testing: Migrated openssl brainpool scenarios to swanctl
This commit is contained in:
parent
1cab8ed5f8
commit
6ea531d926
|
@ -1,17 +1,17 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
|
||||
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
|
||||
cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
|
||||
cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
|
||||
plugin for the Elliptic Curve Diffie-Hellman groups only.
|
||||
<p>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas
|
||||
<b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support
|
||||
ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
||||
|
||||
|
|
|
@ -1,19 +1,12 @@
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES
|
||||
dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES
|
||||
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp
|
||||
}
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp
|
||||
}
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::systemctl stop strongswan-swanctl
|
||||
dave::systemctl stop strongswan-swanctl
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::systemctl start strongswan-swanctl
|
||||
carol::systemctl start strongswan-swanctl
|
||||
dave::systemctl start strongswan-swanctl
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
|
|||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
|
@ -1,17 +1,16 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
|
||||
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
|
||||
cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
|
||||
cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
|
||||
plugin for the Elliptic Curve Diffie-Hellman groups only.
|
||||
<p>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas
|
||||
<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support
|
||||
<b>dave</b> proposes ECP_384_BP and ECP_256_BP. Since <b>moon</b> does not support
|
||||
ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
||||
|
||||
|
|
|
@ -1,19 +1,12 @@
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
|
||||
dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
|
||||
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp
|
||||
}
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp
|
||||
}
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -1,5 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
|
||||
load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
carol::systemctl stop strongswan-swanctl
|
||||
dave::systemctl stop strongswan-swanctl
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
moon::systemctl start strongswan-swanctl
|
||||
carol::systemctl start strongswan-swanctl
|
||||
dave::systemctl start strongswan-swanctl
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::ipsec up home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::ipsec up home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
|
|||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
Loading…
Reference in New Issue