Versions Compared

Old Version 11

changes.mady.by.user ruoyu.ying

Saved on

compared with

New Version Current

changes.mady.by.user ruoyu.ying

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Targeted Scenarios

Scenario A: Edge to traffic hub tunnel where inter micro-service communication across edges that attached to same traffic hub.

Sample CR edgeB
Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for edgeA
collapsetrue
CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
title
Strongswan configs for
edgeA
collapsetrue
CR
Strongswan configs
on
for sdewan cnf on
edgeB
edgeA:
apiVersion: sdewan.akraino.org/v1alpha1 kind: IpsecHost metadata: name: edgeB namespace: default labels: sdewanPurpose: cnf-1 spec: remote: 
conn siteA-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
authentication_method: 
leftauth=psk
pre_shared_key: test
rightauth=psk
crypto_proposal:
auto=start
  keyexchange=ikev2
  esp=aes192-
test_proposal_1 connections: - connection_name: connection_A type: tunnel mode: start local_sourceip: %config remote_subnet: 0.0.0.0/0, 
sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for edgeB
collapsetrue
CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
/32

  authentication_method: psk
crypto
pre_shared_
proposal
key: test
  crypto_proposal:
    - test_proposal_1
status:
  connections:
    -
appliedVersion
connection_name:
"1"
connection_A
appliedTime:
"2020-04-12T09:28:38Z"
inSync
type:
True
Code Block
languageyml
titleSample CR for Hub
collapsetrue
CR on sdewan on hub: apiVersion: sdewan.akraino.org/v1alpha1 kind: IpsecSite metadata: name: Hub namespace: default labels: sdewanPurpose: cnf-1 spec: remote: %any authentication_method: psk pre_shared_key: test crypto_proposal: - test_proposal_1 connections: - connection_name: connection_A type: tunnel mode: start local_subnet: 172.12.0
 tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  esp=aes192-sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for Hub
collapsetrue
CR on sdewan on hub:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: Hub
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for hub
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn tunnel
  left=10.239.160.22
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Scenario B: Edge to Edge tunnels when micro-service communication happens across edges without involving hubs

Image Added


Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for EdgeA
collapsetrue
CR on sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeA
collapsetrue
Strongswan configs for sdewan cnf on edgeA:

conn edgeA-connection_A
  left=%any
  right=10.239.40.42
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for EdgeB
collapsetrue
CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Scenario C: Hub to hub tunnel when inter micro-service communication across edges that attached to different traffic hubs

Image Added

Section
bordertrue


Column
width40%



Code Block
languageyml
titleSample CR for edgeA
collapsetrue
CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeA
collapsetrue
Strongswan configs for sdewan cnf on edgeA:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%



Code Block
languageyml
titleSample CR for edgeB
collapsetrue
CR for sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.40.42
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for HubA
collapsetrue
CR on sdewan on hubA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.30-172.12.0.45
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_subnet: 172.12.1.1/24,10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for HubA
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn HubA-connection_A
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsubnet=172.12.1.1/24,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for HubB
collapsetrue
CR on sdewan on hubB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      remote_sourceip: 172.12.1.31-172.12.1.35
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      remote_subnet: 172.12.0.1/24,10.239.160.22/32
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for HubB
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn HubB-connection_A
  left=%any
  leftsubnet=172.12.1.1/24,10.239.40.42/32
  rightsourceip=172.12.1.31-172.12.1.35
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.1.1/24,10.239.
160
40.
22
42/32
remote_sourceip: 
rightsubnet=172.12.0.1/24,10.239.160.42/32
  leftauth=psk
crypto_proposal:
rightauth=psk
  auto=start
  keyexchange=ikev2
  
ike=aes192-sha1-modp3072
test_proposal_1
status: 
 esp=aes192-sha1-modp3072
appliedVersion: "1"
 type=tunnel
appliedTime:
"2020-04-12T09:28:38Z" inSync: True
Scenario B: Inter hub secure traffic tunnels
...


Overall scenarios
Here shows the overall scenario we want to achieve in the ICN SDEWAN case.
...