testing: Test wolfssl plugin
parent
8bbd7bbd36
commit
de5ca4021a
|
@ -415,10 +415,13 @@ KEY_PWD="nH5ZQEWtku0RJEZ6"
|
|||
openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
|
||||
2> /dev/null
|
||||
|
||||
# Put a copy into the ikev2/rw-cert scenario
|
||||
TEST="${TEST_DIR}/ikev2/rw-cert"
|
||||
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
|
||||
cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
|
||||
# Put a copy into the ikev2, botan and wolfssl rw-cert scenarios
|
||||
for d in ikev2 botan wolfssl
|
||||
do
|
||||
TEST="${TEST_DIR}/${d}/rw-cert"
|
||||
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
|
||||
cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
|
||||
done
|
||||
|
||||
# Generate another carol certificate and revoke it
|
||||
TEST="${TEST_DIR}/ikev2/crl-revoked"
|
||||
|
@ -1413,18 +1416,21 @@ pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
|
|||
--crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
|
||||
cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
|
||||
|
||||
# Put a copy in the botan/net2net-sha3-rsa-cert scenario
|
||||
TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert"
|
||||
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
|
||||
mkdir -p rsa x509 x509ca
|
||||
cp ${MOON_KEY} rsa
|
||||
cp ${MOON_CERT} x509
|
||||
cp ${SHA3_RSA_CERT} x509ca
|
||||
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
|
||||
mkdir -p rsa x509 x509ca
|
||||
cp ${SUN_KEY} rsa
|
||||
cp ${SUN_CERT} x509
|
||||
cp ${SHA3_RSA_CERT} x509ca
|
||||
# Put a copy in the botan and wolfssl net2net-sha3-rsa-cert scenarios
|
||||
for d in botan wolfssl
|
||||
do
|
||||
TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert"
|
||||
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
|
||||
mkdir -p rsa x509 x509ca
|
||||
cp ${MOON_KEY} rsa
|
||||
cp ${MOON_CERT} x509
|
||||
cp ${SHA3_RSA_CERT} x509ca
|
||||
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
|
||||
mkdir -p rsa x509 x509ca
|
||||
cp ${SUN_KEY} rsa
|
||||
cp ${SUN_CERT} x509
|
||||
cp ${SHA3_RSA_CERT} x509ca
|
||||
done
|
||||
|
||||
# Put a copy in the ikev2/rw-eap-tls-sha3-rsa scenario
|
||||
TEST="${TEST_DIR}/ikev2/rw-eap-tls-sha3-rsa"
|
||||
|
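Review bot: The `cd ${TEST}/hosts/moon/${SWANCTL_DIR}` and `cd ${TEST}/hosts/sun/${SWANCTL_DIR}` calls inside the new `for d in botan wolfssl` loop are unchecked, so if a scenario directory is missing the following `mkdir -p rsa x509 x509ca` and `cp ${MOON_KEY} rsa` run in whatever directory the script was in before and leave private keys there. Unless the script enables `set -e` outside this hunk, each should fail hard, e.g. `cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1`, with the expansions quoted. The same applies to the `net2net-ed25519` loop in the next hunk, which copies keys into `pkcs8` the same way. The script continues outside both hunks, so the surrounding error handling is not visible here.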
@ -1519,18 +1525,21 @@ pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
|
|||
--crl ${ED25519_CDP} --outform pem > ${MOON_CERT}
|
||||
cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
|
||||
|
||||
# Put a copy in the botan/net2net-ed25519 scenario
|
||||
TEST="${TEST_DIR}/botan/net2net-ed25519"
|
||||
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
|
||||
mkdir -p pkcs8 x509 x509ca
|
||||
cp ${MOON_KEY} pkcs8
|
||||
cp ${MOON_CERT} x509
|
||||
cp ${ED25519_CERT} x509ca
|
||||
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
|
||||
mkdir -p pkcs8 x509 x509ca
|
||||
cp ${SUN_KEY} pkcs8
|
||||
cp ${SUN_CERT} x509
|
||||
cp ${ED25519_CERT} x509ca
|
||||
# Put a copy in the botan and wolfssl net2net-ed25519 scenarios
|
||||
for d in botan wolfssl
|
||||
do
|
||||
TEST="${TEST_DIR}/${d}/net2net-ed25519"
|
||||
cd ${TEST}/hosts/moon/${SWANCTL_DIR}
|
||||
mkdir -p pkcs8 x509 x509ca
|
||||
cp ${MOON_KEY} pkcs8
|
||||
cp ${MOON_CERT} x509
|
||||
cp ${ED25519_CERT} x509ca
|
||||
cd ${TEST}/hosts/sun/${SWANCTL_DIR}
|
||||
mkdir -p pkcs8 x509 x509ca
|
||||
cp ${SUN_KEY} pkcs8
|
||||
cp ${SUN_CERT} x509
|
||||
cp ${ED25519_CERT} x509ca
|
||||
done
|
||||
|
||||
# Put a copy in the ikev2/rw-ed25519-certpol scenario
|
||||
TEST="${TEST_DIR}/ikev2/rw-ed25519-certpol"
|
||||
|
|
|
@ -0,0 +1,56 @@
|
|||
#!/usr/bin/make
|
||||
|
||||
PKG = wolfssl
|
||||
REV = 4.7.1r
|
||||
DIR = $(PKG)-$(REV)
|
||||
TAR = v$(REV).tar.gz
|
||||
SRC = https://github.com/wolfSSL/$(PKG)/archive/refs/tags/$(TAR)
|
||||
|
||||
NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
|
||||
|
||||
CFLAGS = \
|
||||
-DWOLFSSL_PUBLIC_MP \
|
||||
-DWOLFSSL_DES_ECB \
|
||||
-DHAVE_AES_ECB \
|
||||
-DHAVE_ECC_BRAINPOOL \
|
||||
-DWOLFSSL_MIN_AUTH_TAG_SZ=8 \
|
||||
-DHAVE_EX_DATA
|
||||
|
||||
CONFIG_OPTS = \
|
||||
--disable-crypttests \
|
||||
--disable-examples \
|
||||
--enable-silent-rules \
|
||||
--enable-aesccm \
|
||||
--enable-aesctr \
|
||||
--enable-ecccustcurves \
|
||||
--enable-curve25519 \
|
||||
--enable-ed25519 \
|
||||
--enable-curve448 \
|
||||
--enable-ed448 \
|
||||
--enable-rsapss \
|
||||
--enable-des3 \
|
||||
--enable-sha3 \
|
||||
--enable-shake256 \
|
||||
--enable-md4 \
|
||||
--enable-camellia \
|
||||
--enable-keygen \
|
||||
--enable-certgen \
|
||||
--enable-certreq \
|
||||
--enable-certext \
|
||||
--enable-sessioncerts
|
||||
|
||||
all: install
|
||||
|
||||
$(TAR):
|
||||
wget $(SRC)
|
||||
|
||||
.$(PKG)-unpacked-$(REV): $(TAR)
|
||||
[ -d $(DIR) ] || tar xf $(TAR)
|
||||
@touch $@
|
||||
|
||||
.$(PKG)-built-$(REV): .$(PKG)-unpacked-$(REV)
|
||||
cd $(DIR) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS)
|
||||
@rm -f .$(PKG)-built-* && touch $@
|
||||
|
||||
install: .$(PKG)-built-$(REV)
|
||||
cd $(DIR) && make install && ldconfig
|
|
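Review bot: The tarball fetched by `wget $(SRC)` is unpacked, built and then installed with `make install && ldconfig` without any integrity check, so whatever the tag URL serves at build time becomes a system crypto library in the test image. Pin a digest next to `REV`, e.g. `SHA256 = <expected sha256 of v$(REV).tar.gz>`, and verify it in the `$(TAR)` recipe with `echo "$(SHA256)  $(TAR)" | sha256sum -c -` before the unpack step can run. Separately, the two recipes call literal `make`; `$(MAKE)` would pass the jobserver and `-n` through to the sub-build. `all` and `install` are also not declared `.PHONY`.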
@ -107,7 +107,8 @@ CONFIG_OPTS = \
|
|||
--enable-systemd \
|
||||
--enable-counters \
|
||||
--enable-save-keys \
|
||||
--enable-python-eggs
|
||||
--enable-python-eggs \
|
||||
--enable-wolfssl
|
||||
|
||||
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
|
||||
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
*.pem
|
||||
*.p12
|
|
@ -0,0 +1,10 @@
|
|||
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
|
||||
The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
|
||||
<b>moon</b> uses the wolfssl plugin based on the wolfCrypt library for all
|
||||
cryptographical functions whereas <b>sun</b> uses the default strongSwan
|
||||
cryptographical plugins.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
|
||||
pings client <b>bob</b> located behind gateway <b>sun</b>.
|
|
@ -0,0 +1,7 @@
|
|||
moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
|
||||
sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
|
||||
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
|
||||
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,14 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = random pem wolfssl pkcs1 pkcs8 x509 revocation constraints
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce pem wolfssl pkcs1 pkcs8 x509 revocation curl kernel-netlink socket-default updown vici
|
||||
syslog {
|
||||
daemon {
|
||||
lib = 2
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.1
|
||||
remote_addrs = 192.168.0.2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.1.0.0/16
|
||||
remote_ts = 10.2.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.2
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.2.0.0/16
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
moon::swanctl --terminate --ike gw-gw 2> /dev/null
|
||||
moon::systemctl stop strongswan
|
||||
sun::systemctl stop strongswan
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
||||
moon::rm /etc/swanctl/pkcs8/*
|
||||
sun::rm /etc/swanctl/pkcs8/*
|
|
@ -0,0 +1,9 @@
|
|||
moon::rm /etc/swanctl/rsa/moonKey.pem
|
||||
sun::rm /etc/swanctl/rsa/sunKey.pem
|
||||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan
|
||||
sun::systemctl start strongswan
|
||||
moon::expect-connection gw-gw
|
||||
sun::expect-connection gw-gw
|
||||
moon::swanctl --initiate --child net-net 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-w-s-b.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -0,0 +1,8 @@
|
|||
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
|
||||
The authentication is based on <b>X.509 certificates</b> with signatures consisting of
|
||||
<b>RSA-encrypted SHA-3 hashes</b>.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnel, the updown script automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
|
||||
pings client <b>bob</b> located behind gateway <b>sun</b>.
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
|
||||
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
|
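Review bot: None of the five checks in this evaltest asserts that SHA-3 based RSA signatures were actually used. They only match the established SAs, the ping and the ESP packets, so the scenario would still pass if the wolfssl plugin quietly fell back to another hash. The net2net-ed25519 evaltest in this commit pins its signature type with a `cat /var/log/daemon.log` line; an equivalent check here would look like `moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with <SHA-3 RSA scheme name as logged> successful::YES`, plus the mirror line for sun. The exact scheme string has to be taken from a real log, as it is not visible on this page.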
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkeyrandom
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
}
|
|
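Review bot: `pubkeyrandom` at the end of the swanctl `load` line is missing a space. The `charon-systemd` line in the same file lists `pubkey` and `random` separately, and the other strongswan.conf of this scenario (a later section) ends its swanctl line with `pubkey random`. As written the loader is presumably asked for a plugin named `pubkeyrandom`, so neither plugin is loaded for swanctl on this host (from the addresses in the following swanctl.conf, apparently moon). The line should read `load = pem wolfssl pkcs1 x509 revocation constraints pubkey random`.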
@ -0,0 +1,33 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.1
|
||||
remote_addrs = 192.168.0.2
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.1.0.0/16
|
||||
remote_ts = 10.2.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkey random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
connections {
|
||||
|
||||
gw-gw {
|
||||
local_addrs = 192.168.0.2
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = sunCert.pem
|
||||
id = sun.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
net-net {
|
||||
local_ts = 10.2.0.0/16
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
rekey_time = 5400
|
||||
rekey_bytes = 500000000
|
||||
rekey_packets = 1000000
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
mobike = no
|
||||
reauth_time = 10800
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
moon::swanctl --terminate --ike gw-gw 2> /dev/null
|
||||
moon::systemctl stop strongswan
|
||||
sun::systemctl stop strongswan
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,7 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan
|
||||
sun::systemctl start strongswan
|
||||
moon::expect-connection gw-gw
|
||||
sun::expect-connection gw-gw
|
||||
moon::swanctl --initiate --child net-net 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-w-s-b.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -0,0 +1,10 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>wolfssl</b>
|
||||
plugin based on the <b>wolfSSL</b> library for all cryptographical functions whereas
|
||||
roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
|
||||
plugins. The authentication is based on <b>X.509 certificates</b> and the key exchange
|
||||
on <b>x25519</b>.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,10 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
|
||||
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl x509 revocation constraints pkcs1 pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce pem wolfssl x509 revocation constraints pkcs1 pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
rsa-carol {
|
||||
file = carolKey.pem
|
||||
secret = "nH5ZQEWtku0RJEZ6"
|
||||
}
|
||||
}
|
|
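Review bot: The passphrase in `secret = "nH5ZQEWtku0RJEZ6"` is committed in clear text with no comment explaining why that is acceptable. It is the same value as `KEY_PWD` in the certificate build script at the top of this commit, so it protects only the generated test key, but nothing in this file says so. A one-line comment above the `rsa-carol` block would stop it being copied into a real deployment or flagged repeatedly by secret scanners, e.g. `# test-only passphrase for the generated carolKey.pem, must match KEY_PWD in the cert build script`. The same applies to the identical `secrets` block in the ecp256 scenario later in the commit.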
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pkcs1 pem openssl x509 revocation constraints
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce sha1 sha2 sha3 aes curve25519 hmac mgf1 pem pkcs1 x509 revocation constraints gmp curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl x509 revocation constraints pkcs1 pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce test-vectors pem wolfssl x509 revocation constraints pkcs1 pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
integrity_test = yes
|
||||
crypto_test {
|
||||
on_add = yes
|
||||
}
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-x25519
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-x25519
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home
|
||||
dave::swanctl --terminate --ike home
|
||||
carol::systemctl stop strongswan
|
||||
dave::systemctl stop strongswan
|
||||
moon::systemctl stop strongswan
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan
|
||||
carol::systemctl start strongswan
|
||||
dave::systemctl start strongswan
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -0,0 +1,9 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>wolfssl</b>
|
||||
plugin based on the <b>wolfCrypt</b> library for all cryptographical functions whereas
|
||||
roadwarrior <b>dave</b> uses the <b>openssl</b> plugin. The authentication is based
|
||||
on <b>X.509 certificates</b> and the key exchange on <b>ecp256</b>.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,10 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
|
||||
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
rsa-carol {
|
||||
file = carolKey.pem
|
||||
secret = "nH5ZQEWtku0RJEZ6"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce test-vectors pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
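Review bot: `test-vectors` is in the `charon-systemd` load list here, but the section has no `crypto_test { on_add = yes }` or `integrity_test = yes`. The corresponding moon strongswan.conf of the rw-cert scenario earlier in this commit sets both. As far as I know the vectors are only run when `crypto_test.on_add` is enabled, so this file likely loads them without self-testing the wolfssl algorithms. Either add the `integrity_test = yes` line and the `crypto_test { on_add = yes }` block as in rw-cert, or drop `test-vectors` from the list if the self-test is not wanted for this scenario.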
@ -0,0 +1,25 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-ecp256
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-ecp256
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home
|
||||
dave::swanctl --terminate --ike home
|
||||
carol::systemctl stop strongswan
|
||||
dave::systemctl stop strongswan
|
||||
moon::systemctl stop strongswan
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan
|
||||
carol::systemctl start strongswan
|
||||
dave::systemctl start strongswan
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|
|
@ -0,0 +1,10 @@
|
|||
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>wolfssl</b>
|
||||
plugin based on the <b>wolfCrypt</b> library for all cryptographical functions whereas
|
||||
roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
|
||||
plugins. The authentication is based on <b>X.509 certificates</b> and the key exchange
|
||||
on <b>modp3072</b>.
|
||||
<p/>
|
||||
Upon the successful establishment of the IPsec tunnels, the updown script
|
||||
automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
|
||||
the client <b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,10 @@
|
|||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
|
||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
|
||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
|
||||
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
|
||||
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
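Review bot: The two moon checks select the SAs with `--ike-id 1` and `--ike-id 2` and expect `reqid=1` / `reqid=2`, so they only pass if carol's IKE SA is created before dave's on a freshly started daemon. The pretest in this commit does initiate carol before dave, which presumably guarantees that order, but the dependency is implicit. If the pretest were reordered, both checks would fail for a reason unrelated to the wolfssl plugin. I would record the assumption in the scenario description, e.g. `moon identifies the SAs by IKE ID, so carol must initiate before dave`. Alternatively, drop the `--ike-id` filter and match on `remote-id` alone, if the harness output allows it.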
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
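Review bot: This `charon-systemd` load list (presumably carol's, given the connection file that follows) has no `test-vectors` entry. The otherwise identical wolfssl list in the later strongswan.conf of this scenario, the one before the `rw` connection, does have it. If the intent is to self-test the wolfCrypt-backed algorithms, both wolfssl hosts should load it: `load = nonce test-vectors pem wolfssl pkcs1 ...`. Neither file sets `crypto_test.on_add`, so unless it is enabled elsewhere in the test environment, the vectors are presumably not run when algorithms are registered. That is worth confirming, because an established tunnel alone does not show that the plugin's primitives were checked.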
|
|
@ -0,0 +1,35 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.100
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = carolCert.pem
|
||||
id = carol@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
||||
|
||||
secrets {
|
||||
|
||||
rsa-carol {
|
||||
file = carolKey.pem
|
||||
secret = "nH5ZQEWtku0RJEZ6"
|
||||
}
|
||||
}
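Review bot: The `secret` in `rsa-carol` is the cleartext passphrase of `carolKey.pem`, and it is the same string the certificate build script assigns to `KEY_PWD`, so the two have to be kept in sync by hand. A comment above the entry would make that link visible and mark the key as a fixture: `# passphrase of the test-only carolKey.pem; must match KEY_PWD in the certificate build script`. Nothing else needs to change for a test scenario. The comment also makes it less likely that the value is copied into a real deployment unnoticed.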
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem pkcs1 x509 revocation constraints pubkey openssl random
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = random nonce sha1 sha2 aes hmac mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
connections {
|
||||
|
||||
home {
|
||||
local_addrs = 192.168.0.200
|
||||
remote_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = daveCert.pem
|
||||
id = dave@strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
children {
|
||||
home {
|
||||
remote_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
swanctl {
|
||||
load = pem wolfssl pkcs1 x509 revocation constraints pubkey
|
||||
}
|
||||
|
||||
charon-systemd {
|
||||
load = nonce test-vectors pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
|
||||
|
||||
rsa_pss = yes
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
connections {
|
||||
|
||||
rw {
|
||||
local_addrs = 192.168.0.1
|
||||
|
||||
local {
|
||||
auth = pubkey
|
||||
certs = moonCert.pem
|
||||
id = moon.strongswan.org
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
}
|
||||
children {
|
||||
net {
|
||||
local_ts = 10.1.0.0/16
|
||||
|
||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||
esp_proposals = aes128gcm128-modp3072
|
||||
}
|
||||
}
|
||||
version = 2
|
||||
proposals = aes128-sha256-modp3072
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
carol::swanctl --terminate --ike home
|
||||
dave::swanctl --terminate --ike home
|
||||
carol::systemctl stop strongswan
|
||||
dave::systemctl stop strongswan
|
||||
moon::systemctl stop strongswan
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
|
@ -0,0 +1,11 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
moon::systemctl start strongswan
|
||||
carol::systemctl start strongswan
|
||||
dave::systemctl start strongswan
|
||||
moon::expect-connection rw
|
||||
carol::expect-connection home
|
||||
carol::swanctl --initiate --child home 2> /dev/null
|
||||
dave::expect-connection home
|
||||
dave::swanctl --initiate --child home 2> /dev/null
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# charon controlled by swanctl
|
||||
#
|
||||
SWANCTL=1
|