4 =======================
6 ``VPP-SSWAN`` is a StrongSwan plugin that helps offloading Strongswan IPsec ESP
7 process from Linux Kernel to ``VPP``.
9 The kernel-vpp plugin is an interface to the IPsec and networking backend for
10 `VPP <https://wiki.fd.io/view/VPP>`__ platform using the
11 `VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__.
12 It provides address and routing lookup functionality and installs routes for
14 It installs and maintains Security Associations and Policies to the
15 `VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__.
20 ``VPP`` in release mode should be built before compiling ``vpp-swan plugin``.
21 The dependencies of ``StrongSwan`` should be installed before building
22 ``VPP-SSWAN``. In addition ``libsystemd-dev`` should be installed.
24 Build VPP Strongswan Plugin
27 The following list of things will be done to build ``vpp-swan plugin``:
29 - download strongswan source code to:
30 ``path/to/vpp/build/external/downloads``
32 - unzip source code strongswan to:
33 ``path/to/vpp/build-root/build-vpp-native/external/sswan``
35 - check if you have installed packages: ``libsystemd-dev`` on your OS
37 - configure strongswan by:
38 ``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec
39 --enable-systemd --enable-swanctl --disable-gmp --enable-openssl``
41 - compile strongswan in:
42 ``path/to/vpp/build-root/build-vpp-native/external/sswan``
44 - compile ``vpp-swan plugin`` by:
50 - if everything it ok, copy the compiled ``vpp-swan plugin`` to:
51 ``/usr/lib/ipsec/plugins``
53 Build/install Strongswan
56 It is recommended to use ``Strongswan`` in version ``5.9.6`` or ``5.9.5``
57 installed from this script, due to configuration Strongswan that is required.
58 Only version ``5.9.5`` and ``5.9.6`` was tested with this plugin.
60 To install the built Strongswan, please execute the following command:
64 path/to/vpp/build-root/build-vpp-native/external/sswan/sudo make install
66 Insert plugin in runtime mode
69 After builded this plugin and also installed Strongswan you can loaded plugin
70 into Strongswan directory by:
76 Or you can do manually copy ``libstrongswan-kernel-vpp.so`` into:
77 ``/usr/lib/ipsec/plugins`` and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/``
79 And also you should restart Strongswan by:
83 systemctl restart strongswan.service
85 Configuration Strongswan
87 In ``swanctl.conf`` file you can find example configuration to initialize
88 connections between two endpoints.
90 Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf``
95 In your ``startup.conf`` add these following commands:
100 plugin linux_cp_plugin.so { enable }
101 plugin ikev2_plugin.so { disable }
108 To enable ``CP Plugin`` and disable ``IKEv2`` plugin.
110 These following commands executed in ``VPP``:
114 lcp create eth2 host-if eth2
115 set interface state eth2 up
116 set interface ip address eth2 192.168.0.2/24
117 set int state eth1 up
118 set int ip addr eth1 192.168.200.1/24
120 To create interface by ``CP Plugin`` and also setup two ethernet interfaces.
124 This plugin is based on:
125 `https://github.com/matfabia/strongswan
126 <https://github.com/matfabia/strongswan>`__
128 Author: Matus Fabian <matfabia@cisco.com>