added ikev2/rw-eap-sim-radius scenario
This commit is contained in:
parent
8c6e6ba4ab
commit
5653249a73
|
@ -0,0 +1,10 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
At the outset the gateway authenticates itself to the client by sending
|
||||
an IKEv2 <b>RSA signature</b> accompanied by a certificate.
|
||||
<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
|
||||
in association with a <i>GSM Subscriber Identity Module</i>
|
||||
(<b>EAP-SIM</b>) to authenticate against the gateway <b>moon</b>.
|
||||
In this scenario triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
|
||||
are used instead of a physical SIM card on the client <b>carol</b> and
|
||||
the gateway forwards all EAP messages to the RADIUS server <b>alice</b>
|
||||
which also uses static triplets.
|
|
@ -0,0 +1,11 @@
|
|||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
|
||||
carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
|
||||
carol::ipsec statusall::home.*ESTABLISHED::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
client PH_IP_MOON1 {
|
||||
secret = gv6URkSs
|
||||
shortname = moon
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
eap {
|
||||
default_eap_type = sim
|
||||
sim {
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
realm strongswan.org {
|
||||
type = radius
|
||||
authhost = LOCAL
|
||||
accthost = LOCAL
|
||||
}
|
|
@ -0,0 +1,123 @@
|
|||
# radiusd.conf -- FreeRADIUS server configuration file.
|
||||
|
||||
prefix = /usr
|
||||
exec_prefix = ${prefix}
|
||||
sysconfdir = /etc
|
||||
localstatedir = /var
|
||||
sbindir = ${exec_prefix}/sbin
|
||||
logdir = ${localstatedir}/log/radius
|
||||
raddbdir = ${sysconfdir}/raddb
|
||||
radacctdir = ${logdir}/radacct
|
||||
|
||||
# name of the running server. See also the "-n" command-line option.
|
||||
name = radiusd
|
||||
|
||||
# Location of config and logfiles.
|
||||
confdir = ${raddbdir}
|
||||
run_dir = ${localstatedir}/run/radiusd
|
||||
|
||||
# Should likely be ${localstatedir}/lib/radiusd
|
||||
db_dir = ${raddbdir}
|
||||
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
libdir = ${exec_prefix}/lib
|
||||
|
||||
# pidfile: Where to place the PID of the RADIUS server.
|
||||
pidfile = ${run_dir}/${name}.pid
|
||||
|
||||
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||
max_request_time = 30
|
||||
|
||||
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||
cleanup_delay = 5
|
||||
|
||||
# max_requests: The maximum number of requests which the server keeps
|
||||
max_requests = 1024
|
||||
|
||||
# listen: Make the server listen on a particular IP address, and send
|
||||
listen {
|
||||
type = auth
|
||||
ipaddr = PH_IP_ALICE
|
||||
port = 0
|
||||
}
|
||||
|
||||
# This second "listen" section is for listening on the accounting
|
||||
# port, too.
|
||||
#
|
||||
listen {
|
||||
type = acct
|
||||
ipaddr = PH_IP_ALICE
|
||||
port = 0
|
||||
}
|
||||
|
||||
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||
hostname_lookups = no
|
||||
|
||||
# Core dumps are a bad thing. This should only be set to 'yes'
|
||||
allow_core_dumps = no
|
||||
|
||||
# Regular expressions
|
||||
regular_expressions = yes
|
||||
extended_expressions = yes
|
||||
|
||||
# Logging section. The various "log_*" configuration items
|
||||
log {
|
||||
destination = files
|
||||
file = ${logdir}/radius.log
|
||||
syslog_facility = daemon
|
||||
stripped_names = no
|
||||
auth = yes
|
||||
auth_badpass = yes
|
||||
auth_goodpass = yes
|
||||
}
|
||||
|
||||
# The program to execute to do concurrency checks.
|
||||
checkrad = ${sbindir}/checkrad
|
||||
|
||||
# Security considerations
|
||||
security {
|
||||
max_attributes = 200
|
||||
reject_delay = 1
|
||||
status_server = yes
|
||||
}
|
||||
|
||||
# PROXY CONFIGURATION
|
||||
proxy_requests = yes
|
||||
$INCLUDE proxy.conf
|
||||
|
||||
# CLIENTS CONFIGURATION
|
||||
$INCLUDE clients.conf
|
||||
|
||||
# THREAD POOL CONFIGURATION
|
||||
thread pool {
|
||||
start_servers = 5
|
||||
max_servers = 32
|
||||
min_spare_servers = 3
|
||||
max_spare_servers = 10
|
||||
max_requests_per_server = 0
|
||||
}
|
||||
|
||||
# MODULE CONFIGURATION
|
||||
modules {
|
||||
$INCLUDE ${confdir}/modules/
|
||||
$INCLUDE eap.conf
|
||||
$INCLUDE sql.conf
|
||||
$INCLUDE sql/mysql/counter.conf
|
||||
sim_files {
|
||||
simtriplets = "/etc/raddb/triplets.dat"
|
||||
}
|
||||
}
|
||||
|
||||
# Instantiation
|
||||
instantiate {
|
||||
exec
|
||||
expr
|
||||
expiration
|
||||
logintime
|
||||
}
|
||||
|
||||
# Policies
|
||||
$INCLUDE policy.conf
|
||||
|
||||
# Include all enabled virtual hosts
|
||||
$INCLUDE sites-enabled/
|
|
@ -0,0 +1,62 @@
|
|||
authorize {
|
||||
preprocess
|
||||
chap
|
||||
mschap
|
||||
sim_files
|
||||
suffix
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
unix
|
||||
files
|
||||
expiration
|
||||
logintime
|
||||
pap
|
||||
}
|
||||
|
||||
authenticate {
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
unix
|
||||
eap
|
||||
}
|
||||
|
||||
preacct {
|
||||
preprocess
|
||||
acct_unique
|
||||
suffix
|
||||
files
|
||||
}
|
||||
|
||||
accounting {
|
||||
detail
|
||||
unix
|
||||
radutmp
|
||||
attr_filter.accounting_response
|
||||
}
|
||||
|
||||
session {
|
||||
radutmp
|
||||
}
|
||||
|
||||
post-auth {
|
||||
exec
|
||||
Post-Auth-Type REJECT {
|
||||
attr_filter.access_reject
|
||||
}
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
|
||||
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
|
||||
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
authby=eap
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
|
||||
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
|
||||
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
|
|
@ -0,0 +1 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file updown
|
||||
}
|
|
@ -0,0 +1,84 @@
|
|||
#!/sbin/runscript
|
||||
# Copyright 1999-2004 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
opts="start stop reload"
|
||||
|
||||
depend() {
|
||||
before net
|
||||
need logger
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting firewall"
|
||||
|
||||
# enable IP forwarding
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# default policy is DROP
|
||||
/sbin/iptables -P INPUT DROP
|
||||
/sbin/iptables -P OUTPUT DROP
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow RADIUS protocol with alice
|
||||
iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
||||
iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
|
||||
if [ $a == nat ]; then
|
||||
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||
elif [ $a == mangle ]; then
|
||||
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||
elif [ $a == filter ]; then
|
||||
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||
fi
|
||||
done
|
||||
eend $?
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Flushing firewall"
|
||||
for a in `cat /proc/net/ip_tables_names`; do
|
||||
/sbin/iptables -F -t $a
|
||||
/sbin/iptables -X -t $a
|
||||
done;
|
||||
eend $?
|
||||
start
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-eap
|
||||
authby=rsasig
|
||||
eap=radius
|
||||
left=PH_IP_MOON
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftid=@moon.strongswan.org
|
||||
leftcert=moonCert.pem
|
||||
leftfirewall=yes
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius updown
|
||||
plugins {
|
||||
eap_radius {
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
alice::/etc/init.d/radiusd stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,12 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
alice::cat /etc/raddb/clients.conf
|
||||
alice::cat /etc/raddb/eap.conf
|
||||
alice::cat /etc/raddb/proxy.conf
|
||||
alice::cat /etc/raddb/triplets.dat
|
||||
alice::/etc/init.d/radiusd start
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 1
|
||||
carol::ipsec up home
|
||||
carol::sleep 1
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice carol moon"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
Loading…
Reference in New Issue