Introduction
ICN SDEWAN solution leverages IPSec functionality in SD-EWAN CNF to setup security tunnel to enable communication between ONAP4K8S/APPX Manager with Edge cluster or Edge cluster with Edge cluster. There are several solutions in OpenWRT to implement IPSec, include: Openswan, Racoon, and StrongSwan. ICN will use StrongSwan solution.
OpenWRT StrongSwan Basic
Service Start Flow:
StrongSwan application is run by command: "/etc/init.d/ipsec start", this command will generate StrongSwan's configuration (e.g. /etc/ipsec/*) based on openwrt configuration (e.g. /etc/config/ipsec) then start ipsec application as daemon, below diagram shows its flow
Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table
| Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Description |
|---|---|---|---|---|---|
| ipsec | Global configuration | ||||
| debug | int | strongswan.conf | syslog | whether to enable log information | |
| rtinstall_enabled | boolean | strongswan.conf | install_routes | ||
| ignore_routing_tables | list | strongswan.conf | ignore_routing_tables | ||
| interface | list | strongswan.conf | interfaces_use | ||
| remote | Define a group remote tunnels with same security configuration | ||||
| tunnel | list | ||||
| transport | list | ||||
| enabled | boolean | whether this configuration is enabled | |||
| gateway | String | ipsec.secrets ipsec.conf | local_gateway/remote_gateway right | ||
| pre_shared_key | String | ipsec.secrets | PSK | ||
| auth_method | String | ipsec.conf | leftauth/rightauth | ||
| local_identifier | String | ipsec.secrets ipsec.conf | local_identifier leftid | ||
| remote_identifier | String | ipsec.secrets ipsec.conf | remote_identifier rightid | ||
| crypto_proposal | list | ipsec.conf | ike | ||
| force_crypto_proposal | boolean | ||||
config ipsec option debug option rtinstall_enabled list ignore_routing_tables list interface config remote "ABC” list tunnel list transport option enabled option gateway option pre_shared_key option auth_method option local_identifier option remote_identifier list crypto_proposal option force_crypto_proposal config tunnel(/transport) 'tunnelA' option mode option local_subnet option local_nat option local_sourceip option local_updown option local_firewall option remote_subnet option remote_sourceip option remote_updown option remote_firewall option ikelifetime option lifetime option margintime option keyingtries option dpdaction option dpddelay option inactivity option keyexchange list crypto_proposal config proposal 'proposal1' option encryption_algorithm option hash_algorithm option dh_group |
|---|