.BR aggressive " = yes | " no
whether to use IKEv1 Aggressive or Main Mode (the default).
.TP
+.BR ah " = <cipher suites>"
+comma-separated list of AH algorithms to be used for the connection, e.g.
+.BR sha1-sha256-modp1024 .
+The notation is
+.BR integrity[-dhgroup] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
+
+There is no default, by default ESP is used.
+The daemon adds its extensive default proposal to the configured value. To
+restrict it to the configured proposal an
+exclamation mark
+.RB ( ! )
+can be added at the end.
+
+If
+.B dh-group
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.
+.TP
.BR also " = <name>"
includes conn section
.BR <name> .
.TP
+.BR auth " = <value>"
+was used by the
+.B pluto
+IKEv1 daemon to use AH integrity protection for ESP encrypted packets, but is
+not supported in charon. The
+.B ah
+keyword specifies algorithms to use for integrity protection with AH, but
+without encryption. AH+ESP bundles are not supported.
+.TP
.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
how the two security gateways should authenticate each other;
acceptable values are
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
Defaults to
.BR aes128-sha1,3des-sha1 .
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
IPSEC_POLICY_OUT=""
else
KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
e->destroy(e);
}
- e = create_enumerator(this, ENCRYPTION_ALGORITHM);
- while (e->enumerate(e, &alg, &ks))
+ if (this->protocol == PROTO_ESP)
{
- if (!encryption_algorithm_is_aead(alg))
+ e = create_enumerator(this, ENCRYPTION_ALGORITHM);
+ while (e->enumerate(e, &alg, &ks))
{
- all_aead = FALSE;
- break;
+ if (!encryption_algorithm_is_aead(alg))
+ {
+ all_aead = FALSE;
+ break;
+ }
}
- }
- e->destroy(e);
+ e->destroy(e);
- if (all_aead)
- {
- /* if all encryption algorithms in the proposal are AEADs,
- * we MUST NOT propose any integrity algorithms */
- e = array_create_enumerator(this->transforms);
- while (e->enumerate(e, &entry))
+ if (all_aead)
{
- if (entry->type == INTEGRITY_ALGORITHM)
+ /* if all encryption algorithms in the proposal are AEADs,
+ * we MUST NOT propose any integrity algorithms */
+ e = array_create_enumerator(this->transforms);
+ while (e->enumerate(e, &entry))
{
- array_remove_at(this->transforms, e);
+ if (entry->type == INTEGRITY_ALGORITHM)
+ {
+ array_remove_at(this->transforms, e);
+ }
}
+ e->destroy(e);
}
- e->destroy(e);
}
if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, TRUE, FALSE},
- {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
+ {CERTIFICATE_V1, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
{HASH_V1, 0, 1, TRUE, FALSE},
{FRAGMENT_V1, 0, 1, FALSE, TRUE},
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, TRUE, FALSE},
- {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
+ {CERTIFICATE_V1, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
{HASH_V1, 0, 1, TRUE, FALSE},
{FRAGMENT_V1, 0, 1, FALSE, TRUE},
IKEV1_ESP_AUTH_AES_256_GMAC = 13,
} ikev1_esp_auth_transid_it;
+/**
+ * IKEv1 Transform ID AH authentication algorithm.
+ */
+typedef enum {
+ IKEV1_AH_HMAC_MD5 = 2,
+ IKEV1_AH_HMAC_SHA = 3,
+ IKEV1_AH_DES_MAC = 4,
+ IKEV1_AH_HMAC_SHA2_256 = 5,
+ IKEV1_AH_HMAC_SHA2_384 = 6,
+ IKEV1_AH_HMAC_SHA2_512 = 7,
+ IKEV1_AH_RIPEMD = 8,
+ IKEV1_AH_AES_XCBC_MAC = 9,
+ IKEV1_AH_RSA = 10,
+ IKEV1_AH_AES_128_GMAC = 11,
+ IKEV1_AH_AES_192_GMAC = 12,
+ IKEV1_AH_AES_256_GMAC = 13,
+} ikev1_ah_transid_t;
+
/**
* IKEv1 ESP Encapsulation mode.
*/
{ IKEV1_ESP_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC },
};
+/**
+ * AH authentication algorithm mapping
+ */
+static algo_map_t map_ah[] = {
+ { IKEV1_AH_HMAC_MD5, AUTH_HMAC_MD5_96 },
+ { IKEV1_AH_HMAC_SHA, AUTH_HMAC_SHA1_96 },
+ { IKEV1_AH_DES_MAC, AUTH_DES_MAC },
+ { IKEV1_AH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 },
+ { IKEV1_AH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 },
+ { IKEV1_AH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 },
+ { IKEV1_AH_AES_XCBC_MAC, AUTH_AES_XCBC_96 },
+ { IKEV1_AH_AES_128_GMAC, AUTH_AES_128_GMAC },
+ { IKEV1_AH_AES_192_GMAC, AUTH_AES_192_GMAC },
+ { IKEV1_AH_AES_256_GMAC, AUTH_AES_256_GMAC },
+};
+
/**
* Get IKEv2 algorithm from IKEv1 identifier
*/
/**
* Get IKEv2 algorithm from IKEv1 ESP transaction ID
*/
-static u_int16_t get_alg_from_ikev1_transid(transform_type_t type, u_int16_t value)
+static u_int16_t get_alg_from_ikev1_transid(protocol_id_t proto,
+ transform_type_t type, u_int16_t value)
{
algo_map_t *map;
u_int16_t def;
def = ENCR_UNDEFINED;
break;
case INTEGRITY_ALGORITHM:
- map = map_esp_auth;
- count = countof(map_esp_auth);
+ if (proto == PROTO_ESP)
+ {
+ map = map_esp_auth;
+ count = countof(map_esp_auth);
+ }
+ else
+ {
+ map = map_ah;
+ count = countof(map_ah);
+ }
def = AUTH_UNDEFINED;
break;
default:
}
/**
- * Get IKEv1 ESP transaction ID from IKEv2 identifier
+ * Get IKEv1 ESP/AH transaction ID from IKEv2 identifier
*/
-static u_int16_t get_ikev1_transid_from_alg(transform_type_t type, u_int16_t value)
+static u_int16_t get_ikev1_transid_from_alg(protocol_id_t proto,
+ transform_type_t type, u_int16_t value)
{
algo_map_t *map;
int i, count;
count = countof(map_esp_encr);
break;
case INTEGRITY_ALGORITHM:
- map = map_esp_auth;
- count = countof(map_esp_auth);
+ if (proto == PROTO_ESP)
+ {
+ map = map_esp_auth;
+ count = countof(map_esp_auth);
+ }
+ else
+ {
+ map = map_ah;
+ count = countof(map_ah);
+ }
break;
default:
return 0;
}
/**
- * Add an ESP transform to a proposal for IKEv1
+ * Add an ESP/AH transform to a proposal for IKEv1
*/
-static void add_to_proposal_v1_esp(proposal_t *proposal,
- transform_substructure_t *transform)
+static void add_to_proposal_v1(proposal_t *proposal,
+ transform_substructure_t *transform, protocol_id_t proto)
{
transform_attribute_type_t type;
transform_attribute_t *tattr;
break;
case TATTR_PH2_AUTH_ALGORITHM:
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
- get_alg_from_ikev1_transid(INTEGRITY_ALGORITHM,
+ get_alg_from_ikev1_transid(proto, INTEGRITY_ALGORITHM,
value), 0);
break;
case TATTR_PH2_GROUP:
/* TODO-IKEv1: handle ESN attribute */
proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
NO_EXT_SEQ_NUMBERS, 0);
- encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM,
- transform->get_transform_id(transform));
- if (encr)
+ if (proto == PROTO_ESP)
{
- proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr,
- key_length);
+ encr = get_alg_from_ikev1_transid(proto, ENCRYPTION_ALGORITHM,
+ transform->get_transform_id(transform));
+ if (encr)
+ {
+ proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr,
+ key_length);
+ }
}
}
add_to_proposal_v1_ike(proposal, transform);
break;
case PROTO_ESP:
- add_to_proposal_v1_esp(proposal, transform);
+ case PROTO_AH:
+ add_to_proposal_v1(proposal, transform, this->protocol_id);
break;
default:
break;
return get_life_duration(this, TATTR_PH1_LIFE_TYPE,
IKEV1_LIFE_TYPE_SECONDS, TATTR_PH1_LIFE_DURATION);
case PROTO_ESP:
+ case PROTO_AH:
duration = get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
IKEV1_LIFE_TYPE_SECONDS, TATTR_PH2_SA_LIFE_DURATION);
if (!duration)
switch (this->protocol_id)
{
case PROTO_ESP:
+ case PROTO_AH:
return 1000 * get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
IKEV1_LIFE_TYPE_KILOBYTES, TATTR_PH2_SA_LIFE_DURATION);
case PROTO_IKE:
}
/**
- * Add an IKEv1 ESP proposal to the substructure
+ * Add an IKEv1 ESP/AH proposal to the substructure
*/
-static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
+static void set_from_proposal_v1(private_proposal_substructure_t *this,
proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
ipsec_mode_t mode, encap_t udp, int number)
{
transform_substructure_t *transform = NULL;
u_int16_t alg, key_size;
enumerator_t *enumerator;
+ protocol_id_t proto;
+ proto = proposal->get_protocol(proposal);
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- alg = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg);
+ alg = get_ikev1_transid_from_alg(proto, ENCRYPTION_ALGORITHM, alg);
if (alg)
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
- number, alg);
+ transform = transform_substructure_create_type(
+ TRANSFORM_SUBSTRUCTURE_V1, number, alg);
if (key_size)
{
transform->add_transform_attribute(transform,
}
}
enumerator->destroy(enumerator);
- if (!transform)
- {
- return;
- }
enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- alg = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+ alg = get_ikev1_transid_from_alg(proto, INTEGRITY_ALGORITHM, alg);
if (alg)
{
+ if (!transform)
+ {
+ transform = transform_substructure_create_type(
+ TRANSFORM_SUBSTRUCTURE_V1, number, alg);
+ }
transform->add_transform_attribute(transform,
transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
TATTR_PH2_AUTH_ALGORITHM, alg));
}
enumerator->destroy(enumerator);
+ if (!transform)
+ {
+ return;
+ }
+
enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
set_from_proposal_v1_ike(this, proposal, lifetime, auth, 1);
break;
case PROTO_ESP:
- set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, 1);
+ case PROTO_AH:
+ set_from_proposal_v1(this, proposal, lifetime,
+ lifebytes, mode, udp, 1);
break;
default:
break;
auth, ++number);
break;
case PROTO_ESP:
- set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, ++number);
+ case PROTO_AH:
+ set_from_proposal_v1(this, proposal, lifetime,
+ lifebytes, mode, udp, ++number);
break;
default:
break;
{
int current_proposal = -1, unsupported_proposal = -1;
enumerator_t *enumerator;
- proposal_substructure_t *substruct, *esp = NULL, *ipcomp = NULL;
+ proposal_substructure_t *substruct, *espah = NULL, *ipcomp = NULL;
linked_list_t *list;
- /* we currently only support the combination ESP+IPComp, find the first */
+ /* we currently only support the combination ESP|AH+IPComp, find the first */
enumerator = this->proposals->create_enumerator(this->proposals);
while (enumerator->enumerate(enumerator, &substruct))
{
{
continue;
}
- if (protocol_id != PROTO_ESP && protocol_id != PROTO_IPCOMP)
+ if (protocol_id != PROTO_ESP && protocol_id != PROTO_AH &&
+ protocol_id != PROTO_IPCOMP)
{ /* unsupported combination */
- esp = ipcomp = NULL;
+ espah = ipcomp = NULL;
unsupported_proposal = current_proposal;
continue;
}
if (proposal_number != current_proposal)
{ /* start of a new proposal */
- if (esp && ipcomp)
+ if (espah && ipcomp)
{ /* previous proposal is valid */
break;
}
- esp = ipcomp = NULL;
+ espah = ipcomp = NULL;
current_proposal = proposal_number;
}
switch (protocol_id)
{
case PROTO_ESP:
- esp = substruct;
+ case PROTO_AH:
+ espah = substruct;
break;
case PROTO_IPCOMP:
ipcomp = substruct;
enumerator->destroy(enumerator);
list = linked_list_create();
- if (esp && ipcomp && ipcomp->get_cpi(ipcomp, cpi))
+ if (espah && ipcomp && ipcomp->get_cpi(ipcomp, cpi))
{
- esp->get_proposals(esp, list);
+ espah->get_proposals(espah, list);
}
return list;
}
* Public part of kernel_handler_t object.
*/
kernel_handler_t public;
-
};
/**
}
METHOD(kernel_listener_t, acquire, bool,
- private_kernel_handler_t *this, u_int32_t reqid,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ private_kernel_handler_t *this, u_int32_t reqid,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
- job_t *job;
if (src_ts && dst_ts)
{
- DBG1(DBG_KNL, "creating acquire job for policy %R === %R "
- "with reqid {%u}", src_ts, dst_ts, reqid);
+ DBG1(DBG_KNL, "creating acquire job for policy %R === %R with "
+ "reqid {%u}", src_ts, dst_ts, reqid);
}
else
{
DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}", reqid);
}
- job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
- lib->processor->queue_job(lib->processor, job);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)acquire_job_create(reqid, src_ts, dst_ts));
return TRUE;
}
METHOD(kernel_listener_t, expire, bool,
- private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
- u_int32_t spi, bool hard)
+ private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
+ u_int32_t spi, bool hard)
{
- job_t *job;
protocol_id_t proto = proto_ip2ike(protocol);
- DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x "
- "and reqid {%u}", hard ? "delete" : "rekey",
- protocol_id_names, proto, ntohl(spi), reqid);
+
+ DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
+ hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), reqid);
+
if (hard)
{
- job = (job_t*)delete_child_sa_job_create(reqid, proto, spi, hard);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)delete_child_sa_job_create(reqid, proto, spi, hard));
}
else
{
- job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)rekey_child_sa_job_create(reqid, proto, spi));
}
- lib->processor->queue_job(lib->processor, job);
return TRUE;
}
METHOD(kernel_listener_t, mapping, bool,
- private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
- host_t *remote)
+ private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
+ host_t *remote)
{
- job_t *job;
- DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
- "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
- job = (job_t*)update_sa_job_create(reqid, remote);
- lib->processor->queue_job(lib->processor, job);
+ DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and reqid {%u} "
+ "changed, queuing update job", ntohl(spi), reqid);
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)update_sa_job_create(reqid, remote));
return TRUE;
}
METHOD(kernel_listener_t, migrate, bool,
- private_kernel_handler_t *this, u_int32_t reqid,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, host_t *local, host_t *remote)
+ private_kernel_handler_t *this, u_int32_t reqid,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, host_t *local, host_t *remote)
{
- job_t *job;
- DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with "
- "reqid {%u}", src_ts, dst_ts, policy_dir_names, direction,
- reqid, local);
- job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, direction, local,
- remote);
- lib->processor->queue_job(lib->processor, job);
+ DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+ src_ts, dst_ts, policy_dir_names, direction, reqid, local);
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)migrate_job_create(reqid, src_ts, dst_ts,
+ direction, local, remote));
return TRUE;
}
METHOD(kernel_listener_t, roam, bool,
- private_kernel_handler_t *this, bool address)
+ private_kernel_handler_t *this, bool address)
{
- job_t *job;
- DBG2(DBG_KNL, "creating roam job %s", address ? "due to address/link change"
- : "due to route change");
- job = (job_t*)roam_job_create(address);
- lib->processor->queue_job(lib->processor, job);
+ DBG2(DBG_KNL, "creating roam job %s",
+ address ? "due to address/link change" : "due to route change");
+
+ lib->processor->queue_job(lib->processor, (job_t*)roam_job_create(address));
return TRUE;
}
METHOD(kernel_handler_t, destroy, void,
- private_kernel_handler_t *this)
+ private_kernel_handler_t *this)
{
hydra->kernel_interface->remove_listener(hydra->kernel_interface,
&this->public.listener);
return &this->public;
}
-
* parse a proposal string, either into ike_cfg or child_cfg
*/
static void add_proposals(private_stroke_config_t *this, char *string,
- ike_cfg_t *ike_cfg, child_cfg_t *child_cfg)
+ ike_cfg_t *ike_cfg, child_cfg_t *child_cfg, protocol_id_t proto)
{
if (string)
{
char *single;
char *strict;
proposal_t *proposal;
- protocol_id_t proto = PROTO_ESP;
- if (ike_cfg)
- {
- proto = PROTO_IKE;
- }
strict = string + strlen(string) - 1;
if (*strict == '!')
{
}
if (ike_cfg)
{
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default(proto));
}
else
{
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(proto));
}
}
msg->add_conn.fragmentation,
msg->add_conn.ikedscp);
- add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
+ add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL, PROTO_IKE);
return ike_cfg;
}
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
- add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-
+ if (msg->add_conn.algorithms.ah)
+ {
+ add_proposals(this, msg->add_conn.algorithms.ah,
+ NULL, child_cfg, PROTO_AH);
+ }
+ else
+ {
+ add_proposals(this, msg->add_conn.algorithms.esp,
+ NULL, child_cfg, PROTO_ESP);
+ }
return child_cfg;
}
u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
u_int16_t encr_size = 0, int_size = 0;
u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+ bool first = TRUE;
proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
&encr_alg, &encr_size);
if (encr_alg != ENCR_UNDEFINED)
{
fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ first = FALSE;
if (encr_size)
{
fprintf(out, "_%u", encr_size);
}
if (int_alg != AUTH_UNDEFINED)
{
- fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+ if (!first)
+ {
+ fprintf(out, "/");
+ }
+ fprintf(out, "%N", integrity_algorithm_names, int_alg);
if (int_size)
{
fprintf(out, "_%u", int_size);
pop_string(msg, &msg->add_conn.xauth_identity);
pop_string(msg, &msg->add_conn.algorithms.ike);
pop_string(msg, &msg->add_conn.algorithms.esp);
+ pop_string(msg, &msg->add_conn.algorithms.ah);
pop_string(msg, &msg->add_conn.ikeme.mediated_by);
pop_string(msg, &msg->add_conn.ikeme.peerid);
DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity);
DBG2(DBG_CFG, " xauth_identity=%s", msg->add_conn.xauth_identity);
DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
+ DBG2(DBG_CFG, " ah=%s", msg->add_conn.algorithms.ah);
DBG2(DBG_CFG, " dpddelay=%d", msg->add_conn.dpd.delay);
DBG2(DBG_CFG, " dpdtimeout=%d", msg->add_conn.dpd.timeout);
DBG2(DBG_CFG, " dpdaction=%d", msg->add_conn.dpd.action);
"PLUTO_CONNECTION='%s' "
"PLUTO_INTERFACE='%s' "
"PLUTO_REQID='%u' "
+ "PLUTO_PROTO='%s' "
"PLUTO_UNIQUEID='%u' "
"PLUTO_ME='%H' "
"PLUTO_MY_ID='%Y' "
config->get_name(config),
iface ? iface : "unknown",
child_sa->get_reqid(child_sa),
+ child_sa->get_protocol(child_sa) == PROTO_ESP ? "esp" : "ah",
ike_sa->get_unique_id(ike_sa),
me, ike_sa->get_my_id(ike_sa),
my_client, my_client_mask,
proto_ike2ip(protocol), this->reqid,
&this->my_spi) == SUCCESS)
{
+ /* if we allocate a SPI, but then are unable to establish the SA, we
+ * need to know the protocol family to delete the partial SA */
+ this->protocol = protocol;
return this->my_spi;
}
return 0;
/* delete SAs in the kernel, if they are set up */
if (this->my_spi)
{
- /* if CHILD was not established, use PROTO_ESP used during alloc_spi().
- * TODO: For AH support, we have to store protocol specific SPI.s */
- if (this->protocol == PROTO_NONE)
- {
- this->protocol = PROTO_ESP;
- }
hydra->kernel_interface->del_sa(hydra->kernel_interface,
this->other_addr, this->my_addr, this->my_spi,
proto_ike2ip(this->protocol), this->my_cpi,
DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
protocol_id_names, this->protocol, ntohl(this->spi));
- delete_payload = delete_payload_create(DELETE_V1, PROTO_ESP);
+ delete_payload = delete_payload_create(DELETE_V1, this->protocol);
delete_payload->add_spi(delete_payload, this->spi);
message->add_payload(message, &delete_payload->payload_interface);
*/
ipsec_mode_t mode;
+ /*
+ * SA protocol (ESP|AH) negotiated
+ */
+ protocol_id_t proto;
+
/**
* Use UDP encapsulation
*/
notify_payload_t *notify;
notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
- PROTO_ESP, type);
+ this->proto, type);
notify->set_spi(notify, this->spi_i);
this->ike_sa->queue_task(this->ike_sa,
{
sa_payload_t *sa_payload;
linked_list_t *list, *tsi, *tsr;
+ proposal_t *proposal;
diffie_hellman_group_t group;
encap_t encap;
}
}
- this->spi_i = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ list = this->config->get_proposals(this->config, MODP_NONE);
+ if (list->get_first(list, (void**)&proposal) == SUCCESS)
+ {
+ this->proto = proposal->get_protocol(proposal);
+ }
+ list->destroy_offset(list, offsetof(proposal_t, destroy));
+ this->spi_i = this->child_sa->alloc_spi(this->child_sa, this->proto);
if (!this->spi_i)
{
DBG1(DBG_IKE, "allocating SPI from kernel failed");
return FAILED;
}
+
group = this->config->get_dh_group(this->config);
if (group != MODP_NONE)
{
sa_payload_t *sa_payload;
encap_t encap;
- this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ this->proto = this->proposal->get_protocol(this->proposal);
+ this->spi_r = this->child_sa->alloc_spi(this->child_sa, this->proto);
if (!this->spi_r)
{
DBG1(DBG_IKE, "allocating SPI from kernel failed");
.state = QM_INIT,
.tsi = tsi ? tsi->clone(tsi) : NULL,
.tsr = tsr ? tsr->clone(tsr) : NULL,
+ .proto = PROTO_ESP,
);
if (config)
{
enumerator_t *enumerator;
proposal_t *proposal;
+ protocol_id_t proto = PROTO_ESP;
- /* TODO: allocate additional SPI for AH if we have such proposals */
- this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ if (this->initiator)
+ {
+ /* we just get a SPI for the first protocol. TODO: If we ever support
+ * proposal lists with mixed protocols, we'd need multiple SPIs */
+ if (this->proposals->get_first(this->proposals,
+ (void**)&proposal) == SUCCESS)
+ {
+ proto = proposal->get_protocol(proposal);
+ }
+ }
+ else
+ {
+ proto = this->proposal->get_protocol(this->proposal);
+ }
+ this->my_spi = this->child_sa->alloc_spi(this->child_sa, proto);
if (this->my_spi)
{
if (this->initiator)
{AUTH_HMAC_SHA2_384_192, 384},
{AUTH_HMAC_SHA2_512_256, 512},
{AUTH_AES_XCBC_96, 128},
+ {AUTH_AES_CMAC_96, 128},
};
int i;
linked_list_t *my_ts, *other_ts, *list;
enumerator_t *enumerator;
status_t status;
+ linked_list_t *proposals;
+ proposal_t *proposal;
+ protocol_id_t proto = PROTO_ESP;
/* try to resolve addresses */
ike_cfg = peer->get_ike_cfg(peer);
other_ts = child->get_traffic_selectors(child, FALSE, NULL, list);
list->destroy_offset(list, offsetof(host_t, destroy));
- /* while we don't know the finally negotiated protocol (ESP|AH), we
- * could iterate all proposals for a best guess (TODO). But as we
- * support ESP only for now, we set it here. */
- child_sa->set_protocol(child_sa, PROTO_ESP);
+ /* We don't know the finally negotiated protocol (ESP|AH), we install
+ * the SA with the protocol of the first proposal */
+ proposals = child->get_proposals(child, TRUE);
+ if (proposals->get_first(proposals, (void**)&proposal) == SUCCESS)
+ {
+ proto = proposal->get_protocol(proposal);
+ }
+ proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
+ child_sa->set_protocol(child_sa, proto);
child_sa->set_mode(child_sa, child->get_mode(child));
status = child_sa->add_policies(child_sa, my_ts, other_ts);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool },
{ ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
- { ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_STR, offsetof(starter_conn_t, authby), LST_authby },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_REAUTH */ },
{ ARG_STR, offsetof(starter_conn_t, ike), NULL },
{ ARG_STR, offsetof(starter_conn_t, esp), NULL },
+ { ARG_STR, offsetof(starter_conn_t, ah), NULL },
{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL },
{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL },
{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
return FALSE;
}
+ if (token == KW_ESP || token == KW_AH)
+ {
+ if (*seen & (SEEN_KW(KW_ESP, first) | SEEN_KW(KW_AH, first)))
+ {
+ DBG1(DBG_APP, "# can't have both 'ah' and 'esp' options");
+ return FALSE;
+ }
+ }
+
/* set flag that this argument has been seen */
*seen |= SEEN_KW(token, first);
case KW_COMPRESS:
KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
break;
- case KW_AUTH:
- KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE)
- break;
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
typedef enum {
/* IPsec options */
- SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */
SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
/* IKE and other other options */
unsigned long id;
char *esp;
+ char *ah;
char *ike;
time_t dpd_delay;
KW_COMPRESS,
KW_INSTALLPOLICY,
KW_AGGRESSIVE,
- KW_AUTH,
KW_AUTHBY,
KW_EAP_IDENTITY,
KW_AAA_IDENTITY,
KW_REAUTH,
KW_IKE,
KW_ESP,
+ KW_AH,
KW_DPDDELAY,
KW_DPDTIMEOUT,
KW_DPDACTION,
compress, KW_COMPRESS
installpolicy, KW_INSTALLPOLICY
aggressive, KW_AGGRESSIVE
-auth, KW_AUTH
authby, KW_AUTHBY
eap_identity, KW_EAP_IDENTITY
aaa_identity, KW_AAA_IDENTITY
reauth, KW_REAUTH
ike, KW_IKE
esp, KW_ESP
+ah, KW_AH
dpddelay, KW_DPDDELAY
dpdtimeout, KW_DPDTIMEOUT
dpdaction, KW_DPDACTION
msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
+ msg.add_conn.algorithms.ah = push_string(&msg, conn->ah);
msg.add_conn.dpd.delay = conn->dpd_delay;
msg.add_conn.dpd.timeout = conn->dpd_timeout;
msg.add_conn.dpd.action = conn->dpd_action;
struct {
char *ike;
char *esp;
+ char *ah;
} algorithms;
struct {
int reauth;
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
+# allow ah
+-A INPUT -i eth0 -p 51 -j ACCEPT
+-A OUTPUT -o eth0 -p 51 -j ACCEPT
+
# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
--- /dev/null
+An IPsec <b>AH transport-mode</b> connection using HMAC_SHA256 between the hosts
+<b>moon</b> and <b>sun</b> is successfully set up using IKEv1. <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the decrypted
+IP packets. In order to test the host-to-host connection <b>moon</b> pings
+<b>sun</b>.
--- /dev/null
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev1
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ ah=sha256!
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev1
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ ah=sha256!
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--- /dev/null
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using the IKEv1 protocol.
+With <b>ah=md5,sha1</b> gateway <b>moon</b> proposes the use of an
+<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
+with its <b>ah=sha1!</b> configuration.
+<p/>
+Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
+gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ, AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 3"
+
+conn %default
+ keyexchange=ikev1
+ ike=aes128-sha1-modp1536!
+ ah=md5,sha1
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 3"
+
+conn %default
+ keyexchange=ikev1
+ ike=aes128-sha1-modp1536!
+ ah=sha1!
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--- /dev/null
+An IPsec <b>AH transport-mode</b> connection using AES-XCBC between the hosts
+<b>moon</b> and <b>sun</b> is successfully set up. <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the decrypted
+IP packets. In order to test the host-to-host connection <b>moon</b> pings
+<b>sun</b>.
--- /dev/null
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ ah=aesxcbc
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ ah=aesxcbc
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--- /dev/null
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+With <b>ah=sha1-md5</b> gateway <b>moon</b> proposes the use of an
+<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
+with its <b>ah=sha1!</b> configuration.
+<p/>
+Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
+gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/HMAC_MD5_96/NO_EXT_SEQ::YES
+sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 2"
+
+conn %default
+ keyexchange=ikev2
+ ike=aes128-sha1-modp1536!
+ ah=sha1-md5
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2, knl 2"
+
+conn %default
+ keyexchange=ikev2
+ ike=aes128-sha1-modp1536!
+ ah=sha1!
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"