IPsec tunnels are only supported on Debian systems running
ovs-monitor-ipsec. Since that daemon configures IPsec, ovs-vswitchd
doesn't know whether IPsec will actually work. With this commit, a
warning is printed that it is unlikely to work unless that daemon is
started.

There is a more serious issue that IPsec traffic can pass unencrypted if
that daemon is not running. To fix that problem, changes to the kernel
module will need to occur. A future commit will address that issue, but
this earlier warning will be useful regardless.

Bug #4854

#include <sys/ioctl.h>
#include "byte-order.h"
+#include "daemon.h"
+#include "dirs.h"
#include "dpif-linux.h"
#include "hash.h"
#include "hmap.h"
}
if (is_ipsec) {
+ char *file_name = xasprintf("%s/%s", ovs_rundir(),
+ "ovs-monitor-ipsec.pid");
+ if (read_pidfile(file_name) < 0) {
+ VLOG_WARN("%s: ovs-monitor-ipsec doesn't appear to be running, "
+ "traffic may not pass", name);
+ }
+ free(file_name);
+
if (shash_find(args, "peer_cert") && shash_find(args, "psk")) {
VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name);
return EINVAL;
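Review bot: the VLOG_WARN text in the is_ipsec block says "traffic may not pass", but the commit message says the more serious outcome of ovs-monitor-ipsec not running is that IPsec traffic can pass unencrypted. Suggest the log line name that risk as well, for example "traffic may not pass or may be sent unencrypted", so an operator does not read it as a connectivity-only problem. The check is also best-effort: it only looks for ovs-monitor-ipsec.pid under ovs_rundir(), so a daemon started with a different pidfile location would produce a false warning, and it runs only where the tunnel arguments are validated, so a daemon that exits afterwards goes unnoticed. A short comment above the read_pidfile() call stating those limits, and that configuration deliberately continues after the warning (unlike the peer_cert/psk case below, which returns EINVAL), would help the next reader.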