ipsec: Add support for using non-root ipsec.conf.
Typical configuration file hierarchy for Libreswan in distributions looks like this:

  /etc
    /ipsec.conf
    /ipsec.d
      /*.conf
    /crypto-policies/back-ends/libreswan.config

The root ipsec.conf contains the 'setup' section with the base configuration of the IKE daemon, includes system-wide crypto-policies and all the sub-config files in the ipsec.d folder describing connections.

ovs-monitor-ipsec today is not able to leverage this structure, because it requires complete ownership of the ipsec.conf. If someone attempts to pass a sub-config file to the daemon in order to make it not overwrite the root ipsec.conf, this may cause a lot of trouble:

  1. New tunnel is created in OVS.
  2. ovs-monitor-ipsec writes it into a sub-config file.
  3. ovs-monitor-ipsec calls ipsec --start conn --config sub-config
  4. Libreswan starts the connection using configuration from only the sub-config, not taking into account any other file.
  5. Re-start Libreswan.
  6. Libreswan now reads all the files and configures connections using information from all the configuration files, including system-wide crypto policies and other potential 'conn %default' sections from all the files.
  7. Now the connection is configured differently and potentially in a way incompatible with the other side.

Worst of all, the behavior is unpredictable, taking into account that the re-start can happen due to a crash or other random event.

Another point is that 'setup' and 'conn %default' sections defined in our sub-config file will also bleed configuration into connections defined in other files. And it's hard to say in which order the configuration will be applied, because it's not clear in which order the files are included and parsed.

So, this kind of file structure cannot be safely used.

Let's add minimal support for running with a sub-config. A new option '--root-ipsec-conf' is introduced to specify the location of the root ipsec.conf file, so ovs-monitor-ipsec can provide it while calling ipsec commands instead. This will make Libreswan (pluto) parse the whole tree of includes and apply the same configuration every time, regardless of restarts and other issues.

When this new option is set, ovs-monitor-ipsec will also not define the 'setup' section, to avoid overriding global configuration, and will not define the 'conn %default' section for the same reason. Instead, important connection options will be defined for every connection, so they are still applied without polluting defaults.

The 'setup' section is just omitted in this case. We only define 'uniqueids', but it's true by default and we may assume users know what they are doing if they are changing this config in the main ipsec.conf. The Libreswan documentation also discourages turning this option off and mentions that it may be removed in the future.

Only implementing this for Libreswan, because we do not even support a non-default location of ipsec.conf with StrongSwan today.

Acked-by: Mike Pattrick <[email protected]>
Signed-off-by: Ilya Maximets <[email protected]>
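The following is an added example, not code from the commit or from ovs-monitor-ipsec itself. It models the two generation modes the message describes: the legacy mode, where the generated file is the whole ipsec.conf and therefore owns 'config setup' and 'conn %default', and the new mode, where the file is a sub-config under a root ipsec.conf and the shared options are inlined into every conn instead. A small lint then flags a sub-config that would bleed defaults into other included files, and a helper picks which path to hand to the ipsec command. The option set in `SHARED_CONN_OPTIONS`, the `Tunnel` class, the sample addresses and the `--root-ipsec-conf`-style path are illustrative assumptions, not the project's actual values.

```python
"""Model of generating a Libreswan sub-config vs. a full ipsec.conf.

Added example; the option subset and tunnel data below are assumptions
chosen for illustration, not the list ovs-monitor-ipsec really emits.
"""
from dataclasses import dataclass, field
import re

# Options the legacy mode would place in 'conn %default'.  Hypothetical subset.
SHARED_CONN_OPTIONS = {
    "keyingtries": "%forever",
    "type": "transport",
    "auto": "start",
}


@dataclass
class Tunnel:
    name: str
    local_ip: str
    remote_ip: str
    options: dict = field(default_factory=dict)


def render(tunnels, root_conf=None):
    """Render config text.  root_conf=None means 'we own /etc/ipsec.conf'."""
    lines = []
    if root_conf is None:
        # Legacy mode: this file is ipsec.conf, so it defines the global sections.
        lines += ["config setup", "    uniqueids=yes", ""]
        lines += ["conn %default"]
        lines += [f"    {k}={v}" for k, v in SHARED_CONN_OPTIONS.items()] + [""]
        inline = {}
    else:
        # Sub-config mode: no 'config setup' and no 'conn %default', because
        # both would apply to connections defined in other files included by
        # root_conf.  Repeat the shared options inside every conn instead.
        inline = dict(SHARED_CONN_OPTIONS)
    for t in tunnels:
        lines.append(f"conn {t.name}")
        opts = {**inline, "left": t.local_ip, "right": t.remote_ip, **t.options}
        lines += [f"    {k}={v}" for k, v in opts.items()]
        lines.append("")
    return "\n".join(lines)


SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_sections(text):
    """Minimal reader for the 'section name' / indented 'key=value' layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint_subconfig(text, required=SHARED_CONN_OPTIONS):
    """Problems that make `text` unsafe as an ipsec.d/*.conf under a root ipsec.conf."""
    problems = []
    sections = parse_sections(text)
    for name in ("config setup", "conn %default"):
        if name in sections:
            problems.append(f"{name!r} section bleeds into other included files")
    for name, opts in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            for key in required:
                if key not in opts:
                    problems.append(f"{name}: missing explicit {key}=")
    return problems


def conf_for_ipsec(sub_conf, root_conf=None):
    """Path to pass to the ipsec command: the root file when one is configured,
    so pluto parses the whole include tree instead of the sub-config alone."""
    return root_conf if root_conf is not None else sub_conf


if __name__ == "__main__":
    # Constructed sample tunnel; addresses are placeholders.
    tun = Tunnel("ovs-tun1", "10.0.0.1", "10.0.0.2",
                 {"ike": "aes_gcm256-sha2_512", "phase2alg": "aes_gcm256"})
    print(render([tun], root_conf="/etc/ipsec.conf"))
    print("legacy-as-subconfig problems:", lint_subconfig(render([tun])))
```

Running the lint against the legacy rendering shows exactly the two failure modes the message describes: the global sections that would leak into other files, and per-conn options that only exist via '%default' and so change meaning depending on which files Libreswan happens to parse.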
Showing 3 changed files with 105 additions and 24 deletions.