cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done
+for t in rw-hash-and-url-multi-level
+do
+ TEST="${TEST_DIR}/swanctl/${t}"
+ mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+ cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+done
+
# Convert Research CA certificate into DER format
openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
done
+for t in rw-hash-and-url-multi-level
+do
+ TEST="${TEST_DIR}/swanctl/${t}"
+ mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+ cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+done
+
# Convert Sales CA certificate into DER format
openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
done
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
do
TEST="${TEST_DIR}/swanctl/${t}"
mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
done
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
do
TEST="${TEST_DIR}/swanctl/${t}"
mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa
--- /dev/null
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p/>
+The gateway <b>moon</b> doesn't have the intermediate CA certificate installed
+and instead of sending the actual certificates, the two clients send "Hash and URL"
+certificate payloads. The gateway fetches the certificates via HTTP from server
+<b>winnetou</b>.
--- /dev/null
+carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Research CA::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ hash_and_url = yes
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ cert_uri_base = http://winnetou.strongswan.org/certs/
+ }
+
+ research {
+ cacert = researchCert.pem
+ cert_uri_base = http://winnetou.strongswan.org/certs/research/
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ hash_and_url = yes
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ cert_uri_base = http://winnetou.strongswan.org/certs/
+ }
+
+ sales {
+ cacert = salesCert.pem
+ cert_uri_base = http://winnetou.strongswan.org/certs/sales/
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ hash_and_url = yes
+}
--- /dev/null
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+
+ sales {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ cert_uri_base = http://winnetou.strongswan.org/certs/
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
\ No newline at end of file
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
