testing: Add pfkey/shunt-policies-nat-rw scenario
This commit is contained in:
parent
f22add05f6
commit
73211f9b74
|
@ -1,3 +1,5 @@
|
|||
alice::ipsec status 2> /dev/null::local-net.*PASS::YES
|
||||
venus::ipsec status 2> /dev/null::local-net.*PASS::YES
|
||||
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
|
||||
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
|
||||
tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
|
||||
local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
|
||||
shunt policy with <b>type=pass</b>.
|
||||
<p/>
|
||||
In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
|
||||
ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
|
|
@ -0,0 +1,12 @@
|
|||
alice::ipsec status 2> /dev/null::local-net.*PASS::YES
|
||||
venus::ipsec status 2> /dev/null::local-net.*PASS::YES
|
||||
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
|
||||
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
|
||||
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
|
||||
alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
|
|
@ -0,0 +1,27 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn nat-t
|
||||
left=%any
|
||||
leftcert=aliceCert.pem
|
||||
leftid=alice@strongswan.org
|
||||
leftsourceip=%config
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=0.0.0.0/0
|
||||
auto=add
|
||||
|
||||
conn local-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
rightsubnet=10.1.0.0/16
|
||||
authby=never
|
||||
type=pass
|
||||
auto=route
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
|
||||
|
||||
keep_alive = 5
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn nat-t
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftfirewall=yes
|
||||
leftsubnet=0.0.0.0/0
|
||||
right=%any
|
||||
rightsourceip=10.3.0.0/28
|
||||
auto=add
|
|
@ -0,0 +1,24 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
COMMIT
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn nat-t
|
||||
left=%any
|
||||
leftcert=venusCert.pem
|
||||
leftid=@venus.strongswan.org
|
||||
leftsourceip=%config
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=0.0.0.0/0
|
||||
auto=add
|
||||
|
||||
conn local-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
rightsubnet=10.1.0.0/16
|
||||
authby=never
|
||||
type=pass
|
||||
auto=route
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
|
||||
|
||||
keep_alive = 5
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
sun::ipsec stop
|
||||
alice::ipsec stop
|
||||
venus::ipsec stop
|
||||
sun::iptables-restore < /etc/iptables.flush
|
||||
moon::iptables -t nat -F
|
|
@ -0,0 +1,11 @@
|
|||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
|
||||
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
|
||||
alice::ipsec start
|
||||
venus::ipsec start
|
||||
sun::ipsec start
|
||||
alice::expect-connection nat-t
|
||||
venus::expect-connection nat-t
|
||||
sun::expect-connection nat-t
|
||||
alice::ipsec up nat-t
|
||||
venus::ipsec up nat-t
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-w-s-b.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="alice moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="alice venus sun"
|
Loading…
Reference in New Issue