From 938b72eede4e8f6f8b6c32d0a730a226b68bff9a Mon Sep 17 00:00:00 2001
From: "Michael S. Pedersen"
Date: Fri, 25 Sep 2020 14:43:21 +0200
Subject: [PATCH] Updated IPsec example Configuration steps updated to work in new VPP
---
 .../ipsec/ipsec/templates/configmap.yaml | 18 +++++++++++-------
 examples/use_case/ipsec/ipsec/values.yaml | 10 ++++------
 2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/examples/use_case/ipsec/ipsec/templates/configmap.yaml b/examples/use_case/ipsec/ipsec/templates/configmap.yaml
index d2ccc9c..3ea1a87 100644
--- a/examples/use_case/ipsec/ipsec/templates/configmap.yaml
+++ b/examples/use_case/ipsec/ipsec/templates/configmap.yaml
@@ -21,16 +21,20 @@ data:
 set ip neighbor static memif1/{{ index .memid 0 }} {{ index .remip 0 }} {{ tpl ( index .remmac 0 ) $ }}
 set ip neighbor static memif2/{{ index .memid 1 }} {{ index .remip 1 }} {{ tpl ( index .remmac 1 ) $ }}
 {{ if .ipsec_endpoint }}
- create ipsec tunnel local-ip {{ index .ipsec_ip 0 }} remote-ip {{ index .ipsec_ip 1 }} local-spi {{ index .ipsec_spi 0 }} remote-spi {{ index .ipsec_spi 1 }} local-crypto-key {{ index .ipsec_key 0 }} remote-crypto-key {{ index .ipsec_key 1 }} crypto-alg aes-gcm-128
+ ipsec sa add 10 spi {{ index .ipsec_spi 0 }} esp crypto-alg aes-cbc-128 crypto-key {{ index .ipsec_key 0 }} integ-alg sha1-96 integ-key {{ index .ipsec_key 1 }}
+ ipsec sa add 20 spi {{ index .ipsec_spi 1 }} esp crypto-alg aes-cbc-128 crypto-key {{ index .ipsec_key 0 }} integ-alg sha1-96 integ-key {{ index .ipsec_key 1 }}
+ ipsec spd add 1
 {{ if eq .ipsec_direction "right" }}
- set interface unnumbered ipsec0 use memif2/{{ index .memid 1 }}
- set interface state ipsec0 up
+ set interface ipsec spd memif2/{{ index .memid 1 }} 1
+ ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 172.16.64.0 - 172.16.127.255 remote-ip-range 172.16.192.0 - 172.16.255.255
+ ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 172.16.64.0 - 172.16.127.255 remote-ip-range 172.16.192.0 - 172.16.255.255
 ip route add 172.16.64.0/18 via {{ index .remip 0 }}
- ip route add 172.16.192.0/18 via {{ index .remip 1 }} ipsec0
+ ip route add 172.16.192.0/18 via {{ index .remip 1 }} memif2/{{ index .memid 1 }}
 {{ else }}
- set interface unnumbered ipsec0 use memif1/{{ index .memid 0 }}
- set interface state ipsec0 up
- ip route add 172.16.64.0/18 via {{ index .remip 0 }} ipsec0
+ set interface ipsec spd memif1/{{ index .memid 0 }} 1
+ ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 172.16.192.0 - 172.16.255.255 remote-ip-range 172.16.64.0 - 172.16.127.255
+ ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 172.16.192.0 - 172.16.255.255 remote-ip-range 172.16.64.0 - 172.16.127.255
+ ip route add 172.16.64.0/18 via {{ index .remip 0 }} memif1/{{ index .memid 0 }}
 ip route add 172.16.192.0/18 via {{ index .remip 1 }}
 {{ end }}
 {{ else }}
diff --git a/examples/use_case/ipsec/ipsec/values.yaml b/examples/use_case/ipsec/ipsec/values.yaml
index 1472533..1793758 100644
--- a/examples/use_case/ipsec/ipsec/values.yaml
+++ b/examples/use_case/ipsec/ipsec/values.yaml
@@ -45,9 +45,8 @@ cnf:
 remip: ['172.16.31.10','172.16.32.11']
 remmac: ['52:54:00:00:01:bb','52:54:00:00:03:aa']
 ipsec_endpoint: true
- ipsec_ip: ['172.16.32.10','172.16.32.11']
- ipsec_spi: ['200000','100000']
- ipsec_key: ['714c7a456b41476442585353474b586c78796d45','47505069546a6461647565786163726865757346']
+ ipsec_spi: ['1000','2000']
+ ipsec_key: ['3a7a7f4f39efe793db445de138042031','9275e33a6115a8f4601be957c605765d0f12f6ab']
 ipsec_direction: 'right'

 3:
@@ -62,9 +61,8 @@ cnf:
 remip: ['172.16.32.10','172.16.33.11']
 remmac: ['52:54:00:00:02:bb','52:54:00:00:04:aa']
 ipsec_endpoint: true
- ipsec_ip: ['172.16.32.11','172.16.32.10']
- ipsec_spi: ['100000','200000']
- ipsec_key: ['47505069546a6461647565786163726865757346','714c7a456b41476442585353474b586c78796d45']
+ ipsec_spi: ['2000','1000']
+ ipsec_key: ['3a7a7f4f39efe793db445de138042031','9275e33a6115a8f4601be957c605765d0f12f6ab']
 ipsec_direction: 'left'

 4:
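Review bot: `ipsec sa add 10` and `ipsec sa add 20` both take `crypto-key {{ index .ipsec_key 0 }}` and `integ-key {{ index .ipsec_key 1 }}`, so the inbound and outbound SAs now share one key pair, where the removed tunnel command had separate local and remote keys. Giving SA 20 its own entries, e.g. `crypto-key {{ index .ipsec_key 2 }} integ-alg sha1-96 integ-key {{ index .ipsec_key 3 }}`, with four keys in values.yaml ordered so the peers' SAs still match by SPI, would restore per-direction keying. The suite also moves from `aes-gcm-128` to `aes-cbc-128` with `sha1-96`; if the targeted VPP release accepts `crypto-alg aes-gcm-128` on `ipsec sa add`, keeping the AEAD suite avoids that step down, and otherwise a template comment saying why CBC with SHA-1 was needed would help. The enclosing `{{ if .ipsec_endpoint }}` block ends outside this hunk.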
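Review bot: The replacement `ipsec_key` entries are fixed key material checked into values.yaml, identical on both endpoints, and the list changed meaning from [local key, remote key] to [crypto key, integ key] with nothing in the file saying so; the same applies to the hunk at `-62,9`. A comment above each list would cover both points, e.g. `# sample keys, replace per deployment: [aes-cbc-128 crypto key (16 bytes hex), sha1-96 integ key (20 bytes hex)]`. Judging by the template's file name these values are rendered into a ConfigMap, so outside the example they are better supplied from a Secret than from chart values.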