F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

RFE - IPsec tunnels #66

Open mofftech opened 5 years ago

mofftech commented 5 years ago

This is a request for enhancement (RFE).

REQUEST

Allow onboarding to create IPsec tunnels in both tunnel mode and interface mode.

BACKGROUND

A lot of customers already automate IPsec configuration setup, but they currently have to use either a bespoke iApp or scripted methods like Ansible.

TECHNICAL DETAILS

The following config objects need to be configured to set up an IPsec tunnel.

In tunnel mode:

In interface mode:

EXAMPLE CONFIG

In these examples, the Virtual Server is omitted because that should be a function of AS3.

Tunnel Mode

net ipsec ike-peer ike-7-0-8-1 {
    dpd-delay 0
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha1
    preshared-key-encrypted <secret>
    remote-address 172.16.8.1
    version { v1 }
}
net ipsec ipsec-policy ipsec-7-0-8-1 {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm 3des
    ike-phase2-perfect-forward-secrecy modp1024
    mode tunnel
    tunnel-local-address 172.16.7.1
    tunnel-remote-address 172.16.8.1
}
net ipsec traffic-selector selector-7-0-8-1-1 {
    destination-address 10.8.1.1/32
    ipsec-policy ipsec-7-0-8-1
    source-address 10.7.1.1/32
}
net ipsec traffic-selector selector-7-0-8-1-2 {
    destination-address 10.8.1.2/32
    ipsec-policy ipsec-7-0-8-1
    source-address 10.7.1.2/32
}
net route route-7-0-8-1 {
    gw 172.16.8.1
    network 10.8.1.0/24
}

Interface Mode

net ipsec ike-peer ike-1-0-2-2 {
    dpd-delay 0
    my-id-value <arbitrary local IP>
    peers-id-value <arbitrary remote IP>
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha256
    preshared-key-encrypted <secretkey>
    prf sha256
    remote-address <remote peer IP>
    version { v1 }
}
net ipsec ipsec-policy ipsec-1-0-2-2 {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-perfect-forward-secrecy modp1024
    mode interface
}
net ipsec traffic-selector selector-1-0-2-2-0 {
    destination-address 10.2.2.0/24
    ipsec-policy ipsec-1-0-2-2
    source-address 10.1.2.0/24
}
net tunnels ipsec ipsec_interface {
    defaults-from ipsec
    traffic-selector selector-1-0-2-2-0
}
net tunnels tunnel ipsec_tunnel {
    local-address <local external facing self IP>
    profile ipsec_interface
    remote-address <remote peer IP>
}
net self ipsec_int_self {
    address <arbitrary local IP>/<mask>
    allow-service {
        tcp:bgp # It is possible to do BGP over the tunnel
    }
    traffic-group traffic-group-local-only
    vlan ipsec_tunnel
}
net route to-remote-peer {
    gw <my gateway IP>
    network <peer remote IP>/32
}
net route to-remote-private {
    interface /Common/ipsec_tunnel
    network 10.2.2.0/24
}

SPECIAL NOTES
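As an added example (not part of the RFE, the BIG-IP product or the DO project), a small Python checker that parses tmsh `net ipsec` blocks in the format quoted above and flags the legacy settings the sample configs carry (3DES, SHA-1, modp1024 and IKEv1). The list of weak values is the editor's assumption; the sample text is constructed from the RFE's own tunnel-mode example.

```python
import re
# Constructed sample in the tmsh format quoted in the RFE (not captured from a device).
SAMPLE = """
net ipsec ike-peer ike-7-0-8-1 {
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha1
    version { v1 }
}
net ipsec ipsec-policy ipsec-7-0-8-1 {
    ike-phase2-auth-algorithm sha1
    ike-phase2-encrypt-algorithm 3des
    ike-phase2-perfect-forward-secrecy modp1024
}
"""

# Legacy values to flag per attribute; these thresholds are the editor's assumption.
WEAK = {
    "phase1-encrypt-algorithm": {"des", "3des"},
    "phase1-hash-algorithm": {"md5", "sha1"},
    "ike-phase2-encrypt-algorithm": {"null", "des", "3des"},
    "ike-phase2-auth-algorithm": {"md5", "sha1"},
    "ike-phase2-perfect-forward-secrecy": {"none", "modp768", "modp1024"},
}
HEADER = re.compile(r"^net ipsec (\S+) (\S+) \{$")

def parse_tmsh(text):
    """Parse flat `net ipsec <type> <name> { key value ... }` blocks into dicts."""
    objs, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2)}
            objs.append(cur)
        elif line == "}":
            cur = None
        elif cur is not None and line:
            key, _, val = line.partition(" ")
            cur[key] = val.strip("{} ")  # "version { v1 }" -> "v1"
    return objs

def review(objs):
    """Return (object, attribute, value) triples that warrant a crypto-policy review."""
    findings = []
    for o in objs:
        for attr, bad in WEAK.items():
            if o.get(attr) in bad:
                findings.append((o["name"], attr, o[attr]))
        if o["type"] == "ike-peer" and o.get("version") == "v1":
            findings.append((o["name"], "version", "v1"))  # IKEv1 is legacy
    return findings
```

Blocks other than `net ipsec ...` (tunnels, self IPs, routes) are skipped, so the checker can be pointed at a full `tmsh list net` dump.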

mofftech commented 5 years ago

Oh dear, GitHub trimmed out all the triangle bracket parameters I added in the IPsec Interface example section...

dstokesf5 commented 5 years ago

Thank you for the thorough RFE. I fixed the formatting problem with the angle brackets, and I am reviewing this RFE for inclusion into our backlog.

dstokesf5 commented 4 years ago

I have added this to our internal product backlog as AUTOTOOL-1684.

csiggydev commented 1 year ago

Hi @dstokesf5 - was this feature ever implemented? This would be extremely useful to manage through DO.

dstokesf5 commented 1 year ago

@csiggydev It looks like AUTOTOOL-1684 is still floating around the backlog and is not currently planned for any release. Please reach out to @mdditt2000 and @sunitharonan if you wish to discuss prioritizing this feature request.