...
| Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Validated values | Description |
|---|---|---|---|---|---|---|
| ipsec | Global configuration | |||||
| debug | int | strongswan.conf | charon.syslog | whether to enable log information | ||
| rtinstall_enabled | boolean | strongswan.conf | charon.install_routes | Install routes into a separate routing table for established IPsec tunnels. | ||
| ignore_routing_tables | list | strongswan.conf | charon.ignore_routing_tables | A space-separated list of routing tables to be excluded from route lookup. | ||
| interface | list | strongswan.conf | charon.interfaces_use | A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored. | ||
| remote | Define a group remote tunnels with same security configuration | |||||
| tunnel | list | |||||
| transport | list | |||||
| enabled | boolean | whether this configuration is enabled | ||||
| gateway | String | ipsec.secrets ipsec.conf | local_gateway/remote_gateway right | 192.168.0.5 | Defines the counter party ip address here | |
| pre_shared_key | String | ipsec.secrets | PSK | Add the PSK inside the secrets file | ||
| authauthentication_method | String | ipsec.conf | leftauth/rightauth | pubkey, psk, eap, xauth | Defines the auth method that going to be used by two counter parties. | |
| local_identifier | String | ipsec.secrets ipsec.conf | local_identifier leftid | "C=CH, O=strongSwan, CN=peer" | Assigns a specific identifier for the itself (This identity will be send to the counter party inside the request) | |
| remote_identifier | String | ipsec.secrets ipsec.conf | remote_identifier rightid | "C=CH, O=strongSwan, CN=peerB" | Assigns a specific identifier for the counter party | |
| crypto_proposal | list | ipsec.conf | ike | default: aes128-sha256-modp3072 | Defines list of IKE/ISAKMP SA encryption/authentication algorithms to be used | |
| force_crypto_proposal | boolean | |||||
tunnel /transport | Define configuration for a tunnel or transport | |||||
| mode | String | ipsec.conf | auto | add/start/route | Sets the operation for the connection while starts. | |
| local_subnet | String | ipsec.conf | leftsubnet | 192.168.1.1/24 | Mostly used in site-to-site case. Sets the local subnet | |
| local_nat | String | ipsec.conf | leftsubnet | 192.168.1.1/24 | Mostly used in site-to-site case. Sets the local subnet | |
| local_sourceip | String | ipsec.conf | leftsourceip | 192.168.1.2, %config | Sets the ip address of local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party | |
| local_updown | String | ipsec.conf | leftupdown | <path_to_script> | The Updown plugin can be used to set custom firewall rules. | |
| local_firewall | String | ipsec.conf | leftfirewall | yes, no(default) | Whether the local site is doing forwarding-firewalling (including masquerading) using iptables for traffic from left|rightsubnet | |
| remote_subnet | String | ipsec.conf | rightsubnet | 192.168.0.1/24 | Mostly used in site-to-site case. Sets the subnet of the counter party | |
| remote_sourceip | String | ipsec.conf | rightsourceip | 192.168.0.2, 192.168.0.3-192.168.0.15 | Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip | |
| remote_updown | String | ipsec.conf | rightupdown | <path_to_script> | The path to the updown script to run to adjust routing and/or firewalling when the status of the connection changes | |
| remote_firewall | String | ipsec.conf | rightfirewall | yes, no(default) | Whether the remote site is doing forwarding-firewalling (including masquerading) using iptables for traffic from left|rightsubnet | |
| *ikelifetime | String | ipsec.conf | ikelifetime | 3h(default) | Sets the life time of the ike process before its re-negotiation. (Currently using default value) | |
| *lifetime | String | ipsec.conf | lifetime | 1h(default) | Set the life time of a particular instance would last. (Currently using default value) | |
| *margintime | String | ipsec.conf | margintime | 9m(default) | Sets how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin. (Currently using default value) | |
| *keyingtries | String | ipsec.conf | keyingtries | 3(default) | Sets the maxium attempts to negotiate for a connection. (Currently using default value) | |
| *dpdaction | String | ipsec.conf | dpdaction | clear, hold, restart, none(default) | Sets the action against peer timeout, validated through Dead Peer Protection Protocol. (Currently using default value) | |
| *dpddelay | String | ipsec.conf | dpddelay | 30s(default) | Defines the time interval for the informational exchange sent to peer. (Currently using default value) | |
| *inactivity | boolean | ipsec.conf | inactivity | 30m | Defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. (Currently using default value) | |
| *keyexchange | String | ipsec.conf | keyexchange | ikev2, ikev1, ike(default, same as ikev2) | Defines the protocol being used to initialize the connection. (Currently using default value) | |
| crypto_proposal | list | ipsec.conf | esp | aes128-sha256(default) | Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection | |
| *local_public_cert | String | ipsec.conf | leftcert | peer.der/peer.pem | Sets the path of the local certificate used for authentication NOTE: This is a key that currently not supported by OpenWrt | |
| *remote_public_cert | String | ipsec.conf | rightcert | peerB.der/peerB.pem | Sets the path of the remote certificate used for authentication NOTE: This is a key that currently not supported by OpenWrt | |
| *local_private_cert | String | /etc/ipsec.d/private | Puts the path of private key for the certificate. Maybe not needed for the CRD. But need to upload the file. NOTE: This is a key that currently not supported by OpenWrt | |||
| *shared_ca | String | /etc/ipsec.d/cacerts | Puts the shared CA for auth. Maybe not needed for CRD, but need to upload the file. NOTE: This is a key that currently not supported by OpenWrt | |||
| proposal | Define configuration for a proposal | |||||
| encryption_algorithm | String | ipsec.conf | ike/esp | aes128 | Defines the encryption algorithm(together in ike) | |
| hash_algorithm | String | ipsec.conf | ike/esp | sha256 | Defines the hash algorithm(together in ike) | |
| dh_group | String | ipsec.conf | ike/esp | modp3072 | Define the Diffie-Hellman group(together in ike) | |
| *proposal_name | String | Define the proposal name. |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: sdewan.akraino.org/v1alpha1 kind: IPSecSite metadata: name: site1siteA spec: node: node1 gateway: 10.0.1.2 pre_shared_key: test123 authauthentication_method: psk local_identifier: "C=CH, O=strongSwan, CN=peer" remote_identifier: "C=CH, O=strongSwan, CN=peerB" crypto_proposal: "proposal1" force_crypto_proposal: true connectionconnections: - name: connA type: tunnel/transport mode: start local_subnet: 192.168.1.1/24 local_nat: local_sourceip: 10.0.1.1 local_updown: local_firewall: remote_subnet: 192.168.0.1/24 remote_sourceip: 10.0.1.2 remote_updown: remote_firewall: crypto_proposal: proposal1proposal2 proposalproposals: - proposal_nameproposal1: proposal1 encryption_algorithm: aes128 hash_algorithm: sha256 dh_group: modp3072 |
IPSec Rest API
...
proposal2:
encryption_algorithm: aes128
hash_algorithm: sha128
dh_group: modp3072 |
IPSec Rest API
SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.
...
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
proposals body array a list dict of defined proposals Response Example
{
"proposals": [ {"nameproposal1": "proposal1",{
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
] }
}
GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal_name}
Get a proposal
Request: N/A
Request Parameters
Name
In
Type
Description
proposal_name path string proposal name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body stringproposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body string Diffie-Hellman group Response Example
{
"name":"proposal1",
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
...
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal_name}
update a proposal
Request:
Request Parameters:
Name
In
Type
Description
proposal_name path string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body string Diffie-Hellman group - Request Example
{
"encryption_algorithm": "aes256",
"hash_algorithm": "sha256",
"dh_group": "modp4096"
}
...
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
sites body array a list of defined sites Response Example
{
"sites": [{
"name {
"site1": {
"node": "site1nodeA",
"gateway":"10.100.10.101.2",
"authentication_method": "psk",
"crypto_proposal": "proposal1",
"connections": [
{
"name": "connA"
"type": "tunnel"
"local_subnet": "192.168.1.1/24",
"remote_subnet": "192.168.0.1/24",
"crypto_proposal": "proposal1"
}
}
]
}
...
}
}
GET /cgi-bin/luci/sdewan/ipsec/v1/site/{site}
...
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body string site namenode body string identifier for CNF gateway body string authauthentication_method body string local_identifier body string remote_identifier body string crypto_proposal body string proposal names used for ike process force_crypto_proposal body boolean connection body list list of connectionArray connectionArray:
Name In Type Description name body string type body string "tunnel" or "transport" mode body string local_subnet body string local_nat body string local_sourceip body string local_updown body string local_firewall body string firewall rule? remote_subnet body string remote_sourceip body string remote_updown body string remote_firewall body string crypto_proposal body string Response Example
{ "name": "site1",
"node": "node1",
"gateway":"10.101.100.102",
"crypto_proposal": "proposal1"
"connections": [
{
"type "name": "tunnelsite_to_site",
"type": "tunnel",
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1proposal2"
}
]
}
POST /cgi-bin/luci/sdewan/ipsec/v1/site
...
Request Parameters: same with GET's response request
Request Example:
nameName
In
Type
Description
string<site_name> body
namesiteArray site info siteArray:
Name
In
Type
Description
node body string identifier for CNF gateway body string pre_shared_key body string Optional, only if using the PSK authentication mode local_public_cert body string Optional, only if using the public key authentication mode authlocal_private_methodcert body string local_identifier body string Optional, only if using the public key authentication mode shared_ca body string Optional, only if using the public key authentication mode authentication_method body string local_identifier body string remote_identifier body string crypto_proposal body string one/more crypto_proposals force_crypto_proposal body boolean connection body list list of connectionArraylist one/more connectionArray connectionArray:
Name In Type Description name body string connection name type body string "tunnel" or "transport" mode body string local_subnet body string local_nat body string local_sourceip body string local_updown body string local_firewall body string firewall rule? remote_subnet body string remote_sourceip body string remote_updown body string remote_firewall body string crypto_proposal body string body string crypto_proposal body string proposal for esp Request Example:
{ "siteA": {
"node": "node1",
"gateway":"10.1.0.2",
"crypto_proposal": "proposal1"
"connections": [
{
"name": "site_to_site",
"type": "tunnel",
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal2"
}
]
}
}
Response
- Normal response codes: 201
- Error response codes: 400, 401
...
Request Parameters:
Name
In
Type
Description
site path string remote site name other params body Same with Get's response - Request Example
{
"gateway": "10.101.10.100.2",
"node": "nodeA",
"crypto_proposal": "proposal1"
"connections": [
{
"name": "site_to_site",
"type": "tunnel"
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1"
}
}
...