strongSwan configuration with CNF.
-
Download the material
# Fetch the demo material recursively into the current directory (no
# per-host subdirectories), re-downloading only files newer than the local copy.
# NOTE(review): this is a plain-HTTP fetch with no integrity check, and the
# cert/ directory and key files used in the following steps presumably come
# from it; verify the material out-of-band before using it.
wget --recursive --timestamping --no-directories http://sdewan.sh.intel.com:8888/ipsec-demo/
-
Modify the node selector in
cnf-1.yaml
and cnf-2.yaml
respectively. Create the two pods on different nodes with host networking.
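nodeSelector:
  # Replace "node" with the hostname of the target node (see `kubectl get nodes`);
  # use a different node for cnf-1.yaml and cnf-2.yaml.
  kubernetes.io/hostname: node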
-
Copy the certificates to the CNF pods.
Find the container ID for
cnf-1
and cnf-2
.
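#!/bin/sh
# Copy the CA cert, each CNF's own cert and its private key into the
# strongSwan directories of the cnf-1 and cnf-2 containers.
# Runs on a host where both kubectl and docker are available.
set -eu

# Print the docker container id of the named pod, parsed from the
# "Container ID: docker://<id>" line of `kubectl describe`.
# Yields nothing on a non-docker runtime (no "docker:" line), and one id per
# line if the pod has several containers — the guards below catch the first case.
container_id() {
  kubectl describe po "$1" | grep docker: | awk -F / '{print $3}'
}

# Copy one local file into <container>:<dir>; a failed copy aborts the run
# instead of leaving a CNF without its cert or key.
copy_into() {
  docker cp "$1" "$2:$3" || exit 1
}

cnf1=$(container_id cnf-1)
cnf2=$(container_id cnf-2)
: "${cnf1:?no docker container id found for cnf-1}"
: "${cnf2:?no docker container id found for cnf-2}"

# For cnf-1, copy sunCert (and its key) to it
copy_into ./cert/caCert.pem "$cnf1" /etc/ipsec.d/cacerts
copy_into ./cert/sunCert.pem "$cnf1" /etc/ipsec.d/certs
# NOTE(review): this is the private key; check its file mode inside the
# container after the copy so it is not readable by other users.
copy_into ./cert/sunKey.pem "$cnf1" /etc/ipsec.d/private

# For cnf-2, copy moonCert (and its key) to it
copy_into ./cert/caCert.pem "$cnf2" /etc/ipsec.d/cacerts
copy_into ./cert/moonCert.pem "$cnf2" /etc/ipsec.d/certs
copy_into ./cert/moonKey.pem "$cnf2" /etc/ipsec.d/private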
- Start the services in the containers of
cnf-1
and cnf-2
#!/bin/sh
# Bring up the service stack inside a CNF container: procd and ubusd run in
# the background, then the log and ipsec init scripts are started in order.
/sbin/procd &
/sbin/ubusd &
for svc in log ipsec; do
  sh "/etc/init.d/$svc" start
done
-
Edit
/var/ipsec/ipsec.secrets
in cnf-1
and cnf-2
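#!/bin/sh
# Write /var/ipsec/ipsec.secrets for one CNF.
# Usage (inside the container):  sh <this script> sun|moon
#   cnf-1 uses "sun"  -> /etc/ipsec.d/private/sunKey.pem
#   cnf-2 uses "moon" -> /etc/ipsec.d/private/moonKey.pem
# The original listing issued both writes back to back; the second one
# overwrites the first, so the key is selected by role instead.
set -eu

role=${1:?usage: sun|moon}
case "$role" in
  sun|moon) ;;
  *) printf 'unknown role: %s (expected sun or moon)\n' "$role" >&2; exit 2 ;;
esac

# One RSA entry; the empty selector before ':' means the key is not tied to a
# specific local identity.
printf '%s\n' " : RSA /etc/ipsec.d/private/${role}Key.pem" > /var/ipsec/ipsec.secrets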
-
Edit
/var/ipsec/ipsec.conf
in cnf-1
and cnf-2
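# /var/ipsec/ipsec.conf — two separate files: the "connection-11" section
# goes into cnf-1, the "connection12" section into cnf-2.
# Both sides authenticate with certificates (leftauth/rightauth=pubkey), pin
# the peer's DN via rightid, and anchor trust in the caCert.pem copied to
# /etc/ipsec.d/cacerts.

# For server side, cnf-1
conn connection-11
    left=%any
    # NOTE(review): with right=%any this side cannot initiate a connection;
    # auto=add is the usual responder setting — confirm auto=start is intended.
    right=%any
    rightsubnet=192.168.9.134/32
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
    leftauth=pubkey
    rightauth=pubkey
    leftcert=/etc/ipsec.d/certs/sunCert.pem
    leftsendcert=yes
    rightsendcert=yes
    # rightsourceip=192.169.0.1
    # NOTE(review): 192.169.0.0/16 is not RFC 1918 space; re-check the
    # address before re-enabling the line above.
    auto=start
    leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
    rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
    leftupdown=/etc/updown
    keyexchange=ikev2
    mark=30
    esp=aes128-sha256-modp3072,aes256-sha256-modp3072
    ike=aes128-sha256-modp3072,aes256-sha256-modp3072
    type=tunnel

# For client side, cnf-2
conn connection12
    left=%any
    right=61.240.163.206
    rightsubnet=61.240.163.206/32
    # leftsourceip=%config
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
    leftauth=pubkey
    rightauth=pubkey
    leftcert=/etc/ipsec.d/certs/moonCert.pem
    leftsendcert=yes
    rightsendcert=yes
    auto=start
    leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
    rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
    # Differs from cnf-1's leftupdown=/etc/updown; presumably intentional — confirm.
    leftupdown=/usr/lib/ipsec/_updown iptables
    keyexchange=ikev2
    esp=aes128-sha256-modp3072,aes256-sha256-modp3072
    ike=aes128-sha256-modp3072,aes256-sha256-modp3072
    type=tunnel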
-
Run
sudo ipsec start
in the container to start the IPsec tunnel.