StrongWAN configure with CNF.

Download the material

1wget -r -N -nd http://sdewan.sh.intel.com:8888/ipsec-demo/

modify the node selector in cnf-1.yaml and cnf-2.yaml respectively. Create 2 pod on different node with host network.

1  nodeSelector:
2    # change to the specific node
3    kubernetes.io/hostname: node

Copy cert to the CNF Pod.

Find the container id for cnf-1 and cnf-2.

1# For cnf-1, copy sunCert to it
2docker cp ./cert/caCert.pem       $(kubectl describe po cnf-1|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/cacerts
3docker cp ./cert/sunCert.pem      $(kubectl describe po cnf-1|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/certs
4docker cp ./cert/sunKey.pem       $(kubectl describe po cnf-1|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/private
5# For node-2, copy moonCert to it
6
7docker cp ./cert/caCert.pem        $(kubectl describe po cnf-2|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/cacerts
8docker cp ./cert/moonCert.pem      $(kubectl describe po cnf-2|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/certs
9docker cp ./cert/moonKey.pem       $(kubectl describe po cnf-2|grep docker:|awk -F / '{print $3}'):/etc/ipsec.d/private

start service in container in cnf-1 and cnf -2

1    /sbin/procd &
2    /sbin/ubusd &
3    sh /etc/init.d/log start
4    sh /etc/init.d/ipsec start

Edit /var/ipsec/ipsec.secrets in cnf-1 and cnf -2

1
2# For cnf-1
3echo '  : RSA /etc/ipsec.d/private/sunKey.pem' > /var/ipsec/ipsec.secrets
4# For cnf-2
5echo '  : RSA /etc/ipsec.d/private/moonKey.pem' > /var/ipsec/ipsec.secrets

edit /var/ipsec/ipsec.conf in cnf-1 and cnf -2

 1# For server side, cnf-1
 2conn connection-11
 3  left=%any
 4  right=%any
 5  rightsubnet=192.168.9.134/32
 6  ikelifetime=3h
 7  lifetime=1h
 8  margintime=9m
 9  keyingtries=%forever
10  dpdaction=restart
11  dpddelay=30s
12  closeaction=restart
13  leftauth=pubkey
14  rightauth=pubkey
15  leftcert=/etc/ipsec.d/certs/sunCert.pem
16  leftsendcert=yes
17  rightsendcert=yes
18  # rightsourceip=192.169.0.1
19  auto=start
20  leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
21  rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
22  leftupdown=/etc/updown
23  keyexchange=ikev2
24  mark=30
25  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
26  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
27  type=tunnel
28
29
30# For client side, cnf-2
31conn connection12
32  left=%any
33  right=61.240.163.206
34  rightsubnet=61.240.163.206/32
35  # leftsourceip=%config
36  ikelifetime=3h
37  lifetime=1h
38  margintime=9m
39  keyingtries=%forever
40  dpdaction=restart
41  dpddelay=30s
42  closeaction=restart
43  leftauth=pubkey
44  rightauth=pubkey
45  leftcert=/etc/ipsec.d/certs/moonCert.pem
46  leftsendcert=yes
47  rightsendcert=yes
48  auto=start
49  leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
50  rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
51  leftupdown=/usr/lib/ipsec/_updown iptables
52  keyexchange=ikev2
53  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
54  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
55  type=tunnel

run sude ipsec start in the container to start the ipsec tunnel.

Airren Ren

StrongWAN configure with CNF.

Table of Contents