Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

Introduction

ICN SDEWAN solution leverages IPSec functionality in SD-EWAN CNF to setup security tunnel to enable communication between ONAP4K8S/APPX Manager with Edge cluster or Edge cluster with Edge cluster. There are several solutions in OpenWRT to implement IPSec, include: Openswan, Racoon, and StrongSwan. ICN will use StrongSwan solution.

OpenWRT StrongSwan Basic

Service Start Flow:

StrongSwan application is run by command: "/etc/init.d/ipsec start", this command will generate StrongSwan's configuration (e.g. /etc/ipsec/*) based on openwrt configuration (e.g. /etc/config/ipsec) then start ipsec application as daemon, below diagram shows its flow

Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table

SectionOptionTypeStrongSwan configuration fileStrongSwan configuration option Description
ipsec



Global configuration 

debugintstrongswan.confsyslogwhether to enable log information

rtinstall_enabledbooleanstrongswan.confinstall_routes

ignore_routing_tablesliststrongswan.confignore_routing_tables

interfaceliststrongswan.confinterfaces_use
remote 



Define a group remote tunnels with same security configuration

tunnellist 



transport list



enabled boolean 

whether this configuration is enabled 

gateway String 

ipsec.secrets

ipsec.conf

local_gateway/remote_gateway

right 



pre_shared_key String ipsec.secrets PSK 

auth_method String ipsec.conf leftauth/rightauth 

local_identifier String 

ipsec.secrets

ipsec.conf

 

local_identifier

leftid 



remote_identifier String 

ipsec.secrets

ipsec.conf

 

remote_identifier

rightid



crypto_proposal listipsec.conf ike 

force_crypto_proposal boolean


tunnel

/transport





Define configuration for a tunnel or transport

modeString ipsec.conf auto

local_subnetString ipsec.conf leftsubnet

local_natString ipsec.conf leftsubnet

local_sourceipString ipsec.conf leftsourceip

local_updownString ipsec.conf leftupdown

local_firewallString ipsec.conf leftfirewall

remote_subnetString ipsec.conf rightsubnet

remote_sourceipString ipsec.conf rightsourceip

remote_updownString ipsec.conf rightupdown

remote_firewallString ipsec.conf rightfirewall

ikelifetime String ipsec.conf ikelifetime

lifetime String ipsec.conf lifetime

margintime  String  ipsec.conf margintime 

keyingtries String  ipsec.conf  keyingtries 

dpdaction String  ipsec.conf  dpdaction 

dpddelay String  ipsec.conf  dpddelay 

inactivity  boolean ipsec.conf  inactivity  

keyexchange  String  ipsec.conf  keyexchange  

crypto_proposal list ipsec.conf  esp
proposal  



Define configuration for a proposal 

encryption_algorithm String   ipsec.conf   ike/esp 

hash_algorithm String   ipsec.conf   ike/esp 

dh_groupString  ipsec.conf  ike/esp

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

SDEWAN IPSec CRD
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway:
  pre_shared_key:
  auth_method:
  local_identifier:
  remote_identifier:
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode:
    local_subnet:
    local_nat:
    local_sourceip:
    local_updown:
    local_firewall:
    remote_subnet:
    remote_sourceip:
    remote_updown:
    remote_firewall:
    keyexchange: "ikev2"
    inactivity:
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - encryption_algorithm:
    hash_algorithm:
    dh_group:

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    proposalsbodyarraya list of defined proposals
  • Response Example

    {
        "proposals": [

            {

                "name":"proposal1",

                "encryption_algorithm":

                "hash_algorithm":

                "dh_group":

            }

        ]
    }


GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

Get a proposal

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    proposalpathstringproposal name

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodyint
  • Response Example

    {

          "name":"proposal1",

          "encryption_algorithm":

          "hash_algorithm":

          "dh_group":

    }

POST /cgi-bin/luci/sdewan/ipsec/v1/proposal

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

update a proposal

Request:

  • Request Parameters:

    Name

    In

    Type

    Description

    proposalpathstringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodyint
  • Request Example

    {

          "encryption_algorithm":

          "hash_algorithm":

          "dh_group":

    }

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

delete a proposal

Request:

  • Request Parameters

    Name

    In

    Type

    Description

    proposalpathstringproposal name

Response

  • Normal response codes: 200
  • Error response codes: 401, 404

IPSec Site

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

Lists all defined sites

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    sitesbodyarraya list of defined sites
  • Response Example

    {
        "sites": [

            {

                "name": "site1"

                "gateway":"10.10.10.10",

                "crypto_proposal": "proposal1"

                "connections": [

                  {

                    "type": "tunnel"

                    "local_subnet":

                    "remote_subnet":

                    "crypto_proposal": "proposal1"

                  }

            }

        ]
    }


GET /cgi-bin/luci/sdewan/ipsec/v1/site/{site}

Get a site

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    sitepathstringremote site name

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringsite name
    gatewaybodystring
    pre_shared_keybodystring
    auth_methodbodystring
    local_identifier body  string 
    remote_identifier body  string 
    crypto_proposal body  string 
    force_crypto_proposal body  boolean 
    connection body array 
    type body string "tunnel" or "transport" 
    mode body  string 
    local_subnet body string 
    local_natbody string 
    local_sourceip body string 
    local_updown body string 
    local_firewall body string firewall rule?
    remote_subnet body string 
    remote_sourceip body string 
    remote_updown body string 
    remote_firewallbodystring 
    keyexchange body string default: ikev2 
    inactivity body boolean 
    crypto_proposal body string 
  • Response Example

    {

         "name": "site1"

         "gateway":"10.10.10.10",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }

POST /cgi-bin/luci/sdewan/ipsec/v1/site

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/site/{site}

update a site

Request:

  • Request Parameters:

    Name

    In

    Type

    Description

    sitepathstringremote site name
    other paramsbody
    Same with Get's response
  • Request Example

    {

         "gateway":"10.10.10.10",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


DELETE /cgi-bin/luci/sdewan/ipsec/v1/site/{site}

delete a site

Request:

  • Request Parameters

    Name

    In

    Type

    Description

    sitepathstringremote site name

Response

  • Normal response codes: 200
  • Error response codes: 401, 404
  • No labels