added ikev2/ip-pool-db scenario
This commit is contained in:
parent
231be8df87
commit
441881e1de
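--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
+addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
+<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.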
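--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,24 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning lease with new address from pool bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES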
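--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+crlcheckinterval=180
+strictcrlpolicy=no
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+
+conn home
+left=PH_IP_CAROL
+leftsourceip=%config
+leftcert=carolCert.pem
+leftid=carol@strongswan.org
+leftfirewall=yes
+right=PH_IP_MOON
+rightsubnet=10.1.0.0/16
+rightid=@moon.strongswan.org
+auto=add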
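--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+crlcheckinterval=180
+strictcrlpolicy=no
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+
+conn home
+left=PH_IP_DAVE
+leftsourceip=%config
+leftcert=daveCert.pem
+leftid=dave@strongswan.org
+leftfirewall=yes
+right=PH_IP_MOON
+rightsubnet=10.1.0.0/16
+rightid=@moon.strongswan.org
+auto=add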
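--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+crlcheckinterval=180
+strictcrlpolicy=no
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+
+conn rw
+left=PH_IP_MOON
+leftsubnet=10.1.0.0/16
+leftcert=moonCert.pem
+leftid=@moon.strongswan.org
+leftfirewall=yes
+right=%any
+rightsourceip=%bigpool
+auto=add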
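--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,201 @@
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+data BLOB NOT NULL,
+UNIQUE (type, data)
+);
+
+DROP TABLE IF EXISTS child_configs;
+CREATE TABLE child_configs (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+name TEXT NOT NULL,
+lifetime INTEGER NOT NULL DEFAULT '1200',
+rekeytime INTEGER NOT NULL DEFAULT '1020',
+jitter INTEGER NOT NULL DEFAULT '180',
+updown TEXT DEFAULT NULL,
+hostaccess INTEGER NOT NULL DEFAULT '0',
+mode INTEGER NOT NULL DEFAULT '1',
+dpd_action INTEGER NOT NULL DEFAULT '0',
+close_action INTEGER NOT NULL DEFAULT '0',
+ipcomp INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS child_configs_name;
+CREATE INDEX child_configs_name ON child_configs (
+name
+);
+
+DROP TABLE IF EXISTS child_config_traffic_selector;
+CREATE TABLE child_config_traffic_selector (
+child_cfg INTEGER NOT NULL,
+traffic_selector INTEGER NOT NULL,
+kind INTEGER NOT NULL
+);
+DROP INDEX IF EXISTS child_config_traffic_selector;
+CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector (
+child_cfg, traffic_selector
+);
+
+DROP TABLE IF EXISTS ike_configs;
+CREATE TABLE ike_configs (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+certreq INTEGER NOT NULL DEFAULT '1',
+force_encap INTEGER NOT NULL DEFAULT '0',
+local TEXT NOT NULL,
+remote TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS peer_configs;
+CREATE TABLE peer_configs (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+name TEXT NOT NULL,
+ike_version INTEGER NOT NULL DEFAULT '2',
+ike_cfg INTEGER NOT NULL,
+local_id TEXT NOT NULL,
+remote_id TEXT NOT NULL,
+cert_policy INTEGER NOT NULL DEFAULT '1',
+uniqueid INTEGER NOT NULL DEFAULT '0',
+auth_method INTEGER NOT NULL DEFAULT '1',
+eap_type INTEGER NOT NULL DEFAULT '0',
+eap_vendor INTEGER NOT NULL DEFAULT '0',
+keyingtries INTEGER NOT NULL DEFAULT '1',
+rekeytime INTEGER NOT NULL DEFAULT '0',
+reauthtime INTEGER NOT NULL DEFAULT '3600',
+jitter INTEGER NOT NULL DEFAULT '180',
+overtime INTEGER NOT NULL DEFAULT '300',
+mobike INTEGER NOT NULL DEFAULT '1',
+dpd_delay INTEGER NOT NULL DEFAULT '120',
+virtual TEXT DEFAULT NULL,
+pool TEXT DEFAULT NULL,
+mediation INTEGER NOT NULL DEFAULT '0',
+mediated_by INTEGER NOT NULL DEFAULT '0',
+peer_id INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS peer_configs_name;
+CREATE INDEX peer_configs_name ON peer_configs (
+name
+);
+
+DROP TABLE IF EXISTS peer_config_child_config;
+CREATE TABLE peer_config_child_config (
+peer_cfg INTEGER NOT NULL,
+child_cfg INTEGER NOT NULL,
+PRIMARY KEY (peer_cfg, child_cfg)
+);
+
+DROP TABLE IF EXISTS traffic_selectors;
+CREATE TABLE traffic_selectors (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL DEFAULT '7',
+protocol INTEGER NOT NULL DEFAULT '0',
+start_addr BLOB DEFAULT NULL,
+end_addr BLOB DEFAULT NULL,
+start_port INTEGER NOT NULL DEFAULT '0',
+end_port INTEGER NOT NULL DEFAULT '65535'
+);
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+keytype INTEGER NOT NULL,
+data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+certificate INTEGER NOT NULL,
+identity INTEGER NOT NULL,
+PRIMARY KEY (certificate, identity)
+);
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+private_key INTEGER NOT NULL,
+identity INTEGER NOT NULL,
+PRIMARY KEY (private_key, identity)
+);
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+shared_secret INTEGER NOT NULL,
+identity INTEGER NOT NULL,
+PRIMARY KEY (shared_secret, identity)
+);
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+name TEXT NOT NULL,
+start BLOB NOT NULL,
+end BLOB NOT NULL,
+next BLOB NOT NULL,
+timeout INTEGER DEFAULT NULL,
+UNIQUE (name)
+);
+DROP INDEX IF EXISTS pools_name;
+CREATE INDEX pools_name ON pools (
+name
+);
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+pool INTEGER NOT NULL,
+address BLOB NOT NULL,
+identity INTEGER NOT NULL,
+acquired INTEGER NOT NULL,
+released INTEGER DEFAULT NULL
+);
+DROP INDEX IF EXISTS leases_pool;
+CREATE INDEX leases_pool ON leases (
+pool
+);
+DROP INDEX IF EXISTS leases_identity;
+CREATE INDEX leases_identity ON leases (
+identity
+);
+DROP INDEX IF EXISTS leases_released;
+CREATE INDEX leases_released ON leases (
+released
+);
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+local_spi BLOB NOT NULL PRIMARY KEY,
+remote_spi BLOB NOT NULL,
+id INTEGER NOT NULL,
+initiator INTEGER NOT NULL,
+local_id_type INTEGER NOT NULL,
+local_id_data BLOB NOT NULL,
+remote_id_type INTEGER NOT NULL,
+remote_id_data BLOB NOT NULL,
+host_family INTEGER NOT NULL,
+local_host_data BLOB NOT NULL,
+remote_host_data BLOB NOT NULL,
+created INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+local_spi BLOB NOT NULL,
+signal INTEGER NOT NULL,
+level INTEGER NOT NULL,
+msg TEXT NOT NULL,
+time INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);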
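Review bot: `DROP INDEX IF EXISTS child_config_traffic_selector;` names the table rather than the index created two statements later, which is `child_config_traffic_selector_all`, so the statement is a no-op; it only stays harmless because the preceding `DROP TABLE` already discards the table's indexes in SQLite, and it should read `DROP INDEX IF EXISTS child_config_traffic_selector_all;`. The explicit `pools_name` index duplicates the index that `UNIQUE (name)` on `pools` already creates. `leases.pool` and `leases.identity` carry no `FOREIGN KEY` to `pools` and `identities`, so lease rows can outlive the pool they were drawn from; if that is intended as lease history, a comment above `CREATE TABLE leases` saying so would help. `ike_sas.created` and `logs.time` are declared `INTEGER` but default to `CURRENT_TIMESTAMP`, which SQLite stores as a text timestamp rather than an epoch integer, while `leases.acquired` has no default at all and so leaves its representation to the writer; a comment on the intended time format for these columns would prevent mixed representations.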
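--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+plugins {
+sql {
+database = sqlite:///etc/ipsec.d/ipsec.db
+}
+}
+}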
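--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*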
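Review bot: `moon::rm /etc/ipsec.d/ipsec.*` on the last line removes every file matching the glob, which includes the `ipsec.sql` schema that the pretest feeds into sqlite3 and not just the generated `ipsec.db`; if only the database and the lease state it holds should be discarded between runs, `moon::rm /etc/ipsec.d/ipsec.db` is the narrower form. Presumably the test framework re-copies the scenario's host files before each run, in which case the broad glob is harmless, but that dependency is not visible here and deserves a short comment. The iptables stop lines suppress stderr with `2> /dev/null` while the rm line does not, so a missing file at teardown would show up in the test log.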
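--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,12 @@
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1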
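Review bot: The pool is created with `ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0` on the second line, but the scenario description added in this same commit quotes the command as `ipsec pool --name bigpool ...`; one of the two should be corrected so the description matches what the test actually runs. The `2> /dev/null` on that line hides a failure to create the pool, which the evaltest only catches indirectly through the later lease checks on moon; dropping the redirect would make a schema or pool error visible at the step where it occurs. The first line can be written as `moon::sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql`, which removes the needless pipe through cat.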
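--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"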