enabled firewall support
This commit is contained in:
parent
f9aa9e2977
commit
957115957a
|
@ -1,4 +1,4 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. <b>carol</b> initiates
|
||||
the connection and presents a certificate that has been revoked by the
|
||||
current CRL.Therefore the IKE negotiation fails
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
|
||||
initiates the connection and presents a certificate that has been revoked by the
|
||||
current CRL causing the IKE negotiation to fail.
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
|
||||
By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>.
|
||||
|
|
|
@ -9,14 +9,15 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=selfCert.der
|
||||
leftsendcert=never
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightcert=peerCert.der
|
||||
keyexchange=ikev2
|
||||
auto=add
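Review bot: `leftfirewall=yes` is added inside `conn home` although the `conn %default` block visible at the top of the same hunk already holds the settings shared by every connection, and each ipsec.conf hunk in this commit adds the very same line to its single conn. Moving it into `conn %default`, next to `keyexchange=ikev2` (which this file repeats in both sections), would let the conn inherit it and keep the per-file diff to one line; behavior should be identical, so this is a point of style. The same applies to the other `conn %default` hunks in this commit.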
|
||||
|
|
|
@ -9,6 +9,7 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn carol
|
||||
left=PH_IP_MOON
|
||||
|
@ -16,8 +17,7 @@ conn carol
|
|||
leftcert=selfCert.der
|
||||
leftsendcert=never
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
rightcert=peerCert.der
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::rm /etc/ipsec.d/private/*
|
||||
carol::rm /etc/ipsec.d/certs/*
|
||||
moon::rm /etc/ipsec.d/private/*
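Review bot: The added `moon::iptables -v -n -L` / `carol::iptables -v -n -L` run before `ipsec stop`, so they record the rules that `leftfirewall=yes` inserted while the tunnel was up but never show whether those rules were removed again on teardown; an ACCEPT rule surviving `ipsec stop` would go unnoticed by this posttest. Consider repeating the listing after `carol::ipsec stop` and before `moon::/etc/init.d/iptables stop 2> /dev/null`, e.g. `moon::iptables -v -n -L`, so the evaluation can compare the two snapshots. The same applies to the other posttest hunks that add these listings.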
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::rm /etc/ipsec.secrets
|
||||
carol::rm /etc/ipsec.d/private/*
|
||||
carol::rm /etc/ipsec.d/certs/*
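Review bot: The new `moon::/etc/init.d/iptables start 2> /dev/null` and `carol::/etc/init.d/iptables start 2> /dev/null` discard the only indication that the firewall actually came up, so a failed start leaves the host without a ruleset and the subsequent tunnel test exercises nothing firewall-related while still passing. Consider dropping the redirect on the start lines, or following them with a baseline `moon::iptables -v -n -L` in the pretest so the pre-tunnel ruleset is recorded; silencing stderr is reasonable only for the posttest `stop`, where a missing service is harmless. The same applies to the other pretest hunks that add iptables start lines.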
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
|
||||
The authentication is based on X.509 certificates.
|
||||
The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
|
||||
|
|
|
@ -9,13 +9,14 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn host-host
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -9,13 +9,14 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn host-host
|
||||
left=PH_IP_SUN
|
||||
leftnexthop=%direct
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,2 +1,6 @@
|
|||
moon::iptables -v -n -L
|
||||
sun::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::sleep 1
|
||||
|
|
|
@ -9,13 +9,14 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_MOON
|
||||
rightnexthop=%direct
|
||||
rightcert=moonCert.pem
|
||||
rightid=@moon.strongswan.org
|
||||
rightfirewall=yes
|
||||
left=PH_IP_SUN
|
||||
leftid=@sun.strongswan.org
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -9,13 +9,14 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn host-host
|
||||
right=PH_IP_SUN
|
||||
rightnexthop=%direct
|
||||
rightcert=sunCert.pem
|
||||
rightid=@sun.strongswan.org
|
||||
rightfirewall=yes
|
||||
left=PH_IP_MOON
|
||||
leftid=@moon.strongswan.org
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,2 +1,6 @@
|
|||
moon::iptables -v -n -L
|
||||
sun::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::sleep 1
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
|
||||
The authentication is based on <b>X.509 certificates</b>.
|
||||
The authentication is based on <b>X.509 certificates</b>. Upon the successful
|
||||
establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
|
||||
pings client <b>bob</b> located behind gateway <b>sun</b>.
|
||||
|
|
|
@ -9,14 +9,15 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
keyexchange=ikev2
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=10.2.0.0/16
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -9,14 +9,15 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftsubnet=10.2.0.0/16
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
sun::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
sun::rm /etc/ipsec.d/crls/*
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/crls/*
|
||||
sun::rm /etc/ipsec.d/crls/*
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
|
||||
sun::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
|
||||
moon::ipsec start
|
||||
|
|
|
@ -4,3 +4,6 @@ on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
|
|||
A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
|
||||
<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
|
||||
leads to the automatic establishment of the subnet-to-subnet tunnel.
|
||||
<p>
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
|
||||
that let pass the tunneled traffic.
|
||||
|
|
|
@ -17,6 +17,7 @@ conn net-net
|
|||
leftsubnet=10.1.0.0/16
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_SUN
|
||||
rightsubnet=10.2.0.0/16
|
||||
rightid=@sun.strongswan.org
|
||||
|
|
|
@ -9,14 +9,15 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftsubnet=10.2.0.0/16
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,2 +1,6 @@
|
|||
moon::iptables -v -n -L
|
||||
sun::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::sleep 2
|
||||
|
|
|
@ -3,3 +3,6 @@ respectively, is automatically established by means of the setting
|
|||
<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
|
||||
behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
|
||||
gateway <b>sun</b>.
|
||||
<p>
|
||||
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
|
||||
that let pass the tunneled traffic.
|
||||
|
|
|
@ -9,12 +9,12 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
leftnexthop=%direct
|
||||
keyexchange=ikev2
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_MOON
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftfirewall=yes
|
||||
|
|
|
@ -9,14 +9,16 @@ conn %default
|
|||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftsubnet=10.2.0.0/16
|
||||
leftnexthop=%direct
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,2 +1,6 @@
|
|||
moon::iptables -v -n -L
|
||||
sun::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
sun::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::/etc/init.d/iptables start 2> /dev/null
|
||||
sun::ipsec start
|
||||
sun::sleep 2
|
||||
moon::ipsec start
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on <b>X.509 certificates</b>.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
|
||||
Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
||||
|
|
|
@ -15,6 +15,7 @@ conn home
|
|||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
|
|
|
@ -15,6 +15,7 @@ conn home
|
|||
leftnexthop=%direct
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
|
|
|
@ -16,6 +16,7 @@ conn rw
|
|||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
keyexchange=ikev2
|
||||
auto=add
|
||||
|
|
|
@ -1,6 +1,12 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
dave::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/crls/*
|
||||
carol::rm /etc/ipsec.d/crls/*
|
||||
dave::rm /etc/ipsec.d/crls/*
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
|
||||
carol::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
|
||||
dave::wget -q http://crl.strongswan.org/strongswan.crl -O /etc/ipsec.d/crls/strongswan.crl
|
||||
|
|