Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SectionOptionTypeStrongSwan configuration fileStrongSwan configuration optionValidated values Description
ipsec




Global configuration 

debugintstrongswan.confcharon.syslog
whether to enable log information

rtinstall_enabledbooleanstrongswan.confcharon.install_routes
Install routes into a separate routing table for established IPsec tunnels.

ignore_routing_tablesliststrongswan.confcharon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookup.

interfaceliststrongswan.confcharon.interfaces_use
A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
remote 




Define a group remote tunnels with same security configuration

tunnellist 




transport list




enabled boolean 


whether this configuration is enabled 

gateway String 

ipsec.secrets

ipsec.conf

local_gateway/remote_gateway

right 

192.168.0.5Defines the counter party ip address here

pre_shared_key String ipsec.secrets PSK 
Add the PSK inside the secrets file

auth_method String ipsec.conf leftauth/rightauth pubkey, psk, eap, xauthDefines the auth method that going to be used by two counter parties.

local_identifier String 

ipsec.secrets

ipsec.conf

 

local_identifier

leftid 

"C=CH, O=strongSwan, CN=peer"Assigns a specific identifier for the itself (This identity will be send to the counter party inside the request)

remote_identifier String 

ipsec.secrets

ipsec.conf

 

remote_identifier

rightid

"C=CH, O=strongSwan, CN=peerB"Assigns a specific identifier for the counter party

crypto_proposal listipsec.conf ike default: aes128-sha256-modp3072Defines list of IKE/ISAKMP SA encryption/authentication algorithms to be used

force_crypto_proposal boolean



tunnel

/transport






Define configuration for a tunnel or transport

modeString ipsec.conf autoadd/start/routeSets the operation for the connection while starts. 

local_subnetString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_natString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_sourceipString ipsec.conf leftsourceip192.168.1.2, %configSets the ip address of local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party

local_updownString ipsec.conf leftupdown<path_to_script>The Updown plugin can be used to set custom firewall rules.

local_firewallString ipsec.conf leftfirewallyes, no(default)Whether the local site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

remote_subnetString ipsec.conf rightsubnet192.168.0.1/24Mostly used in site-to-site case. Sets the subnet of the counter party

remote_sourceipString ipsec.conf rightsourceip192.168.0.2, 192.168.0.3-192.168.0.15Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip

remote_updownString ipsec.conf rightupdown<path_to_script>The path to the updown script to run to adjust routing and/or firewalling when the status of the connection
changes

remote_firewallString ipsec.conf rightfirewallyes, no(default)Whether the remote site is doing forwarding-firewalling (including masquerading)
using iptables for traffic from left|rightsubnet

*ikelifetimeString ipsec.conf ikelifetime60m3h(default)

Sets the life time of the ike process before its re-negotiation.

(Currently using default value)


*lifetimeString ipsec.conf lifetime1h(default)

Set the life time of a particular instance would last.

(Currently using default value)


*margintime String  ipsec.conf margintime 9m(default)

Sets how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin.

(Currently using default value)


*keyingtries String  ipsec.conf  keyingtries 3(default)

Sets the maxium attempts to negotiate for a connection.

(Currently using default value)


*dpdaction String  ipsec.conf  dpdaction clear, hold, restart, none(default)Sets the action against peer timeout, validated through Dead Peer Protection Protocol. (Currently using default value)

*dpddelay String  ipsec.conf  dpddelay 30s(default)Defines the time interval for the informational exchange sent to peerinactivity . (Currently using default value)

*inactivity boolean boolean ipsec.conf  inactivity 30mDefines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. (Currently using default value)

*keyexchange String  ipsec.conf  keyexchange ikev2, ikev1, ike(default, same as ikev2)

Defines the protocol being used to initialize the connection.

(Currently using default value)


crypto_proposal list ipsec.conf  espaes128-sha256(default)Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection

*local_public_certStringproposal  Define configuration for a proposal encryption_algorithm String   ipsec.conf   ike/esp aes128Defines the encryption algorithm(together in ike)hash_algorithm leftcertpeer.der/peer.pem

Sets the path of the local certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*remote_public_certStringString   ipsec.conf   ike/esp sha256Defines the hash algorithm(together in ike)dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

Code Block
languageyml
titleSDEWAN IPSec CRD
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway: 10.0.1.1
  pre_shared_key:
  auth_method: psk
  local_identifier: "C=CH, O=strongSwan, CN=peer"
  remote_identifier: "C=CH, O=strongSwan, CN=peerB"
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode: start
    local_subnet: 192.168.1.1/24
    local_nat:
    local_sourceip: 10.0.1.1
    local_updown: 
    local_firewall:
    remote_subnet: 192.168.0.1/24
    remote_sourceip: 10.0.1.2
    remote_updown:
    remote_firewall:
    keyexchange: ikev2
    inactivity: 30m
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

rightcertpeerB.der/peerB.pem

Sets the path of the remote certificate used for authentication

NOTE: This is a key that currently not supported by OpenWrt


*local_private_certString/etc/ipsec.d/private

Puts the path of private key for the certificate. Maybe not needed for the CRD. But need to upload the file. NOTE: This is a key that currently not supported by OpenWrt

*shared_caString/etc/ipsec.d/cacerts

Puts the shared CA for auth. Maybe not needed for CRD, but need to upload the file. NOTE: This is a key that currently not supported by OpenWrt
proposal  




Define configuration for a proposal 

encryption_algorithm String   ipsec.conf   ike/esp aes128Defines the encryption algorithm(together in ike)

hash_algorithm String   ipsec.conf   ike/esp sha256Defines the hash algorithm(together in ike)

dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

Code Block
languageyml
titleSDEWAN IPSec CRD
apiVersion: sdewan.akraino.org/v1alpha1 
kind: IPSecSite 
metadata: 
  name: site1 
spec:
  node: node1
  gateway: 10.0.1.2
  pre_shared_key: test123
  auth_method: psk
  local_identifier: "C=CH, O=strongSwan, CN=peer"
  remote_identifier: "C=CH, O=strongSwan, CN=peerB"
  crypto_proposal: "proposal1"
  force_crypto_proposal: true
  connection:
  - type: tunnel/transport
    mode: start
    local_subnet: 192.168.1.1/24
    local_nat:
    local_sourceip: 10.0.1.1
    local_updown: 
    local_firewall:
    remote_subnet: 192.168.0.1/24
    remote_sourceip: 10.0.1.2
    remote_updown:
    remote_firewall:
    crypto_proposal: "proposal1 proposal2"
  proposal:
  - encryption_algorithm: aes128
    hash_algorithm: sha256
    dh_group: modp3072

IPSec Rest API

SD-EWAN IPSec Restful API provides support to get/create/update/delete IPSec Site, Proposal.

IPSec Proposal

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    proposalsbodyarraya list of defined proposals


  • Response Example

    {
        "proposals": [

            {

                "name":"proposal1",

                "encryption_algorithm": "aes128",

                "hash_algorithm": "sha256",

                "dh_group": "modp3072"

            }

        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

Get a proposal

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    proposalpathstringproposal name


Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodystringDiffie-Hellman group


  • Response Example

    {

          "name":"proposal1",

          "encryption_algorithm": "aes128",

          "hash_algorithm": "sha256",

          "dh_group": "modp3072"

    }


POST /cgi-bin/luci/sdewan/ipsec/v1/proposal

create a new proposal

Request:

  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example

Response

  • Normal response codes: 201
  • Error response codes: 400, 401


PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

update a proposal

Request:

  • Request Parameters:

    Name

    In

    Type

    Description

    proposalpathstringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodystringDiffie-Hellman group


  • Request Example


    {

          "encryption_algorithm": "aes256",

          "hash_algorithm": "sha256",

          "dh_group": "modp4096"

    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404


DELETE GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

Lists all defined proposals

Request: N/A

Response

/proposal/{proposal}

delete a proposal

Request:

  • Request

  • Normal response codes: 200
  • Response Parameters

    proposalsbody

    Name

    In

    Type

    Description

    proposalpatharraya list of defined proposals

    Response Example

    {
        "proposals": [

            {

                "name":"proposal1",

                "encryption_algorithm": "aes128",

                "hash_algorithm": "sha256",

                "dh_group": "modp3072"

            }

        ]
    }

    stringproposal name


Response

  • Normal response codes: 200
  • Error response codes: 401, 404


IPSec Site

GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}Get a proposalsites

Lists all defined sites

Request: N/A

Request Parameters

...

Name

...

In

...

Type

...

Description

...

...

Response

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namesitesbodystringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodystringDiffie-Hellman group

    Response Example

    {

          "name":"proposal1",

          "encryption_algorithm": "aes128",

          "hash_algorithm": "sha256",

          "dh_group": "modp3072"

    }

    arraya list of defined sites


  • Response Example

    {
        "sites": [

            {

                "name": "site1"

                "gateway":"10.10.10.10",

                "crypto_proposal": "proposal1",

                "connections": [

                  {

                    "type": "tunnel"

                    "local_subnet": "192.168.1.1/24",

                    "remote_subnet": "192.168.0.1/24",

                    "crypto_proposal": "proposal1"

                  }

            }

        ]
    }



GET POST  /cgi-bin/luci/sdewan/ipsec/v1/proposalsite/{site}

Get a sitecreate a new proposal

Request: N/A

  • Request Parameters: same with GET's response request

    Request Example: same with GET's response example

    Name

    In

    Type

    Description

    sitepathstringremote site name


Response

  • Normal response codes: 201200
  • Error response codes: 400, 401

PUT /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

update a proposal

Request:

Request Parameters:

...

Name

...

In

...

Type

...

Description

...

{

      "encryption_algorithm": "aes256",

      "hash_algorithm": "sha256",

      "dh_group": "modp4096"

}

  • code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringsite name
    nodebodystringidentifier for CNF
    gatewaybodystring
    pre_shared_keybodystringOptional, only if using the PSK authentication mode
    auth_methodbodystring
    local_identifier body  string 
    remote_identifier body  string 
    crypto_proposal body  string 
    force_crypto_proposal body  boolean 
    connection body array 
    type body string "tunnel" or "transport" 
    mode body  string 
    local_subnet body string 
    local_natbody string 
    local_sourceip body string 
    local_updown body string 
    local_firewall body string firewall rule?
    remote_subnet body string 
    remote_sourceip body string 
    remote_updown body string 
    remote_firewallbodystring 
    crypto_proposal body string 


  • Response Example

    {

         "name": "site1",

         "node": "node1",

         

Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404

DELETE /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

delete a proposal

Request:

Request Parameters

...

Name

...

In

...

Type

...

Description

...

Response

  • Normal response codes: 200
  • Error response codes: 401, 404

IPSec Site

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

Lists all defined sites

Request: N/A

Response

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    sitesbodyarraya list of defined sites

    Response Example

    {
        "sites": [

            {

                "name": "site1"

                "gateway":"10.10.10.10",

                     "crypto_proposal": "proposal1",

                     "connections": [

                        {

                             "type": "tunnel"

                             "local_subnet": "192.168.1.1/24",               

             "remote_subnet": "192.168.0.1/24",

                              "crypto_proposal": "proposal1"

                  }

                  }

        ]
    }


GET POST /cgi-bin/luci/sdewan/ipsec/v1/site/{site}

Get create a new site

Request: N/A

  • Request Parameters

    Name

    In

    Type

    Description

    sitepathstringremote site name

Response

  • : same with GET's response request

  • Request Example: same with GET's response example
  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

  • Name

    In

    Type

    Description

    namebodystringsite name
    gateway
    nodebodystring
    pre_shared_keybodystringauth_methodbodystringlocal_identifier body  string remote_identifier body  string crypto_proposal body  string force_crypto_proposal body  boolean connection body array type body string "tunnel" or "transport" mode body  string local_subnet body string local_natbody string local_sourceip body string local_updown body string local_firewall body string firewall rule?remote_subnet body string remote_sourceip body string remote_updown body string remote_firewallbodystring keyexchange body string default: ikev2 inactivity body boolean crypto_proposal body string 

    Response Example

    {

         "name": "site1"

         "gateway":"10.10.10.10",

         "crypto_proposal": "proposal1"

         "connections": [

          {

             "type": "tunnel"

             "local_subnet":

             "remote_subnet":

              "crypto_proposal": "proposal1"

          }

    }

POST /cgi-bin/luci/sdewan/ipsec/v1/site

create a new proposal

Request:

  • identifier for CNF
    gatewaybodystring
    pre_shared_keybodystringOptional, only if using the PSK authentication mode
    local_public_certbodystringOptional, only if using the public key authentication mode
    auth_methodbodystring
    local_identifier body  string 
    remote_identifier body  string 
    crypto_proposal body  string 
    force_crypto_proposal body  boolean 
    connection body array 
    type body string "tunnel" or "transport" 
    mode body  string 
    local_subnet body string 
    local_natbody string 
    local_sourceip body string 
    local_updown body string 
    local_firewall body string firewall rule?
    remote_subnet body string 
    remote_sourceip body string 
    remote_updown body string 
    remote_firewallbodystring 
    crypto_proposal body string 
  • Request Parameters: same with GET's response request

  • Request Example: same with GET's response example


Response

  • Normal response codes: 201
  • Error response codes: 400, 401

...