testing: Added swanctl/ocsp-disabled scenario
@ -0,0 +1,10 @@
|
||||||
|
By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
|
||||||
|
both roadwarrior <b>carol</b> and gateway <b>moon</b>.
|
||||||
|
Client <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information
|
||||||
|
access extension pointing to <b>winnetou</b>. Gateway <b>moon</b>'s certificate doesn't
|
||||||
|
contain any such extensions but <b>carol</b>'s swanctl.conf contains a corresponding
|
||||||
|
authorities section. With the directive <b>charon.plugins.revocation.enable_ocsp = no</b>
|
||||||
|
in strongswan.conf all OCSP fetching is disabled and a fallback to CRL fetching occurs.
|
||||||
|
<p/>
|
||||||
|
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
|
||||||
|
the status of both certificates is <b>good</b>.
|
|
@ -0,0 +1,8 @@
|
||||||
|
moon:: cat /var/log/daemon.log::all OCSP fetching disabled::YES
|
||||||
|
moon:: cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
|
||||||
|
moon:: cat /var/log/daemon.log::certificate status is good::YES
|
||||||
|
carol::cat /var/log/daemon.log::all OCSP fetching disabled::YES
|
||||||
|
carol::cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
|
||||||
|
carol::cat /var/log/daemon.log::certificate status is good::YES
|
||||||
|
moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||||
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
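Review bot: The assertions only prove that a CRL fetch happened, not that no OCSP request was attempted, although the point of this scenario is the `enable_ocsp = no` fallback; a negative expectation would catch a regression where charon still contacts the responder before falling back. If the revocation plugin logs its attempts as `requesting ocsp status from` (the exact wording for this version should be checked against an existing OCSP scenario), add `carol::cat /var/log/daemon.log::requesting ocsp status::NO` and the same line for moon before the `certificate status is good` checks. The `all OCSP fetching disabled` match shows the option was read, but on its own it does not show that no request left the host.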
|
|
@ -0,0 +1,16 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
auths = /usr/local/sbin/swanctl --load-authorities
|
||||||
|
}
|
||||||
|
plugins {
|
||||||
|
revocation {
|
||||||
|
enable_ocsp = no
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
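Review bot: carol's `load` line includes `md5` while moon's otherwise identical plugin list in the next file does not; nothing visible in this scenario needs MD5 (the certificate is sha256WithRSAEncryption and the IKE/ESP proposals use SHA-256), so either drop it here or add a comment saying what requires it, unless the CRL served from crl.strongswan.org is MD5-signed, which this page does not show. Keeping the two lists aligned makes it obvious that the only intended difference between the hosts is the `auths = /usr/local/sbin/swanctl --load-authorities` start script.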
|
|
@ -0,0 +1,27 @@
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
|
||||||
|
hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
|
||||||
|
DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
|
||||||
|
8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
|
||||||
|
UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
|
||||||
|
Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
|
||||||
|
exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
|
||||||
|
AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
|
||||||
|
V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
|
||||||
|
GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
|
||||||
|
cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
|
||||||
|
bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
|
||||||
|
KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
|
||||||
|
xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
|
||||||
|
NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
|
||||||
|
cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
|
||||||
|
iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
|
||||||
|
ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
|
||||||
|
fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
|
||||||
|
hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
|
||||||
|
USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
|
||||||
|
0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
|
||||||
|
gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
|
||||||
|
0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
|
||||||
|
6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,35 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
home {
|
||||||
|
local_addrs = 192.168.0.100
|
||||||
|
remote_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
certs = carolCert.pem
|
||||||
|
id = carol@strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = moon.strongswan.org
|
||||||
|
revocation = strict
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
home {
|
||||||
|
remote_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
esp_proposals = aes128gcm128-curve25519
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-curve25519
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authorities {
|
||||||
|
|
||||||
|
strongswan {
|
||||||
|
cacert = strongswanCert.pem
|
||||||
|
ocsp_uris = http://ocsp.strongswan.org:8880
|
||||||
|
}
|
||||||
|
}
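Review bot: The `strongswan` authority only lists `ocsp_uris`, which is exactly the mechanism this scenario switches off, so the CRL fallback depends entirely on a CRL distribution point being present in the peer certificate. The description says moon's certificate carries no such extension (it is unclear from this page whether that covers the CDP as well as the AIA), so consider adding `crl_uris = http://crl.strongswan.org/strongswan.crl` to this section to make the fallback explicit in the configuration rather than inherited from whatever the gateway's certificate happens to contain. That also makes the `fetching crl from` expectation in the evaltest independent of the certificate fixtures.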
|
|
@ -0,0 +1,95 @@
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number: 39 (0x27)
|
||||||
|
Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
|
||||||
|
Validity
|
||||||
|
Not Before: Mar 15 06:42:00 2012 GMT
|
||||||
|
Not After : Mar 14 06:42:00 2017 GMT
|
||||||
|
Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol@strongswan.org
|
||||||
|
Subject Public Key Info:
|
||||||
|
Public Key Algorithm: rsaEncryption
|
||||||
|
RSA Public Key: (2048 bit)
|
||||||
|
Modulus (2048 bit):
|
||||||
|
00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
|
||||||
|
e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
|
||||||
|
40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
|
||||||
|
69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
|
||||||
|
20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
|
||||||
|
55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
|
||||||
|
ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
|
||||||
|
0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
|
||||||
|
ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
|
||||||
|
a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
|
||||||
|
48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
|
||||||
|
4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
|
||||||
|
9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
|
||||||
|
54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
|
||||||
|
ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
|
||||||
|
0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
|
||||||
|
44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
|
||||||
|
ff:89
|
||||||
|
Exponent: 65537 (0x10001)
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Basic Constraints:
|
||||||
|
CA:FALSE
|
||||||
|
X509v3 Key Usage:
|
||||||
|
Digital Signature, Key Encipherment, Key Agreement
|
||||||
|
X509v3 Subject Key Identifier:
|
||||||
|
C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
|
||||||
|
X509v3 Authority Key Identifier:
|
||||||
|
keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
|
||||||
|
DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
|
||||||
|
serial:00
|
||||||
|
|
||||||
|
X509v3 Subject Alternative Name:
|
||||||
|
email:carol@strongswan.org
|
||||||
|
Authority Information Access:
|
||||||
|
OCSP - URI:http://ocsp.strongswan.org:8880
|
||||||
|
|
||||||
|
X509v3 CRL Distribution Points:
|
||||||
|
URI:http://crl.strongswan.org/strongswan.crl
|
||||||
|
|
||||||
|
Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
|
||||||
|
8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
|
||||||
|
50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
|
||||||
|
00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
|
||||||
|
51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
|
||||||
|
bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
|
||||||
|
cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
|
||||||
|
fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
|
||||||
|
64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
|
||||||
|
da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
|
||||||
|
39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
|
||||||
|
42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
|
||||||
|
84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
|
||||||
|
d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
|
||||||
|
07:4f:b7:8e
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
|
||||||
|
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
|
||||||
|
b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
|
||||||
|
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
|
||||||
|
HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
|
||||||
|
AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
|
||||||
|
uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
|
||||||
|
8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
|
||||||
|
oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
|
||||||
|
M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
|
||||||
|
wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
|
||||||
|
VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
|
||||||
|
dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
|
||||||
|
VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
|
||||||
|
b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
|
||||||
|
b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
|
||||||
|
b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
|
||||||
|
cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
|
||||||
|
Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
|
||||||
|
vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
|
||||||
|
hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
|
||||||
|
SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
|
||||||
|
RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
|
||||||
|
RJoItIWNUgCY78sHT7eO
|
||||||
|
-----END CERTIFICATE-----
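Review bot: The fixture certificate's validity ends at `Not After : Mar 14 06:42:00 2017 GMT`; once the guest clocks pass that date, path validation fails on expiry before revocation checking is reached, and the `certificate status is good` assertions break for a reason unrelated to what the scenario tests. If the test framework does not freeze time, regenerate carol's certificate and key with a longer lifetime, or at least mention the expiry in the scenario description so the eventual failure is recognisable. The `Key Agreement` usage bit on an RSA key is meaningless for RSA but harmless here.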
|
|
@ -0,0 +1,15 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
|
||||||
|
|
||||||
|
start-scripts {
|
||||||
|
creds = /usr/local/sbin/swanctl --load-creds
|
||||||
|
conns = /usr/local/sbin/swanctl --load-conns
|
||||||
|
}
|
||||||
|
plugins {
|
||||||
|
revocation {
|
||||||
|
enable_ocsp = no
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
connections {
|
||||||
|
|
||||||
|
rw {
|
||||||
|
local_addrs = 192.168.0.1
|
||||||
|
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
certs = moonCert.pem
|
||||||
|
id = moon.strongswan.org
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
revocation = strict
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
net {
|
||||||
|
local_ts = 10.1.0.0/16
|
||||||
|
|
||||||
|
esp_proposals = aes128gcm128-curve25519
|
||||||
|
}
|
||||||
|
}
|
||||||
|
version = 2
|
||||||
|
proposals = aes128-sha256-curve25519
|
||||||
|
}
|
||||||
|
}
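Review bot: The `remote` section of `rw` constrains neither `id` nor `cacerts`, so the gateway accepts any certificate that chains to any CA loaded by `--load-creds` and passes the strict revocation check. For a single-CA test bed that is the intended roadwarrior behaviour, but adding `cacerts = strongswanCert.pem` under `remote` pins the trust anchor to the CA this scenario actually exercises, mirrors the `authorities` entry on carol, and is what a production roadwarrior configuration should carry. Whether any other CA certificate is present in moon's credential directory is not visible on this page.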
|
|
@ -0,0 +1,3 @@
|
||||||
|
carol::swanctl --terminate --ike home
|
||||||
|
carol::service charon stop 2> /dev/null
|
||||||
|
moon::service charon stop 2> /dev/null
|
|
@ -0,0 +1,5 @@
|
||||||
|
moon::service charon start 2> /dev/null
|
||||||
|
carol::service charon start 2> /dev/null
|
||||||
|
moon::expect-connection rw
|
||||||
|
carol::expect-connection home
|
||||||
|
carol::swanctl --initiate --child home
|
|
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# This configuration file provides information on the
|
||||||
|
# guest instances used for this test
|
||||||
|
|
||||||
|
# All guest instances that are required for this test
|
||||||
|
#
|
||||||
|
VIRTHOSTS="moon carol winnetou"
|
||||||
|
|
||||||
|
# Corresponding block diagram
|
||||||
|
#
|
||||||
|
DIAGRAM="m-c-w.png"
|
||||||
|
|
||||||
|
# Guest instances on which tcpdump is to be started
|
||||||
|
#
|
||||||
|
TCPDUMPHOSTS=""
|
||||||
|
|
||||||
|
# Guest instances on which IPsec is started
|
||||||
|
# Used for IPsec logging purposes
|
||||||
|
#
|
||||||
|
IPSECHOSTS="moon carol"
|
||||||
|
|
||||||
|
# charon controlled by swanctl
|
||||||
|
#
|
||||||
|
SWANCTL=1
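Review bot: With `TCPDUMPHOSTS=""` the only evidence that OCSP was skipped is charon's own log line; capturing on `winnetou`, which is already in `VIRTHOSTS` and is the host the certificate's OCSP URI points at, would let the evaltest assert on the wire that no request reached port 8880 while the CRL fetch still occurred. Setting `TCPDUMPHOSTS="winnetou"` is a one-line change here; the matching negative `winnetou::tcpdump::` expectation belongs in the evaltest, and its pattern syntax should be copied from an existing OCSP scenario rather than guessed.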
|