1 ##########################################################################
2 #
3 #==================LICENSE_START==========================================
4 #
5 # Copyright © Intel Corporation 2019
6 #
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
10 #
11 #     http://www.apache.org/licenses/LICENSE-2.0
12 #
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
18 #
19 #==================LICENSE_END============================================
20 #
21 ##########################################################################
22
heat_template_version: 2013-05-23  # HOT format (Icehouse-era feature set); bump only if a resource below needs a newer intrinsic

description: Heat template that deploys vIPsec demo app for ONAP
26
27 ##############
28 #            #
29 # PARAMETERS #
30 #            #
31 ##############
32
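parameters:
  # Every parameter keeps its original name and type so existing ONAP environment
  # files keep working. Changes in this revision: typos fixed ("metatada"), labels
  # made consistent with the parameter names, descriptions corrected to match how
  # the resources actually use the value, and input validation added where a bad
  # value would otherwise only surface as a broken VPP/ARP configuration at boot.

  # ---- Image and flavors ----------------------------------------------------
  vipsec_image_name:
    type: string
    label: Image name or ID
    description: Image used for all four compute instances (both gateways, the packet generator and the sink)
  ipsec_flavor_name:
    type: string
    label: IPsec flavor
    description: Type of instance (flavor) to be used for the two IPsec gateway VMs
  sink_flavor_name:
    type: string
    label: vSink flavor
    description: Type of instance (flavor) to be used for the vSink VM
  packetgen_flavor_name:
    type: string
    label: vPacketGenerator flavor
    description: Type of instance (flavor) to be used for the packet generator VM

  # ---- Networks (existing ones are passed by name/ID, the two protected client
  # ---- networks are *created* by this stack and the value is used as their name)
  public_net_id:
    type: string
    label: Public network name or ID
    description: Existing public network that enables remote connection to the VNF
  external_net_id:
    type: string
    label: External network name or ID
    description: External network that connects the two IPsec gateways (kept for interface compatibility; check whether any resource still references it)
  protected_clientA_private_net_id:
    type: string
    label: Protected private network A name
    description: Name given to the private network created for clientA, connecting the vPacketGenerator with vIPsec gateway A
  protected_clientB_private_net_id:
    type: string
    label: Protected private network B name
    description: Name given to the private network created for clientB, connecting vIPsec gateway B with the vSink
  onap_private_net_id:
    type: string
    label: ONAP management network name or ID
    description: Existing private network that connects ONAP components and the VNF
  onap_private_subnet_id:
    type: string
    label: ONAP management sub-network name or ID
    description: Existing private sub-network that connects ONAP components and the VNF
  ipsec_private_net_id:
    type: string
    label: IPsec private network name or ID
    description: Existing private network that carries the ESP traffic between the two IPsec gateways
  ipsec_private_subnet_id:
    type: string
    label: IPsec sub-network name or ID
    description: Existing private sub-network that carries the ESP traffic between the two IPsec gateways

  # ---- CIDRs ------------------------------------------------------------------
  protected_clientA_private_net_cidr:
    type: string
    label: Protected private network A CIDR
    description: The CIDR of the protected private network for clientA
  protected_clientB_private_net_cidr:
    type: string
    label: Protected private network B CIDR
    description: The CIDR of the protected private network for clientB
  onap_private_net_cidr:
    type: string
    label: ONAP private network CIDR
    description: The CIDR of the ONAP management network
  ipsec_private_net_cidr:
    type: string
    label: IPsec private network CIDR
    description: The CIDR of the network that carries the ESP traffic between the two gateways

  # ---- Fixed IP addresses -----------------------------------------------------
  vipsec_A_private_ip_0:
    type: string
    label: vIPsec A private IP address towards protected network A
    description: Private IP address assigned to vIPsec gateway A to communicate with the vPacketGenerator
  vipsec_A_private_ip_1:
    type: string
    label: vIPsec A private IP address towards the ONAP management network
    description: Private IP address assigned to vIPsec gateway A to communicate with ONAP components
  vipsec_A_private_ip_2:
    type: string
    label: vIPsec A private IP address towards the IPsec network
    description: Private IP address assigned to vIPsec gateway A to communicate with vIPsec gateway B
  vipsec_B_private_ip_0:
    type: string
    label: vIPsec B private IP address towards protected network B
    description: Private IP address assigned to vIPsec gateway B to communicate with the vSink
  vipsec_B_private_ip_1:
    type: string
    label: vIPsec B private IP address towards the ONAP management network
    description: Private IP address assigned to vIPsec gateway B to communicate with ONAP components
  vipsec_B_private_ip_2:
    type: string
    label: vIPsec B private IP address towards the IPsec network
    description: Private IP address assigned to vIPsec gateway B to communicate with vIPsec gateway A
  vpg_private_ip_0:
    type: string
    label: vPacketGenerator private IP address towards protected network A
    description: Private IP address assigned to the vPacketGenerator to communicate with vIPsec gateway A
  vpg_private_ip_1:
    type: string
    label: vPacketGenerator private IP address towards the ONAP management network
    description: Private IP address assigned to the vPacketGenerator to communicate with ONAP components
  vsn_private_ip_0:
    type: string
    label: vSink private IP address towards protected network B
    description: Private IP address assigned to the vSink to communicate with vIPsec gateway B
  vsn_private_ip_1:
    type: string
    label: vSink private IP address towards the ONAP management network
    description: Private IP address assigned to the vSink to communicate with ONAP components

  # ---- Port binding types. Validated up front: an unknown vnic_type is otherwise
  # ---- only reported by Neutron once the port is created.
  vipsec_A_private_0_port_vnic_type:
    type: string
    description: vIPsec gateway A port 0 (protected network A) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vipsec_private_1_port_vnic_type:
    type: string
    description: vIPsec port 1 (ONAP management network) vnic type, shared by both gateways
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vipsec_B_private_0_port_vnic_type:
    type: string
    description: vIPsec gateway B port 0 (protected network B) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vipsec_private_2_port_vnic_type:
    type: string
    description: vIPsec port 2 (IPsec network) vnic type, shared by both gateways
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vsn_private_0_port_vnic_type:
    type: string
    description: vSink port 0 (protected network B) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vsn_private_1_port_vnic_type:
    type: string
    description: vSink port 1 (ONAP management network) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vpg_private_0_port_vnic_type:
    type: string
    description: vPacketGenerator port 0 (protected network A) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]
  vpg_private_1_port_vnic_type:
    type: string
    description: vPacketGenerator port 1 (ONAP management network) vnic type
    default: normal
    constraints:
      - allowed_values: [normal, direct, direct-physical]

  # ---- Instance names and ONAP identifiers ------------------------------------
  vipsec_name_0:
    type: string
    label: vIPsec gateway A name
    description: Name of the vIPsec gateway A
  vipsec_name_1:
    type: string
    label: vIPsec gateway B name
    description: Name of the vIPsec gateway B
  vpg_name_0:
    type: string
    label: vPacketGenerator name
    description: Name of the vPacketGenerator
  vsn_name_0:
    type: string
    label: vSink name
    description: Name of the vSink
  vnf_id:
    type: string
    label: VNF ID
    description: The VNF ID is provided by ONAP
  vf_module_id:
    type: string
    label: vIPsec module ID
    description: The vIPsec Module ID is provided by ONAP
  dcae_collector_ip:
    type: string
    label: DCAE collector IP address
    description: IP address of the DCAE collector
  dcae_collector_port:
    type: string
    label: DCAE collector port
    description: Port of the DCAE collector

  # ---- SSH access. Only the public half of the key is ever handled; the keypair
  # ---- resource sets save_private_key to false so Heat stores no private key.
  key_name:
    type: string
    label: Key pair name
    description: Base name of the Nova key pair (a random suffix is appended to avoid collisions)
  pub_key:
    type: string
    label: Public key
    description: SSH public key to be installed on the compute instances

  # ---- Software sources -------------------------------------------------------
  install_script_version:
    type: string
    label: Installation script version number
    description: Version number of the scripts that install the vIPsec demo app
  demo_artifacts_version:
    type: string
    label: Artifacts version used in demo vnfs
    description: Artifacts (jar, tar.gz) version used in demo vnfs
  nexus_artifact_repo:
    type: string
    description: Root URL for the Nexus repository for Maven artifacts (fetched over HTTPS at boot; keep the certificate verifiable)
    default: "https://nexus.onap.org"
  cloud_env:
    type: string
    label: Cloud environment
    description: Cloud environment (e.g., openstack, rackspace)
  sec_group:
    type: string
    description: ONAP Security Group applied to every Neutron port in this module
  sdnc_model_name:
    type: string
    description: SDNC Model Name metadata
  sdnc_model_version:
    type: string
    description: SDNC Model Version metadata
  sdnc_artifact_name:
    type: string
    description: SDNC Artifact Name metadata

  # ---- Data-plane NICs of the two gateways. *_device_interface_* is the VPP
  # ---- interface name used in the "set interface ..." CLI lines; *_interface_*
  # ---- is the PCI address (BDF) placed in the dpdk "dev" stanza of startup.conf.
  input_device_interface_A:
    type: string
    description: VPP interface name of gateway A's input (cleartext) port
  input_device_interface_B:
    type: string
    description: VPP interface name of gateway B's input (cleartext) port
  output_device_interface_A:
    type: string
    description: VPP interface name of gateway A's output (IPsec) port
  output_device_interface_B:
    type: string
    description: VPP interface name of gateway B's output (IPsec) port
  input_interface_A:
    type: string
    description: PCI address (domain:bus:device.function) of gateway A's input NIC
  input_interface_B:
    type: string
    description: PCI address (domain:bus:device.function) of gateway B's input NIC
  output_interface_A:
    type: string
    description: PCI address (domain:bus:device.function) of gateway A's output NIC
  output_interface_B:
    type: string
    description: PCI address (domain:bus:device.function) of gateway B's output NIC

  # ---- Generated VPP files (written under /opt at boot) and peer MACs ----------
  vpp_config:
    type: string
    description: File name of the VPP startup configuration generated under /opt at boot
  ipsec_config:
    type: string
    description: File name of the VPP CLI exec script (IPsec SAs and policies) generated under /opt at boot
  ipsec_A_MAC_address:
    type: string
    description: MAC address of gateway A's IPsec-side interface, installed as a static ARP entry on gateway B
    constraints:
      - allowed_pattern: "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"
        description: must be a colon-separated MAC address (aa:bb:cc:dd:ee:ff)
  ipsec_B_MAC_address:
    type: string
    description: MAC address of gateway B's IPsec-side interface, installed as a static ARP entry on gateway A
    constraints:
      - allowed_pattern: "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"
        description: must be a colon-separated MAC address (aa:bb:cc:dd:ee:ff)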
274
275 #############
276 #           #
277 # RESOURCES #
278 #           #
279 #############
280
281 resources:
282   random-str:
283     type: OS::Heat::RandomString
284     properties:
285       length: 4
286
287   my_keypair:
288     type: OS::Nova::KeyPair
289     properties:
290       name:
291         str_replace:
292           template: base_rand
293           params:
294             base: { get_param: key_name }
295             rand: { get_resource: random-str }
296       public_key: { get_param: pub_key }
297       save_private_key: false
298
299   protected_clientA_private_network:
300     type: OS::Neutron::Net
301     properties:
302       name: { get_param: protected_clientA_private_net_id }
303
304   protected_clientB_private_network:
305     type: OS::Neutron::Net
306     properties:
307       name: { get_param: protected_clientB_private_net_id }
308
309   protected_clientA_private_subnet:
310     type: OS::Neutron::Subnet
311     properties:
312       network_id: { get_resource: protected_clientA_private_network }
313       cidr: { get_param: protected_clientA_private_net_cidr }
314
315   protected_clientB_private_subnet:
316     type: OS::Neutron::Subnet
317     properties:
318       network_id: { get_resource: protected_clientB_private_network }
319       cidr: { get_param: protected_clientB_private_net_cidr }
320
321   # Virtual IPsec instantiation
322   vipsec_A_private_0_port:
323     type: OS::Neutron::Port
324     properties:
325       network: { get_resource: protected_clientA_private_network }
326       binding:vnic_type: { get_param: vipsec_A_private_0_port_vnic_type}
327       fixed_ips: [{"subnet": { get_resource: protected_clientA_private_subnet}, "ipaddress": { get_param: vipsec_A_private_ip_0 }}]
328       security_groups:
329       - { get_param: sec_group }
330
331   vipsec_A_private_1_port:
332     type: OS::Neutron::Port
333     properties:
334       #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}]
335       network: { get_param: onap_private_net_id }
336       binding:vnic_type: { get_param: vipsec_private_1_port_vnic_type}
337       fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vipsec_A_private_ip_1 }}]
338       security_groups:
339       - { get_param: sec_group }
340
341   vipsec_A_private_2_port:
342     type: OS::Neutron::Port
343     properties:
344       #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}]
345       network: { get_param: ipsec_private_net_id }
346       binding:vnic_type: { get_param: vipsec_private_2_port_vnic_type}
347       fixed_ips: [{"subnet": { get_param: ipsec_private_subnet_id }, "ip_address": { get_param: vipsec_A_private_ip_2 }}]
348       security_groups:
349       - { get_param: sec_group }
350
351   vipsec_B_private_0_port:
352     type: OS::Neutron::Port
353     properties:
354       network: { get_resource: protected_clientB_private_network }
355       binding:vnic_type: { get_param: vipsec_B_private_0_port_vnic_type}
356       fixed_ips: [{"subnet": { get_resource: protected_clientB_private_subnet}, "ipaddress": { get_param: vipsec_B_private_ip_0 }}]
357       security_groups:
358       - { get_param: sec_group }
359
360   vipsec_B_private_1_port:
361     type: OS::Neutron::Port
362     properties:
363       #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}]
364       network: { get_param: onap_private_net_id }
365       binding:vnic_type: { get_param: vipsec_private_1_port_vnic_type}
366       fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vipsec_B_private_ip_1 }}]
367       security_groups:
368       - { get_param: sec_group }
369
370   vipsec_B_private_2_port:
371     type: OS::Neutron::Port
372     properties:
373       network: { get_param: ipsec_private_net_id }
374       binding:vnic_type: { get_param: vipsec_private_2_port_vnic_type}
375       fixed_ips: [{"subnet": { get_param: ipsec_private_subnet_id }, "ip_address": { get_param: vipsec_B_private_ip_2 }}]
376       security_groups:
377       - { get_param: sec_group }
378
379   vipsec_0:
380     type: OS::Nova::Server
381     properties:
382       image: { get_param: vipsec_image_name }
383       flavor: { get_param: ipsec_flavor_name }
384       name: { get_param: vipsec_name_0 }
385       key_name: { get_resource: my_keypair }
386       networks:
387         - network: { get_param: public_net_id }
388         - port: { get_resource: vipsec_A_private_0_port }
389         - port: { get_resource: vipsec_A_private_1_port }
390       metadata: { vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
391       user_data_format: RAW
392       user_data:
393         str_replace:
394           params:
395             __dcae_collector_ip__ : { get_param: dcae_collector_ip }
396             __dcae_collector_port__ : { get_param: dcae_collector_port }
397             __demo_artifacts_version__ : { get_param: demo_artifacts_version }
398             __install_script_version__ : { get_param: install_script_version }
399             __vipsec_A_private_ip_0__ : { get_param: vipsec_A_private_ip_0 }
400             __vipsec_A_private_ip_1__ : { get_param: vipsec_A_private_ip_1 }
401             __protected_clientA_private_net_cidr__ : { get_param: protected_clientA_private_net_cidr }
402             __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
403             __cloud_env__ : { get_param: cloud_env }
404             __nexus_artifact_repo__: { get_param: nexus_artifact_repo }
405             __vpp_config__: { get_param: vpp_config }
406             __ipsec_config__: { get_param: ipsec_config }
407             __input_interface_num__: { get_param: input_interface_A }
408             __output_interface_num__: { get_param: output_interface_A }
409             __input_interface__: { get_param: input_device_interface_A }
410             __output_interface__: { get_param: output_device_interface_A }
411             __ipsec_B_MAC_address__: { get_param: ipsec_B_MAC_address }
412           template: |
413             #!/bin/bash
414
415             # Create configuration files
416             mkdir /opt/config
417             echo "__dcae_collector_ip__" > /opt/config/dcae_collector_ip.txt
418             echo "__dcae_collector_port__" > /opt/config/dcae_collector_port.txt
419             echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt
420             echo "__install_script_version__" > /opt/config/install_script_version.txt
421             echo "__vipsec_A_private_ip_0__" > /opt/config/vipsec_A_private_ip_0.txt
422             echo "__vipsec_A_private_ip_1__" > /opt/config/vipsec_A_private_ip_1.txt
423             echo "__protected_clientA_private_net_cidr__" > /opt/config/protected_clientA_private_net_cidr.txt
424             echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
425             echo "__cloud_env__" > /opt/config/cloud_env.txt
426             echo "__nexus_artifact_repo__" > /opt/config/nexus_artifact_repo.txt
427             echo "__input_interface_num__" > /opt/config/input_interface_A_BDF_num.txt
428             echo "__output_interface_num__" > /opt/config/output_interface_A_BDF_num.txt
429             echo "__input_interface__" > /opt/config/input_interface_A.txt
430             echo "__output_interface__" > /opt/config/output_interface_A.txt
431             echo "__ipsec_B_MAC_address__" > /opt/config/ipsec_B_mac_address.txt
432             echo "__vpp_config__" > /opt/config/vpp_config.txt
433             echo "__ipsec_config__" > /opt/config/ipsec_config.txt
434
435             # Download and run install script
436             apt-get update
437             cd /root/comms/dpdk/x86_64-native-linuxapp-gcc/kmod
438             modeprobe uio
439             insmod igb_uio.ko
440             cd /opt
441             cat > __vpp_config__<< NEWFILE
442
443             unix {
444                     exec __ipsec_config__
445                     nodaemon
446                     cli-listen /run/vpp/cli.sock
447                     log /tmp/vpp.log
448                  }
449
450             cpu {
451                    main-core 0
452                    corelist-workers 1
453                 }
454
455             dpdk {
456                     socket-mem 512
457                     log-level debug
458                     no-tx-checksum-offload
459                     dev default{
460                             num-tx-desc 512
461                             num-rx-desc 512
462                     }
463                     dev __input_interface_num__
464                     {
465                             workers 0
466                     }
467                     dev __output_interface_num__
468                     {
469                             workers 0
470                     }
471                     vdev crypto_aesni_gcm0
472
473                     num-mbufs 370000
474                     no-multi-seg
475                  }
476
477             NEWFILE
478
479             cat > __ipsec_config__<< NEWFILE
480  
481             set interface state __input_interface__ up
482             set interface state __output_interface__ up
483
484             set interface ip address __input_interface__ 1.0.0.1/8
485             set interface ip address __output_interface__ 255.0.0.128/8
486
487             set int promiscuous on __input_interface__
488             set int promiscuous on __output_interface__
489
490             set ip arp __output_interface__ 255.0.0.129 __ipsec_B_MAC_address
491             set ip arp __input_interface__ 1.0.0.2 11:11:11:11:00:11
492
493             ip route add count 1 104.0.0.0/32 via 255.0.0.129 __output_interface__
494             ip route add count 1 004.0.0.0/32 via 1.0.0.2 __input_interface__
495
496             ipsec spd add 1
497             set interface ipsec spd __output_interface__ 1
498             ipsec sa add 1 spi 25500128 esp tunnel-src 255.0.0.128 tunnel-dst 255.0.0.129 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
499             ipsec sa add 2 spi 25500129 esp tunnel-src 255.0.0.129 tunnel-dst 255.0.0.128 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
500             ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
501             ipsec policy add spd 1 inbound priority 100 action protect sa 2 remote-ip-range 004.0.0.0-004.0.0.0
502             ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass
503             ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
504  
505             NEWFILE
506
507             vpp -c __vpp_config__
508
509   vipsec_1:
510     type: OS::Nova::Server
511     properties:
512       image: { get_param: vipsec_image_name }
513       flavor: { get_param: ipsec_flavor_name }
514       name: { get_param: vipsec_name_1 }
515       key_name: { get_resource: my_keypair }
516       networks:
517         - network: { get_param: public_net_id }
518         - port: { get_resource: vipsec_B_private_0_port }
519         - port: { get_resource: vipsec_B_private_1_port }
520       metadata: { vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
521       user_data_format: RAW
522       user_data:
523         str_replace:
524           params:
525             __dcae_collector_ip__ : { get_param: dcae_collector_ip }
526             __dcae_collector_port__ : { get_param: dcae_collector_port }
527             __demo_artifacts_version__ : { get_param: demo_artifacts_version }
528             __install_script_version__ : { get_param: install_script_version }
529             __vipsec_A_private_ip_0__ : { get_param: vipsec_B_private_ip_0 }
530             __vipsec_A_private_ip_1__ : { get_param: vipsec_B_private_ip_1 }
531             __protected_clientA_private_net_cidr__ : { get_param: protected_clientB_private_net_cidr }
532             __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
533             __cloud_env__ : { get_param: cloud_env }
534             __nexus_artifact_repo__: { get_param: nexus_artifact_repo }
535             __vpp_config__: { get_param: vpp_config }
536             __ipsec_config__: { get_param: ipsec_config }
537             __input_interface_num__: { get_param: input_interface_B }
538             __output_interface_num__: { get_param: output_interface_B }
539             __input_interface__: { get_param: input_device_interface_B }
540             __output_interface__: { get_param: output_device_interface_B }
541             __ipsec_A_MAC_address__: { get_param: ipsec_A_MAC_address }
542           template: |
543             #!/bin/bash
544
545             # Create configuration files
546             mkdir /opt/config
547             echo "__dcae_collector_ip__" > /opt/config/dcae_collector_ip.txt
548             echo "__dcae_collector_port__" > /opt/config/dcae_collector_port.txt
549             echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt
550             echo "__install_script_version__" > /opt/config/install_script_version.txt
551             echo "__vipsec_B_private_ip_0__" > /opt/config/vipsec_B_private_ip_0.txt
552             echo "__vipsec_B_private_ip_1__" > /opt/config/vipsec_B_private_ip_1.txt
553             echo "__protected_clientA_private_net_cidr__" > /opt/config/protected_clientB_private_net_cidr.txt
554             echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
555             echo "__cloud_env__" > /opt/config/cloud_env.txt
556             echo "__nexus_artifact_repo__" > /opt/config/nexus_artifact_repo.txt
557             echo "__input_interface_num__" > /opt/config/input_interface_B_BDF_num.txt
558             echo "__output_interface_num__" > /opt/config/output_interface_B_BDF_num.txt
559             echo "__input_interface__" > /opt/config/input_interface_B.txt
560             echo "__output_interface__" > /opt/config/output_interface_B.txt
561             echo "__ipsec_A_MAC_address__" > /opt/config/ipsec_A_mac_address.txt
562             echo "__vpp_config__" > /opt/config/vpp_config.txt
563             echo "__ipsec_config__" > /opt/config/ipsec_config.txt
564
565             # Download and run install script
566             apt-get update
567             cd /root/comms/dpdk/x86_64-native-linuxapp-gcc/kmod
568             modeprobe uio
569             insmod igb_uio.ko
570             cd /opt
571             cat > __vpp_config__<< NEWFILE
572
573             unix {
574                     exec __ipsec_config__
575                     nodaemon
576                     cli-listen /run/vpp/cli.sock
577                     log /tmp/vpp.log
578                  }
579
580             cpu {
581                    main-core 0
582                    corelist-workers 1
583                 }
584
585             dpdk {
586                     socket-mem 512
587                     log-level debug
588                     no-tx-checksum-offload
589                     dev default{
590                             num-tx-desc 512
591                             num-rx-desc 512
592                     }
593                     dev __input_interface_num__
594                     {
595                             workers 0
596                     }
597                     dev __output_interface_num__
598                     {
599                             workers 0
600                     }
601                     vdev crypto_aesni_gcm0
602
603                     num-mbufs 370000
604                     no-multi-seg
605                  }
606
607             NEWFILE
608
609             cat > __ipsec_config__<< NEWFILE
610  
611             set interface state __input_interface__ up
612             set interface state __output_interface__ up
613
614             set interface ip address __input_interface__ 1.0.0.1/8
615             set interface ip address __output_interface__ 255.0.0.128/8
616
617             set int promiscuous on __input_interface__
618             set int promiscuous on __output_interface__
619
620             set ip arp __output_interface__ 255.0.0.129 __ipsec_A_MAC_address
621             set ip arp __input_interface__ 1.0.0.2 11:11:11:11:00:11
622
623             ip route add count 1 104.0.0.0/32 via 255.0.0.129 __output_interface__
624             ip route add count 1 004.0.0.0/32 via 1.0.0.2 __input_interface__
625
626             ipsec spd add 1
627             set interface ipsec spd __output_interface__ 1
628             ipsec sa add 1 spi 25500128 esp tunnel-src 255.0.0.128 tunnel-dst 255.0.0.129 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
629             ipsec sa add 2 spi 25500129 esp tunnel-src 255.0.0.129 tunnel-dst 255.0.0.128 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
630             ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
631             ipsec policy add spd 1 inbound priority 100 action protect sa 2 remote-ip-range 004.0.0.0-004.0.0.0
632             ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass
633             ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
634  
635             NEWFILE
636
637             vpp -c __vpp_config__
638
639
640   # Virtual Packet Generator instantiation
641   vpg_private_0_port:
642     type: OS::Neutron::Port
643     properties:
644       network: { get_resource: protected_clientA_private_network}
645       binding:vnic_type: { get_param: vpg_private_0_port_vnic_type}
646       fixed_ips: [{"subnet": { get_resource: protected_clientA_private_subnet }, "ip_address": { get_param: vpg_private_ip_0 }}]
647       security_groups:
648       - { get_param: sec_group }
649
650   vpg_private_1_port:
651     type: OS::Neutron::Port
652     properties:
653       network: { get_param: onap_private_net_id }
654       binding:vnic_type: { get_param: vpg_private_1_port_vnic_type}
655       fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vpg_private_ip_1 }}]
656       security_groups:
657       - { get_param: sec_group }
658
659   vpg_0:
660     type: OS::Nova::Server
661     properties:
662       image: { get_param: vipsec_image_name }
663       flavor: { get_param: packetgen_flavor_name }
664       name: { get_param: vpg_name_0 }
665       key_name: { get_resource: my_keypair }
666       networks:
667         - network: { get_param: public_net_id }
668         - port: { get_resource: vpg_private_0_port }
669         - port: { get_resource: vpg_private_1_port }
670       metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
671       user_data_format: RAW
672       user_data:
673         str_replace:
674           params:
675             __ipsec_ipaddr__: { get_param: vipsec_A_private_ip_0 }
676             __protected_clientB_net_cidr__: { get_param: protected_clientB_private_net_cidr }
677             __sink_ipaddr__: { get_param: vsn_private_ip_0 }
678             __demo_artifacts_version__ : { get_param: demo_artifacts_version }
679             __install_script_version__ : { get_param: install_script_version }
680             __vpg_private_ip_0__ : { get_param: vpg_private_ip_0 }
681             __vpg_private_ip_1__ : { get_param: vpg_private_ip_1 }
682             __protected_clientA_net_cidr__ : { get_param: protected_clientA_private_net_cidr }
683             __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
684             __cloud_env__ : { get_param: cloud_env }
685             __nexus_artifact_repo__: { get_param: nexus_artifact_repo }
686           template: |
687             #!/bin/bash
688
689             # Create configuration files
690             mkdir /opt/config
691             echo "__ipsec_ipaddr__" > /opt/config/vipsec_ipaddr.txt
692             echo "__protected_clientB_net_cidr__" > /opt/config/protected_clientB_net_cidr.txt
693             echo "__sink_ipaddr__" > /opt/config/sink_ipaddr.txt
694             echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt
695             echo "__install_script_version__" > /opt/config/install_script_version.txt
696             echo "__vpg_private_ip_0__" > /opt/config/vpg_private_ip_0.txt
697             echo "__vpg_private_ip_1__" > /opt/config/vpg_private_ip_1.txt
698             echo "__protected_clientA__net_cidr__" > /opt/config/protected_clientA_net_cidr.txt
699             echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
700             echo "__cloud_env__" > /opt/config/cloud_env.txt
701             echo "__nexus_artifact_repo__" > /opt/config/nexus_artifact_repo.txt
702
703             # Download and run install script
704             apt-get update
705             apt-get -y install unzip
706             if [[ "__install_script_version__" =~ "SNAPSHOT" ]]; then REPO=snapshots; else REPO=releases; fi
707             curl -k -L "__nexus_artifact_repo__/service/local/artifact/maven/redirect?r=${REPO}&g=org.onap.demo.vnf.vipsec&a=vipsec-scripts&e=zip&v=__install_script_version__" -o /opt/vipsec-scripts-__install_script_version__.zip
708             unzip -j /opt/vipsec-scripts-__install_script_version__.zip -d /opt v_packetgen_install.sh
709             cd /opt
710             chmod +x v_packetgen_install.sh
711             ./v_packetgen_install.sh
712
713
714   # Virtual Sink instantiation
715   vsn_private_0_port:
716     type: OS::Neutron::Port
717     properties:
718       network: { get_resource: protected_clientB_private_network }
719       binding:vnic_type: { get_param: vsn_private_0_port_vnic_type}
720       fixed_ips: [{"subnet": { get_resource: protected_clientB_private_subnet }, "ip_address": { get_param: vsn_private_ip_0 }}]
721       security_groups:
722       - { get_param: sec_group }
723
724   vsn_private_1_port:
725     type: OS::Neutron::Port
726     properties:
727       network: { get_param: onap_private_net_id }
728       binding:vnic_type: { get_param: vsn_private_1_port_vnic_type}
729       fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vsn_private_ip_1 }}]
730       security_groups:
731       - { get_param: sec_group }
732
733   vsn_0:
734     type: OS::Nova::Server
735     properties:
736       image: { get_param: vipsec_image_name }
737       flavor: { get_param: sink_flavor_name }
738       name: { get_param: vsn_name_0 }
739       key_name: { get_resource: my_keypair }
740       networks:
741         - network: { get_param: public_net_id }
742         - port: { get_resource: vsn_private_0_port }
743         - port: { get_resource: vsn_private_1_port }
744       metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }}
745       user_data_format: RAW
746       user_data:
747         str_replace:
748           params:
749             __protected_net_gw__: { get_param: vipsec_B_private_ip_0 }
750             __protected_net_A__: { get_param: protected_clientA_private_net_cidr }
751             __install_script_version__ : { get_param: install_script_version }
752             __vsn_private_ip_0__ : { get_param: vsn_private_ip_0 }
753             __vsn_private_ip_1__ : { get_param: vsn_private_ip_1 }
754             __protected_clientB_private_net_cidr__ : { get_param: protected_clientB_private_net_cidr }
755             __onap_private_net_cidr__ : { get_param: onap_private_net_cidr }
756             __cloud_env__ : { get_param: cloud_env }
757             __nexus_artifact_repo__: { get_param: nexus_artifact_repo }
758           template: |
759             #!/bin/bash
760
761             # Create configuration files
762             mkdir /opt/config
763             echo "__protected_net_gw__" > /opt/config/protected_net_gw.txt
764             echo "__protected_net_A__" > /opt/config/protected_net_A.txt
765             echo "__install_script_version__" > /opt/config/install_script_version.txt
766             echo "__vsn_private_ip_0__" > /opt/config/vsn_private_ip_0.txt
767             echo "__vsn_private_ip_1__" > /opt/config/vsn_private_ip_1.txt
768             echo "__protected_clientB_private_net_cidr__" > /opt/config/protected_clientB_private_net_cidr.txt
769             echo "__onap_private_net_cidr__" > /opt/config/onap_private_net_cidr.txt
770             echo "__cloud_env__" > /opt/config/cloud_env.txt
771             echo "__nexus_artifact_repo__" > /opt/config/nexus_artifact_repo.txt
772
773             # Download and run install script
774             apt-get update
775             apt-get -y install unzip
776             if [[ "__install_script_version__" =~ "SNAPSHOT" ]]; then REPO=snapshots; else REPO=releases; fi
777             curl -k -L "__nexus_artifact_repo__/service/local/artifact/maven/redirect?r=${REPO}&g=org.onap.demo.vnf.vipsec&a=vipsec-scripts&e=zip&v=__install_script_version__" -o /opt/vipsec-scripts-__install_script_version__.zip
778             unzip -j /opt/vipsec-scripts-__install_script_version__.zip -d /opt v_sink_install.sh
779             cd /opt
780             chmod +x v_sink_install.sh
781             ./v_sink_install.sh