Versions Compared


SDEWAN IPSec Proposal CR (yaml):

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecProposal
metadata:
  name: test_proposal_1
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  encryption_algorithm: aes128
  hash_algorithm: sha256
  dh_group: modp3072
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


SDEWAN IPSec Site CR (yaml):

apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecSite
metadata:
  name: ipsecsite-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert:
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal:
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_subnet: 172.12.0.0/24, 10.239.160.22
      remote_sourceip: 172.12.0.30-172.12.0.45
      remote_subnet:
      mark: xxx
      crypto_proposal:
        - test_proposal_1
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True


SDEWAN IPSec Host CR (yaml):
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsechost-sample
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  type: route-based/policy-based
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_sourceip: xx.xx.xx.xx
      remote_subnet: xx.xx.xx.xx/xx
      mark: xxx
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True

Draft for route-based tunnel

ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.1.0.0/16 dev vti0

SDEWAN IPSec Route based CR (yaml):
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
  name: ipsec-route-based
  namespace: default
  labels:
    sdewanPurpose: cnf-1
spec:
  remote: xx.xx.xx.xx/%any
  authentication_method: psk
  pre_shared_key: xxx
  local_public_cert: 
  local_private_cert:
  shared_ca:
  local_identifier:
  remote_identifier:
  crypto_proposal: 
    - test_proposal_1
  connections:
    - connection_name: connection_A
      type: tunnel
      mode: start
      local_sourceip: %config
      remote_sourceip: xx.xx.xx.xx
      local_subnet: xx.xx.xx.xx/xx
      remote_subnet: xx.xx.xx.xx/xx
      mark_in: 0xffffffff
      mark_out: 0xffffffff
      crypto_proposal:
        - test_proposal_1 
status:
  appliedVersion: "1"
  appliedTime: "2020-04-12T09:28:38Z"
  inSync: True
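The draft commands and the route-based IpsecHost CR above describe the same tunnel from two sides. The following Python function is an added example, not SD-EWAN project code: it renders one connection entry of the CR into the `ip`/`sysctl` commands of the draft, so the two can be checked against each other. The field mapping is an assumption, since the page does not state one: local_sourceip/remote_sourceip become the tunnel endpoints, mark_in/mark_out become the VTI ikey/okey (a single `key` when they are equal), and remote_subnet becomes the route over the interface. The sample connection is constructed from the draft's addresses and key.

```python
"""Render a route-based IpsecHost connection into the `ip` commands of the draft.

Added example, not SD-EWAN project code. The CR-field to command mapping used
here is an assumption: local_sourceip/remote_sourceip -> tunnel endpoints,
mark_in/mark_out -> VTI ikey/okey, remote_subnet -> route(s) over the VTI.
"""
import ipaddress
from typing import Dict, List


def _parse_mark(value: str, field: str) -> int:
    """A mark is an unsigned 32-bit value written in hex (e.g. 0xffffffff)."""
    try:
        mark = int(value, 16)
    except (TypeError, ValueError):
        raise ValueError(f"{field}: {value!r} is not a hex mark")
    if not 0 < mark <= 0xFFFFFFFF:
        raise ValueError(f"{field}: {value!r} is outside 1..0xffffffff")
    return mark


def render_vti_commands(conn: Dict, ifname: str = "vti0") -> List[str]:
    """Return (not run) the shell commands that set up a route-based VTI for
    one `connections` entry of an IpsecHost CR."""
    # Both endpoints must be concrete addresses; "%config" (IKE-assigned) is
    # rejected here because a VTI cannot be created without a local address.
    local = ipaddress.ip_address(conn["local_sourceip"])
    remote = ipaddress.ip_address(conn["remote_sourceip"])
    ikey = _parse_mark(conn["mark_in"], "mark_in")
    okey = _parse_mark(conn["mark_out"], "mark_out")
    # remote_subnet may be one prefix or a comma-separated list, as in the site CR.
    subnets = [ipaddress.ip_network(s.strip(), strict=True)
               for s in conn["remote_subnet"].split(",")]

    key_opts = (f"key {ikey:#010x}" if ikey == okey
                else f"ikey {ikey:#010x} okey {okey:#010x}")
    cmds = [
        f"ip tunnel add {ifname} local {local} remote {remote} mode vti {key_opts}",
        # Traffic on the VTI is already ESP-protected, so XFRM policy checks
        # on the interface itself are disabled, as in the draft.
        f"sysctl -w net.ipv4.conf.{ifname}.disable_policy=1",
        f"ip link set {ifname} up",
    ]
    cmds += [f"ip route add {net} dev {ifname}" for net in subnets]
    return cmds


# Constructed sample: the draft's endpoints, key and route, written as a CR entry.
SAMPLE_CONNECTION = {
    "connection_name": "connection_A", "type": "tunnel", "mode": "start",
    "local_sourceip": "192.168.0.1", "remote_sourceip": "192.168.0.2",
    "remote_subnet": "10.1.0.0/16",
    "mark_in": "0x01000201", "mark_out": "0x01000201",
}

if __name__ == "__main__":
    for line in render_vti_commands(SAMPLE_CONNECTION):
        print(line)
```

The commands are returned as strings rather than executed, so they can be reviewed or diffed against what the CNF actually applied. A mark outside 1..0xffffffff, a range such as 172.12.0.30-172.12.0.45 in remote_subnet, or a local_sourceip of %config all raise ValueError before anything reaches the kernel.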

IPSec Rest API

The SD-EWAN IPSec RESTful API supports get/create/update/delete of IPSec Sites and Proposals.

IPSec Proposal

POST /cgi-bin/luci/sdewan/ipsec/v1/proposals

create a new proposal

Request:

  • Request Parameters: same as the PUT request

  • Request Example: same as the PUT example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

update a proposal

Request:

  • Request Parameters:

    Name                  In    Type    Description
    proposal-name         path  string  proposal name
    encryption_algorithm  body  string  encryption algorithm
    hash_algorithm        body  string  hash algorithm
    dh_group              body  string  Diffie-Hellman group

  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/proposal1

    {
        "encryption_algorithm": "aes256",
        "hash_algorithm": "sha256",
        "dh_group": "modp4096"
    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name       In    Type   Description
    proposals  body  array  an array of defined proposals

  • Response Example

    {
        "proposals": [
            {
                "name": "proposal1",
                "encryption_algorithm": "aes128",
                "hash_algorithm": "sha256",
                "dh_group": "modp3072"
            }
        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

Get a proposal

Request: N/A

  • Request Parameters

    Name           In    Type    Description
    proposal-name  path  string  proposal name

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name                  In    Type    Description
    name                  body  string  proposal name
    encryption_algorithm  body  string  encryption algorithm
    hash_algorithm        body  string  hash algorithm
    dh_group              body  string  Diffie-Hellman group

  • Response Example

    {
        "name": "proposal1",
        "encryption_algorithm": "aes128",
        "hash_algorithm": "sha256",
        "dh_group": "modp3072"
    }


DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}

delete a proposal

Request:

  • Request Parameters

    Name           In    Type    Description
    proposal-name  path  string  proposal name

Response

  • Normal response codes: 200
  • Error response codes: 401, 404

IPSec Site

POST /cgi-bin/luci/sdewan/ipsec/v1/sites

create a new site

Request:

  • Request Parameters: same as the PUT request

  • Request Example: same as the PUT example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

update a site

Request:

  • Request Parameters:

    Name                   In    Type     Required  Description
    site-name              path  string   Y         Site name
    gateway                body  string   Y         The corresponding responder
    pre_shared_key         body  string   N         Optional, only if using the PSK authentication mode
    local_public_cert      body  string   N         Optional, only if using the public key authentication mode. Public key used for auth.
    local_private_cert     body  string   N         Optional, only if using the public key authentication mode. Private key used for auth.
    shared_ca              body  string   N         Optional, only if using the public key authentication mode. CA information
    authentication_method  body  string   Y         Either 'psk' or 'pubkey' as the authentication method.
    local_identifier       body  string   N         The identifier for the local host
    remote_identifier      body  string   N         The identifier for the remote counterparty
    crypto_proposal        body  list     Y         Proposal names used for the IKE process
    force_crypto_proposal  body  boolean  N         The flag on forcing the proposal or not
    connections            body  list     Y         List of connectionArray

    connectionArray:

    Name             In    Type    Required  Description
    name             body  string  Y         Connection name
    type             body  string  Y         Type of connection. Either "tunnel" or "transport"
    mode             body  string  Y         Mode used for the connection. Either 'add', 'route' or 'start'
    local_subnet     body  string  N         Defines the local subnet.
    local_nat        body  string  N         Defines the local NAT; if present, it replaces local_subnet
    local_sourceip   body  string  N         Defines the local source IP
    local_updown     body  string  N         Defines the local iptables rules.
    local_firewall   body  string  N         Flag used to determine whether to enable the local firewall rules or not
    remote_subnet    body  string  N         Defines the subnet of the counterparty
    remote_sourceip  body  string  N         Defines the source IP of the counterparty
    remote_updown    body  string  N         Defines the iptables rules applied for the counterparty
    remote_firewall  body  string  N         Flag used to determine whether to enable the remote firewall rules or not
    crypto_proposal  body  string  N         Crypto proposal used for ESP

  • Request Example

    PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/sites

    {
        "name": "site1",
        "gateway": "10.1.0.2",
        "crypto_proposal": "proposal1",
        "connections": [
            {
                "name": "site_to_site",
                "type": "tunnel",
                "local_subnet": "",
                "remote_subnet": "",
                "crypto_proposal": "proposal2"
            }
        ]
    }

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

Lists all defined sites

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name   In    Type   Description
    sites  body  array  a list of defined sites

  • Response Example

    {
        "sites": [
            {
                "name": "site1",
                "gateway": "10.0.1.2",
                "authentication_method": "psk",
                "crypto_proposal": "proposal1",
                "connections": [
                    {
                        "name": "connA",
                        "type": "tunnel",
                        "local_subnet": "192.168.1.1/24",
                        "remote_subnet": "192.168.0.1/24",
                        "crypto_proposal": "proposal1"
                    }
                ]
            }
        ]
    }


GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

Get a site

Request: N/A

  • Request Parameters

    Name       In    Type    Description
    site-name  path  string  remote site name

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name                   In    Type     Required  Description
    name                   body  string   Y         Site name
    gateway                body  string   Y         The corresponding responder
    pre_shared_key         body  string   N         Optional, only if using the PSK authentication mode
    local_public_cert      body  string   N         Optional, only if using the public key authentication mode. Public key used for auth.
    local_private_cert     body  string   N         Optional, only if using the public key authentication mode. Private key used for auth.
    shared_ca              body  string   N         Optional, only if using the public key authentication mode. CA information
    authentication_method  body  string   Y         Either 'psk' or 'pubkey' as the authentication method.
    local_identifier       body  string   N         The identifier for the local host
    remote_identifier      body  string   N         The identifier for the remote counterparty
    crypto_proposal        body  list     Y         Proposal names used for the IKE process
    force_crypto_proposal  body  boolean  N         The flag on forcing the proposal or not
    connections            body  list     Y         List of connectionArray

    connectionArray:

    Name             In    Type    Required  Description
    name             body  string  Y         Connection name
    type             body  string  Y         Type of connection. Either "tunnel" or "transport"
    mode             body  string  Y         Mode used for the connection. Either 'add', 'route' or 'start'
    local_subnet     body  string  N         Defines the local subnet.
    local_nat        body  string  N         Defines the local NAT; if present, it replaces local_subnet
    local_sourceip   body  string  N         Defines the local source IP
    local_updown     body  string  N         Defines the local iptables rules.
    local_firewall   body  string  N         Flag used to determine whether to enable the local firewall rules or not
    remote_subnet    body  string  N         Defines the subnet of the counterparty
    remote_sourceip  body  string  N         Defines the source IP of the counterparty
    remote_updown    body  string  N         Defines the iptables rules applied for the counterparty
    remote_firewall  body  string  N         Flag used to determine whether to enable the remote firewall rules or not
    crypto_proposal  body  string  N         Crypto proposal used for ESP

  • Response Example

    {
        "name": "site1",
        "gateway": "10.1.0.2",
        "crypto_proposal": "proposal1",
        "connections": [
            {
                "name": "site_to_site",
                "type": "tunnel",
                "local_subnet": "",
                "remote_subnet": "",
                "crypto_proposal": "proposal2"
            }
        ]
    }
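The parameter tables above (the PUT proposal table, and the site and connectionArray tables) state which fields are required, that authentication_method is 'psk' or 'pubkey', and which values a connection's type and mode may take. The following Python validator is an added example, not SD-EWAN project code: it encodes those rules so that a malformed proposal or site body can be rejected before it reaches the CNF. The algorithm allowlists (taken from the values used in this page's examples), the reading that 'pubkey' requires both local certificate fields, and the sample bodies are assumptions constructed for this example.

```python
"""Validate SD-EWAN IPsec proposal and site request bodies.

Added example, not SD-EWAN project code. Encodes the parameter-table rules:
required fields, 'psk' vs 'pubkey' authentication, allowed connection 'type'
and 'mode' values, and that every referenced proposal name has been defined.
"""
from typing import Dict, List, Set

# Assumed allowlists: the values that appear in the examples on this page.
ENCRYPTION_ALGS = {"aes128", "aes256"}
HASH_ALGS = {"sha256"}
DH_GROUPS = {"modp3072", "modp4096"}
CONNECTION_TYPES = {"tunnel", "transport"}
CONNECTION_MODES = {"add", "route", "start"}
AUTH_METHODS = {"psk", "pubkey"}


def validate_proposal(body: Dict) -> List[str]:
    """Check a proposal body (POST/PUT .../proposals) against its table."""
    errors = []
    for field, allowed in (("encryption_algorithm", ENCRYPTION_ALGS),
                           ("hash_algorithm", HASH_ALGS),
                           ("dh_group", DH_GROUPS)):
        value = body.get(field)
        if not isinstance(value, str) or not value:
            errors.append(f"proposal: '{field}' is required and must be a string")
        elif value not in allowed:
            errors.append(f"proposal: '{field}' value {value!r} is not allowed")
    return errors


def _validate_connection(index: int, conn: Dict, proposals: Set[str]) -> List[str]:
    """Check one connectionArray entry."""
    where = f"connections[{index}]"
    if not isinstance(conn, dict):
        return [f"{where}: must be an object"]
    errors = []
    if not isinstance(conn.get("name"), str) or not conn["name"]:
        errors.append(f"{where}: 'name' is required")
    for field, allowed in (("type", CONNECTION_TYPES), ("mode", CONNECTION_MODES)):
        value = conn.get(field)
        if value is None:
            errors.append(f"{where}: '{field}' is required")
        elif value not in allowed:
            errors.append(f"{where}: '{field}' must be one of {sorted(allowed)}")
    esp = conn.get("crypto_proposal")  # optional, but must name a defined proposal
    if esp is not None and esp not in proposals:
        errors.append(f"{where}: unknown crypto_proposal {esp!r}")
    return errors


def validate_site(body: Dict, proposals: Set[str]) -> List[str]:
    """Check a site body (POST/PUT .../sites); `proposals` holds the names
    currently defined under .../proposals."""
    errors = []
    for field in ("name", "gateway"):
        if not isinstance(body.get(field), str) or not body[field]:
            errors.append(f"site: '{field}' is required")
    method = body.get("authentication_method")
    if method not in AUTH_METHODS:
        errors.append("site: 'authentication_method' must be 'psk' or 'pubkey'")
    elif method == "psk" and not body.get("pre_shared_key"):
        errors.append("site: 'pre_shared_key' is required with 'psk'")
    elif method == "pubkey":
        # Assumption: public-key auth needs both halves of the local key pair.
        for field in ("local_public_cert", "local_private_cert"):
            if not body.get(field):
                errors.append(f"site: '{field}' is required with 'pubkey'")
    # The table types crypto_proposal as a list, the examples send a string;
    # accept both and check that every name has been defined.
    ike = body.get("crypto_proposal")
    if ike is None:
        errors.append("site: 'crypto_proposal' is required")
    else:
        for name in ([ike] if isinstance(ike, str) else list(ike)):
            if name not in proposals:
                errors.append(f"site: unknown crypto_proposal {name!r}")
    conns = body.get("connections")
    if not isinstance(conns, list) or not conns:
        errors.append("site: 'connections' must be a non-empty list")
    else:
        for i, conn in enumerate(conns):
            errors.extend(_validate_connection(i, conn, proposals))
    return errors


# Constructed samples: defined proposal names, the site from the GET .../sites
# example above (with a PSK added), and one deliberately broken site.
DEFINED_PROPOSALS = {"proposal1", "proposal2"}
GOOD_SITE = {
    "name": "site1", "gateway": "10.0.1.2",
    "authentication_method": "psk", "pre_shared_key": "test123",
    "crypto_proposal": "proposal1",
    "connections": [{"name": "connA", "type": "tunnel", "mode": "start",
                     "local_subnet": "192.168.1.1/24",
                     "remote_subnet": "192.168.0.1/24",
                     "crypto_proposal": "proposal1"}],
}
BAD_SITE = {
    "name": "site2", "gateway": "10.0.1.3",
    "authentication_method": "psk",                 # no pre_shared_key
    "crypto_proposal": ["proposal1", "proposal9"],  # proposal9 is not defined
    "connections": [{"name": "connB", "type": "gre", "mode": "start",
                     "crypto_proposal": "proposal7"}],
}

if __name__ == "__main__":
    print(validate_site(GOOD_SITE, DEFINED_PROPOSALS))
    for err in validate_site(BAD_SITE, DEFINED_PROPOSALS):
        print(err)
```

The validator returns every violation rather than stopping at the first, which is what a 400 response body should carry back to the caller. Feeding it the names returned by GET .../proposals before accepting a site closes the gap where a site references a proposal that was deleted in between.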


DELETE /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}

...