implemented path length constraint checkinf for IKEv2
This commit is contained in:
parent
fef3b0b7fd
commit
4c68a85a75
6
NEWS
6
NEWS
|
@ -1,3 +1,9 @@
|
|||
strongswan-4.3.6
|
||||
----------------
|
||||
|
||||
- The IKEv1 and IKEV2 daemons now check certificate path length constraints.
|
||||
|
||||
|
||||
strongswan-4.3.5
|
||||
----------------
|
||||
|
||||
|
|
|
@ -28,8 +28,6 @@
|
|||
#include <credentials/certificates/ocsp_request.h>
|
||||
#include <credentials/certificates/ocsp_response.h>
|
||||
|
||||
#define MAX_CA_LEVELS 6
|
||||
|
||||
typedef struct private_credential_manager_t private_credential_manager_t;
|
||||
|
||||
/**
|
||||
|
@ -1067,12 +1065,14 @@ static bool verify_trust_chain(private_credential_manager_t *this,
|
|||
bool trusted, bool crl, bool ocsp)
|
||||
{
|
||||
certificate_t *current, *issuer;
|
||||
x509_t *x509;
|
||||
auth_cfg_t *auth;
|
||||
u_int level = 0;
|
||||
int pathlen, pathlen_constraint;
|
||||
|
||||
auth = auth_cfg_create();
|
||||
current = subject->get_ref(subject);
|
||||
while (level++ < MAX_CA_LEVELS)
|
||||
|
||||
for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
|
||||
{
|
||||
issuer = get_issuer_cert(this, current, TRUE);
|
||||
if (issuer)
|
||||
|
@ -1122,17 +1122,32 @@ static bool verify_trust_chain(private_credential_manager_t *this,
|
|||
issuer->destroy(issuer);
|
||||
break;
|
||||
}
|
||||
|
||||
/* check path length constraint */
|
||||
x509 = (x509_t*)issuer;
|
||||
pathlen_constraint = x509->get_pathLenConstraint(x509);
|
||||
if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
|
||||
pathlen > pathlen_constraint)
|
||||
{
|
||||
DBG1(DBG_CFG, "path length of %d violates constraint of %d",
|
||||
pathlen, pathlen_constraint);
|
||||
trusted = FALSE;
|
||||
issuer->destroy(issuer);
|
||||
break;
|
||||
}
|
||||
current->destroy(current);
|
||||
current = issuer;
|
||||
if (trusted)
|
||||
{
|
||||
DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d",
|
||||
pathlen);
|
||||
break;
|
||||
}
|
||||
}
|
||||
current->destroy(current);
|
||||
if (level > MAX_CA_LEVELS)
|
||||
if (pathlen > X509_MAX_PATH_LEN)
|
||||
{
|
||||
DBG1(DBG_CFG, "maximum ca path length of %d levels reached", level);
|
||||
DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
|
||||
}
|
||||
if (trusted)
|
||||
{
|
||||
|
@ -1377,7 +1392,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
|
|||
{
|
||||
certificate_t *issuer, *current;
|
||||
auth_cfg_t *trustchain;
|
||||
u_int level = 0;
|
||||
int pathlen = 0;
|
||||
|
||||
trustchain = auth_cfg_create();
|
||||
|
||||
|
@ -1406,13 +1421,14 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
|
|||
trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
|
||||
}
|
||||
issuer = get_issuer_cert(this, current, FALSE);
|
||||
if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS)
|
||||
if (!issuer || issuer->equals(issuer, current) ||
|
||||
pathlen > X509_MAX_PATH_LEN)
|
||||
{
|
||||
DESTROY_IF(issuer);
|
||||
break;
|
||||
}
|
||||
current = issuer;
|
||||
level++;
|
||||
pathlen++;
|
||||
}
|
||||
trustchain->destroy(trustchain);
|
||||
return NULL;
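Review bot: The new constraint check in verify_trust_chain casts blindly, `x509 = (x509_t*)issuer;`, and then calls `get_pathLenConstraint` on it without confirming that the certificate handed back by get_issuer_cert() is an X.509 certificate; if that helper can return another certificate type (the OCSP request/response includes at the top of this file suggest the manager deals with more than one), the call goes through the wrong vtable. Unless the caller already guarantees the type, guard the cast with a certificate-type check such as `if (issuer->get_type(issuer) == CERT_X509)` and skip the constraint check otherwise. Separately, `pathlen` is incremented for every issuer hop, whereas RFC 5280 §4.2.1.9 counts only non-self-issued intermediate certificates, so a CA that has re-issued its own certificate (same subject and issuer, new key) consumes a level here and may be rejected spuriously; a comment such as `/* NOTE: self-issued CA certificates are counted as levels here, stricter than RFC 5280 */` would at least make the deviation explicit. verify_trust_chain begins and ends outside the hunks shown.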
|
||||
|
|
|
@ -746,7 +746,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
|||
|
||||
/* list optional pathLenConstraint */
|
||||
pathlen = x509->get_pathLenConstraint(x509);
|
||||
if (pathlen != NO_PATH_LEN_CONSTRAINT)
|
||||
if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
|
||||
{
|
||||
fprintf(out, " pathlen: %d\n", pathlen);
|
||||
}
|
||||
|
|
|
@ -24,7 +24,8 @@
|
|||
#include <utils/enumerator.h>
|
||||
#include <credentials/certificates/certificate.h>
|
||||
|
||||
#define NO_PATH_LEN_CONSTRAINT -1
|
||||
#define X509_NO_PATH_LEN_CONSTRAINT -1
|
||||
#define X509_MAX_PATH_LEN 7
|
||||
|
||||
typedef struct x509_t x509_t;
|
||||
typedef enum x509_flag_t x509_flag_t;
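Review bot: The two new macros `X509_NO_PATH_LEN_CONSTRAINT` and `X509_MAX_PATH_LEN` are introduced without any comment, although their meaning is now shared between pluto and charon, which count chain depth differently (pluto's verify_x509cert and valid_ocsp_response start their loops at -1, charon's verify_trust_chain at 0). A Doxygen line on each would remove the ambiguity: `/** pathLenConstraint value returned when the extension is absent */` above the first and `/** implementation limit on the number of CA certificates followed while validating a trust chain; not an RFC 5280 constraint */` above the second. It is also worth recording that this raises charon's effective limit, since it previously stopped at MAX_CA_LEVELS (6) and now follows up to X509_MAX_PATH_LEN (7) issuers.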
|
||||
|
|
|
@ -1238,7 +1238,7 @@ static private_x509_cert_t* create_empty(void)
|
|||
this->subjectKeyIdentifier = chunk_empty;
|
||||
this->authKeyIdentifier = chunk_empty;
|
||||
this->authKeySerialNumber = chunk_empty;
|
||||
this->pathLenConstraint = NO_PATH_LEN_CONSTRAINT;
|
||||
this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
|
||||
this->algorithm = 0;
|
||||
this->signature = chunk_empty;
|
||||
this->flags = 0;
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
|
||||
#include <debug.h>
|
||||
#include <utils/enumerator.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
|
||||
#include <freeswan.h>
|
||||
|
||||
|
@ -52,14 +53,14 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
|
|||
/* no CA b specified -> any CA a is accepted */
|
||||
if (b == NULL)
|
||||
{
|
||||
*pathlen = (a == NULL) ? 0 : MAX_CA_PATH_LEN;
|
||||
*pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/* no CA a specified -> trust cannot be established */
|
||||
if (a == NULL)
|
||||
{
|
||||
*pathlen = MAX_CA_PATH_LEN;
|
||||
*pathlen = X509_MAX_PATH_LEN;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -74,7 +75,7 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
|
|||
/* CA a might be a subordinate CA of b */
|
||||
lock_authcert_list("trusted_ca");
|
||||
|
||||
while ((*pathlen)++ < MAX_CA_PATH_LEN)
|
||||
while ((*pathlen)++ < X509_MAX_PATH_LEN)
|
||||
{
|
||||
certificate_t *certificate;
|
||||
identification_t *issuer;
|
||||
|
@ -130,7 +131,7 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
*our_pathlen = MAX_CA_PATH_LEN + 1;
|
||||
*our_pathlen = X509_MAX_PATH_LEN + 1;
|
||||
|
||||
enumerator = requested_ca->create_enumerator(requested_ca);
|
||||
while (enumerator->enumerate(enumerator, &ca))
|
||||
|
@ -144,9 +145,9 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
|
|||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (*our_pathlen > MAX_CA_PATH_LEN)
|
||||
if (*our_pathlen > X509_MAX_PATH_LEN)
|
||||
{
|
||||
*our_pathlen = MAX_CA_PATH_LEN;
|
||||
*our_pathlen = X509_MAX_PATH_LEN;
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
|
@ -374,7 +375,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai
|
|||
|
||||
lock_authcert_list("trust_authcert_candidate");
|
||||
|
||||
for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
|
||||
for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++)
|
||||
{
|
||||
certificate_t *certificate = cert->cert;
|
||||
x509_t *x509 = (x509_t*)certificate;
|
||||
|
@ -443,7 +444,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai
|
|||
/* go up one step in the trust chain */
|
||||
cert = authcert;
|
||||
}
|
||||
plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
|
||||
plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN);
|
||||
unlock_authcert_list("trust_authcert_candidate");
|
||||
return FALSE;
|
||||
}
|
||||
|
|
|
@ -21,8 +21,6 @@
|
|||
#include "x509.h"
|
||||
#include "whack.h"
|
||||
|
||||
#define MAX_CA_PATH_LEN 7
|
||||
|
||||
/* CA info structures */
|
||||
|
||||
typedef struct ca_info ca_info_t;
|
||||
|
|
|
@ -3391,8 +3391,8 @@ connection_t *refine_host_connection(const struct state *st,
|
|||
int prio = (ID_MATCH_PERFECT) * !matching_request +
|
||||
ID_MATCH_PERFECT - match_level;
|
||||
|
||||
prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen;
|
||||
prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen;
|
||||
prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
|
||||
prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
|
||||
|
||||
DBG(DBG_CONTROLMORE,
|
||||
DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
|
||||
|
@ -3560,7 +3560,7 @@ static bool is_virtual_net_used(const ip_subnet *peer_net,
|
|||
*/
|
||||
|
||||
#define PATH_WEIGHT 1
|
||||
#define WILD_WEIGHT (MAX_CA_PATH_LEN+1)
|
||||
#define WILD_WEIGHT (X509_MAX_PATH_LEN+1)
|
||||
#define PRIO_WEIGHT (ID_MATCH_PERFECT+1) * WILD_WEIGHT
|
||||
|
||||
/* fc_try: a helper function for find_client_connection */
|
||||
|
@ -3691,7 +3691,7 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
|
|||
*/
|
||||
prio = PRIO_WEIGHT * routed(sr->routing)
|
||||
+ WILD_WEIGHT * match_level
|
||||
+ PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
|
||||
+ PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen)
|
||||
+ 1;
|
||||
if (prio > best_prio)
|
||||
{
|
||||
|
@ -3797,7 +3797,7 @@ static connection_t *fc_try_oppo(const connection_t *c,
|
|||
*/
|
||||
prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
|
||||
+ WILD_WEIGHT * match_level
|
||||
+ PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
|
||||
+ PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen);
|
||||
if (prio > best_prio)
|
||||
{
|
||||
best = d;
|
||||
|
|
|
@ -961,7 +961,7 @@ chunk_t build_ocsp_request(ocsp_location_t *location)
|
|||
*/
|
||||
static bool valid_ocsp_response(response_t *res)
|
||||
{
|
||||
int pathlen;
|
||||
int pathlen, pathlen_constraint;
|
||||
x509cert_t *authcert;
|
||||
|
||||
lock_authcert_list("valid_ocsp_response");
|
||||
|
@ -990,7 +990,7 @@ static bool valid_ocsp_response(response_t *res)
|
|||
)
|
||||
|
||||
|
||||
for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
|
||||
for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
|
||||
{
|
||||
x509cert_t *cert = authcert;
|
||||
certificate_t *certificate = cert->cert;
|
||||
|
@ -1038,17 +1038,28 @@ static bool valid_ocsp_response(response_t *res)
|
|||
DBG_log("certificate signature is valid")
|
||||
)
|
||||
|
||||
/* check path length constraint */
|
||||
pathlen_constraint = x509->get_pathLenConstraint(x509);
|
||||
if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
|
||||
pathlen > pathlen_constraint)
|
||||
{
|
||||
plog("path length of %d violates constraint of %d",
|
||||
pathlen, pathlen_constraint);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* check if cert is self-signed */
|
||||
if (x509->get_flags(x509) & X509_SELF_SIGNED)
|
||||
{
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("reached self-signed root ca")
|
||||
DBG_log("reached self-signed root ca with a path length of %d",
|
||||
pathlen)
|
||||
)
|
||||
unlock_authcert_list("valid_ocsp_response");
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
|
||||
plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
|
||||
unlock_authcert_list("valid_ocsp_response");
|
||||
return FALSE;
|
||||
}
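Review bot: The new path-length check in valid_ocsp_response returns with the authcert list still locked: `lock_authcert_list("valid_ocsp_response")` is taken before the loop, and both pre-existing exits (`return TRUE` after the self-signed root and `return FALSE` after the loop) call `unlock_authcert_list` first, but the added `return FALSE;` following `plog("path length of %d violates constraint of %d", ...)` does not. Depending on the lock implementation, the next lock_authcert_list() caller would then deadlock or trip an assertion, so insert `unlock_authcert_list("valid_ocsp_response");` immediately before that return, after the plog so the diagnostic is still emitted. The same early-exit shape as the surrounding code can be kept; only the unlock line is missing.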
|
||||
|
|
|
@ -348,7 +348,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
|
|||
|
||||
*until = 0;
|
||||
|
||||
for (pathlen = -1; pathlen < MAX_CA_PATH_LEN; pathlen++)
|
||||
for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
|
||||
{
|
||||
certificate_t *certificate = cert->cert;
|
||||
identification_t *subject = certificate->get_subject(certificate);
|
||||
|
@ -409,7 +409,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
|
|||
|
||||
/* check path length constraint */
|
||||
pathlen_constraint = x509->get_pathLenConstraint(x509);
|
||||
if (pathlen_constraint != NO_PATH_LEN_CONSTRAINT &&
|
||||
if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
|
||||
pathlen > pathlen_constraint)
|
||||
{
|
||||
plog("path length of %d violates constraint of %d",
|
||||
|
@ -490,7 +490,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
|
|||
/* go up one step in the trust chain */
|
||||
cert = issuer_cert;
|
||||
}
|
||||
plog("maximum path length of %d exceeded", MAX_CA_PATH_LEN);
|
||||
plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -603,7 +603,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
|
|||
|
||||
/* list optional pathLenConstraint */
|
||||
pathlen = x509->get_pathLenConstraint(x509);
|
||||
if (pathlen != NO_PATH_LEN_CONSTRAINT)
|
||||
if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
|
||||
{
|
||||
whack_log(RC_COMMENT, " pathlen: %d", pathlen);
|
||||
}
|
||||
|
|
|
@ -1,19 +1,4 @@
|
|||
moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
|
||||
moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
|
||||
moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
|
||||
moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
|
||||
moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
|
||||
moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
|
||||
carol::ipsec status::alice.*INSTALLED::YES
|
||||
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
|
||||
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
|
||||
carol::ipsec status::venus.*INSTALLED::NO
|
||||
moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
|
||||
moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
|
||||
moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
|
||||
moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
|
||||
dave::ipsec status::venus.*INSTALLED::YES
|
||||
moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
|
||||
dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
|
||||
dave::ipsec status::alice.*INSTALLED::NO
|
||||
moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
|
||||
moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
|
||||
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
|
||||
carol::ipsec status::alice.*INSTALLED::NO
|
||||
moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
|
||||
but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
|
||||
issues an end entity certificate to roadwarrior <b>carol</b> so that the total
|
||||
path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
|
||||
the negotiation.
|
|
@ -0,0 +1,4 @@
|
|||
moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
|
||||
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
|
||||
carol::ipsec status::home.*INSTALLED::NO
|
||||
moon::ipsec status::duck.*INSTALLED::NO
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftsendcert=ifasked
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
|
||||
BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
|
||||
MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
|
||||
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
|
||||
c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
|
||||
IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
|
||||
30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
|
||||
jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
|
||||
veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
|
||||
ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
|
||||
7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
|
||||
VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
|
||||
jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
|
||||
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
|
||||
IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
|
||||
DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
|
||||
TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
|
||||
4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
|
||||
Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
|
||||
3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
|
||||
BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
|
||||
Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
|
||||
w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
|
||||
rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
|
||||
UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
|
||||
aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
|
||||
33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
|
||||
ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
|
||||
zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
|
||||
DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
|
||||
QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
|
||||
5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
|
||||
44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
|
||||
Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
|
||||
2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
|
||||
PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
|
||||
LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
|
||||
Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
|
||||
VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
|
||||
Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
|
||||
6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
|
||||
Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
|
||||
Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
|
||||
Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
|
||||
QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn duck
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftsendcert=ifasked
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
|
||||
auto=add
|
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
|
||||
BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
|
||||
M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
|
||||
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
|
||||
MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
|
||||
ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
|
||||
UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
|
||||
h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
|
||||
i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
|
||||
o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
|
||||
KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
|
||||
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
|
||||
YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
|
||||
AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
|
||||
YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
|
||||
rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
|
||||
1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
|
||||
wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
|
||||
DSlBqDpnqK8tEI9V9YeroihTcygrEg==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
|
||||
FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
|
||||
zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
|
||||
/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
|
||||
C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
|
||||
+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
|
||||
BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
|
||||
VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
|
||||
BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
|
||||
bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
|
||||
Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
|
||||
fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
|
||||
3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
|
||||
0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
|
||||
IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
|
||||
Tfcyi+M=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::rm /etc/ipsec.d/cacerts/*
|
|
@ -0,0 +1,5 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice venus moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|