1. Download the material

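    # Fetch the demo bundle. -np keeps the recursive download inside /ipsec-demo/
    # instead of walking up to the site root; -N only re-fetches files newer than
    # the local copy; -nd flattens everything into the current directory.
    # NOTE(review): plain HTTP and no checksum — the manifests and, presumably,
    # the ./cert/*.pem files used below (including the private keys) arrive
    # unauthenticated, so nothing in this step would detect a copy altered in transit.
    wget -r -N -nd -np http://sdewan.sh.intel.com:8888/ipsec-demo/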
    
  2. Modify the node selector in cnf-1.yaml and cnf-2.yaml respectively, so that the two pods are created on different nodes with host networking.

nodeSelector:
  # Set this to the target node's kubernetes.io/hostname label value (see
  # `kubectl get nodes --show-labels`). Use a different node in cnf-1.yaml and
  # cnf-2.yaml so the two host-network pods do not end up on the same host.
  kubernetes.io/hostname: node
  1. Copy the certificates to the CNF pods.

    Find the container id for cnf-1 and cnf-2.

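# Resolve a pod's container id the way the original one-liners did:
# "kubectl describe" -> the "docker://<id>" line -> third '/'-separated field.
# Returns non-zero (and prints to stderr) when nothing is found, so docker cp
# never runs with an empty target the way the unquoted inline $(...) allowed.
# NOTE(review): a pod with more than one container yields several ids here;
# the demo pods appear to have a single container — confirm.
cid_of() {
  local id
  id=$(kubectl describe po "$1" | grep docker: | awk -F / '{print $3}')
  if [ -z "$id" ]; then
    printf 'no docker container id found for pod %s\n' "$1" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Copy the CA cert, the pod's own cert and its private key into the strongSwan
# directory layout inside the container, then restrict the private key to its
# owner (docker cp preserves the host file mode where it can, so a 0644 key on
# the host would land world-readable in the container).
#   $1 pod name, $2 cert file under ./cert, $3 key file under ./cert
copy_certs() {
  local pod=$1 cert=$2 key=$3 cid
  cid=$(cid_of "$pod") || return 1
  docker cp ./cert/caCert.pem "$cid:/etc/ipsec.d/cacerts" || return 1
  docker cp "./cert/$cert" "$cid:/etc/ipsec.d/certs" || return 1
  docker cp "./cert/$key" "$cid:/etc/ipsec.d/private" || return 1
  docker exec "$cid" chmod 600 "/etc/ipsec.d/private/$key"
}

# cnf-1 is "sun" and cnf-2 is "moon" (matching the leftid/rightid values in ipsec.conf).
copy_certs cnf-1 sunCert.pem sunKey.pem
copy_certs cnf-2 moonCert.pem moonKey.pem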
  1. Start the services inside the cnf-1 and cnf-2 containers.
# Run inside each of cnf-1 and cnf-2: bring up procd and ubusd in the
# background, then start the log and ipsec init scripts in that order.
/sbin/procd &
/sbin/ubusd &
for svc in log ipsec; do
  sh "/etc/init.d/$svc" start
done
  1. Edit /var/ipsec/ipsec.secrets in cnf-1 and cnf-2

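    # Point strongSwan at the private key for this side. The line format is
    # "<selector> : RSA <keyfile>"; an empty selector matches any identity.
    # Run only the command for the container you are in, then the chmod: the
    # file names a private key and should not be readable by other users.
    # For cnf-1
    printf '%s\n' '  : RSA /etc/ipsec.d/private/sunKey.pem' > /var/ipsec/ipsec.secrets
    # For cnf-2
    printf '%s\n' '  : RSA /etc/ipsec.d/private/moonKey.pem' > /var/ipsec/ipsec.secrets
    chmod 600 /var/ipsec/ipsec.secrets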
    
  2. Edit /var/ipsec/ipsec.conf in cnf-1 and cnf-2

     # For server side, cnf-1
     # Responder: accepts IKEv2 from any address, but only a peer presenting a
     # certificate that chains to the CA in /etc/ipsec.d/cacerts and whose
     # subject matches rightid will authenticate.
     conn connection-11
       left=%any
       right=%any
       # NOTE(review): presumably the address cnf-2 sources its traffic from — confirm
       rightsubnet=192.168.9.134/32
       ikelifetime=3h
       lifetime=1h
       margintime=9m
       keyingtries=%forever
       # Dead-peer detection and close handling both re-establish the tunnel
       # instead of leaving it down.
       dpdaction=restart
       dpddelay=30s
       closeaction=restart
       # Mutual certificate authentication; leftid/rightid pin the identities.
       leftauth=pubkey
       rightauth=pubkey
       leftcert=/etc/ipsec.d/certs/sunCert.pem
       leftsendcert=yes
       rightsendcert=yes
       # NOTE(review): 192.169.0.0/16 is not RFC 1918 space — confirm this was
       # not meant to be 192.168.x before enabling it.
       # rightsourceip=192.169.0.1
       auto=start
       leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
       rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
       # NOTE(review): a custom updown script; the client side below uses the
       # stock _updown instead — confirm /etc/updown exists in the cnf-1 image.
       leftupdown=/etc/updown
       keyexchange=ikev2
       # NOTE(review): mark is only set on this side, not on connection12 — confirm intended
       mark=30
       # AES-128/256 with SHA-256 integrity; the modp3072 group on esp= enables PFS.
       esp=aes128-sha256-modp3072,aes256-sha256-modp3072
       ike=aes128-sha256-modp3072,aes256-sha256-modp3072
       type=tunnel


     # For client side, cnf-2
     # Initiator: its own address is unconstrained (%any); the peer is fixed.
     conn connection12
       left=%any
       # NOTE(review): presumably the address at which cnf-1 is reachable — confirm
       right=61.240.163.206
       rightsubnet=61.240.163.206/32
       # leftsourceip=%config
       ikelifetime=3h
       lifetime=1h
       margintime=9m
       keyingtries=%forever
       dpdaction=restart
       dpddelay=30s
       closeaction=restart
       # Mutual certificate authentication, mirroring connection-11.
       leftauth=pubkey
       rightauth=pubkey
       leftcert=/etc/ipsec.d/certs/moonCert.pem
       leftsendcert=yes
       rightsendcert=yes
       auto=start
       leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
       rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
       # Stock strongSwan updown script with iptables handling enabled.
       leftupdown=/usr/lib/ipsec/_updown iptables
       keyexchange=ikev2
       esp=aes128-sha256-modp3072,aes256-sha256-modp3072
       ike=aes128-sha256-modp3072,aes256-sha256-modp3072
       type=tunnel
    
  3. Run `sudo ipsec start` in the container to start the IPsec tunnel.