Created ikev2/rw-ntru-bliss scenario
This commit is contained in:
Andreas Steffen
parent
0d8a3f5d01
commit
43d9247599
Binary file not shown.
Binary file not shown.
|
|
@ -44,4 +44,6 @@ cd /etc/openssl/rfc3779
|
|||
openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
|
||||
openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
|
||||
cp strongswan_rfc3779.crl ${ROOT}
|
||||
|
||||
cd /etc/openssl/bliss
|
||||
pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
|
||||
cp strongswan_bliss.crl ${ROOT}
|
||||
|
|
|
|||
|
|
@ -92,7 +92,8 @@ CONFIG_OPTS = \
|
|||
--enable-tkm \
|
||||
--enable-ntru \
|
||||
--enable-lookip \
|
||||
--enable-swanctl
|
||||
--enable-swanctl \
|
||||
--enable-bliss
|
||||
|
||||
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,15 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
|
||||
The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
|
||||
192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
|
||||
algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
|
||||
<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
|
||||
<p>
|
||||
Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
|
||||
by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
|
||||
IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
|
||||
increasing order.
|
||||
<p>
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
|
||||
the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
|
||||
pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS signature successful::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS signature successful::YES
|
||||
dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS signature successful::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS signature successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-ntru128!
|
||||
esp=aes128-sha256!
|
||||
authby=pubkey
|
||||
fragmentation=yes
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.der
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=moon.strongswan.org
|
||||
auto=add
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: BLISS carolKey.der
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
|
||||
send_vendor_id = yes
|
||||
fragment_size = 1500
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes192-sha384-ntru192!
|
||||
esp=aes192-sha384!
|
||||
authby=pubkey
|
||||
fragmentation=yes
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftsourceip=%config
|
||||
leftcert=daveCert.der
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=moon.strongswan.org
|
||||
auto=add
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: BLISS daveKey.der
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
|
||||
send_vendor_id = yes
|
||||
fragment_size = 1500
|
||||
}
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
|
||||
esp=aes128-sha256,aes192-sha384!
|
||||
authby=pubkey
|
||||
fragmentation=yes
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.der
|
||||
leftid=moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
rightsourceip=10.3.0.0/28
|
||||
auto=add
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: BLISS moonKey.der
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
|
||||
send_vendor_id = yes
|
||||
fragment_size = 1500
|
||||
}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
|
||||
carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
|
||||
dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
|
||||
carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
|
||||
dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
||||
carol::sleep 1
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon alice"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
Loading…
Reference in New Issue