Libreswan: always specify encapsulation

skitt · tpantelis · commit 55817204f6f7 · 2026-01-22T07:54:04.000-05:00
Instead of only specifying the encapsulation option when encapsulation is forced, configure it explicitly in all circumstances. This ensures that the option is tested even in default scenarios. Signed-off-by: Stephen Kitt <skitt@redhat.com> (cherry picked from commit 3756172)
diff --git a/pkg/cable/libreswan/libreswan.go b/pkg/cable/libreswan/libreswan.go
@@ -52,7 +52,7 @@ const (
 	whackTimeout     = 5 * time.Second
 	dpdDelay         = 30 // seconds
 	encryptArg       = "--encrypt"
-	forceencapsArg   = "--encaps=yes"
+	forceencapsArg   = "--encaps="
 	nameArg          = "--name"
 	hostArg          = "--host"
 	clientArg        = "--client"
@@ -491,7 +491,9 @@ func (i *libreswan) bidirectionalConnectToEndpoint(connectionName string, endpoi
 
 	args := []string{"--psk", encryptArg}
 	if endpointInfo.UseNAT || i.forceUDPEncapsulation {
-		args = append(args, forceencapsArg)
+		args = append(args, forceencapsArg+"yes")
+	} else {
+		args = append(args, forceencapsArg+"auto")
 	}
 
 	args = append(args, nameArg, connectionName, ipFamilyArgs[endpointInfo.UseFamily],
@@ -539,7 +541,9 @@ func (i *libreswan) serverConnectToEndpoint(connectionName string, endpointInfo
 
 	args := []string{"--psk", encryptArg}
 	if endpointInfo.UseNAT || i.forceUDPEncapsulation {
-		args = append(args, forceencapsArg)
+		args = append(args, forceencapsArg+"yes")
+	} else {
+		args = append(args, forceencapsArg+"auto")
 	}
 
 	args = append(args, nameArg, connectionName, ipFamilyArgs[endpointInfo.UseFamily],
@@ -580,7 +584,9 @@ func (i *libreswan) clientConnectToEndpoint(connectionName string, endpointInfo
 
 	args := []string{"--psk", encryptArg}
 	if endpointInfo.UseNAT || i.forceUDPEncapsulation {
-		args = append(args, forceencapsArg)
+		args = append(args, forceencapsArg+"yes")
+	} else {
+		args = append(args, forceencapsArg+"auto")
 	}
 
 	args = append(args, nameArg, connectionName, ipFamilyArgs[endpointInfo.UseFamily],
