...

Sample CR for gatewayA
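# Sample IPSecSite CR for gatewayA (Scenario A, site-to-site).
# Sample values only; in a real deployment the PSK should be referenced
# from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: 192.168.1.11
  pre_shared_key: test123
  auth_method: psk
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@moon.strongswan.org"
  remote_identifier: "@sun.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      local_subnet: 10.1.0.1/24
      local_sourceip: 192.168.1.10
      # Quoted so the value stays the literal string `yes` on every parser
      # (YAML 1.1 reads a bare `yes` as the boolean true).
      local_firewall: "yes"
      remote_subnet: 10.2.0.1/24
      remote_firewall: "yes"
      keyexchange: ikev2
      crypto_proposal: proposal1
  # NOTE(review): the gatewayB sample names this key `proposal`; confirm
  # which spelling the CRD expects and use it in both samples.
  proposals:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072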

...

Sample CR for gatewayB
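# Sample IPSecSite CR for gatewayB (Scenario A, site-to-site; peer of siteA).
# Sample values only; in a real deployment the PSK should be referenced
# from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteB
spec:
  node: node2
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  # Identities mirror siteA's: siteA is @moon, siteB is @sun (the /sites
  # response for siteB shows the same). The original sample had both sites
  # claiming @moon as their local identity, which cannot match in IKE.
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@sun.strongswan.org"
  remote_identifier: "@moon.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      local_subnet: 10.2.0.1/24
      local_sourceip: 192.168.1.11
      # Quoted so the value stays the literal string `yes` on every parser
      # (YAML 1.1 reads a bare `yes` as the boolean true).
      local_firewall: "yes"
      remote_subnet: 10.1.0.1/24
      remote_firewall: "yes"
      keyexchange: ikev2
      crypto_proposal: proposal1
  proposal:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072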

...

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": { [

       “siteA": {

            "nodename": "node1“siteA",  //shows the tunnel belongs to which CNF

            "gateway":"192.168.1.11",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_subnet": "10.2.0.1/24",

                "crypto_proposal": "proposal1"

              }

            ]

        },

       "siteB": {            "nodename": "node2siteB",

            "gateway":"192.168.1.10",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "remote_identifier": "@moon.strongswan.org",

            "local_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.2.0.1/24",

                "remote_subnet": "10.1.0.1/24",

                "crypto_proposal": "proposal1"

              }

        ]

      }

   }]
}
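Review bot: The `/sites` read response returns `"pre_shared_key": "test123"` for every site (the siteA and siteB entries here, and again in the Scenario B and Scenario C responses), so any caller with read access to this endpoint can recover the IPsec PSKs. The API should treat the PSK as write-only: omit the key from list/get responses, or return a redacted placeholder such as `"pre_shared_key": "***"`, and state that in the endpoint description. The sample also carries a `//` comment inside the JSON body, which is fine as an illustration but will not parse if copied as a fixture; moving that remark into the surrounding text would avoid it. Parts of this sample are old and new text merged by the version comparison (e.g. `"nodename": "node1“siteA"`), so the exact new response shape is inferred.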

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": {[

          "proposal1":  {

              "crypto_algorithmname": "aes128proposal1",

              "hashcrypto_algorithm": "sha256aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

           }

     ]

}


Decomposed Scenario B: Host-to-Site tunnel 

...

Sample CR for gatewayA
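# Sample IPSecSite CR for gatewayA (Scenario B, host-to-site; peer is the
# roadwarrior). Sample values only; in a real deployment the PSK should be
# referenced from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: 192.168.1.15
  pre_shared_key: test123
  auth_method: psk
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@sun.strongswan.org"
  remote_identifier: "@roadwarrior.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      local_subnet: 10.1.0.1/24
      local_sourceip: 192.168.1.10
      remote_sourceip: 192.168.1.15
      crypto_proposal: proposal1
  proposal:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072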

...

Sample CR for roadwarrior
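# Sample IPSecSite CR for the roadwarrior host (Scenario B, host-to-site;
# peer is gatewayA). Sample values only; in a real deployment the PSK should
# be referenced from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@roadwarrior.strongswan.org"
  remote_identifier: "@sun.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      local_sourceip: 192.168.1.15
      remote_subnet: 10.1.0.1/24
      remote_sourceip: 192.168.1.10
      crypto_proposal: proposal1
  proposal:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072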

...

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites": {       “siteA": { [

       {    "nodename": "node1",  //shows the tunnel belongs to which CNFsiteA",

            "            "gateway":"192.168.1.11",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_sourceip": "192.168.1.15",

                "local_sourceip": "192.168.1.10",

                "crypto_proposal": "proposal1"

              }

            ]

        },

       "roadwarrior": {            "nodename": "node2roadwarrior",

            "gateway":"192.168.1.10",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "remote_identifier": "@moon.strongswan.org",

            "local_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_sourceip": "192.168.1.15",

                "remote_sourceip": "192.168.1.10",

                "remote_subnet": "10.1.0.1/24",

                "crypto_proposal": "proposal1"

              }

        ]

      }

   }]
}
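Review bot: The identifier and gateway values in this Scenario B `/sites` response do not match the Scenario B CRs above: gatewayA's CR sets `local_identifier: @sun.strongswan.org`, `remote_identifier: @roadwarrior.strongswan.org` and `gateway: 192.168.1.15`, while the siteA entry here still shows `@moon`/`@sun` and `"192.168.1.11"`, and the roadwarrior entry shows `@sun` as its local identifier instead of `@roadwarrior`. The sample looks to be carried over from Scenario A; the Scenario C `/sites` response has the same mismatch against its CRs (`gateway: any`, `@moon`/`@roadwarrior`). Regenerating both response samples from the CRs would let readers cross-check the API output. This section is a merged old/new rendering, so some of these values may belong to the previous page version.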

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": {[

        {     "name": "proposal1": {,

              "crypto_algorithm": "aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

         }

    ]

}

Decomposed Scenario C: Host-to-Site tunnel when the initiator requests an overlay IP

...

Sample CR for gatewayA
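# Sample IPSecSite CR for gatewayA (Scenario C, host-to-site where the
# initiator requests an overlay IP). Sample values only; in a real deployment
# the PSK should be referenced from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: siteA
spec:
  node: node1
  gateway: any
  pre_shared_key: test123
  auth_method: psk
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@moon.strongswan.org"
  remote_identifier: "@roadwarrior.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      local_subnet: 10.1.0.1/24
      local_sourceip: 192.168.1.10
      # Quoted so the value stays the literal string `yes` on every parser
      # (YAML 1.1 reads a bare `yes` as the boolean true).
      local_firewall: "yes"
      # NOTE(review): a CIDR in a *_sourceip field — presumably the pool the
      # initiator's overlay IP is assigned from; confirm against the CRD.
      remote_sourceip: 10.3.0.1/24
      remote_firewall: "yes"
      crypto_proposal: proposal1
  proposal:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072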

...

Sample CR for roadwarrior
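# Sample IPSecSite CR for the roadwarrior host (Scenario C; requests an
# overlay IP from gatewayA). Sample values only; in a real deployment the PSK
# should be referenced from a Secret rather than inlined in the CR.
apiVersion: sdewan.akraino.org/v1alpha1
kind: IPSecSite
metadata:
  name: roadwarrior
spec:
  node: roadwarrior
  gateway: 192.168.1.10
  pre_shared_key: test123
  auth_method: psk
  # Quoted: a plain scalar may not start with '@' (reserved YAML indicator).
  local_identifier: "@roadwarrior.strongswan.org"
  remote_identifier: "@moon.strongswan.org"
  crypto_proposal: proposal1
  force_crypto_proposal: true
  connection:
    - name: connA
      type: tunnel
      mode: start
      # Quoted: '%' introduces a YAML directive, so a bare %config does not parse.
      local_sourceip: "%config"
      # Quoted so the value stays the literal string `yes` on every parser
      # (YAML 1.1 reads a bare `yes` as the boolean true).
      local_firewall: "yes"
      remote_subnet: 10.1.0.1/24
      remote_sourceip: 192.168.1.10
      remote_firewall: "yes"
      crypto_proposal: proposal1
  proposal:
    - name: proposal1  # was `proposal1:`; a trailing ':' is a YAML parse error
      encryption_algorithm: aes128
      hash_algorithm: sha256
      dh_group: modp3072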

...

GET /cgi-bin/luci/sdewan/ipsec/v1/sites

{
    "sites":

{       “siteA": {

 [

       {    "

node

name": "

node1

siteA",

  //shows the tunnel belongs to which CNF

            "gateway":"192.168.1.11",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "local_identifier": "@moon.strongswan.org",

            "remote_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_subnet": "10.1.0.1/24",

                "remote_sourceip": "10.3.0.1/24",

                "local_sourceip": "192.168.1.10",

                "crypto_proposal": "proposal1"

              }

            ]

        },

       

"roadwarrior":

{

     

   

 

"

node

name": "

node2

roadwarrior",

            "gateway":"192.168.1.10",

            "crypto_proposal": "proposal1",

            "pre_shared_key": "test123",

            "authentication_method": "psk",

            "remote_identifier": "@moon.strongswan.org",

            "local_identifier": "@sun.strongswan.org",

            "connections": [

              { "name": "connA",

                "type": "tunnel",

                "mode": "start",

                "local_sourceip": "%config",

                "remote_sourceip": "192.168.1.10",

                "remote_subnet": "10.1.0.1/24",

                "crypto_proposal": "proposal1"

              }

        ]

      }

   

}

]
}

Proposal settings

GET /cgi-bin/luci/sdewan/ipsec/v1/proposals

{ "proposals": 

{

[

        {     "

proposal1

name": 

{

"proposal1",

              "crypto_algorithm": "aes128",

              "hash_algorithm": "sha256",

              "dh_group": "modp3072"

         }

     ]

}

Overall Scenario:

This section shows the overall scenario we want to achieve in the ICN SDEWAN case.

...