Added swanctl/net2net-start scenario
This commit is contained in:
parent
4402bae77d
commit
3f5f0b8940
|
@ -0,0 +1,6 @@
|
|||
A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
|
||||
respectively, is automatically established by means of the setting
|
||||
<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
|
||||
behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
|
||||
gateway <b>sun</b>. The updown script automatically inserts iptables-based
|
||||
firewall rules that let pass the tunneled traffic.
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
|
||||
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,13 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.1
|
||||
remote_addrs = 192.168.0.2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.1.0.0/16
|
||||
remote_ts = 10.2.0.0/16
|
||||
|
||||
start_action = start
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 10m
|
||||
esp_proposals = aes128gcm128-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 60m
|
||||
rekey_time = 20m
|
||||
proposals = aes128-sha256-modp2048
|
||||
}
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.2
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.2.0.0/16
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
start_action = none
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 10m
|
||||
esp_proposals = aes128gcm128-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 60m
|
||||
rekey_time = 20m
|
||||
proposals = aes128-sha256-modp2048
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --terminate --ike gw-gw 2> /dev/null
|
||||
moon::service charon stop 2> /dev/null
|
||||
sun::service charon stop 2> /dev/null
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,9 @@
|
|||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::service charon start 2> /dev/null
|
||||
moon::service charon start 2> /dev/null
|
||||
sun::swanctl --load-creds 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
sun::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
moon::sleep 1
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-w-s-b.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
Loading…
Reference in New Issue