From cccee538c4399d5f1b8620c1a7509da03e9c9a46 Mon Sep 17 00:00:00 2001
From: GRMrGecko
Date: Thu, 20 Feb 2025 17:27:46 -0600
Subject: [PATCH] Add support for IPSEC with tunnels.
---
 ovs/vswitch.go | 24 ++++++++++++++++++++++++
 ovs/vswitch_test.go | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
diff --git a/ovs/vswitch.go b/ovs/vswitch.go
index 181ced2..353f12b 100644
--- a/ovs/vswitch.go
+++ b/ovs/vswitch.go
@@ -274,6 +274,18 @@ type InterfaceOptions struct {
 // tunneled traffic leaving this interface. Optionally it could be set to
 // "flow" which expects the flow to set tunnel ID.
 Key string
+
+ // Pre-shared key to encrypt OVS tunnel with IPsec. Supports GRE, GENEVE,
+ // VXLAN, and STT tunnel.
+ PSK string
+
+ // Path to certificate of the remote server to encrypt with an self-signed cert
+ // using IPsec. Supports GRE, GENEVE, VXLAN, and STT tunnel.
+ RemoteCert string
+
+ // Common name of the remote certificate signed by an certificate authority to
+ // encrypt using IPsec. Supports GRE, GENEVE, VXLAN, and STT tunnel.
+ RemoteName string
 }
 
 // slice creates a string slice containing any non-zero option values from the
@@ -315,5 +327,17 @@ func (i InterfaceOptions) slice() []string {
 s = append(s, fmt.Sprintf("options:key=%s", i.Key))
 }
 
+ if i.PSK != "" {
+ s = append(s, fmt.Sprintf("options:psk=%s", i.PSK))
+ }
+
+ if i.RemoteCert != "" {
+ s = append(s, fmt.Sprintf("options:remote_cert=%s", i.RemoteCert))
+ }
+
+ if i.RemoteName != "" {
+ s = append(s, fmt.Sprintf("options:remote_name=%s", i.RemoteName))
+ }
+
 return s
 }
diff --git a/ovs/vswitch_test.go b/ovs/vswitch_test.go
index 8298537..ca402b9 100644
--- a/ovs/vswitch_test.go
+++ b/ovs/vswitch_test.go
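Review bot: The new field comments in the InterfaceOptions hunk read "an self-signed cert" and "an certificate authority"; both should be "a self-signed cert" and "a certificate authority". The three comments describe what look like three distinct IPsec authentication modes (pre-shared key, self-signed peer certificate, CA-signed certificate matched by common name), but nothing says whether more than one may be set at once; if they are alternatives, as the descriptions suggest, a sentence on the struct such as `// PSK, RemoteCert and RemoteName select alternative IPsec authentication methods; set only one of them.` would save callers a trip to the OVS documentation. The PSK comment should also state that the value is a secret which slice() writes verbatim into `options:psk=`, so callers must keep it out of logs.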
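Review bot: The added `options:psk=%s` branch in slice() places the pre-shared key in cleartext in the returned slice, and neither the branch nor the slice doc comment marks it as sensitive, so whatever consumes the slice (outside this hunk) will expose it in any argument logging or process listing it produces. At minimum add `// PSK is a secret: anything that logs or displays this slice should redact options:psk.` above the branch. The three new branches also emit every non-empty field independently, so setting PSK together with RemoteCert or RemoteName passes all of them through without an error; that matches the rest of slice(), which never validates, but is worth a sentence in the slice doc comment given the fields appear to be mutually exclusive authentication modes. The rest of slice() is outside the hunk.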
@@ -857,6 +857,51 @@ func TestInterfaceOptions_slice(t *testing.T) {
 "options:key=flow",
 },
 },
+ {
+ desc: "ipsec PSK encrypted VXLAN tunnel",
+ i: InterfaceOptions{
+ Type: InterfaceTypeVXLAN,
+ RemoteIP: "10.43.22.1",
+ Key: "flow",
+ PSK: "swordfish",
+ },
+ out: []string{
+ "type=stt",
+ "options:remote_ip=10.43.22.1",
+ "options:key=flow",
+ "options:psk=swordfish",
+ },
+ },
+ {
+ desc: "ipsec self-signed encrypted VXLAN tunnel",
+ i: InterfaceOptions{
+ Type: InterfaceTypeVXLAN,
+ RemoteIP: "10.43.22.1",
+ Key: "flow",
+ RemoteCert: "/path/to/remote.pem",
+ },
+ out: []string{
+ "type=stt",
+ "options:remote_ip=10.43.22.1",
+ "options:key=flow",
+ "options:remote_cert=/path/to/remote.pem",
+ },
+ },
+ {
+ desc: "ipsec CA encrypted VXLAN tunnel",
+ i: InterfaceOptions{
+ Type: InterfaceTypeVXLAN,
+ RemoteIP: "10.43.22.1",
+ Key: "flow",
+ RemoteName: "remote_cn",
+ },
+ out: []string{
+ "type=stt",
+ "options:remote_ip=10.43.22.1",
+ "options:key=flow",
+ "options:remote_name=remote_cn",
+ },
+ },
 {
 desc: "all options",
 i: InterfaceOptions{
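Review bot: All three new cases set `Type: InterfaceTypeVXLAN` yet expect `"type=stt"` as the first element of out, while their descriptions say VXLAN; assuming InterfaceTypeVXLAN serializes as `type=vxlan` (its serialization is outside this hunk), these cases cannot pass as written, and if they do pass, the descriptions and Type are what is wrong. Either change the three expectations to `"type=vxlan",` or set Type to the STT constant and rename the cases accordingly. None of the new cases exercises two of PSK, RemoteCert and RemoteName set together, so the pass-through behaviour of slice() for that combination stays untested. The enclosing TestInterfaceOptions_slice starts outside the hunk.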