Feature Description
This feature introduces strongSwan, a keying daemon that uses the Internet Key Exchange (IKE) protocols, IKEv1 and IKEv2, to establish security associations (SAs) between two peers in a network. Such an IKE session is denoted as IKE_SA in this chapter. IKE provides strong authentication for both peers and derives unique cryptographic session keys. Besides authentication and key material, IKE also provides the means to exchange configuration information and to negotiate IPsec SAs, which are often called CHILD_SAs. IPsec SAs define which network traffic is to be secured and how it has to be encrypted and authenticated.
The strongSwan feature is available as an add-on from the Cluster Manager (CM). Use the CM Ops-Center to configure this add-on. In the current release, the SMI uses strongSwan version 5.9.3.
SMI allows monitoring of IPsec certificates: it sends certificate expiry alerts and updates certificates through the strongSwan configuration.
Configuration Parameters
This section describes the configuration parameters available for the strongSwan add-on feature. Use the CM Ops-Center to configure these parameters.
- name
  : Specifies the name of the connection, which can be used for connection-specific operations, for example, up or down.
- auto { ignore | add | route | start }
  : Specifies the operation, if any, that should be automatically performed at IPsec startup. The add option loads a connection without starting it, whereas route loads a connection and installs kernel traps; if traffic is detected between the leftsubnet and rightsubnet, a connection is established. The start option loads a connection and brings it up immediately. The ignore option ignores the connection and is the same as deleting the connection from the config file. The default value is ignore.
- keyexchange { ikev1 | ikev2 }
  : Specifies the method of key exchange and the protocol to use to initialize the connection.
- type { tunnel | transport | transport_proxy | passthrough | drop }
  : Specifies the type of the connection. Currently, the accepted values are tunnel, signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; transport, signifying host-to-host transport mode; transport_proxy, signifying the special Mobile IPv6 transport proxy mode; passthrough, signifying that no IPsec processing should be done at all; and drop, signifying that packets must be discarded.
- left or right { ip address ip_address | fqdn fqdn | %any | %any4 | %any6 | range | subnet }
  : Specifies the IP address or FQDN of the participant's public-network interface. The value %any for the local endpoint signifies an address to be filled in (by automatic keying) during negotiation. If the local peer initiates the connection setup, the routing table is queried to determine the correct local IP address. If the local peer is responding to a connection setup, any IP address that is assigned to a local interface is accepted. The value %any4 restricts address selection to IPv4 addresses and %any6 restricts address selection to IPv6 addresses.
- leftsubnet or rightsubnet ip subnet
  : Specifies the private subnet behind the left or right participant, expressed as network/netmask.
- leftid or rightid id
  : Specifies how the left or right participant must be identified for authentication. The default is the value of left or right, or the subject of the configured certificate. It must match the full subject DN or one of the subjectAltName extensions contained in the certificate.
- leftsendcert { never | no | ifasked | always | yes }
  : Defines whether a peer must send a certificate request (CR) payload in order to get a certificate in return.
- leftauth or rightauth { pubkey | psk | eap | xauth }
  : Specifies the authentication method to use locally (left) or require from the remote (right) side. The acceptable values are pubkey for public key authentication (RSA/ECDSA), psk for pre-shared key authentication, eap to use the Extensible Authentication Protocol, and xauth for IKEv1 eXtended Authentication. The default value is pubkey.
- psk pre-shared key
  : Specifies the pre-shared key. This setting is required if leftauth or rightauth is configured as psk.
- esp { cipher suites | aes128-sha256 }
  : A comma-separated list of ESP encryption/authentication algorithms to use for the connection, for example, aes128-sha256. The notation is encryption-integrity[-dhgroup][-esnmode]. For IKEv2, multiple algorithms (separated by -) of the same type can be included in a single proposal. IKEv1 only includes the first algorithm in a proposal. The default value is aes128-sha256.
- ike { cipher suites | aes128-sha256-modp3072 }
  : A comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to use, for example, aes128-sha256-modp3072. The notation is encryption-integrity[-prf]-dhgroup. In IKEv2, multiple algorithms and proposals might be included, such as aes128-aes256-sha1-modp3072-modp2048 or 3des-sha1-md5-modp1024. The default value is aes128-sha256-modp3072.
- ikelifetime { time time | 3h }
  : Specifies how long the keying channel of a connection (ISAKMP or IKE SA) must last before being renegotiated. The default value is 3h.
- lifetime { time time | 1h }
  : Specifies how long a particular instance of a connection should last, from successful negotiation to expiry. The default value is 1h.
- dpdaction { none | clear | hold | restart }
  : Specifies the action to be taken when a dead peer is detected. The default value is none.
- dpddelay { time time | 30s }
  : Defines the time interval at which INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received. The default value is 30s.
- dpdtimeout { time time | 150s }
  : Defines the timeout interval after which all connections to a peer are deleted in case of inactivity. The default value is 150s.
- inactivity time time
  : Defines the timeout interval after which a CHILD_SA is closed if it did not send or receive any traffic.
- closeaction { none | clear | hold | restart }
  : Defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see dpdaction for the description of the options). If the peer uses reauthentication or uniqueids checking, closeaction must not be used, because these events might trigger the defined action when it is not desired.
- nodes list_of_node_names
  : Specifies the node names on which the IPsec connection must be established.
- serverCert server_certificate
  : Specifies the content of the server certificate, in PEM format, to be used for this connection. Note: This keyword is not supported under strongSwan configuration.
- serverPrivKey server_private_key
  : Specifies the content of the server private key, in PEM format, to be used for this connection. Note: This keyword is not supported under strongSwan configuration.
- serverPrivKeyPassphrase passphrase
  : Specifies the passphrase used to encrypt the server-priv-key value.
- server-secret
  : Passes an existing TLS secret for this connection.
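The following is an added example, not part of this document or of the strongSwan or SMI code: a small Python audit tool that parses an ipsec.conf-style conn block built from the connection keywords listed above (auto, keyexchange, left/right, leftsubnet, leftid, leftauth, ike, esp, lifetimes, DPD settings) and checks the ike and esp proposal strings against the notation described for those two parameters (encryption-integrity[-prf]-dhgroup and encryption-integrity[-dhgroup][-esnmode]). It classifies each token into its slot, flags legacy algorithms such as the 3des-sha1-md5-modp1024 proposal mentioned above, and applies the rule that IKEv1 only uses the first algorithm of each type in a proposal. The conn name, addresses, subnets and identities in SAMPLE_CONF are constructed placeholders, and the WEAK_ALGORITHMS set and the token classification are simplified assumptions of this example, not a strongSwan policy.

```python
"""Parse an ipsec.conf-style conn block and audit its IKE/ESP proposals (added example)."""
from __future__ import annotations

import re

# Constructed sample conn block using the keywords described on this page.
# Addresses, subnets and identities are placeholders, not real deployment values.
SAMPLE_CONF = """\
conn smi-peer
    auto=start
    keyexchange=ikev2
    type=tunnel
    left=192.0.2.10
    leftsubnet=10.0.0.0/24
    leftid=@gw-left.example.net
    leftauth=pubkey
    leftsendcert=ifasked
    right=198.51.100.20
    rightsubnet=10.1.0.0/24
    rightid=@gw-right.example.net
    rightauth=pubkey
    ike=aes128-sha256-modp3072,3des-sha1-md5-modp1024
    esp=aes128-sha256
    ikelifetime=3h
    lifetime=1h
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=150s
    closeaction=none
"""

# Tokens this audit treats as legacy or weak (illustrative list for the example).
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

# Page defaults for the two proposal parameters, used when a conn omits them.
DEFAULT_PROPOSALS = {"ike": "aes128-sha256-modp3072", "esp": "aes128-sha256"}


def parse_conn(text: str) -> dict[str, dict[str, str]]:
    """Parse 'conn <name>' sections followed by indented key=value lines."""
    conns: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        match = re.match(r"^conn\s+(\S+)\s*$", line)
        if match:
            current = match.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def classify(token: str) -> str:
    """Map one algorithm token to its slot in the proposal notation (simplified)."""
    if token in ("esn", "noesn"):
        return "esn"
    if token.startswith("prf"):
        return "prf"
    if token.startswith(("modp", "ecp", "curve", "x25519", "x448")):
        return "dh"
    if token.startswith(("sha", "md5", "aesxcbc", "aescmac")):
        return "integrity"
    return "encryption"  # aes*, 3des, chacha20poly1305, camellia*, null, ...


def parse_proposal(proposal: str) -> dict[str, list[str]]:
    """Split a single '-'-separated proposal into its algorithm slots, keeping order."""
    slots: dict[str, list[str]] = {"encryption": [], "integrity": [], "prf": [], "dh": [], "esn": []}
    for token in proposal.split("-"):
        if token:
            slots[classify(token)].append(token)
    return slots


def effective_proposal(proposal: str, keyexchange: str) -> dict[str, list[str]]:
    """IKEv1 only includes the first algorithm of each type; IKEv2 keeps them all."""
    slots = parse_proposal(proposal)
    if keyexchange == "ikev1":
        return {slot: algs[:1] for slot, algs in slots.items()}
    return slots


def weak_algorithms(proposal: str) -> list[str]:
    """Return the tokens of one proposal that are on the weak list, in order."""
    return [t for t in proposal.split("-") if t in WEAK_ALGORITHMS]


def audit_conn(conn: dict[str, str]) -> dict[str, list[list[str]]]:
    """For each comma-separated ike/esp proposal, list the weak tokens it contains."""
    report: dict[str, list[list[str]]] = {}
    for key, default in DEFAULT_PROPOSALS.items():
        proposals = conn.get(key, default).split(",")
        report[key] = [weak_algorithms(p.strip()) for p in proposals]
    return report


if __name__ == "__main__":
    for name, conn in parse_conn(SAMPLE_CONF).items():
        print(name, audit_conn(conn))
```

Run as a script, the example prints one line per conn with, for ike and esp, a list per proposal of the weak tokens found; an empty inner list means that proposal passed. In the constructed sample the second ike proposal is reported for 3des, sha1, md5 and modp1024 while the first ike proposal and the esp proposal are clean, which is the kind of check worth running before the add-on brings a connection up with auto=start.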