IPsec Add-on for PCF
Page last updated:
This guide describes the IPsec Add-on for PCF, which secures data transmissions inside Pivotal Cloud Foundry (PCF). Topics covered in this guide include IPsec Add-on for PCF installation and configuration, troubleshooting, and certificate rotation.
Your organization might require IPsec if you transmit sensitive data.
Overview
The IPsec Add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec Add-on provides a strongSwan job in FIPS mode to each BOSH-deployed VM.
IPsec encrypts IP data flow between hosts, between security gateways, between service tiles, and between security gateways and hosts. The IPsec Add-on for PCF secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.
Product Snapshot
The following table provides version and version-support information about the IPsec Add-on for PCF.
| Element | Details |
|---|---|
| Version | v1.9.13 |
| Release date | November 19, 2018 |
| Compatible Ops Manager versions | 2.2, 2.3, 2.4, and 2.5 |
| Compatible Pivotal Application Service (PAS) versions | 2.2, 2.3, 2.4, and 2.5 |
| Compatible BOSH stemcells | Ubuntu Xenial and Trusty |
| IaaS support | vSphere, GCP, AWS, Azure, and Openstack |
IPsec Implementation Details
The IPsec Add-on for PCF implements the following cryptographic suite:
| Key Agreement (Diffie-Hellman) | IKEv2 Main Mode |
|---|---|
| Bulk Encryption | AES128GCM16 |
| Hashing | SHA2 256 |
| Integrity/Authentication Tag | 128 bit GHASH ICV |
| Digital Signing | RSA 3072/4096 |
| Peer Authentication Method | Public/Private Key |
Limitation
IPsec Add-on for PCF has the following limitations:
Due to an issue in Windows Server OS, apps hosted on PAS for Windows cannot route traffic when deployed with the IPsec Add-on for PCF. For more information on the issue, see hcsshim in GitHub.
IPsec is not supported on VMware NSX-T.
Pivotal recommends configuring IPsec to use a self-signed certificate to sign instance certificates. Pivotal does not recommend using a certificate signed by a public or third-party CA.