Introduction
ICN SDEWAN solution leverages IPSec functionality in SD-EWAN CNF to setup security tunnel to enable communication between ONAP4K8S/APPX Manager with Edge cluster or Edge cluster with Edge cluster. There are several solutions in OpenWRT to implement IPSec, include: Openswan, Racoon, and StrongSwan. ICN will use StrongSwan solution.
OpenWRT StrongSwan Basic
Service Start Flow:
StrongSwan application is run by command: "/etc/init.d/ipsec start", this command will generate StrongSwan's configuration (e.g. /etc/ipsec/*) based on openwrt configuration (e.g. /etc/config/ipsec) then start ipsec application as daemon, below diagram shows its flow
Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table
Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Description |
---|---|---|---|---|---|
ipsec | Global configuration | ||||
debug | int | strongswan.conf | syslog | whether to enable log information | |
rtinstall_enabled | boolean | strongswan.conf | install_routes | ||
ignore_routing_tables | list | strongswan.conf | ignore_routing_tables | ||
interface | list | strongswan.conf | interfaces_use | ||
remote | Define a group remote tunnels with same security configuration | ||||
tunnel | list | ||||
transport | list | ||||
enabled | boolean | whether this configuration is enabled | |||
gateway | String | ipsec.secrets ipsec.conf | local_gateway/remote_gateway right | ||
pre_shared_key | String | ipsec.secrets | PSK | ||
auth_method | String | ipsec.conf | leftauth/rightauth | ||
local_identifier | String | ipsec.secrets ipsec.conf | local_identifier leftid | ||
remote_identifier | String | ipsec.secrets ipsec.conf | remote_identifier rightid | ||
crypto_proposal | list | ipsec.conf | ike | ||
force_crypto_proposal | boolean | ||||
tunnel /transport | Define configuration for a tunnel or transport | ||||
mode | String | ipsec.conf | auto | ||
local_subnet | String | ipsec.conf | leftsubnet | ||
local_nat | String | ipsec.conf | leftsubnet | ||
local_sourceip | String | ipsec.conf | leftsourceip | ||
local_updown | String | ipsec.conf | leftupdown | ||
local_firewall | String | ipsec.conf | leftfirewall | ||
remote_subnet | String | ipsec.conf | rightsubnet | ||
remote_sourceip | String | ipsec.conf | rightsourceip | ||
remote_updown | String | ipsec.conf | rightupdown | ||
remote_firewall | String | ipsec.conf | rightfirewall | ||
ikelifetime | String | ipsec.conf | ikelifetime | ||
lifetime | String | ipsec.conf | lifetime | ||
margintime | String | ipsec.conf | margintime | ||
keyingtries | String | ipsec.conf | keyingtries | ||
dpdaction | String | ipsec.conf | dpdaction | ||
dpddelay | String | ipsec.conf | dpddelay | ||
inactivity | boolean | ipsec.conf | inactivity | ||
keyexchange | String | ipsec.conf | keyexchange | ||
crypto_proposal | list | ipsec.conf | esp | ||
proposal | Define configuration for a proposal | ||||
encryption_algorithm | String | ipsec.conf | ike/esp | ||
hash_algorithm | String | ipsec.conf | ike/esp | ||
dh_group | String | ipsec.conf | ike/esp |
IPSec CRD
IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.
apiVersion: sdewan.akraino.org/v1alpha1 kind: IPSecSite metadata: name: site1 spec: node: node1 gateway: pre_shared_key: auth_method: local_identifier: remote_identifier: crypto_proposal: "proposal1" force_crypto_proposal: true connection: - type: tunnel/transport mode: local_subnet: local_nat: local_sourceip: local_updown: local_firewall: remote_subnet: remote_sourceip: remote_updown: remote_firewall: keyexchange: "ikev2" inactivity: crypto_proposal: "proposal1 proposal2" proposal: - encryption_algorithm: hash_algorithm: dh_group:
IPSec Rest API
SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.
IPSec Proposal
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
Lists all defined proposals
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
proposals body array a list of defined proposals Response Example
{
"proposals": [{
"name":"proposal1",
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
]
}
GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
Get a proposal
Request: N/A
Request Parameters
Name
In
Type
Description
proposal path string proposal name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body int Response Example
{
"name":"proposal1",
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
POST /cgi-bin/luci/sdewan/ipsec/v1/proposal
create a new proposal
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
update a proposal
Request:
Request Parameters:
Name
In
Type
Description
proposal path string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body int - Request Example
{
"encryption_algorithm":
"hash_algorithm":
"dh_group":
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}
delete a proposal
Request:
Request Parameters
Name
In
Type
Description
proposal path string proposal name
Response
- Normal response codes: 200
- Error response codes: 401, 404
IPSec Site
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
Lists all defined sites
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
sites body array a list of defined sites Response Example
{
"sites": [{
"name": "site1"
"gateway":"10.10.10.10",
"crypto_proposal": "proposal1"
"connections": [
{
"type": "tunnel"
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1"
}
}
]
}
GET /cgi-bin/luci/sdewan/ipsec/v1/site/{site}
Get a site
Request: N/A
Request Parameters
Name
In
Type
Description
site path string remote site name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body string site name gateway body string pre_shared_key body string auth_method body string local_identifier body string remote_identifier body string crypto_proposal body string force_crypto_proposal body boolean connection body array type body string "tunnel" or "transport" mode body string local_subnet body string local_nat body string local_sourceip body string local_updown body string local_firewall body string firewall rule? remote_subnet body string remote_sourceip body string remote_updown body string remote_firewall body string keyexchange body string default: ikev2 inactivity body boolean crypto_proposal body string Response Example
{
"name": "site1"
"gateway":"10.10.10.10",
"crypto_proposal": "proposal1"
"connections": [
{
"type": "tunnel"
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1"
}
}
POST /cgi-bin/luci/sdewan/ipsec/v1/site
create a new proposal
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/site/{site}
update a site
Request:
Request Parameters:
Name
In
Type
Description
site path string remote site name other params body Same with Get's response - Request Example
{
"gateway":"10.10.10.10",
"crypto_proposal": "proposal1"
"connections": [
{
"type": "tunnel"
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1"
}
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/ipsec/v1/site/{site}
delete a site
Request:
Request Parameters
Name
In
Type
Description
site path string remote site name
Response
- Normal response codes: 200
- Error response codes: 401, 404