Skip to content

Commit

Permalink
ipsec: Add document for ipsec P2P use case
Browse files Browse the repository at this point in the history
Signed-off-by: Gris Ge <[email protected]>
  • Loading branch information
cathay4t committed Jan 9, 2024
1 parent 8c223ee commit 2e68afc
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 0 deletions.
4 changes: 4 additions & 0 deletions devel/yaml_api.md
Original file line number Diff line number Diff line change
Expand Up @@ -1400,6 +1400,10 @@ The `libreswan` section, nmstate provides these properties:
* `psk`: String. The Pre-Shared-Key. Please consider to use x509/PKI
authentication in production system. In query, this property will be
shown as `<_password_hid_by_nmstate>` for security concern.
* `rightsubnet`: String. Please explicitly set it when using in host-to-host
mode.
* `leftmodecfgclient`: yes|no. Please explicitly set it to `no` when using in
host-to-host mode.

Except the `psk` property, all other properties are libreswan specific options,
please refer to the manpage of `ipsec.conf` for detail meaning of them.
Expand Down
44 changes: 44 additions & 0 deletions features/ipsec.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
* [IPsec x509/PKI authentication example](#ipsec-x509pki-authentication-example)
* [IPsec RSA authentication example](#ipsec-rsa-authentication-example)
* [IPsec PSK authentication example](#ipsec-psk-authentication-example)
* [IPSec Host-to-Host/P2P tunnel](#ipsec-host-to-hostp2p-tunnel)

<!-- vim-markdown-toc -->

Expand Down Expand Up @@ -76,3 +77,46 @@ interfaces:
```

The PSK method should be only used for test/develop purpose.

# IPSec Host-to-Host/P2P tunnel

By default, NetworkManager libreswan plugin is expecting client-server IPSec
tunnel. In order to get it works for P2P(Host-to-Host) IPSec tunnel, please
explicitly set `rightsubnet` to remote /32 IPv4 address and
`leftmodecfgclient: no`.

For example, assuming remote IPSec host IP is `192.0.2.155` and local IP is
`192.0.2.248`

```yml
interfaces:
- name: hosta_conn
type: ipsec
libreswan:
left: 192.0.2.248
leftid: 'hosta.example.org'
leftcert: hosta.example.org
leftmodecfgclient: no
right: 192.0.2.155
rightid: 'hostb.example.org'
rightsubnet: 192.0.2.155/32
ikev2: insist
```

This result in P2P policy been created in `ip xfrm`:

```bash
[fge@c9s ~]$ sudo ip xfrm policy
src 192.0.2.248/32 dst 192.0.2.155/32
dir out priority 1753281 ptype main
tmpl src 192.0.2.248 dst 192.0.2.155
proto esp reqid 16389 mode tunnel
src 192.0.2.155/32 dst 192.0.2.248/32
dir fwd priority 1753281 ptype main
tmpl src 192.0.2.155 dst 192.0.2.248
proto esp reqid 16389 mode tunnel
src 192.0.2.155/32 dst 192.0.2.248/32
dir in priority 1753281 ptype main
tmpl src 192.0.2.155 dst 192.0.2.248
proto esp reqid 16389 mode tunnel
```

0 comments on commit 2e68afc

Please sign in to comment.