Installing strongSwan

This section describes how to install the strongSwan feature.

Install strongSwan as an Add-on from the CM

Use the following steps to install strongSwan as an add-on from the CM Ops-Center:

  1. Use the following CLI command to enable the strongSwan add-on:

    clusters cluster_name addons strongswan enabled

  2. Set all the strongSwan parameters for connection (refer to the Configuration Parameters section for more details on available parameters).

  3. Trigger the cluster sync operation.

    Note

    The strongSwan pods run on all nodes; however, traffic is accepted only on the nodes that are configured by using the "nodes" parameter in the CM Ops-Center. strongSwan does not accept or send any traffic on non-configured nodes.

Configuring IPSec Certificates

To configure IPSec certificates under the strongSwan configuration, use the following procedure:

  1. Create the TLS secrets for the server certificate and the CA certificate.

    Note: Create strongSwan-related secrets inside the smi-strongswan namespace.

    Example:

    [test-cm-controlplane] SMI Cluster Deployer# show running-config clusters secrets ca-cert
    clusters test-aio
     secrets ca-cert smi-strongswan 134-ca
      certificate "-----BEGIN CERTIFICATE-----\nMIIDqzCzQubm..................1Ac1L+s4M3ug==\n-----END CERTIFICATE-----\n"
     exit
     secrets ca-cert smi-strongswan 135-ca
      certificate "-----BEGIN CERTIFICATE-----\nMIIFqzCCA5Og..................9XdMDiQANHgf7w\n-----END CERTIFICATE-----\n"
     exit
     secrets ca-cert smi-strongswan ca-1
      certificate "-----BEGIN CERTIFICATE-----\nMIID0TCCArmg..................UNvF0nAmIX0qxg4\n-----END CERTIFICATE-----\n"
     exit
     secrets ca-cert smi-strongswan ca-2
      certificate "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADAN..................tbNDzGAnF29nus=\n-----END PRIVATE KEY-----\n"
     exit
    exit

  2. Reference the secrets in the strongSwan configuration. The strongSwan configuration shows the available TLS secrets and certificates.

    Example:

    [test-cm-controlplane] SMI Cluster Deployer# show running-config clusters karan-aio strongswan connections server-secret
    clusters test-aio
     strongswan connections a-to-b
      server-secret a-to-b
     exit
    exit
     
    [test-cm-controlplane] SMI Cluster Deployer# show running-config clusters karan-aio strongswan ca-certs
    clusters test-aio
    strongswan ca-certs [ 134-ca 135-ca ]
    exit
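
A check for the two steps above, as an added example that is not part of the original documentation: it parses running-config text in the layout shown in the examples and reports ca-cert secrets outside the smi-strongswan namespace, ca-cert values whose PEM label is not CERTIFICATE (the ca-2 entry in the sample output above carries a PRIVATE KEY block), and names in strongswan ca-certs that have no matching secret. The function name audit_ca_certs, the parsing patterns and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout of the "show running-config" output above;
# the PEM bodies are placeholders, not real key material.
SAMPLE_CONFIG = r'''
clusters test-aio
 secrets ca-cert smi-strongswan 134-ca
  certificate "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
 exit
 secrets ca-cert smi-strongswan ca-2
  certificate "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
 exit
 secrets ca-cert default 136-ca
  certificate "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
 exit
 strongswan ca-certs [ 134-ca 135-ca ca-2 ]
exit
'''

# Patterns assume the CLI layout shown on this page (hypothetical parser).
SECRET_RE = re.compile(r'^\s*secrets ca-cert (\S+) (\S+)\s*$')
VALUE_RE = re.compile(r'^\s*certificate "-----BEGIN ([A-Z0-9 ]+)-----')
REFS_RE = re.compile(r'^\s*strongswan ca-certs \[([^\]]*)\]')

def audit_ca_certs(config_text, namespace="smi-strongswan"):
    """Return a sorted list of findings for ca-cert secrets and references."""
    secrets, refs, findings, current = {}, [], [], None
    for line in config_text.splitlines():
        if m := SECRET_RE.match(line):
            current = m.group(2)
            secrets[current] = {"namespace": m.group(1), "label": None}
        elif (m := VALUE_RE.match(line)) and current:
            secrets[current]["label"] = m.group(1)
        elif m := REFS_RE.match(line):
            refs.extend(m.group(1).split())
        elif line.strip() == "exit":
            current = None
    for name, info in secrets.items():
        if info["namespace"] != namespace:
            findings.append(f"{name}: secret is in namespace {info['namespace']}, not {namespace}")
        if info["label"] != "CERTIFICATE":
            findings.append(f"{name}: PEM label is {info['label']}, expected CERTIFICATE")
    for name in refs:
        if name not in secrets:
            findings.append(f"{name}: referenced by strongswan ca-certs but not defined")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ca_certs(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running-config before triggering the cluster sync; an empty result means every referenced CA secret exists, sits in the expected namespace and holds a certificate rather than key material.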