upgraded openssl-ikev1 scenarios to 5.0.0
This commit is contained in:
Andreas Steffen
parent
3805e569f6
commit
90e941fb97
|
|
@ -1,4 +1,4 @@
|
|||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
|
||||
<b>CAMELLIA_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and
|
||||
<b>CAMELLIA_CBC_192 / HMAC_SHA2_384_192 </b> for ESP packets. A ping from <b>carol</b> to
|
||||
<b>alice</b> successfully checks the established tunnel.
|
||||
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
|
||||
HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
|
||||
the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
|
||||
in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
|
||||
moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
|
||||
moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
|
||||
moon:: ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
moon:: ip xfrm state::enc cbc(camellia)::YES
|
||||
carol::ip xfrm state::enc cbc(camellia)::YES
|
||||
moon::ip xfrm state::enc cbc(camellia)::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,11 +9,12 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=camellia192-sha384-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftfirewall=yes
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,25 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug="control crypt"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=camellia192-sha384-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftfirewall=yes
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,2 +1,4 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
carol::ipsec start
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec start
|
||||
carol::sleep 1
|
||||
carol::ipsec up home
|
||||
carol::sleep 1
|
||||
|
|
|
|||
|
|
@ -19,4 +19,3 @@ TCPDUMPHOSTS="moon"
|
|||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
|
||||
functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
|
||||
plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for
|
||||
the Elliptic Curve Diffie-Hellman groups only.
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
|
||||
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
|
||||
cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
|
||||
plugin for the Elliptic Curve Diffie-Hellman groups only.
|
||||
<p>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
|
|
|
|||
|
|
@ -1,11 +1,15 @@
|
|||
moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
|
||||
moon::ipsec statusall::IPsec SA established::YES
|
||||
carol::ipsec statusall::IPsec SA established::YES
|
||||
carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
|
||||
dave::ipsec statusall::IPsec SA established::YES
|
||||
dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
|
||||
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,7 +9,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
|
||||
ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,7 +9,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
|
||||
ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
|
||||
functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
|
||||
plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for
|
||||
the Elliptic Curve Diffie-Hellman groups only.
|
||||
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
|
||||
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
|
||||
cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
|
||||
plugin for the Elliptic Curve Diffie-Hellman groups only.
|
||||
<p>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
|
|
|
|||
|
|
@ -1,11 +1,15 @@
|
|||
moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
|
||||
moon::ipsec statusall::IPsec SA established::YES
|
||||
carol::ipsec statusall::IPsec SA established::YES
|
||||
carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
|
||||
dave::ipsec statusall::IPsec SA established::YES
|
||||
dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
|
||||
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,7 +9,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
|
||||
ike=aes192-sha384-ecp192,3des-sha256-ecp224!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,7 +9,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
|
||||
ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
plutodebug=control
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,7 +9,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
|
||||
ike=3des-sha256-ecp224,aes128-sha256-ecp256!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,13 +1,19 @@
|
|||
moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
|
||||
moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES
|
||||
carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
|
||||
dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES
|
||||
moon::ipsec statusall::carol.*IPsec SA established::YES
|
||||
moon::ipsec statusall::dave.*IPsec SA established::YES
|
||||
carol::ipsec statusall::home.*IPsec SA established::YES
|
||||
dave::ipsec statusall::home.*IPsec SA established::YES
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
|
||||
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
|
|
|
|||
|
|
@ -1,9 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
plutodebug=control
|
||||
charonstart=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,8 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
plutodebug=control
|
||||
charonstart=no
|
||||
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,9 +1,7 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
crlcheckinterval=180
|
||||
plutodebug=control
|
||||
charonstart=no
|
||||
plutostart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
@ -12,21 +10,11 @@ conn %default
|
|||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn carol
|
||||
also=moon
|
||||
leftcert=moon_ec256_Cert.pem
|
||||
rightid=carol@strongswan.org
|
||||
auto=add
|
||||
|
||||
conn dave
|
||||
also=moon
|
||||
leftcert=moon_ec384_Cert.pem
|
||||
rightid=dave@strongswan.org
|
||||
auto=add
|
||||
|
||||
conn moon
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
||||
|
|
|
|||
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
|
||||
VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
|
||||
b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
|
||||
EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
|
||||
NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
|
||||
PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
|
||||
5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
|
||||
BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
|
||||
Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
|
||||
Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
|
||||
j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
|
||||
bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
|
||||
VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
|
||||
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
|
||||
SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
|
||||
l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
|
||||
mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
|
||||
CI9WpQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
|
||||
yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
|
||||
1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
|
||||
tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
|
||||
pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
|
@ -1,5 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: ECDSA moon_ec256_Key.pem
|
||||
|
||||
: ECDSA moon_ec384_Key.pem
|
||||
: ECDSA moonKey.pem
|
||||
|
|
|
|||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
pluto {
|
||||
load = pem pkcs1 openssl random hmac curl kernel-netlink
|
||||
}
|
||||
|
||||
# pluto uses optimized DH exponent sizes (RFC 3526)
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
charon {
|
||||
load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,5 +4,3 @@ dave::ipsec stop
|
|||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/private/*
|
||||
moon::rm /etc/ipsec.d/certs/*
|
||||
|
|
|
|||
Loading…
Reference in New Issue