IPsec Client plugin
The 128T-ipsec-client plugin provides a way to send and encrypt traffic to IPsec endpoints through the 128T router. It is possible to configure the plugin for each router to have multiple destination IPsec endpoints and thus the 128T will failover between them. This is accomplished by performing a Service Function Chain (SFC) with Libreswan, a third-party IPsec client. By enabling this plugin, you can provide IPsec tunnel connectivity to third party providers from your 128T router.
note
The instructions for installing and managing the plugin can be found here.
Configuration
In the below configuration examples, there are two of each plugin configuration element. The first has all configuration elements explicitly configured with the defaults if applicable and the other is the bare minimum using all of the default values. The values enclosed in <> are fields that didn’t have default values specified by the plugin. If any of these optional, non-defaulted fields are unspecified, then they will use the Libreswan defaults which can be found here. The values enclosed in [] are fields that didn't have default values specified by the plugin and will not be included in the generated 128T configuration.
Profiles
Profiles are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint remotes.
note
This plugin can only connect to IPsec endpoints that support pre-shared key authentication.
Clients
Clients are a collection of remote endpoints which can be used for failover purposes.
note
Only one ipsec-client can be configured per node, but two remotes can be configured per client.
Generated 128T Configuration
A KNI per remote is created with the name of the remote and a single egress KNI is created with the name of the ipsec-client.
User-Specific 128T Configuration
To allow the maximum flexibility on getting the traffic into the plugin's network namespace and getting the traffic out, we rely on the user to configure those means (usually through services and service routes).
You will need to have the IPsec endpoint bound traffic sent into the KNIs with the names of the remotes. You can use builtin 128T failover techniques due to the KNIs being reported operationally down when the corresponding tunnel is down. You will also need to configure a way for the traffic to be routed towards the IPsec endpoint after being encrypted. All of this encrypted traffic will be assigned to the tenant configured under ipsec-client.
Complete Example Configuration
Below is an example of a complete, but minimal configuration entered by the user.
warning
This example configuration is good to understand all of the concepts but should not be used on a system as is.
Upon commit, the plugin will generate other configuration as shown below:
Thirdparty Software & Licenses
- Libreswan v3.23-5.el7_5 (GNU GPLv2)
Troubleshooting
Data Model
If the data model doesn’t appear in the PCLI or GUI, make sure that you have restarted the 128T service.
Logging
The /var/log/128technology/persistentDataManager.log file at trace level will hold whether the configuration generation was run as well as output and return code.
The /var/log/128technology/automatedProvisioner.log file at trace level will hold whether the pillar generation was run as well as output and return code.
Configuration and pillar generation logs can be found on the conductor under /var/log/128technology/plugins/ipsec-client-config-generation.log and /var/log/128technology/plugins/ipsec-client-pillar-generation.log respectively.
Salt
Salt status can be found on the conductor by utilizing the PCLI’s show assets and show assets <asset-id> commands.
PCLI Enhancements
To check the status of the IPsec tunnels for a given ingress KNI, extra IPsec tunnel related output will be found in the show device-interface command.
Example output for a healthy tunnel:
Example output for a tunnel that is down:
Systemd Services
To check the status of the IPsec client service on the router, you can run show system services which will show all 128T related services running on the specified node. The one for this plugin is named 128t-ipsec.
To verify that the services are running properly on the 128T router:
systemctl status 128t-ipsec@<client>.service
Failover Alarms
If a tunnel goes down, we set the corresponding ingress KNI to be operationally down. An alarm will be created when this happens.
Example output when the tunnel for rem1 goes down:
Release Notes
Release 2.0.4
Issues Fixed
- PLUGIN-384 Added an MTU configuration option to the ipsec profile.
- PLUGIN-333 The
plugin-networkip prefix setting in the configuration was ignored and would instead use the default ip prefix setting. - PLUGIN-336 Using the
vector-nameconfiguration option would generate invalid configuration. - PLUGIN-400 Added a local subnet configuration option and enhanced the remote subnet configuration option to allow a list of values.
Release 2.0.1
Issues Fixed
- PLUGIN-47 Created generic ipsec client plugin to provide connectivity to remote ipsec endpoints. This version supports a single client with up to two remote endpoints.
Release 1.0.4
Issues Fixed
- PLUGIN-384 Added an MTU configuration option to the ipsec profile.
- PLUGIN-333 The
plugin-networkip prefix setting in the configuration was ignored and would instead use the default ip prefix setting. - PLUGIN-336 Using the
vector-nameconfiguration option would generate invalid configuration. - PLUGIN-400 Added a local subnet configuration option and enhanced the remote subnet configuration option to allow a list of values.
Release 1.0.1
Issues Fixed
- PLUGIN-47 Created generic IPsec client plugin to provide connectivity to remote IPsec endpoints. This version supports a single client with up to two remote endpoints.