alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
+++ /dev/null
-*.crl
-*.der
-*.p12
-*.pem
+++ /dev/null
-By setting <b>left=%any</b> this scenario tests the ability of the IKEv2 daemon
-to automatically determine its own IP address of an IPsec SA to be established.
-This is achieved by finding a route via the correct network interface to the remote IPsec peer.
-<p>
-The hosts <b>moon</b> and <b>bob</b> act as initiators by setting <b>auto=route</b>
-whereas the hosts <b>alice</b> and <b>sun</b> act as responders by setting <b>auto=add</b>.
-Pings from <b>moon</b> to <b>alice</b> and <b>sun</b> as well as a ping from <b>bob</b>
-to <b>sun</b> set up three compressed IPsec Transport Mode connections.
+++ /dev/null
-moon:: cat /var/log/daemon.log::creating acquire job::YES
-bob:: cat /var/log/daemon.log::creating acquire job::YES
-moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*CN=moon.strongswan.org.*CN=alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=moon.strongswan.org.*CN=sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::remote.*ESTABLISHED.*CN=alice@strongswan.org.*CN=moon.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::remote\[1]: ESTABLISHED.*CN=sun.strongswan.org.*CN=moon.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::remote\[2]: ESTABLISHED.*CN=sun.strongswan.org.*CN=bob@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=bob@strongswan.org.*CN=sun.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TRANSPORT::YES
-moon:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
-alice::ipsec status 2> /dev/null::remote.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::remote[{]1}.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::remote[{]2}.*INSTALLED, TRANSPORT::YES
-bob:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP bob.strongswan.org > sun1.strongswan.org: ESP::YES
-bob::tcpdump::IP sun1.strongswan.org > bob.strongswan.org: ESP::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=clear
- dpddelay=10
- left=%any
- leftcert=aliceCert.pem
-
-conn remote
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
- multiple_authentication = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=hold
- dpddelay=10
- left=%any
- leftcert=bobCert.pem
-
-conn sun
- right=PH_IP_SUN1
- rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
- auto=route
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=hold
- dpddelay=10
- left=%any
- leftcert=moonCert.pem
-
-conn alice
- right=PH_IP_ALICE
- rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
- auto=route
-
-conn sun
- right=PH_IP_SUN
- rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
- auto=route
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
- type=transport
- compress=yes
- dpdaction=clear
- dpddelay=10
- left=%any
- leftcert=sunCert.pem
-
-conn remote
- right=%any
- auto=add
+++ /dev/null
-alice::ipsec stop
-moon::ipsec stop
-sun::ipsec stop
-bob::ipsec stop
-winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
-winnetou::ip route del 10.2.0.0/16 via PH_IP_SUN
+++ /dev/null
-winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
-alice::ipsec start
-moon::ipsec start
-sun::ipsec start
-bob::ipsec start
-alice::expect-connection remote
-sun::expect-connection remote
-moon::expect-connection alice
-moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
-moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
-bob::expect-connection sun
-bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice sun bob"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon sun bob"
+++ /dev/null
-alice::ipsec status 2> /dev/null::hub.*ESTABLISHED.*alice@strongswan.org.*carol@strongswan.org::YES
-bob:: ipsec status 2> /dev/null::hub.*ESTABLISHED.*bob@strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_MOON.*alice@strongswan.org::YES
-carol::ipsec status 2> /dev/null::hub.*ESTABLISHED.*PH_IP_SUN.*bob@strongswan.org::YES
-alice::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-bob:: ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-carol::ipsec status 2> /dev/null::hub.*INSTALLED, TUNNEL.*IPCOMP::YES
-carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
-carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
-alice::ip xfrm state::proto comp spi::YES
-bob:: ip xfrm state::proto comp spi::YES
-carol::ip xfrm state::proto comp spi::YES
-alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
-moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
-sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=restart
- dpddelay=60s
- leftfirewall=yes
- lefthostaccess=yes
-
-conn hub
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftsubnet=10.1.0.0/16
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL/32,10.2.0.0/16
- compress=yes
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=restart
- dpddelay=60s
- leftfirewall=yes
- lefthostaccess=yes
-
-conn hub
- leftcert=bobCert.pem
- leftid=bob@strongswan.org
- leftsubnet=10.2.0.0/16
- right=PH_IP_CAROL
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL/32,10.1.0.0/16
- compress=yes
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=60s
-
-conn hub
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=%any
- leftsubnet=0.0.0.0/0
- rightsubnet=0.0.0.0/0
- compress=yes
- auto=add
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: cat /var/log/daemon.log::loaded crl from::YES
-moon:: cat /var/log/daemon.log::crl is valid::YES
-moon:: cat /var/log/daemon.log::certificate status is good::YES
-moon:: cat /var/log/daemon.log::using cached crl::YES
-moon:: ipsec listcrls 2> /dev/null:: ok::YES
-carol::cat /var/log/daemon.log::loaded crl from::YES
-carol::cat /var/log/daemon.log::crl is valid::YES
-carol::cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::using cached crl::YES
-carol::ipsec listcrls 2> /dev/null:: ok::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
- cachecrls=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+++ /dev/null
-moon::wget -q http://crl.strongswan.org/strongswan.crl
-moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-carol::wget -q http://crl.strongswan.org/strongswan.crl
-carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw
- right=%any
- rightsourceip=%dhcp
- auto=add
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw
- right=%any
- rightsourceip=%dhcp
- auto=add
+++ /dev/null
-The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
-<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
-polling interval of 10 s. When the network connectivity between <b>carol</b>
-and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
-clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
-also takes down the connection but installs a route which triggers when
-<b>carol</b> sends a ping to client <b>alice</b> behind gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 13::no output expected::NO
-carol::cat /var/log/daemon.log::sending DPD request::YES
-carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
-carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 1::no output expected::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=hold
- dpddelay=10
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- dpdaction=clear
- dpddelay=10
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
-parameter. The virtual addresses assigned to the clients by gateway <b>moon</b> belong to the
-subnet 10.1.0.0/16 hidden behind the gateway so that <b>carol</b> and <b>dave</b> become full members of
-this network. And this thanks to the <b>farp</b> plugin through which <b>moon</b> acts as a proxy
-for ARP requests e.g. from <b>alice</b> who wants to ping <b>carol</b> and <b>dave</b>.
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw-carol
- right=%any
- rightid=carol@strongswan.org
- rightsourceip=10.1.0.30
- auto=add
-
-conn rw-dave
- right=%any
- rightid=dave@strongswan.org
- rightsourceip=10.1.0.40
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP_VENUS
-}
+++ /dev/null
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. Since the firewall on <b>sun</b> blocks the ESP protocol, enforced UDP
-encapsulation (<b>forceencaps=yes</b>) is used by <b>alice</b> to punch through this hurdle.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
-alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > alice.strongswan.org.*: UDP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- forceencaps=yes
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- leftsubnet=10.2.0.0/16
- right=%any
- rightsubnet=10.1.0.10/32
- auto=add
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
-alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
-carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
-dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
-carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
-dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
-moon::iptables -t mangle -L -n -v
-carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
-dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
-carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
-dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
-carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
-dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftsubnet=0.0.0.0/0
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=0.0.0.0/0
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftsubnet=0.0.0.0/0
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- right=PH_IP_MOON
- rightsubnet=0.0.0.0/0
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,224.0.0.0/4
- right=%any
- rightid=*@strongswan.org
- rightsourceip=10.1.0.128/26
- rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
- mark=%unique
- auto=add
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
-venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
-sun::iptables -t mangle -L -n -v
-sun::conntrack -L
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
-
-conn nat-t
- right=%any
- type=transport
- mark=%unique
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=venusCert.pem
- leftid=venus@strongswan.org
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
-}
+++ /dev/null
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::sleep 11::NO
-carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
-carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- inactivity=10
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-carol::iptables-restore < /etc/iptables.flush
+++ /dev/null
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
-moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
-moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=%pool0,%pool1
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
+++ /dev/null
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::ipsec pool --del pool0 2> /dev/null
-moon::ipsec pool --del pool1 2> /dev/null
+++ /dev/null
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
-named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
-both ping the gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
-moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsourceip=%config
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
-
-conn int
- left=PH_IP_MOON1
- rightsourceip=%intpool
- auto=add
-
-conn ext
- left=PH_IP_MOON
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
+++ /dev/null
-carol::ipsec stop
-alice::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-alice::iptables-restore < /etc/iptables.flush
-moon::ipsec pool --del intpool 2> /dev/null
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
-carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config4,%config6
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0,::/0
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,fec1::0/16
- rightsourceip=%v4_pool,%v6_pool
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
-
- plugins {
- attr-sql {
- database = sqlite:///etc/db.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
+++ /dev/null
-alice::ip -6 route del default via fec1:\:1
-carol::ipsec stop
-moon::ipsec stop
+++ /dev/null
-The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
-both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
-<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
-from two in-memory pools using the <b>rightsourceip</b> option. The established tunnel
-carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
-carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config4,%config6
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0,::/0
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,fec1::0/16
- rightsourceip=10.3.0.0/28,fec3::/120
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-alice::ip -6 route del default via fec1:\:1
-carol::ipsec stop
-moon::ipsec stop
+++ /dev/null
-alice::ip -6 route add default via fec1:\:1
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="carol"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order.
-<p>
-Using the <b>ipsec lookup</b> tool which communicates with the <b>lookip</b> plugin via a unix
-socket, information about the assigned virtual IP is retrieved.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+++ /dev/null
-carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec lookip --lookup PH_IP_CAROL1 2> /dev/null::192.168.0.100.*rw\[1].*carol@strongswan.org::YES
-moon:: ipsec lookip --lookup PH_IP_DAVE1 2> /dev/null::192.168.0.200.*rw\[2].*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown lookip
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark</b> parameter in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightid=alice@strongswan.org
- mark=10/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark=20 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=0.0.0.0/0
+++ /dev/null
-#!/bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the reqid of the AH|ESP policy
-#
-# PLUTO_PROTO
-# is the negotiated IPsec protocol, ah|esp
-#
-# PLUTO_IPCOMP
-# is not empty if IPComp was negotiated
-#
-# PLUTO_UNIQUEID
-# is the unique identifier of the associated IKE_SA
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_SOURCEIP
-# PLUTO_MY_SOURCEIP4_$i
-# PLUTO_MY_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP received from a responder,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side. For ICMP/ICMPv6 this contains the
-# message type, and PLUTO_PEER_PORT the message code.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_SOURCEIP
-# PLUTO_PEER_SOURCEIP4_$i
-# PLUTO_PEER_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP sent to an initiator,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side. For ICMP/ICMPv6 this contains the
-# message code, and PLUTO_MY_PORT the message type.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_IF_ID_IN
-# is an optional XFRM interface ID set on the inbound IPsec SA
-#
-# PLUTO_IF_ID_OUT
-# is an optional XFRM interface ID set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-# PLUTO_DNS4_$i
-# PLUTO_DNS6_$i
-# contains IPv4/IPv6 DNS server attribute received from a
-# responder, $i enumerates from 1 to the number of servers per
-# address family.
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
-export PATH
-
-# comment to disable logging VPN connections to syslog
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older release?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete release?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
-IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-
-# use protocol specific options to set ports
-case "$PLUTO_MY_PROTOCOL" in
-1) # ICMP
- ICMP_TYPE_OPTION="--icmp-type"
- ;;
-58) # ICMPv6
- ICMP_TYPE_OPTION="--icmpv6-type"
- ;;
-*)
- ;;
-esac
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- else
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
- fi
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
- S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
- D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
- else
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
- fi
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK="-p $PLUTO_PROTO"
- fi
- SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-case "$PLUTO_VERB:$1" in
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed)
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed).
- # INPUT is correct here even for forwarded traffic.
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftauth=rsa-sha384
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftauth=rsa-sha512
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES
-sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftid=moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftsendcert=never
- leftauth=pubkey
- leftfirewall=yes
- right=sun.strongswan.org
- rightid=sun.strongswan.org
- rightsubnet=10.2.0.0/16
- rightsendcert=never
- rightauth=pubkey
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftid=sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.pem
- leftsendcert=never
- leftauth=pubkey
- leftfirewall=yes
- right=moon.strongswan.org
- rightid=moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- rightauth=pubkey
- auto=add
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-Using the <b>forecast</b> plugin additionally all 224.0.0.251 mDNS multicasts are going
-to be tunneled.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, mDNS multicasts sent by <b>alice</b> are
-received by <b>bob</b> and vice versa whereas unfortunately multicasts originating
-from the gateways <b>moon</b> and <b>sun</b> themselves are not tunneled.
+++ /dev/null
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES
-alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO
-bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES
-bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16,224.0.0.251/32
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16,224.0.0.251/32
- mark=%unique
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
-
- multiple_authentication = no
- plugins {
- forecast {
- groups = 224.0.0.251
- interface = eth1
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16,224.0.0.251/32
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16,224.0.0.251/32
- mark=%unique
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
-
- multiple_authentication = no
- plugins {
- forecast {
- groups = 224.0.0.251
- interface = eth1
- }
- }
-}
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice sun bob"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
-moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
-sun:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
-sun:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn dscp-be
- leftid=@moon-be
- rightid=@sun-be
- mark=10
- also=net-net
- auto=add
-
-conn dscp-ef
- leftid=@moon-ef
- rightid=@sun-ef
- mark=20
- also=net-net
- auto=add
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- leftauth=psk
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightauth=psk
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn dscp-be
- leftid=@sun-be
- rightid=@moon-be
- mark=10
- also=net-net
- auto=add
-
-conn dscp-ef
- leftid=@sun-ef
- rightid=@moon-ef
- mark=20
- also=net-net
- auto=add
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- leftauth=psk
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightauth=psk
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::sleep 6::wait for rekeying::NO
-moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
-moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
-moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::sleep 2::wait until inbound SA is deleted::NO
-moon::cat /var/log/daemon.log::deleted SAD entry with SPI::2
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- lifetime=10s
- margintime=5s
- rekeyfuzz=0%
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- # remove rekeyed inbound SA a bit quicker for the test scenario
- delete_rekeyed_delay = 2
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_.eq=1::YES
-bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.0.0.0/14
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.4.0.0/14
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.4.0.0/14
- leftupdown=/etc/mark_updown
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.0.0.0/14
- mark_in=8
- mark_out=4
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+++ /dev/null
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. Using <b>add=route</b> %trap
-eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
-a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
-is triggered and the corresponding IPsec tunnel is set up. In the same
-way an ssh session to <b>alice</b> over the second IPsec SA is established.
+++ /dev/null
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq::YES
-carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
-carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED::YES
-moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED::YES
-moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=route
-
-conn home-icmp
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn home-ssh
- leftprotoport=tcp
- rightprotoport=tcp/ssh
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
-
-conn rw-icmp
- lefthostaccess=yes
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn rw-ssh
- leftprotoport=tcp/ssh
- rightprotoport=tcp
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-icmp
-moon::expect-connection rw-ssh
-carol::expect-connection home-icmp
-carol::expect-connection home-ssh
-carol::ssh PH_IP_ALICE hostname
-carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=5s
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30s
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30s
- keylife=20m
- rekeymargin=5s
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=3601
- keylife=1200
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
-winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
-carol::ipsec purgecrls
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::sleep 6
-carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
-carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=yes
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftsourceip=%config
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/24
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- keylife=20m
- ikelifetime=10s
- rekeymargin=5s
- rekeyfuzz=0%
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
- make_before_break = yes
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=30m
- keylife=20m
- rekeymargin=0s
- keyingtries=1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-At the outset the gateway authenticates itself to the client by sending an
-IKEv2 <b>RSA signature</b> accompanied by a certificate.
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
-in association with the <i>Authentication and Key Agreement</i> protocol
-(<b>EAP-AKA</b>) to authenticate against the gateway. In this scenario,
-quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead
-of a physical USIM card on the client <b>carol</b>. The USIM provider on
-gateway <b>moon</b> also stores the quintuplets in an SQL database.
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- leftauth=eap
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
+++ /dev/null
-INSERT INTO quintuplets
- (id, used, rand, autn, ck, ik, res) VALUES
- ('carol@strongswan.org', 0,
- X'00112233445566778899AABBCCDDEEFF',
- X'112233445566778899AABBCCDDEEFF00',
- X'2233445566778899AABBCCDDEEFF0011',
- X'33445566778899AABBCCDDEEFF001122',
- X'00112233445566778899'
- );
+++ /dev/null
-DROP TABLE IF EXISTS quintuplets;
-CREATE TABLE quintuplets (
- id TEXT NOT NULL,
- used INTEGER NOT NULL,
- rand BLOB NOT NULL,
- autn BLOB NOT NULL,
- ck BLOB NOT NULL,
- ik BLOB NOT NULL,
- res BLOB NOT NULL
-);
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
-
- plugins {
- eap-simaka-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
- rightid=*@strongswan.org
- rightsendcert=never
- rightauth=eap-aka
- auto=add
+++ /dev/null
-INSERT INTO quintuplets
- (id, used, rand, autn, ck, ik, res) VALUES
- ('carol@strongswan.org', 0,
- X'00112233445566778899AABBCCDDEEFF',
- X'112233445566778899AABBCCDDEEFF00',
- X'2233445566778899AABBCCDDEEFF0011',
- X'33445566778899AABBCCDDEEFF001122',
- X'00112233445566778899'
- );
+++ /dev/null
-DROP TABLE IF EXISTS quintuplets;
-CREATE TABLE quintuplets (
- id TEXT NOT NULL,
- used INTEGER NOT NULL,
- rand BLOB NOT NULL,
- autn BLOB NOT NULL,
- ck BLOB NOT NULL,
- ik BLOB NOT NULL,
- res BLOB NOT NULL
-);
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
-
- plugins {
- eap-simaka-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap-md5
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftauth=eap-tls
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightid=*@strongswan.org
- rightauth=eap-dynamic
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
-
- plugins {
- eap-dynamic {
- prefer_user = yes
- preferred = md5, tls
- }
- }
-}
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
-dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config
- eap_identity=dave
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- rightsendcert=never
- rightauth=eap-radius
- rightsourceip=%radius
- eap_identity=%any
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
-dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
-moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
-dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftauth=eap
- leftfirewall=yes
- eap_identity=dave
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn research
- rightgroups=Research
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn accounting
- rightgroups=Accounting
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightsendcert=never
- rightauth=eap-radius
- eap_identity=%any
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::freeradius
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection research
-moon::expect-connection accounting
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up alice
-dave::ipsec up venus
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
+++ /dev/null
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carol_D_cert.der
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carol_key.der
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-tls {
- max_message_count = 40
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moon_D_cert.der
- leftauth=eap-tls
- leftfirewall=yes
- rightauth=eap-tls
- rightsendcert=never
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moon_key.der
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-tls {
- max_message_count = 40
- }
- }
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/cacerts/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/private/*
+++ /dev/null
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice carol moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
-and PH_IP_DAVE10, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightid=alice@strongswan.org
- mark_in=10/0xffffffff
- mark_out=11/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark_in=20 #0xffffffff is used by default
- mark_out=21 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=0.0.0.0/0
+++ /dev/null
-#!/bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the reqid of the AH|ESP policy
-#
-# PLUTO_PROTO
-# is the negotiated IPsec protocol, ah|esp
-#
-# PLUTO_IPCOMP
-# is not empty if IPComp was negotiated
-#
-# PLUTO_UNIQUEID
-# is the unique identifier of the associated IKE_SA
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_SOURCEIP
-# PLUTO_MY_SOURCEIP4_$i
-# PLUTO_MY_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP received from a responder,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side. For ICMP/ICMPv6 this contains the
-# message type, and PLUTO_PEER_PORT the message code.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_SOURCEIP
-# PLUTO_PEER_SOURCEIP4_$i
-# PLUTO_PEER_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP sent to an initiator,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side. For ICMP/ICMPv6 this contains the
-# message code, and PLUTO_MY_PORT the message type.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_IF_ID_IN
-# is an optional XFRM interface ID set on the inbound IPsec SA
-#
-# PLUTO_IF_ID_OUT
-# is an optional XFRM interface ID set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-# PLUTO_DNS4_$i
-# PLUTO_DNS6_$i
-# contains IPv4/IPv6 DNS server attribute received from a
-# responder, $i enumerates from 1 to the number of servers per
-# address family.
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
-export PATH
-
-# comment to disable logging VPN connections to syslog
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older release?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete release?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
-IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-
-# use protocol specific options to set ports
-case "$PLUTO_MY_PROTOCOL" in
-1) # ICMP
- ICMP_TYPE_OPTION="--icmp-type"
- ;;
-58) # ICMPv6
- ICMP_TYPE_OPTION="--icmpv6-type"
- ;;
-*)
- ;;
-esac
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- else
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
- fi
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
- S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
- D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
- else
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
- fi
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK="-p esp"
- fi
- SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-case "$PLUTO_VERB:$1" in
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed)
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed).
- # INPUT is correct here even for forwarded traffic.
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-alice::iptables-restore < /etc/iptables.rules
-venus::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection alice
-alice::expect-connection home
-alice::ipsec up home
-venus::expect-connection home
-venus::ipsec up home
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
-192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on strong
-preshared keys (PSKs).
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+++ /dev/null
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
-moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128!
- esp=aes128-sha256!
- authby=psk
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ntru192!
- esp=aes192-sha384!
- authby=psk
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
- esp=aes128-sha256,aes192-sha384!
- authby=psk
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-moon.strongswan.org carol@strongswan.org : PSK 0sC0qhnO9/1MWf6tNvCz6mY6pFiDzkVsNlDxZ+9eUjiwwzhHO5UIvgMcvCGcKY/720
-
-moon.strongswan.org dave@strongswan.org : PSK 0snWAi1DPzCAhr1JA/JzZw8fr4ySDSNcF/5+8c2sPSBEXo+TjWCCcr5wKuTF/HunX8
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown
- send_vendor_id = yes
-}
+++ /dev/null
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and fully qualified domain names. By setting the wildcard <b>rightid=@*.strongswan.org</b>
-on <b>carol</b> and <b>dave</b>, no <b>IDr</b> payloads are sent by the roadwarriors.
-In order to test the tunnel,
-both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@*.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@*.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn rw
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
-<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
-is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
-and selects the correct roadwarrior connection definition based on the gateway ID
-requested by the roadwarrior.
-
+++ /dev/null
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
-moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
-moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- authby=secret
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- keyexchange=ikev2
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
-
-conn rw-rsasig
- authby=rsasig
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- auto=add
-
-conn rw-psk
- authby=secret
- leftid=PH_IP_MOON
- auto=add
-
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-rsasig
-moon::expect-connection rw-psk
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
-to gateway <b>moon</b>. The roadwarriors' authentication is based on
-<ib>Pre-Shared Keys</b> (PSK) whereas the gateway uses an <b>RSA signature</b>
-(RSASIG) certified by an X.509 certificate.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
+++ /dev/null
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftid=carol@strongswan.org
- leftauth=psk
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftid=dave@strongswan.org
- leftauth=psk
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- rightauth=psk
- rightsourceip=10.3.0.0/28
- rightsendcert=never
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-
-dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
-carol::ipsec down home 2> /dev/null::no output expected::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- leftsourceip=%config,%config6
- eap_identity=carol
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- rightid=*@strongswan.org
- rightsendcert=never
- rightauth=eap-radius
- rightsourceip=10.3.0.0/24,fec3::0/120
- eap_identity=%any
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- accounting = yes
- }
- }
-}
+++ /dev/null
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES
-moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES
-moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
-dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
-moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
-dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
-dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftcert=carolCert.pem
- leftauth=pubkey-sha384
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn alice
- rightsubnet=10.1.0.10/32
- also=home
- auto=add
-
-conn venus
- rightsubnet=10.1.0.20/32
- also=home
- auto=add
-
-conn home
- left=%any
- leftcert=daveCert.pem
- leftauth=pubkey-sha512
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=pubkey
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn research
- rightauth=pubkey-sha384-sha256
- leftsubnet=10.1.0.0/28
- also=rw
- auto=add
-
-conn accounting
- rightauth=pubkey-sha512-sha256
- leftsubnet=10.1.0.16/28
- also=rw
- auto=add
-
-conn rw
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftauth=pubkey
- leftfirewall=yes
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection research
-moon::expect-connection accounting
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up alice
-dave::ipsec up venus
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou moon"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=""
-
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-<b>moon</b> uses whitelisting to grant access to <b>carol</b> with ID <b>carol@strongswan.org</b>
-whereas since ID <b>dave@strongswan.org</b> is not listed, <b>dave</b> gets rejected.
+++ /dev/null
-moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
-moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::NO
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%config
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac whitelist stroke kernel-netlink socket-default updown
- plugins {
- whitelist {
- enable = yes
- }
- }
-}
+++ /dev/null
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
-moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
-sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
-dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=2::YES
-dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
-dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
-moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
-sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
-dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
-dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
-carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
-moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
-sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
-carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
-carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
-carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=add
+++ /dev/null
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn trap-any
- right=%any
- rightsubnet=192.168.0.0/30
- type=transport
- authby=psk
- auto=route
-
+++ /dev/null
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-# to access the host via SSH in the test environment
-conn pass-ssh
- authby=never
- leftsubnet=0.0.0.0/0[tcp/22]
- rightsubnet=0.0.0.0/0[tcp]
- type=pass
- auto=route
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=route
+++ /dev/null
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-# to access the host via SSH in the test environment
-conn pass-ssh
- authby=never
- leftsubnet=0.0.0.0/0[tcp/22]
- rightsubnet=0.0.0.0/0[tcp]
- type=pass
- auto=route
-
-conn trap-any
- right=%any
- type=transport
- authby=psk
- auto=route
-
+++ /dev/null
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
- multiple_authentication = no
- syslog {
- daemon {
- knl = 2
- }
- }
-}
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+++ /dev/null
-moon::ipsec start
-sun::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::sleep 1
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
+++ /dev/null
-carol::ipsec status 2> /dev/null::alice..*PH_IP_CAROL.*PH_IP_ALICE::YES
-moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
-carol::ipsec status 2> /dev/null::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
-moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
-dave:: ipsec status 2> /dev/null::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
-moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
-dave:: ipsec status 2> /dev/null::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
-moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightid="C=CH, O=strongSwan Project, OU=Research, CN=*"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightid="C=CH, O=strongSwan Project, OU=Accounting, CN=*"
- auto=add
-
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+++ /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection alice
-moon::expect-connection venus
-carol::expect-connection alice
-carol::expect-connection venus
-carol::ipsec up alice
-carol::ipsec up venus
-dave::expect-connection alice
-dave::expect-connection venus
-dave::ipsec up venus
-dave::ipsec up alice
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16 192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=1.* remote-id=alice@strongswan.org initiator-spi=.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16 192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+bob:: swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_BOB local-port=4500 local-id=bob@strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16 192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::hub.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_SUN remote-port=1.* remote-id=bob@strongswan.org initiator-spi=.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*hub.*state=INSTALLED mode=TUNNEL.*ESP encap=yes.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16 192.168.0.100/32] remote-ts=\[10.2.0.0/16]::YES
+carol::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+carol::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+alice::ip xfrm state::proto comp spi::YES
+bob:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_CAROL::8192 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+alice::ping -c 1 -s 8184 -p deadbeef PH_IP_BOB::8192 bytes from PH_IP_BOB: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+bob:: ping -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+moon::tcpdump::IP carol.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > carol.strongswan.org.*: UDP::YES
+sun::tcpdump::IP carol.strongswan.org.* > sun.strongswan.org.*: UDP::YES
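Review bot: The expected traffic selectors in the four `swanctl --list-sas` lines hard-code carol's address as `192.168.0.100/32` while the same lines use the `PH_IP_CAROL` placeholder for `local-host`/`remote-host`, and the new swanctl.conf files spell that selector as `PH_IP_CAROL/32`. Using the placeholder in the expectation as well, e.g. `remote-ts=\[10.2.0.0/16 PH_IP_CAROL/32]`, keeps the evaltest in step with the configs if the host address is ever changed. The remaining checks (the `N(IPCOMP_SUP)` notifies, the `proto comp` xfrm state on all three hosts, the `cpi-in`/`cpi-out` fields and the 8192-byte patterned pings) read as consistent with `ipcomp = yes` in the new child configs.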
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ hub {
+ remote_addrs = PH_IP_CAROL
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ children {
+ hub {
+ local_ts = 10.1.0.0/16
+ remote_ts = PH_IP_CAROL/32,10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
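Review bot: `esp_proposals =aes128-sha256-x25519` is missing the space after `=` that every other key in this file uses; the same line recurs in bob's and carol's new swanctl.conf. Write it as `esp_proposals = aes128-sha256-x25519` in all three. It would also help a reader to know why the hub's own address is part of the child selector, since the evaltest pings `PH_IP_CAROL` directly from alice; a short comment above `remote_ts`, such as `# carol's outer address is included so pings to the hub itself are tunnelled`, presumably captures the intent but should be confirmed against the test description.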
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ hub {
+ remote_addrs = PH_IP_CAROL
+
+ local {
+ auth = pubkey
+ certs = bobCert.pem
+ id = bob@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ children {
+ hub {
+ local_ts = 10.2.0.0/16
+ remote_ts = PH_IP_CAROL/32,10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ hub {
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ hub {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals =aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
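Review bot: The `remote` section on L6066-L6068 carries no `id`, so presumably any peer presenting a certificate that chains to a CA in carol's trust store is matched to `hub` and, with `local_ts`/`remote_ts = 0.0.0.0/0` and `hostaccess = yes`, obtains a full-traffic child SA; that is the intended role of the hub in this test, but nothing in the file says so. A comment above L6066 would make the policy explicit, e.g. `# no remote id: any peer holding a certificate from a trusted CA is accepted by the hub`. The same silent default applies to the responder configs on L6191-L6193, L6377-L6379 and L6697-L6699.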
-bob::ipsec stop
-alice::ipsec stop
-carol::ipsec stop
+bob::systemctl stop strongswan
+alice::systemctl stop strongswan
+carol::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
bob::iptables-restore < /etc/iptables.flush
sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
-carol::ipsec start
-alice::ipsec start
-bob::ipsec start
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+bob::systemctl start strongswan
carol::expect-connection hub
alice::expect-connection hub
bob::expect-connection hub
-alice::ipsec up hub
-bob::ipsec up hub
+alice::swanctl --initiate --child hub 2> /dev/null
+bob::swanctl --initiate --child hub 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="alice carol bob"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+By setting <b>revocation = strict</b> a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
-their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
+their <b>/etc/swanctl/x509crl/</b> directories which allows them to immediately verify
the certificate received from their peer.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sa --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::using cached crl::YES
+carol::cat /var/log/daemon.log::loaded certificate from.*/etc/swanctl/x509crl::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::using cached crl::YES
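Review bot: L6125 runs `swanctl --list-sa --raw` while L6124 and every other check on this page use `--list-sas`; the short form presumably only works because getopt_long accepts an unambiguous prefix of a long option. Use the full option name so the check does not depend on that behaviour: `moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED ...` with the rest of the line unchanged.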
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+ cache_crls = yes
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
--- /dev/null
+moon::wget -q http://crl.strongswan.org/strongswan.crl
+moon::mv strongswan.crl /etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+carol::wget -q http://crl.strongswan.org/strongswan.crl
+carol::mv strongswan.crl /etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips=0.0.0.0</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips = 0.0.0.0</b>
parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS server
-information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned dynamically
-by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that <b>carol</b> and <b>dave</b> become full members
-of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to the <b>farp</b> plugin
-through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b> who wants to ping
-<b>carol</b> and <b>dave</b>.
+information from DHCP server <b>venus</b> using the DHCP protocol.
+<p/>
+The IP addresses are assigned dynamically by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that
+<b>carol</b> and <b>dave</b> become full members of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>.
+And this thanks to the <b>farp</b> plugin through which <b>moon</b> acts as a proxy for ARP requests
+e.g. from <b>alice</b> who wants to ping <b>carol</b> and <b>dave</b>.
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips = 0.0.0.0</b>
parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
-information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically
by <b>venus</b> based on the IKEv2 peer identities <b>carol@strongswan.org</b> and <b>dave@strongswan.org</b>,
respectively, included by the dhcp plugin as a <b>dhcp-client-identity</b> option in the DHCP request.
-<p/>
+<p/>
With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, <b>carol</b> and <b>dave</b>
become full members of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to
the <b>farp</b> plugin through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b>
-who wants to ping <b>carol</b> and <b>dave</b>.
+who wants to ping <b>carol</b> and <b>dave</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
plugins {
dhcp {
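Review bot: The `plugins { dhcp { ... } }` subsection that follows L6362 now lives under `charon-systemd`, so the daemon reads it as `charon-systemd.plugins.dhcp.*`; the same move is made on L6544-L6554, and the description for that test on L6433-L6435 still documents the setting as `charon.plugins.dhcp.identity_lease = yes`. The description's new first line on L6428 also starts with `TThe`. Update the description to `charon-systemd.plugins.dhcp.identity_lease = yes` (or state that the setting is read from the `charon-systemd` section) and fix the typo. The strongswan.conf block continues past the end of this hunk.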
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = dhcp
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
venus::service isc-dhcp-server stop 2> /dev/null
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.rules
venus::cat /etc/dhcp/dhcpd.conf
venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
-and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>leftsourceip=%config</b>
+TThe roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips = 0.0.0.0</b>
parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
-information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically
by <b>venus</b> based on the user-defined MAC address derived by the <b>dhcp</b> plugin from a hash over
the client identity. This deterministic MAC generation is activated with the strongswan.conf setting
<b>charon.plugins.dhcp.identity_lease = yes</b>.
-<p/>
+<p/>
With the static assignment of 10.1.0.30 and 10.1.0.40, respectively, <b>carol</b> and <b>dave</b>
become full members of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to
the <b>farp</b> plugin through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b>
-who wants to ping <b>carol</b> and <b>dave</b>.
+who wants to ping <b>carol</b> and <b>dave</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
plugins {
dhcp {
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = dhcp
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
venus::service isc-dhcp-server stop 2> /dev/null
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.rules
venus::cat /etc/dhcp/dhcpd.conf
venus::service isc-dhcp-server start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
+which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
+When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
+
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 10 s, <b>moon</b>
+clears the connection after 2 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but installs a route which triggers when
+<b>carol</b> sends a ping to client <b>alice</b> behind gateway <b>moon</b>.
+
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 13::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::retransmit.*of request::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
+moon:: cat /var/log/daemon.log::retransmit.*of request::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO
+carol::sleep 1::no output expected::NO
+carol::cat /var/log/daemon.log::creating acquire job for policy::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128gcm16-x25519
+ dpd_action = trap
+ }
+ }
+ version = 2
+ mobike = no
+ dpd_delay = 10
+ }
+}
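Review bot: `esp_proposals =aes128gcm16-x25519` on L6672 names the same AES-GCM proposal that moon's config on L6703 spells `aes128gcm128-x25519`; both presumably resolve to AES_GCM_16 with a 128-bit key, as the evaltest on L6631-L6632 expects, but one spelling should be used on both peers so a reader does not have to check whether they differ. Separately, the description added on L6617-L6628 holds two paragraphs: the first says only `moon` activates DPD, which contradicts the `dpd_delay = 10` and `dpd_action = trap` configured here on carol, while the second matches the config; the first paragraph looks like a leftover draft and should be dropped.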
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ dpd_action = clear
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ dpd_delay = 10
+ }
+}
--- /dev/null
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
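Review bot: The posttest removes only carol's `DROP` rule (L6714), while evaltest L6633 also adds `moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP`; if the evaluation aborts before L6642, moon keeps blocking carol for the tests that follow. Add `moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP`, or restore the known state on both hosts with `iptables-restore < /etc/iptables.flush` as the other posttests on this page do (e.g. L6090-L6092); the latter also avoids the error the duplicate `-D` on carol presumably prints when evaltest L6641 has already removed the rule.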
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=""
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway
+<b>moon</b> and request a <b>virtual IP</b> via the IKEv2 configuration payload by
+using the <b>vips = 0.0.0.0</b> parameter. The virtual addresses assigned to the
+clients by gateway <b>moon</b> belong to the subnet 10.1.0.0/16 hidden behind the
+gateway so that <b>carol</b> and <b>dave</b> become full members of this network.
+And this thanks to the <b>farp</b> plugin through which <b>moon</b> acts as a proxy
+for ARP requests e.g. from <b>alice</b> who wants to ping <b>carol</b> and <b>dave</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.30] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.30/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.40] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.40/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.30] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.30/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.40] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.40/32]::YES
+carol::cat /var/log/daemon.log::installing DNS server 192.168.0.150 to /etc/resolv.conf::YES
+carol::cat /var/log/daemon.log::installing DNS server 10.1.0.20 to /etc/resolv.conf::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.1.0.30::YES
+dave:: cat /var/log/daemon.log::installing DNS server 192.168.0.150 to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server 10.1.0.20 to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.1.0.40::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici attr farp
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP_VENUS
+}
--- /dev/null
+connections {
+
+ rw-carol {
+ include swanctl_base.conf
+ pools = carol_vip
+
+ remote {
+ auth = pubkey
+ id = carol@strongswan.org
+ }
+ }
+
+ rw-dave {
+ include swanctl_base.conf
+ pools = dave_vip
+
+ remote {
+ auth = pubkey
+ id = dave@strongswan.org
+ }
+ }
+
+}
+
+pools {
+
+ carol_vip {
+ addrs = 10.1.0.30
+ }
+
+ dave_vip {
+ addrs = 10.1.0.40
+ }
+}
--- /dev/null
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-curve25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-curve25519
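Review bot: This include fragment names the DH group `curve25519` in both `esp_proposals` and `proposals`, while every other converted config in this change (carol at L6804/L6808, dave at L6843/L6847, alice at L6991/L6995) uses the `x25519` spelling. The evaluation expects `dh-group=CURVE_25519` on both sides, so the two keywords evidently resolve to the same group, but mixing spellings across a test that shares a base file makes grep-based review of the negotiated algorithms harder. Suggest `esp_proposals = aes128gcm128-x25519` and `proposals = aes128-sha256-x25519` here for consistency. Note this file has no `connections {` wrapper of its own; it is only meaningful when pulled in via `include swanctl_base.conf` from the `rw-carol`/`rw-dave` sections.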
--- /dev/null
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.rules
alice::arp -d 10.1.0.30
alice::arp -d 10.1.0.40
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw-carol
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw-dave
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarrior <b>alice</b> sitting behind the router <b>moon</b> sets up a tunnel to
+gateway <b>sun</b>. Since the firewall on <b>sun</b> blocks the ESP protocol, enforced UDP
+encapsulation (<b>encap=yes</b>) is used by <b>alice</b> to punch through this hurdle.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the tunnel, host <b>alice</b> pings the
+client <b>bob</b> behind the gateway <b>sun</b>.
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-fake=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_ALICE remote-port=4500 remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[PH_IP_ALICE/32]::YES
+alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
+alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > alice.strongswan.org.*: UDP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ encap = yes
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ nat-t {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-alice::ipsec stop
-sun::ipsec stop
+alice::systemctl stop strongswan
+sun::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
sun::iptables-restore < /etc/iptables.rules
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-alice::ipsec start
-sun::ipsec start
+alice::systemctl start strongswan
+sun::systemctl start strongswan
sun::expect-connection nat-t
alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
# Used for IPsec logging purposes
#
IPSECHOSTS="alice sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.129/32 10.1.255.255/32 224.0.0.0/4] remote-ts=\[10.1.0.0/16 224.0.0.0/4]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.130/32 10.1.255.255/32 224.0.0.0/4] remote-ts=\[10.1.0.0/16 224.0.0.0/4]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*rw.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.0/4] remote-ts=\[10.1.0.129/32 10.1.255.255/32 224.0.0.0/4]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*rw.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.0/4] remote-ts=\[10.1.0.130/32 10.1.255.255/32 224.0.0.0/4]::YES
+alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
+carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
+dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
+carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+moon::iptables -t mangle -L -n -v
+carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve
}
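Review bot: The rewritten `load =` line keeps `md5` in carol's plugin list, whereas dave's and moon's charon.conf converted in the same change (L7111, L7146) do not load it, and none of the proposals used in this test (`aes128-sha256-x25519`, `aes128gcm128-x25519`) need an MD5 hasher. A hasher that no proposal references only widens what the daemon is able to compute on request (signature verification is the usual place this matters), so unless something outside this chunk depends on it, drop it: `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve`. If it is kept on purpose, a one-line comment saying why would save the next reader the same question.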
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default connmark
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_MOON
+
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 0.0.0.0/0
+ remote_ts = 0.0.0.0/0
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr forecast
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr forecast
syslog {
daemon {
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ pools = rw
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16,224.0.0.0/4
+ remote_ts = dynamic,224.0.0.0/4,10.1.255.255
+
+ mark_in = %unique
+ mark_out = %unique
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw {
+ addrs = 10.1.0.128/26
+ }
+}
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*mark-in=00000001 mark-out=00000001 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TRANSPORT protocol=ESP encap=yes.*mark-in=00000002 mark-out=00000002 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
+sun::conntrack -L
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ mode = transport
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default connmark
}
--- /dev/null
+connections {
+
+ nat-t {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ mode = transport
+
+ mark_in = %unique
+ mark_out = %unique
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ mode = transport
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
sun::expect-connection nat-t
alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=venusCert.pem
- leftid=venus@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::sleep 11::NO
+carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
+carol::cat /var/log/daemon.log::sending DELETE for ESP CHILD_SA::YES
+moon:: cat /var/log/daemon.log::received DELETE for ESP CHILD_SA::YES
+moon:: cat /var/log/daemon.log::sending DELETE for ESP CHILD_SA::YES
+carol::cat /var/log/daemon.log::received DELETE for ESP CHILD_SA::YES
+carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::NO
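Review bot: The final check only asserts that no echo reply arrives after the inactivity timeout; it does not distinguish "the packet was dropped" from "the packet left carol unprotected once the CHILD_SA and its policies were removed". With `inactivity = 10s` and no trap policy in carol's connection, a plaintext echo request towards alice after the DELETE is plausible, so if tcpdump is enabled on moon for this test (the host list is not visible in this chunk) an explicit expectation such as `moon::tcpdump::IP carol.strongswan.org > alice.strongswan.org: ICMP echo request::NO` (or `::YES`, whichever is the intended post-deletion behaviour) would pin it down. As written, a regression that silently sends cleartext would still pass this evaluation.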
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals =aes128gcm16-x25519
+ inactivity = 10s
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="m-c-w.png"
# Guest instances on which tcpdump is to be started
#
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration
payload. The gateway moon assigns virtual IP addresses from two disjoint pools named
<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the
-single address <b>10.3.1.1</b> predefined in the SQL database.
+single address <b>10.3.1.1</b> predefined in the SQL database.
+
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.1.1] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default sqlite attr-sql vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = pool0, pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::ipsec pool --del pool0 2> /dev/null
+moon::ipsec pool --del pool1 2> /dev/null
moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
moon::ipsec pool --status 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
+Both hosts request a <b>virtual IP</b> via the IKEv2 configuration payload.
+Gateway <b>moon</b> assigns virtual IP addresses from <b>pool1</b> with an address range of
+<b>10.3.0.0/28</b> to hosts connecting to the <b>eth0</b> (192.168.0.1) interface and
+virtual IP addresses from an SQLite-based pool named <b>intpool</b> [10.4.0.1..10.4.1.244] to
+hosts connecting to the <b>eth1</b> (10.1.0.1) interface.
+<p>
+Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
+both ping the gateway <b>moon</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES
+moon:: cat /var/log/daemon.log::added vici pool pool1: 10.3.0.0, 14 entries::YES
+moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES
+moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+}
\ No newline at end of file
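Review bot: The new moon strongswan.conf ends without a trailing newline (the marker at L7767), unlike the other strongswan.conf files added in this commit; add the final newline after the closing `}` of the `pool` section. The description.txt files at L7879 and L8016 show the same marker.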
--- /dev/null
+connections {
+
+ rw1 {
+ local_addrs = 192.168.0.1
+ pools = pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw1 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ rw2 {
+ local_addrs = 10.1.0.1
+ pools = intpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw2 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ pool1 {
+ addrs = 10.3.0.0/28
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+alice::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
alice::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-alice::ipsec start
-moon::expect-connection int
-moon::expect-connection ext
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+alice::systemctl start strongswan
+moon::expect-connection rw1
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw2
alice::expect-connection home
-alice::ipsec up home
+alice::swanctl --initiate --child home 2> /dev/null
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="alice carol"
+TCPDUMPHOSTS="carol alice"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="alice moon carol"
+IPSECHOSTS="moon carol alice"
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
-<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
-from persistent pools stored in an SQL database using the <b>rightsourceip</b> option.
-The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
+<b>vips = 0.0.0.0,0::0</b>. GGateway <b>moon</b> assigns virtual IPs addresses
+from persistent pools stored in an SQL database.
+The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
\ No newline at end of file
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1 fec3::1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32 fec3::1/128] remote-ts=\[10.1.0.0/16 fec1::/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1 fec3::1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 fec1::/16] remote-ts=\[10.3.0.1/32 fec3::1/128]::YES
+moon:: ipsec pool --status 2> /dev/null::pool_v4.*10.3.0.1.*10.3.1.254.*48h.*510 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool_v6.*fec3:\:1.*fec3:\:fe.*48h.*254 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool_v4,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool_v6,addr=fec3::1,id=carol@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
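Review bot: The moon check at L7882 requires the literal `rw1` after `child-sas`, but moon's swanctl.conf in this commit names the child `rw` (L7965); if the raw listing prints the child section as `rw-1 { name=rw uniqueid=1 reqid=1 …`, that literal never appears and the line fails. The same pattern is copied into the in-memory pool variant at L8019, whose child is also `rw` (L8087). Unless both patterns were verified against a live run, change them to `child-sas.*rw.*reqid=1`, which also matches how the `net` child is checked at L8169.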
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0, 0::0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 0.0.0.0/0,::/0
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici sqlite attr-sql
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+}
--- /dev/null
+connections {
+
+ rw {
+ pools = pool_v4, pool_v6
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16,fec1::0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+alice::ip -6 route del default via fec1:\:1
moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
-moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
-moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
+moon::ipsec pool --add pool_v4 --start 10.3.0.1 --end 10.3.1.254 --timeout 48 2> /dev/null
+moon::ipsec pool --add pool_v6 --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
alice::ip -6 route add default via fec1:\:1
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
#
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>vips = 0.0.0.0,0::0</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from two in-memory pools defined in the <b>pools</b> section. The established tunnel
+carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
\ No newline at end of file
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1 fec3::1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32 fec3::1/128] remote-ts=\[10.1.0.0/16 fec1::/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1 fec3::1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 fec1::/16] remote-ts=\[10.3.0.1/32 fec3::1/128]::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0, 0::0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 0.0.0.0/0,::/0
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ rw {
+ pools = pool_v4, pool_v6
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16,fec1::0/16
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ pool_v4 {
+ addrs = 10.3.0.0/28
+ }
+ pool_v6 {
+ addrs = fec3::/120
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+alice::ip -6 route del default via fec1:\:1
--- /dev/null
+alice::ip -6 route add default via fec1:\:1
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
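Review bot: `dave` is listed in VIRTHOSTS (L8124) but nothing in this scenario uses it: IPSECHOSTS is `moon carol` (L8137), TCPDUMPHOSTS is `carol` (L8132), and neither the pretest at L8110-8115 nor the evaltest at L8018-8024 runs a command on dave. The existing test.conf files at L7852 and L7996 get the same addition with dave equally absent from their IPSECHOSTS. If the extra guest is required by the test harness rather than by the scenario, a one-line comment next to VIRTHOSTS such as `# dave is booted only because <reason>` would keep the next maintainer from removing it; otherwise dropping it shortens each run.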
moon::systemctl start strongswan
carol::systemctl start strongswan
alice::systemctl start strongswan
-moon::expect-connection rw
+moon::expect-connection rw1
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
+moon::expect-connection rw2
alice::expect-connection home
alice::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via IKEv2 configuration
+payloads by using the <b>vips = 0.0.0.0</b> parameter.
+<b>moon</b> assigns virtual IP addresses from a simple pool defined in the pools section
+of swanctl.conf in a monotonously increasing order.
+<p>
+Using the <b>lookip --lookup</b> command, which communicates with the <b>lookip</b> plugin
+via a UNIX socket, information about the assigned virtual IPs is retrieved.
+<p>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon:: /usr/local/libexec/ipsec/lookip --lookup PH_IP_CAROL1 2> /dev/null::192.168.0.100.*rw\[1].*carol@strongswan.org::YES
+moon:: /usr/local/libexec/ipsec/lookip --lookup PH_IP_DAVE1 2> /dev/null::192.168.0.200.*rw\[2].*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_MOON
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl vici kernel-netlink socket-default updown lookip
+}
--- /dev/null
+connections {
+
+ rw {
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> options. With the <b>set_mark_in</b> option, the
+corresponding mark is applied to the inbound packets after decryption. Return traffic is
+marked via <b>iptables -t mangle</b> rules in the PREROUTING chain.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
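Review bot: The bob tcpdump expectations at L8362-8365 use the placeholders `PH_IP_CAROL10` and `PH_IP_DAVE10`, while the pretest rules they depend on (L8520-8524) and the description (L8341) now spell the SNAT addresses out as `10.3.0.10` and `10.3.0.20`. The check only passes as long as the placeholders still expand to exactly those two addresses, so keeping one form in both files avoids the two silently drifting apart. Either write the literal addresses here too, e.g. `bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES`, or restore the placeholders in the pretest rules.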
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
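Review bot: This strongswan.conf configures a `charon` section (L8369), yet the daemon is started with `systemctl start strongswan` (L8526), which runs charon-systemd; the other new strongswan.conf files in this commit use `charon-systemd {` (L7679, L7716). I believe charon-systemd falls back to the `charon` section, so the plugin list is probably picked up, but the mixed naming invites confusion, and this file also lacks the `swanctl { load = … }` section the others carry. Venus's copy at L8462-8466 and sun's modified file at L8401-8404 have the same shape; renaming the section to `charon-systemd` in all three would make the set uniform.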
--- /dev/null
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
syslog {
daemon {
knl = 2
--- /dev/null
+connections {
+
+ alice : connections.nat-t {
+ remote {
+ id = alice@strongswan.org
+ }
+ children {
+ nat-t {
+ mark_in = 10
+ set_mark_in = %same
+ mark_out = 10
+ }
+ }
+ }
+
+ venus : connections.nat-t {
+ remote {
+ id = venus.strongswan.org
+ }
+ children {
+ nat-t {
+ mark_in = 20
+ set_mark_in = %same
+ mark_out = 20
+ }
+ }
+ }
+
+ nat-t {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 0.0.0.0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
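Review bot: The template `nat-t` at L8437-8459 sits inside `connections`, so as far as I can tell swanctl loads it as a third, standalone connection: no remote `id`, `remote_ts = 0.0.0.0/0`, and none of the marks that `alice` and `venus` add. Any peer presenting a certificate the gateway trusts could then match this unmarked connection and bypass the mark-based SNAT this scenario is about. I would move the shared settings out of `connections` into a top-level section (e.g. `nat-t-defaults`) and reference it as `alice : nat-t-defaults`, assuming a top-level reference is accepted as `connections.nat-t` is, so that only the two marked connections exist; the `expect-connection` lines at L8528-8529 already wait only for those two.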
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ nat-t {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ nat-t {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
venus::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-sun::rm /etc/mark_updown
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
+# NAT client traffic to distinct virtual IPs
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+# mark the return traffic accordingly
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
sun::expect-connection alice
sun::expect-connection venus
alice::expect-connection nat-t
-alice::ipsec up nat-t
+alice::swanctl --initiate --child nat-t
venus::expect-connection nat-t
-venus::ipsec up nat-t
+venus::swanctl --initiate --child nat-t
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES
venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES
-sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures
as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>.
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = rsa-sha384
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
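Review bot: The scenario exercises RFC 7427 signature schemes, but `remote { auth = pubkey }` on L8598 (and on L8638 for sun) accepts any scheme, so the expected scheme is pinned only by the daemon.log grep in the evaltest (L8568/L8569). Constraining the remote side as well, `auth = rsa-sha512` here on moon and `auth = rsa-sha384` on sun, would make the IKE authentication fail closed if the peer used a different scheme instead of merely failing the log check. If I remember the swanctl.conf semantics correctly, the scheme suffix is accepted on `remote.auth` as a constraint on the peer, the same way it selects the scheme on `local.auth`; worth confirming before applying.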
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = rsa-sha512
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
The authentication is based on trustworthy public keys stored as <b>CERT</b>
resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
<p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
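Review bot: The evaltest asserts only that a DNS query for CERT RRs was issued (L8686/L8687) and that the SA came up; nothing checks that the answer was DNSSEC-validated against the trust anchor now configured on L8709/L8763. Since the pretest removes `x509ca/*` (L8818/L8819) and `send_cert = never` is set, an ESTABLISHED SA does imply the peer key came from DNS, but whether it also implies a validated answer depends on the dnscert plugin rejecting unvalidated responses, which this hunk cannot show. I would add a grep for the daemon.log line that reports the validated DNS answer, taking the exact wording from a passing run, so the DNSSEC part of the scenario is asserted rather than implied.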
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
plugins {
dnscert {
enable = yes
}
unbound {
- # trust_anchors = /etc/ipsec.d/dnssec.keys
- # resolv_conf = /etc/resolv.conf
+ trust_anchors = /etc/swanctl/dnssec.keys
+ resolv_conf = /etc/resolv.conf
}
}
}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = sun.strongswan.org
+
+ send_cert = never
+ send_certreq = no
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
plugins {
dnscert {
enable = yes
}
unbound {
- # trust_anchors = /etc/ipsec.d/dnssec.keys
- # resolv_conf = /etc/resolv.conf
+ trust_anchors = /etc/swanctl/dnssec.keys
+ resolv_conf = /etc/resolv.conf
}
}
}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = moon.strongswan.org
+
+ send_cert = never
+ send_certreq = no
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::rm /etc/swanctl/dnssec.keys
+sun::rm /etc/swanctl/dnssec.keys
moon::rm /etc/resolv.conf
sun::rm /etc/resolv.conf
-moon::rm /etc/ipsec.d/dnssec.keys
-sun::rm /etc/ipsec.d/dnssec.keys
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/swanctl/x509ca/*
+sun::rm /etc/swanctl/x509ca/*
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::swanctl --initiate --child net-net 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
sun::systemctl stop strongswan
moon::cd /etc/swanctl; rm dnssec.keys pubkey/*
sun::cd /etc/swanctl; rm dnssec.keys pubkey/*
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The key exchange is based on NTRU encryption with a security strength of 128 bits.
The ANSI X9.98 NTRU encryption parameter set used is optimized for bandwidth.
+The authentication is based on <b>X.509 certificates</b>.
<p/>
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown
multiple_authentication = no
send_vendor_id = yes
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ntru128
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown
multiple_authentication = no
send_vendor_id = yes
parameter_set = x9_98_bandwidth
}
}
-}
+}
\ No newline at end of file
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ntru128
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
-
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is
bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.
<p/>
-Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon::swanctl --list-sas --raw 2> /dev/null::dscp-be.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon-be remote-host=PH_IP_SUN remote-port=500 remote-id=sun-be initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::dscp-ef.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon-ef remote-host=PH_IP_SUN remote-port=500 remote-id=sun-ef initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::dscp-be.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun-be remote-host=PH_IP_MOON remote-port=500 remote-id=moon-be.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=0000000a mark-out=0000000a encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::dscp-ef.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun-ef remote-host=PH_IP_MOON remote-port=500 remote-id=moon-ef.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000014 mark-out=00000014 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ dscp-be {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = psk
+ id = moon-be
+ }
+ remote {
+ auth = psk
+ id = sun-be
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ mark_in = 10
+ mark_out = 10
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+
+ dscp-ef : connections.dscp-be {
+ local {
+ id = moon-ef
+ }
+ remote {
+ id = sun-ef
+ }
+ children {
+ net-net {
+ mark_in = 20
+ mark_out = 20
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ id-be = sun-be
+ id-ef = sun-ef
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
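Review bot: moon derives `dscp-ef` from the live connection `connections.dscp-be` (L9027), whereas sun uses a separate top-level template `dscp-base` that both `dscp-be` and `dscp-ef` include (L9058, L9084, L9099). Both forms work, but using one idiom on both gateways would make the two files easier to compare side by side. sun's template form also keeps the shared settings (PSK auth, updown, proposals) in one section that is clearly not a loaded connection, with only the IDs and marks overridden per connection, so I would adopt that form on moon too.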
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown
multiple_authentication = no
syslog {
daemon {
--- /dev/null
+dscp-base {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+}
+
+connections {
+
+ dscp-be : dscp-base {
+ local {
+ id = sun-be
+ }
+ remote {
+ id = moon-be
+ }
+ children {
+ net-net {
+ mark_in = 10
+ mark_out = 10
+ }
+ }
+ }
+
+ dscp-ef : dscp-base {
+ local {
+ id = sun-ef
+ }
+ remote {
+ id = moon-ef
+ }
+ children {
+ net-net {
+ mark_in = 20
+ mark_out = 20
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ id-be = moon-be
+ id-ef = moon-ef
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
alice::iptables -t mangle -F OUTPUT
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
-sun::ipsec start
-moon::ipsec start
+sun::systemctl start strongswan
+moon::systemctl start strongswan
sun::expect-connection dscp-ef
moon::expect-connection dscp-be
-moon::ipsec up dscp-be
+moon::swanctl --initiate --ike dscp-be --child net-net
moon::expect-connection dscp-ef
-moon::ipsec up dscp-ef
+moon::swanctl --initiate --ike dscp-ef --child net-net
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
-After a while the CHILD_SA is rekeyed by <b>moon</b> (after a deliberately short
-time in this test scenario).
+After a while, the CHILD_SA is rekeyed by <b>moon</b> (after a deliberately short
+time in this test scenario).<br/>
In order to test both tunnel and firewall after the rekeying, client <b>alice</b>
behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>
twice, once right after the rekeying and once after the old inbound SA has been
--- /dev/null
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::sleep 6::wait for rekeying::NO
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::2
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
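Review bot: The two `deleted SAD entry with SPI` counts (L9185, L9188) each sit on roughly one second of margin: with `rekey_time = 5s` and `rand_time = 0` (L9231, L9233) the rekey fires at about 5s and the first count is checked after `sleep 6`; with `delete_rekeyed_delay = 2` (L9202) the old inbound SA goes at about 7s and the second count is checked after a further `sleep 2`, i.e. at about 8s, if I read the delete sequence right. On a loaded test host that second count may still be 1, which would make the test flaky rather than fail for a real reason. Widening the margin a little, for example `delete_rekeyed_delay = 1` with the sleeps unchanged, keeps both checks comfortably before the next rekey at about 10s that would raise the count further.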
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ # remove rekeyed inbound SA a bit quicker for the test scenario
+ delete_rekeyed_delay = 2
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ # short lifetimes for testing purposes
+ rekey_time = 5s
+ life_time = 10s
+ rand_time = 0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
-
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+moon::systemctl start strongswan
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
A tunnel that will connect the subnets behind the gateways <b>moon</b>
and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
-on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
+on gateway <b>moon</b> by means of the setting <b>start_action = trap</b> in swanctl.conf.
A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
leads to the automatic establishment of the subnet-to-subnet tunnel.
-<p>
+<p/>
The updown script automatically inserts iptables-based firewall rules
that let pass the tunneled traffic.
sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
<p/>
-Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
-<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
-connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
-the necessary NETMAP operations and forward the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the updown
+script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. On gateway <b>sun</b>, a custom updown script
+inserts iptables rules that create the necessary NETMAP operations and forward the
+tunneled traffic.
<p/>
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
--- /dev/null
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.0.0.0/14] remote-ts=\[10.4.0.0/14]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*mark-in=00000008 mark-out=00000004 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.0/14] remote-ts=\[10.0.0.0/14]::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_.eq=1::YES
+bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
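Review bot: The daemon section is named `charon {` on L9348 although the scenario starts the daemon with `systemctl start strongswan` (L9480) and the other scenarios in this series use `charon-systemd {` for the same plugin list (L9199, L9251, L9545); the same applies to L9433, L9674, L9712, L9794 and L9833. As far as I recall charon-systemd falls back to the `charon` section, so the plugin list is presumably still honoured, but naming the section `charon-systemd` would make that explicit and keep the series consistent.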
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_MOON
+ remote_addrs = PH_IP_SUN
+
+ local {
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.0.0.0/14
+ remote_ts = 10.4.0.0/14
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
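Review bot: The `local` section on L9358-L9361 omits `auth = pubkey`, while the `remote` section on L9362-L9365 and the sibling configs in this series (L9216-L9220, L9261-L9265) spell it out; the same omission is in sun's file on L9443-L9446. As far as I know `auth` defaults to pubkey, so behaviour is unaffected, but an explicit `auth = pubkey` keeps both peers' authentication requirements readable side by side and consistent with the rest of the patch.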
# define internal interface
INT_INTERFACE="eth1"
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK_IN="-p esp"
- fi
- SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
# is there an outbound mark to be set?
if [ -n "$PLUTO_MARK_OUT" ]
then
# If you are doing a custom version, firewall commands go here.
if [ -n "$PLUTO_MARK_IN" ]
then
- iptables -t mangle -A PREROUTING $SET_MARK_IN
iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -d $IN_NET -j NETMAP --to $SAME_NET
+ -d $IN_NET -j NETMAP --to $SAME_NET
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -s $SAME_NET -j NETMAP --to $OUT_NET
+ -s $SAME_NET -j NETMAP --to $OUT_NET
fi
if [ -n "$PLUTO_MARK_OUT" ]
then
- iptables -t mangle -A PREROUTING $SET_MARK_OUT
+ iptables -t mangle -A PREROUTING $SET_MARK_OUT
iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-d $OUT_NET -j NETMAP --to $SAME_NET
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
# If you are doing a custom version, firewall commands go here.
if [ -n "$PLUTO_MARK_IN" ]
then
- iptables -t mangle -D PREROUTING $SET_MARK_IN
iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -d $IN_NET -j NETMAP --to $SAME_NET
+ -d $IN_NET -j NETMAP --to $SAME_NET
iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
- -s $SAME_NET -j NETMAP --to $OUT_NET
+ -s $SAME_NET -j NETMAP --to $OUT_NET
fi
if [ -n "$PLUTO_MARK_OUT" ]
then
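Review bot: The teardown branch on L9424 deletes the POSTROUTING NETMAP rule with a hard-coded `-o eth1`, while the matching add on L9405 uses `-o $INT_INTERFACE`; the two only agree because L9381 sets `INT_INTERFACE="eth1"`, and changing that variable would leave the NETMAP rule installed after the CHILD_SA goes down. Since the hunk already re-indents the neighbouring continuation lines, it would be cheap to change L9424 to `iptables -t nat -D POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \`. Dropping the SET_MARK_IN mangle rule presumably relies on the kernel applying the SA's mark to inbound packets (`set_mark_in = %same` in sun's swanctl.conf, L9457); a one-line comment saying so above the `PLUTO_MARK_IN` check would save the next reader from looking for the missing rule. The surrounding up/down case branches start and end outside the hunk.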
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ local {
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.4.0.0/14
+ remote_ts = 10.0.0.0/14
+
+ mark_in = 8
+ set_mark_in = %same
+ mark_out = 4
+
+ updown = /etc/mark_updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
sun::iptables -t mangle -n -v -L PREROUTING
sun::iptables -t nat -n -v -L
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun bob"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
respectively, is automatically established by means of the setting
-<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
-behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>. The updown script automatically inserts iptables-based
-firewall rules that let pass the tunneled traffic.
+<b>start_action = start </b> in swanctl.conf.
+<p/>
+The connection is tested by client <b>alice</b> behind gateway <b>moon</b> pinging
+the client <b>bob</b> located behind gateway <b>sun</b>. The updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
is checked via the OCSP server <b>winnetou</b> which possesses a <b>self-signed</b>
OCSP signer certificate that must be imported locally by the peers into the
-<b>/etc/swanctl/x509ocsp/</b> directory. A strongswan <b>ca</b> section in ipsec.conf
-defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
+<b>/etc/swanctl/x509ocsp/</b> directory. A strongswan <b>authorities</b> section
+in swanctl.conf defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
<p>
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
the status of both certificates is <b>good</b>.
--- /dev/null
+Using <b>[<protocol>/<port>]</b> selectors in the
+<b>local_ts</b> and <b>remote_ts</b> child parameters, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
+The first CHILD_SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections.
+<p/>
+By sending a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP trap
+is triggered and the corresponding IPsec tunnel is set up. In the same
+way an ssh session to <b>alice</b> over the second IPsec SA is established.
\ No newline at end of file
--- /dev/null
+carol::cat /var/log/daemon.log::creating acquire job.*\[icmp/8]::YES
+carol::cat /var/log/daemon.log::creating acquire job.*\[tcp/ssh]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ icmp {
+ local_ts = dynamic[icmp]
+ remote_ts = 10.1.0.0/16[icmp]
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ start_action = trap
+ }
+ ssh {
+ local_ts = dynamic[tcp]
+ remote_ts = 10.1.0.0/16[tcp/ssh]
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ start_action = trap
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ icmp {
+ local_ts = 10.1.0.0/16[icmp]
+ remote_ts = dynamic[icmp]
+
+ hostaccess = yes
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ ssh {
+ local_ts = 10.1.0.0/16[tcp/ssh]
+ remote_ts = dynamic[tcp]
+
+ hostaccess = yes
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection icmp
+moon::expect-connection ssh
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
+carol::ssh PH_IP_ALICE hostname
+
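Review bot: `carol::ssh PH_IP_ALICE hostname` on L9644 runs without a connect timeout, whereas the evaltest on L9537 uses `ssh -o ConnectTimeout=5`; if the trap-triggered CHILD_SA does not come up, the pretest blocks for the full TCP connect timeout instead of failing fast. Suggest `carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname`. L9645 also adds a trailing empty line that the other pretest files in this series (L9298, L9484) do not have.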
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
This scenario tests <b>repeated authentication</b> according to RFC 4478.
-The initiator <b>carol</b> sets a large <b>ikelifetime=20m</b> but the responder
-<b>moon</b> defining a much shorter <b>ikelifetime=30s</b> proposes this
-value via an AUTH_LIFETIME notification to the initiator. Thus the
+The initiator <b>carol</b> sets a large <b>reauth_time=60m</b> but the responder
+<b>moon</b> defining a much shorter <b>reauth_time=30s</b> proposes this
+value via an AUTH_LIFETIME notification to the initiator. Thus the
IKE reauthentication takes places after less than 30s. A ping from
<b>carol</b> to client <b>alice</b> hiding in the subnet behind <b>moon</b>
-tests if the CHILD_SA has been inherited by the new IKE_SA.
+tests if the CHILD_SA has been recreated under the new IKE_SA.
--- /dev/null
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 20s::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 60m
+ over_time = 10s
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 30s
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+carol::sleep 21
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
This scenario tests <b>repeated authentication</b> according to RFC 4478.
-The initiator <b>carol</b> sets a short <b>ikelifetime=20m</b> but the responder
-<b>moon</b> defining a much larger <b>ikelifetime=30s</b> proposes this
+The initiator <b>carol</b> sets a short <b>reauth_time=20s</b> but the responder
+<b>moon</b> defining a much larger <b>reauth_time=60m</b> proposes this
value via an AUTH_LIFETIME notification to the initiator. The initiator
-ignores this notification and schedules the IKE reauthentication within
-the shorter interval of 30s. A ping from <b>carol</b> to client <b>alice</b>
+ignores this notification and schedules the IKE reauthentication at its
+configured time. A ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA has been
-inherited by the new IKE_SA.
+recreated under the new IKE_SA.
--- /dev/null
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::cat /var/log/daemon.log::scheduling reauthentication in 20s::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 20s::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 20s
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 60m
+ over_time = 10s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
-carol::sleep 30
+carol::swanctl --initiate --child home
+carol::sleep 21
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
This scenario tests <b>make-before-break reauthentication</b> using overlapping
IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
-initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
-<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
-CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
-hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
-whole procedure.
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b>, but does
+not close the old IKE_SA before the replacement CHILD_SA is in place.
<p/>
Because the responder is always able to install CHILD_SAs before the initiator
is, some traffic sent by the responder over such a CHILD_SA might get dropped by
--- /dev/null
+winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
+winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
+carol::swanctl --flush-certs --type x509_crl
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::sleep 6
+carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
+carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::NO
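Review bot: `carol::sleep 6` on L9910 leaves roughly one second after carol's `reauth_time = 5s` (L9935) for the CRL fetch from winnetou and the verification failure that L9911-L9914 expect, so these checks presumably race the reauthentication on a slow fetch. A slightly larger margin such as `carol::sleep 8` would make the test less timing-sensitive without changing what it verifies. The expectation on L9911 (`certificate was revoked.*key compromise`) is the right check here, since it ties the SA deletion to the revocation reason rather than to a generic verification failure.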
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
winnetou::cp /var/www/strongswan.crl.bak /var/www/strongswan.crl
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::NO
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::NO
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ vips = 0.0.0.0
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ pools = rw
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ rw {
+ addrs = 10.3.0.0/24
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
-carol::sleep 30
+carol::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
This scenario tests <b>make-before-break reauthentication</b> using overlapping
IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
-initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
-<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
-CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b>, but does
+not close the old IKE_SA before the replacement CHILD_SA is in place.
+A constant ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
whole procedure.
--- /dev/null
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::NO
+carol::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::NO
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ make_before_break = yes
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ # short lifetimes for testing purposes
+ reauth_time = 5s
+ over_time = 5s
+ rand_time = 0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = PH_IP_MOON
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+moon::systemctl stop strongswan
+carol::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
proposals = aes128-sha256-x25519
}
}
-
-secrets {
-
- rsa-carol {
- file = carolKey.pem
- secret = "nH5ZQEWtku0RJEZ6"
- }
-}
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-md5 updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-md5
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+}
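Review bot: `mgf1` is listed twice in the `charon-systemd.load` line at L10385 (`... sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp ...`). I would expect the plugin loader to tolerate the repeat, but it makes the peer configs diverge for no reason; carol's counterpart at L10340 lists it once, so the line should read `load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown`.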
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
+
+ plugins {
+ eap-dynamic {
+ prefer_user = yes
+ preferred = md5, tls
+ }
+ }
+}
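Review bot: `mfg1` in the `charon-systemd.load` list at L10423 looks like a typo for `mgf1`, which already appears a few entries earlier on the same line. As written, charon will attempt to load a plugin by that name at startup and log a load failure for it, which adds noise to the daemon log the evaluation greps; the intended line is presumably `load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown`.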
--- /dev/null
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-dynamic
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
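Review bot: The load list at L10526 includes `eap-peap`, which nothing in this scenario appears to use: carol's connection at L10537 uses `auth = eap` with `eap_id = carol`, and the evaluation at L10502 expects `server requested EAP_MD5 authentication`. Dave's counterpart at L10572 lists a plugin named plainly `eap`, which as far as I know is not a strongSwan plugin name and will produce a load failure at startup; both lines should probably end with `... socket-default eap-identity eap-md5 updown`, matching the sibling configs at L10725 and L10776. If `eap-peap` is intentionally kept to exercise method negotiation, a short comment on the line would save the next reader the same question.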
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = eap
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = eap
+ eap_id = dave
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
plugins {
eap-radius {
- class_group = yes
secret = gv6URkSs
server = PH_IP_ALICE
}
--- /dev/null
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+ pools = radius
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = %any
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
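Review bot: `id = %any` in the `remote` section at L10639 is the default for a remote identity, and the other gateway configs in this commit (e.g. `research` at L10841–L10845) leave it out; dropping the line keeps the configs consistent and leaves the section as `auth = eap-radius` plus `eap_id = %any`. If it is kept deliberately to make the intent explicit, a one-line comment such as `# any IKE identity, the EAP identity is what RADIUS authorizes` would say so.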
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
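Review bot: `carol::iptables-restore < /etc/iptables.rules` appears twice (L10666 and L10667) while dave never has its firewall rules restored after the flush, so dave runs the scenario with an empty rule set even though its connection uses `updown = /usr/local/libexec/ipsec/_updown iptables`; the second line should be `dave::iptables-restore < /etc/iptables.rules`, as in the eap-dynamic pretest at L10476–L10478. The same copy-paste slip appears in the sibling test at L10896–L10897.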
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou moon"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = dave
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
plugins {
eap-radius {
--- /dev/null
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = Research
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = Accounting
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
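Review bot: The `groups = Research` (L10844) and `groups = Accounting` (L10870) constraints only have effect if group membership is supplied for the EAP-authenticated peer, which for `auth = eap-radius` comes from the RADIUS server's attributes via the eap-radius plugin; moon's strongswan.conf hunk at L10819–L10829 is cut right at `eap-radius {`, so I could not confirm that the option enabling this (`class_group`, which the other RADIUS test removes at L10621) is still set here. Worth a check, since the evaluation at L10704 and L10710 depends on the mismatched group being rejected. A comment above the `remote` section, e.g. `# group membership is taken from the RADIUS Class attribute`, would document the dependency.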
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
alice::killall freeradius
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
# All guest instances that are required for this test
#
-VIRTHOSTS="alice venus moon carol winnetou moon"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
-DIAGRAM="a-v-m-c-w-d.png"
+DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
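Review bot: `VIRTHOSTS="alice carol winnetou dave moon"` at L10915 drops `venus` from the guest list, but this scenario still targets venus: dave's evaluation pings `PH_IP_VENUS` (L10712), the moon `accounting` connection carries `local_ts = 10.1.0.20/32` (L10874), and both clients define a `venus` child. The edit (and the `a-m-c-w-d.png` diagram at L10919) looks copied from the sibling test at L10681–L10686, which only talks to alice; if the harness boots only the listed guests, the venus ping will fail. Suggested: `VIRTHOSTS="alice venus carol winnetou dave moon"` with the previous venus-inclusive diagram.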
The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
(without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Large certificates and a multi-level trust hierarchy with a path length
-of 3 force a fragmentation of the TLS handshake message into two TLS records.
+respectively.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=carol@d.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.d.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.d.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=carol@d.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
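Review bot: `max_message_count = 40` on L10961 raises the eap-tls plugin's limit above its default of 32 EAP messages without a comment saying why this scenario needs more. strongswan.conf accepts `#` comments, so a one-liner such as `# the EAP-TLS handshake in this scenario exceeds the default limit of 32 messages` (with the actual reason filled in) would keep the override from being reverted as noise later. The same uncommented override appears in moon's strongswan.conf (L11011).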
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = carol_D_cert.der
+ }
+ remote {
+ auth = eap-tls
+ id = "C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
--- /dev/null
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = moon_D_cert.der
+ }
+ remote {
+ auth = eap-tls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::cd /etc/swanctl; rm rsa/moonKey.pem rm x509/moonCert.pem x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/carolKey.pem x509/carolCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
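Review bot: The moon line on L11053 has a stray `rm` token in the middle of its argument list, `rm rsa/moonKey.pem rm x509/moonCert.pem x509ca/strongswanCert.pem`, so rm also tries to delete a file literally named `rm` and reports an error with a non-zero exit status on every run, even though the three intended files are presumably still removed. Change it to `moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem`, matching the carol line on L11054.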
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> options. With the <b>set_mark_in</b> option, the
+corresponding mark is applied to the inbound packets after decryption. Return traffic is
+marked via <b>iptables -t mangle</b> rules in the PREROUTING chain.
+<p/>
+In order to test the tunnel, the hosts <b>alice</b> and <b>venus</b> ping the client
+<b>bob</b> behind the gateway <b>sun</b>.
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/25] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::alice.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_ALICE.*remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*mark-in=0000000a mark-out=0000000b encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::venus.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_VENUS.*remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=home.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*mark-in=00000014 mark-out=00000015 encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/25]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
syslog {
daemon {
knl = 2
--- /dev/null
+connections {
+
+ alice : connections.home {
+ remote {
+ id = alice@strongswan.org
+ }
+ children {
+ home {
+ mark_in = 10/0xffffffff
+ set_mark_in = %same
+ mark_out = 11/0xffffffff
+ }
+ }
+ }
+
+ venus : connections.home {
+ remote {
+ id = venus.strongswan.org
+ }
+ children {
+ home {
+ mark_in = 20 # 0xffffffff is used by default
+ set_mark_in = %same
+ mark_out = 21 # 0xffffffff is used by default
+ }
+ }
+ }
+
+ home {
+ local_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ home {
+ local_ts = 10.2.0.0/16
+ remote_ts = 0.0.0.0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
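Review bot: The `home` section on L11169 is loaded as a live connection in its own right, not only as the template that `alice` and `venus` inherit from, since swanctl loads every section under `connections`. It has no `remote.id`, `remote_ts = 0.0.0.0/0` and no marks, so as far as I can tell a peer with a trusted certificate and an identity other than the two listed would match it and receive an unmarked, un-NATed policy. If it is intended only as a base, a comment on L11169 such as `# base settings inherited by alice and venus; this section is itself loaded as a catch-all connection` would make that explicit.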
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = PH_IP_SUN
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ home {
+ local_ts = 10.1.0.0/25
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ hostaccess = yes
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+sun::systemctl stop strongswan
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
venus::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::rm /etc/mark_updown
-moon::iptables -t nat -F
+winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
--- /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+# NAT client traffic to distinct virtual IPs
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+# mark the return traffic accordingly
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection alice
+alice::expect-connection home
+alice::swanctl --initiate --child home
+sun::expect-connection venus
+venus::expect-connection home
+venus::swanctl --initiate --child home
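Review bot: The initiations on L11259 and L11262 lack the `2> /dev/null` redirection that the other pretest files in this commit use (e.g. L11061, L11466). If the intent is the same as elsewhere, add the redirection for consistency; if stderr is deliberately kept here, a short comment saying so would prevent someone from "fixing" it.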
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on strong
+preshared keys (PSKs).
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>vips = 0.0.0.0</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool in a monotonously increasing order.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
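Review bot: `send_vendor_id = yes` on L11307 is doing real work but is undocumented: strongSwan only negotiates private-use algorithm identifiers such as the NTRU groups with a peer that has announced the strongSwan vendor ID, so without this line the ntru128/ntru192 proposals would presumably never be selected. A comment above it like `# NTRU groups use private-use IKE identifiers, only accepted between peers that exchanged the strongSwan vendor ID` would tell the next maintainer it must not be removed. The same applies to the dave and moon strongswan.conf sections (L11354, L11401).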
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ntru128
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm128-ntru192
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ntru192
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
+ send_vendor_id = yes
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ntru128,aes192gcm128-ntru192
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ntru128,aes192-sha384-ntru192
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and fully qualified domain names. By setting the wildcard <b>remote.id=@*.strongswan.org</b>
+on <b>carol</b> and <b>dave</b>, no <b>IDr</b> payloads are sent by the roadwarriors.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the
+client <b>alice</b> behind the gateway <b>moon</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave ::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon ::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon ::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon ::cat /var/log/daemon.log::looking for peer configs matching 192.168.0.1\[%any]...192.168.0.100\[carol@strongswan.org]
+moon ::cat /var/log/daemon.log::looking for peer configs matching 192.168.0.1\[%any]...192.168.0.200\[dave@strongswan.org]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
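Review bot: The two daemon.log checks on L11491 and L11492 are missing the trailing `::YES` result field that every other evaltest line in this commit carries, so the harness has no expected outcome for them; depending on how it treats an empty fourth field they may be silently ignored or fail outright. Append `::YES` to both lines. Since these are the checks that demonstrate the no-IDr behaviour (`192.168.0.1\[%any]`), they are the ones you least want skipped.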
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = *.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
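Review bot: The wildcard remote identity on L11522 is written `*.strongswan.org`, whereas the description added in this commit (L11479) documents it as `remote.id=@*.strongswan.org`; strongSwan should parse both as an FQDN wildcard, but the two should agree so that readers copying the value get the same thing. Either change the config to `id = @*.strongswan.org` here and in dave's section (L11568) or adjust the description. A comment on that line, `# wildcard FQDN: no IDr is sent, moon's returned identity is matched against the pattern`, would also help since this is the point of the test. L11544 also adds a trailing empty line the other conf files in this commit do not have.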
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = *.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
+<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
+is based on an Public key signature (<b>Pubkey</b>). Gateway <b>moon</b> supports both
+authentication modes and selects the correct roadwarrior connection definition based on the
+gateway ID requested by the roadwarrior.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-psk.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-pubkey.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with pre-shared key successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+swanctl {
+ load = random openssl
+}
- cache_crls = yes
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
- multiple_authentication = no
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ rw-psk {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+rw-pubkey {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
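Review bot: `rw-pubkey {` on L11811 sits at column 0 while its sibling `rw-psk {` (L11789) and the rest of the file use one leading space; the settings parser does not care, but it makes `rw-pubkey` read like a top-level section rather than a member of `connections`. Indent it as ` rw-pubkey {` to match. Since both sections share `local_addrs` and `id = moon.strongswan.org` and, as far as I can tell, are told apart only by the authentication method the roadwarrior uses, a one-line comment above `rw-psk` stating that would save the next reader a trip to the description.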
--- /dev/null
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw-psk
+moon::expect-connection rw-pubkey
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The roadwarriors' authentication is based on
+<ib>Pre-Shared Keys</b> (PSK) whereas the gateway uses an <b>Public key signature</b>
+(Pubkey) certified by an X.509 certificate.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown-script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
\ No newline at end of file
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
- multiple_authentication = no
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
- multiple_authentication = no
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = moon.strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random openssl
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ send_certreq = no
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = carol@strongswan.org
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = dave@strongswan.org
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
-carol::swanctl --terminate --ike home
-dave::swanctl --terminate --ike home
carol::systemctl stop strongswan
dave::systemctl stop strongswan
moon::systemctl stop strongswan
(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior
<b>carol</b> uses the EAP identity <b>carol</b>.
-The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
-and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
<p/>
Since RADIUS accounting is enabled in <b>strongswan.conf</b>, gateway <b>moon</b>
sends user name, connection time and data volume information to the
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
+carol::swanctl --terminate --ike home 2> /dev/null::no output expected::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ accounting = yes
+ }
+ }
+}
--- /dev/null
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
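Review bot: In `rw-eap`, `id = *@strongswan.org` constrains only the IKE identity; with `eap_id = %any` the identity that is actually authenticated, and that the `net` child grants 10.1.0.0/16 to, is whatever EAP identity the RADIUS server at PH_IP_ALICE accepts. The wildcard is therefore not an authorization decision on the gateway; the RADIUS policy is, and the evaluation in this commit checks `remote-eap-id=carol` accordingly. That is worth stating next to the `remote` block so nobody later reads the wildcard as the access control: `# the IKE identity is only loosely matched; authorization is delegated to the RADIUS server via the EAP identity`.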
-carol::ipsec stop
-moon::ipsec stop
+carol::systemctl stop strongswan
+moon::systemctl stop strongswan
alice::killall freeradius
alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
-carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
alice::freeradius
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan
+carol::systemctl start strongswan
moon::expect-connection rw-eap
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c.png"
# Guest instances on which tcpdump is to be started
#
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but
they use different hash algorithms. <b>moon</b> uses signature scheme constraints
to only allow access to the <b>research</b> and <b>accounting</b> subnets if
-specific algorithms are used. <b>Note:</b> Because the client certificate's are signed
-with SHA-256 we have to accept that algorithm too because signature schemes in
-<b>rightauth</b> are also used as constraints for the whole certificate chain.
+specific algorithms are used.
+<p/>
+<b>Note:</b> Because the client certificate's are signedwith SHA-256 we have to
+accept that algorithm too because signature schemes in <b>rightauth</b> are also
+used as constraints for the whole certificate chain.
Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway
<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not
vice-versa.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice-net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus-net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey-sha384
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey-sha512
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
--- /dev/null
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey-sha384-sha256
+ }
+ children {
+ alice-net {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey-sha512-sha256
+ }
+ children {
+ venus-net {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
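Review bot: `auth = pubkey-sha384-sha256` and `pubkey-sha512-sha256` read as if SHA-256 signatures were deliberately accepted for the peers' IKE authentication, while the scenario description in this commit explains that SHA-256 is present only because the client certificates are signed with it and the constraint applies to the whole certificate chain. That rationale belongs in the config, where the next person tightening the constraint will look; suggest `# sha256 is needed only because the client certificates are signed with SHA-256; the constraint covers the whole chain` above each `remote` block. Neither connection has a `remote.id`, so the split between `research` and `accounting` rests entirely on the signature scheme the peer chooses — the scenario's point, but a one-line comment saying so would spare a reader from assuming an identity check was forgotten.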
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+<b>moon</b> uses whitelisting to grant access to <b>carol</b> with ID <b>carol@strongswan.org</b>
+whereas since ID <b>dave@strongswan.org</b> is not listed, <b>dave</b> gets rejected.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> can successfully ping
+the client <b>alice</b> behind the gateway <b>moon</b> whereas <b>dave</b> fails.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::NO
+moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::NO
+moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::NO
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha512
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha384
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints whitelist pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ plugins {
+ whitelist {
+ enable = yes
+ }
+ }
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
moon::ipsec whitelist add alice@strongswan.org
moon::ipsec whitelist add bob@strongswan.org
moon::ipsec whitelist add carol@strongswan.org
moon::ipsec whitelist enable
moon::ipsec whitelist list
+moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
-carol::sleep 1
+dave::swanctl --initiate --child home 2> /dev/null
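Review bot: `moon::expect-connection rw` moves from directly after moon's start to after the `ipsec whitelist` commands, so those commands now run with nothing ensuring that charon on moon has finished starting; the removed ordering waited for the loaded connection before touching the whitelist. If the whitelist plugin is not reachable yet, the adds fail silently from this script's point of view and carol — whose access depends on `ipsec whitelist add carol@strongswan.org` — is rejected intermittently, while dave's rejection still passes, so the flake would look like a carol-side problem. Suggest keeping `moon::expect-connection rw` immediately after `moon::systemctl start strongswan` and leaving the later position out. Whether the `ipsec whitelist` helper is still installed on a host that is otherwise driven through systemd and swanctl is not visible in this hunk.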
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
The hosts <b>moon</b>, <b>sun</b> and <b>dave</b> install <b>transport-mode</b> trap
-policies with <b>right=%any</b>. The remote host is dynamically determined based on
-the acquires received from the kernel. Host <b>dave</b> additionally limits the remote
-hosts to <b>moon</b> and <b>sun</b> with <b>rightsubnet</b>. This is tested by
+policies with <b>remote_addrs=%any</b>. The remote host is dynamically determined
+based on the acquires received from the kernel. Host <b>dave</b> additionally limits
+the remote hosts to <b>moon</b> and <b>sun</b> with <b>remote_ts</b>. This is tested by
pinging <b>sun</b> and <b>carol</b> from <b>moon</b>, <b>carol</b> from <b>sun</b>, and
<b>sun</b> and <b>moon</b> from <b>dave</b>. The latter also pings <b>carol</b>, which
-is not going to be encrypted as <b>carol</b> is not part of the configured <b>rightsubnet</b>.
+is not going to be encrypted as <b>carol</b> is not part of the configured
+<b>remote_ts</b>.
--- /dev/null
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
+sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_SUN/32]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_CAROL.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_CAROL/32]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_MOON.*remote-host=PH_IP_DAVE.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_MOON/32] remote-ts=\[PH_IP_DAVE/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_DAVE.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_DAVE/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_SUN.*remote-host=PH_IP_CAROL.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_CAROL/32]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_DAVE.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_DAVE/32] remote-ts=\[PH_IP_MOON/32]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_DAVE.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_DAVE/32] remote-ts=\[PH_IP_SUN/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_MOON.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_CAROL/32] remote-ts=\[PH_IP_MOON/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_SUN.*child-sas.*trap-any.*state=INSTALLED mode=TRANSPORT.*local-ts=\[PH_IP_CAROL/32] remote-ts=\[PH_IP_SUN/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::trap-any.*state=ESTABLISHED local-host=PH_IP_CAROL.*remote-host=PH_IP_DAVE::NO
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
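Review bot: The tcpdump checks on sun (L12722–L12727) and carol (L12728–L12731) only assert that ESP was seen, which does not prove that no echo request between the trapped hosts also crossed the wire in the clear before the trap-any SA came up. The carol/dave pair already uses this negative form implicitly (plain ICMP expected, no SA at L12721); the protected pairs deserve the mirror image, e.g. `sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP::NO` and `sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ICMP::NO`. Whether the harness supports `::NO` on tcpdump lines is not visible here but the `::NO` form is used on L12721, so it presumably is.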
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
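Review bot: The `trap-any` child in this file has no `start_action = trap`, unlike the otherwise identical children at L12805, L12846 and L12901, so this host installs no trap policy and only responds to peers that initiate. That is consistent with the evaluation (this host is only pinged, never the initiator, and its traffic with dave stays plaintext), but a reader comparing the four files will take it for an omission; a comment on the child such as `# no start_action: this host never initiates, it only responds to peers trapping traffic to it` would make the asymmetry deliberate. The same PSK is shared by all four hosts, which is fine for the scenario but worth stating in the scenario description rather than being discovered from the four `secrets` sections.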
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ remote_ts = 192.168.0.0/30
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
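Review bot: `remote_ts = 192.168.0.0/30` on L12803 is the only thing that limits this host's trap to moon and sun, and it is the reason the dave→carol ping on L12710 goes out unprotected (L12732–L12733); nothing in the file says so. A comment above it, `# only trap traffic to 192.168.0.1 and .2 (moon, sun); carol is reached in the clear`, ties the selector to the evaluation. If the scenario description relies on this, it should name `remote_ts` explicitly, as the description hunk at L12702–L12703 now does.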
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+
+ # to access the host via SSH in the test environment
+ pass {
+ remote_addrs = 127.0.0.1
+
+ children {
+ pass-ssh {
+ local_ts = 0.0.0.0/0[tcp/22]
+ remote_ts = 0.0.0.0/0[tcp]
+ mode = pass
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+connections {
+
+ trap-any {
+ remote_addrs = %any
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ trap-any {
+ mode = transport
+ start_action = trap
+ }
+ }
+ }
+
+ # to access the host via SSH in the test environment
+ pass {
+ remote_addrs = 127.0.0.1
+
+ children {
+ pass-ssh {
+ local_ts = 0.0.0.0/0[tcp/22]
+ remote_ts = 0.0.0.0/0[tcp]
+ mode = pass
+ start_action = trap
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
--- /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
--- /dev/null
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::sleep 1
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice-net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus-net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+moon ::cat /var/log/daemon.log::CHILD_SA alice-net.*established.*TS 10.1.0.10/32 === 192.168.0.100/32
+moon ::cat /var/log/daemon.log::CHILD_SA venus-net.*established.*TS 10.1.0.20/32 === 192.168.0.200/32
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
+moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
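Review bot: The two daemon.log checks on L12949 and L12950 end after the pattern and lack the trailing `::YES` that every other evaluation line carries, so the expected outcome of the CHILD_SA establishment checks is unspecified and, depending on how the harness treats an empty fourth field, they may be skipped or reported as failed. Append `::YES` to both, e.g. `moon ::cat /var/log/daemon.log::CHILD_SA alice-net.*established.*TS 10.1.0.10/32 === 192.168.0.100/32::YES`. The host field is also written inconsistently within the hunk (`carol::`, `dave :: `, `moon ::`); if the harness trims whitespace this is cosmetic, otherwise the padded forms will not match a host name.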
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
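Review bot: The `venus` child on L12982–L12985 is expected to fail negotiation rather than be installed, because moon's `research` connection only offers `local_ts = 10.1.0.0/28` (L13056) and 10.1.0.20 falls outside it, which is what the "traffic selectors ... unacceptable" check on L12951 verifies; nothing in this file says that the child is deliberately unsatisfiable. A comment on the child, `# expected to be rejected by moon: 10.1.0.20 is outside the research subnet`, would stop a reader from "fixing" it. The dave configuration at L13016–L13023 is the mirror case and would benefit from the same note on its `alice` child.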
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ research {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+ }
+ children {
+ alice-net {
+ local_ts = 10.1.0.0/28
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ accounting {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ venus-net {
+ local_ts = 10.1.0.16/28
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
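Review bot: The `accounting` connection's `remote` section on L13072–L13074 carries no `id` constraint, whereas `research` restricts the peer to `OU=Research, CN=*` (L13052), so `accounting` matches any peer presenting a certificate that validates under the trusted CA, not just Accounting members. If the intent is to mirror `research`, add `id = "C=CH, O=strongSwan Project, OU=Accounting, CN=*"` (the DN form is the one dave presents on L12946); if the scenario deliberately exercises the unconstrained fallback, a comment saying so would prevent the omission from being read as a mistake. The evaluation on L12948 only checks that dave lands on `accounting`, which passes either way.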
--- /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+oon::expect-connection research
+moon::expect-connection accounting
+carol::expect-connection home
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
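Review bot: L13093 reads `oon::expect-connection research`; the host name is missing its first letter and should be `moon::expect-connection research`, matching L13094. As written the harness will either fail to resolve the host or silently skip the wait, so the two carol initiations that follow may run before moon has loaded the `research` connection and the test becomes timing-dependent.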
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1