...
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: sdewan sdewan.akraino.org/v1alpha1 kind: IpsecSite IpsecProposal metadata: name: ipsecsite-sample spec: name: test_proposal_1 sitesnamespace: default - namelabels: siteA gatewaysdewanPurpose: 10.0.1.2cnf-1 spec: pre_shared_keyencryption_algorithm: test123aes128 authenticationhash_methodalgorithm: psksha256 localdh_identifier: C=CH, O=strongSwan, CN=peergroup: modp3072 status: remote_identifier: C=CH, O=strongSwan, CN=peerBappliedVersion: "1" crypto_proposal:appliedTime: "2020-04-12T09:28:38Z" - proposal1 force_crypto_proposal: "0" connectionsinSync: True |
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: sdewan.akraino.org/v1alpha1 kind: IpsecSite metadata: name: ipsecsite-sample namespace: default labels: - name: connA sdewanPurpose: cnf-1 spec: type: tunnel/transportroute-based/policy-based remote: xx.xx.xx.xx modeauthentication_method: startpsk pre_shared_key: xxx local_public_subnetcert: 192.168.1.1/24 local_private_cert: shared_ca: local_sourceipidentifier: 10.0.1.1 remote_identifier: remote_subnet: 192.168.0.1/24crypto_proposal: - remote_sourceip: 10.0.1.2test_proposal_1 connections: - cryptoconnection_proposalname: connection_A - proposal2type: tunnel proposals: - namemode: proposal1start encryptionlocal_algorithmsubnet: aes128172.12.0.0/24, 10.239.160.22 hashremote_algorithmsourceip: sha256172.12.0.30-172.12.0.45 dhremote_groupsubnet: modp3072 - namemark: proposal2xxx encryptioncrypto_algorithmproposal: aes128 hash_algorithm: sha128 - test_proposal_1 status: appliedVersion: "1" appliedTime: dh_group: modp3072 |
IPSec Rest API
SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.
IPSec Proposal
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
Lists all defined proposals
Request: N/A
Response
"2020-04-12T09:28:38Z"
inSync: True
|
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
name: ipsechost-sample
namespace: default
labels:
sdewanPurpose: cnf-1
spec:
type: route-based/policy-based
remote: xx.xx.xx.xx/%any
authentication_method: psk
pre_shared_key: xxx
local_public_cert:
local_private_cert:
shared_ca:
local_identifier:
remote_identifier:
crypto_proposal:
- test_proposal_1
connections:
- connection_name: connection_A
type: tunnel
mode: start
local_sourceip: %config
remote_sourceip: xx.xx.xx.xx
remote_subnet: xx.xx.xx.xx/xx
mark: xxx
crypto_proposal:
- test_proposal_1
status:
appliedVersion: "1"
appliedTime: "2020-04-12T09:28:38Z"
inSync: True
|
Draft for route based tunnel
ip tunnel add vti0 local 192.168.0.1 remote 192.168.0.2 mode vti key 0x01000201 sysctl -w net.ipv4.conf.vti0.disable_policy=1 ip link set vti0 up ip route add 10.1.0.0/16 dev vti0
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: sdewan.akraino.org/v1alpha1
kind: IpsecHost
metadata:
name: ipsec-route-based
namespace: default
labels:
sdewanPurpose: cnf-1
spec:
remote: xx.xx.xx.xx/%any
authentication_method: psk
pre_shared_key: xxx
local_public_cert:
local_private_cert:
shared_ca:
local_identifier:
remote_identifier:
crypto_proposal:
- test_proposal_1
connections:
- connection_name: connection_A
type: tunnel
mode: start
local_sourceip: %config
remote_sourceip: xx.xx.xx.xx
local_subnet: xx.xx.xx.xx/xx
remote_subnet: xx.xx.xx.xx/xx
mark_in: 0xffffffff
mark_out: 0xffffffff
crypto_proposal:
- test_proposal_1
status:
appliedVersion: "1"
appliedTime: "2020-04-12T09:28:38Z"
inSync: True
|
IPSec Rest API
SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.
IPSec Proposal
POST /cgi-bin/luci/sdewan/ipsec/v1/proposals
create a new proposal
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
update a proposal
Request:
Request Parameters:
Name
In
Type
Description
proposal-name path string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body string Diffie-Hellman group - Request Example
PUT /cgi-bin/luci/sdewan/ipsec/proposals/proposal1
{
"encryption_algorithm": "aes256",
"hash_algorithm": "sha256",
"dh_group": "modp4096"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals
Lists all defined proposals
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
proposals body array a dict of defined proposals Response Example
{
"proposals": [{
"name": "proposal1",
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
]
}
GET /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
Get a proposal
Request: N/A
Request Parameters
Name
In
Type
Description
proposal-name path string proposal name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Description
name body string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body string Diffie-Hellman group Response Example
{
"name": "proposal1",
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
delete a proposal
Request:
Request Parameters
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
proposals proposal-name bodypath array a dict of defined proposalsstring proposal name
Response
...
...
{
"proposals": [
{
"name": "proposal1",
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
]
}
- Normal response codes: 200
- Error response codes: 401, 404
IPSec Site
POST /cgi-bin/luci/sdewan/ipsec/v1/sites
create a new site
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT GET /cgi-bin/luci/sdewan/ipsec/v1/proposalssites/{proposalsite-name}
Get update a proposalsite
Request: N/A
Request Parameters:
Name
In
Type
Description
proposal-name path string proposal name
Response
...
Response Parameters
...
Name
...
In
...
Type
...
Description
...
Response Example
...
{
"name": "proposal1",
"encryption_algorithm": "aes128",
"hash_algorithm": "sha256",
"dh_group": "modp3072"
}
Required Description
site-name path string Y Site name gateway body string Y The corresponding responder pre_shared_key body string N Optional, only if using the PSK authentication mode local_public_cert body string N Optional, only if using the public key authentication mode. Public key used for auth. local_private_cert body string N Optional, only if using the public key authentication mode. Private key used for auth. shared_ca body string N Optional, only if using the public key authentication mode. CA information authentication_method body string Y Either 'psk' or 'pubkey' as the authentication method. local_identifier body string N The identifier for localhost remote_identifier body string N The identifier for remote counter party crypto_proposal body list Y Proposal names used for ike process force_crypto_proposal body boolean N The flag on forcing the proposal or not connections body list Y List of connectionArray connectionArray
POST /cgi-bin/luci/sdewan/ipsec/v1/proposals
create a new proposal
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
update a proposal
Request:
Request Parameters:
Request ExampleName In Type Required Description proposal-name path string proposal name encryption_algorithm body string encryption algorithm hash_algorithm body string hash algorithm dh_group body string Diffie-Hellman group PUT /cgi-bin/luci/sdewan/ipsec/proposals/proposal1
{
"encryption_algorithm": "aes256",
"hash_algorithm": "sha256",
"dh_group": "modp4096"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposals/{proposal-name}
delete a proposal
Request:
Request Parameters
...
Name
...
In
...
Type
...
Description
...
name body string Y Connection name type body string Y Type of connection. Either "tunnel" or "transport" mode body string Y Mode used for connection. Either 'add', 'route' or 'start' local_subnet body string N Defines the local subnet. local_nat body string N Defines the local nat, if exists, replace the local_subnet local_sourceip body string N Defines the local source ip local_updown body string N Defines the local iptable rules. local_firewall body string N Flag used to determine whether to enable the local firewall rules or not remote_subnet body string N Defines the subnet of the counter party remote_sourceip body string N Defines the source ip of the counter party remote_updown body string N Defines the iptable rules applied for the counter party remote_firewall body string N Flag used to determine whether to enable the remote firewall rules or not crypto_proposal body string N Crypto proposal used for ESP - Request Example
PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/sites
{
Response
- Normal response codes: 200
- Error response codes: 401, 404
IPSec Site
GET /cgi-bin/luci/sdewan/ipsec/v1/sites
Lists all defined sites
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name
In
Type
Description
sites body array a list of defined sites Response Example
{
"sites": [{ "name": "site1",
"gateway": "10.1.0.1.2",
"authentication_method"name": "psksite1",
"crypto_proposal": "proposal1",
"connections": [
{
"name": "connAsite_to_site" ,
"type": "tunnel"
"local_subnet": "192.168.1.1/24",
"remote_subnet": "192.168.0.1/24",
"remote_subnet":
"crypto_proposal": "proposal1"
}
]
}
]
}}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}Get a site
Lists all defined sites
Request: N/AA
Response
- Normal response codes: 200
Response Request Parameters
Name
In
Type
Description
site-name path string remote site name
Response
...
Response Parameters
...
Name
...
In
...
Type
...
Description
...
connectionArray:
...
Response Example
sites body array a list of defined sites Response Example
{
"sites": [{ "name": "site1",
"gateway":"10.0.1.2",
"authentication_method": "psk",
"crypto_proposal": "proposal1",
"connections": [
{
"name": "connA"
"type": "tunnel"
"local_subnet": "192.168.1.1/24",
"remote_subnet": "192.168.0.1/24",
"crypto_proposal": "proposal1"
}
]
}
]
}
GET /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
Get a site
Request: N/A
Request Parameters
Name
In
Type
Description
site-name path string remote site name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name
In
Type
Required Description
name body string Y Site name gateway body string Y The corresponding responder pre_shared_key body string N Optional, only if using the PSK authentication mode local_public_cert body string N Optional, only if using the public key authentication mode. Public key used for auth. local_private_cert body string N Optional, only if using the public key authentication mode. Private key used for auth. shared_ca body string N Optional, only if using the public key authentication mode. CA information authentication_method body string Y Either 'psk' or 'pubkey' as the authentication method. local_identifier body string N The identifier for localhost remote_identifier body string N The identifier for remote counter party crypto_proposal body list Y Proposal names used for ike process force_crypto_proposal body boolean N The flag on forcing the proposal or not connections body list Y List of connectionArray connectionArray:
Name In Type Required Description name body string Y Connection name type body string Y Type of connection. Either "tunnel" or "transport" mode body string Y Mode used for connection. Either 'add', 'route' or 'start' local_subnet body string N Defines the local subnet. local_nat body string N Defines the local nat, if exists, replace the local_subnet local_sourceip body string N Defines the local source ip local_updown body string N Defines the local iptable rules. local_firewall body string N Flag used to determine whether to enable the local firewall rules or not remote_subnet body string N Defines the subnet of the counter party remote_sourceip body string N Defines the source ip of the counter party remote_updown body string N Defines the iptable rules applied for the counter party remote_firewall body string N Flag used to determine whether to enable the remote firewall rules or not crypto_proposal body string N Crypto proposal used for ESP Response Example
{
"name": "site1",
...
{
"name": "site1",
"gateway":"10.1.0.2",
"crypto_proposal": "proposal1"
"connections": [
{
"name": "site_to_site",
"type": "tunnel",
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal2"
}
]
}
POST /cgi-bin/luci/sdewan/ipsec/v1/sites
create a new site
Request:
Request Parameters: same with PUT's response request
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
update a site
Request:
Request Parameters:
Name
In
Type
Description
site-name path string remote site name other params body Same with Get's response Request ExamplePUT /cgi-bin/luci/sdewan/ipsec/v1/sites/sites
{
"gateway":"10.1.0.2", "name": "site1",
"crypto_proposal": "proposal1"
"connections": [
{
"name": "site_to_site",
"type": "tunnel",
"local_subnet":
"remote_subnet":
"crypto_proposal": "proposal1proposal2"
}
]
}
Response
- Normal response codes: 204 Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/ipsec/v1/sites/{site-name}
...