NFS over IPSec with certificate authentication and NetApp ONTAP

Here I go again. I joined NetApp about half a year ago and came across a customer request for IPSec encryption of NFS. The documentation on this topic is scarce and hard to understand and sometimes misleading and I needed a while to get my setup running – this is why I want to share this here.

Please be aware that this is not a guide for absolute beginners. You’ll require some skills on Linux and ONTAP to follow this easily.

First of all let’s start with the doc sources I used:

I was using a NetApp LabOnDemand of ONTAP 9.14.1 for this test. This is a great resource for every employee, partner and customer to learn and play with NetApp products. I can absolutely recommend these labs!

I created a root CA and two TLS client certificates using XCA. For demo purposes I created all certificates and keys from within XCA instead of creating CSRs. Keys are generated with RSA 4096 bit.


The lab has one Linux server, a RHEL 8.9 with IP, and a pre-configured SVM with NFS enabled. The SVM has two data LIFs and I’ll configure IPSec access via

ONTAP Configuration

# Enable IPSec on the cluster
security ipsec config modify -is-enabled true

# Install the SVM certificate. The system will ask to paste the cert, private key and intermediate/root CAs. 
# The last step you can skip as we don't require a chained certificate.
security certificate install -vserver svm1_cluster1 -type client -cert-name svm
# Paste cert and key PEM from XCA, reply NO for root CA certs

# Install the root CA certificate. I've chosen to add it as 'server-ca', but you can also add it as 'client-ca'. 
# The certificate will be linked to ipsec later on, so the type of CA certificate you specify here doesn't matter.
security certificate install -type server-ca -cert-name rootca -vserver svm1_cluster1
# Paste the root CA PEM form XCA

# Now add the CA certificate to the IPSec config so it can be used to validate the peer
security ipsec ca-certificate add -ca-certs rootca -vserver svm1_cluster1

# Create an IPSec policy. It needs to match traffic which should be encrypted.
security ipsec policy create -vserver svm1_cluster1 -name All_NFS -local-ip-subnets -remote-ip-subnets -local-ports 2049 -protocols tcp -auth-method PKI -cert-name svm -remote-identity ANYTHING

The policy defines IPSec is required for any client coming from the subnet and trying to access NFS (-local-ports 2049) on the LIF with IP with certificate authentication (-auth-method PKI). Specifying -remote-identity ANYTHING means that any client which can authenticate itself with a certificate signed by a trusted root CA will be able to create an IPSec connection.

Linux Configuration

I am using RHEL 8.9 as a Linux client. As my customer was using SLES and SLES with strongswan I decided to use strongswan, too.

# Install the required packages on RHEL 8.9
yum install -y strongswan nfs-utils

# Copy the required certificates to /etc/strongswan/ipsec.d
/etc/strongswan/ipsec.d/cacerts/rootca.pem # Root CA certificate PEM from XCA which signed both TLS client certs
/etc/strongswan/ipsec.d/certs/linux.pem # The Linux Client certificate
/etc/strongswan/ipsec.d/private/linux-key.pem # The matching private key for the certificate above

Now we need to configure StrongSwan to use the copied private key for any identifier. Modify /etc/strongswan/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file

# Line beginning with ":" defines the default key to use. Will be looked up from /etc/strongswan/ipsec.d/private/
: RSA linux-key.pem

Now add a connection definition to /etc/strongswan/ipsec.conf.

conn svm-ipsec
        # The default type is tunnel, but ONTAP only supports a host-to-host transport connection
        # left is the Linux system's IP address
        # leftcert sets automatically leftid
        # right is the IP address of the SVM I want to mount the NFS share from
        # %any here is like ANYTHING on ONTAP. Any peer with a certificate signed by the trusted root CA will be accepted        

That’s it. Config done. Now start strongswan, you can check /var/log/messages for logging from charon to see if the tunnel is working and mount your NFS share:

strongswan start

tail /var/log/messages
Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] authentication of 'C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm' with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 18 03:32:09 rhel1 charon[9476]: 15[IKE] IKE_SA svm[1] established between[C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=linux]...[C=DE, ST=BY, L=Munich, O=NetApp, OU=Lab on Demand, CN=svm]

mount -t nfs /mnt

You can verify the active IPSec sessions on ONTAP:

cluster1::> security ipsec show-ikesa -node cluster1-01
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
             b7f8a5751e1cbd02 ESTABLISHED

cluster1::> security ipsec show-ipsecsa -node cluster1-0
    cluster1-01 cluster1-02
cluster1::> security ipsec show-ipsecsa -node cluster1-01
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
              c0e65335 c28f66ce INSTALLED

I hope you enjoyed this guide and it was able to help you. Feel free to reach out when you have questions.

Leave a Reply

Your email address will not be published. Required fields are marked *