testing: Added ha/active-passive scenario
parent
eb423ebb54
commit
1047d44b57
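--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section01
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to the virtual gateway <b>mars</b> implemented by the two real gateways
+<b>alice</b> and <b>moon</b> in a <b>High Availability</b> (HA) setup
+based on <b>ClusterIP</b>. The HA synchronisation link between the two
+gatways is secured by an IPsec transport connection. At the outset
+<b>alice</b> is the active and <b>moon</b> is the passive gateway.
+After <b>alice</b> gets killed <b>moon</b> automatically takes over
+all existing IKE_SAs and CHILD_SAs.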
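--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section02
@@ -0,0 +1,32 @@
+alice::cat /var/log/daemon.log::HA segment 1 was not handled, taking::YES
+moon:: cat /var/log/daemon.log::remote node takes segment 1::YES
+alice::ipsec status 2> /dev/null::ha.*ESTABLISHED.*10.1.0.10.*10.1.0.1::YES
+alice::ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+alice::ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ha.*ESTABLISHED.*10.1.0.1.*10.1.0.10::YES
+moon:: ipsec status 2> /dev/null::rw.*PASSIVE.*mars.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*PASSIVE.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES
+alice::cat /var/log/daemon.log::HA segment 1 activated::YES
+alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+alice::ip xfrm policy flush::no output expected::NO
+alice::ip xfrm state flush::no output expected::NO
+alice::killall -9 starter charon::no output expected::NO
+carol::sleep 3::no output expected::NO
+moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
+carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
+dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES
+venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES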
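Review bot: The two `ha` status expectations (`ha.*ESTABLISHED.*10.1.0.10.*10.1.0.1` on alice and the mirrored one on moon) hard-code the gateway addresses, while every other expectation in this file and the iptables and strongswan.conf files of this commit use the harness placeholders (`PH_IP_VENUS`, `PH_IP_ALICE`, `PH_IP_MOON1`). If 10.1.0.10 and 10.1.0.1 are alice's and moon's internal addresses, `ha.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_MOON1` and `ha.*ESTABLISHED.*PH_IP_MOON1.*PH_IP_ALICE` keep the test independent of the testbed addressing. The takeover checks after `killall -9` rest on a fixed `carol::sleep 3`; the `no heartbeat received, taking all segments` line is the one that will turn flaky first if the ha plugin's heartbeat timeout is ever tuned, so a comment naming that dependency next to the sleep would help the next person who sees it fail.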
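--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section03
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+
+conn rw
+left=192.168.0.5
+leftcert=marsCert.pem
+leftid=@mars.strongswan.org
+leftsubnet=10.1.0.0/16
+leftfirewall=yes
+right=%any
+keyexchange=ikev2
+auto=add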
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
|
||||
YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D
|
||||
l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU
|
||||
j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+
|
||||
E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB
|
||||
QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG
|
||||
7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB
|
||||
AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D
|
||||
ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
|
||||
Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
|
||||
MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
|
||||
cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
|
||||
MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
|
||||
MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/
|
||||
n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R
|
||||
atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7
|
||||
ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1
|
||||
b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le
|
||||
i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE
|
||||
UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl
|
||||
sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w
|
||||
YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j
|
||||
ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g
|
||||
cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D
|
||||
bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS
|
||||
AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD
|
||||
5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u
|
||||
DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km
|
||||
KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB
|
||||
UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK
|
||||
QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt
|
||||
AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG
|
||||
3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b
|
||||
M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv
|
||||
2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9
|
||||
4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO
|
||||
KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd
|
||||
D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU
|
||||
nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe
|
||||
bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD
|
||||
7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa
|
||||
qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX
|
||||
onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ
|
||||
-----END RSA PRIVATE KEY-----
|
|
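--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section06
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem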
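--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section07
@@ -0,0 +1,57 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0
+-A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow esp on internal interface
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p 50 -j ACCEPT
+
+# allow IKE on internal interface
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT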
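Review bot: The heartbeat rules (`-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT` and its OUTPUT twin) accept the HA synchronisation datagrams regardless of whether they travelled inside the transport SA that the description says protects this link, so the firewall itself passes a cleartext UDP 4510 packet with a spoofed PH_IP_MOON1 source on eth0; whether it then reaches the ha plugin's socket depends on the kernel's inbound xfrm policy check for the SA the plugin installs, which this commit does not show. ESP from the peer is already accepted by the `-p 50` rules and the decapsulated packet is re-filtered, so the two rules can require the SA without breaking setup: `-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -m policy --dir in --pol ipsec --proto esp -j ACCEPT` and `-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -m policy --dir out --pol ipsec --proto esp -j ACCEPT`, mirroring the FORWARD rules above them. The same applies to moon's heartbeat rules on eth1 in the second iptables file of this commit. Separately, `-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT` looks like it can never match, because a locally generated IGMP packet carries the interface address as its source; `-d 224.0.0.1` is presumably what was meant, in both files.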
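--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section08
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha
+plugins {
+ha {
+local = PH_IP_ALICE
+remote = PH_IP_MOON1
+secret = 123456
+segment_count = 1
+fifo_interface = yes
+monitor = yes
+}
+}
+}
+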
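Review bot: `secret = 123456` is, judging by the description and the `ha.*ESTABLISHED` expectations in the evaltest, the pre-shared key from which the ha plugin presumably builds the transport SA between `local` and `remote`, and that SA carries every IKE_SA and CHILD_SA state update between the two gateways; nothing on the line marks it as a test fixture. A comment such as `# test-only PSK for the ha transport SA; every synced IKE_SA/CHILD_SA is only as protected as this value` keeps it from being copied into a real deployment. The same value appears in moon's strongswan.conf later in this commit; the two must match for the SA to come up, which is worth stating in that comment as well.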
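--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section09
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+
+conn home
+left=PH_IP_CAROL
+leftcert=carolCert.pem
+leftid=carol@strongswan.org
+leftfirewall=yes
+right=192.168.0.5
+rightid=@mars.strongswan.org
+rightsubnet=10.1.0.0/16
+keyexchange=ikev2
+auto=add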
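--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section10
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}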
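--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section11
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+
+conn home
+left=PH_IP_DAVE
+leftcert=daveCert.pem
+leftid=dave@strongswan.org
+leftfirewall=yes
+right=192.168.0.5
+rightid=@mars.strongswan.org
+rightsubnet=10.1.0.0/16
+keyexchange=ikev2
+auto=add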
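--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section12
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+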
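--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section13
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+
+conn rw
+left=192.168.0.5
+leftcert=marsCert.pem
+leftid=@mars.strongswan.org
+leftsubnet=10.1.0.0/16
+leftfirewall=yes
+right=%any
+keyexchange=ikev2
+auto=add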
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
|
||||
YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D
|
||||
l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU
|
||||
j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+
|
||||
E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB
|
||||
QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG
|
||||
7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB
|
||||
AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D
|
||||
ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
|
||||
Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
|
||||
MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
|
||||
cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
|
||||
MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
|
||||
MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/
|
||||
n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R
|
||||
atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7
|
||||
ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1
|
||||
b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le
|
||||
i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE
|
||||
UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl
|
||||
sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w
|
||||
YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j
|
||||
ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g
|
||||
cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D
|
||||
bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS
|
||||
AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD
|
||||
5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u
|
||||
DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km
|
||||
KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB
|
||||
UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK
|
||||
QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt
|
||||
AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG
|
||||
3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b
|
||||
M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv
|
||||
2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9
|
||||
4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO
|
||||
KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd
|
||||
D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU
|
||||
nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe
|
||||
bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD
|
||||
7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa
|
||||
qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX
|
||||
onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ
|
||||
-----END RSA PRIVATE KEY-----
|
|
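--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section16
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem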
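--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section17
@@ -0,0 +1,57 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0
+-A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow esp on internal interface
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p 50 -j ACCEPT
+
+# allow IKE on internal interface
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT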
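--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section18
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha
+plugins {
+ha {
+local = PH_IP_MOON1
+remote = PH_IP_ALICE
+secret = 123456
+segment_count = 1
+fifo_interface = yes
+monitor = yes
+}
+}
+}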
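--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section19
@@ -0,0 +1,15 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+alice::rm /var/run/charon.pid /var/run/starter.charon.pid
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip addr del 192.168.0.5/24 dev eth0
+moon::ip addr del 10.1.0.5/16 dev eth1
+alice::ip addr del 192.168.0.5/24 dev eth1
+alice::ip addr del 10.1.0.5/16 dev eth0
+alice::ifdown eth1
+venus::ip route del default via 10.1.0.5 dev eth0
+venus::ip route add default via 10.1.0.1 dev eth0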
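Review bot: `alice::rm /var/run/charon.pid /var/run/starter.charon.pid` returns non-zero when either pid file is missing, which happens whenever the scenario is aborted before the `killall -9` in the evaltest has run, so the cleanup is not idempotent; `alice::rm -f /var/run/charon.pid /var/run/starter.charon.pid` makes it safe to rerun. The line also only makes sense because alice is killed rather than stopped, which is why it has no `ipsec stop` here while carol, dave and moon do; that asymmetry deserves a short explanation, if the harness accepts comments in this file, along the lines of "alice's charon was killed with -9, only its stale pid files need removing".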
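--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section20
@@ -0,0 +1,21 @@
+moon::ip addr add 192.168.0.5/24 dev eth0
+moon::ip addr add 10.1.0.5/16 dev eth1
+alice::ifup eth1
+alice::ip addr add 192.168.0.5/24 dev eth1
+alice::ip addr add 10.1.0.5/16 dev eth0
+venus::ip route del default via 10.1.0.1 dev eth0
+venus::ip route add default via 10.1.0.5 dev eth0
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+alice::ipsec start
+moon::ipsec start
+moon::sleep 2
+alice::echo "+1" > /var/run/charon.ha
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home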
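Review bot: `moon::ipsec start` is issued twice, once before `alice::ipsec start` and again immediately after it; the second call either fails because starter is already running or, if the first has not finished initialising, competes with it, and in neither case does it add anything to the setup. Dropping the second `moon::ipsec start` leaves the intended sequence of moon, then alice, then the `moon::sleep 2` that gives both daemons time before alice activates segment 1 through `/var/run/charon.ha`. That activation relies on `fifo_interface = yes` in alice's strongswan.conf elsewhere in this commit, which a one-line comment next to the echo could point out.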
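--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/section21
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="venus carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol dave"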