Installing IPSec on G-vTAP Agent

If IPSec is used to establish a secure connection between G-vTAP agents and GigaVUE V Series nodes, you must install IPSec on the G-vTAP agent instances. To install IPSec on a G-vTAP agent, you need the following files:

strongSwan binary installer TAR file: The TAR file contains the strongSwan binary installer for different platforms. Each platform has its own TAR file. Refer to https://www.strongswan.org/ for more details.
IPSec package file: The package file includes the following:
CA Certificate
Private Key and Certificate for G-vTAP Agent
IPSec configurations

Refer to the following sections for installing IPSec on G-vTAP Agent:

Installing from an Ubuntu/Debian Package
Installing from Red Hat Enterprise Linux and CentOS
Installing from Red Hat Enterprise Linux and CentOS with SELinux Enabled

Installing from an Ubuntu/Debian Package

1. Launch the G-vTAP agent AMI.
2. Copy the G-vTAP package files and strongSwan TAR file to the G-vTAP agent:
strongswan5.3.5-1ubuntu3.8_amd64-deb.tar.gz
gvtap-agent_1.7-1_amd64.deb
gvtap-ipsec_1.7-1_amd64.deb
3. Install the G-vTAP agent package file:

sudo dpkg -i gvtap-agent_1.7-1_amd64.deb

4. Edit the gvtap-agent.conf file to configure the required interface as source/destination for mirror, then restart the agent:

# eth0 mirror-src-ingress mirror-src-egress mirror-dst

sudo /etc/init.d/gvtap-agent restart

5. Install strongSwan:

tar -xvf strongswan5.3.5-1ubuntu3.8_amd64-deb.tar.gz

cd strongswan-5.3.5-1ubuntu3.8_amd64/

sudo sh ./swan-install.sh

6. Install the IPSec package:

sudo dpkg -i gvtap-ipsec_1.7-1_amd64.deb

Installing from Red Hat Enterprise Linux and CentOS

1. Launch the RHEL/CentOS agent AMI image.
2. Copy the following package files and strongSwan TAR files to the G-vTAP agent:
strongswan-5.7.1-1.el7.x86_64.tar.gz for rhel7/centos7
strongswan-5.4.0-2.el6.x86_64.tar.gz for rhel6/centos6
gvtap-agent_1.7-1_x86_64.rpm
gvtap-ipsec_1.7-1_x86_64.rpm
3. Install G-vTAP agent package:

sudo rpm -ivh gvtap-agent_1.7-1_x86_64.rpm

4. Edit the gvtap-agent.conf file to configure the required interface as source/destination for mirror, then restart the agent:

# eth0 mirror-src-ingress mirror-src-egress mirror-dst

# sudo /etc/init.d/gvtap-agent restart

5. Install strongSwan:

tar -xvf strongswan-5.7.1-1.el7.x86_64.tar.gz

cd strongswan-5.7.1-1.el7.x86_64

sudo sh ./swan-install.sh

6. Install the IPSec package:

sudo rpm -i gvtap-ipsec_1.7-1_x86_64.rpm

Note: You must install the IPSec package after installing strongSwan.

Installing from Red Hat Enterprise Linux and CentOS with SELinux Enabled

1. Launch the RHEL/CentOS agent AMI image.
2. Copy the following package files and strongSwan TAR files to the G-vTAP agent:
strongswan-5.7.1-1.el7.x86_64.tar.gz for rhel7/centos7
strongswan-5.4.0-2.el6.x86_64.tar.gz for rhel6/centos6
gvtap-agent_1.7-1_x86_64.rpm
gvtap-ipsec_1.7-1_x86_64.rpm
gvtap.te and gvtap_ipsec.te files (type enforcement files)
3. Build the SELinux policy module from gvtap.te and install it:

checkmodule -M -m -o gvtap.mod gvtap.te

semodule_package -o gvtap.pp -m gvtap.mod

sudo semodule -i gvtap.pp

4. Build the SELinux policy module from gvtap_ipsec.te and install it:

checkmodule -M -m -o gvtap_ipsec.mod gvtap_ipsec.te

semodule_package -o gvtap_ipsec.pp -m gvtap_ipsec.mod

sudo semodule -i gvtap_ipsec.pp

5. Install G-vTAP agent package:

sudo rpm -ivh gvtap-agent_1.7-1_x86_64.rpm

6. Edit the gvtap-agent.conf file to configure the required interface as source/destination for mirror, then restart the agent:

# eth0 mirror-src-ingress mirror-src-egress mirror-dst

# sudo /etc/init.d/gvtap-agent restart

7. Install strongSwan:

tar -xvf strongswan-5.7.1-1.el7.x86_64.tar.gz

cd strongswan-5.7.1-1.el7.x86_64

sudo sh ./swan-install.sh

8. Install the IPSec package:

sudo rpm -i gvtap-ipsec_1.7-1_x86_64.rpm
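
The following preflight check is an added example, not part of the vendor procedure. It confirms that every file the RHEL/CentOS sections list in step 2 is staged and non-empty before any package or SELinux module is installed. The function names, the staging directory, and passing the EL major version and the getenforce output as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. File names are the ones listed in the
# RHEL/CentOS sections; function names and arguments are assumptions.

# required_files EL_MAJOR SELINUX(yes|no): print the files step 2 asks for.
required_files() {
    case "$1" in
        7) echo "strongswan-5.7.1-1.el7.x86_64.tar.gz" ;;
        6) echo "strongswan-5.4.0-2.el6.x86_64.tar.gz" ;;
        *) echo "unsupported EL major version: $1" >&2; return 2 ;;
    esac
    echo "gvtap-agent_1.7-1_x86_64.rpm"
    echo "gvtap-ipsec_1.7-1_x86_64.rpm"
    if [ "$2" = "yes" ]; then
        # Type enforcement sources, needed only when SELinux is enabled.
        echo "gvtap.te"
        echo "gvtap_ipsec.te"
    fi
}

# missing_files DIR EL_MAJOR SELINUX: print every required file that is absent
# or zero-length in DIR. Returns 0 if none, 1 if any, 2 on a bad version.
missing_files() {
    list=$(required_files "$2" "$3") || return 2
    rc=0
    for f in $list; do
        if [ ! -s "$1/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return "$rc"
}

# preflight DIR EL_MAJOR GETENFORCE_OUTPUT: Enforcing and Permissive both mean
# SELinux is enabled, so the .te files are required in either mode.
preflight() {
    case "$3" in
        Enforcing|Permissive) se=yes ;;
        *) se=no ;;
    esac
    if miss=$(missing_files "$1" "$2" "$se"); then
        echo "ready: all files staged (SELinux policy files required: $se)"
    else
        echo "not ready, missing or empty:" $miss
        return 1
    fi
}
```

On the agent, a call such as preflight /tmp/stage 7 "$(getenforce)" (the staging path is a placeholder) returns non-zero if anything is missing, so the install steps can be gated on it.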