.. _vpp_sswan_doc:

VPP-SSWAN
=========

``VPP-SSWAN`` is a StrongSwan plugin that offloads StrongSwan IPsec ESP
processing from the Linux kernel to ``VPP``.

The kernel-vpp plugin is an interface to the IPsec and networking backend for
the `VPP <https://wiki.fd.io/view/VPP>`__ platform using the
`VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__.
It provides address and routing lookup functionality and installs routes for
IPsec traffic.
It installs and maintains Security Associations and Policies in
`VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__.

Prerequisites
-------------

``VPP`` should be built in release mode before compiling the ``vpp-swan plugin``.
The dependencies of ``StrongSwan`` should be installed before building
``VPP-SSWAN``. In addition, ``libsystemd-dev`` should be installed.

Build VPP Strongswan Plugin
---------------------------

The following steps are performed to build the ``vpp-swan plugin``:

- download the strongswan source code to:
  ``path/to/vpp/build/external/downloads``

- unzip the strongswan source code to:
  ``path/to/vpp/build-root/build-vpp-native/external/sswan``

- check that the ``libsystemd-dev`` package is installed on your OS

- configure strongswan by:
  ``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec
  --enable-systemd --enable-swanctl --disable-gmp --enable-openssl``

- compile strongswan in:
  ``path/to/vpp/build-root/build-vpp-native/external/sswan``

- compile ``vpp-swan plugin`` by:

::

   ./make all

- if everything is ok, copy the compiled ``vpp-swan plugin`` to:
  ``/usr/lib/ipsec/plugins``

Build/install Strongswan
------------------------

It is recommended to use ``Strongswan`` version ``5.9.6`` or ``5.9.5``
installed from this script, because of the Strongswan configuration that is
required. Only versions ``5.9.5`` and ``5.9.6`` were tested with this plugin.

To install the built Strongswan, please execute the following command:

::

   path/to/vpp/build-root/build-vpp-native/external/sswan/sudo make install

Insert plugin in runtime mode
-----------------------------

After building this plugin and installing Strongswan, you can load the plugin
into the Strongswan directory by:

::

   ./make install

Or you can manually copy ``libstrongswan-kernel-vpp.so`` into
``/usr/lib/ipsec/plugins`` and ``kernel-vpp.conf`` into
``/etc/strongswan.d/charon/``.

You should also restart Strongswan by:

::

   systemctl restart strongswan.service

Configuration Strongswan
------------------------

The ``swanctl.conf`` file contains an example configuration that initializes
connections between two endpoints.

Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf``

Configuration VPP
-----------------

In your ``startup.conf``, add the following:

::

   plugins {
     plugin linux_cp_plugin.so { enable }
     plugin ikev2_plugin.so { disable }
   }
   linux-cp {
     lcp-sync
   }

This enables the ``CP Plugin`` and disables the ``IKEv2`` plugin.

Then execute the following commands in ``VPP``:

::

   lcp create eth2 host-if eth2
   set interface state eth2 up
   set interface ip address eth2 192.168.0.2/24
   set int state eth1 up
   set int ip addr eth1 192.168.200.1/24

These create an interface through the ``CP Plugin`` and set up two Ethernet
interfaces.
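
A pre-flight check for the installation and configuration steps above, as an added example that is not part of the original document or the VPP project. The function name ``check_vpp_sswan`` is hypothetical and the location of ``startup.conf`` is supplied by the caller; the file paths and plugin names are the ones given in this document.

```shell
#!/bin/sh
# Added example: verify the deployment steps described in this document.
# check_vpp_sswan ROOT STARTUP_CONF
#   ROOT         filesystem prefix to inspect ("" for the live system)
#   STARTUP_CONF path to VPP's startup.conf (location is an assumption)
# Prints one line per finding and returns the number of failed checks.
check_vpp_sswan() {
    root=$1 startup=$2 fails=0

    # Files the document says must be in place before restarting Strongswan.
    for f in /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so \
             /etc/strongswan.d/charon/kernel-vpp.conf \
             /etc/swanctl/conf.d/swanctl.conf; do
        if [ -f "$root$f" ]; then
            echo "ok      $f"
        else
            echo "MISSING $f"; fails=$((fails + 1))
        fi
    done

    # Strip comments and join lines so a stanza matches however it is wrapped.
    # An unreadable file yields an empty string, so every check below fails.
    flat=$(sed 's/#.*//' "$startup" 2>/dev/null | tr '\n\t' '  ') || flat=""

    # linux_cp_plugin.so must be enabled and ikev2_plugin.so disabled.
    for want in "linux_cp_plugin.so enable" "ikev2_plugin.so disable"; do
        set -- $want   # $1 = plugin file name, $2 = required state
        if printf '%s' "$flat" | grep -Eq "plugin +$1 *\{ *$2 *\}"; then
            echo "ok      plugin $1 { $2 }"
        else
            echo "FAIL    plugin $1 is not set to '$2' in $startup"
            fails=$((fails + 1))
        fi
    done

    # lcp-sync must appear inside the linux-cp stanza.
    if printf '%s' "$flat" | grep -Eq 'linux-cp *\{[^}]*lcp-sync'; then
        echo "ok      linux-cp { lcp-sync }"
    else
        echo "FAIL    linux-cp { lcp-sync } not found in $startup"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

On a live host, call it with an empty root and the path to your ``startup.conf``, for example ``check_vpp_sswan "" /etc/vpp/startup.conf`` (that path is an assumption), before bringing up any connections.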

Misc
----

This plugin is based on:
`https://github.com/matfabia/strongswan
<https://github.com/matfabia/strongswan>`__

Author: Matus Fabian <matfabia@cisco.com>