write(self.CONN_CONF_BASE)
-            f.write(self.CONN_CONF_CRYPTO)
+            if not self.use_default_crypto:
+                f.write(self.CONN_CONF_CRYPTO)
             f.write("\n")
         f.close()
 
@@ -575,7 +577,8 @@ conn prevent_unencrypted_vxlan
         if self.use_default_conn:
             self.conf_file.write(self.CONF_DEFAULT_HEADER)
             self.conf_file.write(self.CONN_CONF_BASE)
-            self.conf_file.write(self.CONN_CONF_CRYPTO)
+            if not self.use_default_crypto:
+                self.conf_file.write(self.CONN_CONF_CRYPTO)
             self.conf_file.write("\n")
 
         self.secrets_file.write(FILE_HEADER)
@@ -637,7 +640,8 @@ conn prevent_unencrypted_vxlan
 
         if not self.use_default_conn:
             auth_section = self.CONN_CONF_BASE + auth_section
-            auth_section = self.CONN_CONF_CRYPTO + auth_section
+            if not self.use_default_crypto:
+                auth_section = self.CONN_CONF_CRYPTO + auth_section
 
         if "custom_options" in tunnel.conf:
             for key, value in tunnel.conf["custom_options"].items():
@@ -1431,6 +1435,10 @@ def main():
                         type=int, default=120,
                         help="Timeout for external commands called by the "
                         "ovs-monitor-ipsec daemon, e.g. ipsec --start.")
+    parser.add_argument("--use-default-crypto", action='store_true',
+                        help="Use default crypto configuration, i.e. do"
+                        " not set ike/esp/ikev2 in connections"
+                        " (libreswan only)")
 
     ovs.vlog.add_args(parser)
     ovs.daemon.add_args(parser)

tests/system-ipsec.at

@@ -21,7 +21,7 @@ m4_define([START_PLUTO], [
 ])
 
 dnl IPSEC_ADD_NODE([namespace], [device], [address], [peer address],
-dnl                [custom-ipsec-conf])
+dnl                [custom-ipsec-conf], [extra])
 dnl
 dnl Creates a dummy host that acts as an IPsec endpoint. Creates host in
 dnl 'namespace' and attaches a veth 'device' to 'namespace' to act as the host
@@ -33,6 +33,9 @@ dnl Starts all daemons in 'namespace' that are required for IPsec.
 dnl
 dnl If 'custom-ipsec-conf' is provided, then it will be used as --ipsec-conf
 dnl and the ipsec.conf will be used as --root-ipsec-conf.
+dnl
+dnl If 'extra' is provided, passes it as an additional argument list for
+dnl ovs-monitor-ipsec.
 m4_define([IPSEC_ADD_NODE],
   [ADD_NAMESPACES($1)
   dnl Disable DAD. We know we wont get duplicates on this underlay network.
@@ -79,6 +82,7 @@ m4_define([IPSEC_ADD_NODE],
         --ipsec-secrets=$ovs_base/$1/secrets \
         --log-file=$ovs_base/$1/ovs-monitor-ipsec.log \
         --ipsec-ctl=$ovs_base/$1/pluto.ctl \
+        m4_if([$6], [], [], [$6]) \
         --no-restart-ike-daemon --detach ], [0], [], [stderr])
   on_exit "kill `cat $ovs_base/$1/ovs-monitor-ipsec.pid`"
 
@@ -88,9 +92,9 @@ m4_define([IPSEC_ADD_NODE],
                -- set-controller br-ipsec punix:$ovs_base/br-ipsec.$1.mgmt])]
 )
 m4_define([IPSEC_ADD_NODE_LEFT],
-          [IPSEC_ADD_NODE(left, p0, $1, $2, [$3])])
+          [IPSEC_ADD_NODE(left, p0, $1, $2, [$3], [$4])])
 m4_define([IPSEC_ADD_NODE_RIGHT],
-          [IPSEC_ADD_NODE(right, p1, $1, $2, [$3])])
+          [IPSEC_ADD_NODE(right, p1, $1, $2, [$3], [$4])])
 
 dnl OVS_VSCTL([namespace], [sub-command])
 dnl
@@ -459,6 +463,69 @@ AT_CHECK([grep -c -E "(ike|ikev2|esp)=" $ovs_base/right/custom.conf], [0], [6
 OVS_TRAFFIC_VSWITCHD_STOP()
 AT_CLEANUP
 
+AT_SETUP([IPsec -- Libreswan (ipv4, geneve, default crypto)])
+AT_KEYWORDS([ipsec libreswan ipv4 geneve psk default crypto])
+dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
+dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
+
+CHECK_LIBRESWAN()
+OVS_TRAFFIC_VSWITCHD_START()
+IPSEC_SETUP_UNDERLAY()
+
+dnl Set up hosts.
+IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2, [], [--use-default-crypto])
+IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1, [], [--use-default-crypto])
+
+dnl Set up IPsec tunnel on 'left' host.
+IPSEC_ADD_TUNNEL_LEFT([geneve],
+                      [options:remote_ip=10.1.1.2 options:psk=swordfish])
+
+dnl Set up IPsec tunnel on 'right' host.
+IPSEC_ADD_TUNNEL_RIGHT([geneve],
+                       [options:remote_ip=10.1.1.1 options:psk=swordfish])
+CHECK_ESP_TRAFFIC
+
+dnl Check that ipsec.conf doesn't include ike or esp configuration.
+AT_CHECK([grep -q "conn %default" $ovs_base/left/ipsec.conf])
+AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/left/ipsec.conf], [1])
+AT_CHECK([grep -q "conn %default" $ovs_base/right/ipsec.conf])
+AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/right/ipsec.conf], [1])
+
+OVS_TRAFFIC_VSWITCHD_STOP()
+AT_CLEANUP
+
+AT_SETUP([IPsec -- Libreswan (ipv4, geneve, custom conf, default crypto)])
+AT_KEYWORDS([ipsec libreswan ipv4 geneve psk custom conf default crypto])
+dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645
+dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
+
+CHECK_LIBRESWAN()
+OVS_TRAFFIC_VSWITCHD_START()
+IPSEC_SETUP_UNDERLAY()
+
+dnl Set up hosts.
+IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2, [custom.conf], [--use-default-crypto])
+IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1, [custom.conf], [--use-default-crypto])
+
+dnl Set up IPsec tunnel on 'left' host.
+IPSEC_ADD_TUNNEL_LEFT([geneve],
+                      [options:remote_ip=10.1.1.2 options:psk=swordfish])
+
+dnl Set up IPsec tunnel on 'right' host.
+IPSEC_ADD_TUNNEL_RIGHT([geneve],
+                       [options:remote_ip=10.1.1.1 options:psk=swordfish])
+CHECK_ESP_TRAFFIC
+
+dnl Check that custom.conf doesn't include default section, and also doesn't
+dnl have ike or esp configuration.
+AT_CHECK([grep -q "conn %default" $ovs_base/left/custom.conf], [1])
+AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/left/custom.conf], [1])
+AT_CHECK([grep -q "conn %default" $ovs_base/right/custom.conf], [1])
+AT_CHECK([grep -q -E "(ike|ikev2|esp)=" $ovs_base/right/custom.conf], [1])
+
+OVS_TRAFFIC_VSWITCHD_STOP()
+AT_CLEANUP
+
 AT_SETUP([IPsec -- Libreswan NxN geneve tunnels + reconciliation])
 AT_KEYWORDS([ipsec libreswan scale reconciliation])
 dnl Note: Geneve test may not work on older kernels due to CVE-2020-25645