Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table

SectionOptionTypeStrongSwan configuration fileStrongSwan configuration optionValidated values Description
ipsec




Global configuration 

debugintstrongswan.confcharon.syslog
whether to enable log information

rtinstall_enabledbooleanstrongswan.confcharon.install_routes
Install routes into a separate routing table for established IPsec tunnels.

ignore_routing_tablesliststrongswan.confcharon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookup.

interfaceliststrongswan.confcharon.interfaces_use
A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
remote 




Define a group remote tunnels with same security configuration

tunnellist 




transport list




enabled boolean 


whether this configuration is enabled 

gateway String 

ipsec.secrets

ipsec.conf

local_gateway/remote_gateway

right 

192.168.0.5Defines the counter party ip address here

pre_shared_key String ipsec.secrets PSK 
Add the PSK inside the secrets file
auth

authentication_method String ipsec.conf leftauth/rightauth pubkey, psk, eap, xauthDefines the auth method that going to be used by two counter parties.

local_identifier String 

ipsec.secrets

ipsec.conf

 

local_identifier

leftid 

"C=CH, O=strongSwan, CN=peer"Assigns a specific identifier for the itself (This identity will be send to the counter party inside the request)

remote_identifier String 

ipsec.secrets

ipsec.conf

 

remote_identifier

rightid

"C=CH, O=strongSwan, CN=peerB"Assigns a specific identifier for the counter party

crypto_proposal listipsec.conf ike default: aes128-sha256-modp3072Defines list of IKE/ISAKMP SA encryption/authentication algorithms to be used

force_crypto_proposal boolean



tunnel

/transport






Define configuration for a tunnel or transport

modeString ipsec.conf autoadd/start/routeSets the operation for the connection while starts. 

local_subnetString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_natString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_sourceipString ipsec.conf leftsourceip192.168.1.2, %configSets the ip address of local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party

local_updownString ipsec.conf leftupdown<path_to_script>The Updown plugin can be used to set custom firewall rules.

local_firewallString ipsec.conf leftfirewallyes, no(default)Whether the local site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

remote_subnetString ipsec.conf rightsubnet192.168.0.1/24Mostly used in site-to-site case. Sets the subnet of the counter party

remote_sourceipString ipsec.conf rightsourceip192.168.0.2, 192.168.0.3-192.168.0.15Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip

remote_updownString ipsec.conf rightupdown<path_to_script>The path to the updown script to run to adjust routing and/or firewalling when the status of the connection
changes

remote_firewallString ipsec.conf rightfirewallyes, no(default)Whether the remote site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

*ikelifetimeString ipsec.conf ikelifetime
60m
3h(default)

Sets the life time of the ike process before its re-negotiation.

(Currently using default value)


*lifetimeString ipsec.conf lifetime1h(default)

Set the life time of a particular instance would last.

(Currently using default value)


*margintime String  ipsec.conf margintime 9m(default)

Sets how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin.

(Currently using default value)


*keyingtries String  ipsec.conf  keyingtries 3(default)

Sets the maxium attempts to negotiate for a connection.

(Currently using default value)


*dpdaction String  ipsec.conf  dpdaction clear, hold, restart, none(default)Sets the action against peer timeout, validated through Dead Peer Protection Protocol. (Currently using default value)

*dpddelay String  ipsec.conf  dpddelay 30s(default)Defines the time interval for the informational exchange sent to peer. (Currently using default value)

*inactivity boolean ipsec.conf  inactivity 30mDefines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic
keyexchange 
. (Currently using default value)

*keyexchange String  ipsec.conf  keyexchange ikev2, ikev1, ike(default, same as ikev2)

Defines the protocol being used to initialize the connection.

(Currently using default value)


crypto_proposal list ipsec.conf  espaes128-sha256(default)Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection
proposal  Define configuration for a proposal encryption_algorithm String   

*local_public_certStringipsec.conf
   ike/esp aes128Defines the encryption algorithm(together in ike)hash_algorithm String   
leftcertpeer.der/peer.pem

Sets the path of the local certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*remote_public_certStringipsec.conf
   
ike/esp sha256Defines the hash algorithm(together in ike)dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

Code Block
languageyml
titleSDEWAN IPSec CRD
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway: 10.0.1.1
  pre_shared_key:
  auth_method: psk
  local_identifier: "C=CH, O=strongSwan, CN=peer"
  remote_identifier: "C=CH, O=strongSwan, CN=peerB"
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode: start
    local_subnet: 192.168.1.1/24
    local_nat:
    local_sourceip: 10.0.1.1
    local_updown: 
    local_firewall:
    remote_subnet: 192.168.0.1/24
    remote_sourceip: 10.0.1.2
    remote_updown:
    remote_firewall:
    keyexchange: ikev2
    inactivity: 30m
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

...

Response Parameters

...

Name

...

In

...

Type

...

Description

...

Response Example

...

{
    "proposals": [

        {

            "name":"proposal1",

            "encryption_algorithm": "aes128",

            "hash_algorithm": "sha256",

            "dh_group": "modp3072"

        }

    ]
}

GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

Get a proposal

Request: N/A

Request Parameters

...

Name

...

In

...

Type

...

Description

...

Response

...

Response Parameters

...

Name

...

In

...

Type

...

Description

...

Response Example

...

{

      "name":"proposal1",

      "encryption_algorithm": "aes128",

      "hash_algorithm": "sha256",

      "dh_group": "modp3072"

}

POST /cgi-bin/luci/sdewan/ipsec/v1/proposal

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401

PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

update a proposal

Request:

Request Parameters:

...

Name

...

In

...

Type

...

Description

...

{

      "encryption_algorithm": "aes256",

      "hash_algorithm": "sha256",

      "dh_group": "modp4096"

}

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404

DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

delete a proposal

Request:

Request Parameters

...

Name

...

In

...

Type

...

Description

...

Response

  • Normal response codes: 200
  • Error response codes: 401, 404

...

rightcertpeerB.der/peerB.pem

Sets the path of the remote certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*local_private_certString/etc/ipsec.d/private

Puts the path of private key for the certificate. Maybe not needed for the CRD. But need to upload the file. NOTE: This is a key that currently not supported by OpenWrt

*shared_caString/etc/ipsec.d/cacerts

Puts the shared CA for auth. Maybe not needed for CRD, but need to upload the file. NOTE: This is a key that currently not supported by OpenWrt
proposal  




Define configuration for a proposal 

encryption_algorithm String   ipsec.conf   ike/esp aes128Defines the encryption algorithm(together in ike)

hash_algorithm String   ipsec.conf   ike/esp sha256Defines the hash algorithm(together in ike)

dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

*proposal_nameString


Define the proposal name.

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

Code Block
languageyml
titleSDEWAN IPSec Proposal CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSDEWAN IPSec Site CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: ipsecsite-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.0/24, 10.239.160.22
      remote_sourceip: 172.12.0.30-172.12.0.45
      remote_subnet:
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSDEWAN IPSec Host CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsechost-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_sourceip: xx.xx.xx.xx
      remote_subnet: xx.xx.xx.xx/xx
      mark: xxx
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Draft for route based tunnel

ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/16 dev vti0

Code Block
languageyml
titleSDEWAN IPSec Route based
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsec-route-based
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_sourceip: xx.xx.xx.xx
      local_subnet: xx.xx.xx.xx/xx
      remote_subnet: xx.xx.xx.xx/xx
      mark_in: 0xffffffff
      mark_out: 0xffffffff
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

POST /cgi-bin/luci/sdewan/ipsec/v1/proposals

create a new proposal

Request:

  • Request Parameters: same with PUT's request

  • Request Example: same with PUT's example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

update a proposal

Request:

  • Request Parameters:

    Name

    In

    Type

    Description

    proposal-namepathstringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodystringDiffie-Hellman group


  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/proposals/proposal1

    {

          "encryption_algorithm": "aes256",

          "hash_algorithm": "sha256",

          "dh_group": "modp4096"

    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    proposalsbodyarraya dict of defined proposals


  • Response Example

    {
        "proposals": [

            {

                "name": "proposal1",

                "encryption_algorithm": "aes128",

                "hash_algorithm": "sha256",

                "dh_group": "modp3072"

            }

        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

Get a proposal

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    proposal-namepathstringproposal name


Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodystringDiffie-Hellman group


  • Response Example

    {

          "name": "proposal1",

          "encryption_algorithm": "aes128",

          "hash_algorithm": "sha256",

          "dh_group": "modp3072"

    }


DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

delete a proposal

Request:

  • Request Parameters

    Name

    In

    Type

    Description

    proposal-namepathstringproposal name


Response

  • Normal response codes: 200
  • Error response codes: 401, 404


IPSec Site

POST /cgi-bin/luci/sdewan/ipsec/v1/sites

create a new site

Request:

  • Request Parameters: same with PUT's request

  • Request Example: same with PUT's example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

update a site

Request:

  • Request Parameters:

    Name

    In

    Type

    Required

    Description

    site-namepathstringYSite name
    gatewaybodystringYThe corresponding responder
    pre_shared_keybodystringNOptional, only if using the PSK authentication mode
    local_public_cert        bodystringNOptional, only if using the public key authentication mode. Public key used for auth.
    local_private_certbodystringNOptional, only if using the public key authentication mode. Private key used for auth.
    shared_cabodystringNOptional, only if using the public key authentication mode. CA information
    authentication_methodbodystringYEither 'psk' or 'pubkey' as the authentication method.
    local_identifier body  string NThe identifier for localhost
    remote_identifier body  string NThe identifier for remote counter party
    crypto_proposal body  listYProposal names used for ike process
    force_crypto_proposal body  boolean NThe flag on forcing the proposal or not
    connectionsbody listYList of connectionArray 

    connectionArray:

    NameInTypeRequiredDescription
    namebodystringYConnection name
    type body string YType of connection. Either "tunnel" or "transport" 
    mode body  string YMode used for connection. Either 'add', 'route' or 'start'
    local_subnet body string NDefines the local subnet. 
    local_natbody string NDefines the local nat, if exists, replace the local_subnet
    local_sourceip body string NDefines the local source ip
    local_updown body string NDefines the local iptable rules.
    local_firewall body string NFlag used to determine whether to enable the local firewall rules or not
    remote_subnet body string NDefines the subnet of the counter party
    remote_sourceip body string NDefines the source ip of the counter party
    remote_updown body string NDefines the iptable rules applied for the counter party
    remote_firewallbodystring NFlag used to determine whether to enable the remote firewall rules or not
    crypto_proposal body string NCrypto proposal used for ESP


  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/sites

    {

         "gateway": "10.1.0.2",

         "name": "site1",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "name": "site_to_site",

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/sites

...

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    sitesbodyarraya list of defined sites


  • Response Example

    {
        "sites": [

            {

                       {    "name": "site1",

                "gateway":"10.100.10.101.2",

                "authentication_method": "psk",

                "crypto_proposal": "proposal1",

                "connections": [

                  {

                                    "name": "connA"

                    "type": "tunnel"

                    "local_subnet": "192.168.1.1/24",

                    "remote_subnet": "192.168.0.1/24",

                    "crypto_proposal": "proposal1"

                  }       

               ]

           }

            ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/sitesites/{site-name}

Get a site

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    site-namepathstringremote site name


...

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    name
  • 404
  • Response Parameters

    gatewaybodystringpre_shared_key

    Name

    In

    Type

    Required

    Description

    namebody stringYSite name
    gatewaybodystringYThe corresponding responder
    pre_shared_keybodystringNOptional, only if using the PSK authentication mode
    local_public_cert        bodystringNOptional, only if using the public key authentication mode. Public key used for auth.
    local_private_certbodystring
    site name
    NOptional, only if using the public key authentication mode. Private key used for auth.
    shared_cabodystring
    auth
    NOptional, only if using the public key authentication mode. CA information
    authentication_methodbodystringYEither 'psk' or 'pubkey' as the authentication method.
    local_identifier body  string NThe identifier for localhost
    remote_identifier body  string NThe identifier for remote counter party
    crypto_proposal 
    body  string 
    body  listYProposal names used for ike process
    force_crypto_proposal body  boolean 
    connection 
    NThe flag on forcing the proposal or not
    connectionsbody 
    array 
    list
    type 
    Y
    body 
    List of connectionArray 
    string "tunnel" or "transport" mode body  string local_subnet body string local_natbody string local_sourceip 

    connectionArray:

    NameInTypeRequiredDescription
    namebodystringYConnection name
    type body string 
    local_updown body string local_firewall body string firewall rule?remote
    YType of connection. Either "tunnel" or "transport" 
    mode body  string YMode used for connection. Either 'add', 'route' or 'start'
    local_subnet body string 
    remote_sourceip body string remote_updown 
    NDefines the local subnet. 
    local_natbody string 
    remote_firewallbodystring keyexchange crypto_proposal 
    NDefines the local nat, if exists, replace the local_subnet
    local_sourceip body string 
    default: ikev2 inactivity body boolean 

    Request Parameters:

    Name

    In

    Type

    Description

    sitepathstringremote site nameother paramsbodySame with Get's responseRequest Example

    {

    NDefines the local source ip
    local_updown body string 

    Response Example

    {

         "name": "site1"

         "gateway":"10.10.10.10",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }

POST /cgi-bin/luci/sdewan/ipsec/v1/site

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401

PUT /cgi-bin/luci/sdewan/ipsec/v1/site/{site}

update a site

Request:

  • NDefines the local iptable rules.
    local_firewall body string NFlag used to determine whether to enable the local firewall rules or not
    remote_subnet body string NDefines the subnet of the counter party
    remote_sourceip body string NDefines the source ip of the counter party
    remote_updown body string NDefines the iptable rules applied for the counter party
    remote_firewallbodystring NFlag used to determine whether to enable the remote firewall rules or not
    crypto_proposal body string NCrypto proposal used for ESP


  • Response Example

    {

         "name": "site1",

         "gateway":"10.101.100.102",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "name": "site_to_site",

             "type": "tunnel",

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1proposal2"

          }

        ]

    }

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404

DELETE /cgi-bin/luci/sdewan/ipsec/v1/sitesites/{site-name}

delete a site

Request:

  • Request Parameters

    Name

    In

    Type

    Description

    site-namepathstringremote site name


...