diff --git a/.gitignore b/.gitignore
index 49d995f..e60be9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@
 /openvswitch-2.9.2.tar.gz
 /openvswitch-2.10.0.tar.gz
 /openvswitch-2.10.1.tar.gz
+/openvswitch-2.11.0.tar.gz
diff --git a/0001-ovn-nbctl-Fix-the-ovn-nbctl-test-LBs-daemon-which-fa.patch b/0001-ovn-nbctl-Fix-the-ovn-nbctl-test-LBs-daemon-which-fa.patch
deleted file mode 100644
index 6ee491a..0000000
--- a/0001-ovn-nbctl-Fix-the-ovn-nbctl-test-LBs-daemon-which-fa.patch
+++ /dev/null
@@ -1,179 +0,0 @@ -From 71981938b2db070c130ec717aab141cd9c0fa860 Mon Sep 17 00:00:00 2001 -From: Numan Siddique -Date: Tue, 6 Nov 2018 11:59:38 +0530 -Subject: [PATCH] ovn-nbctl: Fix the ovn-nbctl test "LBs - daemon" which fails - during rpm build - -When 'make check' is called by the mock rpm build (which disables networking), -the test "ovn-nbctl: LBs - daemon" fails when it runs the command -"ovn-nbctl lb-add lb0 30.0.0.1a 192.168.10.10:80,192.168.10.20:80". ovn-nbctl -extracts the vip by calling the socket util function 'inet_parse_active()', -and this function blocks when libunbound function ub_resolve() is called -further down. ub_resolve() is a blocking function without timeout and all the -ovs/ovn utilities use this function. - -As reported by Timothy Redaelli, the issue can also be reproduced by running -the below commands - -$ sudo unshare -mn -- sh -c 'ip addr add dev lo 127.0.0.1 && \ - mount --bind /dev/null /etc/resolv.conf && runuser $SUDO_USER' -$ make sandbox SANDBOXFLAGS="--ovn" -$ ovn-nbctl -vsocket_util:off lb-add lb0 30.0.0.1a \ - 192.168.10.10:80,192.168.10.20:80 - -To address this issue, this patch adds a new bool argument 'resolve_host' to -the function inet_parse_active() to resolve the host only if it is 'true'. - -ovn-nbctl/ovn-northd will pass 'false' when it calls this function to parse -the load balancer values. 
- -Reported-by: Timothy Redaelli -Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1641672 -Signed-off-by: Numan Siddique -Signed-off-by: Ben Pfaff ---- - lib/socket-util.c | 7 ++++--- - lib/socket-util.h | 2 +- - lib/stream.c | 2 +- - ofproto/ofproto-dpif-sflow.c | 2 +- - ovn/northd/ovn-northd.c | 2 +- - ovn/utilities/ovn-nbctl.c | 6 +++--- - ovsdb/raft-private.c | 2 +- - 7 files changed, 12 insertions(+), 11 deletions(-) - -diff --git a/lib/socket-util.c b/lib/socket-util.c -index 504f4cd59..5f82e89c1 100644 ---- a/lib/socket-util.c -+++ b/lib/socket-util.c -@@ -518,12 +518,13 @@ exit: - * is optional and defaults to 'default_port' (use 0 to make the kernel choose - * an available port, although this isn't usually appropriate for active - * connections). If 'default_port' is negative, then is required. -+ * It resolves the host if 'resolve_host' is true. - * - * On success, returns true and stores the parsed remote address into '*ss'. - * On failure, logs an error, stores zeros into '*ss', and returns false. */ - bool - inet_parse_active(const char *target_, int default_port, -- struct sockaddr_storage *ss) -+ struct sockaddr_storage *ss, bool resolve_host) - { - char *target = xstrdup(target_); - char *port, *host; -@@ -538,7 +539,7 @@ inet_parse_active(const char *target_, int default_port, - ok = false; - } else { - ok = parse_sockaddr_components(ss, host, port, default_port, -- target_, true); -+ target_, resolve_host); - } - if (!ok) { - memset(ss, 0, sizeof *ss); -@@ -575,7 +576,7 @@ inet_open_active(int style, const char *target, int default_port, - int error; - - /* Parse. 
*/ -- if (!inet_parse_active(target, default_port, &ss)) { -+ if (!inet_parse_active(target, default_port, &ss, true)) { - error = EAFNOSUPPORT; - goto exit; - } -diff --git a/lib/socket-util.h b/lib/socket-util.h -index 6d386304d..a65433d90 100644 ---- a/lib/socket-util.h -+++ b/lib/socket-util.h -@@ -49,7 +49,7 @@ ovs_be32 guess_netmask(ovs_be32 ip); - void inet_parse_host_port_tokens(char *s, char **hostp, char **portp); - void inet_parse_port_host_tokens(char *s, char **portp, char **hostp); - bool inet_parse_active(const char *target, int default_port, -- struct sockaddr_storage *ssp); -+ struct sockaddr_storage *ssp, bool resolve_host); - int inet_open_active(int style, const char *target, int default_port, - struct sockaddr_storage *ssp, int *fdp, uint8_t dscp); - -diff --git a/lib/stream.c b/lib/stream.c -index 4e15fe0c8..c4dabda39 100644 ---- a/lib/stream.c -+++ b/lib/stream.c -@@ -751,7 +751,7 @@ stream_parse_target_with_default_port(const char *target, int default_port, - struct sockaddr_storage *ss) - { - return ((!strncmp(target, "tcp:", 4) || !strncmp(target, "ssl:", 4)) -- && inet_parse_active(target + 4, default_port, ss)); -+ && inet_parse_active(target + 4, default_port, ss, true)); - } - - /* Attempts to guess the content type of a stream whose first few bytes were -diff --git a/ofproto/ofproto-dpif-sflow.c b/ofproto/ofproto-dpif-sflow.c -index 62a09b5d1..7da31753c 100644 ---- a/ofproto/ofproto-dpif-sflow.c -+++ b/ofproto/ofproto-dpif-sflow.c -@@ -468,7 +468,7 @@ sflow_choose_agent_address(const char *agent_device, - const char *target; - SSET_FOR_EACH (target, targets) { - struct sockaddr_storage ss; -- if (inet_parse_active(target, SFL_DEFAULT_COLLECTOR_PORT, &ss)) { -+ if (inet_parse_active(target, SFL_DEFAULT_COLLECTOR_PORT, &ss, true)) { - /* sFlow only supports target in default routing table with - * packet mark zero. 
- */ -diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c -index 5e61708be..d59fc45ca 100644 ---- a/ovn/northd/ovn-northd.c -+++ b/ovn/northd/ovn-northd.c -@@ -3204,7 +3204,7 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address, - uint16_t *port, int *addr_family) - { - struct sockaddr_storage ss; -- if (!inet_parse_active(key, 0, &ss)) { -+ if (!inet_parse_active(key, 0, &ss, false)) { - static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); - VLOG_WARN_RL(&rl, "bad ip address or port for load balancer key %s", - key); -diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c -index 42aac2251..09bbcf76a 100644 ---- a/ovn/utilities/ovn-nbctl.c -+++ b/ovn/utilities/ovn-nbctl.c -@@ -2553,7 +2553,7 @@ nbctl_lb_add(struct ctl_context *ctx) - } - - struct sockaddr_storage ss_vip; -- if (!inet_parse_active(lb_vip, 0, &ss_vip)) { -+ if (!inet_parse_active(lb_vip, 0, &ss_vip, false)) { - ctl_error(ctx, "%s: should be an IP address (or an IP address " - "and a port number with : as a separator).", lb_vip); - return; -@@ -2583,7 +2583,7 @@ nbctl_lb_add(struct ctl_context *ctx) - struct sockaddr_storage ss_dst; - - if (lb_vip_port) { -- if (!inet_parse_active(token, -1, &ss_dst)) { -+ if (!inet_parse_active(token, -1, &ss_dst, false)) { - ctl_error(ctx, "%s: should be an IP address and a port " - "number with : as a separator.", token); - goto out; -@@ -2702,7 +2702,7 @@ lb_info_add_smap(const struct nbrec_load_balancer *lb, - const struct smap_node *node = nodes[i]; - - struct sockaddr_storage ss; -- if (!inet_parse_active(node->key, 0, &ss)) { -+ if (!inet_parse_active(node->key, 0, &ss, false)) { - continue; - } - -diff --git a/ovsdb/raft-private.c b/ovsdb/raft-private.c -index 07996e35b..e5e2c29cf 100644 ---- a/ovsdb/raft-private.c -+++ b/ovsdb/raft-private.c -@@ -33,7 +33,7 @@ raft_address_validate(const char *address) - return NULL; - } else if (!strncmp(address, "ssl:", 4) || !strncmp(address, "tcp:", 4)) { - struct 
sockaddr_storage ss; -- if (!inet_parse_active(address + 4, -1, &ss)) { -+ if (!inet_parse_active(address + 4, -1, &ss, true)) { - return ovsdb_error(NULL, "%s: syntax error in address", address); - } - return NULL; --- -2.19.1 - diff --git a/openvswitch.spec b/openvswitch.spec index a1ab437..d1194c1 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -66,8 +66,8 @@ Epoch: 1 Name: openvswitch Summary: Open vSwitch daemon/database/utilities URL: http://www.openvswitch.org/ -Version: 2.10.1 -Release: 2%{?commit0:.%{date}git%{shortcommit0}}%{?dist} +Version: 2.11.0 +Release: 1%{?commit0:.%{date}git%{shortcommit0}}%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -86,7 +86,6 @@ Source: http://openvswitch.org/releases/%{name}-%{version}.tar.gz # ovs-patches # OVS (including OVN) backports (0 - 300) -Patch10: 0001-ovn-nbctl-Fix-the-ovn-nbctl-test-LBs-daemon-which-fa.patch BuildRequires: gcc gcc-c++ make BuildRequires: autoconf automake libtool @@ -214,6 +213,19 @@ This provides the ifup and ifdown scripts for use with the legacy network service. %endif +%package ipsec +Summary: Open vSwitch IPsec tunneling support +License: ASL 2.0 +Requires: openvswitch libreswan +%if %{with_python2} +Requires: %{_py2}-openvswitch = %{?epoch:%{epoch}:}%{version}-%{release} +%else +Requires: python3-openvswitch = %{?epoch:%{epoch}:}%{version}-%{release} +%endif + +%description ipsec +This package provides IPsec tunneling support for OVS tunnels. + %package ovn-central Summary: Open vSwitch - Open Virtual Network support License: ASL 2.0 @@ -317,6 +329,7 @@ install -p -D -m 0644 \ $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/openvswitch for service in openvswitch ovsdb-server ovs-vswitchd ovs-delete-transient-ports \ + openvswitch-ipsec \ ovn-controller ovn-controller-vtep ovn-northd; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ 
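Review bot: In the new `%package ipsec` stanza, `Requires: openvswitch libreswan` leaves the dependency on the main package unversioned, while the python binding a few lines below is pinned to the exact epoch-version-release. An ipsec subpackage from this build could then sit next to an openvswitch from a different build after a partial update, so the IPsec helper and the daemon it works with may drift apart. I would pin it the same way, `Requires: openvswitch = %{?epoch:%{epoch}:}%{version}-%{release}`, and keep `Requires: libreswan` on its own line.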
@@ -619,6 +632,10 @@ chown -R openvswitch:openvswitch /etc/openvswitch %{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs %endif +%files ipsec +%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec +%{_unitdir}/openvswitch-ipsec.service + %files %defattr(-,openvswitch,openvswitch) %dir %{_sysconfdir}/openvswitch @@ -665,6 +682,7 @@ chown -R openvswitch:openvswitch /etc/openvswitch %{_mandir}/man5/vtep.5* %{_mandir}/man7/ovsdb-server.7* %{_mandir}/man7/ovsdb.7* +%{_mandir}/man7/ovs-actions.7* %{_mandir}/man7/ovs-fields.7* %{_mandir}/man8/vtep-ctl.8* %{_mandir}/man8/ovs-appctl.8* @@ -744,6 +762,9 @@ chown -R openvswitch:openvswitch /etc/openvswitch %{_unitdir}/ovn-controller-vtep.service %changelog +* Thu Feb 28 2019 Timothy Redaelli - 2.11.0-1 +- Rebase to 2.11.0 + * Fri Feb 01 2019 Fedora Release Engineering - 2.10.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index a0e812d..dcf1f93 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openvswitch-2.10.1.tar.gz) = 3634bd3e978110cb9e11191a88e4232a7af152a6ddf46e8a32e50e07de866be782b7e753d26b81183ec107816e5af4109badf8f2067a61fd9506ccf81e748e44 +SHA512 (openvswitch-2.11.0.tar.gz) = e02fabe505132b3c1b3fc846b0f58d1b91b307dc51b636f3e1e0cfa74ce02b18fe183dc822172fcac567463bb8fe031160463a6d165484d33861da341bfe2628
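Review bot: The `%files ipsec` list ships `openvswitch-ipsec.service`, but no hunk on this page adds `%post`/`%preun`/`%postun` scriptlets for the new subpackage, so the unit would presumably not be stopped and disabled on removal or restarted on upgrade. For a service that manages IPsec for tunnels, a monitor that keeps running pre-update code, or stays enabled after the package is removed, is worth avoiding. I would add the three systemd scriptlets for `ipsec`, written in whatever form the existing scriptlets in this spec use; the rest of the spec is not visible here, so the macro style below is an assumption.

```spec
%post ipsec
%systemd_post openvswitch-ipsec.service

%preun ipsec
%systemd_preun openvswitch-ipsec.service

%postun ipsec
%systemd_postun_with_restart openvswitch-ipsec.service
```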