Introduction
The ICN SDEWAN solution uses the IPSec functionality in the SD-EWAN CNF to set up a secure tunnel between the ONAP4K8S/APPX Manager and an Edge cluster, or between two Edge clusters. OpenWRT offers several IPSec implementations, including Openswan, Racoon and StrongSwan. ICN uses StrongSwan.
OpenWRT StrongSwan Basic
Service Start Flow:
StrongSwan is started with the command "/etc/init.d/ipsec start". This command generates StrongSwan's own configuration (e.g. /etc/ipsec/*) from the OpenWRT configuration (e.g. /etc/config/ipsec) and then starts the ipsec application as a daemon. The diagram below shows this flow.
Configuration: OpenWRT's IPSec configuration is defined in /etc/config/ipsec. The configuration content and its mapping to the StrongSwan configuration are described in the table below.
Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Description |
---|---|---|---|---|---|
ipsec | debug | int | | syslog | whether to enable log information |
ipsec | rtinstall_enabled | boolean | | install_routes | |
ipsec | ignore_routing_tables | list | | ignore_routing_tables | |
ipsec | interface | list | | interfaces_use | |
The full structure of /etc/config/ipsec (sections and their options) is:

    config ipsec
        option debug
        option rtinstall_enabled
        list ignore_routing_tables
        list interface

    config remote "ABC"
        list tunnel
        list transport
        option enabled
        option gateway
        option pre_shared_key
        option auth_method
        option local_identifier
        option remote_identifier
        list crypto_proposal
        option force_crypto_proposal

    config tunnel(/transport) 'tunnelA'
        option mode
        option local_subnet
        option local_nat
        option local_sourceip
        option local_updown
        option local_firewall
        option remote_subnet
        option remote_sourceip
        option remote_updown
        option remote_firewall
        option ikelifetime
        option lifetime
        option margintime
        option keyingtries
        option dpdaction
        option dpddelay
        option inactivity
        option keyexchange
        list crypto_proposal

    config proposal 'proposal1'
        option encryption_algorithm
        option hash_algorithm
        option dh_group
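To make the translation step of the start flow concrete, here is an added Python example (not the SD-EWAN init script and not part of the original page) that parses a UCI-style /etc/config/ipsec file in the schema above and renders the StrongSwan fragments it maps to. The charon options follow the page's table; the ipsec.conf `conn` keys (`right`, `leftid`, `leftsubnet`, `ike`, `esp`, `authby`, `auto`, ...) are an assumed mapping chosen for illustration. The sample configuration values are constructed, and the `validate` checks are the kind of defender-side sanity checks (missing PSK, dangling tunnel reference) worth running before a generated config is handed to the daemon.

```python
import re

# Constructed sample in the UCI schema the page describes (all values invented).
SAMPLE_UCI = """
config ipsec
    option debug '1'
    option rtinstall_enabled '1'
    list ignore_routing_tables '220'
    list interface 'wan'

config remote 'ABC'
    option enabled '1'
    option gateway '203.0.113.10'
    option pre_shared_key 'constructed-sample-psk'
    option auth_method 'psk'
    option local_identifier 'edge-a'
    option remote_identifier 'hub'
    list tunnel 'tunnelA'

config tunnel 'tunnelA'
    option mode 'start'
    option local_subnet '10.0.1.0/24'
    option remote_subnet '10.0.2.0/24'
    option keyexchange 'ikev2'
    list crypto_proposal 'proposal1'

config proposal 'proposal1'
    option encryption_algorithm 'aes256'
    option hash_algorithm 'sha256'
    option dh_group 'modp2048'
"""

# Mapping taken from the page's table (UCI 'ipsec' section -> charon option).
UCI_TO_CHARON = {
    'rtinstall_enabled': 'install_routes',
    'ignore_routing_tables': 'ignore_routing_tables',
    'interface': 'interfaces_use',
}


def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip('\'"') for p in re.split(r'\s+', line, 2)]
        kw, value = parts[0], parts[2] if len(parts) > 2 else ''
        if kw == 'config':
            cur = {'type': parts[1], 'name': value or None, 'options': {}}
            sections.append(cur)
        elif cur is not None and kw == 'option':
            cur['options'][parts[1]] = value
        elif cur is not None and kw == 'list':   # repeated 'list' lines accumulate
            cur['options'].setdefault(parts[1], []).append(value)
    return sections


def sections_of(sections, kind):
    return {s['name']: s['options'] for s in sections if s['type'] == kind}


def render_strongswan_conf(sections):
    """Render the charon {} block for the options listed in the page's table."""
    ipsec = sections_of(sections, 'ipsec')[None]
    lines = ['charon {']
    for uci_key, charon_key in UCI_TO_CHARON.items():
        val = ipsec.get(uci_key)
        if val is None:
            continue
        if isinstance(val, list):            # UCI lists become comma-separated values
            val = ','.join(val)
        elif uci_key == 'rtinstall_enabled':  # UCI boolean '1'/'0' -> yes/no
            val = 'yes' if val == '1' else 'no'
        lines.append(f'    {charon_key} = {val}')
    lines.append('}')
    return '\n'.join(lines)


def render_ipsec_conf(sections):
    """Render ipsec.conf 'conn' blocks (assumed key mapping, not the project's)."""
    proposals, out = sections_of(sections, 'proposal'), []
    for rname, r in sections_of(sections, 'remote').items():
        if r.get('enabled') != '1':
            continue
        for kind in ('tunnel', 'transport'):
            for tname in r.get(kind, []):
                t = sections_of(sections, kind)[tname]
                p = proposals[t['crypto_proposal'][0]]
                algs = f"{p['encryption_algorithm']}-{p['hash_algorithm']}-{p['dh_group']}"
                out += [f"conn {rname}-{tname}", f"    type={kind}",
                        f"    right={r['gateway']}", f"    leftid={r['local_identifier']}",
                        f"    rightid={r['remote_identifier']}",
                        f"    leftsubnet={t['local_subnet']}", f"    rightsubnet={t['remote_subnet']}",
                        f"    keyexchange={t.get('keyexchange', 'ikev2')}",
                        f"    ike={algs}!", f"    esp={algs}!", f"    authby={r['auth_method']}",
                        f"    auto={t.get('mode', 'start')}", ""]
    return '\n'.join(out)


def validate(sections):
    """Sanity checks a generated config should pass before charon is started."""
    issues = []
    known = {**sections_of(sections, 'tunnel'), **sections_of(sections, 'transport')}
    for rname, r in sections_of(sections, 'remote').items():
        if r.get('auth_method') == 'psk' and not r.get('pre_shared_key'):
            issues.append(f"remote {rname}: auth_method is psk but pre_shared_key is empty")
        for tname in r.get('tunnel', []) + r.get('transport', []):
            if tname not in known:
                issues.append(f"remote {rname}: references undefined tunnel {tname}")
    return issues


if __name__ == '__main__':
    secs = parse_uci(SAMPLE_UCI)
    print(render_strongswan_conf(secs))
    print(render_ipsec_conf(secs))
    print('issues:', validate(secs))
```

Run it as a script to see the generated strongswan.conf `charon {}` block and the `conn ABC-tunnelA` entry; a config with an empty `pre_shared_key` or a `list tunnel` naming a section that does not exist is reported by `validate` instead of silently producing a conn that charon will reject or, worse, bring up with no authentication material.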