testing: Converted tnc scenarios to swanctl
This commit is contained in:
parent
74270c8c86
commit
6aa7703122
@ -1,19 +1,18 @@
|
|||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
|
|
|
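Review bot: The responder-side checks `moon:: swanctl --list-sas --ike-id 1` and `moon:: swanctl --list-sas --ike-id 2` bind carol to IKE_SA 1 and dave to IKE_SA 2, which holds only because pretest.dat initiates carol before dave; the regexes already pin `remote-id=carol@strongswan.org` and `remote-id=dave@strongswan.org`, so the numeric ids add a hidden ordering dependency without adding coverage. The dependency should be stated in the scenario description (or as a comment on these lines, if the .dat format accepts one), e.g. `# carol must initiate before dave: moon's checks address her IKE_SA as --ike-id 1`. The log-line checks at the top of this section cannot be told old from new on the rendered page, so I take them as unchanged context.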
@ -0,0 +1,158 @@
|
|||
#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: charon
|
||||
# Required-Start: $remote_fs $syslog
|
||||
# Required-Stop: $remote_fs $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: strongSwan charon IKE daemon
|
||||
# Description: with swanctl the strongSwan charon daemon must be
|
||||
# running in the background
|
||||
### END INIT INFO
|
||||
|
||||
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||
#
|
||||
# Do NOT "set -e"
|
||||
|
||||
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||
DESC="strongSwan charon IKE daemon"
|
||||
NAME=charon
|
||||
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||
DAEMON_ARGS=""
|
||||
PIDFILE=/var/run/$NAME.pid
|
||||
SCRIPTNAME=/etc/init.d/charon
|
||||
|
||||
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||
|
||||
# Exit if the package is not installed
|
||||
[ -x "$DAEMON" ] || exit 0
|
||||
|
||||
# Read configuration variable file if it is present
|
||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||
|
||||
# Load the VERBOSE setting and other rcS variables
|
||||
. /lib/init/vars.sh
|
||||
|
||||
# Define LSB log_* functions.
|
||||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||
# and status_of_proc is working.
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
#
|
||||
# Function that starts the daemon/service
|
||||
#
|
||||
do_start()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been started
|
||||
# 1 if daemon was already running
|
||||
# 2 if daemon could not be started
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||
|| return 1
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||
$DAEMON_ARGS \
|
||||
|| return 2
|
||||
# Add code here, if necessary, that waits for the process to be ready
|
||||
# to handle requests from services started subsequently which depend
|
||||
# on this one. As a last resort, sleep for some time.
|
||||
}
|
||||
|
||||
#
|
||||
# Function that stops the daemon/service
|
||||
#
|
||||
do_stop()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been stopped
|
||||
# 1 if daemon was already stopped
|
||||
# 2 if daemon could not be stopped
|
||||
# other if a failure occurred
|
||||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||
RETVAL="$?"
|
||||
[ "$RETVAL" = 2 ] && return 2
|
||||
# Wait for children to finish too if this is a daemon that forks
|
||||
# and if the daemon is only ever run from this initscript.
|
||||
# If the above conditions are not satisfied then add some other code
|
||||
# that waits for the process to drop all resources that could be
|
||||
# needed by services started subsequently. A last resort is to
|
||||
# sleep for some time.
|
||||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||
[ "$?" = 2 ] && return 2
|
||||
# Many daemons don't delete their pidfiles when they exit.
|
||||
rm -f $PIDFILE
|
||||
return "$RETVAL"
|
||||
}
|
||||
|
||||
#
|
||||
# Function that sends a SIGHUP to the daemon/service
|
||||
#
|
||||
do_reload() {
|
||||
#
|
||||
# If the daemon can reload its configuration without
|
||||
# restarting (for example, when it is sent a SIGHUP),
|
||||
# then implement that here.
|
||||
#
|
||||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||
do_start
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
stop)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
status)
|
||||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||
;;
|
||||
#reload|force-reload)
|
||||
#
|
||||
# If do_reload() is not implemented then leave this commented out
|
||||
# and leave 'force-reload' as an alias for 'restart'.
|
||||
#
|
||||
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||
#do_reload
|
||||
#log_end_msg $?
|
||||
#;;
|
||||
restart|force-reload)
|
||||
#
|
||||
# If the "reload" option is implemented then remove the
|
||||
# 'force-reload' alias
|
||||
#
|
||||
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1)
|
||||
do_start
|
||||
case "$?" in
|
||||
0) log_end_msg 0 ;;
|
||||
1) log_end_msg 1 ;; # Old process is still running
|
||||
*) log_end_msg 1 ;; # Failed to start
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
# Failed to stop
|
||||
log_end_msg 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
|
||||
:
|
|
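Review bot: `do_start` launches charon with `--background --pidfile $PIDFILE` but no `--make-pidfile`, so both the `--test` pre-check and `do_stop` depend on charon itself writing `/var/run/charon.pid`; with `DAEMON=/usr/local/libexec/ipsec/charon` the build's piddir defaults to `${localstatedir}/run` unless it was configured otherwise, and if that is not `/var/run`, `--test` never sees the running daemon and every `start` launches a second charon. If the test build does put the pidfile there, a comment saying so would save the next reader a trip to the daemon source: `# charon writes $PIDFILE itself (piddir must be /var/run); start-stop-daemon --test relies on it`. This 158-line script is also added byte-for-byte for the other two guests, so any later fix (including the `strongswa.org` typo in the author line) must be made three times; a single shared copy would be preferable if the harness has a shared host tree, which I cannot see from the diff.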
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -1,13 +1,29 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
|
|
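Review bot: The `libtls { suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 }` block is new in this hunk (the old side has 13 lines and ends with the `charon { … }` section) and pins the EAP-TTLS tunnel to a single non-AEAD CBC suite without saying why; presumably it keeps the TTLS handshake reproducible for the test, but a reader could equally take it for a hardening or a workaround. A one-line comment would settle it, e.g. `# single suite so the TTLS handshake is deterministic for the test; not a hardening choice`. The `start-scripts` names `creds`/`conns` look order-sensitive; on this EAP-only client nothing in the connection needs a certificate at load time, so it is harmless here, but a comment noting that would stop someone reordering them.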
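--- /dev/null
+++ b/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+home {
+local_addrs = 192.168.0.100
+remote_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = carol@strongswan.org
+}
+remote {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = 10.1.0.0/16
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+}
+
+secrets {
+
+eap {
+id = carol@strongswan.org
+secret = "Ar3etTnp"
+}
+}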
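Review bot: The EAP password `"Ar3etTnp"` now lives in the `secrets { eap { … } }` block of the main swanctl.conf, whereas before it sat in ipsec.secrets, which is conventionally root-only; the mode the harness gives swanctl.conf is not visible here, so whether the secret became readable to other users on the guest depends on how the host tree is copied. Keeping the secret in a separate file with restricted permissions and pulling it in via `include conf.d/*.conf` (or at least documenting that swanctl.conf must be 0600) preserves the old property. Also worth a comment next to `remote { auth = eap-ttls }` together with `send_certreq = no`: moon is authenticated only through the TLS server certificate inside EAP-TTLS, which is presumably why pretest can delete carol's own key and certificate but must leave the CA under /etc/swanctl/x509ca in place.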
@ -0,0 +1,158 @@
|
|||
#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: charon
|
||||
# Required-Start: $remote_fs $syslog
|
||||
# Required-Stop: $remote_fs $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: strongSwan charon IKE daemon
|
||||
# Description: with swanctl the strongSwan charon daemon must be
|
||||
# running in the background
|
||||
### END INIT INFO
|
||||
|
||||
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||
#
|
||||
# Do NOT "set -e"
|
||||
|
||||
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||
DESC="strongSwan charon IKE daemon"
|
||||
NAME=charon
|
||||
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||
DAEMON_ARGS=""
|
||||
PIDFILE=/var/run/$NAME.pid
|
||||
SCRIPTNAME=/etc/init.d/charon
|
||||
|
||||
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||
|
||||
# Exit if the package is not installed
|
||||
[ -x "$DAEMON" ] || exit 0
|
||||
|
||||
# Read configuration variable file if it is present
|
||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||
|
||||
# Load the VERBOSE setting and other rcS variables
|
||||
. /lib/init/vars.sh
|
||||
|
||||
# Define LSB log_* functions.
|
||||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||
# and status_of_proc is working.
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
#
|
||||
# Function that starts the daemon/service
|
||||
#
|
||||
do_start()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been started
|
||||
# 1 if daemon was already running
|
||||
# 2 if daemon could not be started
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||
|| return 1
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||
$DAEMON_ARGS \
|
||||
|| return 2
|
||||
# Add code here, if necessary, that waits for the process to be ready
|
||||
# to handle requests from services started subsequently which depend
|
||||
# on this one. As a last resort, sleep for some time.
|
||||
}
|
||||
|
||||
#
|
||||
# Function that stops the daemon/service
|
||||
#
|
||||
do_stop()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been stopped
|
||||
# 1 if daemon was already stopped
|
||||
# 2 if daemon could not be stopped
|
||||
# other if a failure occurred
|
||||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||
RETVAL="$?"
|
||||
[ "$RETVAL" = 2 ] && return 2
|
||||
# Wait for children to finish too if this is a daemon that forks
|
||||
# and if the daemon is only ever run from this initscript.
|
||||
# If the above conditions are not satisfied then add some other code
|
||||
# that waits for the process to drop all resources that could be
|
||||
# needed by services started subsequently. A last resort is to
|
||||
# sleep for some time.
|
||||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||
[ "$?" = 2 ] && return 2
|
||||
# Many daemons don't delete their pidfiles when they exit.
|
||||
rm -f $PIDFILE
|
||||
return "$RETVAL"
|
||||
}
|
||||
|
||||
#
|
||||
# Function that sends a SIGHUP to the daemon/service
|
||||
#
|
||||
do_reload() {
|
||||
#
|
||||
# If the daemon can reload its configuration without
|
||||
# restarting (for example, when it is sent a SIGHUP),
|
||||
# then implement that here.
|
||||
#
|
||||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||
do_start
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
stop)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
status)
|
||||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||
;;
|
||||
#reload|force-reload)
|
||||
#
|
||||
# If do_reload() is not implemented then leave this commented out
|
||||
# and leave 'force-reload' as an alias for 'restart'.
|
||||
#
|
||||
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||
#do_reload
|
||||
#log_end_msg $?
|
||||
#;;
|
||||
restart|force-reload)
|
||||
#
|
||||
# If the "reload" option is implemented then remove the
|
||||
# 'force-reload' alias
|
||||
#
|
||||
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1)
|
||||
do_start
|
||||
case "$?" in
|
||||
0) log_end_msg 0 ;;
|
||||
1) log_end_msg 1 ;; # Old process is still running
|
||||
*) log_end_msg 1 ;; # Failed to start
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
# Failed to stop
|
||||
log_end_msg 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
|
||||
:
|
|
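Review bot: `do_reload` sends SIGHUP via `start-stop-daemon --stop --signal 1`, but the `reload|force-reload)` case that would call it is commented out and `force-reload` is routed to restart, so the function is dead code; as far as I recall charon only logs SIGHUP as ignored, so the header comment `# Function that sends a SIGHUP to the daemon/service` describes something this daemon would not act on anyway. Either remove `do_reload`, or make it do what a swanctl-driven charon actually needs and enable the case, e.g. `/usr/local/sbin/swanctl --load-creds && /usr/local/sbin/swanctl --load-conns`. This copy is identical to the scripts added for carol and moon in the same commit.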
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -1,13 +1,29 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
|
|
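Review bot: The new `load` line keeps `x509 revocation curl` on a client whose own certificate and key are deleted by pretest.dat, which invites a later "cleanup"; as far as I can tell they are still required, because moon's EAP-TTLS server certificate is validated through the credential manager and its revocation plugins, not through IKE. A comment on the line would protect that, e.g. `# x509/revocation/curl are needed to validate moon's TTLS server certificate, even though dave has no certificate of his own`. The rest of the file mirrors carol's strongswan.conf, including the newly added `libtls { suites = … }` pin.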
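--- /dev/null
+++ b/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+home {
+local_addrs = 192.168.0.200
+remote_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = dave@strongswan.org
+}
+remote {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = 10.1.0.0/16
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+}
+
+secrets {
+
+eap {
+id = dave@strongswan.org
+secret = "W7R0g3do"
+}
+}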
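Review bot: `remote_ts = 10.1.0.0/16` in child `home` requests far more than moon will grant, and the evaluate file expects dave to end up on `10.1.0.16/28`; that narrowing is done by the responder, selected by the `groups = isolate` match on moon's `rw-isolate`, and nothing in this file hints at it. A comment such as `# moon narrows this to 10.1.0.0/28 (allow) or 10.1.0.16/28 (isolate) according to the TNC recommendation` would tie the client config to the expected outcome. As with carol, the EAP secret `"W7R0g3do"` moved from ipsec.secrets into the main swanctl.conf, whose file mode is not visible in the diff.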
@ -0,0 +1,158 @@
|
|||
#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: charon
|
||||
# Required-Start: $remote_fs $syslog
|
||||
# Required-Stop: $remote_fs $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: strongSwan charon IKE daemon
|
||||
# Description: with swanctl the strongSwan charon daemon must be
|
||||
# running in the background
|
||||
### END INIT INFO
|
||||
|
||||
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||
#
|
||||
# Do NOT "set -e"
|
||||
|
||||
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||
DESC="strongSwan charon IKE daemon"
|
||||
NAME=charon
|
||||
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||
DAEMON_ARGS=""
|
||||
PIDFILE=/var/run/$NAME.pid
|
||||
SCRIPTNAME=/etc/init.d/charon
|
||||
|
||||
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||
|
||||
# Exit if the package is not installed
|
||||
[ -x "$DAEMON" ] || exit 0
|
||||
|
||||
# Read configuration variable file if it is present
|
||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||
|
||||
# Load the VERBOSE setting and other rcS variables
|
||||
. /lib/init/vars.sh
|
||||
|
||||
# Define LSB log_* functions.
|
||||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||
# and status_of_proc is working.
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
#
|
||||
# Function that starts the daemon/service
|
||||
#
|
||||
do_start()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been started
|
||||
# 1 if daemon was already running
|
||||
# 2 if daemon could not be started
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||
|| return 1
|
||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||
$DAEMON_ARGS \
|
||||
|| return 2
|
||||
# Add code here, if necessary, that waits for the process to be ready
|
||||
# to handle requests from services started subsequently which depend
|
||||
# on this one. As a last resort, sleep for some time.
|
||||
}
|
||||
|
||||
#
|
||||
# Function that stops the daemon/service
|
||||
#
|
||||
do_stop()
|
||||
{
|
||||
# Return
|
||||
# 0 if daemon has been stopped
|
||||
# 1 if daemon was already stopped
|
||||
# 2 if daemon could not be stopped
|
||||
# other if a failure occurred
|
||||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||
RETVAL="$?"
|
||||
[ "$RETVAL" = 2 ] && return 2
|
||||
# Wait for children to finish too if this is a daemon that forks
|
||||
# and if the daemon is only ever run from this initscript.
|
||||
# If the above conditions are not satisfied then add some other code
|
||||
# that waits for the process to drop all resources that could be
|
||||
# needed by services started subsequently. A last resort is to
|
||||
# sleep for some time.
|
||||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||
[ "$?" = 2 ] && return 2
|
||||
# Many daemons don't delete their pidfiles when they exit.
|
||||
rm -f $PIDFILE
|
||||
return "$RETVAL"
|
||||
}
|
||||
|
||||
#
|
||||
# Function that sends a SIGHUP to the daemon/service
|
||||
#
|
||||
do_reload() {
|
||||
#
|
||||
# If the daemon can reload its configuration without
|
||||
# restarting (for example, when it is sent a SIGHUP),
|
||||
# then implement that here.
|
||||
#
|
||||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||
do_start
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
stop)
|
||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||
esac
|
||||
;;
|
||||
status)
|
||||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||
;;
|
||||
#reload|force-reload)
|
||||
#
|
||||
# If do_reload() is not implemented then leave this commented out
|
||||
# and leave 'force-reload' as an alias for 'restart'.
|
||||
#
|
||||
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||
#do_reload
|
||||
#log_end_msg $?
|
||||
#;;
|
||||
restart|force-reload)
|
||||
#
|
||||
# If the "reload" option is implemented then remove the
|
||||
# 'force-reload' alias
|
||||
#
|
||||
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||
do_stop
|
||||
case "$?" in
|
||||
0|1)
|
||||
do_start
|
||||
case "$?" in
|
||||
0) log_end_msg 0 ;;
|
||||
1) log_end_msg 1 ;; # Old process is still running
|
||||
*) log_end_msg 1 ;; # Failed to start
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
# Failed to stop
|
||||
log_end_msg 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
|
||||
:
|
|
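Review bot: The second stop in `do_stop`, `start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON`, matches every process whose executable is `/usr/local/libexec/ipsec/charon`, not just the PID in the pidfile, so `service charon stop` would also kill a charon someone started by hand on the same host. On a test guest that is harmless and it looks like the stock Debian skeleton, but a comment marking the broad match as intentional would stop this being copied into a production host tree unchanged: `# second pass kills any stray charon by executable, not only the pidfile's PID`. Same script as added for carol and dave.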
@ -1,34 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
|
@ -1,6 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -1,10 +1,22 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
||||
|
||||
multiple_authentication = no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
|
@ -17,3 +29,7 @@ charon {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
|
|
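Review bot: On moon the new `start-scripts { creds = … --load-creds; conns = … --load-conns }` is now the only thing that loads moonKey.pem/moonCert.pem (the removed ipsec.secrets line `: RSA moonKey.pem` named the key explicitly), so the private key is loaded without being mentioned anywhere in config. If charon runs start-scripts in alphabetical order of their names rather than file order, `conns` would run before `creds`; harmless here because the TTLS server certificate is looked up at handshake time, but a comment, or a single `swanctl --load-all` entry if the installed swanctl supports it, would remove the question. The second hunk adds the same `libtls { suites = … }` pin as on the clients; it deserves the same one-line justification.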
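--- /dev/null
+++ b/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+rw-allow {
+local_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+remote {
+auth = eap-ttls
+id = *@strongswan.org
+groups = allow
+}
+children {
+rw-allow {
+local_ts = 10.1.0.0/28
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+
+rw-isolate {
+local_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+remote {
+auth = eap-ttls
+id = *@strongswan.org
+groups = isolate
+}
+children {
+rw-isolate {
+local_ts = 10.1.0.16/28
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+}
+
+secrets {
+
+eap-carol {
+id = carol@strongswan.org
+secret = "Ar3etTnp"
+}
+eap-dave {
+id = dave@strongswan.org
+secret = "W7R0g3do"
+}
+}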
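Review bot: Both connections' `local { auth = eap-ttls` / `id = moon.strongswan.org }` carry no `certs =`, while the removed ipsec.conf named `leftcert=moonCert.pem`; the TTLS server certificate is presumably found because `swanctl --load-creds` picks up whatever sits under /etc/swanctl/x509 and rsa and libtls selects it by the local id, which turns the directory contents into an invisible dependency. Adding `certs = moonCert.pem` to the `local` section of `rw-allow` and `rw-isolate` (or a comment stating the lookup) would make it explicit. Both users' EAP secrets are now in this main file as well; see the note on the client configs about its file mode.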
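--- a/posttest.dat
+++ b/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush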
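--- a/pretest.dat
+++ b/pretest.dat
@@ -6,11 +6,15 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 moon::expect-connection rw-allow
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null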
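Review bot: `carol::rm /etc/swanctl/rsa/*` and its three sibling lines delete the clients' private keys and certificates so that only EAP-TTLS can authenticate them, while leaving /etc/swanctl/x509ca untouched so moon's TTLS server certificate can still be validated; nothing in the scenario states that intent, and posttest.dat does not restore the files. If the harness re-provisions each guest's /etc from the host tree before every scenario this is fine, but that is not visible from the diff; a sentence in the scenario description, or a comment on these lines if the .dat format allows one, would make the dependency explicit, e.g. `# drop carol/dave's own key+cert: they must authenticate via EAP-TTLS only; keep x509ca for validating moon`. The order `carol::swanctl --initiate` before dave's is also what makes moon's evaluate checks for `--ike-id 1` and `--ike-id 2` match.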
@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave"
|
|||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
|
||||
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
|
||||
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
|
|
|
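Review bot: The new negative check `moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO` assumes dave's rejected attempt is IKE_SA 2; it passes trivially whenever id 2 does not exist, so it cannot tell "dave was blocked" from "dave never connected", and if the scenario ever retried, a surviving SA could land on id 3 and go unnoticed. A check keyed on the identity rather than the id is what the block test actually wants, e.g. `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO`, which is also how `dave:: swanctl --list-sas --raw 2> /dev/null::home::NO` already phrases it on dave's side. The log-line checks at the top cannot be told old from new on the rendered page, so I take them as unchanged.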
@ -15,6 +15,19 @@ session {
|
|||
}
|
||||
|
||||
post-auth {
|
||||
if (control:TNC-Status == "Access") {
|
||||
update reply {
|
||||
Tunnel-Type := ESP
|
||||
Filter-Id := "allow"
|
||||
}
|
||||
}
|
||||
elsif (control:TNC-Status == "Isolate") {
|
||||
update reply {
|
||||
Tunnel-Type := ESP
|
||||
Filter-Id := "isolate"
|
||||
}
|
||||
}
|
||||
|
||||
Post-Auth-Type REJECT {
|
||||
attr_filter.access_reject
|
||||
}
|
||||
|
|
|
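Review bot: The new `post-auth` block sets `Filter-Id` only when `control:TNC-Status` is `Access` or `Isolate`; a request where TNC-Status is unset or holds any other value falls through and is still an Access-Accept, just without a group, so enforcement moves to the `groups = allow|isolate` matching on moon instead of living where the TNC decision is made. Unless the authorize section outside this hunk already rejects such requests, an explicit final branch closes that path: `else { reject }` (which then takes the `Post-Auth-Type REJECT` path added below). `Tunnel-Type := ESP` is set in both branches without a comment; if it only satisfies a dictionary or client expectation, a one-liner saying so would help.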
@ -1,12 +1,12 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
debug_level = 3
|
||||
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||
debug_level = 3
|
||||
assessment_result = no
|
||||
plugins {
|
||||
imv-scanner {
|
||||
closed_port_policy = no
|
||||
tcp_ports = 80 443
|
||||
}
|
||||
imv-test {
|
||||
rounds = 1
|
||||
}
|
||||
}
|
||||
}
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = carol@strongswan.org
|
||||
secret = "Ar3etTnp"
|
||||
}
|
||||
}
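Review bot: The AAA server identity that carol verifies inside EAP-TTLS changes form on the `aaa_id = aaa.strongswan.org` line: the replaced ipsec.conf matched the certificate's subject DN (`C=CH, O=Linux strongSwan, CN=aaa.strongswan.org`), whereas an FQDN is presumably matched against a subjectAltName, so the RADIUS server's TLS certificate is only authenticated if aaaCert carries that dNSName, which is not visible in this commit. If the intent was to keep the DN match, the old string can be carried over verbatim as `aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"`. The `EAP method EAP_TTLS succeeded` evaluation line would fail loudly on a mismatch, so the test does cover whichever form is chosen.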
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
@ -14,6 +27,9 @@ charon {
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
command = none
|
||||
}
|
||||
imc-scanner {
|
||||
push_info = no
|
||||
}
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = dave@strongswan.org
|
||||
secret = "W7R0g3do"
|
||||
}
|
||||
}
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
@ -1,12 +1,19 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
server = 10.1.0.10
|
||||
filter_id = yes
|
||||
}
|
||||
}
|
||||
}
@ -0,0 +1,27 @@
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
certs = moonCert.pem
|
||||
}
|
||||
remote {
|
||||
auth = eap-radius
|
||||
id = *@strongswan.org
|
||||
}
|
||||
children {
|
||||
rw {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
@ -1,9 +1,8 @@
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::service charon stop
|
||||
dave::service charon stop
|
||||
moon::service charon stop
|
||||
alice::killall radiusd
|
||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
dave::/etc/init.d/apache2 stop 2> /dev/null
@ -1,14 +1,20 @@
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
dave::/etc/init.d/apache2 start 2> /dev/null
|
||||
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
alice::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
carol::rm /etc/swanctl/rsa/*
|
||||
dave::rm /etc/swanctl/rsa/*
|
||||
carol::rm /etc/swanctl/x509/*
|
||||
dave::rm /etc/swanctl/x509/*
|
||||
moon::service charon start
|
||||
carol::service charon start
|
||||
dave::service charon start
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
dave::swanctl --initiate --child home
@ -5,11 +5,11 @@
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
#
|
||||
RADIUSHOSTS="alice"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
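Review bot: The final `::NO` ping lines only check that a success line is absent, so they also pass when ping prints nothing useful at all (a changed iputils output format, a wrong placeholder, or dave's tunnel not being up), which would silently drop the only assertion that the isolate subnet cannot reach alice; matching the expected failure instead, e.g. `dave:: ping -c 1 -W 1 PH_IP_ALICE::100% packet loss::YES`, keeps the segregation check positive. The `icmp_req=1` positive checks above would still fail loudly on a format change, so the weakness is confined to the negative lines. Separately, the `--ike-id 1`/`--ike-id 2` lookups on moon tie these assertions to carol initiating before dave in pretest; if that order ever changes, the rw-allow and rw-isolate checks swap.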
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
@ -1,21 +1,26 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
command = allow
|
||||
}
|
||||
}
|
||||
}
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = carol@strongswan.org
|
||||
secret = "Ar3etTnp"
|
||||
}
|
||||
}
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
@ -1,26 +1,27 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
retransmit_tries = 5
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
command = allow
|
||||
}
|
||||
imc-scanner {
|
||||
push_info = no
|
||||
}
|
||||
}
|
||||
}
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = dave@strongswan.org
|
||||
secret = "W7R0g3do"
|
||||
}
|
||||
}
@ -1,33 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
@ -1,12 +1,18 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
||||
load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
server = 10.1.0.10
|
||||
filter_id = yes
|
||||
}
|
||||
}
@ -0,0 +1,53 @@
connections {
|
||||
|
||||
rw-allow {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
certs = moonCert.pem
|
||||
}
|
||||
remote {
|
||||
auth = eap-radius
|
||||
id = *@strongswan.org
|
||||
groups = allow
|
||||
}
|
||||
children {
|
||||
rw-allow {
|
||||
local_ts = 10.1.0.0/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
|
||||
rw-isolate {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-radius
|
||||
id = *@strongswan.org
|
||||
groups = isolate
|
||||
}
|
||||
children {
|
||||
rw-isolate {
|
||||
local_ts = 10.1.0.16/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
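Review bot: `rw-isolate` declares the same local identity as `rw-allow` but omits `certs = moonCert.pem`, so the certificate moon signs with for isolated peers is chosen implicitly from whatever is loaded under that identity rather than pinned as it is in `rw-allow`; since the two connections are otherwise mirror images, add `certs = moonCert.pem` to the `local` section of `rw-isolate` as well. This also keeps the selection deterministic if a second certificate for moon.strongswan.org is ever loaded on this host.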
@ -1,6 +1,6 @@
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::service charon stop
|
||||
dave::service charon stop
|
||||
moon::service charon stop
|
||||
alice::killall radiusd
|
||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
alice::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
dave::ipsec start
|
||||
carol::ipsec start
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
carol::rm /etc/swanctl/rsa/*
|
||||
dave::rm /etc/swanctl/rsa/*
|
||||
carol::rm /etc/swanctl/x509/*
|
||||
dave::rm /etc/swanctl/x509/*
|
||||
moon::service charon start
|
||||
carol::service charon start
|
||||
dave::service charon start
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home
|
||||
dave::expect-connection home
|
||||
dave::swanctl --initiate --child home
|
||||
alice::ipsec attest --sessions
|
||||
alice::ipsec attest --devices
@ -27,3 +27,7 @@ RADIUSHOSTS="alice"
# Guest instances on which databases are used
|
||||
#
|
||||
DBHOSTS="alice"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
@ -1,19 +1,18 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
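Review bot: The negative ping checks at the end assert only the absence of a `64 bytes from` line, so a tunnel that never came up, or a ping whose output format differs from `icmp_req=1`, satisfies them without proving that the isolate subnet is cut off from alice; a positive match on the failure, e.g. `dave:: ping -c 1 -W 1 PH_IP_ALICE::100% packet loss::YES`, would make the segregation an explicit check. The positive checks above would still catch a format change, so only the negative lines are affected.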
@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||
debug_level = 3
|
||||
assessment_result = no
|
||||
plugins {
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = carol@strongswan.org
|
||||
secret = "Ar3etTnp"
|
||||
}
|
||||
}
@ -1,23 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightauth=pubkey
|
||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
||||
auto=add
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
@ -1,10 +1,23 @@
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
@ -0,0 +1,35 @@
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap
|
||||
aaa_id = aaa.strongswan.org
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = dave@strongswan.org
|
||||
secret = "W7R0g3do"
|
||||
}
|
||||
}
@ -1,33 +0,0 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
@ -1,3 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
@ -1,12 +1,18 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
server = 10.1.0.10
|
||||
filter_id = yes
|
||||
}
|
||||
}
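Review bot: `server = 10.1.0.10` hard-wires alice's address where the replaced line used the `PH_IP_ALICE` placeholder, while the evaltest and iptables rules elsewhere in this commit still use `PH_IP_ALICE`; if the harness still substitutes placeholders in strongswan.conf, keeping `server = PH_IP_ALICE` keeps this scenario consistent with the others and robust to a renumbered test network. If files under the swanctl layout are deliberately excluded from substitution, a comment at that line saying so would stop the next conversion from "fixing" it back. The RADIUS `secret` on the line above is a test fixture value; it is fine here but the file header could say so, since it is the only thing protecting the Filter-Id that selects the allow/isolate group.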
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
connections {
|
||||
|
||||
rw-allow {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
certs = moonCert.pem
|
||||
}
|
||||
remote {
|
||||
auth = eap-radius
|
||||
id = *@strongswan.org
|
||||
groups = allow
|
||||
}
|
||||
children {
|
||||
rw-allow {
|
||||
local_ts = 10.1.0.0/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
|
||||
rw-isolate {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-radius
|
||||
id = *@strongswan.org
|
||||
groups = isolate
|
||||
}
|
||||
children {
|
||||
rw-isolate {
|
||||
local_ts = 10.1.0.16/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
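Review bot: `rw-isolate` omits the `certs = moonCert.pem` line that `rw-allow` has in its otherwise identical `local` block, so the certificate moon presents on the isolate connection is whatever `--load-creds` happened to match to `moon.strongswan.org` rather than the pinned one; add `certs = moonCert.pem` under `local` in `rw-isolate` so both connections are explicit. Presumably it works today because only one moon certificate is loaded, but the explicit pin also keeps a later added certificate from silently changing which key signs the AUTH payload.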
|
|
@ -1,6 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::service charon stop
|
||||
dave::service charon stop
|
||||
moon::service charon stop
|
||||
alice::killall radiusd
|
||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
|
|
|
@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
|
|||
alice::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::rm /etc/swanctl/rsa/*
|
||||
dave::rm /etc/swanctl/rsa/*
|
||||
carol::rm /etc/swanctl/x509/*
|
||||
dave::rm /etc/swanctl/x509/*
|
||||
moon::service charon start
|
||||
carol::service charon start
|
||||
dave::service charon start
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
dave::swanctl --initiate --child home
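Review bot: The four `rm /etc/swanctl/rsa/*` and `rm /etc/swanctl/x509/*` lines carry no `-f`, so whenever a directory is already empty the unexpanded glob makes rm write an error into the test log; `rm -f /etc/swanctl/rsa/* /etc/swanctl/x509/*` per host is quieter and idempotent. Presumably the intent is that the EAP-only clients must hold no private key or certificate that `swanctl --load-creds` could pick up instead of the EAP secret — if so, that is worth stating in the scenario description, because the same deletion is repeated in the other converted pretest. Also `carol::swanctl --initiate --child home` here keeps stderr while the other converted pretest appends `2> /dev/null`; pick one so initiate failures are either visible in both logs or in neither.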
|
||||
|
|
|
@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
|
|||
#
|
||||
RADIUSHOSTS="alice"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||
debug_level = 3
|
||||
assessment_result = no
|
||||
plugins {
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
@ -1 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
@ -1,6 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||
debug_level = 3
|
||||
plugins {
|
||||
imc-test {
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
# The strongSwan IMCs are loaded by the WPA supplicant
|
|
@ -1 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
@ -1 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
@ -1,6 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
libimcv {
|
||||
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||
debug_level = 3
|
||||
plugins {
|
||||
imc-test {
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
# The strongSwan IMCs are loaded by the WPA supplicant
|
|
@ -1,33 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
rightauth=eap-radius
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
|
@ -1,32 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow RADIUS protocol with alice
|
||||
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
||||
|
||||
COMMIT
|
|
@ -1,13 +0,0 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-radius {
|
||||
secret = gv6URkSs
|
||||
server = PH_IP_ALICE
|
||||
filter_id = yes
|
||||
}
|
||||
}
|
||||
}
|
|
@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png"
|
|||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
TCPDUMPHOSTS=
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
IPSECHOSTS="carol dave"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS="alice"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
|
@ -1,19 +1,18 @@
|
|||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
|
||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
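Review bot: The two moon checks select IKE_SAs by `--ike-id 1` and `--ike-id 2`, which only holds if carol initiates first, dave second, and neither SA is renumbered by a retry or reauthentication before evaluation; selecting by name, `moon:: swanctl --list-sas --ike rw-allow --raw 2> /dev/null::...` and `--ike rw-isolate`, asserts the same thing the regex already encodes without depending on ordering. The reworked negative pings now match the address they actually probe, so they fail when isolation is broken instead of passing vacuously; that is the check that proves the isolate group cannot reach alice.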
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -1,10 +1,23 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
|
@ -12,6 +25,10 @@ charon {
|
|||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
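Review bot: `suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` pins the EAP-TTLS tunnel to a single CBC cipher suite without saying why; presumably this is to make the handshake deterministic for the test, and if so a comment such as `# single suite so the TLS handshake inside EAP-TTLS is reproducible in the test` would stop someone from reading it as a recommended production setting. If libtls in this tree supports an AEAD suite, an AES-GCM entry would avoid the CBC MAC-then-encrypt construction, but that should be checked against the libtls version rather than assumed. The same line is added to dave's and moon's strongswan.conf further down, so whatever is decided should be applied to all three.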
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap-ttls
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-ttls
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = carol@strongswan.org
|
||||
secret = "Ar3etTnp"
|
||||
}
|
||||
}
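Review bot: `remote_ts = 10.1.0.0/16` requests the whole site while the evaltest expects the established CHILD_SA to carry only `10.1.0.0/28`, and nothing in the file says the narrowing is moon's decision; a comment `# moon narrows this to 10.1.0.0/28 or 10.1.0.16/28 according to the TNC recommendation` next to it would make the intended behaviour visible. With `remote { auth = eap-ttls }` and `send_certreq = no`, moon's identity rests entirely on the server certificate seen inside the EAP-TTLS tunnel, so a second comment noting which CA store is the remaining trust anchor after pretest removes `/etc/swanctl/x509/*` would help — presumably `/etc/swanctl/x509ca`, which this hunk does not show.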
|
|
@ -1,23 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,3 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -1,10 +1,23 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||
|
||||
multiple_authentication=no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imc = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-1.1
|
||||
|
@ -12,6 +25,10 @@ charon {
|
|||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap-ttls
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-ttls
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap {
|
||||
id = dave@strongswan.org
|
||||
secret = "W7R0g3do"
|
||||
}
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imv 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
|
@ -1,6 +0,0 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -1,10 +1,23 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
||||
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
||||
|
||||
multiple_authentication = no
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
syslog {
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
daemon {
|
||||
tnc = 3
|
||||
imv = 3
|
||||
}
|
||||
}
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
|
@ -18,6 +31,10 @@ charon {
|
|||
}
|
||||
}
|
||||
|
||||
libtls {
|
||||
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imv-test {
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
connections {
|
||||
|
||||
rw-allow {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap-ttls
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-ttls
|
||||
id = *@strongswan.org
|
||||
groups = allow
|
||||
}
|
||||
children {
|
||||
rw-allow {
|
||||
local_ts = 10.1.0.0/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
|
||||
rw-isolate {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = eap-ttls
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = eap-ttls
|
||||
id = *@strongswan.org
|
||||
groups = isolate
|
||||
}
|
||||
children {
|
||||
rw-isolate {
|
||||
local_ts = 10.1.0.16/28
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
send_certreq = no
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
eap-carol {
|
||||
id = carol@strongswan.org
|
||||
secret = "Ar3etTnp"
|
||||
}
|
||||
eap-dave {
|
||||
id = dave@strongswan.org
|
||||
secret = "W7R0g3do"
|
||||
}
|
||||
}
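Review bot: `rw-allow` and `rw-isolate` differ only in `groups` and `local_ts`, and nothing in the file says that `groups` is what turns the TNC verdict into the subnet a client may reach; a comment above `rw-allow` such as `# connection is selected by the group membership derived from the TNCCS recommendation (allow / isolate); local_ts is the subnet that verdict grants` documents the access-control decision point that the evaltest exercises via `added group membership 'allow'`. Also neither `local` block names a certificate, unlike moon's swanctl.conf in the RADIUS scenario, so the EAP-TTLS server certificate is whichever loaded certificate matches `moon.strongswan.org`; pinning it with `certs = moonCert.pem` in each `local` block is a one-line change.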
|
|
@ -1,6 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::service charon stop
|
||||
dave::service charon stop
|
||||
moon::service charon stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
|
@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
|
|||
moon::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::rm /etc/swanctl/rsa/*
|
||||
dave::rm /etc/swanctl/rsa/*
|
||||
carol::rm /etc/swanctl/x509/*
|
||||
dave::rm /etc/swanctl/x509/*
|
||||
moon::service charon start
|
||||
carol::service charon start
|
||||
dave::service charon start
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave"
|
|||
#
|
||||
RADIUSHOSTS=
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
||||
|
|