Fast Datapath Product / FDP-3030

Test Plan: [RFE] Allow configuring custom ipsec connection options

    • Task
    • Resolution: Unresolved
    • OVN

      ( ) The new test plan is aligned with the epic's acceptance criteria

      ( ) The test plan/test case pass successfully on all non blocking functions of the feature

    • rhel-9

      This task is tracking the test case writing activities to cover the feature request described below.

      What's the feature?

      Allow setting custom ipsec_<key>=<value> options in the northbound DB, so that they are passed down to OVS as tunnel ipsec configuration options and end up as part of the connection specification in ipsec.conf for OVN tunnels.

      Why is it needed?

      Today OVN allows setting ipsec_encapsulation/ipsec_forceencaps for the tunnels when ipsec is enabled, but it doesn't allow any other options that may be required for the connection to work properly in a particular environment. For example, in an environment where higher than standard packet reordering is expected, it may be necessary to specify a replay-window size. It may also be useful to try different options while debugging ipsec issues. Some of this can be mitigated by setting %default connection options in a separate config file included from ipsec.conf, but that is not always possible, e.g. if ovs-monitor-ipsec owns the root ipsec.conf. It may also be desirable to change the configuration for OVN tunnels only, without affecting the N-S ipsec configuration on the node.

      Who will benefit?

      Users that require specific configuration for ipsec to work in their environment. Support and developers will be able to try different configuration changes easily while debugging complex ipsec issues like FDP-2940.
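
A check a test case for this feature could run against the rendered ipsec.conf, written as an added example (not part of the ticket or of OVN/OVS code): it verifies that the custom options appear in every OVN tunnel connection and in no other connection, so the N-S configuration stays untouched. It assumes that an `ipsec_<key>` option renders as `<key>=<value>` and that OVN tunnel connection names start with `ovn-`; the sample file and its values are constructed.

```python
# Added example: SAMPLE_CONF is constructed for illustration; connection names,
# addresses and option values are made up, not captured from ovs-monitor-ipsec.
SAMPLE_CONF = """\
conn %default
    keyingtries=%forever
conn ovn-aaaaaa-0-in-1
    left=192.0.2.10
    encapsulation=yes
    replay-window=128
conn ovn-aaaaaa-0-out-1
    left=192.0.2.10
    encapsulation=yes
conn north-south-vpn
    left=192.0.2.10
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # section headers start in column 0
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_custom_options(text, nb_options, tunnel_prefix="ovn-"):
    """Return (missing, leaked). Assumes ipsec_<key> renders as <key>=<value> and
    that tunnel conn names start with tunnel_prefix (hypothetical conventions)."""
    want = {k[len("ipsec_"):]: v for k, v in nb_options.items() if k.startswith("ipsec_")}
    missing, leaked = {}, {}
    for name, opts in parse_conns(text).items():
        if name.startswith(tunnel_prefix):
            bad = sorted(k for k, v in want.items() if opts.get(k) != v)
            if bad:
                missing[name] = bad  # option absent or wrong value in a tunnel conn
        else:
            hit = sorted(k for k in want if k in opts)
            if hit:
                leaked[name] = hit  # option reached %default or an unrelated conn
    return missing, leaked
```

Calling `check_custom_options(SAMPLE_CONF, {"ipsec_replay-window": "128"})` reports the outbound tunnel connection as missing the option; a `%default` section carrying it would be reported as leaked, since `%default` applies to every connection on the node.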

              ovn-qe OVN QE
              imaximet@redhat.com Ilya Maximets