VPP as IKEv2 responder and strongSwan as initiator
==================================================

Prerequisites
-------------

To make the examples easier to configure, ``docker`` is required and the
strongSwan docker image must be pulled. The networking is done using Linux
veth interfaces and namespaces.

Setup
-----

First, a topology:

::

       192.168.3.2                          192.168.5.2
            +                                loopback
            |                                    +
       +----+----+  192.168.10.2        +-----+----+
       |   VPP   |                      |initiator |
       |responder+----------------------+strongSwan|
       +---------+                      +----------+
                              192.168.10.1

Create the veth interfaces and namespaces and configure them:

::

  sudo ip link add gw type veth peer name swanif
  sudo ip link set dev gw up

  sudo ip netns add ns
  sudo ip link add veth_priv type veth peer name priv
  sudo ip link set dev priv up
  sudo ip link set dev veth_priv up netns ns

  sudo ip netns exec ns \
    bash -c "
      ip link set dev lo up
      ip addr add 192.168.3.2/24 dev veth_priv
      ip route add 192.168.5.0/24 via 192.168.3.1"

Create a directory for the strongSwan configs; it will be mounted into the
docker container:

::

  mkdir /tmp/sswan

Create the ``ipsec.conf`` file in the ``/tmp/sswan`` directory with the
following content:

::

  config setup
    strictcrlpolicy=no

  conn initiator
    mobike=no
    auto=add
    type=tunnel
    keyexchange=ikev2
    ike=aes256gcm16-prfsha256-modp2048!
    esp=aes256gcm16-esn!

    # local:
    leftauth=psk
    leftid=@roadwarrior.vpn.example.com
    leftsubnet=192.168.5.0/24

    # remote: (vpp gateway)
    rightid=@vpp.home
    right=192.168.10.2
    rightauth=psk
    rightsubnet=192.168.3.0/24

``/tmp/sswan/ipsec.secrets`` (the PSK below is only an example value; use a
long, randomly generated secret, and keep it identical to the
``shared-key-mic`` string configured on the VPP profile further down)

::

  : PSK 'Vpp123'

``/tmp/sswan/strongswan.conf``

::

  charon {
    load_modular = yes
    plugins {
      include strongswan.d/charon/*.conf
    }
    filelog {
      /tmp/charon.log {
        time_format = %b %e %T
        ike_name = yes
        append = no
        default = 2
        flush_line = yes
      }
    }
  }
  include strongswan.d/*.conf

Start the docker container with strongSwan:

::

  docker run --name sswan -d --privileged --rm --net=none \
    -v /tmp/sswan:/conf -v /tmp/sswan:/etc/ipsec.d philplckthun/strongswan

Finish the configuration of the initiator's private network:

::

  pid=$(docker inspect --format "{{.State.Pid}}" sswan)
  sudo ip link set netns $pid dev swanif

  sudo nsenter -t $pid -n ip addr add 192.168.10.1/24 dev swanif
  sudo nsenter -t $pid -n ip link set dev swanif up

  sudo nsenter -t $pid -n ip addr add 192.168.5.2/32 dev lo
  sudo nsenter -t $pid -n ip link set dev lo up

Start VPP ...

::

  sudo /usr/bin/vpp unix { \
    cli-listen /tmp/vpp.sock \
    gid $(id -g) } \
    api-segment { prefix vpp } \
    plugins { plugin dpdk_plugin.so { disable } }

... and configure it:

::

  create host-interface name gw
  set interface ip addr host-gw 192.168.10.2/24
  set interface state host-gw up

  create host-interface name priv
  set interface ip addr host-priv 192.168.3.1/24
  set interface state host-priv up

  ikev2 profile add pr1
  ikev2 profile set pr1 auth shared-key-mic string Vpp123
  ikev2 profile set pr1 id local fqdn vpp.home
  ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com

  ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
  ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0

  create ipip tunnel src 192.168.10.2 dst 192.168.10.1
  ikev2 profile set pr1 tunnel ipip0
  ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
  set interface unnumbered ipip0 use host-gw

Initiate the IKEv2 connection from the strongSwan side:

::

  $ sudo docker exec sswan ipsec up initiator

  ...
  CHILD_SA initiator{1} established with SPIs c320c95f_i 213932c2_o and TS 192.168.5.0/24 === 192.168.3.0/24
  connection 'initiator' established successfully

On the VPP side, the established SA can be inspected:

::

  vpp# show ikev2 sa details

  iip 192.168.10.1 ispi 7849021d9f655f1b rip 192.168.10.2 rspi 5a9ca7469a035205
   encr:aes-gcm-16 prf:hmac-sha2-256 dh-group:modp-2048
   nonce i:692ce8fd8f1c1934f63bfa2b167c4de2cff25640dffe938cdfe01a5d7f6820e6
         r:3ed84a14ea8526063e5aa762312be225d33e866d7152b9ce23e50f0ededca9e3
   SK_d 9a9b896ed6c35c78134fcd6e966c04868b6ecacf6d5088b4b2aee8b05d30fdda
   SK_e i:00000000: 1b1619788d8c812ca5916c07e635bda860f15293099f3bf43e8d88e52074b006
          00000020: 72c8e3e3
        r:00000000: 89165ceb2cef6a6b3319f437386292d9ef2e96d8bdb21eeb0cb0d3b92733de03
          00000020: bbc29c50
   SK_p i:fe35fca30985ee75e7c8bc0d7bc04db7a0e1655e997c0f5974c31458826b6fef
        r:0dd318662a96a25fcdf4998d8c6e4180c67c03586cf91dab26ed43aeda250272
   identifier (i) id-type fqdn data roadwarrior.vpn.example.com
   identifier (r) id-type fqdn data vpp.home
   child sa 0:encr:aes-gcm-16 esn:yes
    spi(i) c320c95f spi(r) 213932c2
    SK_e i:2a6c9eae9dbed202c0ae6ccc001621aba5bb0b01623d4de4d14fd27bd5185435
         r:15e2913d39f809040ca40a02efd27da298b6de05f67bd8f10210da5e6ae606fb
    traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
    traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535

Now we can generate some traffic between the responder's and the initiator's
private networks and verify that the tunnel works:

::

  $ sudo ip netns exec ns ping 192.168.5.2
  PING 192.168.5.2 (192.168.5.2) 56(84) bytes of data.
  64 bytes from 192.168.5.2: icmp_seq=1 ttl=63 time=1.02 ms
  64 bytes from 192.168.5.2: icmp_seq=2 ttl=63 time=0.599 ms