In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch also uses that option to populate the 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
will default to the previous behaviour of using '%defaultroute'.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
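As an added illustration of the behaviour the commit message describes (not code from the OVS tree or from this patch): a libreswan connection block is rendered with `left` taken from the tunnel port's `local_ip` option and falling back to `%defaultroute` when the option is absent. The `ipaddress` validation step, the template text and the helper names (`resolve_local_ip`, `render_psk_conn`) are assumptions of this example, not part of `ovs-monitor-ipsec`.

```python
# Added example, not OVS code. Renders a libreswan 'conn' block from the
# 'options' column of an OVS tunnel port, mirroring the fallback described in
# the commit message: 'local_ip' if present, otherwise '%defaultroute'.
import ipaddress
from string import Template

DEFAULT_LEFT = "%defaultroute"

# Minimal PSK-style template; only the left/right/authby lines are shown.
PSK_TMPL = Template("""\
conn $ifname
    left=$local_ip
    right=$remote_ip
    authby=secret
""")


def resolve_local_ip(options):
    """Return the value to use for libreswan's 'left'.

    'options' mirrors the OVS interface 'options' column (dict of strings).
    A missing key means '%defaultroute'. A present value must parse as an IP
    address, so an arbitrary string never reaches ipsec.conf (this validation
    is an assumption of the example, not something the patch itself does).
    """
    value = options.get("local_ip")
    if value is None:
        return DEFAULT_LEFT
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"invalid local_ip {value!r}: {exc}") from exc


def render_psk_conn(ifname, options):
    """Render one connection block for a tunnel port named 'ifname'."""
    remote_ip = options.get("remote_ip")
    if remote_ip is None:
        raise ValueError("tunnel port has no remote_ip option")
    return PSK_TMPL.substitute(
        ifname=ifname,
        local_ip=resolve_local_ip(options),
        remote_ip=str(ipaddress.ip_address(remote_ip)),
    )


if __name__ == "__main__":
    # Constructed sample options, as they might appear on an OVS tunnel port.
    print(render_psk_conn("gre0", {"remote_ip": "2.2.2.2",
                                   "local_ip": "1.1.1.1"}))
    print(render_psk_conn("gre1", {"remote_ip": "2.2.2.2"}))
```

With `local_ip` set, the rendered block carries `left=1.1.1.1`; without it, `left=%defaultroute`, which is the behaviour the patch preserves for existing deployments.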
Otherwise, error message will be provided
Tunnel Type: gre
+ Local IP: %defaultroute
Remote IP: 2.2.2.2
SKB mark: None
Local cert: None
"""
auth_tmpl = {"psk": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
authby=secret"""),
"pki_remote": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
rightcert="$remote_name"
leftrsasigkey=%cert"""),
"pki_ca": Template("""\
- left=%defaultroute
+ left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
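Review bot: all three templates replace `left=%defaultroute` with `left=$local_ip`, so any dict passed to `Template.substitute` on `auth_tmpl` must now carry a `local_ip` key or substitution raises `KeyError`; the only place visible in this patch that adds the key is `new_conf`, so confirm no other call site builds its own dict for these templates.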
unixctl_config_tmpl = Template("""\
Tunnel Type: $tunnel_type
+ Local IP: $local_ip
Remote IP: $remote_ip
SKB mark: $skb_mark
Local cert: $certificate
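Review bot: `Local IP: $local_ip` echoes whatever string was stored in `new_conf`, so in the fallback case the unixctl output reads `%defaultroute` rather than the address libreswan actually selected; if operators use this output for troubleshooting multihomed hosts, consider resolving the default-route address here or labelling the value as a libreswan keyword.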
new_conf = {
"ifname": self.name,
"tunnel_type": row.type,
+ "local_ip": options.get("local_ip", "%defaultroute"),
"remote_ip": options.get("remote_ip"),
"skb_mark": monitor.conf["skb_mark"],
"certificate": monitor.conf["pki"]["certificate"],