| .. _vpp_sswan_doc: |
| |
| VPP-SSWAN |
| ======================= |
| |
| ``VPP-SSWAN`` is a StrongSwan plugin that helps offloading Strongswan IPsec ESP |
| process from Linux Kernel to ``VPP``. |
| |
| The ``VPP-SSWAN`` takes advantage of ``StrongSwan`` extendable plugin design |
| and translates ``StrongSwan`` SA creation/deletion and routing |
| update operations into ``VPP`` C API calls. The successful execution of the |
| API calls means the operations shall be performed by VPP smoothly. |
| |
| Inside ``VPP-SSWAN``, the kernel-vpp plugin is an interface to the IPsec and |
| networking backend for `VPP <https://wiki.fd.io/view/VPP>`__ platform using |
| the `VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__. |
| It provides address and routing lookup functionality and installs routes for |
| IPsec traffic. |
| |
| The plugin also installs and maintains Security Associations and Policies to |
| the `VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__. |
| |
| Since ``StrongSwan`` expects both IKE and IPsec traffic coming through the |
| same network protected interfaces, the ``VPP-SSWAN`` expects the IKE traffic |
| being diverted to Linux Kernel through the help of |
| `VPP Linux Control Plane <https://s3-docs.fd.io/vpp/22.10/developer/plugins/ |
| lcp.html>`__. It is important to notice that due to LCP is a Tun/Tap interface, |
| the IPsec performance will be limited by it if Transport mode of IPsec is used. |
| |
| Prerequisites |
| ------------- |
| |
| ``VPP`` in release mode should be built before compiling ``vpp-swan plugin``. |
| User may install ``StrongSwan`` prior to compile the plugin. However the |
| plugin requires downloading ``StrongSwan`` source to include some of its |
| header files to compile ``VPP-SSWAN``. In addition ``libsystemd-dev`` |
| should be installed prior to compile the plugin. |
| |
| Please Note: ONLY Strongswan version ``5.9.5`` and ``5.9.6`` were tested with |
| this plugin. |
| |
| Build VPP Strongswan Plugin |
| ------------- |
| |
| ``VPP-SSWAN`` requires ``StrongSwan`` source to compile. To obtain |
| ``StrongSwan`` the simplest way is to run the following commands: |
| |
| :: |
| |
| cd path/to/vpp/external/strongswan/vpp_swan/ |
| make all |
| |
| Or you may download ``StrongSwan`` from its github page. It is recommended to |
| use ``Strongswan`` version ``5.9.6`` or ``5.9.5`` for ``VPP-SSWAN`` to be |
| compiled and integrate. The following steps are required for manually download |
| ``Strongswan`` source: |
| |
| - download strongswan source code to: |
| ``path/to/vpp/build/external/downloads`` |
| |
| - unzip source code strongswan to: |
| ``path/to/vpp/build-root/build-vpp-native/external/sswan`` |
| |
| - check if you have installed packages: ``libsystemd-dev`` on your OS |
| |
| - configure strongswan by: |
| ``./autogen.sh`` |
| ``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec |
| --enable-systemd --enable-swanctl --disable-gmp --enable-openssl`` |
| |
| - compile ``vpp-swan plugin`` by: |
| |
| :: |
| |
| cd path/to/vpp/external/strongswan/vpp_swan/ |
| make |
| |
| Build/install Strongswan (Optional) |
| ------------- |
| |
| In case you haven't installed ``Strongswan`` yet, you may use the following |
| simple command to compile and install ``Strongswan`` from the downloaded source. |
| |
| :: |
| |
| cd path/to/vpp/external/strongswan/vpp_swan/ |
| make pull-swan |
| make install-swan |
| |
| Install VPP-SWAN plugin into StrongSwan |
| ------------- |
| |
| After the ``VPP-SSWAN`` plugin has been built and ``Strongswan`` was installed, |
| the following command will install the ``VPP-SSWAN`` plugin into ``Strongswan``. |
| |
| :: |
| |
| cd path/to/vpp/external/strongswan/vpp_swan/ |
| make install |
| |
| Or you can manually copy ``libstrongswan-kernel-vpp.so`` into: |
| ``/usr/lib/ipsec/plugins``, |
| and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/`` |
| |
| Now you can restart ``Strongswan`` by executing the following command: |
| |
| :: |
| |
| systemctl restart strongswan.service |
| |
| Configuration Strongswan |
| ------------- |
| |
| As an example, ``swanctl.conf`` file provides an example configuration to |
| initialize connections between two endpoints. |
| |
| You may update the file based on your need and Copy into: |
| ``/etc/swanctl/conf.d/swanctl.conf`` |
| |
| Configuration VPP |
| ------------- |
| |
| Some special treatment to VPP are required in your VPP ``startup.conf``. |
| Since we use ``Strongswan`` to process IKE messages, we should disable VPP's |
| IKEv2 plugin. Also as mentioned ``Linux Control Plane`` plugin is needed to |
| route the traffic between VPP interface and Tun/Tap interface. To do so, simply |
| adding the following commands: |
| |
| :: |
| |
| plugins { |
| plugin linux_cp_plugin.so { enable } |
| plugin ikev2_plugin.so { disable } |
| } |
| |
| linux-cp { |
| lcp-sync |
| } |
| |
| Running VPP |
| ------------- |
| |
| Based on the provided sample ``swanctl.conf``, the following commands are |
| required to be executed in ``VPP``: |
| |
| :: |
| |
| lcp create eth2 host-if eth2 |
| set interface state eth2 up |
| set interface ip address eth2 192.168.0.2/24 |
| set int state eth1 up |
| set int ip addr eth1 192.168.200.1/24 |
| |
| In the commands above we assume ``eth2`` is the WAN interface to receive both |
| IKE message and ESP encapsulated packets, and ``eth1`` is the LAN interface to |
| receive plain packets to be encrypted. With the commands a ``Linux CP`` interface |
| is created to mirror the ``eth2`` interface to Linux Kernel, and both interfaces |
| were set the IP addresses followed by the ``swanctl.conf``. |
| |
| With the commands successfully executed and the security policy is succesfully |
| agreed between two IKE daemons (one with VPP as IPsec processing engine), you may |
| see the packets are encrypted/decrypted by VPP smoothly. |
| |
| Misc |
| ------------- |
| This plugin is based on: |
| `https://github.com/matfabia/strongswan |
| <https://github.com/matfabia/strongswan>`__ |
| |
| Author: Matus Fabian <matfabia@cisco.com> |