...
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
```
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: ipsecsite-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert:
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.0/24, 10.239.160.22
      remote_sourceip: 172.12.0.30-172.12.0.45
      remote_subnet:
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
```
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsechost-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert:
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      # quoted: a plain scalar may not start with '%' in YAML
      local_sourceip: "%config"
      remote_sourceip: xx.xx.xx.xx
      remote_subnet: xx.xx.xx.xx/xx
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
```
Draft for route based tunnel

```shell
# The VTI key is also the XFRM mark: the IPsec SA/policy installed for this
# tunnel must carry the same mark, otherwise no traffic is matched to it.
ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201
# Skip the policy lookup on the vti device itself; the SA is selected by mark.
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/16 dev vti0
```
```yaml
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsec-route-based
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert:
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      # quoted: a plain scalar may not start with '%' in YAML
      local_sourceip: "%config"
      remote_sourceip: xx.xx.xx.xx
      local_subnet: xx.xx.xx.xx/xx
      remote_subnet: xx.xx.xx.xx/xx
      mark_in: 0xffffffff
      mark_out: 0xffffffff
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
```
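The samples above still carry `xx.xx.xx.xx` and `xxx` placeholders, and the parameter tables below say when `pre_shared_key` or the certificate fields are required. The following checker is an added example, not SD-EWAN project code: it loads a set of IpsecProposal, IpsecSite and IpsecHost objects and reports the inconsistencies the tables imply (PSK missing under `psk`, certificates missing under `pubkey`, a `crypto_proposal` that names no defined IpsecProposal, a connection `type`/`mode` outside the documented values, placeholders left in). The weak-algorithm list and the sample manifests are my own assumptions; manifests are written as JSON, which is a YAML subset kubectl accepts, so no PyYAML is needed.

```python
"""Sanity-check SD-EWAN IPsec CRs before kubectl apply (added example)."""
import json
import re

# Placeholders used by the sample CRs; a real manifest must not still carry them.
PLACEHOLDER = re.compile(r"xx\.xx\.xx\.xx|\bxxx\b")
# Assumed local policy: refuse these even though the API would accept them.
WEAK = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5", "sha1"},
    "dh_group": {"modp768", "modp1024"},
}
PROPOSAL_FIELDS = ("encryption_algorithm", "hash_algorithm", "dh_group")
CONN_TYPES = {"tunnel", "transport"}
CONN_MODES = {"add", "route", "start"}


def load(*docs):
    """Parse JSON-formatted manifests into dicts."""
    return [json.loads(d) for d in docs]


def as_list(value):
    """crypto_proposal is a list in the CRs and a string in the REST API."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate(manifests):
    """Return 'Kind/name: problem' strings; an empty list means the set is consistent."""
    problems = []
    proposals = {}
    for m in manifests:
        if m.get("kind") == "IpsecProposal":
            name = m["metadata"]["name"]
            proposals[name] = spec = m.get("spec", {})
            for field in PROPOSAL_FIELDS:
                value = spec.get(field)
                if not value:
                    problems.append(f"IpsecProposal/{name}: missing {field}")
                elif value in WEAK[field]:
                    problems.append(f"IpsecProposal/{name}: weak {field} {value}")

    for m in manifests:
        if m.get("kind") not in ("IpsecSite", "IpsecHost"):
            continue
        ref = f"{m['kind']}/{m['metadata']['name']}"
        spec = m.get("spec", {})
        auth = spec.get("authentication_method")
        if auth == "psk":
            if not spec.get("pre_shared_key"):
                problems.append(f"{ref}: psk auth without pre_shared_key")
        elif auth == "pubkey":
            for field in ("local_public_cert", "local_private_cert", "shared_ca"):
                if not spec.get(field):
                    problems.append(f"{ref}: pubkey auth without {field}")
        else:
            problems.append(f"{ref}: authentication_method must be psk or pubkey")
        for pname in as_list(spec.get("crypto_proposal")):
            if pname not in proposals:
                problems.append(f"{ref}: undefined IKE proposal {pname}")
        for conn in spec.get("connections", []):
            cname = conn.get("connection_name") or conn.get("name", "?")
            if conn.get("type") not in CONN_TYPES:
                problems.append(f"{ref}: connection {cname} type must be tunnel or transport")
            if conn.get("mode") not in CONN_MODES:
                problems.append(f"{ref}: connection {cname} mode must be add, route or start")
            for pname in as_list(conn.get("crypto_proposal")):
                if pname not in proposals:
                    problems.append(f"{ref}: undefined ESP proposal {pname} in {cname}")
        # Scan the serialized spec so nested placeholders are caught too.
        if PLACEHOLDER.search(json.dumps(spec)):
            problems.append(f"{ref}: placeholder value (xx.xx.xx.xx / xxx) left in spec")
    return problems


# Constructed sample manifests; values mirror the CRs on this page.
PROPOSAL = '''{"apiVersion": "sdewan.akraino.org/v1alpha1", "kind": "IpsecProposal",
 "metadata": {"name": "test_proposal_1", "namespace": "default"},
 "spec": {"encryption_algorithm": "aes128", "hash_algorithm": "sha256", "dh_group": "modp3072"}}'''
GOOD_SITE = '''{"apiVersion": "sdewan.akraino.org/v1alpha1", "kind": "IpsecSite",
 "metadata": {"name": "ipsecsite-sample", "namespace": "default"},
 "spec": {"type": "route-based", "remote": "10.0.1.2", "authentication_method": "psk",
  "pre_shared_key": "constructed-example-psk", "crypto_proposal": ["test_proposal_1"],
  "connections": [{"connection_name": "connection_A", "type": "tunnel", "mode": "start",
   "local_subnet": "172.12.0.0/24", "remote_subnet": "192.168.0.0/24",
   "crypto_proposal": ["test_proposal_1"]}]}}'''
BAD_HOST = '''{"apiVersion": "sdewan.akraino.org/v1alpha1", "kind": "IpsecHost",
 "metadata": {"name": "ipsechost-sample", "namespace": "default"},
 "spec": {"remote": "xx.xx.xx.xx/%any", "authentication_method": "psk",
  "crypto_proposal": ["proposal9"],
  "connections": [{"connection_name": "connection_A", "type": "tunnel", "mode": "start",
   "local_sourceip": "%config", "crypto_proposal": ["test_proposal_1"]}]}}'''

if __name__ == "__main__":
    for problem in validate(load(PROPOSAL, GOOD_SITE, BAD_HOST)):
        print(problem)
```

Run it on the manifests you are about to apply; the BAD_HOST sample is rejected three times (no PSK, an undefined IKE proposal, and a placeholder remote), while PROPOSAL plus GOOD_SITE pass cleanly.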
IPSec Rest API
The SD-EWAN IPSec RESTful API supports get/create/update/delete operations on IPSec Sites and Proposals.
IPSec Proposal
POST /cgi-bin/luci/sdewan/ipsec/v1/proposals
create a new proposal
Request:
Request Parameters: same as PUT's request
- Request Example: same as PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
update a proposal
Request:
Request Parameters:

| Name | In | Type | Description |
|---|---|---|---|
| proposal-name | path | string | proposal name |
| encryption_algorithm | body | string | encryption algorithm |
| hash_algorithm | body | string | hash algorithm |
| dh_group | body | string | Diffie-Hellman group |

- Request Example

```http
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/proposal1
{
  "encryption_algorithm": "aes256",
  "hash_algorithm": "sha256",
  "dh_group": "modp4096"
}
```
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
Lists all defined proposals
Request: N/A
Response
- Normal response codes: 200
Response Parameters

| Name | In | Type | Description |
|---|---|---|---|
| proposals | body | array | a list of defined proposals |

Response Example

```json
{
  "proposals": [
    {
      "name": "proposal1",
      "encryption_algorithm": "aes128",
      "hash_algorithm": "sha256",
      "dh_group": "modp3072"
    }
  ]
}
```
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
Get a proposal
Request: N/A
Request Parameters

| Name | In | Type | Description |
|---|---|---|---|
| proposal-name | path | string | proposal name |

Response
- Normal response codes: 200
- Error response code: 404

Response Parameters

| Name | In | Type | Description |
|---|---|---|---|
| name | body | string | proposal name |
| encryption_algorithm | body | string | encryption algorithm |
| hash_algorithm | body | string | hash algorithm |
| dh_group | body | string | Diffie-Hellman group |

Response Example

```json
{
  "name": "proposal1",
  "encryption_algorithm": "aes128",
  "hash_algorithm": "sha256",
  "dh_group": "modp3072"
}
```
DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
delete a proposal
Request:
Request Parameters

| Name | In | Type | Description |
|---|---|---|---|
| proposal-name | path | string | proposal name |

Response
- Normal response codes: 200
- Error response codes: 401, 404
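The proposal endpoints above form a small CRUD contract: POST answers 201, PUT 204, GET 200 (404 when the name is unknown), DELETE 200, and 400/401 on bad input or missing authentication. The client below is an added example, not SD-EWAN's own code; it drives that contract as a desired-state "ensure" (GET, then POST or PUT only when needed) and treats any undocumented status as an error. Two assumptions: POST carries the proposal name in the body as `"name"` (the page says only "same as PUT"), and the LuCI endpoint is authenticated with a bearer token (the page does not say how 401 is avoided). `FakeServer` is constructed here so the flow runs offline with the documented status codes; `http_send` is the real urllib transport.

```python
"""Desired-state client for the SD-EWAN IPsec proposal REST endpoints (added example)."""
import json
import urllib.error
import urllib.request

BASE = "/cgi-bin/luci/sdewan/ipsec/v1"
FIELDS = ("encryption_algorithm", "hash_algorithm", "dh_group")


class ApiError(Exception):
    def __init__(self, status, method, path):
        super().__init__(f"{method} {path} -> HTTP {status}")
        self.status = status


def http_send(host, token):
    """Return send(method, path, body) -> (status, json_or_None) over HTTP."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"http://{host}{path}", data=data, method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})  # assumed auth scheme
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return send


class FakeServer:
    """Constructed in-memory stand-in answering with the documented status codes."""
    def __init__(self, authorized=True):
        self.authorized, self.proposals = authorized, {}

    def send(self, method, path, body=None):
        if not self.authorized:
            return 401, None
        parts = path[len(BASE) + 1:].split("/")          # ["proposals"] or ["proposals", name]
        if parts[0] != "proposals":
            return 404, None
        valid = body is not None and all(body.get(f) for f in FIELDS)
        if len(parts) == 1:
            if method == "GET":
                return 200, {"proposals": [dict(name=n, **s) for n, s in self.proposals.items()]}
            if method == "POST":
                if not valid or not body.get("name"):
                    return 400, None
                self.proposals[body["name"]] = {f: body[f] for f in FIELDS}
                return 201, None
            return 404, None
        name = parts[1]
        if name not in self.proposals:
            return 404, None
        if method == "GET":
            return 200, dict(name=name, **self.proposals[name])
        if method == "PUT":
            if not valid:
                return 400, None
            self.proposals[name] = {f: body[f] for f in FIELDS}
            return 204, None
        if method == "DELETE":
            del self.proposals[name]
            return 200, None
        return 404, None


class IpsecClient:
    def __init__(self, send):
        self.send = send

    def _call(self, method, path, body=None, ok=(), missing_ok=False):
        status, payload = self.send(method, path, body)
        if status == 404 and missing_ok:
            return None
        if status not in ok:           # 400, 401 and unexpected 404s surface here
            raise ApiError(status, method, path)
        return payload

    def get_proposal(self, name):
        return self._call("GET", f"{BASE}/proposals/{name}", ok=(200,), missing_ok=True)

    def ensure_proposal(self, name, spec):
        """Create or update until the server holds spec; report what was done."""
        current = self.get_proposal(name)
        if current is None:
            self._call("POST", f"{BASE}/proposals", dict(spec, name=name), ok=(201,))
            return "created"
        if all(current.get(f) == spec[f] for f in FIELDS):
            return "unchanged"
        self._call("PUT", f"{BASE}/proposals/{name}", spec, ok=(204,))
        return "updated"

    def delete_proposal(self, name):
        self._call("DELETE", f"{BASE}/proposals/{name}", ok=(200,))


if __name__ == "__main__":
    client = IpsecClient(FakeServer().send)   # swap in http_send("cnf-host", "token") for a real CNF
    print(client.ensure_proposal("proposal1", dict(zip(FIELDS, ("aes128", "sha256", "modp3072")))))
```

Against a real CNF, construct the client with `http_send(host, token)` instead of the fake; the ensure logic is the same, and a 401 from the LuCI endpoint surfaces as `ApiError` rather than being mistaken for "proposal absent".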
IPSec Site
POST /cgi-bin/luci/sdewan/ipsec/v1/sites
create a new site
Request:
Request Parameters: same as PUT's request
- Request Example: same as PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
update a site
Request:
Request Parameters:

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| site-name | path | string | Y | Site name |
| gateway | body | string | Y | The corresponding responder |
| pre_shared_key | body | string | N | Optional, only if using the PSK authentication mode |
| local_public_cert | body | string | N | Optional, only if using the public key authentication mode. Public key used for auth. |
| local_private_cert | body | string | N | Optional, only if using the public key authentication mode. Private key used for auth. |
| shared_ca | body | string | N | Optional, only if using the public key authentication mode. CA information |
| authentication_method | body | string | Y | Either 'psk' or 'pubkey' as the authentication method. |
| local_identifier | body | string | N | The identifier for localhost |
| remote_identifier | body | string | N | The identifier for remote counter party |
| crypto_proposal | body | list | Y | Proposal names used for IKE process |
| force_crypto_proposal | body | boolean | N | The flag on forcing the proposal or not |
| connections | body | list | Y | List of connectionArray |

connectionArray:

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| name | body | string | Y | Connection name |
| type | body | string | Y | Type of connection. Either "tunnel" or "transport" |
| mode | body | string | Y | Mode used for connection. Either 'add', 'route' or 'start' |
| local_subnet | body | string | N | Defines the local subnet. |
| local_nat | body | string | N | Defines the local NAT; if present, replaces local_subnet |
| local_sourceip | body | string | N | Defines the local source IP |
| local_updown | body | string | N | Defines the local iptables rules. |
| local_firewall | body | string | N | Flag used to determine whether to enable the local firewall rules or not |
| remote_subnet | body | string | N | Defines the subnet of the counter party |
| remote_sourceip | body | string | N | Defines the source IP of the counter party |
| remote_updown | body | string | N | Defines the iptables rules applied for the counter party |
| remote_firewall | body | string | N | Flag used to determine whether to enable the remote firewall rules or not |
| crypto_proposal | body | string | N | Crypto proposal used for ESP |

- Request Example

```http
PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/site1
{
  "gateway": "10.1.0.2",
  "authentication_method": "psk",
  "crypto_proposal": "proposal1",
  "connections": [
    {
      "name": "connA",
      "type": "tunnel",
      "local_subnet": "192.168.1.1/24",
      "remote_subnet": "192.168.0.1/24",
      "crypto_proposal": "proposal1"
    }
  ]
}
```

With "authentication_method": "psk" a request must also carry pre_shared_key; the example above leaves it out. Note also that crypto_proposal at the site level is documented as a list while the example passes a single string.

Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
Lists all defined sites
Request: N/A
Response
- Normal response codes: 200

Response Parameters

| Name | In | Type | Description |
|---|---|---|---|
| sites | body | array | a list of defined sites |
Response Example

```json
{
  "sites": [
    {
      "name": "site1",
      "gateway": "10.0.1.2",
      "authentication_method": "psk",
      "crypto_proposal": "proposal1",
      "connections": [
        {
          "name": "connA",
          "type": "tunnel",
          "local_subnet": "192.168.1.1/24",
          "remote_subnet": "192.168.0.1/24",
          "crypto_proposal": "proposal1"
        }
      ]
    }
  ]
}
```
GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
Get a site
Request: N/A
Request Parameters

| Name | In | Type | Description |
|---|---|---|---|
| site-name | path | string | remote site name |

Response
- Normal response codes: 200
- Error response code: 404

Response Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| name | body | string | Y | Site name |
| gateway | body | string | Y | The corresponding responder |
| pre_shared_key | body | string | N | Optional, only if using the PSK authentication mode |
| local_public_cert | body | string | N | Optional, only if using the public key authentication mode. Public key used for auth. |
| local_private_cert | body | string | N | Optional, only if using the public key authentication mode. Private key used for auth. |
| shared_ca | body | string | N | Optional, only if using the public key authentication mode. CA information |
| authentication_method | body | string | Y | Either 'psk' or 'pubkey' as the authentication method. |
| local_identifier | body | string | N | The identifier for localhost |
| remote_identifier | body | string | N | The identifier for remote counter party |
| crypto_proposal | body | list | Y | Proposal names used for IKE process |
| force_crypto_proposal | body | boolean | N | The flag on forcing the proposal or not |
| connections | body | list | Y | List of connectionArray |

connectionArray:

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| name | body | string | Y | Connection name |
| type | body | string | Y | Type of connection. Either "tunnel" or "transport" |
| mode | body | string | Y | Mode used for connection. Either 'add', 'route' or 'start' |
| local_subnet | body | string | N | Defines the local subnet. |
| local_nat | body | string | N | Defines the local NAT; if present, replaces local_subnet |
| local_sourceip | body | string | N | Defines the local source IP |
| local_updown | body | string | N | Defines the local iptables rules. |
| local_firewall | body | string | N | Flag used to determine whether to enable the local firewall rules or not |
| remote_subnet | body | string | N | Defines the subnet of the counter party |
| remote_sourceip | body | string | N | Defines the source IP of the counter party |
| remote_updown | body | string | N | Defines the iptables rules applied for the counter party |
| remote_firewall | body | string | N | Flag used to determine whether to enable the remote firewall rules or not |
| crypto_proposal | body | string | N | Crypto proposal used for ESP |

Response Example

```json
{
  "name": "site1",
  "gateway": "10.1.0.2",
  "authentication_method": "psk",
  "crypto_proposal": "proposal1",
  "connections": [
    {
      "name": "site_to_site",
      "type": "tunnel",
      "local_subnet": "192.168.1.1/24",
      "remote_subnet": "192.168.0.1/24",
      "crypto_proposal": "proposal1"
    }
  ]
}
```
DELETE /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
...