Versions Compared

Old Version 8

changes.mady.by.user ruoyu.ying

Saved on

compared with

New Version Current

changes.mady.by.user ruoyu.ying

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page intend to list bunch of scenarios for our SD-EWAN case, including the decomposed scenarios and the overall integrated scenario.


Table of Contents


Decomposed scenarios

Decomposed Scenario A: Site-to-Site tunnel with static public IP address

In this scenario, both sites have static public IP address and setup a tunnel between sites. After the tunnel is established, the clients within the site should be able to ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

...

Scenario Description:

...

languageyml
titleSample CR for gatewayA
collapsetrue

...

Tunnel between site A and site B
Suppose there are two sites A and B. A comes with the subnet 10.1.0.1/24, B comes with the subnet 10.2.0.1/24
Gateway for A is 192.168.1.10
Gateway for B is 192.168.1.11
A and B would like to establish a tunnel
10.1.0.1/24 == 10.2.0.1/24

CRs for the scenario

Code Block
languageyml
titleProposal CR
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
IPSecSite
metadata:
  name: test_proposal_1
 name namespace: siteAdefault
spec: - gatewaylabels:
192.168.1.11    pre_shared_keysdewanPurpose: test123
  auth_methodcnf-1
spec:
psk   localencryption_identifieralgorithm: @moon.strongswan.orgaes128
  remotehash_identifieralgorithm: @sun.strongswan.orgsha256
  cryptodh_proposalgroup: proposal1
  force_crypto_proposalmodp3072
status:
true   connectionappliedVersion: "1"
 - nameappliedTime: connA"2020-04-12T09:28:38Z"
  inSync:  type: tunnel
    mode: startTrue


Code Block
languageyml
titleSample CR for gateway A
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: siteA
  namespace: default
  labels:
    local_subnetsdewanPurpose: 10.1.0.1/24
cnf-1
spec:
   local_sourceipremote: 192.168.1.1011
  authentication_method: psk
remote_subnet: 10.2.0.1/24  pre_shared_key: test123
  crypto_proposal: 
keyexchange: ikev2   -  cryptotest_proposal_1
  connections:
  proposal1  - proposalsconnection_name: connection_A
   -   nametype: proposal1tunnel
      encryption_algorithmmode: aes128start
      hashlocal_algorithmsubnet: sha25610.1.0.1/24
      dhremote_group: modp3072

IPSec CR for gateway B:

Code Block
languageyml
titleSample CR for gatewayB
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteB
spec:
- gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @sun.strongswan.org
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.2.0.1/24
    local_sourceip: 192.168.1.11
    remote_subnet: 10.1.0.1/24
    keyexchange: ikev2
    crypto_proposal: proposal1
  proposal:
    - name: proposal1subnet: 10.2.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSample CR for gateway B
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: siteB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.1.10
  authentication_method: psk
  pre_shared_key: test123
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      local_subnet: 10.2.0.1/24
      encryptionremote_algorithmsubnet: aes12810.1.0.1/24
      hashcrypto_algorithmproposal:
sha256        dh_group: modp3072

NAT CR:

...

Rest calls:

- test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": [

     {

            "name": “siteA",

            "gatewayremote":"192.168.1.11",

            "crypto_proposal": "proposal1test_proposal_1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connAconnection_A",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_subnet": "10.2.0.1/24",

                "crypto_proposal": "proposal1test_proposal_1"

              }

            ]

        },

       {    "name": "siteB",

            "gateway":"192.168.1.10",

            "crypto_proposal": "proposal1test_proposal_1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "remote_identifier": "@moon.strongswan.org",

            "local_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connAconnection_B",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.2.0.1/24",

                "remote_subnet": "10.1.0.1/24",

                "crypto_proposal": "proposal1test_proposal_1"

              }

        ]

      }

   ]
}

...

{ "proposals": [

           {

              "name": "proposal1",

              "crypto_algorithm": "aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

           }

     ]

}

Decomposed Scenario B: Host-to-Site

...

tunnel when the initiator requests an overlay IP

In this scenario, the initiator sends out a request to the responderthe responder(either a site gateway/remote host) which has a static public ip address(or dynamic pubic IP with static domain name) in order to setup a tunnel between. However, this time, the roadwarrior is also going to ask for a virtual IP that assigned by the responder. After the tunnel is established, the roadwarrior should be able to get an overlay IP and ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

Image Removed

IPSec CR for Gateway A:

Code Block
languageyml
titleSample CR for gatewayA
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
- gateway: 192.168.1.15
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @sun.strongswan.org
  remote_identifier: @roadwarrior.strongswan.org
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    remote_sourceip: 192.168.1.15
    crypto_proposal: proposal1
  proposal:
    - name: proposal1
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072

IPSec CR for roadwarrior(initiator):

...

languageyml
titlesample CR for roadwarrior
collapsetrue

...

Image Added

Scenario Description:

Tunnel between site A and host B(Responder and Initiator)
Suppose there is one site A and one host B. A comes with the subnet 10.1.0.1/24.
Gateway for A is 192.168.1.10 which is a public ip address
Host B has no public address and want to request one from the peer(suppose the vip assigned is 10.3.0.12)
A and B would like to establish a tunnel
10.1.0.1/24 == 10.3.0.12/32

CRs for the scenario

Code Block
languageyml
titleProposal CR
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSample CR for gateway A
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
IPSecSitemetadata:
metadata  name: siteA
  namenamespace: roadwarriordefault
spec: - gatewaylabels:
 192.168.1.10   pre_shared_keysdewanPurpose: test123cnf-1
spec:
  auth_methodremote: psk%any
  localauthentication_identifiermethod: @roadwarrior.strongswan.orgpsk
  remotepre_shared_identifierkey: @sun.strongswan.orgtest
  crypto_proposal: 
  "proposal1"  - forcetest_cryptoproposal_proposal:1
 true connections:
 connection:   - connection_name: connAconnection_A
      type: tunnel
      mode: start
      local_sourceipsubnet: 19210.1.1680.1.15/24
      remote_subnetsourceip: 10.13.0.1/24
    remote_sourceip: 192.168.1.10     crypto_proposal:
proposal1   proposal:     - name test_proposal_1
status:
proposal1  appliedVersion: "1"
   encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072

NAT CR:

...

Rest calls:

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": [

       {    "name": "siteA",

            "gateway":"192.168.1.11",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_sourceip": "192.168.1.15",

                "local_sourceip": "192.168.1.10",

                "crypto_proposal": "proposal1"

              }

            ]

...

appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSample CR for host B
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: hostB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.1.10
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": [

       {    "name": "roadwarriorsiteA",

                        "gatewayremote":"192.168.1.10%any",

            "crypto_proposal": "proposal1test_proposal_1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "remotelocal_identifier": "@moon.strongswan.org",

            "localremote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_sourceipsubnet": "192.16810.1.15",                "remote_sourceip": "192.168.1.100.1/24",

                "remote_subnetsourceip": "10.13.0.1/24",

                "crypto_proposal": "proposal1test_proposal_1"

              }

            ]

        },

      } {    ]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [

        {     "name": "proposal1

"name": "hostB",

            "remote":"192.168.1.10",

            "crypto_proposal": "test_proposal_1",

           

 

"

crypto

pre_shared_

algorithm

key": "

aes128

test123",

 

            "

hash

authentication_

algorithm

method": "

sha256

psk",

           

 

"

dh

remote_

group

identifier": "

modp3072" 

@moon.strongswan.org",

       

}

    ]

}

Decomposed Scenario C: Host-to-Site tunnel when the initiator requests an overlay IP

In this scenario, the initiator sends out a request to the responder(either a site gateway/remote host) which has a static public ip address(or dynamic pubic IP with static domain name) in order to setup a tunnel between. However, this time, the roadwarrior is also going to ask for a virtual IP that assigned by the responder. After the tunnel is established, the roadwarrior should be able to get an overlay IP and ping the clients on the other side through the tunnel. The tunnel is authenticated through pre-shared key.

Image Removed

IPSec CR for Gateway A:

Code Block
languageyml
titleSample CR for gatewayA
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
- gateway: any
  pre_shared_key: test123
  auth_method: psk
  local_identifier: @moon.strongswan.org
  remote_identifier: @roadwarrior.strongswan.org
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
  - name: connA
    type: tunnel
    mode: start
    local_subnet: 10.1.0.1/24
    local_sourceip: 192.168.1.10
    remote_sourceip: 10.3.0.1/24
    crypto_proposal: "proposal1"
  proposal:
    - name: proposal1
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072

IPSec CR for roadwarrior(initiator):

    "local_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_sourceip": "%config",

                "remote_subnet": "10.1.0.1/24",

                "crypto_proposal": "test_proposal_1"

              }

        ]

      }

   ]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [

        {

              "crypto_algorithm": "aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

         }

     ]

}

Decomposed Scenario C: Host to host tunnel

Setup a tunnel between the host who got assigned the virtual IP and another host with PIP.

Image Added

Scenario Description:

Tunnel between host A and host B
Suppose there are two hosts A and B.
A has a public ip which is 192.168.3.1
B is a host which already get a vip 10.3.0.12
A and B would like to establish a tunnel
192.168.3.1/32 == 10.3.0.12/32

CRs for the scenario

Code Block
languageyml
titleProposal CR
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSample CR for roadwarriorhost A
collapsetrue
apiVersion: sdewan sdewan.akraino.org/v1alpha1
kind: IpsecHost
IPSecSitemetadata:
metadata  name: hostA
  namenamespace: default
 roadwarrior speclabels:
   - gatewaysdewanPurpose: 192.168.1.10cnf-1
spec:
  pre_shared_keyremote: test123%any
  authauthentication_method: psk
  localpre_shared_identifierkey: @roadwarrior.strongswan.orgtest
  remotecrypto_identifier: @moon.strongswan.orgproposal: 
 crypto_proposal: proposal1  - forcetest_cryptoproposal_proposal:1
 true connections:
 connection:   - connection_name: connection_A
 connA     type: tunnel
      mode: start
 
  local_sourceip: %config     remote_subnetsourceip: 10.13.0.1/2412
    remote_sourceip: 192.168.1.10     crypto_proposal:
"proposal1"   proposal:     - name: proposal1
test_proposal_1 
status:
     encryption_algorithmappliedVersion: aes128"1"
      hash_algorithm: sha256
      dh_group: modp3072

NAT CR:

...

Rest calls:

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": [

       {    "name": "siteA",

            "gateway":"192.168.1.11",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_sourceip": "10.3.0.1/24",

                "local_sourceip": "192.168.1.10",

                "crypto_proposal": "proposal1"

              }

            ]

...

appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Code Block
languageyml
titleSample CR for host B
collapsetrue
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: hostB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 192.168.3.1
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: 10.3.0.13
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


Rest calls

Sites settings

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": [

       { 

 

  "name": "

roadwarrior

hostA",

           

            "

gateway

remote":"

192.168.1.10

%any",

            "crypto_proposal": "

proposal1

test_proposal_1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "

remote

local_identifier": "@moon.strongswan.org",

            "

local

remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                

                "

local

remote_sourceip": "

%config

10.3.0.12",

                "crypto_proposal": "test_proposal_1"

              }

            ]

        },

       {    "

remote_sourceip

name": "

192.168.1.10

hostB",

               

            "remote

_subnet

":"

10

192.

1

168.

0

3.1

/24

",

               

            "crypto_proposal": "

proposal1"              }

test_proposal_1",

       

]

      }

   ]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [

        {     "name": "proposal1

    "pre_shared_key": "test123",

           

 

"

crypto

authentication_

algorithm

method": "

aes128

psk",

           

 

"

hash

remote_

algorithm

identifier": "

sha256

@moon.strongswan.org",

           

 

"

dh

local_

group

identifier": "

modp3072"

@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_sourceip": "10.3.0.12",

                "crypto_proposal": "test_proposal_1"

              }

     

]

}

...

  ]

      }

   ]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": [

        {

              "crypto_algorithm": "aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

         }

     ]

}

Targeted Scenarios

Scenario A: Edge to traffic hub tunnel where inter micro-service communication across edges that attached to same traffic hub.

Image Added

Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for edgeA
collapsetrue
CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeA
collapsetrue
Strongswan configs for sdewan cnf on edgeA:

conn siteA-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  esp=aes192-sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for edgeB
collapsetrue
CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connA
  left=%any
  right=10.239.160.22
  leftsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  esp=aes192-sha1-modp3072
  ike=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for Hub
collapsetrue
CR on sdewan on hub:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: Hub
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.1/24
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for hub
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn tunnel
  left=10.239.160.22
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Scenario B: Edge to Edge tunnels when micro-service communication happens across edges without involving hubs

Image Added


Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for EdgeA
collapsetrue
CR on sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeA
collapsetrue
Strongswan configs for sdewan cnf on edgeA:

conn edgeA-connection_A
  left=%any
  right=10.239.40.42
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for EdgeB
collapsetrue
CR on sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Scenario C: Hub to hub tunnel when inter micro-service communication across edges that attached to different traffic hubs

Image Added

Section
bordertrue


Column
width40%



Code Block
languageyml
titleSample CR for edgeA
collapsetrue
CR for sdewan cnf on edgeA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.160.22/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeA
collapsetrue
Strongswan configs for sdewan cnf on edgeA:

conn edgeB-connection_A
  left=%any
  right=10.239.160.22
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.160.22/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%



Code Block
languageyml
titleSample CR for edgeB
collapsetrue
CR for sdewan cnf on edgeB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: edgeB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_subnet: 0.0.0.0/0, 10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for edgeB
collapsetrue
Strongswan configs for sdewan cnf on edgeB:

conn edgeB-connection_A
  left=%any
  right=10.239.40.42
  localsourceip=%config
  rightsubnet=0.0.0.0/0,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for HubA
collapsetrue
CR on sdewan on hubA:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_sourceip: 172.12.0.30-172.12.0.45
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubA
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.40.42
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      local_subnet: 172.12.0.1/24,10.239.160.22/32
      remote_subnet: 172.12.1.1/24,10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for HubA
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn HubA-connection_A
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsourceip=172.12.0.30-172.12.0.45
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.0.1/24,10.239.160.22/32
  rightsubnet=172.12.1.1/24,10.239.40.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel




Section
bordertrue


Column
width40%


Code Block
languageyml
titleSample CR for HubB
collapsetrue
CR on sdewan on hubB:

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: %any
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      remote_sourceip: 172.12.1.31-172.12.1.35
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

---

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: HubB
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: 10.239.160.22
  authentication_method: psk
  pre_shared_key: test
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_B
      type: tunnel
      mode: start
      remote_subnet: 172.12.0.1/24,10.239.160.22/32
      local_subnet: 172.12.1.1/24,10.239.40.42/32
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True



Column
width20%

The CRs defined will then be interpreted into some IPSec configuration that could be recognized by Openwrt and then translate to Strongswan configs


Column
width40%


Code Block
languageyml
titleStrongswan configs for HubB
collapsetrue
Strongswan configs for sdewan cnf on hub:

conn HubB-connection_A
  left=%any
  leftsubnet=172.12.1.1/24,10.239.40.42/32
  rightsourceip=172.12.1.31-172.12.1.35
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel
conn HubA-connection_B
  left=%any
  leftsubnet=172.12.1.1/24,10.239.40.42/32
  rightsubnet=172.12.0.1/24,10.239.160.42/32
  leftauth=psk
  rightauth=psk
  auto=start
  keyexchange=ikev2
  ike=aes192-sha1-modp3072
  esp=aes192-sha1-modp3072
  type=tunnel



Overall scenarios

Here shows the overall scenario we want to achieve in the ICN SDEWAN case.

...