Installation
------------
-To enable the experimental SDN integration, you need to install
-"libpve-network-perl" package
+To enable the experimental SDN integration, you need to install the
+`libpve-network-perl` and `ifupdown2` package on every node:
----
-apt install libpve-network-perl
+apt update
+apt install libpve-network-perl ifupdown2
----
-You need to have `ifupdown2` package installed on each node to manage local
-configuration reloading without reboot:
+After that you need to add the following line:
-----
-apt install ifupdown2
-----
-
-You need to add
----
source /etc/network/interfaces.d/*
----
-at the end of /etc/network/interfaces to have the sdn config included
+at the end of the `/etc/network/interfaces` configuration file, so that the SDN
+config gets included and activated.
Basic Overview
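Review bot: the new sentence `+the `libpve-network-perl` and `ifupdown2` package on every node:` drops the rationale that the removed paragraph carried (`ifupdown2` is what lets the node reload its local network configuration without a reboot); keep it, e.g. "the `libpve-network-perl` and `ifupdown2` packages on every node (`ifupdown2` is needed to reload the local configuration without rebooting):". Also "package" should be plural here, and it is worth stating that the `source /etc/network/interfaces.d/*` line must be present on every node, not just one, since the same wording ("on every node") is used for the package installation just above.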
gateway from evpn network through real network. The configured nodes will
announce a default route in the EVPN network.
+Advertise Subnets:: Optional. If you have silent vms/CT (for example, multiples
+ ips by interfaces, and the anycast gateway don't see traffic from theses ips,
+ the ips addresses won't be able to be reach inside the evpn network). This
+ option will announce the full subnet in the evpn network in this case.
+
+Exit Nodes local routing:: Optional. This is a special option if you need to
+ reach a vm/ct service from an exit node. (By default, the exit nodes only
+ allow forwarding traffic between real network and evpn network).
+
MTU:: because VXLAN encapsulation use 50 bytes, the MTU needs to be 50 bytes
lower than the maximal MTU of the outgoing physical interface.
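Review bot: the `Advertise Subnets::` description is hard to follow as written ("multiples ips by interfaces", "theses ips", "won't be able to be reach"); suggest stating the effect first and the reason second, e.g. "Optional. Announce the whole subnet in the EVPN network instead of individual host routes. Use this when you have silent VMs/CTs (for example, guests with multiple IPs on one interface) whose addresses the anycast gateway never sees traffic from, as those addresses would otherwise be unreachable inside the EVPN network." For `Exit Nodes local routing::`, the text should make the consequence explicit: enabling it gives the exit node itself a route into the EVPN network, whereas by default it only forwards between the real network and the EVPN network, so readers can judge whether they want host services of the exit node exposed to the VM network.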
If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24
and 10.0.2.0/24 in this example), will be announced dynamically.
+
+
+Notes
+-----
+
+VXLAN IPSEC Encryption
+~~~~~~~~~~~~~~~~~~~~~~
+If you need to add encryption on top of VXLAN, it's possible to do so with
+IPSEC through `strongswan`. You'll need to reduce the 'MTU' by 60 bytes (IPv4)
+or 80 bytes (IPv6) to handle encryption.
+
+So with default real 1500 MTU, you need to use a MTU of 1370 (1370 + 80 (IPSEC)
++ 50 (VXLAN) == 1500).
+
+.Install strongswan
+----
+apt install strongswan
+----
+
+Add configuration in `/etc/ipsec.conf'. We only need to encrypt traffic from
+the VXLAN UDP port '4789'.
+
+----
+conn %default
+ ike=aes256-sha1-modp1024! # the fastest, but reasonably secure cipher on modern HW
+ esp=aes256-sha1!
+ leftfirewall=yes # this is necessary when using Proxmox VE firewall rules
+
+conn output
+ rightsubnet=%dynamic[udp/4789]
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
+
+conn input
+ leftsubnet=%dynamic[udp/4789]
+ type=transport
+ authby=psk
+ auto=route
+----
+
+Then generate a preshared key with
+
+----
+openssl rand -base64 128
+----
+
+and copy the key in `/etc/ipsec.secrets' so that the file content looks like:
+
+----
+: PSK <generatedbase64key>
+----
+
+You need to copy the PSK and the config on other nodes.
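Review bot: the IKE and ESP proposals `+ ike=aes256-sha1-modp1024!` and `+ esp=aes256-sha1!` use a 1024-bit DH group and SHA-1, which is not "reasonably secure" for new deployments; suggest `ike=aes256-sha256-modp2048!` (or an ECP group) and `esp=aes256gcm16!` or at least `esp=aes256-sha256!`, and drop the comment claiming the weak set is secure. Two further points in the same hunk: `openssl rand -base64 128` emits the 128 random bytes as line-wrapped base64 (three lines), which cannot be pasted as-is into `/etc/ipsec.secrets`; `openssl rand -base64 48` yields a single 64-character line, and the secret should be quoted in the file (`: PSK "<generatedbase64key>"`). Finally, the closing sentence `+You need to copy the PSK and the config on other nodes.` should say that `/etc/ipsec.secrets` must be readable by root only and the PSK transferred over a trusted channel, and the AsciiDoc quoting of `/etc/ipsec.conf'` and `/etc/ipsec.secrets'` mixes a backtick with an apostrophe; use matching backticks as in the rest of the file.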