testing: Updated all swanctl scenarios and added some new ones
This commit is contained in:
parent
db69295d2e
commit
73cbd5c7f8
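--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_01
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using the <b>IKEv2</b> key exchange protocol. The
+authentication is based on <b>X.509 certificates</b>. <b>dave</b> advertises
+the support of the IKEv2 fragmentation protocol defined in <b>RFC 7383</b>
+which prevents the IP fragmentation of the IKEv2 messages carrying large X.509
+certificates whereas <b>carol</b> announces support of non-standardized
+IKEv1 fragmentation.
+
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.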
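--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_02
@@ -0,0 +1,19 @@
+carol:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+dave:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+moon:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+carol:: cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+carol:: cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
+dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
+moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
+moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES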
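Review bot: The two `alice::ping` expectations near the end of this section match `icmp_req=1`, while the IPv6 variant of the same scenario (section ending at 769) matches `icmp_seq=1`; which token ping prints depends on the iputils version installed on alice, so one of the two scenarios breaks whenever the guest image is updated. Since these patterns are regular expressions, a version-tolerant form such as `64 bytes from 192.168.0.100: icmp_.eq=1` keeps both scenarios valid. The moon checks also assume `--ike-id 1` is carol and `--ike-id 2` is dave, which appears to hold only because the pretest initiates carol first; that dependency is worth a short comment at the top of the file.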
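--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_03
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+}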
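--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_04
@@ -0,0 +1,33 @@
+connections {
+
+home {
+local_addrs = 192.168.0.100
+remote_addrs = 192.168.0.1
+
+local {
+auth = pubkey
+certs = carolCert.pem
+id = carol@strongswan.org
+}
+remote {
+auth = pubkey
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = 10.1.0.0/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+version = 1
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}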
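Review bot: `version = 1` pins carol to IKEv1 here, and the evaltest in the section ending at 108 expects `version=1` for her SA, but the scenario description in the first section says both roadwarriors connect "using the IKEv2 key exchange protocol"; the IPv6 variant's description (section ending at 709) already has the correct "IKEv1 and IKEv2 ... respectively" wording, so the first description should be aligned with it. Separately, `remote { auth = pubkey id = moon.strongswan.org }` names no `cacerts`, so the trust anchor for moon's certificate is whatever swanctl loaded from its credential directories rather than something a reader of this file can see; the CA-constraints scenario later in this commit (section ending at 2080) spells out `cacerts = strongswanCert.pem` and `revocation = strict`, and the same two lines would document the intended trust here. Dave's configuration (section ending at 400) has the same shape.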
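--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_05
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+}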
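--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_06
@@ -0,0 +1,34 @@
+connections {
+
+home {
+local_addrs = 192.168.0.200
+remote_addrs = 192.168.0.1
+
+local {
+auth = pubkey
+certs = daveCert.pem
+id = dave@strongswan.org
+}
+remote {
+auth = pubkey
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = 10.1.0.0/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+version = 2
+mobike = no
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}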
|
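--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_07
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+}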
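--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_08
@@ -0,0 +1,31 @@
+connections {
+
+rw {
+local_addrs = 192.168.0.1
+
+local {
+auth = pubkey
+certs = moonCert.pem
+id = moon.strongswan.org
+}
+remote {
+auth = pubkey
+}
+children {
+net {
+local_ts = 10.1.0.0/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+mobike = no
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}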
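Review bot: The `remote { auth = pubkey }` block has neither `id` nor `cacerts`, so moon accepts any peer identity whose certificate chains to any CA certificate swanctl happened to load, and `version` is left unset so both IKEv1 (carol) and IKEv2 (dave) are accepted; both properties are what the evaltest relies on, but neither is stated in the file. A short comment such as `# any identity under any loaded CA; version left unset so IKEv1 and IKEv2 roadwarriors both match`, or an explicit `cacerts = strongswanCert.pem`, makes the trust decision visible to whoever copies this gateway block as a template. The IPv6 moon configuration (section ending at 1270) has the same shape.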
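--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_09
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush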
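--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_10
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::sleep 1
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null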
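--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_11
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1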
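--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_12
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each
+to gateway <b>moon</b> using the <b>IKEv1</b> and <b>IKEv2</b> key exchange
+protocol, respectively. The authentication is based on <b>X.509 certificates</b>.
+<b>dave</b> advertises the support of the IKEv2 fragmentation protocol defined in
+<b>RFC 7383</b> which prevents the IP fragmentation of the IKEv2 messages carrying
+large X.509 certificates whereas <b>carol</b> announces support of non-standardized
+IKEv1 fragmentation.
+<p/>
+Upon the successful establishment of the IPv6 IPsec tunnels, the updown script
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.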
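--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_13
@@ -0,0 +1,19 @@
+carol:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+dave:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+moon:: cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+carol:: cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+carol:: cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
+dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
+moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
+moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
+alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES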
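--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_14
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+auth = /usr/local/sbin/swanctl --load-authorities
+}
+}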
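--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_15
@@ -0,0 +1,40 @@
+connections {
+
+home {
+local_addrs = fec0::10
+remote_addrs = fec0::1
+
+local {
+auth = pubkey
+certs = carolCert.pem
+id = carol@strongswan.org
+}
+remote {
+auth = pubkey
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = fec1::/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+version = 1
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}
+
+authorities {
+strongswan {
+cacert = strongswanCert.pem
+crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+}
+}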
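Review bot: The new `authorities { strongswan { crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl } }` block is not observably exercised: the `remote` block sets no `revocation` policy, so the default applies (relaxed, as far as I recall; verify), and the IPv6 evaltest (section ending at 769) has no `fetching crl` or `crl correctly signed` expectation, unlike the CA-constraints scenario (section ending at 1861). Adding `revocation = strict` under `remote` and a line such as `carol:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES` to the evaltest would turn the CRL fetch over IPv6 into a checked property instead of a side effect. The same block is repeated for dave (section ending at 1108) and moon (section ending at 1270).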
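--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_16
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+auth = /usr/local/sbin/swanctl --load-authorities
+}
+}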
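--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_17
@@ -0,0 +1,41 @@
+connections {
+
+home {
+local_addrs = fec0::20
+remote_addrs = fec0::1
+
+local {
+auth = pubkey
+certs = daveCert.pem
+id = dave@strongswan.org
+}
+remote {
+auth = pubkey
+id = moon.strongswan.org
+}
+children {
+home {
+remote_ts = fec1::/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+version = 2
+mobike = no
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}
+
+authorities {
+strongswan {
+cacert = strongswanCert.pem
+crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+}
+}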
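--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_18
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
+
+fragment_size = 1400
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+auth = /usr/local/sbin/swanctl --load-authorities
+}
+}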
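--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_19
@@ -0,0 +1,38 @@
+connections {
+
+rw {
+local_addrs = fec0::1
+
+local {
+auth = pubkey
+certs = moonCert.pem
+id = moon.strongswan.org
+}
+remote {
+auth = pubkey
+}
+children {
+net {
+local_ts = fec1::/16
+
+start_action = none
+updown = /usr/local/libexec/ipsec/_updown iptables
+rekey_time = 10m
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+mobike = no
+fragmentation = yes
+reauth_time = 60m
+rekey_time = 20m
+proposals = aes128-sha256-ecp256
+}
+}
+
+authorities {
+strongswan {
+cacert = strongswanCert.pem
+crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+}
+}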
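--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_20
@@ -0,0 +1,14 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
+dave::"ip route del fec1:\:/16 via fec0:\:1"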
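--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_21
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::sleep 1
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null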
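--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_22
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
+
+# charon controlled by swanctl
+#
+SWANCTL=1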
@ -5,7 +5,10 @@ swanctl {
|
|||
}
|
||||
|
||||
charon {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
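Review bot: `dh_exponent_ansi_x9_42 = no` is shown directly under `charon {` in this hunk, whereas in the hunks ending at 1652, 1692 and 1735 it sits under `libstrongswan {`; the rendered page does not show which side each line is on, so this may well be a removed line, but if it ends up under `charon` on the new side it is silently ignored, because that option is read from the `libstrongswan` section. Conversely, in the hunks ending at 1652, 1692 and 1735 `start-scripts {` immediately follows the `dh_exponent_ansi_x9_42` line, and if that block lands inside `libstrongswan` rather than `charon`, charon will not run the load scripts that the trimmed pretest files (hunks ending at 1612 and 1777) now depend on. The hunk ending at 1526 prints the `load =` line twice, which suggests at least that file was edited on both sides; checking the resulting strongswan.conf files rather than the rendering would settle all of these.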
@ -5,7 +5,10 @@ swanctl {
|
|||
}
|
||||
|
||||
charon {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
|
||||
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,10 +5,13 @@ swanctl {
|
|||
}
|
||||
|
||||
charon {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown sqlite attr-sql vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
|
||||
plugins {
|
||||
attr-sql {
|
||||
database = sqlite:///etc/ipsec.d/ipsec.db
|
||||
|
|
|
@ -11,11 +11,5 @@ moon::service charon start 2> /dev/null
|
|||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
carol::swanctl --load-conns 2> /dev/null
|
||||
dave::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --load-creds 2> /dev/null
|
||||
dave::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,10 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
pools = /usr/local/sbin/swanctl --load-pools
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,12 +5,5 @@ moon::service charon start 2> /dev/null
|
|||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
carol::swanctl --load-conns 2> /dev/null
|
||||
dave::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --load-creds 2> /dev/null
|
||||
dave::swanctl --load-creds 2> /dev/null
|
||||
moon::swanctl --load-pools 2> /dev/null
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
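--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_23
@@ -0,0 +1,7 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.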
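--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_24
@@ -0,0 +1,19 @@
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES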
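Review bot: The negative check on the third-to-last line matches `research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org`, but dave's address is 192.168.0.200 (as the following line asserts), so this pattern can never match regardless of whether the Research CA constraint held and the `::NO` passes vacuously. It should read `remote-host=192.168.0.200 remote-id=dave@strongswan.org`. The mirror check for carol against `sales` a few lines earlier uses the right address (192.168.0.100), so only the dave line is affected.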
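--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_25
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+start-scripts {
+creds = /usr/local/sbin/swanctl --load-creds
+conns = /usr/local/sbin/swanctl --load-conns
+}
+}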
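--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_26
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO
+7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm
+x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1
+awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz
+5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz
+9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6
+zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp
+9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa
+ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8
+JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup
+F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT
+0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y
+bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ
+oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH
+Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ
+aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H
+3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF
+mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz
+6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0
+oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol
+1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye
+8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy
+HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od
+pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY
+zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg==
+-----END RSA PRIVATE KEY-----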
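--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_27
@@ -0,0 +1,31 @@
+connections {
+
+home {
+remote_addrs = 192.168.0.1
+
+local {
+auth = pubkey
+certs = carolCert.pem
+id = carol@strongswan.org
+}
+remote {
+auth = pubkey
+id = moon.strongswan.org
+cacerts = strongswanCert.pem
+revocation = strict
+}
+children {
+alice {
+remote_ts = 10.1.0.10/32
+esp_proposals = aes128-sha256-ecp256
+}
+venus {
+remote_ts = 10.1.0.20/32
+esp_proposals = aes128-sha256-ecp256
+}
+}
+
+version = 2
+proposals = aes128-sha256-ecp256
+}
+}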
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
|
||||
BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw
|
||||
NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
|
||||
BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF
|
||||
sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK
|
||||
oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L
|
||||
7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib
|
||||
tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA
|
||||
IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C
|
||||
AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd
|
||||
qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
|
||||
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
|
||||
YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
|
||||
YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
|
||||
LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
|
||||
TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i
|
||||
9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI
|
||||
jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX
|
||||
sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K
|
||||
yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3
|
||||
mk0VsDm1jdOf3PK1Xd2PJw==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
|
||||
FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
|
||||
zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
|
||||
/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
|
||||
C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
|
||||
+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
|
||||
BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
|
||||
VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
|
||||
BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
|
||||
bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
|
||||
FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
|
||||
cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
|
||||
POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
|
||||
xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
|
||||
dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
|
||||
8sFmiZI=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,14 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh
|
||||
aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm
|
||||
FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J
|
||||
DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0
|
||||
Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/
|
||||
OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF
|
||||
qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU
|
||||
dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ
|
||||
DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR
|
||||
+9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM
|
||||
BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI
|
||||
JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp
|
||||
L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP
|
||||
VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC
|
||||
Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV
|
||||
b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd
|
||||
6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v
|
||||
zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL
|
||||
BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK
|
||||
mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq
|
||||
s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC
|
||||
Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex
|
||||
iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD
|
||||
L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2
|
||||
mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,31 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
cacerts = strongswanCert.pem
|
||||
revocation = strict
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
remote_ts = 10.1.0.10/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
venus {
|
||||
remote_ts = 10.1.0.20/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
|
||||
BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
|
||||
BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk
|
||||
UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER
|
||||
0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN
|
||||
5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8
|
||||
XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA
|
||||
V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/
|
||||
kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
|
||||
YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
|
||||
cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB
|
||||
HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5
|
||||
q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B
|
||||
jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF
|
||||
mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb
|
||||
HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
|
||||
MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
|
||||
GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
|
||||
Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
|
||||
uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
|
||||
sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
|
||||
vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
|
||||
VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
|
||||
MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
|
||||
IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
|
||||
Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
|
||||
CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
|
||||
AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
|
||||
RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
|
||||
M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,31 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri=http://crl.strongswan.org/strongswan.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftsendcert=ifasked
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn alice
|
||||
leftsubnet=PH_IP_ALICE/32
|
||||
right=%any
|
||||
rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
|
||||
auto=add
|
||||
|
||||
conn venus
|
||||
leftsubnet=PH_IP_VENUS/32
|
||||
right=%any
|
||||
rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
|
||||
auto=add
|
|
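Review bot: This ipsec.conf looks unused in its scenario: the strongswan.conf added for the same scenario loads `vici` but no `stroke` plugin and test.conf sets `SWANCTL=1`, so charon would never read `conn alice` / `conn venus`, and the `rightca=` constraints here silently diverge from the `cacerts =` constraints that the swanctl.conf actually enforces. If this is moon's ipsec.conf for this scenario (the file path is not shown on this page), either drop it or add a header comment stating why a stroke-style file is kept next to the swanctl configuration, e.g. `# kept for reference only; charon is driven by swanctl (see start-scripts in strongswan.conf)`. Two authoritative-looking access-control policies for the same gateway are a maintenance hazard, since the one that is not loaded will drift.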
@ -0,0 +1,15 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
|
@ -0,0 +1,58 @@
|
|||
connections {
|
||||
|
||||
research {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
cacerts = researchCert.pem
|
||||
revocation = ifuri
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
local_ts = 10.1.0.10/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
|
||||
sales {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
cacerts = salesCert.pem
|
||||
revocation = ifuri
|
||||
}
|
||||
children {
|
||||
venus {
|
||||
local_ts = 10.1.0.20/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert=strongswanCert.pem
|
||||
crl_uris=http://crl.strongswan.org/strongswan.crl
|
||||
}
|
||||
}
|
|
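Review bot: The `authorities` block at the end of this file writes `cacert=strongswanCert.pem` and `crl_uris=http://crl.strongswan.org/strongswan.crl` without the spaces around `=` that every other key in the file and the otherwise identical block in carol's OCSP swanctl.conf use; `cacert = strongswanCert.pem` / `crl_uris = http://crl.strongswan.org/strongswan.crl` keeps the style uniform. Separately, both `remote` sections use `revocation = ifuri`, so a peer certificate that carries no CRL or OCSP URI is accepted without any revocation check, and neither `remote` block pins an `id`, so access to alice and venus rests entirely on which intermediate CA issued the peer certificate. A short comment above each `remote` block, e.g. `# authorization is by issuing intermediate CA only; no remote id is pinned`, would make that design decision explicit for readers of the scenario.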
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
|
||||
FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
|
||||
zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
|
||||
/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
|
||||
C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
|
||||
+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
|
||||
BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
|
||||
VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
|
||||
BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
|
||||
bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
|
||||
FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
|
||||
cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
|
||||
POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
|
||||
xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
|
||||
dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
|
||||
8sFmiZI=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
|
||||
MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
|
||||
GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
|
||||
Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
|
||||
uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
|
||||
sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
|
||||
vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
|
||||
VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
|
||||
MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
|
||||
IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
|
||||
Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
|
||||
CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
|
||||
AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
|
||||
RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
|
||||
M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home 2> /dev/null
|
||||
dave::swanctl --terminate --ike home 2> /dev/null
|
||||
carol::service charon stop 2> /dev/null
|
||||
dave::service charon stop 2> /dev/null
|
||||
moon::service charon stop 2> /dev/null
|
||||
carol::rm -r /etc/swanctl
|
||||
dave::rm -r /etc/swanctl
|
||||
moon::rm -r /etc/swanctl
|
|
@ -0,0 +1,8 @@
|
|||
moon::service charon start 2> /dev/null
|
||||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
carol::swanctl --initiate --child alice 2> /dev/null
|
||||
carol::swanctl --initiate --child venus 2> /dev/null
|
||||
dave::swanctl --initiate --child alice 2> /dev/null
|
||||
dave::swanctl --initiate --child venus 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,8 +3,4 @@ sun::iptables-restore < /etc/iptables.rules
|
|||
moon::service charon start 2> /dev/null
|
||||
sun::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
sun::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
sun::swanctl --load-creds 2> /dev/null
|
||||
moon::swanctl --initiate --child net-net 2> /dev/null
|
||||
|
|
|
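Review bot: The only synchronization left before `moon::swanctl --initiate --child net-net` is `moon::sleep 1`, now that the explicit `swanctl --load-creds` / `--load-conns` calls appear to be removed in favour of the `start-scripts` added to strongswan.conf in this commit; the removed calls ran synchronously in the pretest, whereas the start-scripts run during daemon start-up, so the pretest now depends on that loading finishing within the one-second sleep. If that timing has been observed to be reliable, a comment such as `# creds/conns are loaded by the charon start-scripts configured in strongswan.conf` would make the dependency visible to whoever next debugs an intermittent "no config named" failure. The same applies to the two other pretest hunks in this commit.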
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,8 +3,4 @@ moon::iptables-restore < /etc/iptables.rules
|
|||
sun::service charon start 2> /dev/null
|
||||
moon::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
sun::swanctl --load-creds 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
sun::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
alice::ping -c 3 10.2.0.10
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,8 +3,3 @@ moon::iptables-restore < /etc/iptables.rules
|
|||
sun::service charon start 2> /dev/null
|
||||
moon::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
sun::swanctl --load-creds 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
sun::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
moon::sleep 1
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
|
||||
<b>venus</b> by means of two different Intermediate CAs. Access to
|
||||
<b>alice</b> is granted to users presenting a certificate issued by the Research CA
|
||||
whereas <b>venus</b> can only be reached with a certificate issued by the
|
||||
Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
|
||||
the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
|
||||
<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
|
||||
<p>
|
||||
By setting <b>strictcrlpolicy=yes</b>, the certificate status from the strongSwan, Research and
|
||||
Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
|
|
@ -0,0 +1,26 @@
|
|||
moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.research.strongswan.org::YES
|
||||
moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.sales.strongswan.org::YES
|
||||
moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
|
||||
carol::swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
|
||||
dave:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
|
||||
carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
|
||||
dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::certificate status is good::YES
|
||||
carol::cat /var/log/daemon.log::certificate status is good::YES
|
||||
dave:: cat /var/log/daemon.log::certificate status is good::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
|
||||
moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
|
||||
carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
|
||||
moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
|
||||
dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
|
||||
moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
|
||||
moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES
|
||||
moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
|
||||
moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
|
||||
moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
|
|
@ -0,0 +1,15 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO
|
||||
7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm
|
||||
x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1
|
||||
awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz
|
||||
5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz
|
||||
9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6
|
||||
zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp
|
||||
9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa
|
||||
ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8
|
||||
JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup
|
||||
F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT
|
||||
0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y
|
||||
bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ
|
||||
oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH
|
||||
Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ
|
||||
aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H
|
||||
3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF
|
||||
mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz
|
||||
6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0
|
||||
oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol
|
||||
1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye
|
||||
8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy
|
||||
HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od
|
||||
pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY
|
||||
zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,39 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
cacerts = strongswanCert.pem
|
||||
revocation = strict
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
remote_ts = 10.1.0.10/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
venus {
|
||||
remote_ts = 10.1.0.20/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
ocsp_uris = http://ocsp.strongswan.org:8880
|
||||
}
|
||||
}
|
|
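Review bot: The scenario description on this page explains the behaviour in terms of `strictcrlpolicy=yes`, which is an ipsec.conf keyword, while this swanctl.conf implements it with `revocation = strict` in the `remote` section; a comment at that line, `# revocation = strict: swanctl equivalent of strictcrlpolicy=yes; the OCSP status must be fetched before the connection setup completes`, would tie the description and the configuration together. The `authorities` section lists only the root CA with `ocsp_uris`; whether the Research and Sales responders that the evaltest expects are reached via URIs embedded in the intermediate certificates rather than via this file cannot be confirmed from this page, so a one-line comment stating where those responders come from would help.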
@ -0,0 +1,25 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
|
||||
BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw
|
||||
NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
|
||||
BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF
|
||||
sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK
|
||||
oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L
|
||||
7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib
|
||||
tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA
|
||||
IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C
|
||||
AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd
|
||||
qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
|
||||
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
|
||||
YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
|
||||
YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
|
||||
LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
|
||||
TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i
|
||||
9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI
|
||||
jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX
|
||||
sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K
|
||||
yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3
|
||||
mk0VsDm1jdOf3PK1Xd2PJw==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
|
||||
FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
|
||||
zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
|
||||
/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
|
||||
C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
|
||||
+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
|
||||
BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
|
||||
VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
|
||||
BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
|
||||
bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
|
||||
FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
|
||||
cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
|
||||
POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
|
||||
xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
|
||||
dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
|
||||
8sFmiZI=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,15 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh
|
||||
aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm
|
||||
FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J
|
||||
DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0
|
||||
Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/
|
||||
OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF
|
||||
qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU
|
||||
dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ
|
||||
DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR
|
||||
+9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM
|
||||
BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI
|
||||
JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp
|
||||
L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP
|
||||
VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC
|
||||
Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV
|
||||
b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd
|
||||
6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v
|
||||
zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL
|
||||
BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK
|
||||
mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq
|
||||
s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC
|
||||
Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex
|
||||
iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD
|
||||
L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2
|
||||
mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w==
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,39 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
cacerts = strongswanCert.pem
|
||||
revocation = strict
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
remote_ts = 10.1.0.10/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
venus {
|
||||
remote_ts = 10.1.0.20/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
ocsp_uris = http://ocsp.strongswan.org:8880
|
||||
}
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
|
||||
BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
|
||||
BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk
|
||||
UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER
|
||||
0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN
|
||||
5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8
|
||||
XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA
|
||||
V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8
|
||||
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/
|
||||
kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
|
||||
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
|
||||
EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
|
||||
YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
|
||||
cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB
|
||||
HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5
|
||||
q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B
|
||||
jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF
|
||||
mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb
|
||||
HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
|
||||
MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
|
||||
GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
|
||||
Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
|
||||
uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
|
||||
sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
|
||||
vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
|
||||
VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
|
||||
MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
|
||||
IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
|
||||
Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
|
||||
CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
|
||||
AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
|
||||
RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
|
||||
M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,31 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
crluri=http://crl.strongswan.org/strongswan.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftsendcert=ifasked
|
||||
leftid=@moon.strongswan.org
|
||||
|
||||
conn alice
|
||||
leftsubnet=PH_IP_ALICE/32
|
||||
right=%any
|
||||
rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
|
||||
auto=add
|
||||
|
||||
conn venus
|
||||
leftsubnet=PH_IP_VENUS/32
|
||||
right=%any
|
||||
rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
|
||||
auto=add
|
|
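Review bot: This `ipsec.conf` is added into what the neighbouring files show to be a swanctl-driven scenario (`SWANCTL=1` in test.conf, and moon's `charon.load` list has `vici` but no `stroke`), so nothing appears to read it. Keeping a second description of moon's policy here means the `rightca=` constraints and `crluri=` in this file and the `cacerts`/`revocation = ifuri`/`ocsp_uris` settings in moon's swanctl.conf can drift apart without any test noticing. If it is a leftover from the stroke-based variant of the scenario, drop it; if it is kept on purpose, say so in the file, e.g. `# not loaded: this scenario is driven by swanctl (see SWANCTL=1 in test.conf); kept for comparison only`. The file paths are not shown on this rendered page, so the ownership of this file is inferred from the diff ordering.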
@ -0,0 +1,15 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
|
@ -0,0 +1,68 @@
|
|||
connections {
|
||||
|
||||
research {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
cacerts = researchCert.pem
|
||||
revocation = ifuri
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
local_ts = 10.1.0.10/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
|
||||
sales {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
cacerts = salesCert.pem
|
||||
revocation = ifuri
|
||||
}
|
||||
children {
|
||||
venus {
|
||||
local_ts = 10.1.0.20/32
|
||||
esp_proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert=strongswanCert.pem
|
||||
ocsp_uris=http://ocsp.strongswan.org:8880
|
||||
}
|
||||
|
||||
research {
|
||||
cacert=researchCert.pem
|
||||
ocsp_uris=http://ocsp.strongswan.org:8881
|
||||
}
|
||||
|
||||
sales {
|
||||
cacert=salesCert.pem
|
||||
ocsp_uris=http://ocsp.strongswan.org:8882
|
||||
}
|
||||
}
|
|
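Review bot: The `authorities` block writes `cacert=strongswanCert.pem` and `ocsp_uris=http://...` without the spaces around `=` that every other swanctl.conf in this commit uses; presumably both forms parse, but the file should match its siblings: `cacert = strongswanCert.pem` and `ocsp_uris = http://ocsp.strongswan.org:8880`. Separately, the `research` and `sales` connections carry no `remote.id`, so peer selection rests entirely on the `cacerts` constraint, and each connection exposes a different child (`alice` vs `venus`); that CA-based authorization is the property under test and deserves a line at the top of the file, e.g. `# peers are matched by issuing CA only: Research CA clients get child alice, Sales CA clients get child venus`.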
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
|
||||
cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||
ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
|
||||
FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
|
||||
zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
|
||||
/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
|
||||
C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
|
||||
+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
|
||||
BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
|
||||
VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
|
||||
BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
|
||||
bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
|
||||
FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
|
||||
cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
|
||||
POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
|
||||
xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
|
||||
dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
|
||||
8sFmiZI=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDuzCCAqOgAwIBAgIBITANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||
b290IENBMB4XDTEwMDQwNjA5NTQzM1oXDTE5MDQwNDA5NTQzM1owSzELMAkGA1UE
|
||||
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
|
||||
MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||
ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
|
||||
GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
|
||||
Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
|
||||
uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
|
||||
sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
|
||||
vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
|
||||
VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
|
||||
MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
|
||||
IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACRlTqXMjHy7r7rWnq/09yFn
|
||||
Td6d+y6KkHj9kvYSA5q7xYdmP3I4+YP2qpPnYjSeyfMCl4ZIyMXnfUbz5OvuXp4S
|
||||
CS0gIUJ6mK6+5f1a3USdB4Ce0Od4mkUIQmLzKFCRSqdhWoVzNJrl+BT1a5d9+aLW
|
||||
AL5S2pqUoQPgG64MPghy3SyUb4qBeplk3JdR/6OgA5LQeNtLiI7Y/dbMM2Rvn284
|
||||
RIIxp2TqN2Hup6BNLHv6fLixdJpM+nG7ZjGYf+7dnuY6ZDhvIt18zr/2n1ELBQPh
|
||||
M5SjYhGQIZVmNzNDrKGVAKta5LG8BwBGi0uXc9fBXWRcffI3N1/IZj/ob5t3WCg=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home 2> /dev/null
|
||||
dave::swanctl --terminate --ike home 2> /dev/null
|
||||
carol::service charon stop 2> /dev/null
|
||||
dave::service charon stop 2> /dev/null
|
||||
moon::service charon stop 2> /dev/null
|
||||
carol::rm -r /etc/swanctl
|
||||
dave::rm -r /etc/swanctl
|
||||
moon::rm -r /etc/swanctl
|
|
@ -0,0 +1,8 @@
|
|||
moon::service charon start 2> /dev/null
|
||||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
carol::swanctl --initiate --child alice 2> /dev/null
|
||||
carol::swanctl --initiate --child venus 2> /dev/null
|
||||
dave::swanctl --initiate --child alice 2> /dev/null
|
||||
dave::swanctl --initiate --child venus 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
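Review bot: The `start-scripts` block here runs `--load-creds` and `--load-conns` only, while the strongswan.conf files added elsewhere in this commit also run `auths = /usr/local/sbin/swanctl --load-authorities`; if any of these scenarios' swanctl.conf carries an `authorities` section it would not be loaded at daemon start (those swanctl.conf files are not in view, so this is an inference). The same block appears in the seven later hunks with the identical header `@ -6,8 +6,9 @@ swanctl {`, so one decision covers them all. The rendered hunk also does not show whether `libstrongswan { dh_exponent_ansi_x9_42 = no }` ends up on the old or the new side; if it survives, a short comment on why the setting is overridden would help the next reader.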
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,11 +5,5 @@ moon::service charon start 2> /dev/null
|
|||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
carol::swanctl --load-conns 2> /dev/null
|
||||
dave::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --load-creds 2> /dev/null
|
||||
dave::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,14 @@
|
|||
carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
|
||||
dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
|
||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
|
||||
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,17 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
|
||||
hash_and_url = yes
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
start_action = none
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 10m
|
||||
esp_proposals = aes128gcm128-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
reauth_time = 60m
|
||||
rekey_time = 20m
|
||||
proposals = aes128-sha256-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
cert_uri_base = http://winnetou.strongswan.org/certs/
|
||||
}
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
|
||||
hash_and_url = yes
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
start_action = none
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 10m
|
||||
esp_proposals = aes128gcm128-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
reauth_time = 60m
|
||||
rekey_time = 20m
|
||||
proposals = aes128-sha256-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
cert_uri_base = http://winnetou.strongswan.org/certs/
|
||||
}
|
||||
}
|
|
@ -0,0 +1,17 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
|
||||
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
auths = /usr/local/sbin/swanctl --load-authorities
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
|
||||
hash_and_url = yes
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
start_action = none
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 10m
|
||||
esp_proposals = aes128gcm128-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
version = 2
|
||||
reauth_time = 60m
|
||||
rekey_time = 20m
|
||||
proposals = aes128-sha256-modp2048
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
cert_uri_base = http://winnetou.strongswan.org/certs/
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home
|
||||
dave::swanctl --terminate --ike home
|
||||
carol::service charon stop 2> /dev/null
|
||||
dave::service charon stop 2> /dev/null
|
||||
moon::service charon stop 2> /dev/null
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
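Review bot: The two `--terminate` lines at the top of this posttest drop the `2> /dev/null` that the rest of this file and the other posttest in this commit attach to every swanctl and service call, so any stderr from terminating an already-gone IKE_SA lands in the test log. Use `carol::swanctl --terminate --ike home 2> /dev/null` and `dave::swanctl --terminate --ike home 2> /dev/null` for consistency.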
@ -0,0 +1,9 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::service charon start 2> /dev/null
|
||||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -8,11 +8,5 @@ moon::service charon start 2> /dev/null
|
|||
carol::service charon start 2> /dev/null
|
||||
dave::service charon start 2> /dev/null
|
||||
moon::sleep 1
|
||||
moon::swanctl --load-conns 2> /dev/null
|
||||
carol::swanctl --load-conns 2> /dev/null
|
||||
dave::swanctl --load-conns 2> /dev/null
|
||||
moon::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --load-creds 2> /dev/null
|
||||
dave::swanctl --load-creds 2> /dev/null
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,9 @@ swanctl {
|
|||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
start-scripts {
|
||||
creds = /usr/local/sbin/swanctl --load-creds
|
||||
conns = /usr/local/sbin/swanctl --load-conns
|
||||
}
|
||||
}
|
||||
|
|