testing: Migrated ikev2 scenarios to swanctl
This commit is contained in:
parent
be1c7e3815
commit
030de21b7b
|
@ -1,4 +1,6 @@
|
|||
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
|
||||
The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
The authentication is based on X.509 certificates.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
|
||||
|
|
|
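Review bot: the rewritten description still attributes the iptables rules to `<b>leftfirewall=yes</b>`, but `leftfirewall` is an ipsec.conf keyword with no counterpart in swanctl.conf; if this scenario is among those migrated to swanctl, the wording should follow the new host-to-host description added later in this commit, which says "the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic". The same stale `leftfirewall=yes` sentence survives in the nat-rw and net2net description hunks that follow.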
@ -1,6 +1,7 @@
|
|||
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
|
||||
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
|
||||
Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
|
||||
Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
|
||||
<p/>
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
|
||||
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
|
||||
ping the client <b>bob</b> behind the gateway <b>sun</b>.
|
||||
|
|
|
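Review bot: the switch from "Both roadwarriors share the same Pre-Shared Key" to "Each roadwarrior shares its own Pre-Shared Key" is the security-relevant point of this scenario and deserves a clause saying why: with a group PSK any roadwarrior that knows it can impersonate the gateway towards the others, whereas per-peer PSKs bind each identity to its own secret. Independently of that, the `<b>leftfirewall=yes</b>` sentence kept on the replacement lines names an ipsec.conf keyword that does not exist in swanctl.conf.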
@ -1,5 +1,7 @@
|
|||
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
|
||||
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
|
||||
Authentication is based on X.509 certificates.
|
||||
<p/>
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
|
||||
the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
|
||||
ping the client <b>bob</b> behind the gateway <b>sun</b>.
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
|
||||
The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
|
||||
establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
|
||||
The authentication is based on <b>Preshared Keys</b> (PSK).
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
|
||||
pings client <b>bob</b> located behind gateway <b>sun</b>.
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
at the outset the gateway authenticates itself to the client by sending an
|
||||
IKEv2 <b>RSA signature</b> accompanied by a certificate.
|
||||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
|
||||
is used instead of a USIM/(R)UIM device.
|
||||
<p/>
|
||||
In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b>
|
||||
uses the EAP identity <b>carol</b>.
|
||||
|
|
|
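Review bot: the replacement line "This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>" is missing its verb and should read "This EAP method is used in UMTS"; the identical sentence appears in the rw-eap-aka-rsa hunk below. Generalising "RSA signature accompanied by a certificate" to "digital signature accompanied by an X.509 certificate" is right, since the gateway's IKEv2 signature authentication is not tied to RSA keys. Also, if the scenario now runs on swanctl, "a secret defined in <b>ipsec.secrets</b>" should point at the secrets section of swanctl.conf instead.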
@ -1,7 +1,8 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with the <i>Authentication and Key Agreement</i> protocol
|
||||
(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
|
||||
in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||
against <b>carol</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the <i>Authentication and Key Agreement</i> (<b>EAP-AKA</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
This EAP method used in UMTS, but here a secret defined in <b>ipsec.secrets</b>
|
||||
is used instead of a USIM/(R)UIM device.
|
|
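Review bot: "This EAP method used in UMTS" on the replacement line is missing "is" ("This EAP method is used in UMTS"), the same slip as in the rw-eap-aka-id hunk above.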
@ -1,7 +1,7 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with an <i>MD5</i> challenge and response protocol
|
||||
(<b>EAP-MD5</b>) to authenticate against the gateway. The user password
|
||||
is kept in <b>ipsec.secrets</b> on both gateway and client
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
|
||||
against <b>carol</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the <i>MD5</i> (<b>EAP-MD5</b>) method of the
|
||||
<i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
|
||||
|
|
|
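Review bot: the old sentence "The user password is kept in <b>ipsec.secrets</b> on both gateway and client" is removed without a replacement, so the description no longer says where the EAP-MD5 password lives, while the other EAP description hunks keep such a sentence; add one naming the secret location used by the migrated scenario (the secrets section of swanctl.conf for a swanctl-based test). It is also worth a clause that EAP-MD5 provides no server authentication and is only as strong as the password, which is why the certificate-based IKEv2 signature described in the preceding sentence remains the gateway's only authentication.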
@ -1,8 +1,10 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with the <i>Microsoft CHAP version 2</i> protocol
|
||||
(<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
|
||||
e.g. by the Windows 7 Agile VPN client.
|
||||
In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
|
||||
uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
|
||||
to authenticate itself against <b>carol</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the <i>Microsoft CHAP version 2</i> (<b>EAP-MSCHAPV2</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
|
||||
<p/>
|
||||
In addition to her IKEv2 identity which defaults to her IP address,
|
||||
roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>.
|
||||
|
|
|
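Review bot: the replacement fixes "EAP identy" to "EAP identity" and correctly drops the `PH_IP_CAROL` placeholder from the prose in favour of "her IKEv2 identity which defaults to her IP address"; a comma after "identity" would make that sentence read more easily. Nothing else to raise on this hunk.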
@ -1,13 +1,13 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>RSA signature</b> accompanied by a certificate.
|
||||
<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with a <i>GSM Subscriber Identity Module</i>
|
||||
(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
|
||||
are used instead of a physical SIM card on the client <b>carol</b> and
|
||||
the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
|
||||
instead of a physical SIM card.
|
||||
<p/>
|
||||
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
|
||||
which also uses static triplets. In addition to her IKEv2 identity
|
||||
<b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP
|
||||
identity <b>228060123456001</b>.
|
||||
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
The gateway <b>moon</b> does not send an AUTH payload thus signalling
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
At the outset the gateway does not send an AUTH payload thus signalling
|
||||
a mutual <b>EAP-only</b> authentication.
|
||||
<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with a <i>GSM Subscriber Identity Module</i>
|
||||
(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
|
||||
In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
|
||||
are used instead of a physical SIM card on the client <b>carol</b>.
|
||||
<p/>
|
||||
Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
|
||||
instead of a physical SIM card.
|
||||
<p/>
|
||||
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
|
||||
which also uses a static triplets file.
|
||||
<p>
|
||||
which also uses static triplets.
|
||||
<p/>
|
||||
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
|
||||
the radius server <b>alice</b> returns an <b>Access-Reject</b> message
|
||||
and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
|
||||
the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
|
||||
and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
|
||||
|
|
|
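Review bot: "At the outset the gateway does not send an AUTH payload thus signalling a mutual <b>EAP-only</b> authentication" would benefit from one more clause: with no AUTH payload from the gateway, gateway authentication rests entirely on the key material derived by the EAP method, so this scenario only works with a key-generating, mutually authenticating method such as EAP-SIM and not with a method like the EAP-MD5 used elsewhere in this commit. Minor: the negative case for <b>dave</b> ("sends wrong EAP-SIM triplets ... <b>Access-Reject</b> ... <b>EAP_FAILURE</b>") is the point of the scenario and could be announced in the first paragraph rather than only at the end.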
@ -1,14 +1,15 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>RSA signature</b> accompanied by a certificate.
|
||||
<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with a <i>GSM Subscriber Identity Module</i>
|
||||
(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
|
||||
In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
|
||||
are used instead of a physical SIM card on the client <b>carol</b>.
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
At the outset the gateway authenticates itself to the clients by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next the clients use the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate themselves.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
|
||||
instead of a physical SIM card.
|
||||
<p/>
|
||||
The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
|
||||
which also uses a static triplets file.
|
||||
<p>
|
||||
which also uses static triplets.
|
||||
<p/>
|
||||
The roadwarrior <b>dave</b> sends wrong EAP-SIM triplets. As a consequence
|
||||
the radius server <b>alice</b> returns an <b>Access-Reject</b> message
|
||||
and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>.
|
||||
the RADIUS server <b>alice</b> returns an <b>Access-Reject</b> message
|
||||
and the gateway <b>moon</b> sends back <b>EAP_FAILURE</b>.
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
to authenticate against the gateway. In this scenario triplets from the file
|
||||
<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
|
||||
Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
|
||||
itself against <b>carol</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate.
|
||||
<p/>
|
||||
Next <b>carol</b> uses the GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
|
||||
method of the <i>Extensible Authentication Protocol</i> to authenticate herself.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b> are used
|
||||
instead of a physical SIM card.
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
|
||||
rightauth=any
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightsendcert=never
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -1,11 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
|
||||
multiple_authentication=no
|
||||
syslog {
|
||||
daemon {
|
||||
tls = 2
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
|
||||
rightauth=any
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightsendcert=never
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "UgaM65Va"
|
|
@ -1,11 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
|
||||
multiple_authentication=no
|
||||
syslog {
|
||||
daemon {
|
||||
tls = 2
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.pem
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,6 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
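Review bot: moon's entry `dave@strongswan.org : EAP "W7R0g3do"` does not match the password in dave's own ipsec.secrets hunk above (`dave@strongswan.org : EAP "UgaM65Va"`), while carol's entries agree (`"Ar3etTnp"` on both sides). If that mismatch was the intended negative case for this scenario (dave's EAP authentication failing), the swanctl replacement has to reproduce it deliberately; if it was an oversight, the migration is the moment to drop it. Either way the commit message should say which.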
@ -1,18 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
|
||||
multiple_authentication=no
|
||||
|
||||
syslog {
|
||||
daemon {
|
||||
tls = 2
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
phase2_piggyback = yes
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::expect-connection rw-eap
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
|
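Review bot: this hunk, together with the ipsec.conf, ipsec.secrets and strongswan.conf hunks above it, deletes the complete rw-eap-ttls scenario (carol, dave and moon, with `eap-ttls { phase2_method = md5 ... phase2_piggyback = yes }` and `multiple_authentication=no`), yet no swanctl.conf, pretest.dat or evaltest.dat for a replacement appears in this diff. Confirm that the scenario was recreated under the swanctl tree, or state in the commit message that it is intentionally dropped, so the EAP-TTLS phase-2 piggyback coverage does not silently disappear.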
@ -1,7 +1,7 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
|
||||
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
|
||||
|
|
|
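Review bot: the new expectations add `local-vips`/`remote-vips` to the SA checks and verify the pool leases for both peers, but the daemon.log check only covers carol (`assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org`); add the corresponding line for dave and 10.3.0.2 so both assignments are verified the same way. The leases check binding `address=10.3.0.1 identity=carol@strongswan.org status=online` is the right assertion, since it catches a pool handing the same address to two identities.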
@ -0,0 +1,6 @@
|
|||
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
|
||||
The authentication is based on X.509 certificates.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
|
|
@ -0,0 +1,6 @@
|
|||
|
||||
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
|
||||
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
|
||||
sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
connections {
|
||||
|
||||
host-host {
|
||||
local_addrs = 192.168.0.1
|
||||
remote_addrs = 192.168.0.2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
host-host {
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
connections {
|
||||
|
||||
host-host {
|
||||
local_addrs = 192.168.0.2
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
host-host {
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --terminate --ike host-host 2> /dev/null
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
sun::systemctl stop strongswan-swanctl
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,7 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan-swanctl
|
||||
sun::systemctl start strongswan-swanctl
|
||||
moon::expect-connection host-host
|
||||
sun::expect-connection host-hhost
|
||||
moon::swanctl --initiate --child host-host 2> /dev/null
|
|
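Review bot: `sun::expect-connection host-hhost` has a typo; the connection in sun's swanctl.conf is named `host-host`, so this pretest step waits for a connection that is never loaded and the test will time out or race the initiate. The same typo is repeated in the transport-mode pretest.dat later in this commit.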
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="moon winnetou sun"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-w-s.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -0,0 +1,6 @@
|
|||
An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b>
|
||||
is successfully set up. The authentication is based on X.509 certificates.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec connection, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the protected traffic.
|
||||
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
|
|
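Review bot: the closing sentence "In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>" is copied from the tunnel-mode description, but this scenario sets `mode = transport`, where no tunnel exists; say "host-to-host connection" to match the first sentence. The earlier switch from "tunneled traffic" to "protected traffic" is correct for the same reason.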
@ -0,0 +1,6 @@
|
|||
|
||||
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
|
||||
moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
|
||||
sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
connections {
|
||||
|
||||
host-host {
|
||||
local_addrs = 192.168.0.1
|
||||
remote_addrs = 192.168.0.2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
host-host {
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
mode = transport
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
connections {
|
||||
|
||||
host-host {
|
||||
local_addrs = 192.168.0.2
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
host-host {
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
mode = transport
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --terminate --ike host-host 2> /dev/null
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
sun::systemctl stop strongswan-swanctl
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,7 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan-swanctl
|
||||
sun::systemctl start strongswan-swanctl
|
||||
moon::expect-connection host-host
|
||||
sun::expect-connection host-hhost
|
||||
moon::swanctl --initiate --child host-host 2> /dev/null
|
|
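Review bot: `sun::expect-connection host-hhost` should be `host-host`, the connection name in sun's swanctl.conf; as written the pretest waits for a connection that never appears.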
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="moon winnetou sun"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-w-s.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -1,7 +1,7 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
|
||||
moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
|
||||
|
|
|
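Review bot: the replacement `--list-sas` lines put `local-vips=\[10.3.0.1]` / `remote-vips=\[10.3.0.1]` between `dh-group=CURVE_25519` and `child-sas`, which pins the assigned address to the IKE_SA rather than only inferring it from `local-ts`, and that is the right place for it. Two style points: `dave:: swanctl` and `moon:: swanctl` carry a space after the `::` separator while `carol::swanctl` does not; the parser tolerates it but one form should be used throughout, and the unchanged `ipsec pool --status` line at the end is the legacy frontend, which is still correct here because this scenario's `big_pool` is a database pool rather than a swanctl in-memory pool, so a short comment saying why it is kept would save the next migrator a question.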
@ -1,7 +1,7 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
|
||||
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
|
||||
moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
|
||||
|
|
|
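Review bot: the two `swanctl --list-pools --raw --leases` assertions are not scoped to a pool, so `address=10.3.0.1 identity=carol@strongswan.org status=online` would also match a lease from any other loaded pool; add `--name rw_pool` as the ip-two-pools evaltest in this same commit does (`--name pool1 --leases`) so the check is unambiguous. The `rw_pool.*base=10.3.0.0 size=14 online=2 offline=0` line is good: `size=14` pins the /28 and `offline=0` catches a stale lease left by a previous run. Same spacing nit as before: `dave:: swanctl` versus `carol::swanctl`.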
@ -0,0 +1,14 @@
|
|||
The hosts <b>alice</b>, <b>venus</b>, <b>carol</b>, and <b>dave</b> set up tunnel connections
|
||||
to gateway <b>moon</b> in a <b>hub-and-spoke</b> fashion. Each host requests a <b>virtual IP</b>
|
||||
from gateway <b>moon</b> which assigns virtual IP addresses from a pool named <b>extpool</b>
|
||||
[10.3.0.1..10.3.1.244] to hosts connecting to the <b>eth0</b> (PH_IP_MOON) interface and virtual
|
||||
IP addresses from a pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to
|
||||
the <b>eth1</b> (PH_IP_MOON1) interface.
|
||||
Thus <b>carol</b> and <b>dave</b> are assigned <b>PH_IP_CAROL1</b> and <b>PH_IP_DAVE1</b>,
|
||||
respectively, whereas <b>alice</b> and <b>venus</b> get <b>10.4.0.1</b> and <b>10.4.0.2</b>,
|
||||
respectively.
|
||||
<p>
|
||||
By defining the composite traffic selector <b>10.3.0.0/16,10.4.0.0/16</b>, each of the four
|
||||
spokes can securely reach any other spoke via the central hub <b>moon</b>. This is
|
||||
demonstrated by <b>alice</b> and <b>dave</b> pinging the assigned virtual IP addresses
|
||||
of <b>carol</b> and <b>venus</b>.
|
|
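Review bot: the description leaves out the per-pool DNS attributes that this scenario exercises: pretest installs them with `ipsec pool --addattr dns` (PH_IP_WINNETOU for `extpool`, PH_IP_ALICE and PH_IP_VENUS bound to the identities `alice@strongswan.org` and `venus.strongswan.org` in `intpool`) and evaltest asserts `installing DNS server ... to /etc/resolv.conf` on all four spokes. One sentence on that, plus a mention that `extpool` leases expire after 48 hours (`--timeout 48`, checked as `48h`) while `intpool` leases are static (`--timeout 0`), would tell the reader why the `resolve` plugin is loaded on the spokes and why the two pools are configured differently.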
@ -0,0 +1,35 @@
|
|||
moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
|
||||
moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
|
||||
moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
|
||||
moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
|
||||
moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
|
||||
moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
|
||||
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
|
||||
dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
|
||||
alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
|
||||
venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
|
||||
carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
|
||||
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
|
||||
alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
|
||||
venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
|
||||
alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
|
||||
dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
|
||||
alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
|
||||
dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
|
||||
dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
|
||||
alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
|
||||
venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
|
||||
dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
|
||||
venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
|
||||
|
|
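Review bot: the `moon:: swanctl --list-sas --ike-id 1` to `--ike-id 4` assertions bind carol, dave, alice and venus to IKE_SA ids 1 to 4, which only holds because pretest initiates the four `home` children sequentially in exactly that order; `--ike-id` is needed here because an unscoped `--list-sas --raw` would let the `.*` patterns match across two SAs, so keep it, but add a comment at the top of the file naming the dependency on the pretest order so a reordering of the initiations is not mistaken for a pool or traffic-selector regression. Minor: the host prefixes mix `carol::swanctl` with `alice:: swanctl` and `venus:: swanctl`; use one spacing.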
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 10.1.0.10
|
||||
remote_addrs = 10.1.0.1
|
||||
vips = 0.0.0.0
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = aliceCert.pem
|
||||
id = alice@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
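Review bot: `remote_ts = 10.3.0.0/16,10.4.0.0/16` deserves a comment, since 10.4.0.0/16 is the range alice's own virtual IP comes from: together with `vips = 0.0.0.0` and the default `local_ts`, the child narrows its local selector to the assigned /32 (evaltest checks `local-ts=\[10.4.0.1/32]`) while the remote selector covers both pools, and that is what lets alice reach venus and the two external spokes through moon rather than only the gateway. The `remote { auth = pubkey  id = moon.strongswan.org }` block is correct and worth keeping as written: pinning the gateway identity means a certificate from the same CA issued to some other host cannot be used to impersonate moon.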
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
vips = 0.0.0.0
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
vips = 0.0.0.0
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
-A INPUT -i eth1 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
||||
*nat
|
||||
|
||||
# masquerade crl fetches to winnetou
|
||||
-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
|
||||
|
||||
COMMIT
|
|
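Review bot: the IKE rules match on both ends of the port pair (`--sport 500 --dport 500`, `--sport 4500 --dport 4500`), so a peer whose NAT rewrote the source port would be dropped; that is fine for this topology, which has no NAT on either interface, but a comment would stop the file being copied into a NAT scenario unchanged. Note also that with `-P FORWARD DROP` the spoke-to-spoke traffic this scenario demonstrates only passes because `updown = /usr/local/libexec/ipsec/_updown iptables` on the gateway's children inserts the per-SA FORWARD rules between eth0 and eth1; nothing in this file allows it. The CRL fetch and ssh rules accept inbound packets by source port alone with no connection tracking, which is acceptable on the isolated test network but should not be read as a template.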
@ -0,0 +1,20 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
|
||||
|
||||
plugins {
|
||||
attr-sql {
|
||||
database = sqlite:///etc/db.d/ipsec.db
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pool {
|
||||
load = sqlite
|
||||
database = sqlite:///etc/db.d/ipsec.db
|
||||
}
|
|
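Review bot: the `attr-sql` plugin and the `pool` tool section both point at `sqlite:///etc/db.d/ipsec.db`, and they must: the pools, leases and per-identity attributes that pretest creates with `ipsec pool` are read from that file by `attr-sql` when a peer requests a configuration payload, which is also why this scenario's evaltest keeps `ipsec pool --status` and `ipsec pool --leases` while the in-memory ip-two-pools scenario uses `swanctl --list-pools`. A one-line comment above `database =` stating that the two paths have to agree would make that explicit. Since the leases in the file record which identity holds which address, the file's permissions should be restricted to the user charon runs as; the test does not check this, and it is worth a note in the description.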
@ -0,0 +1,48 @@
|
|||
connections {
|
||||
|
||||
ext {
|
||||
local_addrs = 192.168.0.1
|
||||
pools = extpool
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
ext {
|
||||
local_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
|
||||
int {
|
||||
local_addrs = 10.1.0.1
|
||||
pools = intpool
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
int {
|
||||
local_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
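Review bot: `remote { auth = pubkey }` in both `ext` and `int` carries no `id` or `cacerts` constraint, so any peer with a certificate chaining to a loaded CA is accepted, and which pool it is served from (`extpool` or `intpool`) is decided purely by the `local_addrs` it connected to, not by who it is. That is the intended roadwarrior behaviour for the scenario, but it should be stated in a comment, as should the fact that both children carry the identical `local_ts = 10.3.0.0/16,10.4.0.0/16`: that is what turns moon into a forwarder between every spoke on either interface, so a deployment that wanted the internal pool reachable only from inside would have to narrow `local_ts` of `ext`.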
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 10.1.0.20
|
||||
remote_addrs = 10.1.0.1
|
||||
vips = 0.0.0.0
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = venusCert.pem
|
||||
id = venus.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.3.0.0/16,10.4.0.0/16
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
carol::systemctl stop strongswan-swanctl
|
||||
dave::systemctl stop strongswan-swanctl
|
||||
alice::systemctl stop strongswan-swanctl
|
||||
venus::systemctl stop strongswan-swanctl
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
alice::iptables-restore < /etc/iptables.flush
|
||||
venus::iptables-restore < /etc/iptables.flush
|
||||
moon::ip route del 10.3.0.0/16 via PH_IP_MOON
|
||||
moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
|
||||
moon::ipsec pool --del extpool 2> /dev/null
|
||||
moon::ipsec pool --del intpool 2> /dev/null
|
||||
moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
|
||||
moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
|
||||
moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
|
||||
|
|
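Review bot: the teardown order looks inverted: `ipsec pool --del extpool` and `--del intpool` run before the three `ipsec pool --delattr ... --pool intpool` / `--pool extpool` calls that reference those pools by name, whereas pretest adds the pools first and then the attributes. Run the `--delattr` lines first and the `--del` lines last; as written, with stderr sent to `/dev/null`, a failing `--delattr` would leave attribute rows behind silently.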
@ -0,0 +1,30 @@
|
|||
moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
|
||||
moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
|
||||
moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
|
||||
moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
|
||||
moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
|
||||
moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
|
||||
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
|
||||
moon::ipsec pool --statusattr 2> /dev/null
|
||||
moon::ip route add 10.3.0.0/16 via PH_IP_MOON
|
||||
moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
|
||||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
alice::iptables-restore < /etc/iptables.rules
|
||||
venus::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan-swanctl
|
||||
carol::systemctl start strongswan-swanctl
|
||||
dave::systemctl start strongswan-swanctl
|
||||
alice::systemctl start strongswan-swanctl
|
||||
venus::systemctl start strongswan-swanctl
|
||||
moon::expect-connection int
|
||||
moon::expect-connection ext
|
||||
carol::expect-connection home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
alice::expect-connection home
|
||||
alice::swanctl --initiate --child home 2> /dev/null
|
||||
venus::expect-connection home
|
||||
venus::swanctl --initiate --child home 2> /dev/null
|
|
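Review bot: the initiation order at the end of the file (carol, dave, alice, venus) is load-bearing, because evaltest identifies moon's SAs by `--ike-id 1` through `--ike-id 4` in that same order; a comment here saying so would prevent a well-meant reordering from breaking the checks. Two smaller points: `cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db` can be `sqlite3 /etc/db.d/ipsec.db < /etc/db.d/ipsec.sql`, or the template can be fed in directly without the intermediate copy, and `--timeout 48` is in hours (evaltest expects `48h`), which is worth stating next to the `--timeout 0` that makes `intpool` static.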
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="alice venus carol dave"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="alice venus moon carol dave"
|
||||
|
||||
# Guest instances on which databases are used
|
||||
#
|
||||
DBHOSTS="moon"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
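Review bot: `VIRTHOSTS="alice moon carol winnetou dave"` omits venus, yet venus appears in `TCPDUMPHOSTS` and `IPSECHOSTS`, in the diagram name `a-v-m-c-w-d.png`, and throughout this scenario's pretest, posttest and evaltest. Add venus to `VIRTHOSTS` so its configuration is installed and its log is collected like the other guests.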
@ -0,0 +1,9 @@
|
|||
The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
|
||||
Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
|
||||
Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
|
||||
<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
|
||||
virtual IP addresses from <b>pool2</b> with an address range of <b>10.4.0.0/28</b> to hosts
|
||||
connecting to the <b>eth1</b> (10.1.0.1) interface.
|
||||
<p>
|
||||
Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
|
||||
both ping the gateway <b>moon</b>.
|
|
@ -0,0 +1,18 @@
|
|||
moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
|
||||
moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES
|
||||
moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
|
||||
moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES
|
||||
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
|
||||
alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
|
||||
carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
|
||||
alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
|
||||
alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
|
||||
carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 10.1.0.10
|
||||
remote_addrs = 10.1.0.1
|
||||
vips = 0.0.0.0
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = aliceCert.pem
|
||||
id = alice@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,26 @@
connections {

home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
vips = 0.0.0.0

local {
auth = pubkey
certs = carolCert.pem
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}
@ -0,0 +1,43 @@
*filter

# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# allow esp
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
-A INPUT -i eth1 -p 50 -j ACCEPT
-A OUTPUT -o eth1 -p 50 -j ACCEPT

# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT

# allow MobIKE
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT

# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT

# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT

COMMIT

*nat

# masquerade crl fetches to winnetou
-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE

COMMIT
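Review bot: the `# allow MobIKE` comment above the UDP 4500 rules is misleading; 4500 is the IKE NAT-traversal port that MOBIKE-capable peers switch to after IKE_AUTH, which is why the evaltest sees port 4500 even without a NAT, so `# allow IKE on port 4500 (NAT-T / MOBIKE)` describes the rules more accurately. The ESP and IKE rules are duplicated for eth0 and eth1 because carol and alice terminate on different moon interfaces; a short comment saying so would help the reader.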
@ -0,0 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file

swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
@ -0,0 +1,55 @@
connections {

rw1 {
local_addrs = 192.168.0.1
pools = pool1

local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = pubkey
}
children {
rw1 {
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}

rw2 {
local_addrs = 10.1.0.1
pools = pool2

local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = pubkey
}
children {
rw2 {
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}

pools {
pool1 {
addrs = 10.3.0.0/28
}
pool2 {
addrs = 10.4.0.0/28
}
}
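Review bot: neither `remote { auth = pubkey }` block carries an `id`, so any peer holding a certificate from a trusted CA is accepted on both rw1 and rw2, and the two roadwarriors are kept apart only by the address they connect to (`local_addrs = 192.168.0.1` versus `10.1.0.1`), which is also what selects pool1 or pool2. That is fine for the test, but a comment stating it would stop the next reader from assuming an `id` constraint was forgotten.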
@ -0,0 +1,8 @@
carol::swanctl --terminate --ike home
alice::swanctl --terminate --ike home
carol::systemctl stop strongswan-swanctl
alice::systemctl stop strongswan-swanctl
moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
alice::iptables-restore < /etc/iptables.flush
@ -0,0 +1,11 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
alice::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan-swanctl
carol::systemctl start strongswan-swanctl
alice::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
alice::expect-connection home
alice::swanctl --initiate --child home 2> /dev/null
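Review bot: `moon::expect-connection rw` names a connection that moon's swanctl.conf does not define; the connections there are `rw1` and `rw2`, so unless expect-connection matches by prefix this line waits for a connection that is never loaded. Use `moon::expect-connection rw1` and `moon::expect-connection rw2` instead.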
@ -0,0 +1,25 @@
#!/bin/bash
#
# This configuration file provides information on the
# guest instances used for this test

# All guest instances that are required for this test
#
VIRTHOSTS="alice moon carol winnetou dave"

# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="carol alice"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol alice"

# charon controlled by swanctl
#
SWANCTL=1
@ -0,0 +1,8 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway <b>sun</b>.
<p/>
Upon the successful establishment of the IPsec tunnels, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
@ -0,0 +1,14 @@
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
moon:: sleep 6::no output expected::NO
bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
alice::cat /var/log/daemon.log::sending keep alive::YES
venus::cat /var/log/daemon.log::sending keep alive::YES
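Review bot: the `sun:: swanctl --list-sas --raw --ike-id 2` line ends in `:YES` instead of `::YES`; evaltest.dat fields are separated by `::`, so the expected-result field is lost and `:YES` becomes part of the match pattern, which the swanctl output never contains. Change the tail to `remote-ts=\[10.1.0.20/32]::YES`.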
@ -0,0 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown

keep_alive = 5
}
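Review bot: the plugin list and `keep_alive` sit under `charon {` while the other migrated scenarios use `charon-systemd {` together with a `swanctl { load = ... }` section; charon-systemd reads the `charon` section as a fallback, so the daemon started by `systemctl start strongswan-swanctl` still picks these up, but the differing section name is easy to overlook when comparing scenarios. Consider `charon-systemd {` here as well, plus a comment that `keep_alive = 5` shortens the NAT keepalive interval so the evaltest sees `sending keep alive` within its `sleep 6`.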
@ -0,0 +1,33 @@
connections {

nat-t {
local_addrs = 10.1.0.10
remote_addrs = 192.168.0.2

local {
auth = psk
id = 10.1.0.10
}
remote {
auth = psk
id = 192.168.0.2
}
children {
nat-t {
remote_ts = 10.2.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}

secrets {
ike-sun {
id = 192.168.0.2
secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
}
}
@ -0,0 +1,24 @@
*filter

# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# allow IKE
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT

# allow MobIKE
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT

# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT

# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT

COMMIT
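Review bot: this ruleset opens only UDP 500 and 4500 and has no rule for ESP (protocol 50), unlike the gateway rules earlier in this diff; that is correct here, because alice sits behind the NAT router and all ESP is UDP-encapsulated on port 4500 (evaltest.dat checks for `UDP-encap: ESP`), but a one-line comment would keep the omission from being read as a mistake.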
@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
@ -0,0 +1,36 @@
connections {

nat-t {
local_addrs = 192.168.0.2

local {
auth = psk
id = 192.168.0.2
}
remote {
auth = psk
}
children {
nat-t {
local_ts = 10.2.0.0/16
remote_ts = 10.1.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}

secrets {
ike-alice {
id = 10.1.0.10
secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
}
ike-venus {
id = 10.1.0.20
secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
}
}
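Review bot: `remote { auth = psk }` carries no `id`, so which roadwarrior is talking is decided purely by the secret that matches the identity the peer asserts, `ike-alice` for `10.1.0.10` and `ike-venus` for `10.1.0.20`, and any other identity finds no secret and fails IKE_AUTH. That is sound but deserves a comment, as does `remote_ts = 10.1.0.0/16`: it covers both roadwarriors, and each CHILD_SA is narrowed to the initiator's /32 during negotiation, which the evaltest `remote-ts=\[10.1.0.10/32]` checks rely on.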
@ -0,0 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown

keep_alive = 5
}
@ -0,0 +1,34 @@
connections {

nat-t {
local_addrs = 10.1.0.20
remote_addrs = 192.168.0.2

local {
auth = psk
id = 10.1.0.20
}
remote {
auth = psk
id = 192.168.0.2
}
children {
nat-t {
remote_ts = 10.2.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}

secrets {
ike-sun {
id = 192.168.0.2
secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
}
}

@ -0,0 +1,7 @@
sun::systemctl stop strongswan-swanctl
alice::systemctl stop strongswan-swanctl
venus::systemctl stop strongswan-swanctl
alice::iptables-restore < /etc/iptables.flush
venus::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
@ -0,0 +1,16 @@
alice::iptables-restore < /etc/iptables.rules
venus::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::systemctl start strongswan-swanctl
alice::systemctl start strongswan-swanctl
venus::systemctl start strongswan-swanctl
sun::expect-connection nat-t
alice::expect-connection nat-t
alice::swanctl --initiate --child nat-t
venus::expect-connection nat-t
venus::swanctl --initiate --child nat-t
@ -0,0 +1,25 @@
#!/bin/bash
#
# This configuration file provides information on the
# guest instances used for this test

# All guest instances that are required for this test
#
VIRTHOSTS="alice venus moon winnetou sun bob"

# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"

# charon controlled by swanctl
#
SWANCTL=1
@ -0,0 +1,8 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
Authentication is based on X.509 certificates.
<p/>
Upon the successful establishment of the IPsec tunnels, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping the client <b>bob</b> behind the gateway <b>sun</b>.
@ -0,0 +1,14 @@
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
moon:: sleep 6::no output expected::NO
bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
alice::cat /var/log/daemon.log::sending keep alive::YES
venus::cat /var/log/daemon.log::sending keep alive::YES
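Review bot: the `sun:: swanctl --list-sas --raw --ike-id 2` line ends in `remote-ts=\[10.1.0.20/32]:YES` with a single colon, so the `::`-separated expected-result field is missing and `:YES` is treated as part of the pattern, which never matches the swanctl output; it should end in `::YES` (the PSK variant's evaltest.dat has the same slip).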
@ -0,0 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown

keep_alive = 5
}
@ -0,0 +1,27 @@
connections {

nat-t {
local_addrs = 10.1.0.10
remote_addrs = 192.168.0.2

local {
auth = pubkey
certs = aliceCert.pem
id = alice@strongswan.org
}
remote {
auth = pubkey
id = sun.strongswan.org
}
children {
nat-t {
remote_ts = 10.2.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}
@ -0,0 +1,24 @@
*filter

# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# allow IKE
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT

# allow MobIKE
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT

# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT

# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT

COMMIT
@ -0,0 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
@ -0,0 +1,26 @@
connections {

nat-t {
local_addrs = 192.168.0.2

local {
auth = pubkey
certs = sunCert.pem
id = sun.strongswan.org
}
remote {
auth = pubkey
}
children {
nat-t {
local_ts = 10.2.0.0/16
remote_ts = 10.1.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}
@ -0,0 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file

charon {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown

keep_alive = 5
}
@ -0,0 +1,27 @@
connections {

nat-t {
local_addrs = 10.1.0.20
remote_addrs = 192.168.0.2

local {
auth = pubkey
certs = venusCert.pem
id = venus.strongswan.org
}
remote {
auth = pubkey
id = sun.strongswan.org
}
children {
nat-t {
remote_ts = 10.2.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-x25519
}
}
@ -0,0 +1,7 @@
sun::systemctl stop strongswan-swanctl
alice::systemctl stop strongswan-swanctl
venus::systemctl stop strongswan-swanctl
alice::iptables-restore < /etc/iptables.flush
venus::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
@ -0,0 +1,13 @@
alice::iptables-restore < /etc/iptables.rules
venus::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::systemctl start strongswan-swanctl
alice::systemctl start strongswan-swanctl
venus::systemctl start strongswan-swanctl
sun::expect-connection nat-t
alice::expect-connection nat-t
alice::swanctl --initiate --child nat-t
venus::expect-connection nat-t
venus::swanctl --initiate --child nat-t
@ -0,0 +1,25 @@
#!/bin/bash
#
# This configuration file provides information on the
# guest instances used for this test

# All guest instances that are required for this test
#
VIRTHOSTS="alice venus moon winnetou sun bob"

# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"

# charon controlled by swanctl
#
SWANCTL=1
@ -0,0 +1,7 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>Preshared Keys</b> (PSK).
<p/>
Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
@ -0,0 +1,5 @@
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
@ -0,0 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file

swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
@ -0,0 +1,55 @@
connections {

gw-gw {
local_addrs = 192.168.0.1
remote_addrs = 192.168.0.2

local {
auth = psk
id = moon.strongswan.org
}
remote {
auth = psk
id = sun.strongswan.org
}
children {
net-net {
local_ts = 10.1.0.0/16
remote_ts = 10.2.0.0/16

updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 500000000
rekey_packets = 1000000
esp_proposals = aes128gcm128-x25519
}
}
version = 2
mobike = no
reauth_time = 10800
proposals = aes128-sha256-x25519
}
}

secrets {
ike-1 {
id-1 = moon.strongswan.org
secret = 0x45a30759df97dc26a15b88ff
}
ike-2 {
id-2 = sun.strongswan.org
secret = "This is a strong password"
}
ike-3 {
id-3a = moon.strongswan.org
id-3b =sun.strongswan.org
secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
}
ike-4 {
secret = 'My "home" is my "castle"!'
}
ike-5 {
id-5 = 192.168.0.1
secret = "Andi's home"
}
}
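Review bot: the secrets section deliberately mixes PSK formats (`0x`-prefixed hex, `0s`-prefixed base64, double- and single-quoted strings, and an entry without any id) but nothing says so; a comment would help, noting that `ike-3`, the only entry naming both `moon.strongswan.org` and `sun.strongswan.org`, is the one selected for this IKE_SA because strongSwan prefers the secret matching the most identities, and that the id-less `ike-4` acts as a wildcard for any peer. Also `id-3b =sun.strongswan.org` is missing the space after `=`.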
@ -0,0 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file

swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
Some files were not shown because too many files have changed in this diff.