.. _vpp_sswan_doc:

VPP-SSWAN
=======================

``VPP-SSWAN`` is a strongSwan plugin that helps offload strongSwan IPsec ESP
processing from the Linux kernel to ``VPP``.

The kernel-vpp plugin is an interface to the IPsec and networking backend for
the `VPP <https://wiki.fd.io/view/VPP>`__ platform using the
`VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__.
It provides address and routing lookup functionality and installs routes for
IPsec traffic.
It installs and maintains Security Associations and Policies in
`VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__.

Prerequisites
-------------

``VPP`` should be built in release mode before compiling the ``vpp-swan plugin``.
The dependencies of strongSwan should be installed before building
``VPP-SSWAN``. In addition, ``libsystemd-dev`` should be installed.

Build VPP strongSwan Plugin
---------------------------

The following things will be done to build the ``vpp-swan plugin``:

- download the strongSwan source code to:
  ``path/to/vpp/build/external/downloads``

- unzip the strongSwan source code to:
  ``path/to/vpp/build-root/build-vpp-native/external/sswan``

- check that the ``libsystemd-dev`` package is installed on your OS

- configure strongSwan with:
  ``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec
  --enable-systemd --enable-swanctl --disable-gmp --enable-openssl``

- compile strongSwan in:
  ``path/to/vpp/build-root/build-vpp-native/external/sswan``

- compile the ``vpp-swan plugin`` with:

  ::

     make all

- if everything is OK, copy the compiled ``vpp-swan plugin`` to:
  ``/usr/lib/ipsec/plugins``

Build/install strongSwan
------------------------

It is recommended to use strongSwan version ``5.9.6`` or ``5.9.5``
installed from this script, because of the strongSwan configuration that is
required. Only versions ``5.9.5`` and ``5.9.6`` were tested with this plugin.

To install the built strongSwan, execute the following command in
``path/to/vpp/build-root/build-vpp-native/external/sswan``:

::

   sudo make install

Insert plugin in runtime mode
-----------------------------

After building this plugin and installing strongSwan, you can load the plugin
into the strongSwan directory with:

::

   make install

Or you can manually copy ``libstrongswan-kernel-vpp.so`` into
``/usr/lib/ipsec/plugins`` and ``kernel-vpp.conf`` into
``/etc/strongswan.d/charon/``.

You should also restart strongSwan with:

::

   systemctl restart strongswan.service

Configuration strongSwan
------------------------

The ``swanctl.conf`` file contains an example configuration to initialize
connections between two endpoints.

Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf``

Configuration VPP
-----------------

In your ``startup.conf``, add the following configuration:

::

   plugins {
     plugin linux_cp_plugin.so { enable }
     plugin ikev2_plugin.so { disable }
   }

   linux-cp {
     lcp-sync
   }

This enables the ``CP Plugin`` and disables the ``IKEv2`` plugin.

Then execute the following commands in ``VPP``:

::

   lcp create eth2 host-if eth2
   set interface state eth2 up
   set interface ip address eth2 192.168.0.2/24
   set int state eth1 up
   set int ip addr eth1 192.168.200.1/24

These create an interface with the ``CP Plugin`` and set up two Ethernet
interfaces.
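
A post-install check for the steps above, as an added example that is not part of the VPP or strongSwan sources: it verifies that the plugin and configuration files named on this page exist and are not group- or world-writable, and that ``startup.conf`` enables ``linux_cp_plugin.so``, disables ``ikev2_plugin.so`` and sets ``lcp-sync``. The function names, the ``ROOT`` prefix argument and the ``/etc/vpp/startup.conf`` location in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VPP tree. The ROOT prefix and the
# startup.conf location are assumptions; other paths are named on this page.
# Usage after sourcing: check_vpp_sswan "" /etc/vpp/startup.conf

# plugin_state FILE PLUGIN: print enable, disable or unset for a one-line
# "plugin NAME { enable|disable }" entry (the form used on this page).
plugin_state() {
    awk -v p="$2" '
        { sub(/#.*/, "") }    # ignore comments
        $1 == "plugin" && $2 == p && /\{[ \t]*enable[ \t]*\}/  { s = "enable" }
        $1 == "plugin" && $2 == p && /\{[ \t]*disable[ \t]*\}/ { s = "disable" }
        END { print (s == "" ? "unset" : s) }' "$1"
}

# lcp_sync_set FILE: succeed if lcp-sync appears inside the linux-cp section.
lcp_sync_set() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*linux-cp[ \t]*\{/ { sec = 1 }
         sec && /lcp-sync/         { found = 1 }
         sec && /\}/               { sec = 0 }
         END { exit !found }' "$1"
}

# check_vpp_sswan ROOT STARTUP_CONF: print each problem, return 1 if any.
check_vpp_sswan() {
    root=$1 startup=$2 rc=0
    for f in usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so \
             etc/strongswan.d/charon/kernel-vpp.conf \
             etc/swanctl/conf.d/swanctl.conf; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f"; rc=1
        elif [ -n "$(find "$root/$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            # IKE daemon code and config must not be modifiable by other users
            echo "group/world-writable: $root/$f"; rc=1
        fi
    done
    [ "$(plugin_state "$startup" linux_cp_plugin.so)" = enable ] ||
        { echo "linux_cp_plugin.so is not enabled"; rc=1; }
    [ "$(plugin_state "$startup" ikev2_plugin.so)" = disable ] ||
        { echo "ikev2_plugin.so is not disabled"; rc=1; }
    lcp_sync_set "$startup" || { echo "lcp-sync missing from linux-cp"; rc=1; }
    return $rc
}
```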

Misc
----

This plugin is based on:
`https://github.com/matfabia/strongswan
<https://github.com/matfabia/strongswan>`__

Author: Matus Fabian <matfabia@cisco.com>