Configuring IPsec encryption using certificate authentication between OpenShift Container Platform and NetApp ONTAP
Overview
The OpenShift documentation explains the basic steps to configure IPsec encryption for external traffic.
This article details what is specific to getting that configuration working with NetApp ONTAP.
Challenges
The two sides do not use the same IPsec implementation:
- OpenShift uses libreswan
- ONTAP uses strongswan
Solution
Openshift
Import certificates on OpenShift Nodes
The steps outlined in the official documentation do not require any modification.
The machine config that sets up IPsec is generated from the following Butane file, which is templated on the node role (the $role variable):
variant: openshift
version: 4.19.0
metadata:
  name: 99-${role}-import-certs
  labels:
    machineconfiguration.openshift.io/role: $role
systemd:
  units:
    - name: ipsec-import.service
      enabled: true
      contents: |
        [Unit]
        Description=Import external certs into ipsec NSS
        Before=ipsec.service
        [Service]
        Type=oneshot
        ExecStart=/usr/local/bin/ipsec-addcert.sh
        RemainAfterExit=false
        StandardOutput=journal
        [Install]
        WantedBy=multi-user.target
storage:
  files:
    - path: /etc/pki/certs/ca.pem
      mode: 0400
      overwrite: true
      contents:
        local: ca.pem
    - path: /etc/pki/certs/optional_intermediate_ca.pem
      mode: 0400
      overwrite: true
      contents:
        local: optional_intermediate_ca.pem
    - path: /etc/pki/certs/left_server.p12
      mode: 0400
      overwrite: true
      contents:
        local: left_server.p12
    - path: /usr/local/bin/ipsec-addcert.sh
      mode: 0740
      overwrite: true
      contents:
        inline: |
          #!/bin/bash -e
          # Import the trust chain and the node's own certificate/key into libreswan's NSS database
          echo "importing cert to NSS"
          certutil -A -n "CA" -t "CT,C,C" -d /var/lib/ipsec/nss/ -i /etc/pki/certs/ca.pem
          certutil -A -n "Intermediate_CA" -t "C,C,C" -d /var/lib/ipsec/nss/ -i /etc/pki/certs/optional_intermediate_ca.pem
          pk12util -W "passphrase_if_any" -i /etc/pki/certs/left_server.p12 -d /var/lib/ipsec/nss/
          certutil -M -n "left_server" -t "u,u,u" -d /var/lib/ipsec/nss/
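The import script above runs once at boot and libreswan's leftcert setting must match a nickname that actually exists in the NSS database with usable trust flags. The following check is an added example (not part of the original article or of OpenShift): it parses the output of certutil -L and compares it with the nicknames and trust flags that ipsec-addcert.sh assigns. The NSS directory, the expected nicknames and the sample listing are taken from the script above; the sample listing itself is constructed to show two typical import mistakes.

```python
"""Verify that the certificates imported by ipsec-addcert.sh are present in the
libreswan NSS database with the expected trust flags.

Added example, not code from the article. Assumptions: the nicknames and trust
flags match the ipsec-addcert.sh script (CA -> CT,C,C, Intermediate_CA -> C,C,C,
left_server -> u,u,u) and the NSS database lives in /var/lib/ipsec/nss.
"""
import subprocess
from typing import Dict, List

NSS_DIR = "/var/lib/ipsec/nss"

# Nickname -> trust attributes (SSL,S/MIME,JAR/XPI) assigned by the import script.
EXPECTED: Dict[str, str] = {
    "CA": "CT,C,C",              # trust anchor for peer certificates
    "Intermediate_CA": "C,C,C",  # valid CA in the chain, not an anchor itself
    "left_server": "u,u,u",      # this node's certificate with its private key
}


def parse_certutil_list(listing: str) -> Dict[str, str]:
    """Parse `certutil -L` output into {nickname: trust_attributes}.

    The listing starts with a two-line header and a blank line; every other
    line is a nickname followed by the trust flags as the last field.
    """
    certs: Dict[str, str] = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue
        parts = line.rsplit(None, 1)  # nicknames may contain spaces, flags never do
        if len(parts) != 2:
            continue
        nickname, trust = parts
        certs[nickname.strip()] = trust
    return certs


def check_nss_trust(listing: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Return a list of problems; an empty list means the import looks right."""
    certs = parse_certutil_list(listing)
    problems: List[str] = []
    for nick, flags in expected.items():
        if nick not in certs:
            problems.append(f"{nick}: not found in NSS db (check the -n nickname used at import)")
        elif certs[nick] != flags:
            problems.append(f"{nick}: trust flags {certs[nick]!r}, expected {flags!r}")
    return problems


def check_node(nss_dir: str = NSS_DIR) -> List[str]:
    """Run certutil on a node (requires nss-tools) and check the live database."""
    out = subprocess.run(["certutil", "-L", "-d", nss_dir], check=True,
                         capture_output=True, text=True).stdout
    return check_nss_trust(out)


# Constructed sample listing: the intermediate CA was imported under a misspelled
# nickname and the server certificate never received the u,u,u flags.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,C,C
Intermedaite_CA                                              C,C,C
left_server                                                  ,,
"""

if __name__ == "__main__":
    for problem in check_nss_trust(SAMPLE_LISTING):
        print("PROBLEM:", problem)
```

On a node, check_node() runs the real certutil against /var/lib/ipsec/nss; the journal of ipsec-import.service shows the import itself, but only the trust flags tell you whether libreswan will accept the chain from the ONTAP side.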
Libreswan configuration on OpenShift
This configuration should be applied with nmstate:
apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: ipsec-config
spec:
  nodeSelector:
    kubernetes.io/hostname: "<hostname>"
  desiredState:
    interfaces:
      - name: <interface_name>
        type: ipsec
        libreswan:
          authby: rsasig
          left: '%defaultroute'  # or the node IP if it has multiple interfaces
          right: <IP_of_remote_endpoint>
          type: transport
          ikev2: insist
          ike: aes256-sha384-ecp384
          esp: aes_gcm_c256
          leftcert: <certificate name as imported in nss db>
          rightid: '%fromcert'
          leftid: '%fromcert'
          leftrsasigkey: '%cert'
          rightca: '%same'
This results in the following ipsec configuration file:
conn ontap
    authby=rsasig
    left=%defaultroute
    right=<IP_of_remote_endpoint>
    auto=start
    type=transport
    ikev2=insist
    ike=aes256-sha384-ecp384
    esp=aes_gcm_c256
    leftcert=<certificate name as imported in nss db>
    rightid=%fromcert
    leftid=%fromcert
    leftrsasigkey=%cert
    rightca=%same
Currently rightca is not a supported parameter in nmstate.
An RFE to address this has been created: RHEL-114237
Until then, the configuration can be applied with a MachineConfig instead of an nmstate NNCP.
ONTAP
Configure IPSEC
The steps outlined in the official NetApp documentation describe the process.
More details on the CLI commands can be found here.
Here is an example of the resulting IPsec policy:
> security certificate install -type server-ca -cert-name ca -vserver svm0
> security certificate install -type server-ca -cert-name optional_intermediate_ca -vserver svm0
> security ipsec ca-certificate add -vserver svm0 -ca-certs ca,optional_intermediate_ca
> security certificate install -vserver svm0 -type server -cert-name ontap_certificate
> security ipsec policy create -vserver svm0 -name ipsec-ocp -local-ip-subnets 192.168.1.0/32 -remote-ip-subnets 192.168.1.0/24 -auth-method PKI -action ESP_TRA -cipher-suite SUITEB_GCM256 -cert-name ontap_certificate -local-identity CN=ontap.lab.example.com -remote-identity CN=client.lab.example.com
> security ipsec policy show -vserver svm0 -name ipsec-ocp
Vserver: svm0
Policy creation time secs: 1757579865
Policy creation time nsecs: 916087020
Policy Name: ipsec-ocp
Local IP Subnets: 192.168.1.0/32
Remote IP Subnets: 192.168.1.0/24
Local Ports: 0-0
Remote Ports: 0-0
Protocols: any
Action: ESP_TRA
Cipher Suite: SUITEB_GCM256
IKE Security Association Lifetime: 86400
IPsec Security Association Lifetime: 28800
IPsec Security Association Lifetime (bytes): 0
Is Policy Enabled: true
Local Identity: CN=ontap.lab.example.com
Remote Identity: CN=client.lab.example.com
Authentication Method: PKI
Certificate for Local Identity: ontap_certificate
Local and remote identities must use the full DN,
e.g. -local-identity "C=US, O=The Company, OU=Devices, OU=FOO, CN=host.foo.example.com" -remote-identity "C=US, O=The Company, OU=Devices, OU=FOO, CN=host2.foo.example.com"
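Because ONTAP compares the configured identity with the full subject DN of the peer certificate (which is also what libreswan sends with leftid=%fromcert), the safest way to fill in -local-identity and -remote-identity is to derive them from the certificates themselves. The following helper is an added example, not code from the article or from NetApp: it parses the subject as printed by openssl x509 -noout -subject (or typed by hand), renders it in the form ONTAP expects, and flags the CN-only identity mistake. It assumes ONTAP wants the attributes in the same order as the certificate (C first, as in the example above); the DNs used in the sample run are constructed.

```python
"""Derive ONTAP IPsec identity strings from certificate subjects and check the
configured -local-identity / -remote-identity values against them.

Added example, not part of the original article. Assumptions: subjects come
from `openssl x509 -noout -subject` default output ("subject=C = US, O = ...")
or are typed as "C=US, O=..."; ONTAP expects the attribute order as found in
the certificate. All DN values below are constructed samples.
"""
import re
from typing import List, Tuple

# Split on a comma that starts a new attr=value pair; a backslash-escaped comma
# inside a value (RFC 4514 style) is not a separator.
_RDN_SPLIT = re.compile(r"(?<!\\),\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (ATTRIBUTE, value) pairs."""
    dn = dn.strip()
    if dn.lower().startswith("subject="):  # prefix printed by openssl
        dn = dn[len("subject="):].strip()
    if len(dn) > 1 and dn[0] in "\"'" and dn.endswith(dn[0]):
        dn = dn[1:-1]  # strip the quotes used on the ONTAP command line
    pairs: List[Tuple[str, str]] = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def ontap_identity(subject: str) -> str:
    """Render a DN in the 'C=US, O=Foo, CN=host' form used in the ONTAP policy."""
    return ", ".join(f"{attr}={value}" for attr, value in parse_dn(subject))


def check_identity(configured: str, cert_subject: str) -> Tuple[bool, str]:
    """Compare an identity from `security ipsec policy show` with a cert subject.

    Distinguishes the common mistake (a partial DN such as CN only) from a
    genuine mismatch against another certificate.
    """
    want = parse_dn(cert_subject)
    got = parse_dn(configured)
    if got == want:
        return True, "identity matches the certificate subject"
    if len(got) < len(want) and all(rdn in want for rdn in got):
        return False, ("identity is a partial DN (%s); ONTAP needs the full DN: %s"
                       % (ontap_identity(configured), ontap_identity(cert_subject)))
    return False, "identity does not match the certificate subject, expected: %s" % ontap_identity(cert_subject)


def policy_identity_args(local_subject: str, remote_subject: str) -> str:
    """Quoted identity arguments for `security ipsec policy create`.

    Double quotes are required because the DN contains spaces.
    """
    return '-local-identity "%s" -remote-identity "%s"' % (
        ontap_identity(local_subject), ontap_identity(remote_subject))


if __name__ == "__main__":
    # Constructed samples of what `openssl x509 -noout -subject -in <cert>` prints
    ontap_subject = "subject=C = US, O = The Company, OU = Devices, OU = FOO, CN = host.foo.example.com"
    node_subject = "subject=C = US, O = The Company, OU = Devices, OU = FOO, CN = host2.foo.example.com"
    print(policy_identity_args(ontap_subject, node_subject))
    for configured in ("CN=host.foo.example.com",
                       "C=US, O=The Company, OU=Devices, OU=FOO, CN=host.foo.example.com"):
        print(configured, "->", check_identity(configured, ontap_subject))
```

Feeding the Local Identity and Remote Identity lines from security ipsec policy show into check_identity(), together with the subjects of the ONTAP and node certificates, catches the CN-only case before the IKE authentication fails.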
Extra configuration is needed to handle RSA PKCS#1 v1.5 signatures with SHA-1, because SHA-2 signatures are only supported with RSA-PSS.
Starting with OpenShift 4.19, based on Red Hat Enterprise Linux 9.6, libreswan is at version 4.15 and works with the configuration above.
On OpenShift versions lower than 4.19, based on Red Hat Enterprise Linux 9.4, libreswan is at version 4.9 and requires the following configuration:
conn ontap
    authby=rsa-sha1 # <<<<<<<<<<< enforce rsa-sha1
    left=%defaultroute
    right=<IP_of_remote_endpoint>
    auto=start
    type=transport
    ikev2=insist
    ike=aes256-sha384-ecp384
    esp=aes_gcm_c256
    leftcert=<certificate name as imported in nss db>
    rightid=%fromcert
    leftid=%fromcert
    leftrsasigkey=%cert
    rightca=%same