[openstack-dev] VPNaaS

Paul Michali pcm at cisco.com
Wed May 29 13:03:13 UTC 2013


See inline PCM:

On May 28, 2013, at 12:37 PM, Eleouet Francois wrote:

>> I think you want to test $file, right?
> 
> Yes, sorry for that, shouldn't have added it as it was meaningless for
> the example.
> 
>> Does sound like we want to use Strongswan, if at all possible. This sounds like it'll do that, huh?
> 
> In my opinion, it would be better regarding its documentation and support.
> 
> The only concern is about strongswan requiring some extra information in
> /etc or /var/run (as it will only see its own files in it). It isn't a
> problem for the current use case, but it may be required for some extra
> plugin we may want to use in the future (lots of may...)
> 
> By the way, I tested it against an actual quantum router deployment,

PCM: I'd be interested in hearing more about how you set this up.  Are you using DevStack?



> it
> works fine but requires some extra tricks: we have to insert iptables
> rules for traffic to be correctly encrypted. Strongswan is able to insert
> its own filter rules using the "leftfirewall" parameter. Anyway, it doesn't
> manage nat rules, so IPsec traffic from VMs won't cross the router until
> we add this kind of iptables rule:
> 
> iptables -t nat -D POSTROUTING -s local_cidr -d peer_cidr -m policy \
> --dir out --pol ipsec --reqid 16384 --proto 50 -j ACCEPT

PCM: Just so I better understand the rule…

Is this applying an IPSec policy on a new connection creation between the source/dest?

How does it modify the packet (POSTROUTING/output direction)?

Can you elaborate on the --reqid?
Is that the specific policy that is to be applied?
How does that relate to what we are setting up in StrongSwan?


> 
> Strongswan can set it automatically if we provide it with a custom _updown
> script (using "leftupdown" parameter).

PCM: Can you elaborate on this more?


> IptablesManager could also be an
> option (reqid is also configurable).
> 
> Note: this extra driver complexity is probably not specific to strongswan,
> it's probably the same in openswan (not tested).

PCM: Great stuff Francois! I was on vacation and have been trying to catch up since the long holiday weekend.

Sounds like we're going to try StrongSwan. I had been peeking at OpenSwan a bit and found a book (reading through it to get some background on all this).

I see you provided another script too. Will try that out. Does that have the mapping that Nachi is looking for, to support our primary use case (site to site), or do we need to work on the mapping?

Would like to coordinate who's doing what, so we don't duplicate effort here. Nachi/Francois, just let me know what you're working through and what you'd like me to look into (I'm new to IPSec and Free/Open/StrongSwan, but can help out as needed).


Regards,

PCM




> 
> Francois.
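The "leftupdown" hook Francois mentions is the usual place to keep the NAT exemption in step with the tunnel, and it also answers the questions about the rule: `-m policy --dir out --pol ipsec --reqid N` matches outbound packets that the kernel will protect with the IPsec policy carrying that reqid, and `-j ACCEPT` in the nat POSTROUTING chain ends NAT processing for them, so the router's SNAT never rewrites the VM's source address (otherwise the packet stops matching the tunnel's traffic selectors and is not encrypted). The reqid is the identifier strongSwan assigns to the CHILD_SA, and it exports it to the hook as PLUTO_REQID, so nothing needs to hard-code 16384. The script below is an added example written for this thread, not strongSwan's own _updown script and not code from the original mail; it assumes the strongSwan hook environment variables PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_REQID, and the CIDRs and reqid used in the comments are constructed sample values.

```sh
#!/bin/sh
# Added example: a minimal strongSwan "leftupdown" hook that inserts the nat
# POSTROUTING exemption when a CHILD_SA comes up and deletes it when it goes
# down. Not strongSwan's own _updown script; written for illustration.
#
# strongSwan hands the connection details to the hook in PLUTO_* variables:
#   PLUTO_VERB         e.g. up-client / down-client
#   PLUTO_MY_CLIENT    local traffic selector, e.g. 10.1.0.0/24 (sample value)
#   PLUTO_PEER_CLIENT  remote traffic selector, e.g. 10.2.0.0/24 (sample value)
#   PLUTO_REQID        reqid of the CHILD_SA, e.g. 16384 (sample value)
# Set IPTABLES=echo to dry-run the hook without touching the firewall.

# Map the updown verb to the iptables action: insert at the top of the chain
# on up (so it precedes the router's SNAT/MASQUERADE rules), delete the same
# rule on down. Other verbs (up-host, ...) need no NAT change here.
verb_to_action() {
    case "$1" in
        up-client|up-client-v6)     echo "-I" ;;
        down-client|down-client-v6) echo "-D" ;;
        *) return 1 ;;
    esac
}

# Build the argument list for the NAT exemption: action local peer reqid.
# The policy match ties the rule to one specific IPsec policy via its reqid.
nat_bypass_rule() {
    printf '%s' "-t nat $1 POSTROUTING -s $2 -d $3 -m policy --dir out --pol ipsec --reqid $4 --proto 50 -j ACCEPT"
}

# Entry point used when strongSwan invokes the hook.
run_updown() {
    ipt="${IPTABLES:-iptables}"
    action=$(verb_to_action "${PLUTO_VERB:-}") || return 0
    args=$(nat_bypass_rule "$action" "${PLUTO_MY_CLIENT:-}" \
                           "${PLUTO_PEER_CLIENT:-}" "${PLUTO_REQID:-}")
    # word splitting of $args into separate iptables arguments is intended
    $ipt $args
}

# Operator check: is the exemption for this local/peer/reqid present?
# Uses iptables -C (check), so it needs root and a real iptables; exit 0 if found.
nat_bypass_present() {
    ipt="${IPTABLES:-iptables}"
    args=$(nat_bypass_rule -C "$1" "$2" "$3")
    $ipt $args
}

# When started by strongSwan (PLUTO_VERB set), act as the hook; when sourced
# by hand for inspection, only define the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    run_updown
fi
```

Point strongSwan at it with `leftupdown=/path/to/this-script.sh` in the connection definition; `IPTABLES=echo PLUTO_VERB=up-client PLUTO_MY_CLIENT=10.1.0.0/24 PLUTO_PEER_CLIENT=10.2.0.0/24 PLUTO_REQID=16384 sh this-script.sh` prints the exact rule that would be inserted, which is a cheap way to review what the hook will do before giving it root on a router.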



