[ovs-dev,v5,3/6] debian and rhel: Create IPsec package.

Message ID 20180807164245.18639-4-qiuyu.xiao.qyx@gmail.com
State Superseded
Series IPsec support for tunneling

Commit Message

Qiuyu Xiao Aug. 7, 2018, 4:42 p.m. UTC
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Ansis Atteka <aatteka@ovn.org>
---
 debian/automake.mk                            |   3 +
 debian/control                                |  21 ++
 debian/openvswitch-ipsec.dirs                 |   1 +
 debian/openvswitch-ipsec.init                 | 181 ++++++++++++++++++
 debian/openvswitch-ipsec.install              |   1 +
 rhel/automake.mk                              |   1 +
 rhel/openvswitch-fedora.spec.in               |  19 +-
 ...b_systemd_system_openvswitch-ipsec.service |  12 ++
 utilities/ovs-ctl.in                          |  18 ++
 9 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

Comments

Ansis Aug. 9, 2018, 7:40 p.m. UTC | #1
On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
>
> Added rules and files to create debian and rpm ovs-ipsec packages.
>
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
> Signed-off-by: Ansis Atteka <aatteka@ovn.org>
> Co-authored-by: Ansis Atteka <aatteka@ovn.org>

Did you test this patch on Fedora with SElinux enabled?
ovs-monitor-ipsec daemon fails to start. You need to create SElinux
policy too:

[root@fedoraubuilder vagrant]# systemctl restart openvswitch-ipsec
[root@fedoraubuilder vagrant]# ps -Af | grep ipsec
root      1799   880  0 19:37 pts/0    00:00:00 grep --color=auto ipsec
[root@fedoraubuilder vagrant]# journalctl -xe| tail -n20
-- Unit openvswitch-ipsec.service has begun starting up.
Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc:  denied  {
execute } for  pid=1769 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc:  denied  {
execute } for  pid=1776 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1781]: AVC avc:  denied  {
execute } for  pid=1781 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc:  denied  {
execute } for  pid=1788 comm="python" name="ipsec" dev="vda1"
ino=149908 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file
permissive=0
Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs|  0  |
ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1760]: 2018-08-09T19:37:16Z
|  0  | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]:
2018-08-09T19:37:16Z|00001|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-appctl[1797]:
ovs|00001|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]: ovs-appctl: cannot
read pidfile "/var/run/openvswitch/ovs-monitor-ipsec.pid" (No such
file or directory)
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_STOP pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev systemd[1]: Started OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Ben Pfaff Aug. 9, 2018, 10:06 p.m. UTC | #2
On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
> >
> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >
> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
> > Signed-off-by: Ansis Atteka <aatteka@ovn.org>
> > Co-authored-by: Ansis Atteka <aatteka@ovn.org>
> 
> Did you test this patch on Fedora with SElinux enabled?
> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> policy too:

Is that something you can help with?  I doubt that Qiuyu has much
experience with SELinux (and I don't either).
Aaron Conole Aug. 9, 2018, 10:31 p.m. UTC | #3
Ben Pfaff <blp@ovn.org> writes:

> On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
>> >
>> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >
>> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
>> > Signed-off-by: Ansis Atteka <aatteka@ovn.org>
>> > Co-authored-by: Ansis Atteka <aatteka@ovn.org>
>> 
>> Did you test this patch on Fedora with SElinux enabled?
>> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
>> policy too:
>
> Is that something you can help with?  I doubt that Qiuyu has much
> experience with SELinux (and I don't either).

I'll throw something together tomorrow, if Ansis isn't able to do so.

-Aaron
Ben Pfaff Aug. 9, 2018, 10:38 p.m. UTC | #4
On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> Ben Pfaff <blp@ovn.org> writes:
> 
> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
> >> >
> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >
> >> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
> >> > Signed-off-by: Ansis Atteka <aatteka@ovn.org>
> >> > Co-authored-by: Ansis Atteka <aatteka@ovn.org>
> >> 
> >> Did you test this patch on Fedora with SElinux enabled?
> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> >> policy too:
> >
> > Is that something you can help with?  I doubt that Qiuyu has much
> > experience with SELinux (and I don't either).
> 
> I'll throw something together tomorrow, if Ansis isn't able to do so.

Thanks!
Aaron Conole Aug. 10, 2018, 7:03 p.m. UTC | #5
Ben Pfaff <blp@ovn.org> writes:

> On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
>> Ben Pfaff <blp@ovn.org> writes:
>> 
>> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
>> >> >
>> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >> >
>> >> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
>> >> > Signed-off-by: Ansis Atteka <aatteka@ovn.org>
>> >> > Co-authored-by: Ansis Atteka <aatteka@ovn.org>
>> >> 
>> >> Did you test this patch on Fedora with SElinux enabled?
>> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
>> >> policy too:
>> >

Looking at the documentation and playing around, here are my thoughts:

1. We probably can squelch the .local and ldconfig AVCs that pop out.
These seem to be related more to the python environment of the ipsec
monitor.

  dontaudit openvswitch_t gconf_home_t:dir { search };
  dontaudit openvswitch_t ldconfig_exec_t:file { execute };

I don't think there's any harm in them, so the above would simply keep
the alert log quiet.

2. The actual ipsec side seems a bit more complicated.

Since the openvswitch-ipsec daemon writes configurations to /etc, it
would be best to build a transition domain that has the ability just to
modify those files and start the ipsec daemon.  I'm not sure it makes
sense to allow openvswitch_t domain to write to all of /etc.  We can
certainly grant that for now and make the transition domain something to
do in the future.  I'll write that policy up and send it out (but it's a
bit bigger - even the non-domain transition one - just because of the
extra headache to allow /etc access).

On the other hand, it might be possible to use an existing ipsec service
and use the ipsec dbus interface.  Can you take a look to see if we
could integrate that by default and fall back to the manual monitoring
mode.  That would be my preferred solution (but I don't know if it has
all of the support needed).  The selinux policy for that is much simpler
as well (just a few macros).
Qiuyu Xiao Aug. 10, 2018, 8:51 p.m. UTC | #6
Hi Aaron,

Thanks for the feedback!

On Fri, Aug 10, 2018 at 12:03 PM, Aaron Conole <aconole@redhat.com> wrote:
>
> Ben Pfaff <blp@ovn.org> writes:
>
> > On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> >> Ben Pfaff <blp@ovn.org> writes:
> >>
> >> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote:
> >> >> >
> >> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >> >
> >> >> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
> >> >> > Signed-off-by: Ansis Atteka <aatteka@ovn.org>
> >> >> > Co-authored-by: Ansis Atteka <aatteka@ovn.org>
> >> >>
> >> >> Did you test this patch on Fedora with SElinux enabled?
> >> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> >> >> policy too:
> >> >
>
> Looking at the documentation and playing around here are my thoughts:
>
> 1. We probably can squelch the .local and ldconfig AVCs that pop out.
> These seem to be related more to the python environment of the ipsec
> monitor.
>
>   dontaudit openvswitch_t gconf_home_t:dir { search };
>   dontaudit openvswitch_t ldconfig_exec_t:file { execute };
>
> I don't think there's any harm in them, so the above would simply keep
> the alert log quiet.
>
> 2. The actual ipsec side seems a bit more complicated.
>
> Since the openvswitch-ipsec daemon writes configurations to /etc, it
> would be best to build a transition domain that has the ability just to
> modify those files and start the ipsec daemon.  I'm not sure it makes
> sense to allow openvswitch_t domain to write to all of /etc.  We can
> certainly grant that for now and make the transition domain something to
> do in the future.  I'll write that policy up and send it out (but it's a
> bit bigger - even the non-domain transition one - just because of the
> extra headache to allow /etc access).

The openvswitch-ipsec directly changes `/etc/ipsec.conf` and
`/etc/ipsec.secrets`, and uses `certutil` command to access NSS db
files in `/etc/ipsec.d/` directory. Can we only grant SELinux
permissions to those files?

>
> On the other hand, it might be possible to use an existing ipsec service
> and use the ipsec dbus interface.  Can you take a look to see if we
> could integrate that by default and fall back to the manual monitoring
> mode.  That would be my preferred solution (but I don't know if it has
> all of the support needed).  The selinux policy for that is much simpler
> as well (just a few macros).

LibreSwan wiki says that the dbus API is still under development.
Currently, the openvswitch-ipsec daemon uses the `ipsec` command to communicate
with LibreSwan IPsec service.

-Qiuyu
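One way to scope the policy the way Qiuyu asks, as an added example that is not part of this thread or of the OVS tree: a raw SELinux module that grants openvswitch_t access only to the labels the Fedora/refpolicy ipsec module puts on /etc/ipsec.conf (ipsec_conf_file_t) and on /etc/ipsec.secrets plus /etc/ipsec.d (ipsec_key_file_t), runs `ipsec` in its own ipsec_mgmt_t domain instead of inside openvswitch_t, and adds the two dontaudit rules Aaron proposed. The type names should be verified with `ls -Z` on the target box, and the permission sets are an assumption to be refined from audit logs in permissive mode.

```selinux
# openvswitch_ipsec_local.te -- constructed example, not from the OVS tree.
# Build and load with:
#   checkmodule -M -m -o ovs_ipsec_local.mod openvswitch_ipsec_local.te
#   semodule_package -o ovs_ipsec_local.pp -m ovs_ipsec_local.mod
#   semodule -i ovs_ipsec_local.pp
module openvswitch_ipsec_local 1.0;

require {
    # openvswitch_t, ldconfig_exec_t and ipsec_mgmt_exec_t appear in the AVC
    # denials in Ansis's journal; the remaining types are the distribution
    # policy's labels for /etc/ipsec.conf, /etc/ipsec.secrets, /etc/ipsec.d
    # and the `ipsec` management domain (assumed; confirm with ls -Z).
    type openvswitch_t;
    type ldconfig_exec_t, gconf_home_t;
    type ipsec_mgmt_exec_t, ipsec_mgmt_t;
    type ipsec_conf_file_t, ipsec_key_file_t;
    class file { read write open getattr create unlink rename execute entrypoint };
    class dir { search read getattr write add_name remove_name };
    class process { transition sigchld };
    class fd use;
    class fifo_file { read write };
}

# 1. Python-environment noise (Aaron's dontaudit suggestion): stop logging
#    these two denials without granting the access.
dontaudit openvswitch_t ldconfig_exec_t:file execute;
dontaudit openvswitch_t gconf_home_t:dir search;

# 2. Only the files ovs-monitor-ipsec edits, not all of /etc.
allow openvswitch_t ipsec_conf_file_t:file { read write open getattr create unlink rename };
allow openvswitch_t ipsec_key_file_t:file  { read write open getattr create unlink rename };
# certutil must list and create the NSS db files inside /etc/ipsec.d
allow openvswitch_t ipsec_key_file_t:dir { search read getattr write add_name remove_name };

# 3. Run `ipsec` in its own domain rather than letting openvswitch_t execute
#    ipsec_mgmt_exec_t in place (the "name=\"ipsec\" ... tclass=file" denial).
allow openvswitch_t ipsec_mgmt_exec_t:file { read getattr open execute };
allow openvswitch_t ipsec_mgmt_t:process transition;
allow ipsec_mgmt_t ipsec_mgmt_exec_t:file entrypoint;
type_transition openvswitch_t ipsec_mgmt_exec_t:process ipsec_mgmt_t;
# let the child use the pipes ovs-monitor-ipsec opened and signal exit back
allow ipsec_mgmt_t openvswitch_t:fd use;
allow ipsec_mgmt_t openvswitch_t:fifo_file { read write };
allow ipsec_mgmt_t openvswitch_t:process sigchld;
```

Loading this in permissive mode first (`semanage permissive -a openvswitch_t`) and running `ausearch -m avc -ts recent | audit2allow` shows which, if any, of the assumed permissions are still missing before enforcing.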

Patch

diff --git a/debian/automake.mk b/debian/automake.mk
index 4d8e204bb..8a8d43c9f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -20,6 +20,9 @@  EXTRA_DIST += \
 	debian/openvswitch-datapath-source.copyright \
 	debian/openvswitch-datapath-source.dirs \
 	debian/openvswitch-datapath-source.install \
+	debian/openvswitch-ipsec.dirs \
+	debian/openvswitch-ipsec.init \
+	debian/openvswitch-ipsec.install \
 	debian/openvswitch-pki.dirs \
 	debian/openvswitch-pki.postinst \
 	debian/openvswitch-pki.postrm \
diff --git a/debian/control b/debian/control
index 9ae248f27..cde93f20e 100644
--- a/debian/control
+++ b/debian/control
@@ -322,3 +322,24 @@  Description: Open vSwitch development package
  1000V.
  .
  This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+         openvswitch-common (= ${binary:Version}),
+         openvswitch-switch (= ${binary:Version}),
+         python,
+         python-openvswitch (= ${source:Version}),
+         strongswan,
+         ${misc:Depends},
+         ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
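Review bot: `Depends:` pulls in strongswan here while the Fedora spec in this same patch requires libreswan, and the thread says ovs-monitor-ipsec drives LibreSwan through the `ipsec` command and `certutil`; confirm the daemon actually works with both IKE implementations, or align the Debian dependency with what the script talks to. Note also that `python` and `python-openvswitch (= ${source:Version})` pin the package to Python 2; if that is intended, say so in the commit message.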
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 000000000..fca44aa7b
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@ 
+usr/share/openvswitch/scripts
\ No newline at end of file
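Review bot: debian/openvswitch-ipsec.dirs is missing its trailing newline (`\ No newline at end of file`); add one so the file matches the other .dirs files and future diffs stay clean.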
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
new file mode 100644
index 000000000..8488beccf
--- /dev/null
+++ b/debian/openvswitch-ipsec.init
@@ -0,0 +1,181 @@ 
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL;  if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides:          openvswitch-ipsec
+# Required-Start:    $network $local_fs $remote_fs openvswitch-switch
+# Required-Stop:     $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description:       The ovs-monitor-ipsec script provides support for
+#                    encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec          # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch     # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10              # Time to wait for the server to die, in seconds
+                        # If this value is set too low you might not
+                        # let some servers to die gracefully and
+                        # 'restart' will not work
+
+set -e
+
+running_pid() {
+# Check if a given process pid's cmdline matches a given name
+    pid=$1
+    name=$2
+    [ -z "$pid" ] && return 1
+    [ ! -d /proc/$pid ] &&  return 1
+    cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
+    # Is this the expected server
+    [ "$cmd" != "$name" ] &&  return 1
+    return 0
+}
+
+running() {
+# Check if the process is running looking at /proc
+# (works for all users)
+
+    # No pidfile, probably no daemon present
+    [ ! -f "$PIDFILE" ] && return 1
+    pid=`cat $PIDFILE`
+    running_pid $pid $DAEMON || return 1
+    return 0
+}
+
+start_server() {
+    ${DATADIR}/scripts/ovs-ctl start-ovs-ipsec
+    return 0
+}
+
+stop_server() {
+    ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
+    return 0
+}
+
+force_stop() {
+# Force the process to die killing it manually
+    [ ! -e "$PIDFILE" ] && return
+    if running ; then
+        kill -15 $pid
+        # Is it really dead?
+        sleep "$DODTIME"
+        if running ; then
+            kill -9 $pid
+            sleep "$DODTIME"
+            if running ; then
+                echo "Cannot kill $NAME (pid=$pid)!"
+                exit 1
+            fi
+        fi
+    fi
+    rm -f $PIDFILE
+}
+
+
+case "$1" in
+  start)
+        log_daemon_msg "Starting $NAME"
+        # Check if it's running first
+        if running ;  then
+            log_progress_msg "apparently already running"
+            log_end_msg 0
+            exit 0
+        fi
+        if start_server && running ;  then
+            # It's ok, the server started and is running
+            log_end_msg 0
+        else
+            # Either we could not start it or it is not running
+            # after we did
+            # NOTE: Some servers might die some time after they start,
+            # this code does not try to detect this and might give
+            # a false positive (use 'status' for that)
+            log_end_msg 1
+        fi
+        ;;
+  stop)
+        log_daemon_msg "Stopping $NAME"
+        if running ; then
+            # Only stop the server if we see it running
+            stop_server
+            log_end_msg $?
+        else
+            # If it's not running don't do anything
+            log_progress_msg "apparently not running"
+            log_end_msg 0
+            exit 0
+        fi
+        ;;
+  force-stop)
+        # First try to stop gracefully the program
+        $0 stop
+        if running; then
+            # If it's still running try to kill it more forcefully
+            log_daemon_msg "Stopping (force) $NAME"
+            force_stop
+            log_end_msg $?
+        fi
+        ;;
+  restart|force-reload)
+        log_daemon_msg "Restarting $NAME"
+        stop_server
+        # Wait some sensible amount, some server need this
+        [ -n "$DODTIME" ] && sleep $DODTIME
+        start_server
+        running
+        log_end_msg $?
+        ;;
+  status)
+        log_daemon_msg "Checking status of $NAME"
+        if running ;  then
+            log_progress_msg "running"
+            log_end_msg 0
+        else
+            log_progress_msg "apparently not running"
+            log_end_msg 1
+            exit 1
+        fi
+        ;;
+  # Use this if the daemon cannot reload
+  reload)
+        log_warning_msg "Reloading $NAME daemon: not implemented, as the"
+        log_warning_msg "deamon cannot re-read the config file (use restart)."
+        ;;
+  *)
+        N=/etc/init.d/openvswitch-ipsec
+        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
+             >&2
+        exit 1
+        ;;
+esac
+
+exit 0
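Review bot: In the `restart|force-reload` branch, `running` is invoked as a bare command under `set -e` (the line `running` followed by `log_end_msg $?`), so when the daemon is not up yet after the `$DODTIME` sleep the script exits with status 1 before `log_end_msg` ever runs; write it as `if running; then log_end_msg 0; else log_end_msg 1; fi`. In the `stop)` branch `stop_server` always returns 0 (it calls `ovs-ctl stop-ovs-ipsec` and then `return 0`), so `log_end_msg $?` can never report a failed stop. The LSB header (`Short-Description: Open vSwitch GRE-over-IPsec daemon`, `encrypting GRE tunnels with IPsec`) and the 2007/2009 copyright block are carried over from the old script and no longer match the package description in debian/control; update them, fix `deamon` in the reload message, and add `reload` to the usage line since it is a handled command.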
diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
new file mode 100644
index 000000000..8fe665cb3
--- /dev/null
+++ b/debian/openvswitch-ipsec.install
@@ -0,0 +1 @@ 
+ipsec/ovs-monitor-ipsec usr/share/openvswitch/scripts
diff --git a/rhel/automake.mk b/rhel/automake.mk
index 7b6c78fd7..bc65d83e5 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -35,6 +35,7 @@  EXTRA_DIST += \
 	rhel/usr_lib_systemd_system_ovn-controller.service \
 	rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
 	rhel/usr_lib_systemd_system_ovn-northd.service \
+	rhel/usr_lib_systemd_system_openvswitch-ipsec.service \
 	rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
 	rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
 
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 9f8664e95..ca2b5bc85 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -210,6 +210,14 @@  Requires: openvswitch openvswitch-ovn-common %{_py2}-openvswitch
 %description ovn-docker
 Docker network plugins for OVN.
 
+%package openvswitch-ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: ASL 2.0
+Requires: openvswitch %{_py2}-openvswitch libreswan
+
+%description openvswitch-ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
 %prep
 %setup -q
 
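Review bot: `%package openvswitch-ipsec` inside the openvswitch spec yields a subpackage named openvswitch-openvswitch-ipsec, because rpmbuild prefixes the main package name unless `-n` is given (the sibling `ovn-docker` section above becomes openvswitch-ovn-docker). Use `%package ipsec` / `%description ipsec` / `%files ipsec`, or `%package -n openvswitch-ipsec`, so the RPM is called openvswitch-ipsec like the Debian package. Also, per the thread ovs-monitor-ipsec runs `certutil` to manage the NSS db under /etc/ipsec.d, so `Requires:` should include the package providing it (nss-tools on Fedora) alongside libreswan.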
@@ -261,7 +269,8 @@  install -p -D -m 0644 \
         rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
         $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch
 for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \
-                ovn-controller ovn-controller-vtep ovn-northd; do
+                ovn-controller ovn-controller-vtep ovn-northd \
+                openvswitch-ipsec; do
         install -p -D -m 0644 \
                         rhel/usr_lib_systemd_system_${service}.service \
                         $RPM_BUILD_ROOT%{_unitdir}/${service}.service
@@ -319,6 +328,10 @@  install -p -D -m 0755 \
         rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
         $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
 
+install -m 0755 \
+        ipsec/ovs-monitor-ipsec \
+        $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+
 # remove unpackaged files
 rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
         $RPM_BUILD_ROOT%{_sbindir}/ovs-vlan-bug-workaround \
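Review bot: The new `install -m 0755 ipsec/ovs-monitor-ipsec ...` drops the `-p -D` flags that every neighbouring install line uses; keep `-p` to preserve timestamps and `-D` so this line does not depend on an earlier command having created the scripts directory.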
@@ -647,6 +660,10 @@  fi
 %{_mandir}/man8/ovn-controller-vtep.8*
 %{_unitdir}/ovn-controller-vtep.service
 
+%files openvswitch-ipsec
+%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec
+%{_unitdir}/openvswitch-ipsec.service
+
 %changelog
 * Wed Jan 12 2011 Ralf Spenneberg <ralf@os-s.net>
 - First build on F14
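Review bot: `%files openvswitch-ipsec` packages the unit file, but nothing in this patch adds `%post`/`%preun`/`%postun` scriptlets (`%systemd_post openvswitch-ipsec.service` and friends) for it, so enable, disable and restart on install, erase and upgrade are not handled; mirror whatever the spec already does for the other units in the service loop above.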
diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
new file mode 100644
index 000000000..813844e51
--- /dev/null
+++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
@@ -0,0 +1,12 @@ 
+[Unit]
+Description=OVS IPsec daemon
+Requires=openvswitch.service
+After=openvswitch.service
+
+[Service]
+Type=forking
+ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start-ovs-ipsec
+ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+
+[Install]
+WantedBy=multi-user.target
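Review bot: `Type=forking` with no `PIDFile=` leaves systemd guessing the main PID, and `ExecStart` runs `ovs-ctl start-ovs-ipsec`, which returns 0 unconditionally; that combination is why Ansis's journal shows SERVICE_START, SERVICE_STOP and then `Started OVS IPsec daemon.` even though ovs-monitor-ipsec had already died on the SELinux denial. Add `PIDFile=/var/run/openvswitch/ovs-monitor-ipsec.pid` (the path ovs-ctl passes with `--pidfile`) so systemd tracks the daemon and reports the failure instead of success.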
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 43c8f32b7..d9b6ed943 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -222,6 +222,13 @@  start_forwarding () {
     return 0
 }
 
+start_ovs_ipsec () {
+    ${datadir}/scripts/ovs-monitor-ipsec \
+        --pidfile=${rundir}/ovs-monitor-ipsec.pid \
+        --log-file --detach --monitor unix:${rundir}/db.sock
+    return 0
+}
+
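Review bot: `start_ovs_ipsec` ends with `return 0`, so a failed start of ovs-monitor-ipsec is reported as success; this is exactly the case in Ansis's log (`ovs-monitor-ipsec | ERR | [Errno 13] Permission denied` followed by a successful unit start). Drop the `return 0` so the function propagates the daemon's exit status to ovs-ctl and to systemd.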
 ## ---- ##
 ## stop ##
 ## ---- ##
@@ -238,6 +245,11 @@  stop_forwarding () {
     fi
 }
 
+stop_ovs_ipsec () {
+    ${bindir}/ovs-appctl -t ovs-monitor-ipsec exit
+    return 0
+}
+
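Review bot: `stop_ovs_ipsec` also returns 0 unconditionally, so when the pidfile is absent (`ovs-appctl: cannot read pidfile "/var/run/openvswitch/ovs-monitor-ipsec.pid"` in the report) the stop is still reported as successful; propagate ovs-appctl's status. Since `exit` returns as soon as the command is accepted rather than when the process is gone, the Debian init script's `restart` path has to fall back on a fixed `$DODTIME` sleep; consider waiting for the pidfile to disappear here instead.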
 ## --------------- ##
 ## enable-protocol ##
 ## --------------- ##
@@ -522,6 +534,12 @@  case $command in
     delete-transient-ports)
         del_transient_ports
         ;;
+    start-ovs-ipsec)
+        start_ovs_ipsec
+        ;;
+    stop-ovs-ipsec)
+        stop_ovs_ipsec
+        ;;
     help)
         usage
         ;;
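Review bot: `start-ovs-ipsec` and `stop-ovs-ipsec` are added to the `case`, but nothing in this patch updates `usage` (called from the `help)` branch directly below) or the ovs-ctl manpage, so `ovs-ctl help` will not list the new commands; add them to both.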