ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Merge branch 'subnet-identities' 

Implemented IKEv1 IPv4/IPv6 address subnet and range identities to
be used as owners for shared secrets.

swanctl supports configuration of traffic selectors with IPv4/IPv6
address ranges.
This commit is contained in:
Andreas Steffen 2016-03-10 15:26:03 +01:00
parent 709998e106 3f1de98678
commit 6b8acc49ed
9 changed files with 626 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/libcharon/plugins/updown/updown_listener.c
View File

@ -311,11 +311,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
ike_sa->get_unique_id(ike_sa));
push_env(envp, countof(envp), "PLUTO_ME=%H", me);
push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
if (my_ts->to_subnet(my_ts, &host, &mask))
if (!my_ts->to_subnet(my_ts, &host, &mask))
{
push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
host->destroy(host);
DBG1(DBG_CHD, "updown approximates local TS %R "
"by next larger subnet", my_ts);
}
push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
host->destroy(host);
push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
get_port(my_ts, other_ts, port_buf, TRUE));
push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
@ -323,11 +325,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
ike_sa->get_other_id(ike_sa));
if (other_ts->to_subnet(other_ts, &host, &mask))
if (!other_ts->to_subnet(other_ts, &host, &mask))
{
push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
host->destroy(host);
DBG1(DBG_CHD, "updown approximates remote TS %R "
"by next larger subnet", other_ts);
}
push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
host->destroy(host);
push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
get_port(my_ts, other_ts, port_buf, FALSE));
push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",

18
src/libcharon/plugins/vici/vici_config.c
View File

@ -3,7 +3,7 @@
* Copyright (C) 2014 revosec AG
*
* Copyright (C) 2015-2016 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* Copyright (C) 2015-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@ -646,6 +646,22 @@ CALLBACK(parse_ts, bool,
{
ts = traffic_selector_create_dynamic(proto, from, to);
}
else if (strchr(buf, '-'))
{
host_t *lower, *upper;
ts_type_t type;
if (host_create_from_range(buf, &lower, &upper))
{
type = (lower->get_family(lower) == AF_INET) ?
TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
ts = traffic_selector_create_from_bytes(proto, type,
lower->get_address(lower), from,
upper->get_address(upper), to);
lower->destroy(lower);
upper->destroy(upper);
}
}
else
{
ts = traffic_selector_create_from_cidr(buf, proto, from, to);

255
src/libstrongswan/tests/suites/test_identification.c
View File

@ -1,7 +1,8 @@
/*
* Copyright (C) 2013-2015 Tobias Brunner
* Copyright (C) 2016 Andreas Steffen
* Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -122,67 +123,122 @@ static struct {
} data;
} result;
} string_data[] = {
{NULL, ID_ANY, { .type = ENC_CHUNK }},
{"", ID_ANY, { .type = ENC_CHUNK }},
{"%any", ID_ANY, { .type = ENC_CHUNK }},
{"%any6", ID_ANY, { .type = ENC_CHUNK }},
{"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
{"0::0", ID_ANY, { .type = ENC_CHUNK }},
{"::", ID_ANY, { .type = ENC_CHUNK }},
{"*", ID_ANY, { .type = ENC_CHUNK }},
{"any", ID_FQDN, { .type = ENC_SIMPLE }},
{"any6", ID_FQDN, { .type = ENC_SIMPLE }},
{"0", ID_FQDN, { .type = ENC_SIMPLE }},
{"**", ID_FQDN, { .type = ENC_SIMPLE }},
{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
{NULL, ID_ANY, { .type = ENC_CHUNK }},
{"", ID_ANY, { .type = ENC_CHUNK }},
{"%any", ID_ANY, { .type = ENC_CHUNK }},
{"%any6", ID_ANY, { .type = ENC_CHUNK }},
{"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
{"0::0", ID_ANY, { .type = ENC_CHUNK }},
{"::", ID_ANY, { .type = ENC_CHUNK }},
{"*", ID_ANY, { .type = ENC_CHUNK }},
{"any", ID_FQDN, { .type = ENC_SIMPLE }},
{"any6", ID_FQDN, { .type = ENC_SIMPLE }},
{"0", ID_FQDN, { .type = ENC_SIMPLE }},
{"**", ID_FQDN, { .type = ENC_SIMPLE }},
{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
{"192.168.", ID_FQDN, { .type = ENC_SIMPLE }},
{".", ID_FQDN, { .type = ENC_SIMPLE }},
{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
{"192.168.", ID_FQDN, { .type = ENC_SIMPLE }},
{".", ID_FQDN, { .type = ENC_SIMPLE }},
{"192.168.1.1/33", ID_FQDN, { .type = ENC_SIMPLE }},
{"192.168.1.1/32", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff) }},
{"192.168.1.1/31", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe) }},
{"192.168.1.8/30", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc) }},
{"192.168.1.128/25", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80) }},
{"192.168.1.0/24", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00) }},
{"192.168.1.0/23", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00) }},
{"192.168.4.0/22", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00) }},
{"0.0.0.0/0", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
{"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28) }},
{"0.0.0.0-255.255.255.255", ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff) }},
{"192.168.1.40-192.168.1.0",ID_FQDN, { .type = ENC_SIMPLE }},
{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
{"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
{"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
{"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
{":", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice", ID_FQDN, { .type = ENC_SIMPLE }},
{"@", ID_FQDN, { .type = ENC_CHUNK }},
{" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
{"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
{":", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"fec0::1/129", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"fec0::1/128", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }},
{"fec0::1/127", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }},
{"fec0::4/126", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }},
{"fec0::100/120", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }},
{"::/0", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }},
{"fec0::1-fec0::4fff", ID_IPV6_ADDR_RANGE, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }},
{"fec0::4fff-fec0::1", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"fec0::1-", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"alice", ID_FQDN, { .type = ENC_SIMPLE }},
{"@", ID_FQDN, { .type = ENC_CHUNK }},
{" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
{"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
.data.s = "strongswan.org" }},
{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
{"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
{"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
{"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
{"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
0x03,0x55,0x04,0x06,0x13,0x00) }},
{"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
{"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
{"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
{"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
{"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
{"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
{"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
{"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
{"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
{ "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING,
{ "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING,
.data.s = "tester" }},
{ "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
{ "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
{ "{0x02}:tester", ID_FQDN, { .type = ENC_STRING,
{ "{0x02}:tester", ID_FQDN, { .type = ENC_STRING,
.data.s = "tester" }},
{ "{99}:somedata", 99, { .type = ENC_STRING,
{ "{99}:somedata", 99, { .type = ENC_STRING,
.data.s = "somedata" }},
};
@ -264,14 +320,33 @@ START_TEST(test_printf_hook)
string_equals("192.168.1.1", "192.168.1.1");
string_equals_id("(invalid ID_IPV4_ADDR)",
identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
string_equals("192.168.1.1/32", "192.168.1.1/32");
string_equals("192.168.1.2/31", "192.168.1.2/31");
string_equals("192.168.1.0/24", "192.168.1.0/24");
string_equals("192.168.2.0/23", "192.168.2.0/23");
string_equals("0.0.0.0/0", "0.0.0.0/0");
string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)",
identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty));
string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254");
string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255");
string_equals_id("(invalid ID_IPV4_ADDR_RANGE)",
identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty));
string_equals("fec0::1", "fec0::1");
string_equals("fec0::1", "fec0:0:0::1");
string_equals_id("(invalid ID_IPV6_ADDR)",
identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
string_equals("fec0::1/128", "fec0::1/128");
string_equals("fec0::2/127", "fec0::2/127");
string_equals("fec0::100/120", "fec0::100/120");
string_equals("::/0", "::/0");
string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)",
identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty));
string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff");
string_equals_id("(invalid ID_IPV6_ADDR_RANGE)",
identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty));
string_equals_id("(unknown ID type: 255)",
identification_create_from_encoding(255, chunk_empty));
identification_create_from_encoding(255, chunk_empty));
string_equals("moon@strongswan.org", "moon@strongswan.org");
string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
@ -595,6 +670,89 @@ START_TEST(test_matches_binary)
}
END_TEST
START_TEST(test_matches_range)
{
identification_t *a, *b;
/* IPv4 addresses */
a = identification_create_from_string("192.168.1.1");
ck_assert(a->get_type(a) == ID_IPV4_ADDR);
ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS));
ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE));
ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE));
ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD));
ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE));
ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD));
ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE));
ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE));
ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
/* Malformed IPv4 subnet and range encoding */
b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty);
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty);
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE,
chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00));
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
a->destroy(a);
/* IPv6 addresses */
a = identification_create_from_string("fec0::1");
ck_assert(a->get_type(a) == ID_IPV6_ADDR);
ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS));
ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE));
ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE));
ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD));
ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE));
ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT));
ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD));
ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE));
ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE));
ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
/* Malformed IPv6 subnet and range encoding */
b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty);
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty);
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE,
chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff,
0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 ));
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
b->destroy(b);
a->destroy(a);
/* Malformed IPv4 address encoding */
a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty);
ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE));
ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE));
a->destroy(a);
/* Malformed IPv6 address encoding */
a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty);
ck_assert(id_matches(a, "::/0", ID_MATCH_NONE));
ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE));
a->destroy(a);
}
END_TEST
START_TEST(test_matches_string)
{
identification_t *a;
@ -929,6 +1087,7 @@ Suite *identification_suite_create()
tcase_add_test(tc, test_matches);
tcase_add_test(tc, test_matches_any);
tcase_add_test(tc, test_matches_binary);
tcase_add_test(tc, test_matches_range);
tcase_add_test(tc, test_matches_string);
tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);

387
src/libstrongswan/utils/identification.c
View File

@ -1,8 +1,9 @@
/*
* Copyright (C) 2016 Andreas Steffen
* Copyright (C) 2009-2015 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -823,6 +824,154 @@ METHOD(identification_t, matches_dn, id_match_t,
return ID_MATCH_NONE;
}
/**
* Transform netmask to CIDR bits
*/
static int netmask_to_cidr(char *netmask, size_t address_size)
{
uint8_t byte;
int i, netbits = 0;
for (i = 0; i < address_size; i++)
{
byte = netmask[i];
if (byte == 0x00)
{
break;
}
if (byte == 0xff)
{
netbits += 8;
}
else
{
while (byte & 0x80)
{
netbits++;
byte <<= 1;
}
}
}
return netbits;
}
METHOD(identification_t, matches_range, id_match_t,
private_identification_t *this, identification_t *other)
{
chunk_t other_encoding;
uint8_t *address, *from, *to, *network, *netmask;
size_t address_size = 0;
int netbits, range_sign, i;
if (other->get_type(other) == ID_ANY)
{
return ID_MATCH_ANY;
}
if (this->type == other->get_type(other) &&
chunk_equals(this->encoded, other->get_encoding(other)))
{
return ID_MATCH_PERFECT;
}
if ((this->type == ID_IPV4_ADDR &&
other->get_type(other) == ID_IPV4_ADDR_SUBNET))
{
address_size = sizeof(struct in_addr);
}
else if ((this->type == ID_IPV6_ADDR &&
other->get_type(other) == ID_IPV6_ADDR_SUBNET))
{
address_size = sizeof(struct in6_addr);
}
if (address_size)
{
other_encoding = other->get_encoding(other);
if (this->encoded.len != address_size ||
other_encoding.len != 2 * address_size)
{
return ID_MATCH_NONE;
}
address = this->encoded.ptr;
network = other_encoding.ptr;
netmask = other_encoding.ptr + address_size;
netbits = netmask_to_cidr(netmask, address_size);
if (netbits == 0)
{
return ID_MATCH_MAX_WILDCARDS;
}
if (netbits == 8 * address_size)
{
return memeq(address, network, address_size) ?
ID_MATCH_PERFECT : ID_MATCH_NONE;
}
for (i = 0; i < (netbits + 7)/8; i++)
{
if ((address[i] ^ network[i]) & netmask[i])
{
return ID_MATCH_NONE;
}
}
return ID_MATCH_ONE_WILDCARD;
}
if ((this->type == ID_IPV4_ADDR &&
other->get_type(other) == ID_IPV4_ADDR_RANGE))
{
address_size = sizeof(struct in_addr);
}
else if ((this->type == ID_IPV6_ADDR &&
other->get_type(other) == ID_IPV6_ADDR_RANGE))
{
address_size = sizeof(struct in6_addr);
}
if (address_size)
{
other_encoding = other->get_encoding(other);
if (this->encoded.len != address_size ||
other_encoding.len != 2 * address_size)
{
return ID_MATCH_NONE;
}
address = this->encoded.ptr;
from = other_encoding.ptr;
to = other_encoding.ptr + address_size;
range_sign = memcmp(to, from, address_size);
if (range_sign < 0)
{ /* to is smaller than from */
return ID_MATCH_NONE;
}
/* check lower bound */
for (i = 0; i < address_size; i++)
{
if (address[i] != from[i])
{
if (address[i] < from[i])
{
return ID_MATCH_NONE;
}
break;
}
}
/* check upper bound */
for (i = 0; i < address_size; i++)
{
if (address[i] != to[i])
{
if (address[i] > to[i])
{
return ID_MATCH_NONE;
}
break;
}
}
return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT;
}
return ID_MATCH_NONE;
}
/**
* Described in header.
*/
@ -831,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data,
{
private_identification_t *this = *((private_identification_t**)(args[0]));
chunk_t proper;
char buf[512];
char buf[BUF_LEN];
char *pos;
size_t written, len, address_size;
if (this == NULL)
{
@ -841,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data,
switch (this->type)
{
case ID_ANY:
snprintf(buf, sizeof(buf), "%%any");
snprintf(buf, BUF_LEN, "%%any");
break;
case ID_IPV4_ADDR:
if (this->encoded.len < sizeof(struct in_addr) ||
inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)");
}
break;
case ID_IPV4_ADDR_SUBNET:
address_size = sizeof(struct in_addr);
if (this->encoded.len < 2 * address_size ||
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)");
break;
}
written = strlen(buf);
snprintf(buf + written, BUF_LEN - written, "/%d",
netmask_to_cidr(this->encoded.ptr + address_size,
address_size));
break;
case ID_IPV4_ADDR_RANGE:
address_size = sizeof(struct in_addr);
if (this->encoded.len < 2 * address_size ||
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
break;
}
written = strlen(buf);
pos = buf + written;
len = BUF_LEN - written;
written = snprintf(pos, len, "-");
if (written < 0 || written >= len ||
inet_ntop(AF_INET, this->encoded.ptr + address_size,
pos + written, len - written) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
}
break;
case ID_IPV6_ADDR:
if (this->encoded.len < sizeof(struct in6_addr) ||
inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)");
}
break;
case ID_IPV6_ADDR_SUBNET:
address_size = sizeof(struct in6_addr);
if (this->encoded.len < 2 * address_size ||
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)");
}
else
{
written = strlen(buf);
snprintf(buf + written, BUF_LEN - written, "/%d",
netmask_to_cidr(this->encoded.ptr + address_size,
address_size));
}
break;
case ID_IPV6_ADDR_RANGE:
address_size = sizeof(struct in6_addr);
if (this->encoded.len < 2 * address_size ||
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
break;
}
written = strlen(buf);
pos = buf + written;
len = BUF_LEN - written;
written = snprintf(pos, len, "-");
if (written < 0 || written >= len ||
inet_ntop(AF_INET6, this->encoded.ptr + address_size,
pos + written, len - written) == NULL)
{
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
}
break;
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr);
chunk_free(&proper);
break;
case ID_DER_ASN1_DN:
dntoa(this->encoded, buf, sizeof(buf));
dntoa(this->encoded, buf, BUF_LEN);
break;
case ID_DER_ASN1_GN:
snprintf(buf, sizeof(buf), "(ASN.1 general name)");
snprintf(buf, BUF_LEN, "(ASN.1 general name)");
break;
case ID_KEY_ID:
if (chunk_printable(this->encoded, NULL, '?') &&
this->encoded.len != HASH_SIZE_SHA1)
{ /* fully printable, use ascii version */
snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len,
this->encoded.ptr);
}
else
{ /* not printable, hex dump */
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
snprintf(buf, BUF_LEN, "%#B", &this->encoded);
}
break;
default:
snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type);
break;
}
if (spec->minus)
@ -952,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type)
this->public.matches = _matches_dn;
this->public.contains_wildcards = _contains_wildcards_dn;
break;
case ID_IPV4_ADDR:
case ID_IPV6_ADDR:
this->public.hash = _hash_binary;
this->public.equals = _equals_binary;
this->public.matches = _matches_range;
this->public.contains_wildcards = return_false;
break;
default:
this->public.hash = _hash_binary;
this->public.equals = _equals_binary;
@ -973,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str)
} prefixes[] = {
{ "ipv4:", ID_IPV4_ADDR },
{ "ipv6:", ID_IPV6_ADDR },
{ "ipv4net:", ID_IPV4_ADDR_SUBNET },
{ "ipv6net:", ID_IPV6_ADDR_SUBNET },
{ "ipv4range:", ID_IPV4_ADDR_RANGE },
{ "ipv6range:", ID_IPV6_ADDR_RANGE },
{ "rfc822:", ID_RFC822_ADDR },
{ "email:", ID_RFC822_ADDR },
{ "userfqdn:", ID_USER_FQDN },
@ -1038,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str)
return this;
}
/**
* Convert to an IPv4/IPv6 host address, subnet or address range
*/
static private_identification_t* create_ip_address_from_string(char *string,
bool is_ipv4)
{
private_identification_t *this;
uint8_t encoding[32];
uint8_t *str, *pos, *address, *to_address, *netmask;
size_t address_size;
int bits, bytes, i;
bool has_subnet = FALSE, has_range = FALSE;
address = encoding;
address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr);
str = strdup(string);
pos = strchr(str, '/');
if (pos)
{ /* separate IP address from optional netmask */
*pos = '\0';
has_subnet = TRUE;
}
else
{
pos = strchr(str, '-');
if (pos)
{ /* separate lower address from upper address of IP range */
*pos = '\0';
has_range = TRUE;
}
}
if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1)
{
free(str);
return NULL;
}
if (has_subnet)
{ /* is IP subnet */
bits = atoi(pos + 1);
if (bits > 8 * address_size)
{
free(str);
return NULL;
}
bytes = bits / 8;
bits -= 8 * bytes;
netmask = encoding + address_size;
for (i = 0; i < address_size; i++)
{
if (bytes)
{
*netmask = 0xff;
bytes--;
}
else if (bits)
{
*netmask = 0xff << (8 - bits);
bits = 0;
}
else
{
*netmask = 0x00;
}
*address++ &= *netmask++;
}
this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET :
ID_IPV6_ADDR_SUBNET);
this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
}
else if (has_range)
{ /* is IP range */
to_address = encoding + address_size;
if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1)
{
free(str);
return NULL;
}
for (i = 0; i < address_size; i++)
{
if (address[i] != to_address[i])
{
if (address[i] > to_address[i])
{
free(str);
return NULL;
}
break;
}
}
this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE :
ID_IPV6_ADDR_RANGE);
this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
}
else
{ /* is IP host address */
this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR);
this->encoded = chunk_clone(chunk_create(encoding, address_size));
}
free(str);
return this;
}
/*
* Described in header.
*/
@ -1095,15 +1432,9 @@ identification_t *identification_create_from_string(char *string)
{
if (strchr(string, ':') == NULL)
{
struct in_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
if (inet_pton(AF_INET, string, &address) > 0)
{ /* is IPv4 */
this = identification_create(ID_IPV4_ADDR);
this->encoded = chunk_clone(chunk);
}
else
/* IPv4 address or subnet */
this = create_ip_address_from_string(string, TRUE);
if (!this)
{ /* not IPv4, mostly FQDN */
this = identification_create(ID_FQDN);
this->encoded = chunk_from_str(strdup(string));
@ -1112,15 +1443,9 @@ identification_t *identification_create_from_string(char *string)
}
else
{
struct in6_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
if (inet_pton(AF_INET6, string, &address) > 0)
{ /* is IPv6 */
this = identification_create(ID_IPV6_ADDR);
this->encoded = chunk_clone(chunk);
}
else
/* IPv6 address or subnet */
this = create_ip_address_from_string(string, FALSE);
if (!this)
{ /* not IPv4/6 fallback to KEY_ID */
this = identification_create(ID_KEY_ID);
this->encoded = chunk_from_str(strdup(string));

17
testing/tests/swanctl/rw-psk-ikev1/description.txt
View File

@ -1,10 +1,15 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on two <b>pre-shared keys</b>
bound to the two distinct gateway identities <b>moon1.strongswan.org</b> and
<b>moon2.strongswan.org</b>. On the gateway these two identities are bound to
two disjoint sets of client IP address ranges which allows IKEv1 Main Mode
to select the correct connection definition and via the gateway identity the
correct PSK.
to gateway <b>moon</b>. The IKEv1 main mode authentication is based on
<b>pre-shared keys</b> and <b>IPv4 address</b> identities.
On the gateway two connections with differing parameters are defined:
One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from
the range <b>192.168.0.150-192.168.0.200</b>.
<p/>
On the gateway for different shared keys are defined for the following
hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>,
<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and
<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b>
the fourth PSK.
<p/>
Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different

10
testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
View File

@ -1,11 +1,13 @@
dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

7
testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
View File

@ -6,11 +6,9 @@ connections {
local {
auth = psk
id = carol@strongswan.org
}
remote {
auth = psk
id = moon1.strongswan.org
}
children {
home {
@ -27,10 +25,9 @@ connections {
secrets {
ike-moon1 {
id = moon1.strongswan.org
ike-moon {
id = 192.168.0.1
# hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
secret = 0x16964066a10de938bdb2ab7864fe4459cab1
}
}

8
testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
View File

@ -6,15 +6,13 @@ connections {
local {
auth = psk
id = dave@strongswan.org
}
remote {
auth = psk
id = moon2.strongswan.org
}
children {
home {
remote_ts = 10.1.0.16/28
remote_ts = 10.1.0.17-10.1.0.20
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes192gcm128-modp3072
@ -27,8 +25,8 @@ connections {
secrets {
ike-moon2 {
id = moon2.strongswan.org
ike-moon {
id = 192.168.0.1
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
}
}

22
testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
View File

@ -6,7 +6,6 @@ connections {
local {
auth = psk
id = moon1.strongswan.org
}
remote {
auth = psk
@ -25,18 +24,17 @@ connections {
rw-2 {
local_addrs = 192.168.0.1
remote_addrs = 192.168.0.192/28
remote_addrs = 192.168.0.150-192.168.0.200
local {
auth = psk
id = moon2.strongswan.org
}
remote {
auth = psk
}
children {
net-2 {
local_ts = 10.1.0.16/28
local_ts = 10.1.0.17-10.1.0.20
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes192gcm128-modp3072
@ -50,12 +48,20 @@ connections {
secrets {
ike-moon1 {
id = moon1.strongswan.org
ike-any {
id = 0.0.0.0/0 0::0/0
secret = 0soBAJZLI7Bwwi61Rl113FqD/3
}
ike-rw-1 {
id = 192.168.0.96/28
secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
}
ike-moon2 {
id = moon2.strongswan.org
ike-rw-2 {
id = 192.168.0.150-192.168.0.200
secret = 0s8qPdxyhDeGfk1l211cS8urXc
}
ike-dave {
id = 192.168.0.200
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
}
}