testing: Converted tnc scenarios to swanctl
parent
74270c8c86
commit
6aa7703122
@ -1,19 +1,18 @@
|
||||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
|
||||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
|
||||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||||
|
|
||||||
|
|
|
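Review bot: The two new moon-side checks select the IKE_SA by number, `moon:: swanctl --list-sas --ike-id 1 --raw` for rw-allow and `--ike-id 2` for rw-isolate, which ties the test to carol's SA always being established first and never being re-created during the run; the regex already names the connection, so filtering by name is the robust form, e.g. `moon:: swanctl --list-sas --ike rw-allow --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED ...::YES` and likewise `--ike rw-isolate`. With pretest initiating carol before dave the id assumption appears to hold today, so this is a fragility rather than a present failure. The `--raw` patterns now pin the negotiated IKE and ESP algorithms (`AES_CBC`/`HMAC_SHA2_256_128`/`PRF_HMAC_SHA2_256`/`MODP_3072` and `AES_GCM_16`), which is the right place for that assertion now that the `CHILD_SA home{1} established` log checks are gone.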
@ -0,0 +1,158 @@
|
||||||
|
#! /bin/sh
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: charon
|
||||||
|
# Required-Start: $remote_fs $syslog
|
||||||
|
# Required-Stop: $remote_fs $syslog
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: strongSwan charon IKE daemon
|
||||||
|
# Description: with swanctl the strongSwan charon daemon must be
|
||||||
|
# running in the background
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||||
|
#
|
||||||
|
# Do NOT "set -e"
|
||||||
|
|
||||||
|
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||||
|
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||||
|
DESC="strongSwan charon IKE daemon"
|
||||||
|
NAME=charon
|
||||||
|
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||||
|
DAEMON_ARGS=""
|
||||||
|
PIDFILE=/var/run/$NAME.pid
|
||||||
|
SCRIPTNAME=/etc/init.d/charon
|
||||||
|
|
||||||
|
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||||
|
|
||||||
|
# Exit if the package is not installed
|
||||||
|
[ -x "$DAEMON" ] || exit 0
|
||||||
|
|
||||||
|
# Read configuration variable file if it is present
|
||||||
|
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||||
|
|
||||||
|
# Load the VERBOSE setting and other rcS variables
|
||||||
|
. /lib/init/vars.sh
|
||||||
|
|
||||||
|
# Define LSB log_* functions.
|
||||||
|
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||||
|
# and status_of_proc is working.
|
||||||
|
. /lib/lsb/init-functions
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that starts the daemon/service
|
||||||
|
#
|
||||||
|
do_start()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been started
|
||||||
|
# 1 if daemon was already running
|
||||||
|
# 2 if daemon could not be started
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||||
|
|| return 1
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||||
|
$DAEMON_ARGS \
|
||||||
|
|| return 2
|
||||||
|
# Add code here, if necessary, that waits for the process to be ready
|
||||||
|
# to handle requests from services started subsequently which depend
|
||||||
|
# on this one. As a last resort, sleep for some time.
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that stops the daemon/service
|
||||||
|
#
|
||||||
|
do_stop()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been stopped
|
||||||
|
# 1 if daemon was already stopped
|
||||||
|
# 2 if daemon could not be stopped
|
||||||
|
# other if a failure occurred
|
||||||
|
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||||
|
RETVAL="$?"
|
||||||
|
[ "$RETVAL" = 2 ] && return 2
|
||||||
|
# Wait for children to finish too if this is a daemon that forks
|
||||||
|
# and if the daemon is only ever run from this initscript.
|
||||||
|
# If the above conditions are not satisfied then add some other code
|
||||||
|
# that waits for the process to drop all resources that could be
|
||||||
|
# needed by services started subsequently. A last resort is to
|
||||||
|
# sleep for some time.
|
||||||
|
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||||
|
[ "$?" = 2 ] && return 2
|
||||||
|
# Many daemons don't delete their pidfiles when they exit.
|
||||||
|
rm -f $PIDFILE
|
||||||
|
return "$RETVAL"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that sends a SIGHUP to the daemon/service
|
||||||
|
#
|
||||||
|
do_reload() {
|
||||||
|
#
|
||||||
|
# If the daemon can reload its configuration without
|
||||||
|
# restarting (for example, when it is sent a SIGHUP),
|
||||||
|
# then implement that here.
|
||||||
|
#
|
||||||
|
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||||
|
;;
|
||||||
|
#reload|force-reload)
|
||||||
|
#
|
||||||
|
# If do_reload() is not implemented then leave this commented out
|
||||||
|
# and leave 'force-reload' as an alias for 'restart'.
|
||||||
|
#
|
||||||
|
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||||
|
#do_reload
|
||||||
|
#log_end_msg $?
|
||||||
|
#;;
|
||||||
|
restart|force-reload)
|
||||||
|
#
|
||||||
|
# If the "reload" option is implemented then remove the
|
||||||
|
# 'force-reload' alias
|
||||||
|
#
|
||||||
|
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1)
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0) log_end_msg 0 ;;
|
||||||
|
1) log_end_msg 1 ;; # Old process is still running
|
||||||
|
*) log_end_msg 1 ;; # Failed to start
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Failed to stop
|
||||||
|
log_end_msg 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||||
|
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||||
|
exit 3
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
:
|
|
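Review bot: The author line of the new init script carries a typo in the domain, `# Author: Andreas Steffen <andreas.steffen@strongswa.org>`, which should read `strongswan.org`; the same file is added byte for byte for dave and for moon later in this commit, so the fix applies to all three copies (a single shared copy under the testing hosts' common tree would avoid the triplication, if the layout allows it, which I cannot see from this page). Several skeleton comments from the Debian template are left verbatim, `# Add code here, if necessary, that waits for the process to be ready ...` in do_start and the `# Wait for children to finish too ...` block in do_stop, and should be replaced by one sentence stating that charon needs no readiness wait here or dropped. do_reload sends SIGHUP via `start-stop-daemon --stop --signal 1`, yet the `#reload|force-reload)` case stays commented out; if charon reloads strongswan.conf on SIGHUP, wiring that case up makes the script usable for a reload step, otherwise do_reload is dead code and should go.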
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_CAROL
|
|
||||||
leftid=carol@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightauth=any
|
|
||||||
rightsendcert=never
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
|
@ -1,13 +1,29 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libtls {
|
||||||
|
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
}
|
||||||
|
|
|
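Review bot: The new `start-scripts` entry `creds = /usr/local/sbin/swanctl --load-creds` is executed by charon without a controlling terminal; if any private key under the swanctl credential directories is ever encrypted, swanctl will try to prompt for a passphrase and the start script blocks, so `creds = /usr/local/sbin/swanctl --load-creds --noprompt` is the safer form (the dave and moon strongswan.conf sections add the identical line). The `syslog { daemon { tnc = 3 } }` block takes over `charondebug="tnc 3"` from the deleted ipsec.conf, which is fine, but a one-line comment such as `# TNC messages at level 3, matched by the evaltest log checks` would tell the reader why only that group is raised while `auth` is held at `default = 0`. The `load` line also drops `des` while keeping `md5` and `sha1`; that looks intentional given the EAP-MD5 phase-2 method, but the commit message does not mention it.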
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
}
|
|
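Review bot: The deleted ipsec.conf set `ikelifetime=60m`, `keylife=20m`, `rekeymargin=3m` and `keyingtries=1` in `conn %default`, and the new `connections.home` carries no `rekey_time`/`over_time` for the IKE_SA and no `rekey_time`/`life_time` for the child, so the scenario now runs on swanctl's built-in defaults; harmless for a test that completes in seconds, but it is a silent behaviour change the commit message does not state, and the dave and moon swanctl.conf sections have the same gap. If the short lifetimes mattered (for instance to exercise rekeying), restore them explicitly under `home` and `children.home` rather than relying on the defaults. The `secrets.eap` block keeps the EAP password in clear text exactly as the removed ipsec.secrets did, which is expected for a public test fixture and is not a regression introduced here.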
@ -0,0 +1,158 @@
|
||||||
|
#! /bin/sh
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: charon
|
||||||
|
# Required-Start: $remote_fs $syslog
|
||||||
|
# Required-Stop: $remote_fs $syslog
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: strongSwan charon IKE daemon
|
||||||
|
# Description: with swanctl the strongSwan charon daemon must be
|
||||||
|
# running in the background
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||||
|
#
|
||||||
|
# Do NOT "set -e"
|
||||||
|
|
||||||
|
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||||
|
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||||
|
DESC="strongSwan charon IKE daemon"
|
||||||
|
NAME=charon
|
||||||
|
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||||
|
DAEMON_ARGS=""
|
||||||
|
PIDFILE=/var/run/$NAME.pid
|
||||||
|
SCRIPTNAME=/etc/init.d/charon
|
||||||
|
|
||||||
|
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||||
|
|
||||||
|
# Exit if the package is not installed
|
||||||
|
[ -x "$DAEMON" ] || exit 0
|
||||||
|
|
||||||
|
# Read configuration variable file if it is present
|
||||||
|
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||||
|
|
||||||
|
# Load the VERBOSE setting and other rcS variables
|
||||||
|
. /lib/init/vars.sh
|
||||||
|
|
||||||
|
# Define LSB log_* functions.
|
||||||
|
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||||
|
# and status_of_proc is working.
|
||||||
|
. /lib/lsb/init-functions
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that starts the daemon/service
|
||||||
|
#
|
||||||
|
do_start()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been started
|
||||||
|
# 1 if daemon was already running
|
||||||
|
# 2 if daemon could not be started
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||||
|
|| return 1
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||||
|
$DAEMON_ARGS \
|
||||||
|
|| return 2
|
||||||
|
# Add code here, if necessary, that waits for the process to be ready
|
||||||
|
# to handle requests from services started subsequently which depend
|
||||||
|
# on this one. As a last resort, sleep for some time.
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that stops the daemon/service
|
||||||
|
#
|
||||||
|
do_stop()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been stopped
|
||||||
|
# 1 if daemon was already stopped
|
||||||
|
# 2 if daemon could not be stopped
|
||||||
|
# other if a failure occurred
|
||||||
|
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||||
|
RETVAL="$?"
|
||||||
|
[ "$RETVAL" = 2 ] && return 2
|
||||||
|
# Wait for children to finish too if this is a daemon that forks
|
||||||
|
# and if the daemon is only ever run from this initscript.
|
||||||
|
# If the above conditions are not satisfied then add some other code
|
||||||
|
# that waits for the process to drop all resources that could be
|
||||||
|
# needed by services started subsequently. A last resort is to
|
||||||
|
# sleep for some time.
|
||||||
|
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||||
|
[ "$?" = 2 ] && return 2
|
||||||
|
# Many daemons don't delete their pidfiles when they exit.
|
||||||
|
rm -f $PIDFILE
|
||||||
|
return "$RETVAL"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that sends a SIGHUP to the daemon/service
|
||||||
|
#
|
||||||
|
do_reload() {
|
||||||
|
#
|
||||||
|
# If the daemon can reload its configuration without
|
||||||
|
# restarting (for example, when it is sent a SIGHUP),
|
||||||
|
# then implement that here.
|
||||||
|
#
|
||||||
|
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||||
|
;;
|
||||||
|
#reload|force-reload)
|
||||||
|
#
|
||||||
|
# If do_reload() is not implemented then leave this commented out
|
||||||
|
# and leave 'force-reload' as an alias for 'restart'.
|
||||||
|
#
|
||||||
|
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||||
|
#do_reload
|
||||||
|
#log_end_msg $?
|
||||||
|
#;;
|
||||||
|
restart|force-reload)
|
||||||
|
#
|
||||||
|
# If the "reload" option is implemented then remove the
|
||||||
|
# 'force-reload' alias
|
||||||
|
#
|
||||||
|
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1)
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0) log_end_msg 0 ;;
|
||||||
|
1) log_end_msg 1 ;; # Old process is still running
|
||||||
|
*) log_end_msg 1 ;; # Failed to start
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Failed to stop
|
||||||
|
log_end_msg 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||||
|
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||||
|
exit 3
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
:
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_DAVE
|
|
||||||
leftid=dave@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightauth=any
|
|
||||||
rightsendcert=never
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
@ -1,13 +1,29 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libtls {
|
||||||
|
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.200
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = dave@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = dave@strongswan.org
|
||||||
|
secret = "W7R0g3do"
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,158 @@
|
||||||
|
#! /bin/sh
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: charon
|
||||||
|
# Required-Start: $remote_fs $syslog
|
||||||
|
# Required-Stop: $remote_fs $syslog
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: strongSwan charon IKE daemon
|
||||||
|
# Description: with swanctl the strongSwan charon daemon must be
|
||||||
|
# running in the background
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# Author: Andreas Steffen <andreas.steffen@strongswa.org>
|
||||||
|
#
|
||||||
|
# Do NOT "set -e"
|
||||||
|
|
||||||
|
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||||
|
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
|
||||||
|
DESC="strongSwan charon IKE daemon"
|
||||||
|
NAME=charon
|
||||||
|
DAEMON=/usr/local/libexec/ipsec/$NAME
|
||||||
|
DAEMON_ARGS=""
|
||||||
|
PIDFILE=/var/run/$NAME.pid
|
||||||
|
SCRIPTNAME=/etc/init.d/charon
|
||||||
|
|
||||||
|
export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
|
||||||
|
|
||||||
|
# Exit if the package is not installed
|
||||||
|
[ -x "$DAEMON" ] || exit 0
|
||||||
|
|
||||||
|
# Read configuration variable file if it is present
|
||||||
|
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||||
|
|
||||||
|
# Load the VERBOSE setting and other rcS variables
|
||||||
|
. /lib/init/vars.sh
|
||||||
|
|
||||||
|
# Define LSB log_* functions.
|
||||||
|
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||||||
|
# and status_of_proc is working.
|
||||||
|
. /lib/lsb/init-functions
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that starts the daemon/service
|
||||||
|
#
|
||||||
|
do_start()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been started
|
||||||
|
# 1 if daemon was already running
|
||||||
|
# 2 if daemon could not be started
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||||||
|
|| return 1
|
||||||
|
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
|
||||||
|
$DAEMON_ARGS \
|
||||||
|
|| return 2
|
||||||
|
# Add code here, if necessary, that waits for the process to be ready
|
||||||
|
# to handle requests from services started subsequently which depend
|
||||||
|
# on this one. As a last resort, sleep for some time.
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that stops the daemon/service
|
||||||
|
#
|
||||||
|
do_stop()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been stopped
|
||||||
|
# 1 if daemon was already stopped
|
||||||
|
# 2 if daemon could not be stopped
|
||||||
|
# other if a failure occurred
|
||||||
|
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||||||
|
RETVAL="$?"
|
||||||
|
[ "$RETVAL" = 2 ] && return 2
|
||||||
|
# Wait for children to finish too if this is a daemon that forks
|
||||||
|
# and if the daemon is only ever run from this initscript.
|
||||||
|
# If the above conditions are not satisfied then add some other code
|
||||||
|
# that waits for the process to drop all resources that could be
|
||||||
|
# needed by services started subsequently. A last resort is to
|
||||||
|
# sleep for some time.
|
||||||
|
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||||||
|
[ "$?" = 2 ] && return 2
|
||||||
|
# Many daemons don't delete their pidfiles when they exit.
|
||||||
|
rm -f $PIDFILE
|
||||||
|
return "$RETVAL"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that sends a SIGHUP to the daemon/service
|
||||||
|
#
|
||||||
|
do_reload() {
|
||||||
|
#
|
||||||
|
# If the daemon can reload its configuration without
|
||||||
|
# restarting (for example, when it is sent a SIGHUP),
|
||||||
|
# then implement that here.
|
||||||
|
#
|
||||||
|
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||||
|
;;
|
||||||
|
#reload|force-reload)
|
||||||
|
#
|
||||||
|
# If do_reload() is not implemented then leave this commented out
|
||||||
|
# and leave 'force-reload' as an alias for 'restart'.
|
||||||
|
#
|
||||||
|
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||||||
|
#do_reload
|
||||||
|
#log_end_msg $?
|
||||||
|
#;;
|
||||||
|
restart|force-reload)
|
||||||
|
#
|
||||||
|
# If the "reload" option is implemented then remove the
|
||||||
|
# 'force-reload' alias
|
||||||
|
#
|
||||||
|
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1)
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0) log_end_msg 0 ;;
|
||||||
|
1) log_end_msg 1 ;; # Old process is still running
|
||||||
|
*) log_end_msg 1 ;; # Failed to start
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Failed to stop
|
||||||
|
log_end_msg 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||||||
|
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||||
|
exit 3
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
:
|
|
@ -1,34 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn rw-allow
|
|
||||||
rightgroups=allow
|
|
||||||
leftsubnet=10.1.0.0/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-isolate
|
|
||||||
rightgroups=isolate
|
|
||||||
leftsubnet=10.1.0.16/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-eap
|
|
||||||
left=PH_IP_MOON
|
|
||||||
leftcert=moonCert.pem
|
|
||||||
leftid=@moon.strongswan.org
|
|
||||||
leftauth=eap-ttls
|
|
||||||
leftfirewall=yes
|
|
||||||
rightauth=eap-ttls
|
|
||||||
rightid=*@strongswan.org
|
|
||||||
rightsendcert=never
|
|
||||||
right=%any
|
|
|
@ -1,6 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
: RSA moonKey.pem
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
@ -1,10 +1,22 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
|
||||||
|
|
||||||
multiple_authentication = no
|
multiple_authentication = no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-ttls {
|
eap-ttls {
|
||||||
phase2_method = md5
|
phase2_method = md5
|
||||||
|
@ -17,3 +29,7 @@ charon {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libtls {
|
||||||
|
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
rw-allow {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = allow
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-allow {
|
||||||
|
local_ts = 10.1.0.0/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
|
||||||
|
rw-isolate {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = isolate
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-isolate {
|
||||||
|
local_ts = 10.1.0.16/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap-carol {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
eap-dave {
|
||||||
|
id = dave@strongswan.org
|
||||||
|
secret = "W7R0g3do"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,6 +1,6 @@
|
||||||
moon::ipsec stop
|
carol::service charon stop
|
||||||
carol::ipsec stop
|
dave::service charon stop
|
||||||
dave::ipsec stop
|
moon::service charon stop
|
||||||
moon::iptables-restore < /etc/iptables.flush
|
moon::iptables-restore < /etc/iptables.flush
|
||||||
carol::iptables-restore < /etc/iptables.flush
|
carol::iptables-restore < /etc/iptables.flush
|
||||||
dave::iptables-restore < /etc/iptables.flush
|
dave::iptables-restore < /etc/iptables.flush
|
||||||
|
|
|
@ -6,11 +6,15 @@ carol::cat /etc/tnc_config
|
||||||
dave::cat /etc/tnc_config
|
dave::cat /etc/tnc_config
|
||||||
carol::cat /etc/tnc/dummyimc.file
|
carol::cat /etc/tnc/dummyimc.file
|
||||||
dave::cat /etc/tnc/dummyimc.file
|
dave::cat /etc/tnc/dummyimc.file
|
||||||
moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
|
carol::rm /etc/swanctl/rsa/*
|
||||||
carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
|
dave::rm /etc/swanctl/rsa/*
|
||||||
dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
|
carol::rm /etc/swanctl/x509/*
|
||||||
|
dave::rm /etc/swanctl/x509/*
|
||||||
|
moon::service charon start
|
||||||
|
carol::service charon start
|
||||||
|
dave::service charon start
|
||||||
moon::expect-connection rw-allow
|
moon::expect-connection rw-allow
|
||||||
carol::expect-connection home
|
carol::expect-connection home
|
||||||
carol::ipsec up home
|
carol::swanctl --initiate --child home 2> /dev/null
|
||||||
dave::expect-connection home
|
dave::expect-connection home
|
||||||
dave::ipsec up home
|
dave::swanctl --initiate --child home 2> /dev/null
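Review bot: The new `rm /etc/swanctl/rsa/*` and `rm /etc/swanctl/x509/*` steps for carol and dave are not idempotent: when a directory is already empty the shell passes the glob literally and rm exits non-zero with an error, and whether the harness treats that as a failed pretest cannot be told from here. `rm -f` makes the step safe to rerun, e.g. `carol::rm -f /etc/swanctl/rsa/* /etc/swanctl/x509/*`. Presumably the key and certificate are stripped so the only credential the clients can present is their EAP secret; that intent deserves a word if the .dat format tolerates comments. The `2> /dev/null` on both `swanctl --initiate --child home` lines also discards the one message that explains a failed initiation, and the other pretest.dat files in this commit initiate without it; unless the noise is deliberate I would drop the redirection.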
|
||||||
|
|
|
@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave"
|
||||||
# Guest instances on which FreeRadius is started
|
# Guest instances on which FreeRadius is started
|
||||||
#
|
#
|
||||||
RADIUSHOSTS=
|
RADIUSHOSTS=
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
|
@ -1,14 +1,15 @@
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
|
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
|
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
|
||||||
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
|
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
|
||||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
|
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
|
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
|
||||||
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
|
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
|
||||||
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||||
|
dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
|
||||||
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
|
||||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
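Review bot: The negative checks `dave:: swanctl --list-sas --raw 2> /dev/null::home::NO` and `moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO` also pass when swanctl cannot reach charon at all, because stderr is discarded and empty output never matches; for dave nothing else in this file asserts that the daemon is up with the connection loaded, the `received EAP_FAILURE` grep only covers the log. A liveness check next to them, for instance `dave:: swanctl --list-conns --raw 2> /dev/null::home::YES`, would make the `NO` meaningful. The `--ike-id 2` check additionally assumes carol's IKE_SA got id 1 and dave's would have been 2, i.e. the initiation order in pretest.dat; that coupling is worth knowing when either file is edited.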
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,19 @@ session {
|
||||||
}
|
}
|
||||||
|
|
||||||
post-auth {
|
post-auth {
|
||||||
|
if (control:TNC-Status == "Access") {
|
||||||
|
update reply {
|
||||||
|
Tunnel-Type := ESP
|
||||||
|
Filter-Id := "allow"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
elsif (control:TNC-Status == "Isolate") {
|
||||||
|
update reply {
|
||||||
|
Tunnel-Type := ESP
|
||||||
|
Filter-Id := "isolate"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Post-Auth-Type REJECT {
|
Post-Auth-Type REJECT {
|
||||||
attr_filter.access_reject
|
attr_filter.access_reject
|
||||||
}
|
}
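Review bot: The new `post-auth` policy has no branch for a `control:TNC-Status` other than `"Access"` or `"Isolate"`; such a request leaves the section with neither `Tunnel-Type` nor `Filter-Id`, and unless something in the `authorize`/`authenticate` sections outside this hunk already rejected it, the NAS gets an Access-Accept carrying no group. The gateway then only fails closed because all of its connections require a group, which is a property of the peer's configuration rather than of this policy, so the AAA server should enforce it itself. Add `else { reject }` after the `elsif` block so an unknown or missing TNC result is answered with an Access-Reject, which the existing `Post-Auth-Type REJECT` then filters. A comment above the `if`, `# map the TNC recommendation to the Filter-Id the NAS uses as group for connection selection`, would also help the next reader.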
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
debug_level = 3
|
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||||
|
debug_level = 3
|
||||||
assessment_result = no
|
assessment_result = no
|
||||||
plugins {
|
plugins {
|
||||||
imv-scanner {
|
imv-test {
|
||||||
closed_port_policy = no
|
rounds = 1
|
||||||
tcp_ports = 80 443
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_CAROL
|
|
||||||
leftid=carol@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
|
@ -1,10 +1,23 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
}
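Review bot: `aaa_id = aaa.strongswan.org` is the setting that pins which server certificate carol accepts inside the EAP-TTLS tunnel (beyond chain validation), and it is the one whose form this commit changes: the ipsec.conf being removed gave the AAA identity as the full subject DN `C=CH, O=Linux strongSwan, CN=aaa.strongswan.org`, whereas an FQDN identity is, as far as I know, matched against a subjectAltName of the AAA certificate, which is not visible here. If that certificate carries the `aaa.strongswan.org` SAN this is fine, but the line deserves a comment because it is what stops the inner tunnel from completing with some other server that knows the RADIUS secret: `# identity (FQDN SAN) the EAP-TTLS server certificate presented through moon must carry`. The secret in `secrets { eap { ... } }` is the only credential carol has left after pretest removes her key and certificate, which is worth stating in the same place.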
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_DAVE
|
|
||||||
leftid=dave@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
@ -1,10 +1,23 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
|
@ -14,6 +27,9 @@ charon {
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
plugins {
|
plugins {
|
||||||
|
imc-test {
|
||||||
|
command = none
|
||||||
|
}
|
||||||
imc-scanner {
|
imc-scanner {
|
||||||
push_info = no
|
push_info = no
|
||||||
}
|
}
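Review bot: `imc-test { command = none }` is the single setting that makes dave the negative case of this scenario, yet nothing in the file says so; the evaltest of this commit expects `TNCCS-Recommendation.*none` and a RADIUS failure for him, while carol (presumably configured with a different `command` in her own strongswan.conf, not shown in this section) is expected to get `allow`. A comment above the block, `# dave's test IMC returns no recommendation -> the TNC server is expected to reject him`, would spare the next reader a cross-file hunt. The `imc-scanner { push_info = no }` block stays as it was, so the scanner result is not what decides the outcome here.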
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.200
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = dave@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = dave@strongswan.org
|
||||||
|
secret = "W7R0g3do"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn rw-eap
|
|
||||||
left=PH_IP_MOON
|
|
||||||
leftsubnet=10.1.0.0/16
|
|
||||||
leftcert=moonCert.pem
|
|
||||||
leftid=@moon.strongswan.org
|
|
||||||
leftauth=pubkey
|
|
||||||
leftfirewall=yes
|
|
||||||
rightauth=eap-radius
|
|
||||||
rightid=*@strongswan.org
|
|
||||||
rightsendcert=never
|
|
||||||
right=%any
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
: RSA moonKey.pem
|
|
|
@ -1,12 +1,19 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-radius {
|
eap-radius {
|
||||||
secret = gv6URkSs
|
secret = gv6URkSs
|
||||||
server = PH_IP_ALICE
|
server = 10.1.0.10
|
||||||
|
filter_id = yes
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
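Review bot: `server = 10.1.0.10` hard-codes alice's address where the replaced line used the `PH_IP_ALICE` placeholder, and the evaltest of this scenario still uses the placeholder form (`ping -c 1 PH_IP_ALICE`); a literal that merely equals the current testbed address silently breaks if the host table changes and the substitution is not applied here. If the swanctl conversion requires a literal in this file, the line should say why, otherwise keep `server = PH_IP_ALICE`. The new `filter_id = yes` is the switch that turns the RADIUS `Filter-Id` reply attribute into the peer's group membership, which is what the `groups =` constraints in swanctl.conf match on, so `# use the Filter-Id returned by alice as the peer's group (drives rw-* selection)` would explain why the scenario depends on it. The eight-character `secret = gv6URkSs` is acceptable for a testbed, but as far as RADIUS goes it is all that authenticates alice's Access-Accept to moon.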
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
rw {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
certs = moonCert.pem
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-radius
|
||||||
|
id = *@strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw {
|
||||||
|
local_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,9 +1,8 @@
|
||||||
moon::ipsec stop
|
carol::service charon stop
|
||||||
carol::ipsec stop
|
dave::service charon stop
|
||||||
dave::ipsec stop
|
moon::service charon stop
|
||||||
alice::killall radiusd
|
alice::killall radiusd
|
||||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||||
moon::iptables-restore < /etc/iptables.flush
|
moon::iptables-restore < /etc/iptables.flush
|
||||||
carol::iptables-restore < /etc/iptables.flush
|
carol::iptables-restore < /etc/iptables.flush
|
||||||
dave::iptables-restore < /etc/iptables.flush
|
dave::iptables-restore < /etc/iptables.flush
|
||||||
dave::/etc/init.d/apache2 stop 2> /dev/null
|
|
||||||
|
|
|
@ -1,14 +1,20 @@
|
||||||
moon::iptables-restore < /etc/iptables.rules
|
moon::iptables-restore < /etc/iptables.rules
|
||||||
carol::iptables-restore < /etc/iptables.rules
|
carol::iptables-restore < /etc/iptables.rules
|
||||||
dave::iptables-restore < /etc/iptables.rules
|
dave::iptables-restore < /etc/iptables.rules
|
||||||
dave::/etc/init.d/apache2 start 2> /dev/null
|
|
||||||
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
|
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||||
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
|
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||||
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
|
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
|
||||||
moon::ipsec start
|
alice::cat /etc/tnc_config
|
||||||
carol::ipsec start
|
carol::cat /etc/tnc_config
|
||||||
dave::ipsec start
|
dave::cat /etc/tnc_config
|
||||||
|
carol::rm /etc/swanctl/rsa/*
|
||||||
|
dave::rm /etc/swanctl/rsa/*
|
||||||
|
carol::rm /etc/swanctl/x509/*
|
||||||
|
dave::rm /etc/swanctl/x509/*
|
||||||
|
moon::service charon start
|
||||||
|
carol::service charon start
|
||||||
|
dave::service charon start
|
||||||
carol::expect-connection home
|
carol::expect-connection home
|
||||||
carol::ipsec up home
|
carol::swanctl --initiate --child home
|
||||||
dave::expect-connection home
|
dave::expect-connection home
|
||||||
dave::ipsec up home
|
dave::swanctl --initiate --child home
|
||||||
|
|
|
@ -5,11 +5,11 @@
|
||||||
|
|
||||||
# All guest instances that are required for this test
|
# All guest instances that are required for this test
|
||||||
#
|
#
|
||||||
VIRTHOSTS="alice moon carol winnetou dave"
|
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||||
|
|
||||||
# Corresponding block diagram
|
# Corresponding block diagram
|
||||||
#
|
#
|
||||||
DIAGRAM="a-m-c-w-d.png"
|
DIAGRAM="a-v-m-c-w-d.png"
|
||||||
|
|
||||||
# Guest instances on which tcpdump is to be started
|
# Guest instances on which tcpdump is to be started
|
||||||
#
|
#
|
||||||
|
@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
|
||||||
#
|
#
|
||||||
RADIUSHOSTS="alice"
|
RADIUSHOSTS="alice"
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
|
@ -1,19 +1,18 @@
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
|
||||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||||
|
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_CAROL
|
|
||||||
leftid=carol@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
|
@ -1,21 +1,26 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
libimcv {
|
|
||||||
plugins {
|
|
||||||
imc-test {
|
|
||||||
command = allow
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_DAVE
|
|
||||||
leftid=dave@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
@ -1,26 +1,27 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
retransmit_tries = 5
|
retransmit_tries = 5
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
libimcv {
|
|
||||||
plugins {
|
|
||||||
imc-test {
|
|
||||||
command = allow
|
|
||||||
}
|
|
||||||
imc-scanner {
|
|
||||||
push_info = no
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.200
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = dave@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = dave@strongswan.org
|
||||||
|
secret = "W7R0g3do"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,33 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn rw-allow
|
|
||||||
rightgroups=allow
|
|
||||||
leftsubnet=10.1.0.0/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-isolate
|
|
||||||
rightgroups=isolate
|
|
||||||
leftsubnet=10.1.0.16/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-eap
|
|
||||||
left=PH_IP_MOON
|
|
||||||
leftcert=moonCert.pem
|
|
||||||
leftid=@moon.strongswan.org
|
|
||||||
leftauth=pubkey
|
|
||||||
leftfirewall=yes
|
|
||||||
rightauth=eap-radius
|
|
||||||
rightid=*@strongswan.org
|
|
||||||
rightsendcert=never
|
|
||||||
right=%any
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
: RSA moonKey.pem
|
|
|
@ -1,12 +1,18 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-radius {
|
eap-radius {
|
||||||
secret = gv6URkSs
|
secret = gv6URkSs
|
||||||
server = PH_IP_ALICE
|
server = 10.1.0.10
|
||||||
filter_id = yes
|
filter_id = yes
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
rw-allow {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
certs = moonCert.pem
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-radius
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = allow
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-allow {
|
||||||
|
local_ts = 10.1.0.0/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-ecp256
|
||||||
|
}
|
||||||
|
|
||||||
|
rw-isolate {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-radius
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = isolate
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-isolate {
|
||||||
|
local_ts = 10.1.0.16/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-ecp256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-ecp256
|
||||||
|
}
|
||||||
|
}
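Review bot: `rw-isolate`'s `local` section omits the `certs = moonCert.pem` that `rw-allow` sets, so the two connections select moon's certificate differently: `rw-allow` pins the file, `rw-isolate` leaves charon to pick whatever loaded certificate matches `id = moon.strongswan.org`. That works while exactly one such certificate is loaded and silently changes behaviour when another is added for the same identity (for example during a rollover); add `certs = moonCert.pem` to `rw-isolate` so both connections authenticate moon with the same explicit credential. Apart from that line the IKE profile is duplicated verbatim in both connections, which a comment above `rw-allow` should say: `# rw-allow/rw-isolate differ only in the required group and the local_ts it unlocks; keep the rest identical`.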
|
|
@ -1,6 +1,6 @@
|
||||||
moon::ipsec stop
|
carol::service charon stop
|
||||||
carol::ipsec stop
|
dave::service charon stop
|
||||||
dave::ipsec stop
|
moon::service charon stop
|
||||||
alice::killall radiusd
|
alice::killall radiusd
|
||||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||||
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
|
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
|
@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
|
||||||
alice::cat /etc/tnc_config
|
alice::cat /etc/tnc_config
|
||||||
carol::cat /etc/tnc_config
|
carol::cat /etc/tnc_config
|
||||||
dave::cat /etc/tnc_config
|
dave::cat /etc/tnc_config
|
||||||
moon::ipsec start
|
carol::rm /etc/swanctl/rsa/*
|
||||||
dave::ipsec start
|
dave::rm /etc/swanctl/rsa/*
|
||||||
carol::ipsec start
|
carol::rm /etc/swanctl/x509/*
|
||||||
dave::expect-connection home
|
dave::rm /etc/swanctl/x509/*
|
||||||
dave::ipsec up home
|
moon::service charon start
|
||||||
|
carol::service charon start
|
||||||
|
dave::service charon start
|
||||||
carol::expect-connection home
|
carol::expect-connection home
|
||||||
carol::ipsec up home
|
carol::swanctl --initiate --child home
|
||||||
|
dave::expect-connection home
|
||||||
|
dave::swanctl --initiate --child home
|
||||||
alice::ipsec attest --sessions
|
alice::ipsec attest --sessions
|
||||||
alice::ipsec attest --devices
|
alice::ipsec attest --devices
|
||||||
|
|
|
@ -27,3 +27,7 @@ RADIUSHOSTS="alice"
|
||||||
# Guest instances on which databases are used
|
# Guest instances on which databases are used
|
||||||
#
|
#
|
||||||
DBHOSTS="alice"
|
DBHOSTS="alice"
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
|
@ -1,19 +1,18 @@
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
|
||||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
|
||||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
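Review bot: The two moon checks select IKE_SAs with `--ike-id 1` and `--ike-id 2`, which ties the assertions to the order in which unique IDs are handed out; this holds only because pretest initiates carol's tunnel before dave's, and a retried or duplicate IKE_SA would shift the numbering and make the `rw-allow`/`rw-isolate` patterns fail for an unrelated reason. Selecting by connection name is order-independent and keeps the same assertions: replace `--list-sas --ike-id 1 --raw` with `--list-sas --ike rw-allow --raw` and `--list-sas --ike-id 2 --raw` with `--list-sas --ike rw-isolate --raw`. The same pair of lines appears in the later evaltest section (the one that also checks 'added group membership'), so the change applies there too.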
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
|
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||||
debug_level = 3
|
debug_level = 3
|
||||||
assessment_result = no
|
assessment_result = no
|
||||||
plugins {
|
plugins {
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_CAROL
|
|
||||||
leftid=carol@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
|
@ -1,10 +1,23 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_DAVE
|
|
||||||
leftid=dave@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
rightauth=pubkey
|
|
||||||
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
@ -1,10 +1,23 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.200
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap
|
||||||
|
aaa_id = aaa.strongswan.org
|
||||||
|
id = dave@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = dave@strongswan.org
|
||||||
|
secret = "W7R0g3do"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,33 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn rw-allow
|
|
||||||
rightgroups=allow
|
|
||||||
leftsubnet=10.1.0.0/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-isolate
|
|
||||||
rightgroups=isolate
|
|
||||||
leftsubnet=10.1.0.16/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-eap
|
|
||||||
left=PH_IP_MOON
|
|
||||||
leftcert=moonCert.pem
|
|
||||||
leftid=@moon.strongswan.org
|
|
||||||
leftauth=pubkey
|
|
||||||
leftfirewall=yes
|
|
||||||
rightauth=eap-radius
|
|
||||||
rightid=*@strongswan.org
|
|
||||||
rightsendcert=never
|
|
||||||
right=%any
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
: RSA moonKey.pem
|
|
|
@ -1,12 +1,18 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-radius {
|
eap-radius {
|
||||||
secret = gv6URkSs
|
secret = gv6URkSs
|
||||||
server = PH_IP_ALICE
|
server = 10.1.0.10
|
||||||
filter_id = yes
|
filter_id = yes
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
rw-allow {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
certs = moonCert.pem
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-radius
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = allow
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-allow {
|
||||||
|
local_ts = 10.1.0.0/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
|
||||||
|
rw-isolate {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-radius
|
||||||
|
id = *@strongswan.org
|
||||||
|
groups = isolate
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
rw-isolate {
|
||||||
|
local_ts = 10.1.0.16/28
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,6 +1,6 @@
|
||||||
moon::ipsec stop
|
carol::service charon stop
|
||||||
carol::ipsec stop
|
dave::service charon stop
|
||||||
dave::ipsec stop
|
moon::service charon stop
|
||||||
alice::killall radiusd
|
alice::killall radiusd
|
||||||
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
|
||||||
moon::iptables-restore < /etc/iptables.flush
|
moon::iptables-restore < /etc/iptables.flush
|
||||||
|
|
|
@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
|
||||||
alice::cat /etc/tnc_config
|
alice::cat /etc/tnc_config
|
||||||
carol::cat /etc/tnc_config
|
carol::cat /etc/tnc_config
|
||||||
dave::cat /etc/tnc_config
|
dave::cat /etc/tnc_config
|
||||||
moon::ipsec start
|
carol::rm /etc/swanctl/rsa/*
|
||||||
carol::ipsec start
|
dave::rm /etc/swanctl/rsa/*
|
||||||
dave::ipsec start
|
carol::rm /etc/swanctl/x509/*
|
||||||
|
dave::rm /etc/swanctl/x509/*
|
||||||
|
moon::service charon start
|
||||||
|
carol::service charon start
|
||||||
|
dave::service charon start
|
||||||
carol::expect-connection home
|
carol::expect-connection home
|
||||||
carol::ipsec up home
|
carol::swanctl --initiate --child home
|
||||||
dave::expect-connection home
|
dave::expect-connection home
|
||||||
dave::ipsec up home
|
dave::swanctl --initiate --child home
|
||||||
|
|
|
@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
|
||||||
#
|
#
|
||||||
RADIUSHOSTS="alice"
|
RADIUSHOSTS="alice"
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
|
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||||
debug_level = 3
|
debug_level = 3
|
||||||
assessment_result = no
|
assessment_result = no
|
||||||
plugins {
|
plugins {
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
|
@ -1 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
|
@ -1,6 +1,7 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
|
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||||
debug_level = 3
|
debug_level = 3
|
||||||
plugins {
|
plugins {
|
||||||
imc-test {
|
imc-test {
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
# The strongSwan IMCs are loaded by the WPA supplicant
|
|
@ -1 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
|
@ -1 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
|
@ -1,6 +1,7 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
|
load = random nonce sha1 sha2 md5 gmp pubkey x509
|
||||||
debug_level = 3
|
debug_level = 3
|
||||||
plugins {
|
plugins {
|
||||||
imc-test {
|
imc-test {
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
# The strongSwan IMCs are loaded by the WPA supplicant
|
|
@ -1,33 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn rw-allow
|
|
||||||
rightgroups=allow
|
|
||||||
leftsubnet=10.1.0.0/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-isolate
|
|
||||||
rightgroups=isolate
|
|
||||||
leftsubnet=10.1.0.16/28
|
|
||||||
also=rw-eap
|
|
||||||
auto=add
|
|
||||||
|
|
||||||
conn rw-eap
|
|
||||||
left=PH_IP_MOON
|
|
||||||
leftcert=moonCert.pem
|
|
||||||
leftid=@moon.strongswan.org
|
|
||||||
leftauth=pubkey
|
|
||||||
leftfirewall=yes
|
|
||||||
rightauth=eap-radius
|
|
||||||
rightid=*@strongswan.org
|
|
||||||
rightsendcert=never
|
|
||||||
right=%any
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
: RSA moonKey.pem
|
|
|
@ -1,32 +0,0 @@
|
||||||
*filter
|
|
||||||
|
|
||||||
# default policy is DROP
|
|
||||||
-P INPUT DROP
|
|
||||||
-P OUTPUT DROP
|
|
||||||
-P FORWARD DROP
|
|
||||||
|
|
||||||
# allow esp
|
|
||||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
|
||||||
|
|
||||||
# allow IKE
|
|
||||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
|
||||||
|
|
||||||
# allow MobIKE
|
|
||||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
|
||||||
|
|
||||||
# allow ssh
|
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
||||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
|
||||||
|
|
||||||
# allow crl fetch from winnetou
|
|
||||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
|
||||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
|
||||||
|
|
||||||
# allow RADIUS protocol with alice
|
|
||||||
-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
|
|
||||||
-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
|
|
||||||
|
|
||||||
COMMIT
|
|
|
@ -1,13 +0,0 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
|
||||||
|
|
||||||
charon {
|
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
|
|
||||||
multiple_authentication=no
|
|
||||||
plugins {
|
|
||||||
eap-radius {
|
|
||||||
secret = gv6URkSs
|
|
||||||
server = PH_IP_ALICE
|
|
||||||
filter_id = yes
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png"
|
||||||
|
|
||||||
# Guest instances on which tcpdump is to be started
|
# Guest instances on which tcpdump is to be started
|
||||||
#
|
#
|
||||||
TCPDUMPHOSTS="moon"
|
TCPDUMPHOSTS=
|
||||||
|
|
||||||
# Guest instances on which IPsec is started
|
# Guest instances on which IPsec is started
|
||||||
# Used for IPsec logging purposes
|
# Used for IPsec logging purposes
|
||||||
#
|
#
|
||||||
IPSECHOSTS="moon carol dave"
|
IPSECHOSTS="carol dave"
|
||||||
|
|
||||||
# Guest instances on which FreeRadius is started
|
# Guest instances on which FreeRadius is started
|
||||||
#
|
#
|
||||||
RADIUSHOSTS="alice"
|
RADIUSHOSTS="alice"
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
|
@ -1,19 +1,18 @@
|
||||||
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
|
||||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
|
||||||
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
|
||||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
|
||||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
|
||||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||||
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||||
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||||
|
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_CAROL
|
|
||||||
leftid=carol@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightauth=any
|
|
||||||
rightsendcert=never
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
|
@ -1,10 +1,23 @@
|
||||||
# /etc/strongswan.conf - strongSwan configuration file
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
charon {
|
charon {
|
||||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
|
||||||
|
|
||||||
multiple_authentication=no
|
multiple_authentication=no
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
syslog {
|
||||||
|
auth {
|
||||||
|
default = 0
|
||||||
|
}
|
||||||
|
daemon {
|
||||||
|
tnc = 3
|
||||||
|
imc = 3
|
||||||
|
}
|
||||||
|
}
|
||||||
plugins {
|
plugins {
|
||||||
eap-tnc {
|
eap-tnc {
|
||||||
protocol = tnccs-1.1
|
protocol = tnccs-1.1
|
||||||
|
@ -12,6 +25,10 @@ charon {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
libtls {
|
||||||
|
suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
}
|
||||||
|
|
||||||
libimcv {
|
libimcv {
|
||||||
plugins {
|
plugins {
|
||||||
imc-test {
|
imc-test {
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = eap-ttls
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
|
esp_proposals = aes128gcm16-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128-sha256-modp3072
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets {
|
||||||
|
|
||||||
|
eap {
|
||||||
|
id = carol@strongswan.org
|
||||||
|
secret = "Ar3etTnp"
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,23 +0,0 @@
|
||||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
|
||||||
|
|
||||||
config setup
|
|
||||||
charondebug="tnc 3, imc 3"
|
|
||||||
|
|
||||||
conn %default
|
|
||||||
ikelifetime=60m
|
|
||||||
keylife=20m
|
|
||||||
rekeymargin=3m
|
|
||||||
keyingtries=1
|
|
||||||
keyexchange=ikev2
|
|
||||||
|
|
||||||
conn home
|
|
||||||
left=PH_IP_DAVE
|
|
||||||
leftid=dave@strongswan.org
|
|
||||||
leftauth=eap
|
|
||||||
leftfirewall=yes
|
|
||||||
right=PH_IP_MOON
|
|
||||||
rightid=@moon.strongswan.org
|
|
||||||
rightauth=any
|
|
||||||
rightsendcert=never
|
|
||||||
rightsubnet=10.1.0.0/16
|
|
||||||
auto=add
|
|
|
@ -1,3 +0,0 @@
|
||||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
||||||
|
|
||||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
|
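--- a/hosts/dave/etc/strongswan.conf
+++ b/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
 multiple_authentication=no
 
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+syslog {
+auth {
+default = 0
+}
+daemon {
+tnc = 3
+imc = 3
+}
+}
 plugins {
 eap-tnc {
 protocol = tnccs-1.1
@@ -12,6 +25,10 @@ charon {
 }
 }
 
+libtls {
+suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
 plugins {
 imc-test {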
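--- /dev/null
+++ b/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+home {
+local_addrs = 192.168.0.200
+remote_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = dave@strongswan.org
+}
+remote {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = 10.1.0.0/16
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+}
+
+secrets {
+
+eap {
+id = dave@strongswan.org
+secret = "W7R0g3do"
+}
+}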
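--- a/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-charondebug="tnc 3, imv 3"
-
-conn %default
-ikelifetime=60m
-keylife=20m
-rekeymargin=3m
-keyingtries=1
-keyexchange=ikev2
-
-conn rw-allow
-rightgroups=allow
-leftsubnet=10.1.0.0/28
-also=rw-eap
-auto=add
-
-conn rw-isolate
-rightgroups=isolate
-leftsubnet=10.1.0.16/28
-also=rw-eap
-auto=add
-
-conn rw-eap
-left=PH_IP_MOON
-leftcert=moonCert.pem
-leftid=@moon.strongswan.org
-leftauth=eap-ttls
-leftfirewall=yes
-rightauth=eap-ttls
-rightid=*@strongswan.org
-rightsendcert=never
-right=%any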
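--- a/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"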
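--- a/hosts/moon/etc/strongswan.conf
+++ b/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
 
 multiple_authentication = no
 
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+syslog {
+auth {
+default = 0
+}
+daemon {
+tnc = 3
+imv = 3
+}
+}
 plugins {
 eap-ttls {
 phase2_method = md5
@@ -18,6 +31,10 @@ charon {
 }
 }
 
+libtls {
+suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
 plugins {
 imv-test {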
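Review bot: The new `libtls { suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 }` block pins the EAP-TTLS tunnel to a single CBC suite without saying why, and the same pin is added on the client side, so a reader cannot tell whether this is a deliberate test constraint or a hardening choice. If the intent is a reproducible handshake for the scenario, say so where the pin lives: `# single suite so the EAP-TTLS handshake is reproducible in the test; not a production recommendation`. The `start-scripts` block loads `creds` before `conns`; if that order matters for the certificate the `eap-ttls` server needs, a one-line comment saying so would keep the two lines from being reordered.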
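--- /dev/null
+++ b/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+rw-allow {
+local_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+remote {
+auth = eap-ttls
+id = *@strongswan.org
+groups = allow
+}
+children {
+rw-allow {
+local_ts = 10.1.0.0/28
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+
+rw-isolate {
+local_addrs = 192.168.0.1
+
+local {
+auth = eap-ttls
+id = moon.strongswan.org
+}
+remote {
+auth = eap-ttls
+id = *@strongswan.org
+groups = isolate
+}
+children {
+rw-isolate {
+local_ts = 10.1.0.16/28
+
+updown = /usr/local/libexec/ipsec/_updown iptables
+esp_proposals = aes128gcm16-modp3072
+}
+}
+version = 2
+send_certreq = no
+proposals = aes128-sha256-modp3072
+}
+}
+
+secrets {
+
+eap-carol {
+id = carol@strongswan.org
+secret = "Ar3etTnp"
+}
+eap-dave {
+id = dave@strongswan.org
+secret = "W7R0g3do"
+}
+}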
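Review bot: The explicit server-certificate binding the removed ipsec.conf had (`leftcert=moonCert.pem`) has no counterpart in either `local { auth = eap-ttls; id = moon.strongswan.org }` block, so the certificate moon presents inside EAP-TTLS is presumably whichever loaded credential matches the id; adding `certs = moonCert.pem` under both `local` sections restores the pin. Beyond that, rw-allow and rw-isolate are identical except for `groups = allow` / `groups = isolate` and the `local_ts` each child offers (10.1.0.0/28 versus 10.1.0.16/28), so isolating a client rests entirely on that single `groups` line matching the group the TNC recommendation assigns; a header comment stating this would protect it from a well-meaning cleanup that drops the duplicate-looking second connection. The two clear-text EAP secrets under `secrets` are test fixtures and should be labelled as such.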
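--- a/posttest.dat
+++ b/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush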
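--- a/pretest.dat
+++ b/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null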
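Review bot: `carol::swanctl --initiate --child home 2> /dev/null` (and the matching dave line) discards swanctl's stderr, so a rejected or timed-out initiate leaves no trace in the pretest output and the scenario then depends entirely on whatever the later log assertions happen to check. If the redirect exists to silence a known warning, name it; otherwise drop `2> /dev/null` so the failure is visible where it happens. The four `rm /etc/swanctl/rsa/*` and `rm /etc/swanctl/x509/*` lines carry the scenario's security intent, removing the clients' own key and certificate so only the EAP credential remains, yet nothing records that; a sentence in the scenario description would help, and plain `rm` without `-f` errors on an already-empty directory, which may or may not be what the harness tolerates.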
@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave"
|
||||||
#
|
#
|
||||||
RADIUSHOSTS=
|
RADIUSHOSTS=
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
|
||||||
|
|
||||||
|
|