NFS over IPSec with certificate authentication and NetApp ONTAP

Here I go again. I joined NetApp about half a year ago and came across a customer request for IPSec encryption of NFS. The documentation on this topic is scarce, hard to understand and sometimes misleading, and it took me a while to get my setup running, which is why I want to share it here.

Please be aware that this is not a guide for absolute beginners. You'll need some Linux and ONTAP skills to follow it easily.

First of all, let's start with the doc sources I used:

I was using a NetApp LabOnDemand of ONTAP 9.14.1 for this test. This is a great resource for every employee, partner and customer to learn and play with NetApp products. I can absolutely recommend these labs!

I created a root CA and two TLS client certificates using XCA. For demo purposes I created all certificates and keys from within XCA instead of creating CSRs. Keys are generated with RSA 4096 bit.

Overview

The lab has one Linux server, a RHEL 8.9 with IP 192.168.0.61, and a pre-configured SVM with NFS enabled. The SVM has two data LIFs 192.168.0.131 and 192.168.0.132. I’ll configure IPSec access via 192.168.0.131.

ONTAP Configuration

# Enable IPSec on the cluster
security ipsec config modify -is-enabled true

# Install the SVM certificate. The system will ask you to paste the cert, the private key and intermediate/root CAs.
# You can skip the last step as we don't require a certificate chain.
security certificate install -vserver svm1_cluster1 -type client -cert-name svm
# Paste the cert and key PEM from XCA, reply NO for root CA certs

# Install the root CA certificate. I've chosen to add it as 'server-ca', but you can also add it as 'client-ca'.
# The certificate will be linked to IPSec later on, so the type of CA certificate you specify here doesn't matter.
security certificate install -type server-ca -cert-name rootca -vserver svm1_cluster1
# Paste the root CA PEM from XCA

# Now add the CA certificate to the IPSec config so it can be used to validate the peer
security ipsec ca-certificate add -ca-certs rootca -vserver svm1_cluster1

# Create an IPSec policy. Its selectors must match the traffic that should be encrypted.
security ipsec policy create -vserver svm1_cluster1 -name All_NFS -local-ip-subnets 192.168.0.131/32 -remote-ip-subnets 192.168.0.0/24 -local-ports 2049 -protocols tcp -auth-method PKI -cert-name svm -remote-identity ANYTHING

The policy requires IPSec for any client in the 192.168.0.0/24 subnet that connects to NFS (-local-ports 2049, -protocols tcp) on the LIF with IP 192.168.0.131, and authenticates the peer with certificates (-auth-method PKI), presenting the SVM certificate installed above (-cert-name svm). Specifying -remote-identity ANYTHING means that any client which can authenticate itself with a certificate signed by a CA in the IPSec CA list will be able to create an IPSec connection, so the trust boundary is that root CA: every certificate it has ever issued can bring up an IPSec SA to this LIF. Two things to keep in mind when you adapt the selectors: TCP port 2049 is all NFSv4 needs, but NFSv3 additionally talks to portmapper, mountd, NLM and NSM on other ports, and those flows will not match this policy; and the second LIF 192.168.0.132 is not covered at all, because -local-ip-subnets names only 192.168.0.131/32.
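To make the selector semantics concrete, here is an added example (my own code, not ONTAP's) that models the local/remote subnet, port and protocol selectors of the All_NFS policy above and checks a handful of constructed client-to-LIF flows against them. The flows, the client-side ephemeral ports and the mountd port number are made up for illustration; the ALL_PORTS policy is a hypothetical wider variant that is not part of the post.

```python
"""Which flows does the All_NFS policy from this post actually select?

Added example, not ONTAP code: it models the traffic selectors of the
'security ipsec policy create' command above and checks constructed
client->LIF flows against them.  Local = the LIF side, remote = the client
side, as in the ONTAP parameter names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    """One flow as seen from the SVM: local is the LIF, remote is the client."""
    desc: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    protocol: str


@dataclass(frozen=True)
class IpsecPolicy:
    """The selector part of an ONTAP IPsec policy (subnets, ports, protocols)."""
    name: str
    local_ip_subnets: Tuple[str, ...]
    remote_ip_subnets: Tuple[str, ...]
    local_ports: Tuple[PortRange, ...] = ()   # () = any port, like omitting -local-ports
    remote_ports: Tuple[PortRange, ...] = ()
    protocols: Tuple[str, ...] = ()           # () = any protocol

    @staticmethod
    def _in_subnets(ip: str, subnets: Tuple[str, ...]) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)

    @staticmethod
    def _in_ports(port: int, ranges: Tuple[PortRange, ...]) -> bool:
        return not ranges or any(lo <= port <= hi for lo, hi in ranges)

    def selects(self, flow: Flow) -> bool:
        """True if every selector matches, i.e. the policy applies to this flow."""
        return (self._in_subnets(flow.local_ip, self.local_ip_subnets)
                and self._in_subnets(flow.remote_ip, self.remote_ip_subnets)
                and self._in_ports(flow.local_port, self.local_ports)
                and self._in_ports(flow.remote_port, self.remote_ports)
                and (not self.protocols or flow.protocol in self.protocols))


# The policy exactly as created in the post.
ALL_NFS = IpsecPolicy(
    name="All_NFS",
    local_ip_subnets=("192.168.0.131/32",),
    remote_ip_subnets=("192.168.0.0/24",),
    local_ports=((2049, 2049),),
    protocols=("tcp",),
)

# Hypothetical wider policy (not from the post): same LIF and client subnet,
# but no port or protocol restriction, so NFSv3 side-band traffic is covered too.
ALL_PORTS = IpsecPolicy(
    name="All_Ports",
    local_ip_subnets=("192.168.0.131/32",),
    remote_ip_subnets=("192.168.0.0/24",),
)

# Constructed flows. Client ports are made up; 111 is rpcbind, 2049 is NFS;
# the mountd port is a placeholder, the real one on your SVM is shown by
# 'vserver nfs show -fields mountd-port'.
FLOWS = (
    Flow("nfsv4 tcp/2049 from lab client", "192.168.0.131", 2049, "192.168.0.61", 40001, "tcp"),
    Flow("nfsv3 rpcbind tcp/111", "192.168.0.131", 111, "192.168.0.61", 40002, "tcp"),
    Flow("nfsv3 mountd (placeholder port 635)", "192.168.0.131", 635, "192.168.0.61", 40003, "tcp"),
    Flow("nfs over udp/2049", "192.168.0.131", 2049, "192.168.0.61", 40004, "udp"),
    Flow("nfsv4 to the second LIF", "192.168.0.132", 2049, "192.168.0.61", 40005, "tcp"),
    Flow("nfsv4 from outside 192.168.0.0/24", "192.168.0.131", 2049, "10.0.0.5", 40006, "tcp"),
)


def coverage(policy: IpsecPolicy, flows: Tuple[Flow, ...] = FLOWS) -> Dict[str, bool]:
    """Map each flow description to whether the policy selects it."""
    return {f.desc: policy.selects(f) for f in flows}


if __name__ == "__main__":
    for policy in (ALL_NFS, ALL_PORTS):
        print(f"policy {policy.name}:")
        for desc, hit in coverage(policy).items():
            print(f"  {'IPsec   ' if hit else 'no match'}  {desc}")
```

Running it shows that All_NFS selects only the NFSv4 flow to 192.168.0.131 from the lab subnet; rpcbind, the mountd placeholder, UDP, the second LIF and a client outside 192.168.0.0/24 all fall through. The wider All_Ports variant picks up the NFSv3 side-band flows and UDP, but still leaves the second LIF and foreign clients unmatched, because those are subnet selectors, not port selectors.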

Linux Configuration

I am using RHEL 8.9 as a Linux client. As my customer was using SLES with strongSwan, I decided to use strongSwan, too.

# Install the required packages on RHEL 8.9. Note that strongswan is not in the RHEL base
# repositories (RHEL ships libreswan); it comes from EPEL, so enable EPEL first.
yum install -y strongswan nfs-utils

# Copy the required certificates to /etc/strongswan/ipsec.d
/etc/strongswan/ipsec.d/cacerts/rootca.pem # Root CA certificate PEM from XCA which signed both client certs
/etc/strongswan/ipsec.d/certs/linux.pem # The Linux client certificate
/etc/strongswan/ipsec.d/private/linux-key.pem # The matching private key for the certificate above
# The private key should be readable by root only:
chmod 600 /etc/strongswan/ipsec.d/private/linux-key.pem

Now we need to configure strongSwan to use the copied private key for any local identity. Modify /etc/strongswan/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file

# A line beginning with ":" (no identity selector) defines the default key.
# A relative file name is looked up in /etc/strongswan/ipsec.d/private/
: RSA linux-key.pem

Now add a connection definition to /etc/strongswan/ipsec.conf.

conn svm-ipsec
        auto=start
        # ONTAP IPSec supports IKEv2 only, so make it explicit instead of relying on the default
        keyexchange=ikev2
        # The default type is tunnel, but ONTAP only supports host-to-host transport mode
        type=transport
        # left is the Linux system's IP address
        left=192.168.0.61
        # leftcert also sets leftid to the subject DN of the certificate
        leftcert=linux.pem
        # right is the IP address of the SVM LIF I want to mount the NFS share from
        right=192.168.0.131
        # %any is the counterpart of ANYTHING on ONTAP: any peer with a certificate signed by
        # the trusted root CA is accepted. To pin the SVM instead, set rightid to the subject DN
        # of its certificate, e.g. rightid="C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm"
        rightid=%any

That's it, the configuration is done. Now start strongSwan, check /var/log/messages for the charon log to see whether the IKE and IPSec SAs come up, and mount your NFS share:

strongswan start

tail /var/log/messages
...
Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] authentication of 'C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm' with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] IKE_SA svm[1] established between 192.168.0.61[C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=linux]...192.168.0.131[C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm]
...

mount -t nfs 192.168.0.131:/ /mnt
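Because rightid=%any makes the client accept any peer certificate issued by the trusted CA, it is worth confirming in the charon log which identity actually authenticated. The following is an added example of mine, not part of the post or of strongSwan: it parses the "authentication of ... successful" and "IKE_SA ... established between" lines and flags any IKE_SA whose peer is not the SVM certificate you expect. The first two sample lines are the ones shown above; the last two are constructed to show a CA-signed certificate with a different CN being flagged.

```python
"""Audit charon log lines: did the IKE_SA come up with the expected SVM identity?

Added example, not strongSwan code.  With rightid=%any any certificate from the
trusted CA is accepted, so this post-hoc check (or pinning rightid) tells you
which peer certificate was actually used.  The expected IP and DN are the ones
from this post; the last two SAMPLE_LOG lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

AUTH_RE = re.compile(
    r"authentication of '(?P<peer_id>[^']+)' with (?P<scheme>\S+) successful")
IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<sa>\d+)\] established between "
    r"(?P<local_ip>[\d.]+)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote_ip>[\d.]+)\[(?P<remote_id>[^\]]+)\]")

EXPECTED_SVM_IP = "192.168.0.131"
EXPECTED_SVM_IDS = {"C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm"}

LINUX_ID = "C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=linux"
SVM_ID = "C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm"
OTHER_ID = "C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=other"  # constructed

SAMPLE_LOG = [
    # The two lines from the post:
    f"Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] authentication of '{SVM_ID}' "
    "with RSA_EMSA_PKCS1_SHA2_384 successful",
    f"Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] IKE_SA svm[1] established between "
    f"192.168.0.61[{LINUX_ID}]...192.168.0.131[{SVM_ID}]",
    # Constructed: same LIF address, but a different certificate from the same CA.
    f"Apr 18 03:40:00 rhel1 charon[9476]: 16[IKE] authentication of '{OTHER_ID}' "
    "with RSA_EMSA_PKCS1_SHA2_384 successful",
    f"Apr 18 03:40:00 rhel1 charon[9476]: 16[IKE] IKE_SA svm[2] established between "
    f"192.168.0.61[{LINUX_ID}]...192.168.0.131[{OTHER_ID}]",
]


def audit_ike_sas(lines: Iterable[str], expected_ip: str = EXPECTED_SVM_IP,
                  expected_ids: Set[str] = EXPECTED_SVM_IDS) -> List[Dict[str, object]]:
    """Return one record per established IKE_SA, with the authentication scheme
    charon reported for that peer and a verdict on whether the peer is the
    SVM we expect (right address and a whitelisted certificate subject)."""
    results: List[Dict[str, object]] = []
    last_auth: Optional[Dict[str, str]] = None
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            last_auth = m.groupdict()   # remember until the matching IKE_SA line
            continue
        m = IKE_SA_RE.search(line)
        if not m:
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        rec["auth_scheme"] = (last_auth["scheme"]
                              if last_auth and last_auth["peer_id"] == rec["remote_id"]
                              else None)
        rec["peer_ok"] = (rec["remote_ip"] == expected_ip
                          and rec["remote_id"] in expected_ids)
        results.append(rec)
        last_auth = None
    return results


if __name__ == "__main__":
    for rec in audit_ike_sas(SAMPLE_LOG):
        verdict = "OK      " if rec["peer_ok"] else "UNEXPECTED"
        print(f"{verdict} IKE_SA {rec['conn']}[{rec['sa']}] peer {rec['remote_ip']} "
              f"[{rec['remote_id']}] auth={rec['auth_scheme']}")
```

On a real system you would feed it `grep charon /var/log/messages` instead of SAMPLE_LOG. The same check is what rightid pinning in ipsec.conf enforces up front; the log audit is the fallback when you deliberately keep rightid=%any.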

You can verify the active IPSec sessions on ONTAP:

cluster1::> security ipsec show-ikesa -node cluster1-01
            Policy Local           Remote
Vserver     Name   Address         Address         Initiator-SPI    State
----------- ------ --------------- --------------- ---------------- -----------
svm1_cluster1
            All_NFS
                   192.168.0.131   192.168.0.61    b7f8a5751e1cbd02 ESTABLISHED

cluster1::> security ipsec show-ipsecsa -node cluster1-01
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
svm1_cluster1
            All_NFS
                    192.168.0.131   192.168.0.61    c0e65335 c28f66ce INSTALLED

I hope you enjoyed this guide and it was able to help you. Feel free to reach out when you have questions.
