diff options
author | Fan Zhang <fanzhang.oss@gmail.com> | 2023-03-01 14:45:46 +0000 |
---|---|---|
committer | Fan Zhang <fanzhang.oss@gmail.com> | 2023-03-01 15:54:40 +0000 |
commit | ad215f211d73e656a149326651fa2017382e51e0 (patch) | |
tree | d60d44175fb79dff105df2c96569b05b2162ffe8 /extras/strongswan | |
parent | 2073fe49b6977784c39d4a2acb37ba8ad733c2c4 (diff) |
vpp-swan: improve Makefile
Type: improvement
Since VPP-SWAN does not really need StrongSwan to be compiled,
this patch refines the Makefile to reflect the change.
In addition README is updated.
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
Change-Id: I185957167ac71a44f4d12e78e1dac31c194f80f4
Diffstat (limited to 'extras/strongswan')
-rw-r--r-- | extras/strongswan/vpp_sswan/Makefile | 14 | ||||
-rw-r--r-- | extras/strongswan/vpp_sswan/README.rst | 116 |
2 files changed, 90 insertions, 40 deletions
diff --git a/extras/strongswan/vpp_sswan/Makefile b/extras/strongswan/vpp_sswan/Makefile index 336ea6ad915..254b90b3b09 100644 --- a/extras/strongswan/vpp_sswan/Makefile +++ b/extras/strongswan/vpp_sswan/Makefile @@ -54,7 +54,7 @@ endif SOURCES=$(wildcard *.c) OBJECTS=$(SOURCES:.c=.o) -all: pull-swan $(TARGET) +all: pull-swan install-swan $(TARGET) pull-swan: @if [ -d "${SWANDIR}" ]; then \ @@ -70,8 +70,14 @@ pull-swan: mv ${CURDIR}/../../../build-root/build-vpp-native/external/strongswan-${VERSION_SSWAN} ${SWANDIR} cd ${SWANDIR} && ./autogen.sh cd ${SWANDIR} && ./configure --prefix=${PREFIX} --sysconfdir=${PREFIX_SYS_CONF} --enable-libipsec --enable-systemd --enable-swanctl --disable-gmp --enable-openssl + +install-swan: + @if ! [ -f "${SWANDIR}/configure" ]; then \ + echo "SSWAN not downloaded, please run "make" or "make pull-swan" first." ; \ + exit 1 ; \ + fi cd ${SWANDIR} && make -j$(nproc) -# cd ${SWANDIR} && sudo make install + cd ${SWANDIR} && sudo make install # check if VPP is installed ifneq ($(shell test "$(shell ldconfig -p | grep vppinfra.so | awk 'NR==1{print $$1;}')" && echo "yes"), yes) @@ -103,6 +109,8 @@ install: cp kernel-vpp.conf $(PLUGINCONF) clean: + rm -f ${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz + rm -rf ${SWANDIR} rm -f *.so *.o -.PHONY: clean install all
\ No newline at end of file +.PHONY: clean install all diff --git a/extras/strongswan/vpp_sswan/README.rst b/extras/strongswan/vpp_sswan/README.rst index 4def8383c2a..57b30f452e5 100644 --- a/extras/strongswan/vpp_sswan/README.rst +++ b/extras/strongswan/vpp_sswan/README.rst @@ -6,25 +6,54 @@ VPP-SSWAN ``VPP-SSWAN`` is a StrongSwan plugin that helps offloading Strongswan IPsec ESP process from Linux Kernel to ``VPP``. -The kernel-vpp plugin is an interface to the IPsec and networking backend for -`VPP <https://wiki.fd.io/view/VPP>`__ platform using the -`VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__. +The ``VPP-SSWAN`` takes advantage of ``StrongSwan`` extendable plugin design +and translates ``StrongSwan`` SA creation/deletion and routing +update operations into ``VPP`` C API calls. The successful execution of the +API calls means the operations shall be performed by VPP smoothly. + +Inside ``VPP-SSWAN``, the kernel-vpp plugin is an interface to the IPsec and +networking backend for `VPP <https://wiki.fd.io/view/VPP>`__ platform using +the `VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__. It provides address and routing lookup functionality and installs routes for IPsec traffic. -It installs and maintains Security Associations and Policies to the -`VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__. + +The plugin also installs and maintains Security Associations and Policies to +the `VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__. + +Since ``StrongSwan`` expects both IKE and IPsec traffic coming through the +same network protected interfaces, the ``VPP-SSWAN`` expects the IKE traffic +being diverted to Linux Kernel through the help of +`VPP Linux Control Plane <https://s3-docs.fd.io/vpp/22.10/developer/plugins/ +lcp.html>`__. It is important to notice that due to LCP is a Tun/Tap interface, +the IPsec performance will be limited by it if Transport mode of IPsec is used. Prerequisites ------------- ``VPP`` in release mode should be built before compiling ``vpp-swan plugin``. -The dependencies of ``StrongSwan`` should be installed before building -``VPP-SSWAN``. In addition ``libsystemd-dev`` should be installed. +User may install ``StrongSwan`` prior to compile the plugin. However the +plugin requires downloading ``StrongSwan`` source to include some of its +header files to compile ``VPP-SSWAN``. In addition ``libsystemd-dev`` +should be installed prior to compile the plugin. + +Please Note: ONLY Strongswan version ``5.9.5`` and ``5.9.6`` were tested with +this plugin. Build VPP Strongswan Plugin ------------- -The following list of things will be done to build ``vpp-swan plugin``: +``VPP-SSWAN`` requires ``StrongSwan`` source to compile. To obtain +``StrongSwan`` the simplest way is to run the following commands: + +:: + + cd path/to/vpp/external/strongswan/vpp_swan/ + make all + +Or you may download ``StrongSwan`` from its github page. It is recommended to +use ``Strongswan`` version ``5.9.6`` or ``5.9.5`` for ``VPP-SSWAN`` to be +compiled and integrate. The following steps are required for manually download +``Strongswan`` source: - download strongswan source code to: ``path/to/vpp/build/external/downloads`` @@ -35,48 +64,45 @@ The following list of things will be done to build ``vpp-swan plugin``: - check if you have installed packages: ``libsystemd-dev`` on your OS - configure strongswan by: +``./autogen.sh`` ``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec --enable-systemd --enable-swanctl --disable-gmp --enable-openssl`` -- compile strongswan in: -``path/to/vpp/build-root/build-vpp-native/external/sswan`` - - compile ``vpp-swan plugin`` by: :: - ./make all + cd path/to/vpp/external/strongswan/vpp_swan/ + make -- if everything it ok, copy the compiled ``vpp-swan plugin`` to: -``/usr/lib/ipsec/plugins`` - -Build/install Strongswan +Build/install Strongswan (Optional) ------------- -It is recommended to use ``Strongswan`` in version ``5.9.6`` or ``5.9.5`` -installed from this script, due to configuration Strongswan that is required. -Only version ``5.9.5`` and ``5.9.6`` was tested with this plugin. - -To install the built Strongswan, please execute the following command: +In case you haven't installed ``Strongswan`` yet, you may use the following +simple command to compile and install ``Strongswan`` from the downloaded source. :: - path/to/vpp/build-root/build-vpp-native/external/sswan/sudo make install + cd path/to/vpp/external/strongswan/vpp_swan/ + make pull-swan + make install-swan -Insert plugin in runtime mode +Install VPP-SWAN plugin into StrongSwan ------------- -After builded this plugin and also installed Strongswan you can loaded plugin -into Strongswan directory by: +After the ``VPP-SSWAN`` plugin has been built and ``Strongswan`` was installed, +the following command will install the ``VPP-SSWAN`` plugin into ``Strongswan``. :: - ./make install + cd path/to/vpp/external/strongswan/vpp_swan/ + make install -Or you can do manually copy ``libstrongswan-kernel-vpp.so`` into: -``/usr/lib/ipsec/plugins`` and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/`` +Or you can manually copy ``libstrongswan-kernel-vpp.so`` into: +``/usr/lib/ipsec/plugins``, +and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/`` -And also you should restart Strongswan by: +Now you can restart ``Strongswan`` by executing the following command: :: @@ -84,15 +110,21 @@ And also you should restart Strongswan by: Configuration Strongswan ------------- -In ``swanctl.conf`` file you can find example configuration to initialize -connections between two endpoints. -Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf`` +As an example, ``swanctl.conf`` file provides an example configuration to +initialize connections between two endpoints. + +You may update the file based on your need and Copy into: +``/etc/swanctl/conf.d/swanctl.conf`` Configuration VPP ------------- -In your ``startup.conf`` add these following commands: +Some special treatment to VPP are required in your VPP ``startup.conf``. +Since we use ``Strongswan`` to process IKE messages, we should disable VPP's +IKEv2 plugin. Also as mentioned ``Linux Control Plane`` plugin is needed to +route the traffic between VPP interface and Tun/Tap interface. To do so, simply +adding the following commands: :: @@ -105,9 +137,11 @@ In your ``startup.conf`` add these following commands: lcp-sync } -To enable ``CP Plugin`` and disable ``IKEv2`` plugin. +Running VPP +------------- -These following commands executed in ``VPP``: +Based on the provided sample ``swanctl.conf``, the following commands are +required to be executed in ``VPP``: :: @@ -117,7 +151,15 @@ These following commands executed in ``VPP``: set int state eth1 up set int ip addr eth1 192.168.200.1/24 -To create interface by ``CP Plugin`` and also setup two ethernet interfaces. +In the commands above we assume ``eth2`` is the WAN interface to receive both +IKE message and ESP encapsulated packets, and ``eth1`` is the LAN interface to +receive plain packets to be encrypted. With the commands a ``Linux CP`` interface +is created to mirror the ``eth2`` interface to Linux Kernel, and both interfaces +were set the IP addresses followed by the ``swanctl.conf``. + +With the commands successfully executed and the security policy is succesfully +agreed between two IKE daemons (one with VPP as IPsec processing engine), you may +see the packets are encrypted/decrypted by VPP smoothly. Misc ------------- @@ -125,4 +167,4 @@ This plugin is based on: `https://github.com/matfabia/strongswan <https://github.com/matfabia/strongswan>`__ -Author: Matus Fabian <matfabia@cisco.com>
\ No newline at end of file +Author: Matus Fabian <matfabia@cisco.com> |