added ikev1/dynamic scenarios using allow-any
This commit is contained in:
Andreas Steffen
parent
7cc65a0376
commit
47f8ae7cfd
|
|
@ -0,0 +1,12 @@
|
|||
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
|
||||
is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
|
||||
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
|
||||
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
|
||||
<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
|
||||
IP address under the condition that the peer identity remains unchanged. When this happens
|
||||
the old tunnel is replaced by an IPsec connection to the new origin.
|
||||
<p>
|
||||
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
|
||||
suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
|
||||
old tunnel first (simulated by iptables blocking IKE packets to and from
|
||||
<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
|
||||
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
|
||||
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
|
||||
6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
|
||||
Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
|
||||
Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
|
||||
I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
|
||||
x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
|
||||
tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
|
||||
d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
|
||||
b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
|
||||
GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
|
||||
ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
|
||||
F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
|
||||
L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
|
||||
ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
|
||||
Rf5Z0GOR
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
|
||||
|
||||
mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
|
||||
i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
|
||||
jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
|
||||
m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
|
||||
pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
|
||||
J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
|
||||
dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
|
||||
h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
|
||||
/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
|
||||
EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
|
||||
pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
|
||||
sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
|
||||
kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
|
||||
gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
|
||||
OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
|
||||
D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
|
||||
bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
|
||||
BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
|
||||
7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
|
||||
UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
|
||||
H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
|
||||
y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
|
||||
zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
|
||||
AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
|
||||
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn carol
|
||||
left=%any
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%carol.strongswan.org
|
||||
rightid=carol@strongswan.org
|
||||
rightsourceip=PH_IP_CAROL1
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
dave::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::sleep 1
|
||||
moon::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::ip addr del PH_IP_CAROL1/32 dev eth0
|
||||
dave::ip addr del PH_IP_CAROL1/32 dev eth0
|
||||
dave::rm /etc/ipsec.d/certs/*
|
||||
dave::rm /etc/ipsec.d/private/*
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up moon
|
||||
carol::sleep 1
|
||||
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
dave::ipsec up moon
|
||||
dave::sleep 2
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon alice"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
|
||||
is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
|
||||
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
|
||||
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
|
||||
<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
|
||||
IP address under the condition that the peer identity remains unchanged. When this happens
|
||||
the old tunnel is replaced by an IPsec connection to the new origin.
|
||||
<p>
|
||||
In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
|
||||
the responder <b>carol</b> suddenly changes her IP address and restarts the connection to
|
||||
<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets
|
||||
to and from <b>carol</b> and starting the connection from host <b>dave</b> using
|
||||
<b>carol</b>'s identity).
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
|
||||
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
|
||||
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
|
||||
6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
|
||||
Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
|
||||
Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
|
||||
I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
|
||||
x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
|
||||
tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
|
||||
d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
|
||||
b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
|
||||
GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
|
||||
ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
|
||||
F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
|
||||
L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
|
||||
ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
|
||||
Rf5Z0GOR
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
|
||||
|
||||
mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
|
||||
i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
|
||||
jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
|
||||
m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
|
||||
pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
|
||||
J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
|
||||
dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
|
||||
h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
|
||||
/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
|
||||
EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
|
||||
pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
|
||||
sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
|
||||
kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
|
||||
gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
|
||||
OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
|
||||
D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
|
||||
bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
|
||||
BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
|
||||
7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
|
||||
UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
|
||||
H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
|
||||
y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
|
||||
zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
|
||||
AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
|
||||
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn carol
|
||||
left=%any
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%carol.strongswan.org
|
||||
rightid=carol@strongswan.org
|
||||
rightsourceip=PH_IP_CAROL1
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
dave::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::sleep 1
|
||||
moon::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::ip addr del PH_IP_CAROL1/32 dev eth0
|
||||
dave::ip addr del PH_IP_CAROL1/32 dev eth0
|
||||
dave::rm /etc/ipsec.d/certs/*
|
||||
dave::rm /etc/ipsec.d/private/*
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::ipsec start
|
||||
moon::sleep 2
|
||||
moon::ipsec up carol
|
||||
moon::sleep 1
|
||||
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
dave::ipsec up moon
|
||||
dave::sleep 2
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon alice"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
|
||||
so that the remote end is defined symbolically by <b>right=%<hostname></b>.
|
||||
The ipsec starter resolves the fully-qualified hostname into the current IP address
|
||||
via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
|
||||
expected to change over time, the prefix '%' is used as an implicit alternative to the
|
||||
explicit <b>rightallowany=yes</b> option which will allow an IKE
|
||||
main mode rekeying to arrive from an arbitrary IP address under the condition that
|
||||
the peer identity remains unchanged. When this happens the old tunnel is replaced
|
||||
by an IPsec connection to the new origin.
|
||||
<p>
|
||||
In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
|
||||
<b>moon</b> which has a named connection definition for each peer. Although
|
||||
the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
|
||||
the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
|
||||
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn moon
|
||||
left=%any
|
||||
leftsourceip=%config
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=%moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,67 @@
|
|||
# /etc/hosts: This file describes a number of hostname-to-address
|
||||
# mappings for the TCP/IP subsystem. It is mostly
|
||||
# used at boot time, when no name servers are running.
|
||||
# On small systems, this file can be used instead of a
|
||||
# "named" name server. Just add the names, addresses
|
||||
# and any aliases to this file...
|
||||
#
|
||||
|
||||
127.0.0.1 localhost
|
||||
|
||||
192.168.0.254 uml0.strongswan.org uml0
|
||||
10.1.0.254 uml1.strongswan.org uml1
|
||||
10.2.0.254 uml1.strongswan.org uml2
|
||||
|
||||
10.1.0.10 alice.strongswan.org alice
|
||||
10.1.0.20 venus.strongswan.org venus
|
||||
10.1.0.1 moon1.strongswan.org moon1
|
||||
192.168.0.1 moon.strongswan.org moon
|
||||
192.168.0.110 carol.strongswan.org carol
|
||||
10.3.0.1 carol1.strongswan.org carol1
|
||||
192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
|
||||
192.168.0.220 dave.strongswan.org dave
|
||||
10.3.0.2 dave1.strongswan.org dave1
|
||||
192.168.0.2 sun.strongswan.org sun
|
||||
10.2.0.1 sun1.strongswan.org sun1
|
||||
10.2.0.10 bob.strongswan.org bob
|
||||
|
||||
# IPv6 versions of localhost and co
|
||||
::1 ip6-localhost ip6-loopback
|
||||
fe00::0 ip6-localnet
|
||||
ff00::0 ip6-mcastprefix
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
ff02::3 ip6-allhosts
|
||||
|
||||
# IPv6 solicited-node multicast addresses
|
||||
ff02::1:ff00:1 ip6-mcast-1
|
||||
ff02::1:ff00:2 ip6-mcast-2
|
||||
ff02::1:ff00:10 ip6-mcast-10
|
||||
ff02::1:ff00:15 ip6-mcast-15
|
||||
ff02::1:ff00:20 ip6-mcast-20
|
||||
|
||||
# IPv6 site-local addresses
|
||||
fec1::10 ip6-alice.strongswan.org ip6-alice
|
||||
fec1::20 ip6-venus.strongswan.org ip6-venus
|
||||
fec1::1 ip6-moon1.strongswan.org ip6-moon1
|
||||
fec0::1 ip6-moon.strongswan.org ip6-moon
|
||||
fec0::10 ip6-carol.strongswan.org ip6-carol
|
||||
fec3::1 ip6-carol1.strongswan.org ip6-carol1
|
||||
fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
|
||||
fec0::20 ip6-dave.strongswan.org ip6-dave
|
||||
fec3::2 ip6-dave1.strongswan.org ip6-dave1
|
||||
fec0::2 ip6-sun.strongswan.org ip6-sun
|
||||
fec2::1 ip6-sun1.strongswan.org ip6-sun1
|
||||
fec2::10 ip6-bob.strongswan.org ip6-bob
|
||||
|
||||
# IPv6 link-local HW derived addresses
|
||||
fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
|
||||
fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
|
||||
fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
|
||||
fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
|
||||
fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
|
||||
fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
|
||||
fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
|
||||
fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
|
||||
fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
|
||||
fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
left=%any
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftsourceip=PH_IP_MOON1
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
|
||||
conn carol
|
||||
right=%carol.strongswan.org
|
||||
rightid=carol@strongswan.org
|
||||
rightsourceip=PH_IP_CAROL1
|
||||
auto=add
|
||||
|
||||
conn dave
|
||||
right=%dave.strongswan.org
|
||||
rightid=dave@strongswan.org
|
||||
rightsourceip=PH_IP_DAVE1
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::sleep 1
|
||||
moon::ipsec stop
|
||||
moon::mv /etc/hosts.ori /etc/hosts
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::ip addr del PH_IP_CAROL1/32 dev eth0
|
||||
dave::ip addr del PH_IP_DAVE1/32 dev eth0
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
moon::mv /etc/hosts /etc/hosts.ori
|
||||
moon::mv /etc/hosts.stale /etc/hosts
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up moon
|
||||
dave::ipsec up moon
|
||||
carol::sleep 1
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon alice"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
Loading…
Reference in New Issue