Introduction
ICN SDEWAN solution leverages IPSec functionality in SD-EWAN CNF to setup security tunnel to enable communication between ONAP4K8S/APPX Manager with Edge cluster or Edge cluster with Edge cluster. There are several solutions in OpenWRT to implement IPSec, include: Openswan, Racoon, and StrongSwan. ICN will use StrongSwan solution.
OpenWRT StrongSwan Basic
Service Start Flow:
StrongSwan application is run by command: "/etc/init.d/ipsec start", this command will generate StrongSwan's configuration (e.g. /etc/ipsec/*) based on openwrt configuration (e.g. /etc/config/ipsec) then start ipsec application as daemon, below diagram shows its flow
Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table
| Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Description |
|---|---|---|---|---|---|
| ipsec | Global configuration | ||||
| debug | int | strongswan.conf | syslog | whether to enable log information | |
| rtinstall_enabled | boolean | strongswan.conf | install_routes | ||
| ignore_routing_tables | list | strongswan.conf | ignore_routing_tables | ||
| interface | list | strongswan.conf | interfaces_use | ||
| remote | Define a group remote tunnels with same security configuration | ||||
| tunnel | list | ||||
| transport | list | ||||
| enabled | boolean | whether this configuration is enabled | |||
| gateway | String | ipsec.secrets ipsec.conf | local_gateway/remote_gateway right | ||
| pre_shared_key | String | ipsec.secrets | PSK | ||
| auth_method | String | ipsec.conf | leftauth/rightauth | ||
| local_identifier | String | ipsec.secrets ipsec.conf | local_identifier leftid | ||
| remote_identifier | String | ipsec.secrets ipsec.conf | remote_identifier rightid | ||
| crypto_proposal | list | ipsec.conf | ike | ||
| force_crypto_proposal | boolean | ||||
tunnel /transport | Define configuration for a tunnel or transport | ||||
| mode | String | ipsec.conf | auto | ||
| local_subnet | String | ipsec.conf | leftsubnet | ||
| local_nat | String | ipsec.conf | leftsubnet | ||
| local_sourceip | String | ipsec.conf | leftsourceip | ||
| local_updown | String | ipsec.conf | leftupdown | ||
| local_firewall | String | ipsec.conf | leftfirewall | ||
| remote_subnet | String | ipsec.conf | rightsubnet | ||
| remote_sourceip | String | ipsec.conf | rightsourceip | ||
| remote_updown | String | ipsec.conf | rightupdown | ||
| remote_firewall | String | ipsec.conf | rightfirewall | ||
| ikelifetime | String | ipsec.conf | ikelifetime | ||
| lifetime | String | ipsec.conf | lifetime | ||
| margintime | String | ipsec.conf | margintime | ||
| keyingtries | String | ipsec.conf | keyingtries | ||
| dpdaction | String | ipsec.conf | dpdaction | ||
| dpddelay | String | ipsec.conf | dpddelay | ||
| inactivity | boolean | ipsec.conf | inactivity | ||
| keyexchange | String | ipsec.conf | keyexchange | ||
| crypto_proposal | list | ipsec.conf | esp | ||
| proposal | Define configuration for a proposal | ||||
| encryption_algorithm | String | ipsec.conf | ike/esp | ||
| hash_algorithm | String | ipsec.conf | ike/esp | ||
| dh_group | String | ipsec.conf | ike/esp |
IPSec CRD
IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
name: site1
spec:
node: node1
gateway:
pre_shared_key:
auth_method:
local_identifier:
remote_identifier:
crypto_proposal: "proposal1"
force_crypto_proposal: true
connection:
- type: tunnel/transport
mode:
local_subnet:
local_nat:
local_sourceip:
local_updown:
local_firewall:
remote_subnet:
remote_sourceip:
remote_updown:
remote_firewall:
keyexchange: "ikev2"
inactivity:
crypto_proposal: "proposal1 proposal2"
proposal:
- encryption_algorithm:
hash_algorithm:
dh_group:
IPSec Rest API
SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.
IPSec Proposal:
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
Lists all defined proposals
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
proposals body array a list of defined proposals Response Example
{
"proposals": [{
"name":"proposal1",
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
]
}
GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
Get a proposal
Request: N/A
Request Parameters
Name
In
Type
Description
proposal path string proposal name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body int - Response Example
{
"name":"proposal1",
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
POST /cgi-bin/luci/sdewan/ipsec/v1/proposal
create a new proposal
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
update a proposal
Request:
Request Parameters:
Name
In
Type
Description
proposal path string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body int - Request Example
{
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
delete a proposal
Request:
Request Parameters
Name
In
Type
Description
proposal path string proposal name
Response
- Normal response codes: 200
- Error response codes: 401, 404