...
IPSec CR for gateway A:
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: 192.168.1.11
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    local_firewall: yes
    remote_subnet: 10.2.0.1/24
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
IPSec CR for gateway B:
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteB
spec:
  node: node2
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @sun.strongswan.org
  remote_identifier: @moon.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.2.0.1/24
    local_sourceip: 192.168.1.11
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
NAT CR:
Rest calls:
Sites settings
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
```json
{
  "siteA": {
    "node": "node1",              // shows the tunnel belongs to which CNF
    "gateway": "192.168.1.11",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "local_identifier": "@moon.strongswan.org",
    "remote_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_subnet": "10.1.0.1/24",
        "remote_subnet": "10.2.0.1/24",
        "keyexchange": "ikev2",
        "crypto_proposal": "proposal1"
      }
    ]
  },
  "siteB": {
    "node": "node2",
    "gateway": "192.168.1.10",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "remote_identifier": "@moon.strongswan.org",
    "local_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_subnet": "10.2.0.1/24",
        "local_sourceip": "192.168.1.11",
        "remote_subnet": "10.1.0.1/24",
        "keyexchange": "ikev2",
        "crypto_proposal": "proposal1"
      }
    ]
  }
}
```
...
Proposal settings
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
```json
{
  "proposals": {
    "proposal1": {
      "crypto_algorithm": "aes128",
      "hash_algorithm": "sha256",
      "dh_group": "modp3072"
    }
  }
}
```
Decomposed Scenario B: Host-to-Site tunnel
In this scenario, the initiator sends a request to the responder (either a site gateway or a remote host), which has a static public IP address (or a dynamic public IP with a static domain name), in order to set up a tunnel between them. After the tunnel is established, the roadwarrior should be able to ping the clients on the other side through the tunnel. The tunnel is authenticated with a pre-shared key.
...
IPSec CR for Gateway A:
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: 192.168.1.15
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @sun.strongswan.org
  remote_identifier: @roadwarrior.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    local_firewall: yes
    remote_sourceip: 192.168.1.15
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
IPSec CR for roadwarrior(initiator):
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @roadwarrior.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_sourceip: 192.168.1.15
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_sourceip: 192.168.1.10
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
NAT CR:
...
Rest calls:
Sites settings
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
```json
{
  "siteA": {
    "node": "node1",              // shows the tunnel belongs to which CNF
    "gateway": "192.168.1.11",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "local_identifier": "@moon.strongswan.org",
    "remote_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_subnet": "10.1.0.1/24",
        "remote_sourceip": "192.168.1.15",
        "local_sourceip": "192.168.1.10",
        "crypto_proposal": "proposal1"
      }
    ]
  },
  "roadwarrior": {
    "node": "node2",
    "gateway": "192.168.1.10",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "remote_identifier": "@moon.strongswan.org",
    "local_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_sourceip": "192.168.1.15",
        "remote_sourceip": "192.168.1.10",
        "remote_subnet": "10.1.0.1/24",
        "crypto_proposal": "proposal1"
      }
    ]
  }
}
```
Proposal settings
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
```json
{
  "proposals": {
    "proposal1": {
      "crypto_algorithm": "aes128",
      "hash_algorithm": "sha256",
      "dh_group": "modp3072"
    }
  }
}
```
Decomposed Scenario C: Host-to-Site tunnel when the initiator requests an overlay IP
In this scenario, the initiator sends a request to the responder (either a site gateway or a remote host), which has a static public IP address (or a dynamic public IP with a static domain name), in order to set up a tunnel between them. This time, however, the roadwarrior also asks for a virtual IP assigned by the responder. After the tunnel is established, the roadwarrior should obtain an overlay IP and be able to ping the clients on the other side through the tunnel. The tunnel is authenticated with a pre-shared key.
IPSec CR for Gateway A:
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: any
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @roadwarrior.strongswan.org
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    local_firewall: yes
    remote_sourceip: 10.3.0.1/24
    remote_firewall: yes
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
IPSec CR for roadwarrior(initiator):
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @roadwarrior.strongswan.org
  remote_identifier: @moon.strongswan.org
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_sourceip: %config
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_sourceip: 192.168.1.10
    remote_firewall: yes
    crypto_proposal: "proposal1"
  proposal:
    proposal1:
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072
```
NAT CR:
Rest calls:
Sites settings
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
```json
{
  "siteA": {
    "node": "node1",              // shows the tunnel belongs to which CNF
    "gateway": "192.168.1.11",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "local_identifier": "@moon.strongswan.org",
    "remote_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_subnet": "10.1.0.1/24",
        "remote_sourceip": "10.3.0.1/24",
        "local_sourceip": "192.168.1.10",
        "crypto_proposal": "proposal1"
      }
    ]
  },
  "roadwarrior": {
    "node": "node2",
    "gateway": "192.168.1.10",
    "crypto_proposal": "proposal1",
    "pre_shared_key": "test123",
    "authentication_method": "psk",
    "remote_identifier": "@moon.strongswan.org",
    "local_identifier": "@sun.strongswan.org",
    "connections": [
      {
        "name": "connA",
        "type": "tunnel",
        "mode": "start",
        "local_sourceip": "%config",
        "remote_sourceip": "192.168.1.10",
        "remote_subnet": "10.1.0.1/24",
        "crypto_proposal": "proposal1"
      }
    ]
  }
}
```
Proposal settings
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
```json
{
  "proposals": {
    "proposal1": {
      "crypto_algorithm": "aes128",
      "hash_algorithm": "sha256",
      "dh_group": "modp3072"
    }
  }
}
```
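The two CRs of a tunnel must describe the same SA from opposite ends: mirrored identifiers, the same pre-shared key, each side's local_subnet equal to the other's remote_subnet, a pool behind a `%config` initiator, and one identical proposal. The following Python check is an added example (not code from the ICN SDEWAN project) that applies those rules to the `spec` of two peer IPSecSite CRs; the dicts are constructed to mirror Scenario A (siteA/siteB) and Scenario C (gateway A/roadwarrior) above, and `check_pair`, `check_proposal` and the `WEAK_*` minimum-strength sets are hypothetical helpers rather than controller behaviour.

```python
"""Peer-consistency check for a pair of SDEWAN IPSecSite CR specs.

Added example, not ICN SDEWAN project code. The specs are constructed to
mirror the page's Scenario A and Scenario C CRs; check_pair(),
check_proposal() and the WEAK_* policy sets are hypothetical helpers.
"""
import ipaddress

PROPOSAL1 = {"encryption_algorithm": "aes128", "hash_algorithm": "sha256",
             "dh_group": "modp3072"}

def _spec(local_id, remote_id, gateway, conn):
    """Build a constructed `spec` sharing the page's PSK/proposal settings."""
    return {"gateway": gateway, "pre_shared_key": "test123", "auth_method": "psk",
            "local_identifier": local_id, "remote_identifier": remote_id,
            "crypto_proposal": "proposal1", "connection": [conn],
            "proposal": {"proposal1": dict(PROPOSAL1)}}

# Constructed: Scenario A, siteA <-> siteB (site-to-site).
SITE_A = _spec("@moon.strongswan.org", "@sun.strongswan.org", "192.168.1.11",
               {"name": "connA", "type": "tunnel", "mode": "start",
                "local_subnet": "10.1.0.1/24", "local_sourceip": "192.168.1.10",
                "remote_subnet": "10.2.0.1/24", "crypto_proposal": "proposal1"})
SITE_B = _spec("@sun.strongswan.org", "@moon.strongswan.org", "192.168.1.10",
               {"name": "connA", "type": "tunnel", "mode": "start",
                "local_subnet": "10.2.0.1/24", "local_sourceip": "192.168.1.11",
                "remote_subnet": "10.1.0.1/24", "crypto_proposal": "proposal1"})
# Constructed: Scenario C, gateway A <-> roadwarrior asking for a virtual IP.
GATEWAY_C = _spec("@moon.strongswan.org", "@roadwarrior.strongswan.org", "any",
                  {"name": "connA", "type": "tunnel", "mode": "start",
                   "local_subnet": "10.1.0.1/24", "local_sourceip": "192.168.1.10",
                   "remote_sourceip": "10.3.0.1/24", "crypto_proposal": "proposal1"})
ROADWARRIOR_C = _spec("@roadwarrior.strongswan.org", "@moon.strongswan.org", "192.168.1.10",
                      {"name": "connA", "type": "tunnel", "mode": "start",
                       "local_sourceip": "%config", "remote_subnet": "10.1.0.1/24",
                       "remote_sourceip": "192.168.1.10", "crypto_proposal": "proposal1"})

# Assumed minimum-strength policy for this example (not a project setting).
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}

def _net(cidr):
    """Normalise a selector written with host bits set (10.1.0.1/24 -> 10.1.0.0/24)."""
    return ipaddress.ip_network(cidr, strict=False)

def check_proposal(name, prop):
    """Return policy violations for one proposal (empty list if acceptable)."""
    out = []
    for key, weak in (("dh_group", WEAK_DH), ("hash_algorithm", WEAK_HASH),
                      ("encryption_algorithm", WEAK_ENC)):
        if prop.get(key) in weak:
            out.append(f"{name}: weak {key} {prop[key]}")
    return out

def check_pair(left, right):
    """Return mismatches between two peer specs (empty list if they agree)."""
    problems = []
    if (left["auth_method"], right["auth_method"]) != ("psk", "psk"):
        problems.append("auth_method must be psk on both peers")
    if left["pre_shared_key"] != right["pre_shared_key"]:
        problems.append("pre_shared_key differs between peers")
    if (left["local_identifier"] != right["remote_identifier"]
            or right["local_identifier"] != left["remote_identifier"]):
        problems.append("local/remote identifiers are not mirrored")
    lconns = {c["name"]: c for c in left["connection"]}
    rconns = {c["name"]: c for c in right["connection"]}
    for name in sorted(set(lconns) | set(rconns)):
        if name not in lconns or name not in rconns:
            problems.append(f"{name}: defined on one peer only")
            continue
        lc, rc = lconns[name], rconns[name]
        for mine, theirs in ((lc, rc), (rc, lc)):
            # Traffic selectors: one side's local_subnet is the other's remote_subnet.
            if ("local_subnet" in mine and "remote_subnet" in theirs
                    and _net(mine["local_subnet"]) != _net(theirs["remote_subnet"])):
                problems.append(f"{name}: local_subnet/remote_subnet not mirrored")
            # A %config initiator needs an address pool in the responder's remote_sourceip.
            if mine.get("local_sourceip") == "%config":
                try:
                    if _net(theirs.get("remote_sourceip", "")).num_addresses < 2:
                        problems.append(f"{name}: virtual-IP pool has no assignable address")
                except ValueError:
                    problems.append(f"{name}: responder has no CIDR pool in remote_sourceip")
        # Both peers must resolve the same proposal, and it must meet the policy.
        lname = lc.get("crypto_proposal", left["crypto_proposal"])
        lp = left["proposal"].get(lname)
        rp = right["proposal"].get(rc.get("crypto_proposal", right["crypto_proposal"]))
        if lp is None or rp is None:
            problems.append(f"{name}: crypto_proposal not defined in the proposal map")
        elif lp != rp:
            problems.append(f"{name}: proposals differ between peers")
        else:
            problems.extend(check_proposal(lname, lp))
    return problems
```

Calling `check_pair(SITE_A, SITE_B)` or `check_pair(GATEWAY_C, ROADWARRIOR_C)` returns an empty list; changing one side's PSK, swapping an identifier, or giving the Scenario C gateway a single host instead of a `/24` in `remote_sourceip` each produces one descriptive entry. Running such a check before the CRs are applied catches the mirrored-identifier and selector mistakes that otherwise only surface as an IKE authentication or traffic-selector failure in the strongSwan log.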
Overall Scenario:
This shows the overall scenario we want to achieve in the ICN SDEWAN case.
...