added ikev1/nat-virtual-ip scenario
This commit is contained in:
parent
ca0128588f
commit
ac09da8e50
|
@ -0,0 +1,6 @@
|
|||
The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
|
||||
to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
|
||||
virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
|
||||
specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
|
||||
which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
|
||||
This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
|
|
@ -0,0 +1,8 @@
|
|||
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
|
||||
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
|
||||
bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
|
|
@ -0,0 +1,70 @@
|
|||
# /etc/hosts: This file describes a number of hostname-to-address
|
||||
# mappings for the TCP/IP subsystem. It is mostly
|
||||
# used at boot time, when no name servers are running.
|
||||
# On small systems, this file can be used instead of a
|
||||
# "named" name server. Just add the names, addresses
|
||||
# and any aliases to this file...
|
||||
#
|
||||
|
||||
127.0.0.1 localhost
|
||||
|
||||
192.168.0.254 uml0.strongswan.org uml0
|
||||
10.1.0.254 uml1.strongswan.org uml1
|
||||
10.2.0.254 uml1.strongswan.org uml2
|
||||
|
||||
10.1.0.10 alice.strongswan.org alice
|
||||
10.1.0.20 venus.strongswan.org venus
|
||||
10.1.0.1 moon1.strongswan.org moon1
|
||||
192.168.0.1 moon.strongswan.org moon
|
||||
192.168.0.50 alice1.strongswan.org alice1
|
||||
192.168.0.100 carol.strongswan.org carol
|
||||
10.3.0.1 carol1.strongswan.org carol1
|
||||
192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
|
||||
192.168.0.200 dave.strongswan.org dave
|
||||
10.3.0.2 dave1.strongswan.org dave1
|
||||
192.168.0.2 sun.strongswan.org sun
|
||||
10.2.0.1 sun1.strongswan.org sun1
|
||||
10.2.0.10 bob.strongswan.org bob
|
||||
10.4.0.1 alice2.strongswan.org alice2
|
||||
|
||||
# IPv6 versions of localhost and co
|
||||
::1 ip6-localhost ip6-loopback
|
||||
fe00::0 ip6-localnet
|
||||
ff00::0 ip6-mcastprefix
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
ff02::3 ip6-allhosts
|
||||
|
||||
# IPv6 solicited-node multicast addresses
|
||||
ff02::1:ff00:1 ip6-mcast-1
|
||||
ff02::1:ff00:2 ip6-mcast-2
|
||||
ff02::1:ff00:10 ip6-mcast-10
|
||||
ff02::1:ff00:15 ip6-mcast-15
|
||||
ff02::1:ff00:20 ip6-mcast-20
|
||||
|
||||
# IPv6 site-local addresses
|
||||
fec0::5 ip6-alice1.strongswan.org ip6-alice1
|
||||
fec1::10 ip6-alice.strongswan.org ip6-alice
|
||||
fec1::20 ip6-venus.strongswan.org ip6-venus
|
||||
fec1::1 ip6-moon1.strongswan.org ip6-moon1
|
||||
fec0::1 ip6-moon.strongswan.org ip6-moon
|
||||
fec0::10 ip6-carol.strongswan.org ip6-carol
|
||||
fec3::1 ip6-carol1.strongswan.org ip6-carol1
|
||||
fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
|
||||
fec0::20 ip6-dave.strongswan.org ip6-dave
|
||||
fec3::2 ip6-dave1.strongswan.org ip6-dave1
|
||||
fec0::2 ip6-sun.strongswan.org ip6-sun
|
||||
fec2::1 ip6-sun1.strongswan.org ip6-sun1
|
||||
fec2::10 ip6-bob.strongswan.org ip6-bob
|
||||
|
||||
# IPv6 link-local HW derived addresses
|
||||
fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
|
||||
fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
|
||||
fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
|
||||
fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
|
||||
fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
|
||||
fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
|
||||
fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
|
||||
fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
|
||||
fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
|
||||
fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsourceip=%config
|
||||
leftupdown=/etc/nat_updown
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=10.2.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,152 @@
|
|||
#! /bin/sh
|
||||
# NAT updown script
|
||||
#
|
||||
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at your
|
||||
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
# for more details.
|
||||
|
||||
# things that this script gets (from ipsec_pluto(8) man page)
|
||||
#
|
||||
# PLUTO_VERSION
|
||||
# indicates what version of this interface is being
|
||||
# used. This document describes version 1.1. This
|
||||
# is upwardly compatible with version 1.0.
|
||||
#
|
||||
# PLUTO_VERB
|
||||
# specifies the name of the operation to be performed
|
||||
# (prepare-host, prepare-client, up-host, up-client,
|
||||
# down-host, or down-client). If the address family
|
||||
# for security gateway to security gateway communica-
|
||||
# tions is IPv6, then a suffix of -v6 is added to the
|
||||
# verb.
|
||||
#
|
||||
# PLUTO_CONNECTION
|
||||
# is the name of the connection for which we are
|
||||
# routing.
|
||||
#
|
||||
# PLUTO_NEXT_HOP
|
||||
# is the next hop to which packets bound for the peer
|
||||
# must be sent.
|
||||
#
|
||||
# PLUTO_INTERFACE
|
||||
# is the name of the ipsec interface to be used.
|
||||
#
|
||||
# PLUTO_REQID
|
||||
# is the requid of the ESP policy
|
||||
#
|
||||
# PLUTO_ME
|
||||
# is the IP address of our host.
|
||||
#
|
||||
# PLUTO_MY_ID
|
||||
# is the ID of our host.
|
||||
#
|
||||
# PLUTO_MY_CLIENT
|
||||
# is the IP address / count of our client subnet. If
|
||||
# the client is just the host, this will be the
|
||||
# host's own IP address / max (where max is 32 for
|
||||
# IPv4 and 128 for IPv6).
|
||||
#
|
||||
# PLUTO_MY_CLIENT_NET
|
||||
# is the IP address of our client net. If the client
|
||||
# is just the host, this will be the host's own IP
|
||||
# address.
|
||||
#
|
||||
# PLUTO_MY_CLIENT_MASK
|
||||
# is the mask for our client net. If the client is
|
||||
# just the host, this will be 255.255.255.255.
|
||||
#
|
||||
# PLUTO_MY_SOURCEIP
|
||||
# if non-empty, then the source address for the route will be
|
||||
# set to this IP address.
|
||||
#
|
||||
# PLUTO_MY_PROTOCOL
|
||||
# is the IP protocol that will be transported.
|
||||
#
|
||||
# PLUTO_MY_PORT
|
||||
# is the UDP/TCP port to which the IPsec SA is
|
||||
# restricted on our side.
|
||||
#
|
||||
# PLUTO_PEER
|
||||
# is the IP address of our peer.
|
||||
#
|
||||
# PLUTO_PEER_ID
|
||||
# is the ID of our peer.
|
||||
#
|
||||
# PLUTO_PEER_CA
|
||||
# is the CA which issued the cert of our peer.
|
||||
#
|
||||
# PLUTO_PEER_CLIENT
|
||||
# is the IP address / count of the peer's client sub-
|
||||
# net. If the client is just the peer, this will be
|
||||
# the peer's own IP address / max (where max is 32
|
||||
# for IPv4 and 128 for IPv6).
|
||||
#
|
||||
# PLUTO_PEER_CLIENT_NET
|
||||
# is the IP address of the peer's client net. If the
|
||||
# client is just the peer, this will be the peer's
|
||||
# own IP address.
|
||||
#
|
||||
# PLUTO_PEER_CLIENT_MASK
|
||||
# is the mask for the peer's client net. If the
|
||||
# client is just the peer, this will be
|
||||
# 255.255.255.255.
|
||||
#
|
||||
# PLUTO_PEER_PROTOCOL
|
||||
# is the IP protocol that will be transported.
|
||||
#
|
||||
# PLUTO_PEER_PORT
|
||||
# is the UDP/TCP port to which the IPsec SA is
|
||||
# restricted on the peer side.
|
||||
#
|
||||
|
||||
# define a minimum PATH environment in case it is not set
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
|
||||
export PATH
|
||||
|
||||
# resolve octal escape sequences
|
||||
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
|
||||
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
|
||||
|
||||
case "$PLUTO_VERB:$1" in
|
||||
up-host:)
|
||||
# connection to me coming up
|
||||
# If you are doing a custom version, firewall commands go here.
|
||||
;;
|
||||
down-host:)
|
||||
# connection to me going down
|
||||
# If you are doing a custom version, firewall commands go here.
|
||||
;;
|
||||
up-client:)
|
||||
# connection to my client subnet coming up
|
||||
# If you are doing a custom version, firewall commands go here.
|
||||
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
|
||||
-d $PLUTO_PEER_CLIENT -j ACCEPT
|
||||
iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
|
||||
-s $PLUTO_PEER_CLIENT -j ACCEPT
|
||||
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
|
||||
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
|
||||
echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
|
||||
;;
|
||||
down-client:)
|
||||
# connection to my client subnet going down
|
||||
# If you are doing a custom version, firewall commands go here.
|
||||
iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
|
||||
-d $PLUTO_PEER_CLIENT -j ACCEPT
|
||||
iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
|
||||
-s $PLUTO_PEER_CLIENT -j ACCEPT
|
||||
iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
|
||||
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
|
||||
echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
|
||||
;;
|
||||
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftsubnet=10.2.0.0/16
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsourceip=10.4.0.0/24
|
||||
auto=add
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
||||
moon::conntrack -F
|
||||
moon::rm /etc/nat_updown
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::conntrack -F
|
||||
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::sleep 1
|
||||
moon::ipsec up net-net
|
||||
moon::sleep 1
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-w-s-b.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun bob"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
Loading…
Reference in New Issue