added ikev2/dynamic-two-peers scenario
This commit is contained in:
parent
68f3e2462a
commit
d9e1b4c033
|
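--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,15 @@
+The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
+so that the remote end is defined symbolically by <b>right=%<hostname></b>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE
+main mode rekeying to arrive from an arbitrary IP address under the condition that
+the peer identity remains unchanged. When this happens the old tunnel is replaced
+by an IPsec connection to the new origin.
+<p>
+In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
+<b>moon</b> which has a named connection definition for each peer. Although
+the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
+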
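--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES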
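Review bot: The checks only establish that the four IKE_SAs reach ESTABLISHED; nothing confirms that moon accepted them from the peers' actual addresses rather than the stale ones the scenario installs on moon (192.168.0.110 for carol and 192.168.0.220 for dave in hosts.stale), so a run in which the lookup was never stale would pass just the same. If `ipsec status` prints the peer address next to the identity, a negative check such as `moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*192.168.0.110::NO` (and its dave/192.168.0.220 counterpart) would pin the property this scenario exists to exercise. Whether the status line carries the address in this format should be confirmed against a real run before adding it.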
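--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+
+conn moon
+left=%any
+leftsourceip=%config
+leftcert=carolCert.pem
+leftid=carol@strongswan.org
+leftfirewall=yes
+right=%moon.strongswan.org
+rightsubnet=10.1.0.0/16
+rightid=@moon.strongswan.org
+auto=add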
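Review bot: `right=%moon.strongswan.org` carries no comment, and the same construct recurs in dave's ipsec.conf and in moon's `conn carol` / `conn dave`, so a reader of any of these files has no hint that the `%` prefix is the whole point of the scenario. A one-line comment above it would help, e.g. `# '%' prefix: the name is resolved by the starter and may be stale; IKE from another address is accepted as long as rightid and the peer certificate match`. It is worth stating in that comment that the resolved address (here from /etc/hosts) is only used to reach the peer and, as far as I can tell, plays no part in authentication, which rests entirely on `rightid` plus certificate verification.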
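--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+dh_exponent_ansi_x9_42 = no
+}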
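Review bot: The `load` line pulls in `des` and `md5` while neither side's ipsec.conf pins `ike=` / `esp=` proposals, so the algorithms actually negotiated are left to charon's defaults and to what the peer offers; the identical line appears in dave's and moon's strongswan.conf in this commit. If the legacy plugins are only there for the test PKI (MD5-signed certificates, 3DES fallback), a comment saying so would prevent them from being copied into the next scenario unthinkingly; otherwise dropping them, or pinning proposals in `conn %default`, narrows what a peer can negotiate. `dh_exponent_ansi_x9_42 = no` likewise deserves a one-line comment on why the DH exponent sizing is changed here, presumably for speed in the test environment.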
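--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_5
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+
+conn moon
+left=%any
+leftsourceip=%config
+leftcert=daveCert.pem
+leftid=dave@strongswan.org
+leftfirewall=yes
+right=%moon.strongswan.org
+rightsubnet=10.1.0.0/16
+rightid=@moon.strongswan.org
+auto=add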
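--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_6
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+dh_exponent_ansi_x9_42 = no
+}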
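--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_7
@@ -0,0 +1,67 @@
+# /etc/hosts: This file describes a number of hostname-to-address
+# mappings for the TCP/IP subsystem. It is mostly
+# used at boot time, when no name servers are running.
+# On small systems, this file can be used instead of a
+# "named" name server. Just add the names, addresses
+# and any aliases to this file...
+#
+
+127.0.0.1 localhost
+
+192.168.0.254 uml0.strongswan.org uml0
+10.1.0.254 uml1.strongswan.org uml1
+10.2.0.254 uml1.strongswan.org uml2
+
+10.1.0.10 alice.strongswan.org alice
+10.1.0.20 venus.strongswan.org venus
+10.1.0.1 moon1.strongswan.org moon1
+192.168.0.1 moon.strongswan.org moon
+192.168.0.110 carol.strongswan.org carol
+10.3.0.1 carol1.strongswan.org carol1
+192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.220 dave.strongswan.org dave
+10.3.0.2 dave1.strongswan.org dave1
+192.168.0.2 sun.strongswan.org sun
+10.2.0.1 sun1.strongswan.org sun1
+10.2.0.10 bob.strongswan.org bob
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1 ip6-mcast-1
+ff02::1:ff00:2 ip6-mcast-2
+ff02::1:ff00:10 ip6-mcast-10
+ff02::1:ff00:15 ip6-mcast-15
+ff02::1:ff00:20 ip6-mcast-20
+
+# IPv6 site-local addresses
+fec1::10 ip6-alice.strongswan.org ip6-alice
+fec1::20 ip6-venus.strongswan.org ip6-venus
+fec1::1 ip6-moon1.strongswan.org ip6-moon1
+fec0::1 ip6-moon.strongswan.org ip6-moon
+fec0::10 ip6-carol.strongswan.org ip6-carol
+fec3::1 ip6-carol1.strongswan.org ip6-carol1
+fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
+fec0::20 ip6-dave.strongswan.org ip6-dave
+fec3::2 ip6-dave1.strongswan.org ip6-dave1
+fec0::2 ip6-sun.strongswan.org ip6-sun
+fec2::1 ip6-sun1.strongswan.org ip6-sun1
+fec2::10 ip6-bob.strongswan.org ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
+fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
+fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob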
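Review bot: `10.2.0.254 uml1.strongswan.org uml2` maps the name uml1.strongswan.org a second time (it is already bound to 10.1.0.254 on the line above), which looks like a copy-paste slip for `10.2.0.254 uml2.strongswan.org uml2`; with /etc/hosts lookups the first match wins, so uml2.strongswan.org would not resolve at all from this file. The file also does not say which of its entries are deliberately wrong: the description states that the carol and dave addresses are the stale ones, so a header comment such as `# STALE on purpose: the carol and dave entries do not match the peers' real addresses - see description.txt` would stop a later reader from "fixing" them. Everything else reads like a copy of the regular hosts file and presumably should stay in sync with it.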
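--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_8
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+plutostart=no
+
+conn %default
+ikelifetime=60m
+keylife=20m
+rekeymargin=3m
+keyingtries=1
+keyexchange=ikev2
+left=%any
+leftsubnet=10.1.0.0/16
+leftsourceip=PH_IP_MOON1
+leftcert=moonCert.pem
+leftid=@moon.strongswan.org
+leftfirewall=yes
+
+conn carol
+right=%carol.strongswan.org
+rightid=carol@strongswan.org
+rightsourceip=PH_IP_CAROL1
+auto=add
+
+conn dave
+right=%dave.strongswan.org
+rightid=dave@strongswan.org
+rightsourceip=PH_IP_DAVE1
+auto=add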
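--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_9
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+dh_exponent_ansi_x9_42 = no
+}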
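--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_10
@@ -0,0 +1,10 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::sleep 1
+moon::ipsec stop
+moon::mv /etc/hosts.ori /etc/hosts
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0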
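--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_11
@@ -0,0 +1,12 @@
+moon::mv /etc/hosts /etc/hosts.ori
+moon::mv /etc/hosts.stale /etc/hosts
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+dave::ipsec up moon
+carol::sleep 1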
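Review bot: `moon::mv /etc/hosts.stale /etc/hosts` consumes the stale file, and posttest.dat only moves hosts.ori back, so after one run hosts.stale no longer exists on moon; unless the framework re-copies the host's etc directory before every run, a second run fails at this line and the scenario silently runs against the real hosts file. Copying instead of moving keeps the scenario re-runnable: `moon::cp /etc/hosts /etc/hosts.ori` followed by `moon::cp /etc/hosts.stale /etc/hosts`, with posttest's `mv /etc/hosts.ori /etc/hosts` left unchanged. Whether the framework restores the filesystem between runs is not visible from this commit, so please confirm before deciding.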
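--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_12
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"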
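Review bot: `TCPDUMPHOSTS="moon alice"` starts a capture on moon, but evaltest.dat in this commit only evaluates alice's tcpdump output, so the moon capture is collected and never checked. Moon's capture is the one place where the scenario's property (IKE and ESP arriving from the peers' actual rather than stale addresses) could be observed on the wire; either add an evaltest line against it or drop moon from TCPDUMPHOSTS so the test does not gather data it ignores. If moon is kept, a short comment above the variable saying what its capture is for would make the intent clear.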