added xauth scenarios
This commit is contained in:
parent
af87afed47
commit
fc9f75ed0f
|
@ -5,4 +5,4 @@ moon::ipsec start
|
|||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
carol::sleep 2
|
||||
carol::sleep 3
|
||||
|
|
|
@ -2,5 +2,5 @@ moon::/etc/init.d/iptables start 2> /dev/null
|
|||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
sleep 2
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
|
|
|
@ -21,10 +21,9 @@ conn alice
|
|||
right=%any
|
||||
rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
|
||||
auto=add
|
||||
|
||||
|
||||
conn venus
|
||||
leftsubnet=PH_IP_VENUS/32
|
||||
right=%any
|
||||
rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
|
||||
auto=add
|
||||
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on Pre-Shared Keys (<b>PSK</b>)
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
|
||||
<b>virtual IP</b> via the IKE Mode Config protocol by using the
|
||||
<b>leftsourceip=%modeconfig</b> parameter.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,18 @@
|
|||
carol::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
dave::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftsourceip=%modeconfig
|
||||
leftnexthop=%direct
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftsourceip=%modeconfig
|
||||
leftnexthop=%direct
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,30 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
xauth=server
|
||||
left=PH_IP_MOON
|
||||
leftid=@moon.strongswan.org
|
||||
leftnexthop=%direct
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
||||
|
||||
conn carol
|
||||
rightid=carol@strongswan.org
|
||||
rightsourceip=10.3.0.1
|
||||
|
||||
conn dave
|
||||
rightid=dave@strongswan.org
|
||||
rightsourceip=10.3.0.2
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
dave::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,12 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/cacerts/*
|
||||
carol::rm /etc/ipsec.d/cacerts/*
|
||||
dave::rm /etc/ipsec.d/cacerts/*
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="alice moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
|
@ -0,0 +1,9 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on Pre-Shared Keys (<b>PSK</b>)
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names and passwords.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,12 @@
|
|||
carol::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
dave::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftnexthop=%direct
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthpsk
|
||||
xauth=server
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
dave::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,12 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::rm /etc/ipsec.d/cacerts/*
|
||||
carol::rm /etc/ipsec.d/cacerts/*
|
||||
dave::rm /etc/ipsec.d/cacerts/*
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
|
@ -0,0 +1,5 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
|
||||
certificates followed by extended authentication (<b>XAUTH</b>) based
|
||||
on user name and password. Because user <b>carol</b> presents a wrong
|
||||
XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted.
|
|
@ -0,0 +1,4 @@
|
|||
carol::cat /var/log/auth.log::extended authentication failed::YES
|
||||
moon::cat /var/log/auth.log::extended authentication failed::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
||||
: XAUTH carol "4iChxLT8"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
xauth=server
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,2 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -0,0 +1,4 @@
|
|||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -0,0 +1,11 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a
|
||||
<b>virtual IP</b> via the IKE Mode Config protocol by using the
|
||||
<b>leftsourceip=%modeconfig</b> parameter.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,18 @@
|
|||
carol::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
dave::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
|
||||
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
|
|
@ -0,0 +1,26 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftsourceip=%modeconfig
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,26 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftsourceip=%modeconfig
|
||||
leftnexthop=%direct
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA daveKey.pem
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,31 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug="control"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
xauth=server
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
||||
|
||||
conn rw-carol
|
||||
rightid=carol@strongswan.org
|
||||
rightsourceip=PH_IP_CAROL1
|
||||
|
||||
conn rw-dave
|
||||
rightid=dave@strongswan.org
|
||||
rightsourceip=PH_IP_DAVE1
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
dave::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,9 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="alice moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
|
@ -0,0 +1,6 @@
|
|||
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
|
||||
certificates followed by extended authentication (<b>XAUTH</b>) based
|
||||
on user name and password. Because user <b>carol</b> cannot find her
|
||||
XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the
|
||||
ISAKMP SA is deleted.
|
|
@ -0,0 +1,4 @@
|
|||
carol::cat /var/log/auth.log::xauth user credentials not found::YES
|
||||
moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
xauth=server
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,2 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -0,0 +1,4 @@
|
|||
carol::ipsec start
|
||||
moon::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
|
@ -0,0 +1,9 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names and passwords.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
|
@ -0,0 +1,12 @@
|
|||
carol::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
dave::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
moon::cat /var/log/auth.log::extended authentication was successful::YES
|
||||
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
|
||||
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug=control
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftnexthop=%direct
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,5 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA daveKey.pem
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutodebug="control"
|
||||
crlcheckinterval=180
|
||||
strictcrlpolicy=no
|
||||
charonstart=no
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=xauthrsasig
|
||||
xauth=server
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
: XAUTH carol "4iChxLT3"
|
||||
|
||||
: XAUTH dave "ryftzG4A"
|
|
@ -0,0 +1,9 @@
|
|||
moon::iptables -v -n -L
|
||||
carol::iptables -v -n -L
|
||||
dave::iptables -v -n -L
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,9 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
Loading…
Reference in New Issue