Page Comparison

This page intend to list bunch of scenarios for our SD-EWAN case, including the decomposed scenarios and the overall integrated scenario.

Table of Contents

Decomposed scenarios

Decomposed Scenario A: Site-to-Site tunnel with static public IP address

In this scenario, both sites have static public IP address and setup a tunnel between sites. After the tunnel is established, the clients within the site should be able to ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

...

Scenario Description:

Code Block

language	yml

apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: 192.168.1.11
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    local_firewall: yes
    remote_subnet: 10.2.0.1/24
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

IPSec CR for gateway B:

Code Block

language	yml

apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteB
spec:
  node: node2
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel
    mode: start
    local_subnet: 10.2.0.1/24
    local_sourceip: 192.168.1.11
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

NAT CR:

...

Rest calls:

GET /cgi-bin/luci/Tunnel between site A and site B
Suppose there are two sites A and B. A comes with the subnet 10.1.0.1/24, B comes with the subnet 10.2.0.1/24
Gateway for A is 192.168.1.10
Gateway for B is 192.168.1.11
A and B would like to establish a tunnel
10.1.0.1/24 == 10.2.0.1/24

CRs for the scenario

Code Block

language	yml
title	Proposal CR
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for gateway A
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: siteA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.1.11
  authentication_method: psk
  pre_shared_key: test123
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 10.1.0.1/24
      remote_subnet: 10.2.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for gateway B
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: siteB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.1.10
  authentication_method: psk
  pre_shared_key: test123
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      local_subnet: 10.2.0.1/24
      remote_subnet: 10.1.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
"sites": [

{

"name": “siteA"siteA",

"gatewayremote":"192.168.1.11",

"crypto_proposal": "proposal1test_proposal_1",

"pre_shared_key": "test123",

"authauthentication_method": "psk",

"local_identifier": "@moon.strongswan.org",

"connections": [

{ "name": "connection_A",

"type": "tunnel",

"remote_identifiermode": "@sun.strongswan.orgstart",

"connections": [

{

"type": "tunnel",

"mode": "start",

" "local_subnet": "10.1.0.1/24",

"remote_subnet": "10.2.0.1/24", "keyexchange": "ikev2",

"crypto_proposal": "proposal1test_proposal_1"

}

]

},

{ "name": "siteB",

"gateway":"192.168.1.10",

"crypto_proposal": "proposal1"test_proposal_1",

"pre_shared_key": "test123",

"authauthentication_method": "psk",

"remote_identifier": "@moon.strongswan.org",

"local_identifier": "@sun.strongswan.org",

"connections": [

{ "name": "connection_B",

"type": "tunnel",

"mode": "start",

"local_subnet": "10.2.0.1/24", "local_sourceip": "192.168.1.11",

"remote_subnet": "10.1.0.1/24", "keyexchange": "ikev2",

"crypto_proposal": "proposal1test_proposal_1"

}

]

}

]
}

Decomposed Scenario B: Host-to-Site tunnel

In this scenario, the initiator sends out a request to the responder(either a site gateway/remote host) which has a static public ip address(or dynamic pubic IP with static domain name) in order to setup a tunnel between. After the tunnel is established, the roadwarrior should be able to ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

Image Removed

IPSec CR for Gateway A:

...

language	yml

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [ { "name": "proposal1", "crypto_algorithm": "aes128", "hash_algorithm": "sha256", "dh_group": "modp3072" } ] }

Decomposed Scenario B: Host-to-Site tunnel when the initiator requests an overlay IP

In this scenario, the initiator sends out a request to the responder(either a site gateway/remote host) which has a static public ip address(or dynamic pubic IP with static domain name) in order to setup a tunnel between. However, this time, the roadwarrior is also going to ask for a virtual IP that assigned by the responder. After the tunnel is established, the roadwarrior should be able to get an overlay IP and ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

Image Added

Scenario Description:

Tunnel between site A and host B(Responder and Initiator)
Suppose there is one site A and one host B. A comes with the subnet 10.1.0.1/24.
Gateway for A is 192.168.1.10 which is a public ip address
Host B has no public address and want to request one from the peer(suppose the vip assigned is 10.3.0.12)
A and B would like to establish a tunnel
10.1.0.1/24 == 10.3.0.12/32

CRs for the scenario

Code Block

language	yml
title	Proposal CR
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for gateway A
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: siteA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 10.1.0.1/24
      remote_sourceip: 10.3.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for host B
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: hostB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.1.10
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
"sites": [

{ "name": "siteA",

"remote":"%any",

"crypto_proposal": "test_proposal_1",

"pre_shared_key": "test123",

"authentication_method": "psk",

"local_identifier": "@moon.strongswan.org",

"remote_identifier": "@sun.strongswan.org",

"connections": [

{ "name": "connA",

"type": "tunnel",

"mode": "start",

"local_subnet": "10.1.0.1/24",

"remote_sourceip": "10.3.0.1/24",

"crypto_proposal": "test_proposal_1"

}

]

},

{ "name": "hostB",

"remote":"192.168.1.10",

"crypto_proposal": "test_proposal_1",

"pre_shared_key": "test123",

"authentication_method": "psk",

"remote_identifier": "@moon.strongswan.org",

"local_identifier": "@sun.strongswan.org",

"connections": [

{ "name": "connA",

"type": "tunnel",

"mode": "start",

"local_sourceip": "%config",

"remote_subnet": "10.1.0.1/24",

"crypto_proposal": "test_proposal_1"

}

]

}

]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [ { "crypto_algorithm": "aes128", "hash_algorithm": "sha256", "dh_group": "modp3072" } ] }

Decomposed Scenario C: Host to host tunnel

Setup a tunnel between the host who got assigned the virtual IP and another host with PIP.

Image Added

Scenario Description:

Tunnel between host A and host B
Suppose there are two hosts A and B.
A has a public ip which is 192.168.3.1
B is a host which already get a vip 10.3.0.12
A and B would like to establish a tunnel
192.168.3.1/32 == 10.3.0.12/32

CRs for the scenario

Code Block

language	yml
title	Proposal CR
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for host A
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: hostA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      remote_sourceip: 10.3.0.12
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Code Block

language	yml
title	Sample CR for host B
collapse	true

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: hostB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.3.1
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: 10.3.0.13
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
"sites": [

{ "name": "hostA",

"remote":"%any",

"crypto_proposal": "test_proposal_1",

"pre_shared_key": "test123",

"authentication_method": "psk",

"local_identifier": "@moon.strongswan.org",

"remote_identifier": "@sun.strongswan.org",

"connections": [

{ "name": "connA",

"type": "tunnel",

"mode": "start",

"remote_sourceip": "10.3.0.12",

"crypto_proposal": "test_proposal_1"

}

]

},

{ "name": "hostB",

"remote":"192.168.3.1",

"crypto_proposal": "test_proposal_1",

"pre_shared_key": "test123",

"authentication_method": "psk",

"remote_identifier": "@moon.strongswan.org",

"local_identifier": "@sun.strongswan.org",

"connections": [

{ "name": "connA",

"type": "tunnel",

"mode": "start",

"local_sourceip": "10.3.0.12",

"crypto_proposal": "test_proposal_1"

}

]

}

]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [ { "crypto_algorithm": "aes128", "hash_algorithm": "sha256", "dh_group": "modp3072" } ] }

Targeted Scenarios

Scenario A: Edge to traffic hub tunnel where inter micro-service communication across edges that attached to same traffic hub.

Image Added

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for edgeA
collapse	true

CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeA
collapse	true

Strongswan configs for sdewan cnf on edgeA:

conn siteA-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  esp=aes192-sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for edgeB
collapse	true

CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeB
collapse	true

Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  esp=aes192-sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for Hub
collapse	true

CR on sdewan on hub:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: Hub
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for hub
collapse	true

Strongswan configs for sdewan cnf on hub:

conn tunnel
  left=10.239.160.22
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Scenario B: Edge to Edge tunnels when micro-service communication happens across edges without involving hubs

Image Added

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for EdgeA
collapse	true

CR on sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeA
collapse	true

Strongswan configs for sdewan cnf on edgeA:

conn edgeA-connection_A
  left=%any
  right=10.239.40.42
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for EdgeB
collapse	true

CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeB
collapse	true

Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Scenario C: Hub to hub tunnel when inter micro-service communication across edges that attached to different traffic hubs

Image Added

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for edgeA
collapse	true

CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeA
collapse	true

Strongswan configs for sdewan cnf on edgeA:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for edgeB
collapse	true

CR for sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for edgeB
collapse	true

Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.40.42
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for HubA
collapse	true

CR on sdewan on hubA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.30-172.12.0.45
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind:

IPSecSite

IpsecSite
metadata:
  name:

siteA

HubA

spec:

node

namespace:

node1

default

gateway: 192.168.1.15 pre_shared_key: W1xnGqoBZizf2iQN6OwoEGhdFNnQQ81KnqaPNY9fdr3zFV72fFDLlXmWnjXk5EON

labels:

auth_method

sdewanPurpose:

psk local_identifier: @sun.strongswan.org

cnf-1
spec:
  remote

_identifier

@roadwarrior

10.239.

strongswan

40.

org

crypto

authentication_

proposal

method:

"proposal1"

psk

force

pre_

crypto

shared_

proposal

key:

true

test

connection

crypto_proposal:

-

type:

tunnel

- test_proposal_1

mode

connections:

start

local

connection_

subnet

name:

10.1.0.1/24

connection_B

local_nat:

   type:

local_sourceip: 192.168.1.10

tunnel

local_firewall: yes

mode: start

remote

local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_

sourceip

subnet:

192

172.12.

168

1.1

.15

/24,10.239.40.42/32

remote

crypto_

firewall

proposal:

yes

keyexchange:

ikev2

  - test_proposal_1

crypto_proposal

status:
  appliedVersion: "

proposal1

1"

proposal

appliedTime:

- encryption_algorithm: aes128 hash_algorithm: sha256 dh_group: modp3072

...

"2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml

apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: W1xnGqoBZizf2iQN6OwoEGhdFNnQQ81KnqaPNY9fdr3zFV72fFDLlXmWnjXk5EON
  auth_method: psk
  local_identifier: @roadwarrior.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel
    mode: start
    local_subnet: 
    local_nat:
    local_sourceip: 192.168.1.15
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_sourceip: 192.168.1.10
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

NAT CR:

...

Decomposed Scenario C: Host-to-Site tunnel when the initiator requests an overlay IP

In this scenario, the initiator sends out a request to the responder(either a site gateway/remote host) which has a static public ip address(or dynamic pubic IP with static domain name) in order to setup a tunnel between. However, this time, the roadwarrior is also going to ask for a virtual IP that assigned by the responder. After the tunnel is established, the roadwarrior should be able to get an overlay IP and ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

Image Removed

IPSec CR for Gateway A:

Code Block

language	yml

apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: any
  pre_shared_key: W1xnGqoBZizf2iQN6OwoEGhdFNnQQ81KnqaPNY9fdr3zFV72fFDLlXmWnjXk5EON
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @roadwarrior.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_nat:
    local_sourceip: 192.168.1.10
    local_firewall: yes
    remote_subnet: 
    remote_sourceip: 10.3.0.1/24
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

IPSec CR for roadwarrior(initiator):

Code Block

language	yml

apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: W1xnGqoBZizf2iQN6OwoEGhdFNnQQ81KnqaPNY9fdr3zFV72fFDLlXmWnjXk5EON
  auth_method: psk
  local_identifier: @roadwarrior.strongswan.org
  remote_identifier: @moon.strongswan.org
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel
    mode: start
    local_subnet: 
    local_nat:
    local_sourceip: %config
    local_firewall: yes
    remote_subnet: 10.1.0.1/24
    remote_sourceip: 192.168.1.10
    remote_firewall: yes
    keyexchange: ikev2
    crypto_proposal: "proposal1"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

NAT CR:


title	Strongswan configs for HubA
collapse	true

Strongswan configs for sdewan cnf on hub:

conn HubA-connection_A
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsubnet=172.12.1.1/24,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Section

border	true

Column

width	40%

Code Block

language	yml
title	Sample CR for HubB
collapse	true

CR on sdewan on hubB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      remote_sourceip: 172.12.1.31-172.12.1.35
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      remote_subnet: 172.12.0.1/24,10.239.160.22/32
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Column

width	20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs

Column

width	40%

Code Block

language	yml
title	Strongswan configs for HubB
collapse	true

Strongswan configs for sdewan cnf on hub:

conn HubB-connection_A
  left=%any
  leftsubnet=172.12.1.1/24,10.239.40.42/32
  rightsourceip=172.12.1.31-172.12.1.35
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.1.1/24,10.239.40.42/32
  rightsubnet=172.12.0.1/24,10.239.160.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel

Overall scenarios

Here shows the overall scenario we want to achieve in the ICN SDEWAN case.

...

Versions Compared

Old Version 5

New Version Current

Key

Decomposed scenarios

Decomposed Scenario A: Site-to-Site tunnel with static public IP address

IPSec CR for gateway B:

NAT CR:

Rest calls:

CRs for the scenario

Rest calls

Decomposed Scenario B: Host-to-Site tunnel

IPSec CR for Gateway A:

Decomposed Scenario B: Host-to-Site tunnel when the initiator requests an overlay IP

CRs for the scenario

Rest calls

Decomposed Scenario C: Host to host tunnel

CRs for the scenario

Rest calls

Targeted Scenarios

Scenario A: Edge to traffic hub tunnel where inter micro-service communication across edges that attached to same traffic hub.

Scenario B: Edge to Edge tunnels when micro-service communication happens across edges without involving hubs

Scenario C: Hub to hub tunnel when inter micro-service communication across edges that attached to different traffic hubs

Image Added

NAT CR:

Decomposed Scenario C: Host-to-Site tunnel when the initiator requests an overlay IP

IPSec CR for Gateway A:

IPSec CR for roadwarrior(initiator):

NAT CR:

Overall scenarios