...

Code Block
languageyml
titleSDEWAN IPSec Proposal CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSDEWAN IPSec Site CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: ipsecsite-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert:
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.0/24, 10.239.160.22
      remote_sourceip: 172.12.0.30-172.12.0.45
      remote_subnet:
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSDEWAN IPSec Host CR
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsechost-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: "%config"   # quoted: a plain scalar may not start with '%' in YAML
      remote_sourceip: xx.xx.xx.xx
      remote_subnet: xx.xx.xx.xx/xx
      mark: xxx
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Draft for route-based tunnel

# VTI whose key must equal the mark carried by the IPsec policies/SAs
# (the CR below sets mark_in/mark_out; those values and this key must agree)
ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201
# skip the per-packet IPsec policy check on the VTI; traffic is selected by mark and routing
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
# route-based: the routing table, not the IPsec policy selectors, decides what enters the tunnel
ip route add 10.1.0.0/16 dev vti0

Code Block
languageyml
titleSDEWAN IPSec Route based
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsec-route-based
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: "%config"   # quoted: a plain scalar may not start with '%' in YAML
      remote_sourceip: xx.xx.xx.xx
      local_subnet: xx.xx.xx.xx/xx
      remote_subnet: xx.xx.xx.xx/xx
      mark_in: 0xffffffff
      mark_out: 0xffffffff
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
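As an added example (not SD-EWAN project code), the following Python validator exercises the CRs above: it checks that every crypto_proposal at spec and connection level resolves to an IpsecProposal, rejects weak algorithms, enforces the psk/pubkey field rules from the REST parameter tables, warns when a pre-shared key is combined with a remote of %any, and derives the per-connection options and the VTI key for a route-based tunnel. The mapping of CR fields to strongSwan-style ipsec.conf options (left*/right*, auto, ike/esp, mark), the algorithm allowlists and the sample values are assumptions, not taken from the page.

```python
"""Validate SD-EWAN IpsecProposal/IpsecHost/IpsecSite CRs and derive the per-connection
IPsec options and VTI key they imply. Added example, not SD-EWAN project code: the mapping
of CR fields to strongSwan-style ipsec.conf options and the allowlists are assumptions."""
import re

# Algorithms this validator accepts; anything else is rejected as weak or unknown.
SAFE_ENC = {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16", "chacha20poly1305"}
SAFE_HASH = {"sha256", "sha384", "sha512"}
SAFE_DH = {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521", "curve25519"}
HEX_MARK = re.compile(r"^0x[0-9a-fA-F]{1,8}$")
CONN_MAP = (("local_subnet", "leftsubnet"), ("local_sourceip", "leftsourceip"),
            ("local_updown", "leftupdown"), ("local_firewall", "leftfirewall"),
            ("remote_subnet", "rightsubnet"), ("remote_sourceip", "rightsourceip"),
            ("remote_updown", "rightupdown"), ("remote_firewall", "rightfirewall"),
            ("mark", "mark"), ("mark_in", "mark_in"), ("mark_out", "mark_out"))


def check_proposal(proposal):
    """Problems with one IpsecProposal CR; an empty list means only accepted algorithms."""
    name, spec = proposal["metadata"]["name"], proposal["spec"]
    checks = (("encryption_algorithm", SAFE_ENC), ("hash_algorithm", SAFE_HASH), ("dh_group", SAFE_DH))
    return [f"proposal {name}: {field}={spec.get(field)!r} is weak or unknown"
            for field, allowed in checks if spec.get(field) not in allowed]


def check_host(host, proposals):
    """Validate an IpsecHost/IpsecSite spec against the IpsecProposal CRs it references.
    Returns (errors, warnings): errors make the CR unusable, warnings are risky but valid."""
    spec, known = host["spec"], {p["metadata"]["name"]: p for p in proposals}
    errors, warnings = [], []
    auth = spec.get("authentication_method")
    if auth == "psk":
        if not spec.get("pre_shared_key"):
            errors.append("psk authentication without pre_shared_key")
        if spec.get("remote", "").endswith("%any"):  # shared secret plus wildcard peer
            warnings.append("psk with remote=%any: any peer holding the PSK can connect; "
                            "pin the remote address or use pubkey")
    elif auth == "pubkey":
        missing = [k for k in ("local_public_cert", "local_private_cert", "shared_ca") if not spec.get(k)]
        if missing:
            errors.append("pubkey authentication missing " + ", ".join(missing))
    else:
        errors.append(f"authentication_method must be psk or pubkey, got {auth!r}")
    # Every proposal name, at spec level and per connection, must resolve to a CR.
    refs = {("spec", n) for n in spec.get("crypto_proposal", [])}
    for conn in spec.get("connections", []):
        refs |= {(conn.get("connection_name", "?"), n) for n in conn.get("crypto_proposal", [])}
    errors += [f"{scope}: crypto_proposal {n!r} has no IpsecProposal CR"
               for scope, n in sorted(refs) if n not in known]
    for pname in sorted({n for _, n in refs if n in known}):
        errors += check_proposal(known[pname])
    for conn in spec.get("connections", []):
        cname = conn.get("connection_name", "?")
        if conn.get("type") not in ("tunnel", "transport"):
            errors.append(f"{cname}: type must be tunnel or transport")
        if conn.get("mode") not in ("add", "route", "start"):
            errors.append(f"{cname}: mode must be add, route or start")
        errors += [f"{cname}: {k}={conn[k]!r} is not a hex mark such as 0x01000201"
                   for k in ("mark", "mark_in", "mark_out") if k in conn and not HEX_MARK.match(str(conn[k]))]
    return errors, warnings


def render_conn(host, conn, proposals):
    """ipsec.conf-style options for one connection (assumed mapping, see module docstring).
    force_crypto_proposal makes the proposal list strict, strongSwan's '!' suffix."""
    spec, known = host["spec"], {p["metadata"]["name"]: p["spec"] for p in proposals}
    strict = "!" if str(spec.get("force_crypto_proposal", "0")).lower() in ("1", "true") else ""

    def prop(names):
        return ",".join("-".join(known[n][f] for f in ("encryption_algorithm", "hash_algorithm", "dh_group"))
                        for n in names) + strict

    opts = {"right": spec["remote"],
            "authby": "secret" if spec["authentication_method"] == "psk" else "pubkey",
            "type": conn["type"], "auto": conn["mode"], "ike": prop(spec["crypto_proposal"]),
            "esp": prop(conn.get("crypto_proposal") or spec["crypto_proposal"])}
    for cr_key, ss_key in CONN_MAP:
        if conn.get(cr_key):
            opts[ss_key] = conn[cr_key]
    return opts


def vti_key_args(conn):
    """Key arguments for 'ip tunnel add ... mode vti': Linux steers VTI traffic by xfrm mark,
    so the interface ikey/okey must equal the connection's mark_in/mark_out."""
    mark_in, mark_out = conn.get("mark_in") or conn.get("mark"), conn.get("mark_out") or conn.get("mark")
    if not (mark_in and mark_out):
        raise ValueError("a route-based connection needs mark or mark_in/mark_out")
    return f"key {mark_in}" if mark_in == mark_out else f"ikey {mark_in} okey {mark_out}"


# Constructed sample CRs mirroring the page's YAML, with concrete values for the placeholders.
PROPOSAL = {"kind": "IpsecProposal", "metadata": {"name": "test_proposal_1"},
            "spec": {"encryption_algorithm": "aes128", "hash_algorithm": "sha256", "dh_group": "modp3072"}}
HOST = {"kind": "IpsecHost", "metadata": {"name": "ipsec-route-based"},
        "spec": {"remote": "192.168.0.2", "authentication_method": "psk", "pre_shared_key": "REPLACE-ME",
                 "crypto_proposal": ["test_proposal_1"], "force_crypto_proposal": "1",
                 "connections": [{"connection_name": "connection_A", "type": "tunnel", "mode": "start",
                                  "local_subnet": "10.0.0.0/16", "remote_subnet": "10.1.0.0/16",
                                  "mark_in": "0x01000201", "mark_out": "0x01000201",
                                  "crypto_proposal": ["test_proposal_1"]}]}}
ROADWARRIOR = {**HOST, "spec": {**HOST["spec"], "remote": "%any"}}  # the '%any' wildcard from the Host CR
```

Run check_host(HOST, [PROPOSAL]) before applying a CR; render_conn shows that force_crypto_proposal turns the ike/esp lists into strict proposals, and vti_key_args gives the key argument for the "ip tunnel add ... mode vti" line in the draft above, which is the value that must agree with mark_in/mark_out.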

IPSec Rest API

The SD-EWAN IPSec RESTful API supports get/create/update/delete of IPSec proposals and sites.

IPSec Proposal

POST /cgi-bin/luci/sdewan/ipsec/v1/proposals

create a new proposal

Request:

  • Request Parameters: same as the PUT request

  • Request Example: same as the PUT example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

update a proposal

Request:

  • Request Parameters:

    Name                 | In   | Type   | Description
    proposal-name        | path | string | proposal name
    encryption_algorithm | body | string | encryption algorithm
    hash_algorithm       | body | string | hash algorithm
    dh_group             | body | string | Diffie-Hellman group

  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/proposal1

    {
      "encryption_algorithm": "aes256",
      "hash_algorithm": "sha256",
      "dh_group": "modp4096"
    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name      | In   | Type  | Description
    proposals | body | array | a list of defined proposals

  • Response Example

    {
      "proposals": [
        {
          "name": "proposal1",
          "encryption_algorithm": "aes128",
          "hash_algorithm": "sha256",
          "dh_group": "modp3072"
        }
      ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

Get a proposal

Request: no body

  • Request Parameters

    Name          | In   | Type   | Description
    proposal-name | path | string | proposal name

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name                 | In   | Type   | Description
    name                 | body | string | proposal name
    encryption_algorithm | body | string | encryption algorithm
    hash_algorithm       | body | string | hash algorithm
    dh_group             | body | string | Diffie-Hellman group

  • Response Example

    {
      "name": "proposal1",
      "encryption_algorithm": "aes128",
      "hash_algorithm": "sha256",
      "dh_group": "modp3072"
    }


DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

delete a proposal

Request:

  • Request Parameters

    Name          | In   | Type   | Description
    proposal-name | path | string | proposal name


Response

  • Normal response codes: 200
  • Error response codes: 401, 404
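As an added example (not the project's luci code), here is an in-process reference handler for the proposal endpoints above. It returns the status codes the page lists for each method and path, and adds the input validation the page leaves unspecified: an algorithm allowlist, a strict field set (unknown keys are rejected rather than ignored) and a name pattern for {proposal-name}. Those validation rules, the 405 for undocumented verbs and the assumption that a POST carries the new name in the body are all assumptions. The /sites resource follows the same dispatch with the site parameter table and is not repeated here.

```python
"""In-process reference handler for the IPsec proposal REST API documented above.
Added example, not the project's luci code. It returns the status codes the page lists
(POST 201/400/401, PUT 204/400/401/404, GET 200/404, DELETE 200/401/404) and adds input
validation the page leaves unspecified: an algorithm allowlist, a strict field set and a
name pattern for {proposal-name}. These validation rules are assumptions."""
import re

BASE = "/cgi-bin/luci/sdewan/ipsec/v1/proposals"
ROUTE = re.compile(re.escape(BASE) + r"(?:/([^/]+))?/?$")
NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")        # assumed naming rule for {proposal-name}
ALLOWED = {                                        # assumed allowlist; the page fixes no values
    "encryption_algorithm": {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16"},
    "hash_algorithm": {"sha256", "sha384", "sha512"},
    "dh_group": {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "curve25519"},
}


def validate(body):
    """None if body is exactly the three documented fields with allowed values, else the
    message for a 400 response. Unknown keys are rejected rather than silently dropped."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    extra = set(body) - set(ALLOWED)
    if extra:
        return "unknown fields: " + ", ".join(sorted(extra))
    for field, allowed in ALLOWED.items():
        if body.get(field) not in allowed:
            return f"{field} missing or not allowed: {body.get(field)!r}"
    return None


class ProposalApi:
    """Keeps proposals in memory; handle() mirrors the CGI dispatch of the documented routes."""

    def __init__(self):
        self.proposals = {}

    def handle(self, method, path, body=None, authenticated=True):
        """Return (status, response_body); body is the parsed JSON of the request."""
        m = ROUTE.match(path)
        if not m:
            return 404, {"error": "no such resource"}
        name = m.group(1)
        # The page lists 401 only for mutating calls, so reads are left open here.
        if method != "GET" and not authenticated:
            return 401, {"error": "unauthorized"}
        if method == "GET":
            if name is None:
                return 200, {"proposals": [{"name": n, **p} for n, p in self.proposals.items()]}
            if name not in self.proposals:
                return 404, {"error": "no such proposal"}
            return 200, {"name": name, **self.proposals[name]}
        if method == "POST" and name is None:
            # POST takes PUT's body; the new proposal's name is assumed to travel in the body.
            body = dict(body or {})
            new_name = body.pop("name", None)
            if not isinstance(new_name, str) or not NAME.match(new_name):
                return 400, {"error": "name missing or invalid"}
            if new_name in self.proposals:
                return 400, {"error": "proposal already exists"}
            problem = validate(body)
            if problem:
                return 400, {"error": problem}
            self.proposals[new_name] = body
            return 201, {"name": new_name, **body}
        if name is None or not NAME.match(name):
            return 404, {"error": "no such resource"}
        if method == "PUT":
            if name not in self.proposals:
                return 404, {"error": "no such proposal"}
            problem = validate(body)
            if problem:
                return 400, {"error": problem}
            self.proposals[name] = dict(body)
            return 204, None
        if method == "DELETE":
            if name not in self.proposals:
                return 404, {"error": "no such proposal"}
            del self.proposals[name]
            return 200, None
        return 405, {"error": "method not allowed"}    # not on the page; any other verb
```

A request such as PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/proposal1 with a body of {"encryption_algorithm": "3des", ...} is answered with 400 and the offending field, while the same PUT against an unknown name gets 404 before the body is inspected.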


IPSec Site

POST /cgi-bin/luci/sdewan/ipsec/v1/sites

create a new site

Request:

  • Request Parameters: same as the PUT request

  • Request Example: same as the PUT example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401

PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

update a site

Request:

  • Request Parameters:

    Name         | In   | Type   | Required | Description
    site-name    | path | string | Y        | remote site name
    other params | body |        |          | same as the GET response parameters for a site

  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/site1

    {
      "name": "site1",
      "gateway": "10.1.0.2",
      "authentication_method": "psk",
      "crypto_proposal": ["proposal1"],
      "connections": [
        {
          "name": "site_to_site",
          "type": "tunnel",
          "mode": "start",
          "local_subnet": "192.168.1.1/24",
          "remote_subnet": "192.168.0.1/24",
          "crypto_proposal": "proposal1"
        }
      ]
    }


GET /cgi-bin/luci/sdewan/ipsec/v1/sites

Lists all defined sites

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name  | In   | Type  | Description
    sites | body | array | a list of defined sites

  • Response Example

    {
      "sites": [
        {
          "name": "site1",
          "gateway": "10.0.1.2",
          "authentication_method": "psk",
          "crypto_proposal": ["proposal1"],
          "connections": [
            {
              "name": "connA",
              "type": "tunnel",
              "mode": "start",
              "local_subnet": "192.168.1.1/24",
              "remote_subnet": "192.168.0.1/24",
              "crypto_proposal": "proposal1"
            }
          ]
        }
      ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

Get a site

Request: no body

  • Request Parameters

    Name      | In   | Type   | Description
    site-name | path | string | remote site name


Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name                  | In   | Type    | Required | Description
    name                  | body | string  | Y        | Site name
    gateway               | body | string  | Y        | The corresponding responder
    pre_shared_key        | body | string  | N        | Optional, only if using the PSK authentication mode
    local_public_cert     | body | string  | N        | Optional, only if using the public key authentication mode. Public key used for auth.
    local_private_cert    | body | string  | N        | Optional, only if using the public key authentication mode. Private key used for auth.
    shared_ca             | body | string  | N        | Optional, only if using the public key authentication mode. CA information
    authentication_method | body | string  | Y        | Either 'psk' or 'pubkey' as the authentication method.
    local_identifier      | body | string  | N        | The identifier for the local host
    remote_identifier     | body | string  | N        | The identifier for the remote counterparty
    crypto_proposal       | body | list    | Y        | Proposal names used for the IKE process
    force_crypto_proposal | body | boolean | N        | Whether the proposal list is enforced strictly
    connections           | body | list    | Y        | List of connectionArray

    connectionArray:

    Name            | In   | Type   | Required | Description
    name            | body | string | Y        | Connection name
    type            | body | string | Y        | Type of connection. Either "tunnel" or "transport"
    mode            | body | string | Y        | Mode used for the connection. Either 'add', 'route' or 'start'
    local_subnet    | body | string | N        | Defines the local subnet.
    local_nat       | body | string | N        | Defines the local NAT; if present, it replaces local_subnet
    local_sourceip  | body | string | N        | Defines the local source IP
    local_updown    | body | string | N        | Defines the local iptables rules.
    local_firewall  | body | string | N        | Flag that determines whether to enable the local firewall rules
    remote_subnet   | body | string | N        | Defines the subnet of the counterparty
    remote_sourceip | body | string | N        | Defines the source IP of the counterparty
    remote_updown   | body | string | N        | Defines the iptables rules applied for the counterparty
    remote_firewall | body | string | N        | Flag that determines whether to enable the remote firewall rules
    crypto_proposal | body | string | N        | Crypto proposal used for ESP

    Note: pre_shared_key and local_private_cert are listed as response parameters. Returning them in GET responses hands the secrets to any caller with read access to the API, so in practice they should be write-only or redacted in responses.


  • Response Example

    {
      "name": "site1",
      "gateway": "10.1.0.2",
      "authentication_method": "psk",
      "crypto_proposal": ["proposal1"],
      "connections": [
        {
          "name": "site_to_site",
          "type": "tunnel",
          "mode": "start",
          "local_subnet": "192.168.1.1/24",
          "remote_subnet": "192.168.0.1/24",
          "crypto_proposal": "proposal2"
        }
      ]
    }


DELETE /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

...