    Managed Services Configuration

    Topology

    Contrail Cloud 10.0 managed services architecture is described in Figure 1.

    Figure 1: Topology

    Requirements

    • AWS Virtual Private Cloud (VPC)
    • One publicly routable IP address for the AWS EC2 instance running strongSwan
    • Multiple subnets in the VPC; the strongSwan VM must be placed in a separate subnet
    • CentOS Amazon Machine Image (AMI)
    • KVM on the on-premise host to create a CentOS VM and install strongSwan
    • Two network interfaces, one publicly routable and one private

    Installing and Configuring strongSwan

    Before You Begin

    Ensure that CentOS is running on a VM or a physical host.

    [root@ipsec ~]# cat /etc/redhat-release 
    CentOS Linux release 7.3.1611 (Core)

    To install strongSwan:

    1. Get the latest EPEL release and install it:

      wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm
      rpm -Uvh epel-release-7-10.noarch.rpm

    2. Install strongSwan by running the following command:

      yum install strongswan -y

    3. Configure the strongSwan IPsec configuration files.

      You can modify the values in the on-premise host and AWS configuration files as shown in the following samples. The two files mirror each other: the left* values on one side are the right* values on the other.

      On-premise host sample configuration:

      cat /etc/strongswan/ipsec.conf
      config setup
          # plutodebug, plutostart and charonstart are pre-5.0 (pluto daemon) options;
          # strongSwan 5.x only logs a deprecation warning for them and ignores them
          plutodebug=none #change to "control" if you want to register what happens
          charonstart=yes
          plutostart=yes
      conn %default
          ikelifetime=60m
          keylife=20m
          rekeymargin=3m
          keyingtries=1
          keyexchange=ikev2
          authby=secret
      conn live
          left=%defaultroute
          leftsubnet=203.3.113.0/24
          leftid=192.0.2.133
          leftfirewall=yes
          right=203.3.113.127
          rightsubnet=198.51.100.0/16
          rightid=203.3.113.127
          dpdaction=restart
          auto=start

      AWS sample configuration:

      cat /etc/strongswan/ipsec.conf
      config setup
          # plutodebug, plutostart and charonstart are pre-5.0 (pluto daemon) options;
          # strongSwan 5.x only logs a deprecation warning for them and ignores them
          plutodebug=none #change to "control" if you want to register what happens
          charonstart=yes
          plutostart=yes

      conn %default
          ikelifetime=60m
          keylife=20m
          rekeymargin=3m
          keyingtries=1
          keyexchange=ikev2
          authby=secret

      conn staging
          left=%defaultroute
          leftsubnet=198.51.100.0/16
          leftid=203.3.113.127
          leftfirewall=yes
          right=192.0.2.133
          rightsubnet=203.3.113.0/24
          rightid=192.0.2.133
          dpdaction=restart
          auto=start
    4. Configure secrets on the on-premise host and AWS.

      A PSK is used for the IKEv2 authentication. The same key must be configured on both the on-premise host and AWS; otherwise the tunnel cannot be initiated.

      1. Run the following command on the on-premise host:

        cat ipsec.secrets
        # ipsec.secrets - strongSwan IPsec secrets file
        # keep this file readable by root only (mode 0600): it holds the PSK
        203.3.113.127 192.0.2.133 : PSK "3fccYTknKQGZPSVfFaiKtImfd0RYjqce"

      2. Run the following command on the AWS strongSwan instance:

        cat ipsec.secrets
        # ipsec.secrets - strongSwan IPsec secrets file
        192.0.2.133 203.3.113.127 : PSK "3fccYTknKQGZPSVfFaiKtImfd0RYjqce"
    5. Add the following settings to /etc/sysctl.conf on both instances to enable IP forwarding (ICMP redirects are disabled at the same time):

      cat /etc/sysctl.conf

      net.ipv4.ip_forward=1
      net.ipv4.conf.all.accept_redirects = 0
      net.ipv4.conf.all.send_redirects = 0

      Run sysctl -p to reload the settings.
    6. Restart the strongSwan service on both instances to activate the new configuration:

      service strongswan restart (or) systemctl restart strongswan

    7. Check the status of strongSwan on both the on-premise host and AWS and ensure the following:
      • The tunnel connection is reported as up.
      • The tunnel between the subnets matches the leftsubnet and rightsubnet values in the configuration files above.

      To check the status on the on-premise host, run the following command on the on-premise host:

        strongswan statusall

        Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-514.el7.x86_64, x86_64):
          uptime: 35 minutes, since Oct 03 03:21:37 2017
          malloc: sbrk 2703360, mmap 0, used 541184, free 2162176
          worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
          loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
        Listening IP addresses:
          203.3.113.127
          203.3.113.12
        Connections:
                live: %any...192.0.2.133 IKEv2, dpddelay=30s
                live: local: [203.3.113.127] uses pre-shared key authentication
                live: remote: [192.0.2.133] uses pre-shared key authentication
                live: child: 203.3.113.0/24 === 198.51.100.0/16 TUNNEL, dpdaction=restart
        Security Associations (1 up, 0 connecting):
                live[2]: ESTABLISHED 34 minutes ago, 203.3.113.127[203.3.113.127]...192.0.2.133[192.0.2.133]
                live[2]: IKEv2 SPIs: bdd7522265ff6773_i 131f351df83241ad_r*, pre-shared key reauthentication in 19 minutes
                live[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
                live{5}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce679555_i c13d9d36_o
                live{5}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 9 minutes
                live{5}: 203.3.113.0/24 === 198.51.100.0/16
                live{6}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbecdd18_i c44519a9_o
                live{6}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
                live{6}: 203.3.113.0/24 === 198.51.100.0/16

      To check the status on AWS, run the following command on the AWS instance:

        strongswan statusall

        Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-514.16.1.el7.x86_64, x86_64):
          uptime: 35 minutes, since Oct 03 10:21:09 2017
          malloc: sbrk 2260992, mmap 0, used 190480, free 2070512
          worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
          loaded plugins: charon random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
        Listening IP addresses:
          203.3.113.3
        Connections:
             staging: %any...203.3.113.127 IKEv2, dpddelay=30s
             staging: local: [192.0.2.133] uses pre-shared key authentication
             staging: remote: [203.3.113.127] uses pre-shared key authentication
             staging: child: 198.51.100.0/16 === 203.3.113.0/24 TUNNEL, dpdaction=restart
        Security Associations (1 up, 0 connecting):
             staging[1]: ESTABLISHED 35 minutes ago, 203.3.113.3[192.0.2.133]...203.3.113.127[203.3.113.127]
             staging[1]: IKEv2 SPIs: bdd7522265ff6773_i* 131f351df83241ad_r, pre-shared key reauthentication in 15 minutes
             staging[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
             staging{5}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c13d9d36_i ce679555_o
             staging{5}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 10 minutes
             staging{5}: 198.51.100.0/16 === 203.3.113.0/24
             staging{6}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c44519a9_i cbecdd18_o
             staging{6}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
             staging{6}: 198.51.100.0/16 === 203.3.113.0/24

      Note: The parameter dpdaction=restart in the above configuration handles dead-peer detection and automatically re-initiates the tunnel if the peer stops responding.

    Monitoring

    Open-source monitoring platforms such as Nagios and Zabbix already have plugins to monitor strongSwan IPsec connections. Because AppFormix can use most Nagios plugins, you can create a specific plugin for monitoring the tunnels. A sample plugin for Nagios is shown in the following example:

    Usage: check_ipsec --tunnels

    ./check_ipsec --tunnels 10
    OK - All 10 tunnels are up an running

    The plugin has to be run through NRPE. Add these lines to /etc/sudoers so that the nagios user can run it without a password:

    Cmnd_Alias IPSEC = /usr/lib/nagios/plugins/check_ipsec
    nagios ALL=NOPASSWD:IPSEC
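The two checks that step 7 asks for (IKE SA ESTABLISHED, CHILD_SA INSTALLED for the configured subnets) can be automated as a Nagios-style plugin like check_ipsec above. The following is an added example and not the page's or the plugin's own code; it parses the `strongswan statusall` layout shown in step 7, and the sample output, the conn name "backup" and the subnet 10.9.0.0/16 are constructed for the demonstration.

```python
import re

# Constructed sample in the layout of the `strongswan statusall` output above:
# conn "live" has an ESTABLISHED IKE SA and an INSTALLED CHILD_SA, while the
# hypothetical conn "backup" is loaded but has no SA at all.
SAMPLE_STATUS = """\
Connections:
        live:   child:  203.3.113.0/24 === 198.51.100.0/16 TUNNEL, dpdaction=restart
      backup:   child:  203.3.113.0/24 === 10.9.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        live[2]: ESTABLISHED 34 minutes ago, 203.3.113.127[203.3.113.127]...192.0.2.133[192.0.2.133]
        live{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce679555_i c13d9d36_o
        live{5}:   203.3.113.0/24 === 198.51.100.0/16
"""
CHILD_CFG = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+) TUNNEL")  # configured pair
IKE_UP = re.compile(r"^\s*(\S+)\[\d+\]: ESTABLISHED")                     # IKE SA up
CHILD_UP = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+) === (\S+)\s*$")          # installed pair

def _state():
    return {"configured": set(), "installed": set(), "ike": False}

def parse_status(text):
    """Per conn: configured subnet pairs, pairs with an INSTALLED CHILD_SA,
    and whether an IKE SA is ESTABLISHED."""
    conns = {}
    for line in text.splitlines():
        for rx, key in ((CHILD_CFG, "configured"), (CHILD_UP, "installed")):
            if m := rx.match(line):
                conns.setdefault(m.group(1), _state())[key].add((m.group(2), m.group(3)))
        if m := IKE_UP.match(line):
            conns.setdefault(m.group(1), _state())["ike"] = True
    return conns

def check_tunnels(text, expected):
    """Nagios-style check, expected = {conn: (left_subnet, right_subnet)}; returns
    (exit_code, message), 0 = OK, 2 = CRITICAL. A tunnel is up only when the
    IKE SA is established AND the expected CHILD_SA is installed."""
    conns = parse_status(text)
    problems = []
    for name, nets in expected.items():
        st = conns.get(name)
        if st is None:
            problems.append(f"{name}: not loaded")
        elif not st["ike"]:
            problems.append(f"{name}: IKE SA not established")
        elif nets not in st["installed"]:
            problems.append(f"{name}: no CHILD_SA for {nets[0]} === {nets[1]}")
    if problems:
        return 2, "CRITICAL - " + "; ".join(problems)
    return 0, f"OK - {len(expected)} tunnel(s) up and running"
```

Under NRPE, feed the output of `strongswan statusall` (run via the sudoers entry above, since it needs root) to check_tunnels and exit with the returned code.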

    A sample Zabbix discovery output (the JSON a low-level discovery plugin returns, one entry per tunnel) is shown in the following example:

    {
      "data": [
        {
          "{#TUNNEL}": "tunnel1",
          "{#TARGETIP}": "192.0.35.1",
          "{#SOURCEIP}": "192.0.234.4",
          "{#RTT_TIME_WARN}": "80",
          "{#RTT_TIME_ERR}": "150"
        },
        {
          "{#TUNNEL}": "tunnel2",
          "{#TARGETIP}": "203.0.5.1",
          "{#SOURCEIP}": "192.0.234.4",
          "{#RTT_TIME_WARN}": "80",
          "{#RTT_TIME_ERR}": "150"
        }
      ]
    }


    Automation (Enhancement)

    We can automate the provisioning and configuration of strongSwan as part of the other playbooks that make up the overall installation. The structure of an Ansible role for strongSwan and a sample playbook are shown below.

    Role Variables:

    strongswan_packages:
      - strongswan

    The current list of packages to be installed is Arch Linux specific.

    strongswan_conn_default:
      auto: add
      type: tunnel
      authby: psk
      keyexchange: ike
      ikelifetime: 3h
      lifetime: 60m
      margintime: 15m
      keyingtries: 3
      dpdaction: restart
      dpddelay: 30

    Current defaults placed into the %default connection follow the typical defaults for strongSwan version 5.0.0.

    strongswan_conn: []
    # - name: connection_name
    #   conn:
    #     # connection options go here, e.g.
    #     ike: aes256gcm16-modp2048!
    #     esp: aes256gcm16-modp2048!
    #   left:
    #     address: local_address
    #     # further left-hand options here
    #   right:
    #     address: remote_address
    #     # further right-hand options here
    #   secret: abcde...z

    Connection information must be installed into strongSwan.

    Example Playbook

    Playbook:

    - hosts: ipsec_server
      roles:
        - { role: contrail.strongswan, tags: ['ipsec'] }

    Variables:

    ---
    strongswan_hosts:
      - name: example
        conn:
          auto: route
          type: tunnel
          authby: psk
          keyexchange: ikev2
          lifetime: 3h
          ike: aes256gcm16-modp2048!
          esp: aes256gcm16-modp2048!
          ikelifetime: 24h
        left:
          address: 203.4.113.12
          protoport: 47
        right:
          address: 203.4.113.14
          protoport: 47
        secret: something_needs_to_go_here
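To show how the role's nested connection data maps onto the ipsec.conf and ipsec.secrets syntax used in steps 3 and 4, here is an added example (not the role's own template): the key layout of the item, the prefixing of left/right keys and the refusal of the playbook placeholder secret are my assumptions about how such a role would render the files. The PSK value is the one from step 4.

```python
# Connection item in the shape of the strongswan_hosts entry above (values copied
# from the example playbook; key layout and left/right prefixing are assumptions
# about the role, not its template).
EXAMPLE_CONN = {
    "name": "example",
    "conn": {"auto": "route", "type": "tunnel", "authby": "psk", "keyexchange": "ikev2",
             "lifetime": "3h", "ike": "aes256gcm16-modp2048!", "esp": "aes256gcm16-modp2048!",
             "ikelifetime": "24h"},
    "left": {"address": "203.4.113.12", "protoport": "47"},
    "right": {"address": "203.4.113.14", "protoport": "47"},
    "secret": "3fccYTknKQGZPSVfFaiKtImfd0RYjqce",  # the PSK from step 4, not the placeholder
}
PLACEHOLDER = "something_needs_to_go_here"

def render_conn(item):
    """One `conn <name>` block: conn.* keys verbatim, left.address -> left=,
    every other left/right key prefixed (left.protoport -> leftprotoport=)."""
    lines = [f"conn {item['name']}"]
    lines += [f"    {k}={v}" for k, v in item["conn"].items()]
    for side in ("left", "right"):
        for k, v in item.get(side, {}).items():
            lines.append(f"    {side if k == 'address' else side + k}={v}")
    return "\n".join(lines) + "\n"

def render_secret(item):
    """One ipsec.secrets line in the `<left> <right> : PSK "..."` form of step 4.
    Refuses an empty secret or the playbook placeholder so a tunnel is never
    brought up with a dummy PSK."""
    secret = item.get("secret", "")
    if not secret or secret == PLACEHOLDER:
        raise ValueError(f"conn {item['name']}: PSK is missing or still the placeholder")
    return f'{item["left"]["address"]} {item["right"]["address"]} : PSK "{secret}"\n'

def render_ipsec_conf(defaults, items):
    """Whole ipsec.conf: `config setup`, `conn %default` filled from
    strongswan_conn_default, then one block per connection item."""
    out = ["config setup\n", "conn %default"]
    out += [f"    {k}={v}" for k, v in defaults.items()]
    return "\n".join(out) + "\n\n" + "\n".join(render_conn(i) for i in items)
```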

    Modified: 2017-12-21