testing: Modified ikev2/net2net-rfc3779 scenario
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 10 Jan 2022 20:14:05 +0000 (21:14 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 10 Jan 2022 20:14:11 +0000 (21:14 +0100)
testing/tests/ikev2/net2net-rfc3779/description.txt
testing/tests/ikev2/net2net-rfc3779/evaltest.dat
testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/ikev2/net2net-rfc3779/posttest.dat
testing/tests/ikev2/net2net-rfc3779/pretest.dat
testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets [deleted file]

index 778d139b6b69b7e203b6841ab9072b213678caa4..111830ce516b9531bcf9a29e7a92cbe32781feca 100755 (executable)
@@ -5,6 +5,10 @@ allowing the peers to narrow down the address range to their actual subnets <b>1
 and <b>10.2.0.0/16</b>, respectively. These unilaterally proposed traffic selectors must be
 validated by corresponding IP address block constraints.
 <p/>
+In addition to that <b>moon</b> sets its local subnet to <b>10.0.0.0/14</b> but
+which is automatically narrowed down to <b>10.1.0.0/16</b> by <b>sun</b>
+matching it to the IP address constraint in <b>moon</b>'s certificate.
+<p/>
 Upon the successful establishment of the IPsec tunnel, the updown script automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
index 42adb2e8fa57be27a2614c362ca0fe931c9d3216..e8f8f9fac2462e946b2d1c58ff83f83c3fcab700 100755 (executable)
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32].*net.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host.*state=INSTALLED mode=TUNNEL.*=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32].*net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
 moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
 moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
@@ -8,8 +8,10 @@ sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained i
 sun::  cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
 sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
 sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
+moon:: cat /var/log/daemon.log::TS 192.168.0.2/32 is contained in address block constraint 192.168.0.2/32::YES
+sun::  cat /var/log/daemon.log::TS 192.168.0.1/32 is contained in address block constraint 192.168.0.1/32::YES
 moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
-sun::  cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
+sun::  cat /var/log/daemon.log::TS 10.0.0.0/14 is contained in address block constraint 10.1.0.0/16 (subset 10.1.0.0/16)
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
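Review bot: The new sun check `sun::  cat /var/log/daemon.log::TS 10.0.0.0/14 is contained in address block constraint 10.1.0.0/16 (subset 10.1.0.0/16)` is the only line in this file without the trailing `::YES` result field that every other check carries, so it will presumably not be evaluated as a pass/fail assertion — and it is the one line that covers the narrowing the modified scenario is about; append `::YES`. In the first hunk of this file, sun's pattern for the second child uses `mode=TUNNEL.*ESP.*` while moon's line and sun's first child use `mode=TUNNEL.*=ESP.*`; aligning it keeps the two expectations equally strict.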
index bcc2742f7809132ff33aa6ec69908eea1de0c8d5..638050c12ba83bacfe34c3bd0c1b386810c1e69f 100755 (executable)
@@ -1,6 +1,6 @@
 connections {
 
-   gw-gw {
+   host {
       local_addrs  = 192.168.0.1
       remote_addrs = 192.168.0.2 
 
@@ -14,9 +14,13 @@ connections {
          id = sun.strongswan.org 
       }
       children {
-         net-net {
-            local_ts  = 10.1.0.0/16 
-            remote_ts = 10.2.0.0/16 
+         host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+         net {
+            local_ts  = 10.0.0.0/14
+            remote_ts = 0.0.0.0/0
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             rekey_time = 5400
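Review bot: The `net` child now proposes `local_ts = 10.0.0.0/14` and `remote_ts = 0.0.0.0/0`, both deliberately wider than the subnets the evaltest expects to end up installed (10.1.0.0/16 and 10.2.0.0/16), but nothing in the file says that the narrowing is the point; add `# intentionally wider than moon's subnet: sun narrows it to the address block in moon's certificate` above `local_ts` and `# narrowed by sun to its own subnet` above `remote_ts`. The `host` child carries no traffic selectors at all and so falls back to the default (the endpoints' own addresses, which is what the evaltest's `192.168.0.1/32`/`192.168.0.2/32` expectation relies on); a one-line comment saying so would make the reliance on that default explicit. The body of the `net` child continues past the end of this hunk.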
index 12cee0fc6d751b2d2eb37cb023012dba3bf152dd..c920e699a3ea0200e4caa2621ba8121a87940331 100755 (executable)
@@ -1,22 +1,22 @@
 connections {
 
-   gw-gw {
+   host {
       local_addrs  = 192.168.0.2
-      remote_addrs = 192.168.0.1 
 
       local {
-         auth = pubkey
-         certs = sunCert.pem
-         id = sun.strongswan.org
       }
       remote {
          auth = pubkey
          id = moon.strongswan.org 
       }
       children {
-         net-net {
+         host {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-x25519
+         }
+          net {
             local_ts  = 10.2.0.0/16 
-            remote_ts = 10.1.0.0/16 
+            remote_ts = 0.0.0.0/0
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             rekey_time = 5400
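Review bot: The `local { }` section is left empty after removing `auth`, `certs` and `id`, so sun now depends entirely on defaults for its authentication method, certificate selection and IKE identity, while the evaltest still expects `local-id=sun.strongswan.org` on sun's side; presumably this is meant to exercise identity/certificate selection driven by the IDr moon sends, but a reader cannot tell, so either restore `id = sun.strongswan.org` or add `# no explicit id/certs: identity and certificate are selected from the peer's IDr` inside the block. Together with the removal of `remote_addrs`, sun also becomes a pure responder accepting any peer address; that is consistent with pretest only initiating from moon, but is worth a comment too. Separately, `          net {` is indented one column deeper than `host {` and the surrounding blocks; align it to the nine-space indent used elsewhere.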
index cc6a5bff73c93228760d0888e2eeb9a15ea5b09a..b2376e2b3674825825f17a4597dbbc54a60aa298 100755 (executable)
@@ -1,4 +1,6 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::swanctl --list-sas --raw
+sun::swanctl --list-sas --raw
+moon::swanctl --terminate --ike host 2> /dev/null
 moon::systemctl stop strongswan
 sun::systemctl stop strongswan
 moon::iptables-restore < /etc/iptables.flush
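Review bot: The two `swanctl --list-sas --raw` lines added before the terminate do not change state and look like diagnostic output left in from developing the scenario; unlike the `--terminate` line below them they also do not redirect stderr. If the listing is intentionally kept for the test log, add `2> /dev/null` to both for consistency with the other swanctl invocations in this file; otherwise drop them.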
index 2d3c8c1e20be2576f86559632eed13bda86c5afb..4c12a5dd97ea40fc0a7077e6ddc4ffbd44fdafbb 100755 (executable)
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::systemctl start strongswan
 sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
+moon::expect-connection host
+sun::expect-connection host
+moon::swanctl --initiate --child host 2> /dev/null
+moon::swanctl --initiate --child net 2> /dev/null
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index fac55d6..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem