Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SectionOptionTypeStrongSwan configuration fileStrongSwan configuration optionValidated values Description
ipsec




Global configuration 

debugintstrongswan.confcharon.syslog
whether to enable log information

rtinstall_enabledbooleanstrongswan.confcharon.install_routes
Install routes into a separate routing table for established IPsec tunnels.

ignore_routing_tablesliststrongswan.confcharon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookup.

interfaceliststrongswan.confcharon.interfaces_use
A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
remote 




Define a group remote tunnels with same security configuration

tunnellist 




transport list




enabled boolean 


whether this configuration is enabled 

gateway String 

ipsec.secrets

ipsec.conf

local_gateway/remote_gateway

right 

192.168.0.5Defines the counter party ip address here

pre_shared_key String ipsec.secrets PSK 
Add the PSK inside the secrets file

auth_method String ipsec.conf leftauth/rightauth pubkey, psk, eap, xauthDefines the auth method that going to be used by two counter parties.

local_identifier String 

ipsec.secrets

ipsec.conf

 

local_identifier

leftid 

"C=CH, O=strongSwan, CN=peer"Assigns a specific identifier for the itself (This identity will be send to the counter party inside the request)

remote_identifier String 

ipsec.secrets

ipsec.conf

 

remote_identifier

rightid

"C=CH, O=strongSwan, CN=peerB"Assigns a specific identifier for the counter party

crypto_proposal listipsec.conf ike default: aes128-sha256-modp3072Defines list of IKE/ISAKMP SA encryption/authentication algorithms to be used

force_crypto_proposal boolean



tunnel

/transport






Define configuration for a tunnel or transport

modeString ipsec.conf autoadd/start/routeSets the operation for the connection while starts. 

local_subnetString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_natString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_sourceipString ipsec.conf leftsourceip192.168.1.2, %configSets the ip address of local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party

local_updownString ipsec.conf leftupdown<path_to_script>The Updown plugin can be used to set custom firewall rules.

local_firewallString ipsec.conf leftfirewallyes, no(default)Whether the local site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

remote_subnetString ipsec.conf rightsubnet192.168.0.1/24Mostly used in site-to-site case. Sets the subnet of the counter party

remote_sourceipString ipsec.conf rightsourceip192.168.0.2, 192.168.0.3-192.168.0.15Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip

remote_updownString ipsec.conf rightupdown<path_to_script>The path to the updown script to run to adjust routing and/or firewalling when the status of the connection
changes

remote_firewallString ipsec.conf rightfirewallyes, no(default)Whether the remote site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

*ikelifetimeString ipsec.conf ikelifetime3h(default)

Sets the life time of the ike process before its re-negotiation.

(Currently using default value)


*lifetimeString ipsec.conf lifetime1h(default)

Set the life time of a particular instance would last.

(Currently using default value)


*margintime String  ipsec.conf margintime 9m(default)

Sets how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin.

(Currently using default value)


*keyingtries String  ipsec.conf  keyingtries 3(default)

Sets the maxium attempts to negotiate for a connection.

(Currently using default value)


*dpdaction String  ipsec.conf  dpdaction clear, hold, restart, none(default)Sets the action against peer timeout, validated through Dead Peer Protection Protocol. (Currently using default value)

*dpddelay String  ipsec.conf  dpddelay 30s(default)Defines the time interval for the informational exchange sent to peer. (Currently using default value)

*inactivity boolean ipsec.conf  inactivity 30mDefines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. (Currently using default value)

*keyexchange String  ipsec.conf  keyexchange ikev2, ikev1, ike(default, same as ikev2)

Defines the protocol being used to initialize the connection.

(Currently using default value)


crypto_proposal list ipsec.conf  espaes128-sha256(default)Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection

*local_public_certStringipsec.confleftcertpeer.der/peer.pem

Sets the path of the local certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*remote_public_certStringipsec.confrightcertpeerB.der/peerB.pem

Sets the path of the remote certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*local_private_certString/etc/ipsec.d/private

Puts the path of private key for the certificate. Maybe not needed for the CRD. But need to upload the file. NOTE: This is a key that currently not supported by OpenWrt

*shared_caString/etc/ipsec.d/cacerts

Puts the shared CA for auth. Maybe not needed for CRD, but need to upload the file. NOTE: This is a key that currently not supported by OpenWrt
proposal  




Define configuration for a proposal 

encryption_algorithm String   ipsec.conf   ike/esp aes128Defines the encryption algorithm(together in ike)

hash_algorithm String   ipsec.conf   ike/esp sha256Defines the hash algorithm(together in ike)

dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

*proposal_nameString


Define the proposal name.

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

Code Block
languageyml
titleSDEWAN IPSec CRD
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway: 10.0.1.2
  pre_shared_key: test123
  auth_method: psk
  local_identifier: "C=CH, O=strongSwan, CN=peer"
  remote_identifier: "C=CH, O=strongSwan, CN=peerB"
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode: start
    local_subnet: 192.168.1.1/24
    local_nat:
    local_sourceip: 10.0.1.1
    local_updown: 
    local_firewall:
    remote_subnet: 192.168.0.1/24
    remote_sourceip: 10.0.1.2
    remote_updown:
    remote_firewall:
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - proposal_name: proposal1
  -  encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

...

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringsite name
    nodebodystringidentifier for CNF
    gatewaybodystringpre_shared_keybodystringOptional, only if using the PSK authentication mode
    auth_methodbodystring
    local_identifier body  string 
    remote_identifier body  string 
    crypto_proposal body  string 
    force_crypto_proposal body  boolean 
    connection body array listlist of connectionArray 

    connectionArray:

    NameInTypeDescription
    type body string "tunnel" or "transport" 
    mode body  string 
    local_subnet body string 
    local_natbody string 
    local_sourceip body string 
    local_updown body string 
    local_firewall body string firewall rule?
    remote_subnet body string 
    remote_sourceip body string 
    remote_updown body string 
    remote_firewallbodystring 
    crypto_proposal body string 


  • Response Example

    {

         "name": "site1",

         "node": "node1",

         "gateway":"10.10.10.10",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }


...

  • Request Parameters: same with GET's response request

  • Request Example:

    same with GET's response example

     

    Name

    In

    Type

    Description

    namebodystringsite name
    nodebodystringidentifier for CNF
    gatewaybodystring
    pre_shared_keybodystringOptional, only if using the PSK authentication mode
    local_public_certbodystringOptional, only if using the public key authentication mode
    auth_methodbodystring
    local_identifier body  string 
    remote_identifier body  string 
    crypto_proposal body  string 
    force_crypto_proposal body  boolean 
    connection body array list list of connectionArray

    connectionArray:

    NameInTypeDescription
    type body string "tunnel" or "transport" 
    mode body  string 
    local_subnet body string 
    local_natbody string 
    local_sourceip body string 
    local_updown body string 
    local_firewall body string firewall rule?
    remote_subnet body string 
    remote_sourceip body string 
    remote_updown body string 
    remote_firewallbodystring 
    crypto_proposal body string 


Response

  • Normal response codes: 201
  • Error response codes: 400, 401

...