ovs-monitor-ipsec: Allow custom options per tunnel.

Tunnels in LibreSwan and OpenSwan allow for many options to be set on a per tunnel basis. Pass through any options starting with ipsec_ to the connection in the configuration file. Administrators are responsible for picking valid key/value pairs. Signed-off-by: Andreas Karis <ak.karis@gmail.com> Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-22 09:58:01 +00:00 · 2022-03-02 14:40:05 +01:00 · 2022-03-02 14:40:05 +01:00 · e8515c8cc0
commit e8515c8cc0
parent af864cedb0
4 changed files with 67 additions and 2 deletions
--- a/Documentation/tutorials/ipsec.rst
+++ b/Documentation/tutorials/ipsec.rst
@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
   You should be able to see that ESP packets are being sent from `host_1` to
   `host_2`.

+Custom options
+--------------
+
+Any parameter prefixed with `ipsec_` will be added to the connection profile.
+For example::
+
+    # ovs-vsctl set interface tun options:ipsec_encapsulation=yes
+
+Will result in::
+
+    #  ovs-appctl -t ovs-monitor-ipsec tunnels/show
+    Interface name: tun v7 (CONFIGURED)
+    Tunnel Type:    vxlan
+    Local IP:       192.0.0.1
+    Remote IP:      192.0.0.2
+    Address Family: IPv4
+    SKB mark:       None
+    Local cert:     None
+    Local name:     None
+    Local key:      None
+    Remote cert:    None
+    Remote name:    None
+    CA cert:        None
+    PSK:            swordfish
+    Custom Options: {'encapsulation': 'yes'}
+
+And in the following connection profiles::
+
+    conn tun-in-7
+        left=192.0.0.1
+        right=192.0.0.2
+        authby=secret
+        encapsulation=yes
+        leftprotoport=udp/4789
+        rightprotoport=udp
+
+    conn tun-out-7
+        left=192.0.0.1
+        right=192.0.0.2
+        authby=secret
+        encapsulation=yes
+        leftprotoport=udp
+        rightprotoport=udp/4789
+
 Troubleshooting
 ---------------

@ -329,6 +373,7 @@ For example::
   Remote name:    None
   CA cert:        None
   PSK:            swordfish
+   Custom Options: {}
   Ofport:         1          <--- Whether ovs-vswitchd has assigned Ofport
                                   number to this Tunnel Port
   CFM state:      Up         <--- Whether CFM declared this tunnel healthy
--- a/3
+++ b/3
@ -23,6 +23,9 @@ Post-v2.17.0
         OpenFlow versions 1.0-1.2 with Nicira Extensions
         OpenFlow versions 1.3 with Open Network Foundation extension
         OpenFlow versions 1.4+, as defined in the OpenFlow specification
+   - IPsec:
+     * Added support for custom per-tunnel options via 'options:ipsec_*' knobs.
+       See Documentation/tutorials/ipsec.rst for details.
   - Windows:
     * Conntrack support for TCPv6, UDPv6, ICMPv6, FTPv6.
     * IPv6 Geneve tunnel support.
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan
                tmpl = self.auth_tmpl["pki_ca"]
                auth_section = tmpl.substitute(tunnel.conf)

+        if "custom_options" in tunnel.conf:
+            for key, value in tunnel.conf["custom_options"].items():
+                auth_section += "\n    " + key + "=" + value
+
        vals = tunnel.conf.copy()
        vals["auth_section"] = auth_section
        vals["version"] = tunnel.version
@ -550,6 +554,10 @@ conn prevent_unencrypted_vxlan
        if tunnel.conf["address_family"] == "IPv6":
            auth_section = self.IPV6_CONN + auth_section

+        if "custom_options" in tunnel.conf:
+            for key, value in tunnel.conf["custom_options"].items():
+                auth_section += "\n    " + key + "=" + value
+
        vals = tunnel.conf.copy()
        vals["auth_section"] = auth_section
        vals["version"] = tunnel.version
@ -831,6 +839,7 @@ class IPsecTunnel(object):
  Remote name:    $remote_name
  CA cert:        $ca_cert
  PSK:            $psk
+  Custom Options: $custom_options
 """)

    unixctl_status_tmpl = Template("""\
@ -874,7 +883,13 @@ class IPsecTunnel(object):
            "remote_cert": remote_cert,
            "remote_name": remote_name,
            "local_name": monitor.conf["pki"]["local_name"],
-            "psk": options.get("psk")}
+            "psk": options.get("psk"),
+            "custom_options": {}}
+
+        # add custom ipsec options to the connection
+        for key, value in options.items():
+            if key.startswith("ipsec_"):
+                new_conf["custom_options"][key[len("ipsec_"):]] = value

        if self.conf != new_conf:
            # Configuration was updated in OVSDB.  Validate it and figure
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@ -1046,7 +1046,9 @@
      <p>
        These settings control the global configuration of IPsec tunnels.  The
        <code>options</code> column of the <code>Interface</code> table
-        configures IPsec for individual tunnels.
+        configures IPsec for individual tunnels. The <code>options</code>
+        column also allows for custom options prefixed with <code>ipsec_</code>
+        to be passed to the individual connections.
      </p>
      <p>
        OVS IPsec supports the following three forms of authentication.