Introduction
The ICN SDEWAN solution uses the IPsec functionality of the SD-EWAN CNF to set up security tunnels between the ONAP4K8S/APPX Manager and an Edge cluster, or between two Edge clusters. Several IPsec implementations are available for OpenWRT, including Openswan, Racoon and StrongSwan; ICN uses StrongSwan.
OpenWRT StrongSwan Basic
Service Start Flow:
StrongSwan is started with the command "/etc/init.d/ipsec start". The init script first generates StrongSwan's own configuration files (e.g. under /etc/ipsec/*) from the OpenWRT configuration (/etc/config/ipsec), then starts the ipsec daemon. The diagram below shows this flow.
Configuration: OpenWRT's IPsec configuration is defined in /etc/config/ipsec. The table below lists each section and option, and the StrongSwan configuration file and option it is mapped to.
Section | Option | Type | StrongSwan configuration file | StrongSwan configuration option | Description
---|---|---|---|---|---
ipsec | | | | | Global configuration
ipsec | debug | int | strongswan.conf | syslog | log level written to syslog
ipsec | rtinstall_enabled | boolean | strongswan.conf | install_routes | whether charon installs routes for established tunnels
ipsec | ignore_routing_tables | list | strongswan.conf | ignore_routing_tables | routing tables charon excludes from its route lookups
ipsec | interface | list | strongswan.conf | interfaces_use | network interfaces charon uses
remote | | | | | Defines a group of remote tunnels that share the same security configuration
remote | tunnel | list | | | names of the tunnel sections that belong to this remote
remote | transport | list | | | names of the transport sections that belong to this remote
remote | enabled | boolean | | | whether this configuration is enabled
remote | gateway | String | ipsec.secrets, ipsec.conf | local_gateway/remote_gateway, right | address of the remote gateway
remote | pre_shared_key | String | ipsec.secrets | PSK | pre-shared key written to ipsec.secrets (keep that file readable by root only)
remote | auth_method | String | ipsec.conf | leftauth/rightauth | authentication method used by both peers
remote | local_identifier | String | ipsec.secrets, ipsec.conf | local_identifier, leftid | identity this side presents
remote | remote_identifier | String | ipsec.secrets, ipsec.conf | remote_identifier, rightid | identity expected from the peer
remote | crypto_proposal | list | ipsec.conf | ike | names of the proposal sections that form the IKE proposal
remote | force_crypto_proposal | boolean | | | whether only the listed proposals are accepted (strict, no fallback to defaults)
The resulting layout of /etc/config/ipsec (option values omitted, as on the original page):

```
config ipsec
    option debug
    option rtinstall_enabled
    list ignore_routing_tables
    list interface

config remote 'ABC'
    list tunnel
    list transport
    option enabled
    option gateway
    option pre_shared_key
    option auth_method
    option local_identifier
    option remote_identifier
    list crypto_proposal
    option force_crypto_proposal

config tunnel 'tunnelA'        # or: config transport 'tunnelA'
    option mode
    option local_subnet
    option local_nat
    option local_sourceip
    option local_updown
    option local_firewall
    option remote_subnet
    option remote_sourceip
    option remote_updown
    option remote_firewall
    option ikelifetime
    option lifetime
    option margintime
    option keyingtries
    option dpdaction
    option dpddelay
    option inactivity
    option keyexchange
    list crypto_proposal

config proposal 'proposal1'
    option encryption_algorithm
    option hash_algorithm
    option dh_group
```
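As an added example (editor-supplied code, not the SDEWAN or OpenWRT init script), the following Python reads a UCI-style /etc/config/ipsec, emits the ipsec.conf conn and ipsec.secrets entries that the table above maps the remote options to, and lints the result for the things a reviewer would reject: legacy IKE algorithms, a short pre-shared key and IKEv1. The sample configuration is constructed. The mapping of the tunnel-level options (local_subnet/remote_subnet to leftsubnet/rightsubnet, the tunnel's crypto_proposal to esp=, mode to auto=) and the review thresholds are assumptions that the table does not state.

```python
"""Added example: render an OpenWrt /etc/config/ipsec as strongSwan text and lint it."""

# Constructed sample input; names, addresses and the key are illustrative.
SAMPLE_UCI = """config remote 'edge_b'
    option enabled '1'
    option gateway '203.0.113.20'
    option pre_shared_key 'changeme'
    option auth_method 'psk'
    option local_identifier 'cluster-a'
    option remote_identifier 'cluster-b'
    list crypto_proposal 'ike_weak'
    list tunnel 'to_edge_b'

config tunnel 'to_edge_b'
    option local_subnet '10.0.1.0/24'
    option remote_subnet '10.0.2.0/24'
    option keyexchange 'ikev1'
    list crypto_proposal 'esp_ok'

config proposal 'ike_weak'
    option encryption_algorithm '3des'
    option hash_algorithm 'md5'
    option dh_group 'modp1024'

config proposal 'esp_ok'
    option encryption_algorithm 'aes256gcm16'
    option hash_algorithm 'sha256'
    option dh_group 'modp3072'"""

# Review policy assumed here (not stated on the page): legacy algorithms the
# package still accepts, a minimum PSK length of 20 characters, IKEv2 only.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_uci(text):
    """Return [(type, name, options)]; 'option' -> str, 'list' -> [str]."""
    sections = []
    for raw in text.splitlines():
        parts = raw.split(None, 2)                  # keyword, key, value
        if not parts or parts[0].startswith("#"):
            continue
        val = parts[2].strip().strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append((parts[1], val or None, {}))
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(val)
        elif parts[0] == "option":
            sections[-1][2][parts[1]] = val
    return sections


def proposal_string(proposals, names):
    """Join named proposal sections into strongSwan's enc-hash-dh[,...] form."""
    return ",".join("%s-%s-%s" % (proposals[n]["encryption_algorithm"],
                                  proposals[n]["hash_algorithm"],
                                  proposals[n]["dh_group"]) for n in names)


def render(text):
    """Return (ipsec_conf, ipsec_secrets, findings) for one UCI file."""
    secs = parse_uci(text)
    proposals = {n: o for t, n, o in secs if t == "proposal"}
    tunnels = {n: o for t, n, o in secs if t in ("tunnel", "transport")}
    conf, secrets, findings = [], [], []
    for t, name, o in secs:
        if t != "remote" or o.get("enabled", "1") != "1":
            continue
        auth = o.get("auth_method", "psk")
        ike = proposal_string(proposals, o.get("crypto_proposal", []))  # -> ike=
        weak = sorted({a for a in ike.replace(",", "-").split("-") if a in WEAK_ALGS})
        findings.extend("%s: weak IKE algorithm %s" % (name, a) for a in weak)
        if auth == "psk":
            psk = o.get("pre_shared_key", "")
            # ipsec.secrets line; that file must stay readable by root only.
            secrets.append('%s %s : PSK "%s"' % (o["local_identifier"],
                                                  o["remote_identifier"], psk))
            if len(psk) < 20:
                findings.append("%s: PSK shorter than 20 chars" % name)
        for tn in o.get("tunnel", []) + o.get("transport", []):
            tun = tunnels[tn]
            kx = tun.get("keyexchange", "ikev2")
            if kx != "ikev2":
                findings.append("%s: keyexchange %s, expected ikev2" % (tn, kx))
            # Assumed mapping for tunnel-level options (not in the page's table).
            esp = proposal_string(proposals, tun.get("crypto_proposal", []))
            fields = [("right", o["gateway"]), ("leftid", o["local_identifier"]),
                      ("rightid", o["remote_identifier"]), ("leftauth", auth),
                      ("rightauth", auth), ("ike", ike + "!"), ("esp", esp + "!"),
                      ("leftsubnet", tun.get("local_subnet", "")),
                      ("rightsubnet", tun.get("remote_subnet", "")),
                      ("keyexchange", kx), ("auto", tun.get("mode", "start"))]
            conf.append("conn %s-%s\n" % (name, tn) +
                        "\n".join("  %s=%s" % f for f in fields))
    return "\n\n".join(conf), "\n".join(secrets), findings


if __name__ == "__main__":
    conf_text, secrets_text, issues = render(SAMPLE_UCI)
    print(conf_text, secrets_text, "\n".join(issues), sep="\n\n")
```

Running the script prints one conn block per tunnel, the matching ipsec.secrets line and five findings for the sample (three legacy IKE algorithms, the short PSK and IKEv1). A remote with enabled '0' produces no output at all, which is the behaviour to expect from the init script's generated files as well.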