testing: Converted ipv6/net2net-rfc3779-ikev2 to swanctl
This commit is contained in:
parent
04b79bc98c
commit
8215681a4a
|
@ -1,11 +1,14 @@
|
|||
An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
|
||||
It connects the two subnets hiding behind their respective gateways. The authentication is based on
|
||||
<b>X.509 certificates</b> containing <b>RFC 3779 IP address block constraints</b>.
|
||||
Both <b>moon</b> and <b>sun</b> set <b>rightsubnet=::/0</b> thus allowing the peers to narrow down
|
||||
the address range to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively.
|
||||
These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints.
|
||||
An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is
|
||||
successfully set up. It connects the two subnets hiding behind their respective
|
||||
gateways. The authentication is based on <b>X.509 certificates</b> containing
|
||||
<b>RFC 3779 IP address block constraints</b>. Both <b>moon</b> and <b>sun</b> set
|
||||
<b>rightsubnet=::/0</b> thus allowing the peers to narrow down the address range
|
||||
to their actual subnets <b>fec1::/16</b> and <b>fec2::/16</b>, respectively.
|
||||
These unilaterally proposed traffic selectors must be validated by corresponding
|
||||
IP address block constraints.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
|
||||
automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
|
||||
sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
|
||||
Upon the successful establishment of the IPsec tunnel, automatically inserted
|
||||
ip6tables-based firewall rules let pass the tunneled traffic. In order to test
|
||||
both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind
|
||||
<b>moon</b> sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b>
|
||||
using the ping6 command.
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
|
||||
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
|
||||
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
|
||||
sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
|
||||
alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
|
||||
moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
|
||||
sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
|
||||
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
|
||||
|
|
|
@ -1,31 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
|
||||
crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
also=host-host
|
||||
leftsubnet=fec1::0/16
|
||||
rightsubnet=0::0/0
|
||||
|
||||
conn host-host
|
||||
left=PH_IP6_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP6_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
auto=add
|
|
@ -1,6 +1,18 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
hash_and_url = yes
|
||||
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
|
||||
|
||||
syslog {
|
||||
daemon {
|
||||
default = 1
|
||||
}
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
connections {
|
||||
|
||||
net-net {
|
||||
local_addrs = fec0::1
|
||||
remote_addrs = fec0::2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = fec1::0/16
|
||||
remote_ts = 0::0/0
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
|
||||
}
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
|
||||
crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
also=host-host
|
||||
leftsubnet=fec2::0/16
|
||||
rightsubnet=0::0/0
|
||||
|
||||
conn host-host
|
||||
left=PH_IP6_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP6_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -1,6 +1,19 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
hash_and_url = yes
|
||||
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
|
||||
|
||||
syslog {
|
||||
daemon {
|
||||
default = 1
|
||||
}
|
||||
auth {
|
||||
default = 0
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
connections {
|
||||
|
||||
net-net {
|
||||
local_addrs = fec0::2
|
||||
remote_addrs = fec0::1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = fec2::0/16
|
||||
remote_ts = 0::0/0
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
||||
|
||||
authorities {
|
||||
strongswan {
|
||||
cacert = strongswanCert.pem
|
||||
crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
|
||||
}
|
||||
}
|
|
@ -1,5 +1,5 @@
|
|||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::systemctl stop strongswan-swanctl
|
||||
sun::systemctl stop strongswan-swanctl
|
||||
alice::"ip route del fec2:\:/16 via fec1:\:1"
|
||||
moon::"ip route del fec2:\:/16 via fec0:\:2"
|
||||
sun::"ip route del fec1:\:/16 via fec0:\:1"
|
||||
|
|
|
@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1"
|
|||
moon::"ip route add fec2:\:/16 via fec0:\:2"
|
||||
sun::"ip route add fec1:\:/16 via fec0:\:1"
|
||||
bob::"ip route add fec1:\:/16 via fec2:\:1"
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::systemctl start strongswan-swanctl
|
||||
sun::systemctl start strongswan-swanctl
|
||||
moon::expect-connection net-net
|
||||
sun::expect-connection net-net
|
||||
moon::ipsec up net-net
|
||||
moon::swanctl --initiate --child net-net
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon winnetou sun bob"
|
||||
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-w-s-b-ip6.png"
|
||||
|
@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
|
|||
# IP protocol used by IPsec is IPv6
|
||||
#
|
||||
IPV6=1
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
||||
|
|
Loading…
Reference in New Issue