Introduction

The ICN SDEWAN solution leverages the IPSec functionality in the SD-EWAN CNF to set up secure tunnels that enable communication between ONAP4K8S/APPX Manager and an Edge cluster, or between two Edge clusters. Several IPSec implementations are available on OpenWRT, including Openswan, Racoon, and StrongSwan. ICN will use StrongSwan.

...

Configuration: OpenWRT's IPSec configuration is defined in /etc/config/ipsec. Its options and their mapping to the StrongSwan configuration are described in the table below.

POST /cgi-bin/luci/sdewan/ipsec/v1/proposal

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401

...

Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Validated values | Description
ipsec | | | | | | Global configuration
ipsec | debug | int | strongswan.conf | charon.syslog | | whether to enable log information
ipsec | rtinstall_enabled | boolean | strongswan.conf | charon.install_routes | | Install routes into a separate routing table for established IPsec tunnels.
ipsec | ignore_routing_tables | list | strongswan.conf | charon.ignore_routing_tables | | A space-separated list of routing tables to be excluded from route lookup.
ipsec | interface | list | strongswan.conf | charon.interfaces_use | | A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
remote | | | | | | Defines a group of remote tunnels with the same security configuration
remote | tunnel | list | | | |
remote | transport | list | | | |
remote | enabled | boolean | | | | whether this configuration is enabled
remote | gateway | String | ipsec.secrets, ipsec.conf | local_gateway/remote_gateway, right | 192.168.0.5 | Defines the counter party ip address here
remote | pre_shared_key | String | ipsec.secrets | PSK | | Add the PSK inside the secrets file
remote | authentication_method | String | ipsec.conf | leftauth/rightauth | pubkey, psk, eap, xauth | Defines the auth method that is going to be used by the two counter parties.
remote | local_identifier | String | ipsec.secrets, ipsec.conf | local_identifier, leftid | "C=CH, O=strongSwan, CN=peer" | Assigns a specific identifier for the local site itself (this identity will be sent to the counter party inside the request)
remote | remote_identifier | String | ipsec.secrets, ipsec.conf | remote_identifier, rightid | "C=CH, O=strongSwan, CN=peerB" | Assigns a specific identifier for the counter party
remote | crypto_proposal | list | ipsec.conf | ike | default: aes128-sha256-modp3072 | Defines the list of IKE/ISAKMP SA encryption/authentication algorithms to be used
remote | force_crypto_proposal | boolean | | | |



tunnel/transport | | | | | | Define configuration for a tunnel or transport
tunnel/transport | mode | String | ipsec.conf | auto | add/start/route | Sets the operation for the connection when it starts.
tunnel/transport | local_subnet | String | ipsec.conf | leftsubnet | 192.168.1.1/24 | Mostly used in site-to-site case. Sets the local subnet
tunnel/transport | local_nat | String | ipsec.conf | leftsubnet | 192.168.1.1/24 | Mostly used in site-to-site case. Sets the local subnet
tunnel/transport | local_sourceip | String | ipsec.conf | leftsourceip | 192.168.1.2, %config | Sets the ip address of the local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party
tunnel/transport | local_updown | String | ipsec.conf | leftupdown | <path_to_script> | The Updown plugin can be used to set custom firewall rules.
tunnel/transport | local_firewall | String | ipsec.conf | leftfirewall | yes, no(default) | Whether the local site is doing forwarding-firewalling (including masquerading) using iptables for traffic from leftsubnet/rightsubnet


IPSec CRD

The IPSec CRD will be created by the EWAN config Agent to configure a remote configuration. It is defined as below, with fields mapped to the ipsec configuration.

SDEWAN IPSec CRD (YAML)
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway:
  pre_shared_key:
  auth_method:
  local_identifier:
  remote_identifier:
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode:
    local_subnet:
    local_nat:
    local_sourceip:
    local_updown:
    local_firewall:
    remote_subnet:
    remote_sourceip:
    remote_updown:
    remote_firewall:
    keyexchange: "ikev2"
    inactivity:
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - encryption_algorithm:
    hash_algorithm:
    dh_group:

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

...

Response Parameters

...

Name

...

In

...

Type

...

Description

...

Response Example

...

{
    "proposals": [

        {

            "name":"proposal1",

            "encryption_algorithm":

            "hash_algorithm":

            "dh_group":

        }

    ]
}

GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

Get a proposal

Request: N/A

Request Parameters

...

Name

...

In

...

Type

...

Description

...

Response

...

Response Parameters

...

Name

...

In

...

Type

...

Description

...

Response Example

...

{

      "name":"proposal1",

      "encryption_algorithm":

      "hash_algorithm":

      "dh_group":

}

tunnel/transport | remote_subnet | String | ipsec.conf | rightsubnet | 192.168.0.1/24 | Mostly used in site-to-site case. Sets the subnet of the counter party
tunnel/transport | remote_sourceip | String | ipsec.conf | rightsourceip | 192.168.0.2, 192.168.0.3-192.168.0.15 | Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip
tunnel/transport | remote_updown | String | ipsec.conf | rightupdown | <path_to_script> | The path to the updown script to run to adjust routing and/or firewalling when the status of the connection changes
tunnel/transport | remote_firewall | String | ipsec.conf | rightfirewall | yes, no(default) | Whether the remote site is doing forwarding-firewalling (including masquerading) using iptables for traffic from leftsubnet/rightsubnet
tunnel/transport | *ikelifetime | String | ipsec.conf | ikelifetime | 3h(default) | Sets the lifetime of the ike process before its re-negotiation. (Currently using default value)
tunnel/transport | *lifetime | String | ipsec.conf | lifetime | 1h(default) | Sets how long a particular instance of the connection would last. (Currently using default value)
tunnel/transport | *margintime | String | ipsec.conf | margintime | 9m(default) | Sets how long before connection expiry or keying-channel expiry attempts to negotiate a replacement should begin. (Currently using default value)
tunnel/transport | *keyingtries | String | ipsec.conf | keyingtries | 3(default) | Sets the maximum number of attempts to negotiate for a connection. (Currently using default value)
tunnel/transport | *dpdaction | String | ipsec.conf | dpdaction | clear, hold, restart, none(default) | Sets the action against peer timeout, validated through the Dead Peer Detection (DPD) protocol. (Currently using default value)
tunnel/transport | *dpddelay | String | ipsec.conf | dpddelay | 30s(default) | Defines the time interval for the informational exchange sent to peer. (Currently using default value)
tunnel/transport | *inactivity | boolean | ipsec.conf | inactivity | 30m | Defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. (Currently using default value)
tunnel/transport | *keyexchange | String | ipsec.conf | keyexchange | ikev2, ikev1, ike(default, same as ikev2) | Defines the protocol being used to initialize the connection. (Currently using default value)
tunnel/transport | crypto_proposal | list | ipsec.conf | esp | aes128-sha256(default) | Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection
tunnel/transport | *local_public_cert | String | ipsec.conf | leftcert | peer.der/peer.pem | Sets the path of the local certificate used for authentication. NOTE: This key is currently not supported by OpenWrt
tunnel/transport | *remote_public_cert | String | ipsec.conf | rightcert | peerB.der/peerB.pem | Sets the path of the remote certificate used for authentication. NOTE: This key is currently not supported by OpenWrt
tunnel/transport | *local_private_cert | String | /etc/ipsec.d/private | | | Puts the path of the private key for the certificate. Maybe not needed for the CRD, but the file needs to be uploaded. NOTE: This key is currently not supported by OpenWrt
tunnel/transport | *shared_ca | String | /etc/ipsec.d/cacerts | | | Puts the shared CA for auth. Maybe not needed for the CRD, but the file needs to be uploaded. NOTE: This key is currently not supported by OpenWrt
proposal | | | | | | Define configuration for a proposal
proposal | encryption_algorithm | String | ipsec.conf | ike/esp | aes128 | Defines the encryption algorithm (together in ike)
proposal | hash_algorithm | String | ipsec.conf | ike/esp | sha256 | Defines the hash algorithm (together in ike)
proposal | dh_group | String | ipsec.conf | ike/esp | modp3072 | Defines the Diffie-Hellman group (together in ike)
proposal | *proposal_name | String | | | | Define the proposal name.
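
The option mapping in the table above, applied end to end: this added example (not SD-EWAN CNF or OpenWrt code) renders one ipsec.conf connection and its ipsec.secrets line from a site, a connection and a named proposal, and rejects values that could add lines to the generated files. The function names, the use of strongSwan's strict `!` suffix for force_crypto_proposal, the `type=` line and the reuse of the IKE proposal string for ESP are assumptions of this sketch.

```python
import re

# Option -> ipsec.conf keyword, copied from the mapping table on this page.
SITE_KEYS = {"gateway": "right", "local_identifier": "leftid",
             "remote_identifier": "rightid"}
CONN_KEYS = {"mode": "auto", "local_subnet": "leftsubnet",
             "local_sourceip": "leftsourceip", "local_updown": "leftupdown",
             "local_firewall": "leftfirewall", "remote_subnet": "rightsubnet",
             "remote_sourceip": "rightsourceip", "remote_updown": "rightupdown",
             "remote_firewall": "rightfirewall", "keyexchange": "keyexchange"}
AUTH_METHODS = {"pubkey", "psk", "eap", "xauth"}  # "Validated values" column
MODES, TYPES = {"add", "start", "route"}, {"tunnel", "transport"}
TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")  # names and algorithm keywords
# Refuse control characters, '"' and '#': no field may add a line or leave its quotes.
UNSAFE = re.compile(r'[\x00-\x1f\x7f"#]')

def check(field, value):
    value = str(value)
    if not value or UNSAFE.search(value):
        raise ValueError(f"unsafe or empty value for {field}")
    return value

def proposal_string(name, proposals):
    """Join one named proposal into enc-hash-dh, e.g. aes128-sha256-modp3072."""
    p = proposals.get(name) or {}
    parts = [str(p.get(k, "")) for k in
             ("encryption_algorithm", "hash_algorithm", "dh_group")]
    if not all(TOKEN.match(x) for x in parts):
        raise ValueError(f"undefined or malformed proposal {name!r}")
    return "-".join(parts)

def render_conn(site, conn, proposals):
    """Return the ipsec.conf stanza for one connection of a site."""
    auth = site["authentication_method"]
    if auth not in AUTH_METHODS:
        raise ValueError(f"authentication_method {auth!r} is not allowed")
    if conn.get("mode") not in MODES or conn.get("type") not in TYPES:
        raise ValueError("mode must be add/start/route, type tunnel/transport")
    if not (TOKEN.match(site["name"]) and TOKEN.match(conn["connection_name"])):
        raise ValueError("site and connection names must match [A-Za-z0-9_-]+")
    # Assumption: force_crypto_proposal maps to strongSwan's strict '!' suffix.
    strict = "!" if site.get("force_crypto_proposal") else ""
    ike = ",".join(proposal_string(n, proposals) for n in site["crypto_proposal"])
    # Assumption: the ESP proposal reuses the same enc-hash-dh string.
    esp = ",".join(proposal_string(n, proposals) for n in conn["crypto_proposal"])
    out = [f"conn {site['name']}-{conn['connection_name']}",
           f"    type={conn['type']}", f"    leftauth={auth}",
           f"    rightauth={auth}", f"    ike={ike}{strict}",
           f"    esp={esp}{strict}"]
    for src, keys in ((site, SITE_KEYS), (conn, CONN_KEYS)):
        for field, keyword in keys.items():
            if src.get(field) not in (None, ""):
                value = check(field, src[field])
                quoted = f'"{value}"' if " " in value else value
                out.append(f"    {keyword}={quoted}")
    return "\n".join(out)

def render_secret(site):
    """Return the ipsec.secrets line for a PSK site, or None otherwise."""
    if site["authentication_method"] != "psk":
        return None
    if not site.get("pre_shared_key"):
        raise ValueError("psk authentication needs pre_shared_key")
    key = check("pre_shared_key", site["pre_shared_key"])
    return f'{check("gateway", site["gateway"])} : PSK "{key}"'

# Constructed sample input, using the example values from the table.
PROPOSALS = {"proposal1": {"encryption_algorithm": "aes128",
                           "hash_algorithm": "sha256", "dh_group": "modp3072"}}
SITE = {"name": "site1", "gateway": "192.168.0.5", "authentication_method": "psk",
        "pre_shared_key": "constructed-example-key", "force_crypto_proposal": True,
        "crypto_proposal": ["proposal1"]}
CONN = {"connection_name": "connA", "type": "tunnel", "mode": "start",
        "local_subnet": "192.168.1.1/24", "remote_subnet": "192.168.0.1/24",
        "crypto_proposal": ["proposal1"]}
```

Calling `render_conn(SITE, CONN, PROPOSALS)` and `render_secret(SITE)` returns the text for the two files; a gateway or identifier containing a line break raises `ValueError` instead of being written out.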

IPSec CRD

The IPSec CRD will be created by the EWAN config Agent to configure a remote configuration. It is defined as below, with fields mapped to the ipsec configuration.

SDEWAN IPSec Proposal CR (YAML)
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


SDEWAN IPSec Site CR (YAML)
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: ipsecsite-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.0/24, 10.239.160.22
      remote_sourceip: 172.12.0.30-172.12.0.45
      remote_subnet:
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


SDEWAN IPSec Host CR (YAML)
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsechost-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: "%config"
      remote_sourceip: xx.xx.xx.xx
      remote_subnet: xx.xx.xx.xx/xx
      mark: xxx
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Draft for route based tunnel

ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/16 dev vti0

SDEWAN IPSec Route based (YAML)
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsec-route-based
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: "%config"
      remote_sourceip: xx.xx.xx.xx
      local_subnet: xx.xx.xx.xx/xx
      remote_subnet: xx.xx.xx.xx/xx
      mark_in: 0xffffffff
      mark_out: 0xffffffff
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

POST /cgi-bin/luci/sdewan/ipsec/v1/proposals

create a new proposal

Request:

  • Request Parameters: same with PUT's request

  • Request Example: same with PUT's example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

update a proposal

Request:

  • Request Parameters:

    Name | In | Type | Description
    proposal-name | path | string | proposal name
    encryption_algorithm | body | string | encryption algorithm
    hash_algorithm | body | string | hash algorithm
    dh_group | body | string | Diffie-Hellman group


  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/proposal1

    {

          "encryption_algorithm": "aes256",

          "hash_algorithm": "sha256",

          "dh_group": "modp4096"

    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name | In | Type | Description
    proposals | body | array | a dict of defined proposals


  • Response Example

    {
        "proposals": [

            {

                "name": "proposal1",

                "encryption_algorithm": "aes128",

                "hash_algorithm": "sha256",

                "dh_group": "modp3072"

            }

        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

Get a proposal

Request: N/A

  • Request Parameters

    Name | In | Type | Description
    proposal-name | path | string | proposal name


Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name | In | Type | Description
    name | body | string | proposal name
    encryption_algorithm | body | string | encryption algorithm
    hash_algorithm | body | string | hash algorithm
    dh_group | body | string | Diffie-Hellman group


  • Response Example

    {

          "name": "proposal1",

          "encryption_algorithm": "aes128",

          "hash_algorithm": "sha256",

          "dh_group": "modp3072"

    }


DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

delete a proposal

Request:

  • Request Parameters

    Name | In | Type | Description
    proposal-name | path | string | proposal name


Response

  • Normal response codes: 200
  • Error response codes: 401, 404


IPSec Site

POST /cgi-bin/luci/sdewan/ipsec/v1/sites

create a new site

Request:

  • Request Parameters: same with PUT's request

  • Request Example: same with PUT's example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

update a site

Request:

  • Request Parameters:

    Name | In | Type | Required | Description
    site-name | path | string | Y | Site name
    gateway | body | string | Y | The corresponding responder
    pre_shared_key | body | string | N | Optional, only if using the PSK authentication mode
    local_public_cert | body | string | N | Optional, only if using the public key authentication mode. Public key used for auth.
    local_private_cert | body | string | N | Optional, only if using the public key authentication mode. Private key used for auth.
    shared_ca | body | string | N | Optional, only if using the public key authentication mode. CA information
    authentication_method | body | string | Y | Either 'psk' or 'pubkey' as the authentication method.
    local_identifier | body | string | N | The identifier for localhost
    remote_identifier | body | string | N | The identifier for remote counter party
    crypto_proposal | body | list | Y | Proposal names used for ike process
    force_crypto_proposal | body | boolean | N | The flag on forcing the proposal or not
    connections | body | list | Y | List of connectionArray

    connectionArray:

    Name | In | Type | Required | Description
    name | body | string | Y | Connection name
    type | body | string | Y | Type of connection. Either "tunnel" or "transport"
    mode | body | string | Y | Mode used for connection. Either 'add', 'route' or 'start'
    local_subnet | body | string | N | Defines the local subnet.
    local_nat | body | string | N | Defines the local nat, if exists, replace the local_subnet
    local_sourceip | body | string | N | Defines the local source ip
    local_updown | body | string | N | Defines the local iptable rules.
    local_firewall | body | string | N | Flag used to determine whether to enable the local firewall rules or not
    remote_subnet | body | string | N | Defines the subnet of the counter party
    remote_sourceip | body | string | N | Defines the source ip of the counter party
    remote_updown | body | string | N | Defines the iptable rules applied for the counter party
    remote_firewall | body | string | N | Flag used to determine whether to enable the remote firewall rules or not
    crypto_proposal | body | string | N | Crypto proposal used for ESP


  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/sites

    {
         "gateway": "10.1.0.2",
         "name": "site1",
         "crypto_proposal": "proposal1",
         "connections": [
          {
             "name": "site_to_site",
             "type": "tunnel",
             "local_subnet":
             "remote_subnet":
             "crypto_proposal": "proposal1"
          }
         ]
    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/sites

Lists all defined sites

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name | In | Type | Description
    sites | body | array | a list of defined sites


  • Response Example

    {
        "sites": [
           {
                "name": "site1",
                "gateway": "10.0.1.2",
                "authentication_method": "psk",
                "crypto_proposal": "proposal1",
                "connections": [
                  {
                    "name": "connA",
                    "type": "tunnel",
                    "local_subnet": "192.168.1.1/24",
                    "remote_subnet": "192.168.0.1/24",
                    "crypto_proposal": "proposal1"
                  }
               ]
           }
        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

Get a site

Request: N/A

  • Request Parameters

    Name | In | Type | Description
    site-name | path | string | remote site name


Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name | In | Type | Required | Description
    name | body | string | Y | Site name
    gateway | body | string | Y | The corresponding responder
    pre_shared_key | body | string | N | Optional, only if using the PSK authentication mode
    local_public_cert | body | string | N | Optional, only if using the public key authentication mode. Public key used for auth.
    local_private_cert | body | string | N | Optional, only if using the public key authentication mode. Private key used for auth.
    shared_ca | body | string | N | Optional, only if using the public key authentication mode. CA information
    authentication_method | body | string | Y | Either 'psk' or 'pubkey' as the authentication method.
    local_identifier | body | string | N | The identifier for localhost
    remote_identifier | body | string | N | The identifier for remote counter party
    crypto_proposal | body | list | Y | Proposal names used for ike process
    force_crypto_proposal | body | boolean | N | The flag on forcing the proposal or not
    connections | body | list | Y | List of connectionArray

    connectionArray:

    Name | In | Type | Required | Description
    name | body | string | Y | Connection name
    type | body | string | Y | Type of connection. Either "tunnel" or "transport"
    mode | body | string | Y | Mode used for connection. Either 'add', 'route' or 'start'
    local_subnet | body | string | N | Defines the local subnet.
    local_nat | body | string | N | Defines the local nat, if exists, replace the local_subnet
    local_sourceip | body | string | N | Defines the local source ip
    local_updown | body | string | N | Defines the local iptable rules.
    local_firewall | body | string | N | Flag used to determine whether to enable the local firewall rules or not
    remote_subnet | body | string | N | Defines the subnet of the counter party
    remote_sourceip | body | string | N | Defines the source ip of the counter party
    remote_updown | body | string | N | Defines the iptable rules applied for the counter party
    remote_firewall | body | string | N | Flag used to determine whether to enable the remote firewall rules or not
    crypto_proposal | body | string | N | Crypto proposal used for ESP


  • Response Example

    {
         "name": "site1",
         "gateway":"10.101.100.102",
         "crypto_proposal": "proposal1",
         "connections": [
          {
             "name": "site_to_site",
             "type": "tunnel",
             "local_subnet":
             "remote_subnet":
             "crypto_proposal": "proposal1proposal2"
          }
        ]
    }

DELETE /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

delete a site

Request:

  • Request Parameters

    Name | In | Type | Description
    site-name | path | string | remote site name


...