starlingx/docs
Code Issues Proposed changes
Files
9919c366eaed5d6958e9ff595202bb2bb71f7ee6
docs/doc/source/security/kubernetes/ipsec-configuration-and-enabling-f70964bc49d1.rst
Suzana Fernandes b029465b58 Protecting against L2 Network Attackers 
Story: 2010940
Task: 50151

Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-09-05 17:58:02 +00:00

53 lines
2.4 KiB
ReStructuredText
Raw Blame History

.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _ipsec-configuration-and-enabling-f70964bc49d1:
==========================
Configure and Enable IPsec
==========================
IPsec is configured and enabled on management network for multi node systems
by default during system deployment. For the first controller, it is configured
and enabled by ansible playbook during bootstrap. For the rest of the nodes in
the system, it is configured and enabled at first reboot during the host
installation.
IPsec status can be verified by ``swanctl`` CLIs, refer to :ref:`ipsec-clis-5f38181d077f` section for useful commands.
The most useful command to check IPsec status is: :command:`swanctl --list-sa`
This command lists the established IPsec connections and SAs (Security Associations).
An example output is as following:
.. code-block:: none
~(keystone_admin)]$ sudo swanctl --list-sa
Password:
system-nodes: #162, ESTABLISHED, IKEv2, 7e224579c2034a09_i ad8a74ef1621ebcb_r*
local 'CN=ipsec-controller-0' @ 192.168.101.2[500]
remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
established 1054s ago, rekeying in 1589s, reauth in 9033s
node: #7, reqid 2, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
installed 671s ago, rekeying in 2622s, expires in 3289s
in c61b1765, 1107991 bytes, 10275 packets, 0s ago
out c38189c2, 113928 bytes, 1332 packets, 616s ago
local 192.168.101.2/32
remote 192.168.101.4/32
system-nodes: #161, ESTABLISHED, IKEv2, 7efa2401684f7927_i* d35349b7c7aa2b13_r
local 'CN=ipsec-controller-0' @ 192.168.101.3[500]
remote 'CN=ipsec-controller-1' @ 192.168.101.4[500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
established 1254s ago, rekeying in 1825s, reauth in 8141s
node: #8, reqid 1, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
installed 656s ago, rekeying in 2771s, expires in 3304s
in c8b40c6d, 3337097 bytes, 58557 packets, 0s ago
out cf1b0bdd, 76048257 bytes, 83565 packets, 0s ago
local 192.168.101.3/32
remote 192.168.101.4/32
The above output shows two IPsec connections between the two controllers of
a |AIO-DX| system. In multi nodes system such as standard or storage systems,
there will be IPsec connections among all hosts.
View Git Blame Copy Permalink