Install IPSec on G-vTAP Agent

If IPSec is used to establish secure connection between G-vTAP Agents andGigaVUE V Seriesnodes, then you must install IPSec on G-vTAP Agent instances. To install IPSec on G-vTAP Agent you need the following files:

  • StrongSwan binary installer TAR file: The TAR file contains StrongSwan binary installer for different platforms. Each platform has its own TAR file. Refer to https://www.strongswan.org/ for more details.
  • IPSec package file: The package file includes the following:
    • CA Certificate
    • Private Key and Certificate for G-vTAP Agent
    • IPSec configurations

Note:  IPSec cannot be installed on G-vTAP Agents that are running on Windows OS. Therefore, if a monitoring session has targets with both Windows and Linux OS, only the Linux agents will communicate over the secure connection. Windows agent will communicate only through the VXLAN Tunnel.

Refer to the following sections for installing IPSec on G-vTAP Agent:

Install G-vTAP from Ubuntu/Debian Package

  1. Launch the Ubuntu/Debian image.
  2. Download the following packages from the Gigamon Customer Portal. For assistance contact Contact Technical Support.
    • strongSwan TAR files
    • gvtap-agent_6.3.00_amd64.deb
    • gvtap-ipsec_6.3.00_amd64.deb
  3. Copy the downloaded G-vTAP package files and strongSwan TAR file to the G-vTAP Agent.
  4. Install the G-vTAP Agent package file:
    sudo dpkg -i gvtap-agent_6.3.00_amd64.deb
  5. Modify the /etc/gvtap-agent/gvtap-agent.conf file to configure and register the source and destination interfaces:

    Note:  Any changes to the GvTAP agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate the traffic mirroring. When you have an active, successful monitoring session deployed, modifying the GvTAP config file results in traffic loss until GigaVUE-FM does a periodic sync on its own every 15 minutes.

    eth0# mirror-src-ingress mirror-src-egress mirror-dst
    sudo /etc/init.d/gvtap-agent restart
    sudo /etc/init.d/gvtap-agent status

    Note:  You can view the G-vTAP log using cat /var/log/gvtap-agent.log command.

  6. Install strongSwan:
    tar -xvf strongswan5.3.5-1ubuntu3.8_amd64-deb.tar.gz
    cd strongswan-5.3.5-1ubuntu3.8_amd64/
    sudo sh ./swan-install.sh
  7. Install IPSec package:
    sudo dpkg -i gvtap-ipsec_6.3.00_amd64.deb

Install G-vTAP from Red Hat Enterprise Linux and CentOS

  1. Launch RHEL/CentOS agent image.
  2. Download the following packages from the Gigamon Customer Portal. For assistance contact Contact Technical Support.
    • strongSwan TAR files
    • gvtap-agent_6.3.00_x86_64.rpm
    • gvtap-ipsec_6.3.00_x86_64.rpm
  3.  Copy the downloaded G-vTAP package files and strongSwan TAR file to the G-vTAP Agent.
  4. Install G-vTAP Agent package:
    sudo rpm -ivh gvtap-agent_6.3.00_x86_64.rpm
  5. Edit the gvtap-agent.conf file to configure the required interface as source/destination for mirror:

    Note:  Any changes to the GvTAP agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate the traffic mirroring. When you have an active, successful monitoring session deployed, modifying the GvTAP config file results in traffic loss until GigaVUE-FM does a periodic sync on its own every 15 minutes.

    # eth0 mirror-src-ingress mirror-src-egress mirror-dst
    # sudo /etc/init.d/gvtap-agent restart
  6. Install strongSwan:
    tar -xvf strongswan-5.7.1-1.el7.x86_64.tar.gz
    cd strongswan-5.7.1-1.el7.x86_64
    sudo sh ./swan-install.sh
  7. Install IPSec package:
    sudo rpm -i gvtap-ipsec_6.3.00_x86_64.rpm

Note:  You must install IPSec package after installing StrongSwan.

Install G-vTAP from Red Hat Enterprise Linux and CentOS with Selinux Enabled

  1. Launch the RHEL/CentOS agent image.
  2. Download the following packages from the Gigamon Customer Portal. For assistance contact Contact Technical Support.
    • strongSwan TAR files
    • gvtap-agent_6.3.00_x86_64.rpm
    • gvtap-ipsec_6.3.00_x86_64.rpm
    • gvtap.te and gvtap_ipsec.te files (type enforcement files)
  3. Copy the downloaded G-vTAP package files and strongSwan TAR file to G-vTAP Agent.
  4. Checkmodule -M -m -o gvtap.mod gvtap.te
    semodule_package -o gvtap.pp -m gvtap.mod
    sudo semodule -i gvtap.pp
  5. Checkmodule -M -m -o gvtap_ipsec.mod gvtap_ipsec.te
    semodule_package -o gvtap_ipsec.pp -m gvtap_ipsec.mod
    sudo semodule -i gvtap_ipsec.pp
  6. Install G-vTAP Agent package:
    sudo rpm -ivh gvtap-agent_6.3.00_x86_64.rpm
  7. Edit gvtap-agent.conf file to configure the required interface as source/destination for mirror:

    Note:  Any changes to the GvTAP agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate the traffic mirroring. When you have an active, successful monitoring session deployed, modifying the GvTAP config file results in traffic loss until GigaVUE-FM does a periodic sync on its own every 15 minutes.

    # eth0 mirror-src-ingress mirror-src-egress mirror-dst
    # sudo /etc/init.d/gvtap-agent restart
  8. Install strongSwan:
    tar -xvf strongswan-5.7.1-1.el7.x86_64.tar.gz
    cd strongswan-5.7.1-1.el7.x86_64
    sudo sh ./swan-install.sh
  9. Install IPSec package:
    sudo rpm -i gvtap-ipsec_6.3.00_x86_64.rpm
  10. Reboot the instance.