implemented PASS and DROP shunt policies
parent
6a5c8ee7a5
commit
f87991704e
3
NEWS
3
NEWS
|
@ -1,6 +1,9 @@
|
||||||
strongswan-4.5.3
|
strongswan-4.5.3
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
|
- IKEv2 charon daemon supports start PASS and DROP shunt policies
|
||||||
|
preventing traffic to go through IPsec connections.
|
||||||
|
|
||||||
- IMC/IMV test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
|
- IMC/IMV test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
|
||||||
(--enable-imc-test/--enable-imv-test).
|
(--enable-imc-test/--enable-imv-test).
|
||||||
|
|
||||||
|
|
|
@ -72,6 +72,7 @@ sa/ike_sa_id.c sa/ike_sa_id.h \
|
||||||
sa/ike_sa_manager.c sa/ike_sa_manager.h \
|
sa/ike_sa_manager.c sa/ike_sa_manager.h \
|
||||||
sa/task_manager.c sa/task_manager.h \
|
sa/task_manager.c sa/task_manager.h \
|
||||||
sa/keymat.c sa/keymat.h \
|
sa/keymat.c sa/keymat.h \
|
||||||
|
sa/shunt_manager.c sa/shunt_manager.h \
|
||||||
sa/trap_manager.c sa/trap_manager.h \
|
sa/trap_manager.c sa/trap_manager.h \
|
||||||
sa/tasks/child_create.c sa/tasks/child_create.h \
|
sa/tasks/child_create.c sa/tasks/child_create.h \
|
||||||
sa/tasks/child_delete.c sa/tasks/child_delete.h \
|
sa/tasks/child_delete.c sa/tasks/child_delete.h \
|
||||||
|
|
|
@ -115,6 +115,7 @@ static void destroy(private_daemon_t *this)
|
||||||
#endif /* CAPABILITIES_LIBCAP */
|
#endif /* CAPABILITIES_LIBCAP */
|
||||||
DESTROY_IF(this->kernel_handler);
|
DESTROY_IF(this->kernel_handler);
|
||||||
DESTROY_IF(this->public.traps);
|
DESTROY_IF(this->public.traps);
|
||||||
|
DESTROY_IF(this->public.shunts);
|
||||||
DESTROY_IF(this->public.ike_sa_manager);
|
DESTROY_IF(this->public.ike_sa_manager);
|
||||||
DESTROY_IF(this->public.controller);
|
DESTROY_IF(this->public.controller);
|
||||||
DESTROY_IF(this->public.eap);
|
DESTROY_IF(this->public.eap);
|
||||||
|
@ -294,6 +295,7 @@ private_daemon_t *daemon_create()
|
||||||
this->public.backends = backend_manager_create();
|
this->public.backends = backend_manager_create();
|
||||||
this->public.socket = socket_manager_create();
|
this->public.socket = socket_manager_create();
|
||||||
this->public.traps = trap_manager_create();
|
this->public.traps = trap_manager_create();
|
||||||
|
this->public.shunts = shunt_manager_create();
|
||||||
this->kernel_handler = kernel_handler_create();
|
this->kernel_handler = kernel_handler_create();
|
||||||
|
|
||||||
#ifdef CAPABILITIES
|
#ifdef CAPABILITIES
|
||||||
|
|
|
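Review bot: `DESTROY_IF(this->public.shunts)` in destroy() runs the shunt manager's destroy, which in this commit deletes each shunt's kernel policies through `hydra->kernel_interface`, so it depends on the hydra kernel interface still being initialised at that point of the shutdown sequence; that ordering is decided outside this file, so it is worth confirming rather than assuming. The creation order in daemon_create (traps, shunts, kernel_handler) is also not mirrored in destroy (kernel_handler, traps, shunts); if the two managers are independent this is harmless, but moving the new line above `DESTROY_IF(this->public.traps)` keeps the customary reverse order. Both functions start outside the hunks.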
@ -146,6 +146,7 @@ typedef struct daemon_t daemon_t;
|
||||||
#include <bus/listeners/sys_logger.h>
|
#include <bus/listeners/sys_logger.h>
|
||||||
#include <sa/ike_sa_manager.h>
|
#include <sa/ike_sa_manager.h>
|
||||||
#include <sa/trap_manager.h>
|
#include <sa/trap_manager.h>
|
||||||
|
#include <sa/shunt_manager.h>
|
||||||
#include <config/backend_manager.h>
|
#include <config/backend_manager.h>
|
||||||
#include <sa/authenticators/eap/eap_manager.h>
|
#include <sa/authenticators/eap/eap_manager.h>
|
||||||
#include <sa/authenticators/eap/sim_manager.h>
|
#include <sa/authenticators/eap/sim_manager.h>
|
||||||
|
@ -193,6 +194,11 @@ struct daemon_t {
|
||||||
*/
|
*/
|
||||||
trap_manager_t *traps;
|
trap_manager_t *traps;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Manager for shunt PASS|DROP policies
|
||||||
|
*/
|
||||||
|
shunt_manager_t *shunts;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Manager for the different configuration backends.
|
* Manager for the different configuration backends.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -328,6 +328,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
|
||||||
case AUTH_CLASS_EAP:
|
case AUTH_CLASS_EAP:
|
||||||
auth = "eap";
|
auth = "eap";
|
||||||
break;
|
break;
|
||||||
|
case AUTH_CLASS_ANY:
|
||||||
|
auth = "any";
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
|
@ -15,7 +15,9 @@
|
||||||
|
|
||||||
#include "stroke_control.h"
|
#include "stroke_control.h"
|
||||||
|
|
||||||
|
#include <hydra.h>
|
||||||
#include <daemon.h>
|
#include <daemon.h>
|
||||||
|
|
||||||
#include <processing/jobs/delete_ike_sa_job.h>
|
#include <processing/jobs/delete_ike_sa_job.h>
|
||||||
#include <processing/jobs/rekey_ike_sa_job.h>
|
#include <processing/jobs/rekey_ike_sa_job.h>
|
||||||
#include <processing/jobs/rekey_child_sa_job.h>
|
#include <processing/jobs/rekey_child_sa_job.h>
|
||||||
|
@ -521,18 +523,37 @@ METHOD(stroke_control_t, purge_ike, void,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* call charon to install a trap
|
* call charon to install a shunt or trap
|
||||||
*/
|
*/
|
||||||
static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
|
static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
|
||||||
char *name, FILE *out)
|
char *name, FILE *out)
|
||||||
{
|
{
|
||||||
if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
|
ipsec_mode_t mode;
|
||||||
|
|
||||||
|
mode = child_cfg->get_mode(child_cfg);
|
||||||
|
if (mode == MODE_PASS || mode == MODE_DROP)
|
||||||
{
|
{
|
||||||
fprintf(out, "'%s' routed\n", name);
|
if (charon->shunts->install(charon->shunts, child_cfg))
|
||||||
|
{
|
||||||
|
fprintf(out, "'%s' shunt %N policy installed\n",
|
||||||
|
name, ipsec_mode_names, mode);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
fprintf(out, "'%s' shunt %N policy installation failed\n",
|
||||||
|
name, ipsec_mode_names, mode);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
fprintf(out, "routing '%s' failed\n", name);
|
if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
|
||||||
|
{
|
||||||
|
fprintf(out, "'%s' routed\n", name);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
fprintf(out, "routing '%s' failed\n", name);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -614,6 +635,13 @@ METHOD(stroke_control_t, unroute, void,
|
||||||
child_sa_t *child_sa;
|
child_sa_t *child_sa;
|
||||||
enumerator_t *enumerator;
|
enumerator_t *enumerator;
|
||||||
u_int32_t id;
|
u_int32_t id;
|
||||||
|
bool found = FALSE;
|
||||||
|
|
||||||
|
if (charon->shunts->uninstall(charon->shunts, msg->unroute.name))
|
||||||
|
{
|
||||||
|
fprintf(out, "shunt policy '%s' uninstalled\n", msg->unroute.name);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
enumerator = charon->traps->create_enumerator(charon->traps);
|
enumerator = charon->traps->create_enumerator(charon->traps);
|
||||||
while (enumerator->enumerate(enumerator, NULL, &child_sa))
|
while (enumerator->enumerate(enumerator, NULL, &child_sa))
|
||||||
|
@ -624,11 +652,15 @@ METHOD(stroke_control_t, unroute, void,
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
charon->traps->uninstall(charon->traps, id);
|
charon->traps->uninstall(charon->traps, id);
|
||||||
fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
|
fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
|
||||||
return;
|
found = TRUE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
|
|
||||||
|
if (!found)
|
||||||
|
{
|
||||||
|
fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(stroke_control_t, destroy, void,
|
METHOD(stroke_control_t, destroy, void,
|
||||||
|
|
|
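Review bot: In the second unroute hunk, replacing `return;` with `found = TRUE;` makes the while loop continue after `enumerator->destroy(enumerator);` has already run two lines earlier inside the loop, so the next `enumerator->enumerate` call and the second `enumerator->destroy` after the loop operate on a freed enumerator (use-after-free followed by a double destroy). The in-loop destroy was also what kept `charon->traps->uninstall` from mutating the trap list while an enumerator over it was live. Either keep the `return;` (then `found` and the `if (!found)` block are unnecessary) or, as below, only record the match inside the loop, destroy the enumerator once, and uninstall afterwards. The first lines of the loop body (name comparison and the reqid lookup into `id`) and the start of unroute are outside the hunk.
```c
	while (enumerator->enumerate(enumerator, NULL, &child_sa))
	{
		/* … unchanged: name comparison and reqid lookup into id … */
			found = TRUE;
			break;
		}
	}
	enumerator->destroy(enumerator);
	if (found)
	{
		charon->traps->uninstall(charon->traps, id);
		fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
	}
	else
	{
		fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
	}
```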
@ -398,6 +398,7 @@ METHOD(stroke_list_t, status, void,
|
||||||
child_cfg_t *child_cfg;
|
child_cfg_t *child_cfg;
|
||||||
child_sa_t *child_sa;
|
child_sa_t *child_sa;
|
||||||
ike_sa_t *ike_sa;
|
ike_sa_t *ike_sa;
|
||||||
|
linked_list_t *my_ts, *other_ts;
|
||||||
bool first, found = FALSE;
|
bool first, found = FALSE;
|
||||||
char *name = msg->status.name;
|
char *name = msg->status.name;
|
||||||
u_int half_open;
|
u_int half_open;
|
||||||
|
@ -503,12 +504,11 @@ METHOD(stroke_list_t, status, void,
|
||||||
children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
|
children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
|
||||||
while (children->enumerate(children, &child_cfg))
|
while (children->enumerate(children, &child_cfg))
|
||||||
{
|
{
|
||||||
linked_list_t *my_ts, *other_ts;
|
|
||||||
|
|
||||||
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
|
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
|
||||||
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
|
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
|
||||||
fprintf(out, "%12s: child: %#R=== %#R", child_cfg->get_name(child_cfg),
|
fprintf(out, "%12s: child: %#R=== %#R%N",
|
||||||
my_ts, other_ts);
|
child_cfg->get_name(child_cfg), my_ts, other_ts,
|
||||||
|
ipsec_mode_names, child_cfg->get_mode(child_cfg));
|
||||||
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
|
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
|
||||||
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
|
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
|
||||||
|
|
||||||
|
@ -524,10 +524,39 @@ METHOD(stroke_list_t, status, void,
|
||||||
enumerator->destroy(enumerator);
|
enumerator->destroy(enumerator);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Enumerate shunt policies */
|
||||||
|
first = TRUE;
|
||||||
|
enumerator = charon->shunts->create_enumerator(charon->shunts);
|
||||||
|
while (enumerator->enumerate(enumerator, &child_cfg))
|
||||||
|
{
|
||||||
|
if (name && !streq(name, child_cfg->get_name(child_cfg)))
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (first)
|
||||||
|
{
|
||||||
|
fprintf(out, "Shunted Connections:\n");
|
||||||
|
first = FALSE;
|
||||||
|
}
|
||||||
|
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
|
||||||
|
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
|
||||||
|
fprintf(out, "%12s: %#R=== %#R%N\n",
|
||||||
|
child_cfg->get_name(child_cfg), my_ts, other_ts,
|
||||||
|
ipsec_mode_names, child_cfg->get_mode(child_cfg));
|
||||||
|
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
|
||||||
|
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
|
||||||
|
}
|
||||||
|
enumerator->destroy(enumerator);
|
||||||
|
|
||||||
|
/* Enumerate traps */
|
||||||
first = TRUE;
|
first = TRUE;
|
||||||
enumerator = charon->traps->create_enumerator(charon->traps);
|
enumerator = charon->traps->create_enumerator(charon->traps);
|
||||||
while (enumerator->enumerate(enumerator, NULL, &child_sa))
|
while (enumerator->enumerate(enumerator, NULL, &child_sa))
|
||||||
{
|
{
|
||||||
|
if (name && !streq(name, child_sa->get_name(child_sa)))
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
if (first)
|
if (first)
|
||||||
{
|
{
|
||||||
fprintf(out, "Routed Connections:\n");
|
fprintf(out, "Routed Connections:\n");
|
||||||
|
|
|
@ -42,6 +42,7 @@ METHOD(job_t, execute, void,
|
||||||
enumerator_t *enumerator, *children;
|
enumerator_t *enumerator, *children;
|
||||||
peer_cfg_t *peer_cfg;
|
peer_cfg_t *peer_cfg;
|
||||||
child_cfg_t *child_cfg;
|
child_cfg_t *child_cfg;
|
||||||
|
ipsec_mode_t mode;
|
||||||
char *name;
|
char *name;
|
||||||
|
|
||||||
enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
|
enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
|
||||||
|
@ -69,7 +70,16 @@ METHOD(job_t, execute, void,
|
||||||
break;
|
break;
|
||||||
case ACTION_ROUTE:
|
case ACTION_ROUTE:
|
||||||
DBG1(DBG_JOB, "start action: route '%s'", name);
|
DBG1(DBG_JOB, "start action: route '%s'", name);
|
||||||
charon->traps->install(charon->traps, peer_cfg, child_cfg);
|
mode = child_cfg->get_mode(child_cfg);
|
||||||
|
if (mode == MODE_PASS || mode == MODE_DROP)
|
||||||
|
{
|
||||||
|
charon->shunts->install(charon->shunts, child_cfg);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
charon->traps->install(charon->traps, peer_cfg,
|
||||||
|
child_cfg);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case ACTION_NONE:
|
case ACTION_NONE:
|
||||||
break;
|
break;
|
||||||
|
|
|
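Review bot: The return value of `charon->shunts->install(charon->shunts, child_cfg)` in the ACTION_ROUTE branch is discarded, and unlike the trap path nothing in this commit logs a failed shunt install (install_shunt_policy in shunt_manager.c just returns FALSE), so a PASS or DROP shunt the kernel refused at start-up leaves no trace; for a DROP shunt that means traffic the administrator meant to discard is instead handled by whatever other policy matches, silently. Log it in the job: `if (!charon->shunts->install(charon->shunts, child_cfg))` / `{ DBG1(DBG_JOB, "installing shunt policy '%s' failed", name); }`. execute starts and ends outside the hunk.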
@ -0,0 +1,242 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2011 Andreas Steffen
|
||||||
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "shunt_manager.h"
|
||||||
|
|
||||||
|
#include <hydra.h>
|
||||||
|
#include <daemon.h>
|
||||||
|
#include <threading/rwlock.h>
|
||||||
|
#include <utils/linked_list.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct private_shunt_manager_t private_shunt_manager_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Private data of an shunt_manager_t object.
|
||||||
|
*/
|
||||||
|
struct private_shunt_manager_t {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Public shunt_manager_t interface.
|
||||||
|
*/
|
||||||
|
shunt_manager_t public;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Installed shunts, as child_cfg_t
|
||||||
|
*/
|
||||||
|
linked_list_t *shunts;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Install in and out shunt policies in the kernel
|
||||||
|
*/
|
||||||
|
static bool install_shunt_policy(child_cfg_t *child)
|
||||||
|
{
|
||||||
|
enumerator_t *e_my_ts, *e_other_ts;
|
||||||
|
linked_list_t *my_ts_list, *other_ts_list;
|
||||||
|
traffic_selector_t *my_ts, *other_ts;
|
||||||
|
policy_type_t policy_type;
|
||||||
|
status_t status = SUCCESS;
|
||||||
|
ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
|
||||||
|
|
||||||
|
policy_type = (child->get_mode(child) == MODE_PASS) ?
|
||||||
|
POLICY_PASS : POLICY_DROP;
|
||||||
|
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
|
||||||
|
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
|
||||||
|
|
||||||
|
/* enumerate pairs of traffic selectors */
|
||||||
|
e_my_ts = my_ts_list->create_enumerator(my_ts_list);
|
||||||
|
while (e_my_ts->enumerate(e_my_ts, &my_ts))
|
||||||
|
{
|
||||||
|
e_other_ts = other_ts_list->create_enumerator(other_ts_list);
|
||||||
|
while (e_other_ts->enumerate(e_other_ts, &other_ts))
|
||||||
|
{
|
||||||
|
/* install out policy */
|
||||||
|
status |= hydra->kernel_interface->add_policy(
|
||||||
|
hydra->kernel_interface, NULL, NULL,
|
||||||
|
my_ts, other_ts, POLICY_OUT, policy_type,
|
||||||
|
&sa, child->get_mark(child, FALSE), FALSE);
|
||||||
|
|
||||||
|
/* install in policy */
|
||||||
|
status |= hydra->kernel_interface->add_policy(
|
||||||
|
hydra->kernel_interface, NULL, NULL,
|
||||||
|
other_ts, my_ts, POLICY_IN, policy_type,
|
||||||
|
&sa, child->get_mark(child, TRUE), FALSE);
|
||||||
|
|
||||||
|
/* install forward policy */
|
||||||
|
status |= hydra->kernel_interface->add_policy(
|
||||||
|
hydra->kernel_interface, NULL, NULL,
|
||||||
|
other_ts, my_ts, POLICY_FWD, policy_type,
|
||||||
|
&sa, child->get_mark(child, TRUE), FALSE);
|
||||||
|
}
|
||||||
|
e_other_ts->destroy(e_other_ts);
|
||||||
|
}
|
||||||
|
e_my_ts->destroy(e_my_ts);
|
||||||
|
|
||||||
|
my_ts_list->destroy_offset(my_ts_list,
|
||||||
|
offsetof(traffic_selector_t, destroy));
|
||||||
|
other_ts_list->destroy_offset(other_ts_list,
|
||||||
|
offsetof(traffic_selector_t, destroy));
|
||||||
|
|
||||||
|
return status == SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
METHOD(shunt_manager_t, install, bool,
|
||||||
|
private_shunt_manager_t *this, child_cfg_t *child)
|
||||||
|
{
|
||||||
|
enumerator_t *enumerator;
|
||||||
|
child_cfg_t *child_cfg;
|
||||||
|
bool found = FALSE;
|
||||||
|
|
||||||
|
/* check if not already installed */
|
||||||
|
enumerator = this->shunts->create_enumerator(this->shunts);
|
||||||
|
while (enumerator->enumerate(enumerator, &child_cfg))
|
||||||
|
{
|
||||||
|
if (streq(child_cfg->get_name(child_cfg), child->get_name(child)))
|
||||||
|
{
|
||||||
|
found = TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
enumerator->destroy(enumerator);
|
||||||
|
|
||||||
|
if (found)
|
||||||
|
{
|
||||||
|
DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
|
||||||
|
ipsec_mode_names, child->get_mode(child), child->get_name(child));
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
this->shunts->insert_last(this->shunts, child->get_ref(child));
|
||||||
|
|
||||||
|
return install_shunt_policy(child);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Uninstall in and out shunt policies in the kernel
|
||||||
|
*/
|
||||||
|
static void uninstall_shunt_policy(child_cfg_t *child)
|
||||||
|
{
|
||||||
|
enumerator_t *e_my_ts, *e_other_ts;
|
||||||
|
linked_list_t *my_ts_list, *other_ts_list;
|
||||||
|
traffic_selector_t *my_ts, *other_ts;
|
||||||
|
status_t status = SUCCESS;
|
||||||
|
|
||||||
|
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
|
||||||
|
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
|
||||||
|
|
||||||
|
/* enumerate pairs of traffic selectors */
|
||||||
|
e_my_ts = my_ts_list->create_enumerator(my_ts_list);
|
||||||
|
while (e_my_ts->enumerate(e_my_ts, &my_ts))
|
||||||
|
{
|
||||||
|
e_other_ts = other_ts_list->create_enumerator(other_ts_list);
|
||||||
|
while (e_other_ts->enumerate(e_other_ts, &other_ts))
|
||||||
|
{
|
||||||
|
/* uninstall out policy */
|
||||||
|
status |= hydra->kernel_interface->del_policy(
|
||||||
|
hydra->kernel_interface, my_ts, other_ts,
|
||||||
|
POLICY_OUT, child->get_mark(child, FALSE), FALSE);
|
||||||
|
|
||||||
|
/* uninstall in policy */
|
||||||
|
status |= hydra->kernel_interface->del_policy(
|
||||||
|
hydra->kernel_interface, other_ts, my_ts,
|
||||||
|
POLICY_IN, child->get_mark(child, TRUE), FALSE);
|
||||||
|
|
||||||
|
/* uninstall forward policy */
|
||||||
|
status |= hydra->kernel_interface->del_policy(
|
||||||
|
hydra->kernel_interface, other_ts, my_ts,
|
||||||
|
POLICY_FWD, child->get_mark(child, TRUE), FALSE);
|
||||||
|
}
|
||||||
|
e_other_ts->destroy(e_other_ts);
|
||||||
|
}
|
||||||
|
e_my_ts->destroy(e_my_ts);
|
||||||
|
|
||||||
|
my_ts_list->destroy_offset(my_ts_list,
|
||||||
|
offsetof(traffic_selector_t, destroy));
|
||||||
|
other_ts_list->destroy_offset(other_ts_list,
|
||||||
|
offsetof(traffic_selector_t, destroy));
|
||||||
|
|
||||||
|
if (status != SUCCESS)
|
||||||
|
{
|
||||||
|
DBG1(DBG_CFG, "uninstalling shunt %N 'policy %s' failed",
|
||||||
|
ipsec_mode_names, child->get_mode(child), child->get_name(child));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
METHOD(shunt_manager_t, uninstall, bool,
|
||||||
|
private_shunt_manager_t *this, char *name)
|
||||||
|
{
|
||||||
|
enumerator_t *enumerator;
|
||||||
|
child_cfg_t *child, *found = NULL;
|
||||||
|
|
||||||
|
enumerator = this->shunts->create_enumerator(this->shunts);
|
||||||
|
while (enumerator->enumerate(enumerator, &child))
|
||||||
|
{
|
||||||
|
if (streq(name, child->get_name(child)))
|
||||||
|
{
|
||||||
|
this->shunts->remove_at(this->shunts, enumerator);
|
||||||
|
found = child;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
enumerator->destroy(enumerator);
|
||||||
|
|
||||||
|
if (!found)
|
||||||
|
{
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
uninstall_shunt_policy(child);
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
|
||||||
|
private_shunt_manager_t *this)
|
||||||
|
{
|
||||||
|
return this->shunts->create_enumerator(this->shunts);
|
||||||
|
}
|
||||||
|
|
||||||
|
METHOD(shunt_manager_t, destroy, void,
|
||||||
|
private_shunt_manager_t *this)
|
||||||
|
{
|
||||||
|
child_cfg_t *child;
|
||||||
|
|
||||||
|
while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
|
||||||
|
{
|
||||||
|
uninstall_shunt_policy(child);
|
||||||
|
child->destroy(child);
|
||||||
|
}
|
||||||
|
this->shunts->destroy(this->shunts);
|
||||||
|
free(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* See header
|
||||||
|
*/
|
||||||
|
shunt_manager_t *shunt_manager_create()
|
||||||
|
{
|
||||||
|
private_shunt_manager_t *this;
|
||||||
|
|
||||||
|
INIT(this,
|
||||||
|
.public = {
|
||||||
|
.install = _install,
|
||||||
|
.uninstall = _uninstall,
|
||||||
|
.create_enumerator = _create_enumerator,
|
||||||
|
.destroy = _destroy,
|
||||||
|
},
|
||||||
|
.shunts = linked_list_create(),
|
||||||
|
);
|
||||||
|
|
||||||
|
return &this->public;
|
||||||
|
}
|
||||||
|
|
|
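Review bot: In `install`, the child_cfg is appended to `this->shunts` before `install_shunt_policy` runs, so when the kernel rejects the policy the method returns FALSE but the entry stays registered: `status` lists it under Shunted Connections, a later `uninstall` reports success, and nothing on this path logs the failure (partially added policies would also need cleanup on that path). Install first and register only on success, as below. Separately, `uninstall` removes the entry and tears down the policies but never drops the reference taken with `get_ref` at install, unlike `destroy`, which calls `child->destroy(child)`; add `child->destroy(child);` after `uninstall_shunt_policy(child);`. The list is read and modified from stroke and the start-action job with no lock even though threading/rwlock.h is included; if those callers are not serialized elsewhere, the list needs the rwlock the include suggests. The log string in uninstall_shunt_policy also has its quotes misplaced: `"uninstalling shunt %N policy '%s' failed"`.
```c
METHOD(shunt_manager_t, install, bool,
	private_shunt_manager_t *this, child_cfg_t *child)
{
	/* … unchanged: already-installed lookup and early return … */
	if (!install_shunt_policy(child))
	{
		DBG1(DBG_CFG, "installing shunt %N policy '%s' failed",
			 ipsec_mode_names, child->get_mode(child), child->get_name(child));
		return FALSE;
	}
	this->shunts->insert_last(this->shunts, child->get_ref(child));
	return TRUE;
}
```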
@ -0,0 +1,69 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2011 Andreas Steffen
|
||||||
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @defgroup shunt_manager shunt_manager
|
||||||
|
* @{ @ingroup sa
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef SHUNT_MANAGER_H_
|
||||||
|
#define SHUNT_MANAGER_H_
|
||||||
|
|
||||||
|
#include <library.h>
|
||||||
|
#include <utils/enumerator.h>
|
||||||
|
#include <config/child_cfg.h>
|
||||||
|
|
||||||
|
typedef struct shunt_manager_t shunt_manager_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Manage PASS and DROP shunt policy excepting traffic from IPsec SAs.
|
||||||
|
*/
|
||||||
|
struct shunt_manager_t {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Install a policy as a shunt.
|
||||||
|
*
|
||||||
|
* @param child child configuration to install as a shunt
|
||||||
|
* @return TRUE if installed successfully
|
||||||
|
*/
|
||||||
|
bool (*install)(shunt_manager_t *this, child_cfg_t *child);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Uninstall a shunt policy.
|
||||||
|
*
|
||||||
|
* @param name name of child configuration to uninstall as a shunt
|
||||||
|
* @return TRUE if uninstalled successfully
|
||||||
|
*/
|
||||||
|
bool (*uninstall)(shunt_manager_t *this, char *name);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create an enumerator over all installed shunts.
|
||||||
|
*
|
||||||
|
* @return enumerator over (child_sa_t)
|
||||||
|
*/
|
||||||
|
enumerator_t* (*create_enumerator)(shunt_manager_t *this);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destroy a shunt_manager_t.
|
||||||
|
*/
|
||||||
|
void (*destroy)(shunt_manager_t *this);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a shunt_manager instance.
|
||||||
|
*/
|
||||||
|
shunt_manager_t *shunt_manager_create();
|
||||||
|
|
||||||
|
#endif /** SHUNT_MANAGER_H_ @}*/
|
|
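Review bot: The `create_enumerator` doc says the enumerator yields `(child_sa_t)`, but the manager stores and enumerates `child_cfg_t` (`install` takes a `child_cfg_t`, and the list is documented in shunt_manager.c as "Installed shunts, as child_cfg_t"); change it to `* @return enumerator over (child_cfg_t)`. The `install` doc should also state that the manager takes its own reference to `child` (it calls `get_ref`) and that FALSE means the kernel policies could not be installed, so callers know who owns the config and what a failure means.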
@ -15,10 +15,12 @@
|
||||||
|
|
||||||
#include "kernel_ipsec.h"
|
#include "kernel_ipsec.h"
|
||||||
|
|
||||||
ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_BEET,
|
ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP,
|
||||||
"TRANSPORT",
|
"TRANSPORT",
|
||||||
"TUNNEL",
|
"TUNNEL",
|
||||||
"BEET",
|
"BEET",
|
||||||
|
"PASS",
|
||||||
|
"DROP"
|
||||||
);
|
);
|
||||||
|
|
||||||
ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
|
ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
|
||||||
|
|
|
@ -47,6 +47,10 @@ enum ipsec_mode_t {
|
||||||
MODE_TUNNEL,
|
MODE_TUNNEL,
|
||||||
/** BEET mode, tunnel mode but fixed, bound inner addresses */
|
/** BEET mode, tunnel mode but fixed, bound inner addresses */
|
||||||
MODE_BEET,
|
MODE_BEET,
|
||||||
|
/** passthrough policy for traffic without an IPsec SA */
|
||||||
|
MODE_PASS,
|
||||||
|
/** drop policy discarding traffic */
|
||||||
|
MODE_DROP
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
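Review bot: `MODE_PASS` and `MODE_DROP` are added to `ipsec_mode_t`, the enum describing an SA's encapsulation mode, so every consumer that switches on or maps an `ipsec_mode_t` to a kernel SA mode can now receive values that are not encapsulation modes at all; shunt_manager.c sidesteps this by installing its policies with `.mode = MODE_TRANSPORT`, but a child_cfg carrying one of the new values that reaches the ordinary CHILD_SA setup path (presumably `auto=start` or a peer-initiated negotiation against such a config) would hit those places, so it is worth confirming such configs are rejected before that. A comment on the new enumerators making them policy-only would make the contract explicit, e.g. `/** passthrough policy for traffic without an IPsec SA; never an SA mode */` and `/** drop policy discarding traffic; never an SA mode */`.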
@ -609,7 +609,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
|
||||||
case KW_AUTHBY:
|
case KW_AUTHBY:
|
||||||
conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
|
conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
|
||||||
|
|
||||||
if (!(streq(kw->value, "never") || streq(kw->value, "eap")))
|
if (!streq(kw->value, "never"))
|
||||||
{
|
{
|
||||||
char *value = kw->value;
|
char *value = kw->value;
|
||||||
char *second = strchr(kw->value, '|');
|
char *second = strchr(kw->value, '|');
|
||||||
|
@ -636,7 +636,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
|
||||||
{
|
{
|
||||||
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
|
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
|
||||||
}
|
}
|
||||||
else if (streq(value, "xauthpsk"))
|
else if (streq(value, "xauthpsk") || streq(value, "eap"))
|
||||||
{
|
{
|
||||||
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
|
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
|
||||||
}
|
}
|
||||||
|
|
|
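Review bot: `authby=eap` is now handled by the `xauthpsk` branch and sets `POLICY_XAUTH_PSK | POLICY_ENCRYPT`, relying on starterstroke.c to translate `POLICY_XAUTH_PSK` back into `AUTH_CLASS_EAP`; any other consumer of `POLICY_XAUTH_PSK` in the starter (the IKEv1 path, presumably) can no longer tell the two keywords apart. If that is intended, say so on the line: `/* eap shares the xauthpsk policy bits; starterstroke.c maps POLICY_XAUTH_PSK to AUTH_CLASS_EAP */`. load_conn starts and ends outside both hunks.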
@ -24,6 +24,8 @@
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
|
#include <credentials/auth_cfg.h>
|
||||||
|
|
||||||
#include <freeswan.h>
|
#include <freeswan.h>
|
||||||
|
|
||||||
#include <constants.h>
|
#include <constants.h>
|
||||||
|
@ -39,15 +41,6 @@
|
||||||
#define IPV4_LEN 4
|
#define IPV4_LEN 4
|
||||||
#define IPV6_LEN 16
|
#define IPV6_LEN 16
|
||||||
|
|
||||||
/**
|
|
||||||
* Authentication methods, must be the same as in charons authenticator.h
|
|
||||||
*/
|
|
||||||
enum auth_method_t {
|
|
||||||
AUTH_PUBKEY = 1,
|
|
||||||
AUTH_PSK = 2,
|
|
||||||
AUTH_EAP = 3
|
|
||||||
};
|
|
||||||
|
|
||||||
static char* push_string(stroke_msg_t *msg, char *string)
|
static char* push_string(stroke_msg_t *msg, char *string)
|
||||||
{
|
{
|
||||||
unsigned long string_start = msg->length;
|
unsigned long string_start = msg->length;
|
||||||
|
@ -202,15 +195,19 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
|
||||||
/* PUBKEY is preferred to PSK and EAP */
|
/* PUBKEY is preferred to PSK and EAP */
|
||||||
if (conn->policy & POLICY_PUBKEY)
|
if (conn->policy & POLICY_PUBKEY)
|
||||||
{
|
{
|
||||||
msg.add_conn.auth_method = AUTH_PUBKEY;
|
msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
|
||||||
}
|
}
|
||||||
else if (conn->policy & POLICY_PSK)
|
else if (conn->policy & POLICY_PSK)
|
||||||
{
|
{
|
||||||
msg.add_conn.auth_method = AUTH_PSK;
|
msg.add_conn.auth_method = AUTH_CLASS_PSK;
|
||||||
|
}
|
||||||
|
else if (conn->policy & POLICY_XAUTH_PSK)
|
||||||
|
{
|
||||||
|
msg.add_conn.auth_method = AUTH_CLASS_EAP;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
msg.add_conn.auth_method = AUTH_EAP;
|
msg.add_conn.auth_method = AUTH_CLASS_ANY;
|
||||||
}
|
}
|
||||||
msg.add_conn.eap_type = conn->eap_type;
|
msg.add_conn.eap_type = conn->eap_type;
|
||||||
msg.add_conn.eap_vendor = conn->eap_vendor;
|
msg.add_conn.eap_vendor = conn->eap_vendor;
|
||||||
|
@ -230,6 +227,14 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
|
||||||
msg.add_conn.mode = MODE_TRANSPORT;
|
msg.add_conn.mode = MODE_TRANSPORT;
|
||||||
msg.add_conn.proxy_mode = TRUE;
|
msg.add_conn.proxy_mode = TRUE;
|
||||||
}
|
}
|
||||||
|
else if (conn->policy & POLICY_SHUNT_PASS)
|
||||||
|
{
|
||||||
|
msg.add_conn.mode = MODE_PASS;
|
||||||
|
}
|
||||||
|
else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT))
|
||||||
|
{
|
||||||
|
msg.add_conn.mode = MODE_DROP;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
msg.add_conn.mode = MODE_TRANSPORT;
|
msg.add_conn.mode = MODE_TRANSPORT;
|
||||||
|
|
|
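Review bot: The final `else` of the auth_method selection now sends `AUTH_CLASS_ANY` instead of `AUTH_EAP`, so every conn whose policy carries none of `POLICY_PUBKEY`, `POLICY_PSK` or `POLICY_XAUTH_PSK` — not only the `authby=never` shunts this commit targets — is handed to charon with an `any` authentication class, a looser constraint than the previous EAP default. Worth confirming that only `authby=never` conns can reach that branch, or testing `POLICY_SHUNT_*` explicitly so the relaxation stays limited to shunts. In the mode hunk, `POLICY_SHUNT_REJECT` is folded into `MODE_DROP` without comment; `/* reject is installed as a drop policy, charon has no reject shunt */` would document the behaviour for users of `type=reject`. starter_stroke_add_conn starts and ends outside the hunks.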
@ -0,0 +1,11 @@
|
||||||
|
All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
|
||||||
|
by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
|
||||||
|
prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
|
||||||
|
tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
|
||||||
|
In order for the shunt to work, automatic route insertion must be disabled
|
||||||
|
by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
|
||||||
|
<p/>
|
||||||
|
In order to demonstrate the use of <b>type=drop</b> shunt policies, the
|
||||||
|
<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
|
||||||
|
to use the IPsec tunnel by dropping such packets. Thanks to the <b>local-net</b>
|
||||||
|
pass shunt, <b>venus</b> and <b>moon</b> can still ping each other, though.
|
|
@ -0,0 +1,16 @@
|
||||||
|
moon::ipsec statusall::net-net.*ESTABLISHED::YES
|
||||||
|
sun::ipsec statusall::net-net.*ESTABLISHED::YES
|
||||||
|
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
|
||||||
|
alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
|
||||||
|
venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
|
||||||
|
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||||
|
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||||
|
venus::ssh PH_IP_BOB hostname::bob::YES
|
||||||
|
bob::ssh PH_IP_VENUS hostname::venus::YES
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!/sbin/runscript
|
||||||
|
# Copyright 1999-2004 Gentoo Foundation
|
||||||
|
# Distributed under the terms of the GNU General Public License v2
|
||||||
|
|
||||||
|
opts="start stop reload"
|
||||||
|
|
||||||
|
depend() {
|
||||||
|
before net
|
||||||
|
need logger
|
||||||
|
}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
ebegin "Starting firewall"
|
||||||
|
|
||||||
|
# enable IP forwarding
|
||||||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
# default policy is DROP
|
||||||
|
/sbin/iptables -P INPUT DROP
|
||||||
|
/sbin/iptables -P OUTPUT DROP
|
||||||
|
/sbin/iptables -P FORWARD DROP
|
||||||
|
|
||||||
|
# allow esp
|
||||||
|
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||||
|
|
||||||
|
# allow IKE
|
||||||
|
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||||
|
|
||||||
|
# allow MobIKE
|
||||||
|
iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||||
|
|
||||||
|
# allow crl fetch from winnetou
|
||||||
|
iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||||
|
|
||||||
|
# allow ssh
|
||||||
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||||
|
|
||||||
|
# allow icmp in local net
|
||||||
|
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
|
||||||
|
|
||||||
|
eend $?
|
||||||
|
}
|
||||||
|
|
||||||
|
stop() {
|
||||||
|
ebegin "Stopping firewall"
|
||||||
|
for a in `cat /proc/net/ip_tables_names`; do
|
||||||
|
/sbin/iptables -F -t $a
|
||||||
|
/sbin/iptables -X -t $a
|
||||||
|
|
||||||
|
if [ $a == nat ]; then
|
||||||
|
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||||
|
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||||
|
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||||
|
elif [ $a == mangle ]; then
|
||||||
|
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||||
|
elif [ $a == filter ]; then
|
||||||
|
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||||
|
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||||
|
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
eend $?
|
||||||
|
}
|
||||||
|
|
||||||
|
reload() {
|
||||||
|
ebegin "Flushing firewall"
|
||||||
|
for a in `cat /proc/net/ip_tables_names`; do
|
||||||
|
/sbin/iptables -F -t $a
|
||||||
|
/sbin/iptables -X -t $a
|
||||||
|
done;
|
||||||
|
eend $?
|
||||||
|
start
|
||||||
|
}
|
||||||
|
|
|
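Review bot: The three table comparisons in stop() use `[ $a == nat ]`: `==` inside `[` is a bash extension rather than POSIX test, and `$a` is unquoted, so the script depends on which shell runscript hands it to. The portable form is `if [ "$a" = nat ]; then`, likewise for `mangle` and `filter`.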
@ -0,0 +1,43 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
crlcheckinterval=180
|
||||||
|
strictcrlpolicy=no
|
||||||
|
plutostart=no
|
||||||
|
|
||||||
|
conn %default
|
||||||
|
ikelifetime=60m
|
||||||
|
keylife=20m
|
||||||
|
rekeymargin=3m
|
||||||
|
keyingtries=1
|
||||||
|
keyexchange=ikev2
|
||||||
|
mobike=no
|
||||||
|
|
||||||
|
conn local-net
|
||||||
|
leftsubnet=10.1.0.0/16
|
||||||
|
rightsubnet=10.1.0.0/16
|
||||||
|
authby=never
|
||||||
|
type=pass
|
||||||
|
auto=route
|
||||||
|
|
||||||
|
conn venus-icmp
|
||||||
|
leftsubnet=10.1.0.20/32
|
||||||
|
rightsubnet=0.0.0.0/0
|
||||||
|
leftprotoport=icmp
|
||||||
|
rightprotoport=icmp
|
||||||
|
leftauth=any
|
||||||
|
rightauth=any
|
||||||
|
type=drop
|
||||||
|
auto=route
|
||||||
|
|
||||||
|
conn net-net
|
||||||
|
left=PH_IP_MOON
|
||||||
|
leftcert=moonCert.pem
|
||||||
|
leftid=@moon.strongswan.org
|
||||||
|
leftsubnet=10.1.0.0/16
|
||||||
|
leftfirewall=yes
|
||||||
|
lefthostaccess=yes
|
||||||
|
right=PH_IP_SUN
|
||||||
|
rightid=@sun.strongswan.org
|
||||||
|
rightsubnet=0.0.0.0/0
|
||||||
|
auto=add
|
|
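Review bot: The two shunt conns spell "no authentication" differently — `local-net` uses `authby=never` while `venus-icmp` uses `leftauth=any` / `rightauth=any` — although neither is ever negotiated with a peer. `authby=never` states explicitly that no IKE_SA is to be set up for the conn, whereas `leftauth=any`/`rightauth=any` reads like a connection whose authentication is simply unconstrained, which is a misleading thing to see on a drop policy. I would replace the two lines in `venus-icmp` with `authby=never` so both shunts are configured the same way; this is a style point only, the evaltest shows the drop behaves as intended either way.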
@ -0,0 +1,7 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||||
|
multiple_authentication = no
|
||||||
|
install_routes = no
|
||||||
|
}
|
|
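Review bot: `install_routes = no` carries no explanation in the file, and the reason only lives in the test's description.txt, so anyone copying this strongswan.conf into a real setup will not know the setting is what makes the pass shunt work. A one-line comment above it, `# shunt policies only work when charon does not insert its own routes for the tunnel`, keeps the dependency visible where the setting is.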
@ -0,0 +1,25 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
crlcheckinterval=180
|
||||||
|
strictcrlpolicy=no
|
||||||
|
plutostart=no
|
||||||
|
|
||||||
|
conn %default
|
||||||
|
ikelifetime=60m
|
||||||
|
keylife=20m
|
||||||
|
rekeymargin=3m
|
||||||
|
keyingtries=1
|
||||||
|
keyexchange=ikev2
|
||||||
|
mobike=no
|
||||||
|
|
||||||
|
conn net-net
|
||||||
|
left=PH_IP_SUN
|
||||||
|
leftcert=sunCert.pem
|
||||||
|
leftid=@sun.strongswan.org
|
||||||
|
leftsubnet=0.0.0.0/0
|
||||||
|
leftfirewall=yes
|
||||||
|
right=PH_IP_MOON
|
||||||
|
rightid=@moon.strongswan.org
|
||||||
|
rightsubnet=10.1.0.0/16
|
||||||
|
auto=add
|
|
@ -0,0 +1,6 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||||
|
multiple_authentication = no
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
moon::ipsec stop
|
||||||
|
sun::ipsec stop
|
||||||
|
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
moon::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
sun::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
moon::ipsec start
|
||||||
|
sun::ipsec start
|
||||||
|
moon::sleep 1
|
||||||
|
moon::ipsec up net-net
|
|
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# This configuration file provides information on the
|
||||||
|
# UML instances used for this test
|
||||||
|
|
||||||
|
# All UML instances that are required for this test
|
||||||
|
#
|
||||||
|
UMLHOSTS="alice moon winnetou sun bob"
|
||||||
|
|
||||||
|
# Corresponding block diagram
|
||||||
|
#
|
||||||
|
DIAGRAM="a-m-w-s-b.png"
|
||||||
|
|
||||||
|
# UML instances on which tcpdump is to be started
|
||||||
|
#
|
||||||
|
TCPDUMPHOSTS="sun"
|
||||||
|
|
||||||
|
# UML instances on which IPsec is started
|
||||||
|
# Used for IPsec logging purposes
|
||||||
|
#
|
||||||
|
IPSECHOSTS="moon sun"
|
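Review bot: `UMLHOSTS="alice moon winnetou sun bob"` omits venus, yet this test's evaltest.dat runs `venus::ping`, `venus::ssh` and pings PH_IP_VENUS from moon and bob, and the description names venus as one of the two clients, so the venus instance will not be brought up for the test. The line should read `UMLHOSTS="alice venus moon winnetou sun bob"`; the block diagram `a-m-w-s-b.png` presumably also needs the variant that includes venus, if one exists in the harness.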
|
@ -0,0 +1,11 @@
|
||||||
|
All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
|
||||||
|
by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
|
||||||
|
prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
|
||||||
|
tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
|
||||||
|
In order for the shunt to work, automatic route insertion must be disabled
|
||||||
|
by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
|
||||||
|
<p/>
|
||||||
|
In order to demonstrate the use of <b>type=drop</b> shunt policies, the
|
||||||
|
<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
|
||||||
|
to use the IPsec tunnel by dropping such packets. Thanks to the <b>local-net</b>
|
||||||
|
pass shunt, <b>venus</b> and <b>moon</b> can still ping each other, though.
|
|
@ -0,0 +1,16 @@
|
||||||
|
moon::ipsec statusall::net-net.*ESTABLISHED::YES
|
||||||
|
sun::ipsec statusall::net-net.*ESTABLISHED::YES
|
||||||
|
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
|
||||||
|
alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
|
||||||
|
venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||||
|
moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
|
||||||
|
bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
|
||||||
|
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||||
|
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||||
|
venus::ssh PH_IP_BOB hostname::bob::YES
|
||||||
|
bob::ssh PH_IP_VENUS hostname::venus::YES
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!/sbin/runscript
|
||||||
|
# Copyright 1999-2004 Gentoo Foundation
|
||||||
|
# Distributed under the terms of the GNU General Public License v2
|
||||||
|
|
||||||
|
opts="start stop reload"
|
||||||
|
|
||||||
|
depend() {
|
||||||
|
before net
|
||||||
|
need logger
|
||||||
|
}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
ebegin "Starting firewall"
|
||||||
|
|
||||||
|
# enable IP forwarding
|
||||||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
# default policy is DROP
|
||||||
|
/sbin/iptables -P INPUT DROP
|
||||||
|
/sbin/iptables -P OUTPUT DROP
|
||||||
|
/sbin/iptables -P FORWARD DROP
|
||||||
|
|
||||||
|
# allow esp
|
||||||
|
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||||
|
|
||||||
|
# allow IKE
|
||||||
|
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||||
|
|
||||||
|
# allow MobIKE
|
||||||
|
iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||||
|
|
||||||
|
# allow crl fetch from winnetou
|
||||||
|
iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||||
|
|
||||||
|
# allow ssh
|
||||||
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||||
|
|
||||||
|
# allow icmp in local net
|
||||||
|
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
|
||||||
|
|
||||||
|
eend $?
|
||||||
|
}
|
||||||
|
|
||||||
|
stop() {
|
||||||
|
ebegin "Stopping firewall"
|
||||||
|
for a in `cat /proc/net/ip_tables_names`; do
|
||||||
|
/sbin/iptables -F -t $a
|
||||||
|
/sbin/iptables -X -t $a
|
||||||
|
|
||||||
|
if [ $a == nat ]; then
|
||||||
|
/sbin/iptables -t nat -P PREROUTING ACCEPT
|
||||||
|
/sbin/iptables -t nat -P POSTROUTING ACCEPT
|
||||||
|
/sbin/iptables -t nat -P OUTPUT ACCEPT
|
||||||
|
elif [ $a == mangle ]; then
|
||||||
|
/sbin/iptables -t mangle -P PREROUTING ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P INPUT ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P FORWARD ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P OUTPUT ACCEPT
|
||||||
|
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
|
||||||
|
elif [ $a == filter ]; then
|
||||||
|
/sbin/iptables -t filter -P INPUT ACCEPT
|
||||||
|
/sbin/iptables -t filter -P FORWARD ACCEPT
|
||||||
|
/sbin/iptables -t filter -P OUTPUT ACCEPT
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
eend $?
|
||||||
|
}
|
||||||
|
|
||||||
|
reload() {
|
||||||
|
ebegin "Flushing firewall"
|
||||||
|
for a in `cat /proc/net/ip_tables_names`; do
|
||||||
|
/sbin/iptables -F -t $a
|
||||||
|
/sbin/iptables -X -t $a
|
||||||
|
done;
|
||||||
|
eend $?
|
||||||
|
start
|
||||||
|
}
|
||||||
|
|
|
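Review bot: `eend $?` in `start()` reports only the exit status of the last iptables call (the eth1 ICMP OUTPUT rule), so a failed rule earlier in the sequence is silently masked and the script reports success while the firewall is left with DROP default policies but missing ACCEPT rules — on a gateway that is a silent lock-out rather than a loud failure. I would route every rule through a small wrapper that records any failure and pass that to `eend`, as sketched below; the rules themselves stay as they are, only `iptables` becomes `ipt`. The same applies to the `stop()` and `reload()` loops, where `eend $?` likewise reflects only the final command.
```shell
rc=0
ipt() { /sbin/iptables "$@" || rc=1; }
# … unchanged: ip_forward, default policies and every rule, each invoked as `ipt ...` instead of `iptables ...` …
eend $rc
```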
@ -0,0 +1,8 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
crlcheckinterval=180
|
||||||
|
strictcrlpolicy=no
|
||||||
|
plutostart=no
|
||||||
|
|
||||||
|
# configuration is read from SQLite database
|
|
@ -0,0 +1,227 @@
|
||||||
|
/* Identities */
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
|
||||||
|
9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
|
||||||
|
11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
|
||||||
|
11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* moon.strongswan.org */
|
||||||
|
2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* sun.strongswan.org */
|
||||||
|
2, X'73756e2e7374726f6e677377616e2e6f7267'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
|
||||||
|
11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* %any */
|
||||||
|
0, '%any'
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Certificates */
|
||||||
|
|
||||||
|
INSERT INTO certificates (
|
||||||
|
type, keytype, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
|
||||||
|
1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificates (
|
||||||
|
type, keytype, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
|
||||||
|
1, 1, X'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'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 2
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 3
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
2, 4
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
2, 6
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Private Keys */
|
||||||
|
|
||||||
|
INSERT INTO private_keys (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
|
||||||
|
1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a721006
6f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO private_key_identity (
|
||||||
|
private_key, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 4
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO private_key_identity (
|
||||||
|
private_key, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 6
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Configurations */
|
||||||
|
|
||||||
|
INSERT INTO ike_configs (
|
||||||
|
local, remote
|
||||||
|
) VALUES (
|
||||||
|
'PH_IP_MOON', 'PH_IP_SUN'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO ike_configs (
|
||||||
|
local, remote
|
||||||
|
) VALUES (
|
||||||
|
'%any', '%any'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_configs (
|
||||||
|
name, ike_cfg, local_id, remote_id, mobike, dpd_delay
|
||||||
|
) VALUES (
|
||||||
|
'net-net', 1, 4, 5, 0, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_configs (
|
||||||
|
name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
|
||||||
|
) VALUES (
|
||||||
|
'shunts', 2, 7, 7, 0, 0, 0
|
||||||
|
);
|
||||||
|
INSERT INTO child_configs (
|
||||||
|
name, updown, hostaccess
|
||||||
|
) VALUES (
|
||||||
|
'net-net', 'ipsec _updown iptables', 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_configs (
|
||||||
|
name, mode, start_action
|
||||||
|
) VALUES (
|
||||||
|
'local-net', 4, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_configs (
|
||||||
|
name, mode, start_action
|
||||||
|
) VALUES (
|
||||||
|
'venus-icmp', 5, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_config_child_config (
|
||||||
|
peer_cfg, child_cfg
|
||||||
|
) VALUES (
|
||||||
|
1, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_config_child_config (
|
||||||
|
peer_cfg, child_cfg
|
||||||
|
) VALUES (
|
||||||
|
2, 2
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_config_child_config (
|
||||||
|
peer_cfg, child_cfg
|
||||||
|
) VALUES (
|
||||||
|
2, 3
|
||||||
|
);
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr
|
||||||
|
) VALUES (
|
||||||
|
7, X'0a010000', X'0a01ffff'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr
|
||||||
|
) VALUES (
|
||||||
|
7, X'00000000', X'ffffffff'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr, protocol
|
||||||
|
) VALUES (
|
||||||
|
7, X'0a010014', X'0a010014', 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr, protocol
|
||||||
|
) VALUES (
|
||||||
|
7, X'00000000', X'ffffffff', 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
1, 1, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
1, 2, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
2, 1, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
2, 1, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
3, 3, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
3, 4, 1
|
||||||
|
);
|
|
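Review bot: The shunt child configs are inserted as bare numbers — `'local-net', 4, 1` and `'venus-icmp', 5, 1` for `mode, start_action` — with nothing in the file saying what 4, 5 and 1 mean, while every identity and certificate row in the same file carries an explanatory comment. From the ipsec.conf variant of this test (`local-net` is `type=pass`, `venus-icmp` is `type=drop`, both `auto=route`) mode 4 presumably is pass, mode 5 drop and start_action 1 route, but that should be confirmed against the enum definitions rather than inferred. I would annotate the two inserts, e.g. `/* mode 4 = pass, start_action 1 = route */` and `/* mode 5 = drop, start_action 1 = route */`, and likewise `/* any */` on the `'shunts'` peer config's `auth_method` value.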
@ -0,0 +1,3 @@
|
||||||
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
|
|
||||||
|
# secrets are read from SQLite database
|
|
@ -0,0 +1,10 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
plugins {
|
||||||
|
sql {
|
||||||
|
database = sqlite:///etc/ipsec.d/ipsec.db
|
||||||
|
}
|
||||||
|
}
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
crlcheckinterval=180
|
||||||
|
strictcrlpolicy=no
|
||||||
|
plutostart=no
|
||||||
|
|
||||||
|
# configuration is read from SQLite database
|
|
@ -0,0 +1,152 @@
|
||||||
|
/* Identities */
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
|
||||||
|
9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
|
||||||
|
11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
|
||||||
|
11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* moon.strongswan.org */
|
||||||
|
2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* sun.strongswan.org */
|
||||||
|
2, X'73756e2e7374726f6e677377616e2e6f7267'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO identities (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
|
||||||
|
11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Certificates */
|
||||||
|
|
||||||
|
INSERT INTO certificates (
|
||||||
|
type, keytype, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
|
||||||
|
1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificates (
|
||||||
|
type, keytype, data
|
||||||
|
) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
|
||||||
|
1, 1, X'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'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 2
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 3
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
2, 5
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO certificate_identity (
|
||||||
|
certificate, identity
|
||||||
|
) VALUES (
|
||||||
|
2, 6
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Private Keys */
|
||||||
|
|
||||||
|
INSERT INTO private_keys (
|
||||||
|
type, data
|
||||||
|
) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
|
||||||
|
1, X'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'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO private_key_identity (
|
||||||
|
private_key, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 5
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO private_key_identity (
|
||||||
|
private_key, identity
|
||||||
|
) VALUES (
|
||||||
|
1, 6
|
||||||
|
);
|
||||||
|
|
||||||
|
/* Configurations */
|
||||||
|
|
||||||
|
INSERT INTO ike_configs (
|
||||||
|
local, remote
|
||||||
|
) VALUES (
|
||||||
|
'PH_IP_SUN', 'PH_IP_MOON'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_configs (
|
||||||
|
name, ike_cfg, local_id, remote_id, mobike, dpd_delay
|
||||||
|
) VALUES (
|
||||||
|
'net-net', 1, 5, 4, 0, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_configs (
|
||||||
|
name, updown
|
||||||
|
) VALUES (
|
||||||
|
'net-net', 'ipsec _updown iptables'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO peer_config_child_config (
|
||||||
|
peer_cfg, child_cfg
|
||||||
|
) VALUES (
|
||||||
|
1, 1
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr
|
||||||
|
) VALUES (
|
||||||
|
7, X'0a010000', X'0a01ffff'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO traffic_selectors (
|
||||||
|
type, start_addr, end_addr
|
||||||
|
) VALUES (
|
||||||
|
7, X'0a020000', X'0a02ffff'
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
1, 2, 0
|
||||||
|
);
|
||||||
|
|
||||||
|
INSERT INTO child_config_traffic_selector (
|
||||||
|
child_cfg, traffic_selector, kind
|
||||||
|
) VALUES (
|
||||||
|
1, 1, 1
|
||||||
|
);
|
||||||
|
|
|
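Review bot: Sun's `net-net` child config uses `10.2.0.0/16` as its local traffic selector (TS 2, `X'0a020000'`–`X'0a02ffff'`, kind 0), whereas the ipsec.conf variant of this test gives sun `leftsubnet=0.0.0.0/0`, and moon's data.sql offers `0.0.0.0/0` as the remote TS. If IKEv2 narrowing reduces the negotiated selectors to `10.1.0.0/16 <-> 10.2.0.0/16` on moon, intra-subnet 10.1.0.0/16 traffic no longer matches the tunnel policy at all, so the `local-net` pass shunt that this test is meant to exercise would not actually be needed for alice and venus to reach moon. If the intent mirrors the first variant, TS 2 should be `7, X'00000000', X'ffffffff'`; if the narrower selector is deliberate, a comment saying so would help, since the evaltest for this variant is not visible here.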
@ -0,0 +1,3 @@
|
||||||
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
|
|
||||||
|
# secrets are read from SQLite database
|
|
@ -0,0 +1,10 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
plugins {
|
||||||
|
sql {
|
||||||
|
database = sqlite:///etc/ipsec.d/ipsec.db
|
||||||
|
}
|
||||||
|
}
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
|
||||||
|
}
|
|
@ -0,0 +1,6 @@
|
||||||
|
moon::ipsec stop
|
||||||
|
sun::ipsec stop
|
||||||
|
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
sun::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
moon::rm /etc/ipsec.d/ipsec.*
|
||||||
|
sun::rm /etc/ipsec.d/ipsec.*
|
|
@ -0,0 +1,12 @@
|
||||||
|
moon::rm /etc/ipsec.d/cacerts/*
|
||||||
|
sun::rm /etc/ipsec.d/cacerts/*
|
||||||
|
moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
|
||||||
|
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
|
||||||
|
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
|
||||||
|
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
|
||||||
|
moon::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
sun::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
moon::ipsec start
|
||||||
|
sun::ipsec start
|
||||||
|
moon::sleep 1
|
||||||
|
moon::ipsec up net-net
|
|
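Review bot: `cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` creates the database with whatever mode the process umask yields, and data.sql seeds it with the host's RSA private key in the clear, so on moon and sun the key may end up in a file readable by every local user, unlike the ipsec.secrets file it replaces. For a test harness this is harmless, but as the configuration others will copy from it is worth a `moon::chmod 600 /etc/ipsec.d/ipsec.db` / `sun::chmod 600 /etc/ipsec.d/ipsec.db` right after the two sqlite3 lines, or an `umask 077` in front of them. The intermediate ipsec.sql file holds the same key and deserves the same treatment.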
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# This configuration file provides information on the
|
||||||
|
# UML instances used for this test
|
||||||
|
|
||||||
|
# All UML instances that are required for this test
|
||||||
|
#
|
||||||
|
UMLHOSTS="alice moon winnetou sun bob"
|
||||||
|
|
||||||
|
# Corresponding block diagram
|
||||||
|
#
|
||||||
|
DIAGRAM="a-m-w-s-b.png"
|
||||||
|
|
||||||
|
# UML instances on which tcpdump is to be started
|
||||||
|
#
|
||||||
|
TCPDUMPHOSTS="sun"
|
||||||
|
|
||||||
|
# UML instances on which IPsec is started
|
||||||
|
# Used for IPsec logging purposes
|
||||||
|
#
|
||||||
|
IPSECHOSTS="moon sun"
|