Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers
parent
cf1696cab9
commit
654c88bca8
|
@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING).
|
|||
Limit new connections based on the number of jobs currently queued for
|
||||
processing (see IKE_SA_INIT DROPPING).
|
||||
.TP
|
||||
.BR charon.initiator_only " [no]"
|
||||
Causes charon daemon to ignore IKE initiation requests.
|
||||
.TP
|
||||
.BR charon.install_routes " [yes]"
|
||||
Install routes into a separate routing table for established IPsec tunnels
|
||||
.TP
|
||||
|
|
|
@ -148,6 +148,12 @@ struct private_receiver_t {
|
|||
* Delay response messages?
|
||||
*/
|
||||
bool receive_delay_response;
|
||||
|
||||
/**
|
||||
* Endpoint is allowed to act as an initiator only
|
||||
*/
|
||||
bool initiator_only;
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -541,7 +547,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
|
|||
if (message->get_request(message) &&
|
||||
message->get_exchange_type(message) == IKE_SA_INIT)
|
||||
{
|
||||
if (drop_ike_sa_init(this, message))
|
||||
if (this->initiator_only || drop_ike_sa_init(this, message))
|
||||
{
|
||||
message->destroy(message);
|
||||
return JOB_REQUEUE_DIRECT;
|
||||
|
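Review bot: When `this->initiator_only` short-circuits the condition `if (this->initiator_only || drop_ike_sa_init(this, message))`, the IKE_SA_INIT request is destroyed with no log output at all, so an operator who forgot that the option is set gets nothing on the responder side to explain why peers time out; whatever reporting drop_ike_sa_init does (it is outside the hunk) is skipped as well. A single debug line in that branch, using the file's existing DBG macros, e.g. `DBG1(DBG_NET, "ignoring IKE initiation request, initiator_only is set");`, would make the deliberate drop visible without changing behaviour. The same applies to the IKEv1 branch in the next hunk, where `id->get_responder_spi(id) == 0 && (this->initiator_only || ...)` drops silently in the same way. receive_packets starts and ends outside this hunk.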
@ -552,7 +558,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
|
|||
{
|
||||
id = message->get_ike_sa_id(message);
|
||||
if (id->get_responder_spi(id) == 0 &&
|
||||
drop_ike_sa_init(this, message))
|
||||
(this->initiator_only || drop_ike_sa_init(this, message)))
|
||||
{
|
||||
message->destroy(message);
|
||||
return JOB_REQUEUE_DIRECT;
|
||||
|
@ -650,6 +656,8 @@ receiver_t *receiver_create()
|
|||
"%s.receive_delay_request", TRUE, charon->name),
|
||||
this->receive_delay_response = lib->settings->get_bool(lib->settings,
|
||||
"%s.receive_delay_response", TRUE, charon->name),
|
||||
this->initiator_only = lib->settings->get_bool(lib->settings,
|
||||
"%s.initiator_only", FALSE, charon->name),
|
||||
|
||||
this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
|
||||
if (!this->hasher)
|
||||
|
|
|
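Review bot: The new assignment `this->initiator_only = lib->settings->get_bool(lib->settings, "%s.initiator_only", FALSE, charon->name),` ends with a comma, so it continues the comma-expression that the preceding `receive_delay_*` assignments already form rather than standing as its own statement. That compiles and evaluates in order, but a run of assignments chained by the comma operator is easy to misread, and a dropped terminator on any of them silently folds the next assignment into the same expression. Ending the line with `;` — `"%s.initiator_only", FALSE, charon->name);` — keeps it an independent statement; the earlier lines in the chain would want the same treatment for consistency. The statement run begins before the hunk and receiver_create continues after it.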
@ -0,0 +1,10 @@
|
|||
The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
|
||||
but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
|
||||
she ignores the repeated IKE requests sent by <b>dave</b>.
|
||||
<p/>
|
||||
After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
|
||||
connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
|
||||
the gateway <b>moon</b>.
|
|
@ -0,0 +1,8 @@
|
|||
dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
|
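Review bot: The expectations only show that dave gives up (`establishing IKE_SA failed, peer not responding`) and that carol's own tunnel to moon comes up; nothing asserts that carol actually ignored dave's request, so the test would also pass if carol had rejected or mishandled it for an unrelated reason. A negative check on carol, e.g. `carol::ipsec status 2> /dev/null::dave@strongswan.org::NO`, would pin the behaviour the option is meant to provide. The ikev2 variant of this file in the later hunk has the same gap.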
@ -0,0 +1,20 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
|
||||
initiator_only = yes
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn peer
|
||||
left=PH_IP_DAVE
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_CAROL
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
|
||||
retransmit_timeout = 2
|
||||
retransmit_base = 1.5
|
||||
retransmit_tries = 3
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekey=no
|
||||
keyexchange=ikev1
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 1
|
||||
dave::ipsec up peer
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
|
@ -0,0 +1,10 @@
|
|||
The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
|
||||
but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
|
||||
she ignores the repeated IKE requests sent by <b>dave</b>.
|
||||
<p/>
|
||||
After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
|
||||
connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
|
||||
the gateway <b>moon</b>.
|
|
@ -0,0 +1,8 @@
|
|||
dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
|
@ -0,0 +1,20 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
|
||||
initiator_only = yes
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn peer
|
||||
left=PH_IP_DAVE
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_CAROL
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
|
||||
retransmit_timeout = 2
|
||||
retransmit_base = 1.5
|
||||
retransmit_tries = 3
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekey=no
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 1
|
||||
dave::ipsec up peer
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|