Added ikev2/rw-eap-framed-ip-radius scenario
This commit is contained in:
Andreas Steffen
parent
4a3c1cdc2b
commit
0b6c43f038
|
|
@ -0,0 +1,9 @@
|
|||
The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
|
||||
<b>moon</b>. At the outset the gateway authenticates itself to the client by
|
||||
sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
|
||||
<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
|
||||
against the gateway <b>moon</b>.
|
||||
<p/>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is
|
||||
assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b>
|
||||
RADIUS attribute.
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
|
||||
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
|
||||
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
|
||||
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
|
||||
moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
|
||||
moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
|
||||
moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
|
||||
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
|
||||
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
|
||||
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
|
||||
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
|
||||
moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
|
||||
moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
|
||||
dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
|
||||
moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
|
||||
dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
eap {
|
||||
default_eap_type = md5
|
||||
md5 {
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
realm LOCAL {
|
||||
type = radius
|
||||
authhost = LOCAL
|
||||
accthost = LOCAL
|
||||
}
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
authorize {
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
files
|
||||
}
|
||||
|
||||
authenticate {
|
||||
eap
|
||||
}
|
||||
|
||||
preacct {
|
||||
preprocess
|
||||
acct_unique
|
||||
suffix
|
||||
files
|
||||
}
|
||||
|
||||
accounting {
|
||||
detail
|
||||
unix
|
||||
radutmp
|
||||
attr_filter.accounting_response
|
||||
}
|
||||
|
||||
session {
|
||||
radutmp
|
||||
}
|
||||
|
||||
post-auth {
|
||||
exec
|
||||
Post-Auth-Type REJECT {
|
||||
attr_filter.access_reject
|
||||
}
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
carol Cleartext-Password := "Ar3etTnp"
|
||||
Framed-IP-Address = 10.3.0.1
|
||||
dave Cleartext-Password := "W7R0g3do"
|
||||
Framed-IP-Address = 10.3.0.2
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=%any
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
leftsourceip=%config
|
||||
eap_identity=carol
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=pubkey
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol : EAP "Ar3etTnp"
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=%any
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
leftsourceip=%config
|
||||
eap_identity=dave
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=pubkey
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave : EAP "W7R0g3do"
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
|
||||
}
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftid=@moon.strongswan.org
|
||||
leftcert=moonCert.pem
|
||||
leftauth=pubkey
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
rightsendcert=never
|
||||
rightauth=eap-radius
|
||||
rightsourceip=%radius
|
||||
eap_identity=%any
|
||||
right=%any
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow RADIUS protocol with alice
|
||||
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
||||
|
||||
COMMIT
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
|
||||
plugins {
|
||||
eap-radius {
|
||||
class_group = yes
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
alice::killall radiusd
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
alice::radiusd
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 1
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
||||
dave::sleep 1
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou moon"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS="alice"
|
||||
|
||||
Loading…
Reference in New Issue