added ikev1/nat-virtual-ip scenario

Andreas Steffen 2013-01-07 13:22:37 +01:00 committed by Tobias Brunner
parent ca0128588f
commit ac09da8e50
11 changed files with 328 additions and 0 deletions


@ -0,0 +1,6 @@
The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.


@ -0,0 +1,8 @@
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
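Review bot: The two bob tcpdump checks on the last lines expect the tunneled ICMP to show `alice2.strongswan.org`, which this commit's hosts file binds to 10.4.0.1, so the test only passes if sun hands moon the very first address of its `rightsourceip=10.4.0.0/24` pool. That presumably holds for a freshly started daemon, but it is an implicit ordering assumption that is not stated anywhere in the scenario; the description.txt would be the place to say that the virtual IP is expected to be 10.4.0.1. The daemon.log check on the third line matches a message the updown script prints unconditionally, so it confirms that the script ran rather than that the NAT rule was actually inserted.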


@ -0,0 +1,70 @@
# /etc/hosts: This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server. Just add the names, addresses
# and any aliases to this file...
#
127.0.0.1 localhost
192.168.0.254 uml0.strongswan.org uml0
10.1.0.254 uml1.strongswan.org uml1
10.2.0.254 uml1.strongswan.org uml2
10.1.0.10 alice.strongswan.org alice
10.1.0.20 venus.strongswan.org venus
10.1.0.1 moon1.strongswan.org moon1
192.168.0.1 moon.strongswan.org moon
192.168.0.50 alice1.strongswan.org alice1
192.168.0.100 carol.strongswan.org carol
10.3.0.1 carol1.strongswan.org carol1
192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
192.168.0.200 dave.strongswan.org dave
10.3.0.2 dave1.strongswan.org dave1
192.168.0.2 sun.strongswan.org sun
10.2.0.1 sun1.strongswan.org sun1
10.2.0.10 bob.strongswan.org bob
10.4.0.1 alice2.strongswan.org alice2
# IPv6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
# IPv6 solicited-node multicast addresses
ff02::1:ff00:1 ip6-mcast-1
ff02::1:ff00:2 ip6-mcast-2
ff02::1:ff00:10 ip6-mcast-10
ff02::1:ff00:15 ip6-mcast-15
ff02::1:ff00:20 ip6-mcast-20
# IPv6 site-local addresses
fec0::5 ip6-alice1.strongswan.org ip6-alice1
fec1::10 ip6-alice.strongswan.org ip6-alice
fec1::20 ip6-venus.strongswan.org ip6-venus
fec1::1 ip6-moon1.strongswan.org ip6-moon1
fec0::1 ip6-moon.strongswan.org ip6-moon
fec0::10 ip6-carol.strongswan.org ip6-carol
fec3::1 ip6-carol1.strongswan.org ip6-carol1
fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
fec0::20 ip6-dave.strongswan.org ip6-dave
fec3::2 ip6-dave1.strongswan.org ip6-dave1
fec0::2 ip6-sun.strongswan.org ip6-sun
fec2::1 ip6-sun1.strongswan.org ip6-sun1
fec2::10 ip6-bob.strongswan.org ip6-bob
# IPv6 link-local HW derived addresses
fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
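Review bot: The line `10.2.0.254 uml1.strongswan.org uml2` binds the hostname uml1.strongswan.org a second time (the previous line already maps it to 10.1.0.254) while its short alias is uml2, so this looks like a copy error and presumably should read `10.2.0.254 uml2.strongswan.org uml2`. As written, uml1.strongswan.org resolves to whichever entry the resolver returns first, which can make tcpdump output and log lines referring to the 10.2.0.254 gateway misleading.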


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
mobike=no
conn net-net
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsourceip=%config
leftupdown=/etc/nat_updown
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add


@ -0,0 +1,152 @@
#! /bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
# things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica-
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
# is the requid of the ESP policy
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_ID
# is the ID of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on our side.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_ID
# is the ID of our peer.
#
# PLUTO_PEER_CA
# is the CA which issued the cert of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on the peer side.
#
# define a minimum PATH environment in case it is not set
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
export PATH
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
case "$PLUTO_VERB:$1" in
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
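Review bot: In the up-client branch the `echo "inserted NAT rule mapping …"` runs regardless of whether the three preceding iptables commands succeeded, and the script's exit status is that of the echo, so a failed SNAT insertion is still logged as success and the daemon.log check in evaltest.dat would still pass; chaining the last call as `iptables -t nat -A POSTROUTING -o "$PLUTO_INTERFACE" -s PH_IP_ALICE -d "$PLUTO_PEER_CLIENT" -j SNAT --to-source "$PLUTO_MY_SOURCEIP" && echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2` (or an `|| exit 1` after each iptables call, mirrored in down-client) reports the real outcome. The expansions `$PLUTO_INTERFACE`, `$PLUTO_PEER_CLIENT` and `$PLUTO_MY_SOURCEIP` are unquoted throughout; with `leftsourceip=%config` an unassigned virtual IP leaves `--to-source` without an argument, so `"${PLUTO_MY_SOURCEIP:?no virtual IP assigned}"` would fail loudly instead of producing a malformed rule. The FORWARD ACCEPT rules match only on interface and addresses, not on the IPsec policy, whereas strongSwan's stock _updown also adds `-m policy --dir out --pol ipsec --reqid $PLUTO_REQID --proto esp` so that cleartext forwarded toward PLUTO_PEER_CLIENT is not accepted when no policy covers it. Finally, `PLUTO_MY_ID=\`printf "$PLUTO_MY_ID"\`` passes the peer-supplied ID as the printf format string and neither decoded ID is used afterwards in this script, so those two lines can be dropped.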


@ -0,0 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
multiple_authentication = no
}


@ -0,0 +1,22 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
mobike=no
conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsourceip=10.4.0.0/24
auto=add


@ -0,0 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
multiple_authentication = no
}


@ -0,0 +1,6 @@
moon::ipsec stop
sun::ipsec stop
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::conntrack -F
moon::rm /etc/nat_updown


@ -0,0 +1,9 @@
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::conntrack -F
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::ipsec start
sun::ipsec start
moon::sleep 1
moon::ipsec up net-net
moon::sleep 1
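Review bot: `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` turns on IPv4 forwarding on moon, but the posttest.dat added in this commit (from `moon::ipsec stop` to `moon::rm /etc/nat_updown`) never resets it, so the setting carries over to whatever scenario runs next on that instance unless the test framework restores sysctls between tests; adding `moon::echo 0 > /proc/sys/net/ipv4/ip_forward` to posttest.dat keeps the scenario self-contained. The `moon::sleep 1` before `moon::ipsec up net-net` is a fixed delay; if sun is slower to come up, the single attempt allowed by `keyingtries=1` in moon's ipsec.conf may fail and the remaining checks will report a confusing failure rather than a timing problem.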


@ -0,0 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
# UML instances used for this test
# All UML instances that are required for this test
#
UMLHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun bob"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"